Xiaopi Panel WAF Firewall SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the WAF Firewall component of Xiaopi Panel versions prior to 20260126. The issue arises in the file /demo.php, where inadequate input filtering allows for the manipulation of the ID argument, enabling remote exploitation of the vulnerability. This flaw has been publicly disclosed and is actively being exploited.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to the /demo.php endpoint with a crafted ID parameter that exploits the input validation weaknesses. The lack of proper filtering in the WAF rules will allow the injection of malicious SQL statements, which can be executed by the database.