Acrel EEMS Enterprise Power Operation and Maintenance Cloud Platform SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform version 3000WEBV2. The issue arises in the 'calc/getCalcmeterDetailDayListTree' interface, where manipulation of the 'sort' argument allows for SQL injection. This vulnerability can be exploited remotely, and the exploit is now public.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to the database. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to the 'calc/getCalcmeterDetailDayListTree' interface with a crafted 'sort' argument that includes SQL injection payloads. The injection can be verified by extracting database information, such as the database version, using specific SQL functions.