Shenzhen Sixun Software Sixun Shanghui Group Business Management System SQL Injection Vulnerability in PayConfig API

A SQL injection vulnerability has been identified in Shenzhen Sixun Software's Sixun Shanghui Group Business Management System version 10. The issue arises in an unknown functionality of the file '/api/Dinner/PayConfig', where manipulation of the 'tableno' argument allows for SQL injection. This vulnerability can be exploited remotely. The vendor was notified about this issue but did not respond.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a request to the '/api/Dinner/PayConfig' endpoint with the 'tableno' parameter. Include a crafted SQL payload that exploits the application's SQL query handling. For example, using '1' followed by a SQL injection payload can demonstrate the vulnerability. The response time can be manipulated to confirm the injection, such as adding a delay payload to test for successful exploitation.