| Title | Hunan Zhonghe Baiyi Information Technology Co., Ltd. Baiyi Cloud Asset Management System /wuser/admin.ticket.close.php SQL Injection |
|---|---|
| Description | The /wuser/admin.ticket.close.php interface of the Baiyi Cloud Asset Management System contains a Time-Based Blind SQL Injection vulnerability. Attackers can exploit this vulnerability by constructing a malicious ticket_id parameter, leveraging the SLEEP() function to induce database operation delays, bypass security mechanisms, and extract sensitive data (such as database names and table structures). This vulnerability can be exploited without authentication and affects multiple asset instances. Verified target addresses include http://x.x.x.x, http://x.x.x.x, among others.<br>Sensitive Data Exposure: Attackers can exfiltrate user information, ticket records, system configurations, and other critical data.<br>Privilege Escalation: By leveraging SQL injection, attackers may escalate privileges and gain full control over the server.<br>Service Disruption: Malicious injections may corrupt database integrity, leading to application downtime.<br>Legal and Compliance Risks: Data breaches may violate cybersecurity laws such as GDPR, leading to legal repercussions. |
| Source | https://github.com/sekaino-sakura/CVE/blob/main/CVE_2.md |
| User | sekainosakura (UID 81280) |
| Submission | 08/02/2025 01:52 PM (1 year ago) |
| Moderation | 21/02/2025 07:56 AM (13 days later) |
| Status | Approved |
| VulDB Entry | 296475 [Baiyi Cloud Asset Management System 8.142.100.161 admin.ticket.close.php ticket_id SQL injection] |
| Points | 20 |