Zhong Bang CRMEB Java list getAdminList sql injection
Description
SQL injection in CRMEB Java up to 1.3.4 via cateId parameter in /api/admin/store/product/list allows remote authenticated attackers to execute arbitrary SQL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in Zhong Bang CRMEB Java up to version 1.3.4. The flaw lies in the getAdminList function that serves the endpoint /api/admin/store/product/list. The cateId parameter is concatenated directly into SQL queries without proper sanitization, allowing injection of arbitrary SQL statements. The affected component is the admin product list endpoint, which requires authentication to access [1].
Exploitation
An attacker with valid admin credentials can exploit this vulnerability by sending a crafted HTTP GET request to /api/admin/store/product/list with a malicious cateId parameter. The request includes an Authorization header, but no other special conditions are required. The injection occurs server-side when the cateId value is used in SQL statements without parameterization [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL commands, which can lead to data exfiltration, modification, or deletion. The reference indicates that code execution may also be possible, potentially resulting in full server compromise. The impact is severe because the flaw is reachable remotely and grants arbitrary SQL execution [1].
Mitigation
As of the disclosure date (2023-03-23), no official patch has been published. Users are advised to upgrade to a version beyond 1.3.4 if available. In the absence of a patch, implement strict input validation and use parameterized queries to prevent SQL injection. Additionally, restrict access to the admin interface and consider using a web application firewall to filter malicious payloads [1].
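As an added illustration, not CRMEB's own code, the unsafe concatenation pattern described above is shown beside a hardened version that validates cateId and binds it with a PreparedStatement. The class, table and column names are assumptions for the example, not the project's schema.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical admin product-list DAO; "store_product", "id", "store_name"
// and "cate_id" are assumed names used only for this illustration.
public class ProductListDao {

    // Accept only digits, optionally comma-separated (cateId is often a list).
    // Quotes, spaces, comment markers and keywords never pass this check.
    private static final Pattern CATE_ID_LIST = Pattern.compile("\\d{1,10}(,\\d{1,10})*");

    private final Connection conn;

    public ProductListDao(Connection conn) { this.conn = conn; }

    // UNSAFE: the raw request value becomes part of the SQL text, so any input
    // that closes the literal rewrites the query (the bug class in this CVE).
    public ResultSet listUnsafe(String cateId) throws SQLException {
        String sql = "SELECT id, store_name FROM store_product WHERE cate_id = '" + cateId + "'";
        return conn.createStatement().executeQuery(sql);
    }

    // SAFE: reject anything that is not a numeric id list, then bind each id
    // as a parameter so the SQL text never contains user-controlled data.
    public ResultSet listSafe(String cateId) throws SQLException {
        if (cateId == null || !CATE_ID_LIST.matcher(cateId).matches()) {
            throw new IllegalArgumentException("cateId must be a comma-separated list of numeric ids");
        }
        List<Long> ids = new ArrayList<>();
        for (String part : cateId.split(",")) ids.add(Long.parseLong(part)); // at most 10 digits, fits a long
        StringBuilder sql = new StringBuilder("SELECT id, store_name FROM store_product WHERE cate_id IN (");
        for (int i = 0; i < ids.size(); i++) sql.append(i == 0 ? "?" : ",?"); // one placeholder per id
        sql.append(")");
        PreparedStatement ps = conn.prepareStatement(sql.toString());
        for (int i = 0; i < ids.size(); i++) ps.setLong(i + 1, ids.get(i));
        return ps.executeQuery();
    }
}
```

The same two-step pattern (shape validation, then parameter binding) applies to MyBatis mappers: use `#{}` placeholders rather than `${}` text substitution for values such as cateId.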
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected products:
- (no CPE) range: <=1.3.4
- (no CPE) range: 1.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
3 references:
1. github.com/crmeb/crmeb_java/issues/11 (mitre; exploit; issue-tracking)
2. vuldb.com (mitre; signature; permissions-required)
3. vuldb.com (mitre; vdb-entry; technical-description)
News mentions
No linked articles in our index yet.