VYPR
High severity (8.2) · NVD Advisory · Published May 3, 2024 · Updated Apr 15, 2026

CVE-2024-33787

Description

Hengan Weighing Management Information Query Platform 2019-2021 53.25 was discovered to contain a SQL injection vulnerability via the tuser_Number parameter at search_user.aspx.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Hengan Weighing Management Information Query Platform 2019-2021 versions suffer from a SQL injection vulnerability in the tuser_Number parameter, enabling database access.

Vulnerability

Overview

Hengan Weighing Management Information Query Platform versions 2019–2021 53.25 contain a SQL injection vulnerability in the tuser_Number parameter of the search_user.aspx page. The vulnerability allows an attacker to inject arbitrary SQL statements into the query, as demonstrated by a UNION-based payload that retrieves a hash value from the database [1]. The root cause is that user-supplied input is neither sanitized nor parameterized before it is used in SQL queries.

Exploitation

Details

An unauthenticated attacker can exploit this vulnerability by sending a crafted POST request to /用户管理/search_user.aspx with a malicious tuser_Number value. The provided proof-of-concept payload uses the UNION ALL SELECT statement and sys.fn_sqlvarbasetostr(HASHBYTES(...)) to confirm injection by comparing the returned MD5 hash with a known string [1]. The attack requires no prior authentication, as the request includes only a session cookie and an AdminInfo cookie with username=1.

Impact

Successful exploitation enables an attacker to execute arbitrary SQL commands, leading to disclosure of sensitive database information, such as user credentials or business data. In more severe scenarios, the attacker could potentially tamper with database contents or gain escalated privileges within the application [1]. The CVSS v3 base score of 8.2 (High) reflects the relatively low attack complexity and high potential for confidentiality and integrity impact.

Mitigation

The vendor is advised to update the platform to the latest version and implement parameterized queries (prepared statements) to separate SQL logic from user input. Input filtering and validation on the tuser_Number parameter should also be applied as a defense-in-depth measure [1]. As of the publication date (2024-05-03), no official patch has been mentioned in the reference, but the recommended mitigations are standard industry practices.
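A hardened version of the lookup, as an added example that is not the vendor's code: a hypothetical ASP.NET Web Forms code-behind for search_user.aspx that shows the concatenated query pattern the advisory describes next to a parameterized SqlCommand with an allow-list check on tuser_Number. The table and column names, the connection string, the assumed user-number format and the ResultsGrid control are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web.UI;

public partial class SearchUser : Page
{
    // Placeholder; a real deployment reads this from configuration.
    private const string ConnStr = "Server=.;Database=Weighing;Integrated Security=true;";

    // Assumed format of a user number: a short alphanumeric token (quotes, spaces, keywords rejected).
    private static readonly Regex UserNumberFormat = new Regex(@"^[A-Za-z0-9_-]{1,32}$");

    // UNSAFE: tuser_Number is spliced into the SQL text, so a quote in the value ends the
    // literal and the remainder is parsed as SQL. This is the pattern behind the advisory.
    private static string BuildUnsafeQuery(string tuserNumber)
    {
        return "SELECT tuser_Number, tuser_Name FROM t_user WHERE tuser_Number = '"
               + tuserNumber + "'";
    }

    // HARDENED: the value is bound as a typed parameter, so SQL Server treats it
    // as data only; the format check is the defense-in-depth layer.
    private static DataTable SearchSafe(string tuserNumber)
    {
        if (tuserNumber == null || !UserNumberFormat.IsMatch(tuserNumber))
            throw new ArgumentException("tuser_Number has an unexpected format");
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(
            "SELECT tuser_Number, tuser_Name FROM t_user WHERE tuser_Number = @tuserNumber", conn))
        {
            cmd.Parameters.Add("@tuserNumber", SqlDbType.NVarChar, 32).Value = tuserNumber;
            conn.Open();
            var results = new DataTable();
            results.Load(cmd.ExecuteReader());
            return results;
        }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (Request.HttpMethod != "POST") return;
        // The advisory notes the page answers unauthenticated requests; require a real session.
        if (!User.Identity.IsAuthenticated) { Response.StatusCode = 401; return; }
        string tuserNumber = Request.Form["tuser_Number"];
        try { ResultsGrid.DataSource = SearchSafe(tuserNumber); ResultsGrid.DataBind(); }
        catch (ArgumentException) { Response.StatusCode = 400; }
    }
}
```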

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

No linked articles in our index yet.