[★]Unauthenticated Remote SQL Injection in "ExportParkingRecords" Endpoint of Parking Management System Leading to Full Server Compromise
输入“/”快速插入内容
[★]Unauthenticated Remote SQL Injection in "ExportParkingRecords" Endpoint of Parking Management System Leading to Full Server Compromise
[★]Unauthenticated Remote SQL Injection in "ExportParkingRecords" Endpoint of Parking Management System Leading to Full Server Compromise
4月29日修改
Company:Shenzhen DAS INTELLITECH Co., Ltd.
Affected version: 6.2.0
Vulnerability Type: CWE-89 (SQL Injection)
Attack Vector: Network (Remote)
漏洞描述 (Description):
A critical security flaw has been identified in the ParkingRecord/ExportParkingRecords API endpoint of the "Parking Management System." The vulnerability stems from a complete lack of authentication (Unauthorized Access) combined with inadequate sanitization of the Value parameter within JSON payloads, resulting in a high-impact SQL Injection.
A remote, unauthenticated attacker can exploit this vulnerability by submitting a specially crafted POST request without any valid credentials. Successful exploitation allows the attacker to bypass access control to extract highly sensitive user data. Furthermore, in specific database environments, this can be escalated to Remote Code Execution (RCE) via database extensions (e.g., xp_cmdshell), leading to total system takeover. This poses a severe risk to the confidentiality, integrity, and availability of the affected infrastructure.
Impact Score (CVSS v3.1):
•
Attack Vector (AV): Network
•
Attack Complexity (AC): Low
•
Privileges Required (PR): None
•
User Interaction (UI): None
•
Scope (S): Changed
•
Confidentiality (C): High
•
Integrity (I): High
•
Availability (A): High
[DETAILS]
The specific request packet is as follows, no authentication required:
代码块
POST /ParkingRecord/ExportParkingRecords HTTP/1.1
Host:
Content-Length: 87
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: application/json, text/plain, */*
Content-Type: application/json
Origin:
Referer:
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: keep-alive
{"pageIndex":1,"pageSize":50,"Filters":[{"Field":"OwnerName","Op":"=","Value":""}]}