SQL Injection in Smart Integrated Management Platform System (Fuzhou Yinda)

Vulnerability Key Information Title SQL Injection Vulnerability (Time-Based Blind) in Smart Integrated Management Platform System - XCamera Module Affected Versions Smart Integrated Management Platform System (all versions) Vendor Smart Integrated Management Platform System (Fuzhou Yinda Yunchuang Information Technology Co., Ltd.) Fuzhou Yinda Yunchuang Information Technology Co., Ltd. Software Smart Integrated Management Platform System (智慧综合管理平台系统) Description A vulnerability was found in the Smart Integrated Management Platform System developed by Fuzhou Yinda Yunchuang Information Technology Co., Ltd. Two main issues are identified: 1. Unauthenticated SQL Injection via ChannelName Parameter (Time-Based Blind): - The application does not properly sanitize the parameter. - User-controlled input from POST parameters is directly used in SQL queries. - The vulnerability does not require authentication. 2. Exploiting the Time-Based Blind SQL Injection Vulnerability: - Attackers can use techniques like to extract information. - The injection causes the database to delay its response. Example Time-Based Blind SQL Injection Payload ;WAITFOR DELAY ‘0:0:5’-- Vulnerable Endpoint Request Example HTTP POST request with the above payload in parameters Verification of Exploitation Server response delay of 5 seconds confirms the presence of the vulnerability Proof of Concept 1. Test time-based blind SQL injection 2. Measure response time 3. Extract database information Technical Details Root Cause: Unvalidated POST parameters directly used in SQL queries Impact: Data leakage, modification or deletion, DoS, etc. Detection Use FOFA to search for specific request patterns; over 300 affected systems identified Classification CWE-89: SQL Injection CVSS Base Score: 8.0–9.0, High Risk

Goal Reached Thanks to every supporter — we hit 100%!

SQL Injection in Smart Integrated Management Platform System (Fuzhou Yinda)

More from this source