Fujian Smart Integrated Management Platform SQL Injection Vulnerability in XAccessPermissionPlus.ashx
Vulnerability
A time-based blind SQL injection vulnerability has been identified in the Fujian Smart Integrated Management Platform System, version 7.5 and prior. The issue is in the file '/Module/CRXT/Controller/XAccessPermissionPlus.ashx', where the 'DeviceIDS' parameter is not validated or parameterized before being used in SQL queries. This allows remote attackers to inject SQL that the database executes, potentially leading to unauthorized access to sensitive information, data manipulation, or system compromise. The vulnerability does not require authentication, so any attacker who can reach the endpoint can exploit it.
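The following added example illustrates the bug class named above and its remediation; it is not the platform's code, and the table, column names, and the assumption that a 'DeviceIDS' value is a comma-separated list of numeric IDs are all constructed for the illustration. The vulnerable function splices the raw parameter into the SQL text; the hardened function validates every token against a strict allowlist and then binds each value as a query parameter, so client data can never be interpreted as SQL syntax.

```python
"""Vulnerable vs. hardened handling of a comma-separated ID parameter.

Added illustration of the bug class in the advisory; not the vendor's code.
Uses an in-memory SQLite table with constructed sample rows.
"""
import re
import sqlite3

# Constructed sample data: three devices.
SAMPLE_DEVICES = [(1, "door-01"), (2, "door-02"), (3, "gate-01")]

# Allowlist for a single device ID: decimal digits only. This format is an
# assumption; the advisory does not state what a valid DeviceIDS looks like.
_ID_RE = re.compile(r"^\d{1,10}$")


def make_db():
    """Build the constructed sample database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO device VALUES (?, ?)", SAMPLE_DEVICES)
    return conn


def lookup_vulnerable(conn, device_ids):
    """The bug class: the raw parameter becomes part of the SQL text, so
    whatever the client sends is parsed as SQL by the database."""
    sql = f"SELECT id, name FROM device WHERE id IN ({device_ids})"
    return conn.execute(sql).fetchall()


def parse_device_ids(device_ids, max_items=100):
    """Split the parameter and accept only strictly numeric tokens.
    The whole request is rejected on any malformed token."""
    tokens = [t.strip() for t in device_ids.split(",")]
    if len(tokens) > max_items:
        raise ValueError("DeviceIDS: too many entries")
    ids = []
    for t in tokens:
        if not _ID_RE.match(t):
            raise ValueError(f"DeviceIDS: invalid entry {t!r}")
        ids.append(int(t))
    return ids


def is_valid_device_ids(device_ids):
    """Boolean wrapper around parse_device_ids for callers that only need
    an accept/reject decision (for example a request filter or a log)."""
    try:
        parse_device_ids(device_ids)
        return True
    except ValueError:
        return False


def lookup_hardened(conn, device_ids):
    """Validate first, then bind every value as a parameter. The SQL text
    contains only '?' placeholders, so the data cannot change the query."""
    ids = parse_device_ids(device_ids)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id, name FROM device WHERE id IN ({placeholders})"
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("hardened, valid input:", lookup_hardened(db, "1,3"))
    print("hardened rejects malformed input:", not is_valid_device_ids("1) OR (1=1"))
```

The parameterized IN clause is the important part: even where an allowlist regex is later relaxed or forgotten, bound parameters keep the data out of the SQL grammar. In an ASP.NET handler the same shape applies with `SqlCommand.Parameters` and one placeholder per value.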
Impact
Exploitation of this vulnerability allows unauthorized execution of SQL commands, with the potential to read, modify, or delete database contents. The same injection point can also be used to cause a denial of service by introducing delays in database response times. The vulnerability is widespread, with over 300 instances of the affected platform identified.
Reproduction
To reproduce this vulnerability, send a POST request to '/Module/CRXT/Controller/XAccessPermissionPlus.ashx' with the 'DeviceIDS' parameter manipulated to include a SQL injection payload. The injection can be verified by measuring the response time; a delay of several seconds indicates successful exploitation.