Shenzhen Ruiming Technology Streamax Crocus SQL Injection Vulnerability
Vulnerability
A critical SQL injection vulnerability exists in the Streamax Crocus O&M Platform version 1.3.44. The issue is located in the /OperateStatistic.do endpoint, specifically within the VehicleID parameter. This vulnerability arises from inadequate input validation, allowing unauthenticated remote attackers to inject malicious SQL payloads. Exploitation of this vulnerability could lead to unauthorized access to the database, allowing attackers to exfiltrate sensitive information, disrupt service by overloading server resources, or manipulate database contents.
Impact
Exploitation of this vulnerability allows for time-based blind SQL injection, where an attacker can inject SQL commands that are executed by the database. This could be used to extract data, such as database information or application data, or to modify database contents. Additionally, according to VulDB, this vulnerability could be exploited to cause a denial-of-service condition by exhausting server CPU resources.
Reproduction
The vulnerability can be reproduced by sending a POST request to the /OperateStatistic.do endpoint with the VehicleID parameter manipulated to include a crafted SQL payload. For example, a time-based blind SQL injection payload, such as one using the SLEEP function, can confirm the presence of the vulnerability.
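For defenders, the request pattern described above can be hunted for in web or WAF logs. The following is an added example, not code from the vendor or the original advisory: it flags POSTs to /OperateStatistic.do whose VehicleID is malformed or contains a delay function, and raises severity when the response was also slow. The tab-separated log format, the vehicle ID shape, the 3-second threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/OperateStatistic.do"   # endpoint named in the advisory
PARAM = "VehicleID"                 # parameter named in the advisory
# Assumption: legitimate vehicle IDs are short alphanumeric tokens.
VALID_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Delay primitives associated with time-based blind SQL injection.
DELAY_FN = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I)
SLOW_SECONDS = 3.0                  # assumption: normal responses are far faster

# Constructed sample log (not real traffic; values are not working payloads).
# Format: method <TAB> path <TAB> url-encoded body <TAB> response seconds
SAMPLE_LOG = """\
POST\t/OperateStatistic.do\tVehicleID=V1001&Type=day\t0.084
POST\t/OperateStatistic.do\tVehicleID=V1001%20SLEEP%285%29\t5.112
POST\t/OperateStatistic.do\tVehicleID=V1002%27\t0.091
GET\t/index.do\t\t0.020
POST\t/OperateStatistic.do\tVehicleID=V1003\t4.300
"""

def classify(line):
    """Return a list of reasons for one log line, or None if out of scope."""
    method, path, body, secs = line.split("\t")
    if method != "POST" or path != ENDPOINT:
        return None
    values = parse_qs(body, keep_blank_values=True).get(PARAM, [])
    reasons = []
    for value in values:            # parse_qs has already URL-decoded the value
        if not VALID_ID.fullmatch(value):
            reasons.append("malformed-id")
        if DELAY_FN.search(value):
            reasons.append("delay-function")
    if float(secs) >= SLOW_SECONDS:
        reasons.append("slow-response")
    return reasons

def triage(log):
    """Return (line number, severity, reasons) for every suspicious request."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        reasons = classify(line)
        if not reasons:
            continue
        # A delay keyword plus a matching slow response suggests a successful probe.
        sev = "high" if {"delay-function", "slow-response"} <= set(reasons) else "review"
        findings.append((n, sev, reasons))
    return findings
```

Calling `triage(SAMPLE_LOG)` marks line 2 as high and lines 3 and 5 for review; a slow response on its own is only a review item because legitimate statistics queries can also be slow.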
