SQL injection exists in the ibos office OA. Procedure

version:4.5.5

POC

Route: r=weibo/comment/addcomment

The injection parameter touid exists

Successfully burst the database name by reporting an error injection

The addComment() method under the model layer is invoked through the actionAddComment() method.

addComment() then calls the addComment() method under the parent class

The addComment() method receives the uploaded parameters as an array via post

Following the above branch, data[] is brought directly into the addComment() method

There is the escapeData() security check, but the touid parameter passed in here is not intval(), for unknown reasons

Finally, the data is brought to the fetchRealnameByUid() method in the model layer to execute the SQL statement

Provide feedback

Saved searches