SQL injection exists in the ibos office OA
Procedure
Official website: http://www.ibos.com.cn/
Version: 4.5.5
POC
Route: r=weibo/comment/addcomment
The injectable parameter is touid.
The database name was successfully extracted via error-based injection.
The actionAddComment() controller method invokes the addComment() method in the model layer.
That addComment() in turn calls the addComment() method of its parent class.
The parent's addComment() receives the uploaded parameters as an array via POST.
Following the branch above, data[] is passed directly into the addComment() method.
An escapeData() security check is applied, but for unknown reasons the touid parameter passed in here is not cast with intval().
Finally, the data reaches the fetchRealnameByUid() method in the model layer, which executes the SQL statement.
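The defect pattern described above, as an added illustration that is not ibos's own code: a quote-escaping check such as escapeData() does nothing for a numeric parameter that is placed unquoted into SQL, while the missing intval() cast plus a bound parameter closes the hole. All function, table and column names below are assumed stand-ins.

```php
<?php
// Added illustration, not ibos code. escapeData(), fetchRealnameByUid(),
// the table and column names are assumed to mirror the pattern in the report.

// Escape-only "check": neutralises quote characters but leaves a value that
// sits in an unquoted numeric position untouched.
function escapeData(array $data): array {
    return array_map(fn($v) => is_string($v) ? addslashes($v) : $v, $data);
}

// Vulnerable pattern: touid is escaped but never cast, then concatenated
// unquoted into the query, so the escaping is a no-op for this context.
function fetchRealnameByUidVulnerable(PDO $db, array $data): ?string {
    $data = escapeData($data);
    $sql  = "SELECT realname FROM user WHERE uid = " . $data['touid'];
    $row  = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row['realname'] ?? null;
}

// Hardened pattern: cast to int (the check the report says is missing) and
// bind the value, so request data can never alter the query structure.
function fetchRealnameByUidHardened(PDO $db, array $data): ?string {
    $uid = intval($data['touid'] ?? 0);
    if ($uid <= 0) {
        return null; // reject anything that is not a positive user id
    }
    $stmt = $db->prepare("SELECT realname FROM user WHERE uid = :uid");
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row['realname'] ?? null;
}

// Demo against an in-memory SQLite table with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (uid INTEGER PRIMARY KEY, realname TEXT)");
$db->exec("INSERT INTO user VALUES (1, 'alice'), (2, 'bob')");

// Escaping leaves a quote-free, non-numeric value exactly as received.
var_dump(escapeData(['touid' => '2 x'])['touid'] === '2 x'); // bool(true)

// The hardened path coerces to an integer and binds it: only uid 2 is looked up.
var_dump(fetchRealnameByUidHardened($db, ['touid' => '2']));   // string(3) "bob"
var_dump(fetchRealnameByUidHardened($db, ['touid' => 'abc'])); // NULL
```

Calling fetchRealnameByUidVulnerable() with the same non-numeric input raises a SQL syntax error from PDO, which is the error-based behaviour the report observes.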