SQL injection exists in the IBOS office OA system. Procedure:
Official website: http://www.ibos.com.cn/
Version: 4.5.5
Function point: Background Management > Address Book Management > Department and User Management > Export users
Route: r=dashboard/user/export&uid=X
Injection parameter: uid
The database name was successfully retrieved using sqlmap.
Call chain: actionExport() invokes the exportUser() method.
exportUser() calls the fetchAllByUids() method of the model layer; finally, the SQL statement is executed in the wrapUserInfo() method.
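A hardened form of the lookup described in that call chain, as an added example that is not IBOS's own code: the uid list from the request is validated as integers and bound as prepared-statement parameters, so the value never becomes part of the query text. The table and column names (user, uid, realname, email) and the function names are assumed for illustration.

```php
<?php
// Added example, not IBOS code. Hypothetical hardened version of a
// fetchAllByUids()-style lookup: the uid list is validated as integers
// and bound as placeholders instead of being concatenated into the SQL.

declare(strict_types=1);

/**
 * Parse a comma-separated uid list (e.g. "3,7,12") and keep only
 * positive integers; anything else is rejected before reaching SQL.
 *
 * @return int[]
 */
function parseUids(string $raw): array
{
    $uids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        if ($part === '' || !ctype_digit($part)) {
            throw new InvalidArgumentException("invalid uid: {$part}");
        }
        $uids[] = (int) $part;
    }
    return array_values(array_unique($uids));
}

/**
 * Hypothetical replacement for fetchAllByUids(): one placeholder per
 * uid, each bound as an integer, so user input never enters the query text.
 * Table and column names are assumed for illustration.
 */
function fetchAllByUids(PDO $db, array $uids): array
{
    if ($uids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($uids), '?'));
    $stmt = $db->prepare(
        "SELECT uid, realname, email FROM user WHERE uid IN ({$placeholders})"
    );
    foreach ($uids as $i => $uid) {
        $stmt->bindValue($i + 1, $uid, PDO::PARAM_INT); // positional, 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// At the controller boundary (the actionExport() equivalent):
// $uids = parseUids($_GET['uid'] ?? '');
// $rows = fetchAllByUids($db, $uids);
```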