A vulnerability was detected in Yonyou KSOA 9.0. It affects unknown code in the file /worksheet/agent_worksadd.jsp of the component HTTP GET Parameter Handler: manipulation of the argument ID results in SQL injection. The attack can be launched remotely. An exploit is public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Yonyou KSOA 9.0 is vulnerable to a critical SQL injection flaw that lets a remote attacker drive queries against the backend database through the application and potentially read or alter sensitive data. The issue is in /worksheet/agent_worksadd.jsp, where the ID parameter of a GET request reaches an SQL query without being validated or bound as a parameter. Because a public exploit exists and the vendor has not responded, no vendor fix is known and this should be treated as a high-priority risk: mitigation falls to the operator (restricting network access to the application, filtering requests to this path, running the application with a least-privilege database account, and monitoring for non-numeric ID values on this endpoint).
Step 1: Request Initiation: The attacker crafts a malicious HTTP GET request targeting the /worksheet/agent_worksadd.jsp file.
Step 2: Payload Delivery: The attacker places an SQL injection payload in the ID parameter of the GET request. The payload is designed to change the structure of the query the page builds, not merely the value it looks up.
Step 3: Server-Side Processing: The vulnerable application receives the malicious request and processes the ID parameter.
Step 4: Query Execution: The application builds the SQL statement by inserting the attacker-supplied ID value into the query text instead of binding it as a parameter, so the payload becomes part of the query's SQL grammar.
Step 5: Database Interaction: The database executes the modified query with the privileges of the application's database account.
Step 6: Data Exfiltration/Manipulation: Depending on the payload and on the privileges of that database account, the attacker can extract sensitive data (e.g., usernames, passwords), modify or delete existing records, or, if the account is over-privileged, abuse database features to reach the underlying server. Full compromise of the database server is therefore possible but not automatic; it depends on how the account was provisioned.
The vulnerability stems from insufficient input validation on the ID parameter within /worksheet/agent_worksadd.jsp: the value is incorporated into an SQL query without being validated or parameterized, so an attacker can inject SQL through it. Since the affected code is not public, the exact construction is inferred from the behaviour, but it is consistent with the classic pattern of concatenating the user-controlled ID value directly into an SQL string rather than using a prepared statement with bound parameters. Escaping or "sanitizing" the value is not the fix; the fix is to bind ID as a parameter (in a JSP this means java.sql.PreparedStatement with a ? placeholder and setInt/setString) and, because a record ID should be numeric, to reject any value that is not a plain integer before the query is built. Stored procedures are not a remedy on their own: a procedure that assembles dynamic SQL from its arguments is just as injectable.
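The following example, added here and not taken from Yonyou KSOA or the public exploit, reproduces the attack chain in Steps 1-6 and the root cause above in a self-contained form: a constructed worksheet table in an in-memory SQLite database, a lookup that splices the ID parameter into the query text (the flaw the advisory describes), and two hardened lookups, one that binds the value as a parameter and one that additionally rejects non-integer IDs before the query is built. The table layout, column names, the tautology payload and the access-log check are all assumptions for illustration and say nothing about KSOA's real schema or the real exploit.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs


def build_demo_db() -> sqlite3.Connection:
    # Constructed stand-in for the worksheet record that
    # /worksheet/agent_worksadd.jsp looks up by ID. Columns are hypothetical.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE worksheet (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        INSERT INTO worksheet VALUES (1, 'alice', 'order follow-up');
        INSERT INTO worksheet VALUES (2, 'bob',   'customer complaint');
        INSERT INTO worksheet VALUES (3, 'carol', 'internal memo');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    # The pattern the advisory describes: the request parameter is pasted into
    # the SQL text, so whatever the client sends becomes part of the query grammar.
    sql = "SELECT id, owner, body FROM worksheet WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, raw_id) -> list:
    # Hardened form: the value travels as a bound parameter, never as SQL text.
    # A tautology payload is compared as a literal string and matches nothing.
    sql = "SELECT id, owner, body FROM worksheet WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


# A worksheet ID is numeric, so anything else is rejected before any SQL exists.
ID_RE = re.compile(r"[0-9]{1,18}")


def lookup_hardened(conn: sqlite3.Connection, raw_id: str) -> list:
    # Defence in depth: type-check the input, then bind it.
    if not ID_RE.fullmatch(raw_id):
        raise ValueError("ID must be a positive integer")
    return lookup_parameterized(conn, int(raw_id))


TARGET_PATH = "/worksheet/agent_worksadd.jsp"


def is_suspicious_request(request_target: str) -> bool:
    # Operator-side check (an assumption, not vendor guidance): flag GET requests
    # to the affected page whose ID parameter is not a plain integer.
    parts = urlsplit(request_target)
    if parts.path != TARGET_PATH:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in params.items():
        if key.lower() == "id":
            return any(not ID_RE.fullmatch(v) for v in values)
    return False


def demo() -> dict:
    conn = build_demo_db()
    # Constructed tautology payload; this is not the public KSOA exploit.
    payload = "1 OR 1=1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "1")),
        "vulnerable_payload": len(lookup_vulnerable(conn, payload)),
        "parameterized_payload": len(lookup_parameterized(conn, payload)),
        "log_flagged": is_suspicious_request(
            TARGET_PATH + "?ID=1%20OR%201%3D1"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every row for the tautology because the payload rewrote the WHERE clause; the parameterized lookup returns nothing for the same input because the database compares the whole string as a value. The integer check in lookup_hardened is the cheap pre-query guard a JSP page like this should have had, and is_suspicious_request is the same rule applied to request logs after the fact.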