A vulnerability was found in Yonyou KSOA 9.0. The affected element is an unknown function of the file /worksheet/agent_worksdel.jsp in the HTTP GET Parameter Handler component. Manipulating the argument ID results in SQL injection. The vulnerability can be exploited remotely. An exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Yonyou KSOA 9.0 is vulnerable to a critical SQL injection flaw that allows attackers to remotely execute arbitrary database queries. The vulnerability, located in the /worksheet/agent_worksdel.jsp file, can lead to complete system compromise and data exfiltration. The vendor has not responded to the disclosure, which makes this a high-risk situation.
Step 1: Payload Delivery: The attacker crafts a malicious HTTP GET request targeting the /worksheet/agent_worksdel.jsp endpoint.
Step 2: Parameter Manipulation: The attacker includes a crafted SQL injection payload within the ID parameter of the GET request. This payload is designed to alter the intended SQL query.
Step 3: Request Processing: The vulnerable agent_worksdel.jsp file receives the malicious request and extracts the attacker-controlled ID parameter.
Step 4: Query Execution: The application constructs a SQL query using the attacker-supplied ID parameter without proper sanitization. The malicious payload is directly incorporated into the query.
Step 5: Database Interaction: The crafted SQL query, now containing the attacker's payload, is executed against the database.
Step 6: Data Exfiltration/System Compromise: Depending on the payload, the attacker can then extract sensitive data (e.g., usernames, passwords), modify database contents, or potentially gain remote code execution on the server.
The vulnerability stems from improper input validation of the ID parameter in /worksheet/agent_worksdel.jsp: the application incorporates user-supplied input into a SQL query without sanitizing it, so an attacker can inject SQL that alters the intended query logic. The root cause is the absence of parameterized queries or prepared statements, which would keep attacker-controlled data from being interpreted as part of the query. The lack of input validation, such as filtering or escaping special characters, further exacerbates the issue. The vulnerable code likely concatenates the ID parameter directly into a SQL query string.
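The following is an added illustration of the root cause and its fix; it is not code from Yonyou KSOA, whose agent_worksdel.jsp source is not on this page. It uses Python's sqlite3 module with a constructed worksheet table and a constructed tampered ID value to show the two behaviours side by side: a query built by string concatenation (the pattern the advisory describes) lets the parameter rewrite the WHERE clause, while the hardened handler validates the ID as an integer and binds it as a query parameter so the driver never treats it as SQL. The table name, column names and sample rows are assumptions for the demonstration only; the JDBC equivalent of the hardened form is a PreparedStatement with a bound parameter.

```python
import sqlite3

# Constructed sample data standing in for the application's worksheet table;
# the real schema of Yonyou KSOA is not on the page and is not assumed here.
SEED_ROWS = [(1, "agent-a"), (2, "agent-b"), (3, "agent-c")]


def fresh_db():
    """Create an in-memory database holding the constructed worksheet table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE worksheet (id INTEGER PRIMARY KEY, agent TEXT)")
    conn.executemany("INSERT INTO worksheet VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def delete_worksheet_vulnerable(conn, raw_id):
    """The pattern the advisory describes: the request parameter is concatenated
    straight into the SQL text, so its contents become part of the query logic.
    Returns the number of rows deleted."""
    sql = "DELETE FROM worksheet WHERE id = " + raw_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_worksheet_hardened(conn, raw_id):
    """Hardened form: reject anything that is not an integer id, then bind the
    value as a query parameter so the driver never interprets it as SQL.
    Returns the number of rows deleted (0 when the input is rejected)."""
    try:
        worksheet_id = int(raw_id)
    except (TypeError, ValueError):
        # Invalid id: a real handler would respond 400 and log the attempt
        # for the SOC rather than silently returning.
        return 0
    cur = conn.execute("DELETE FROM worksheet WHERE id = ?", (worksheet_id,))
    conn.commit()
    return cur.rowcount


def remaining_rows(conn):
    """Helper used to observe how many worksheet rows survived a call."""
    return conn.execute("SELECT COUNT(*) FROM worksheet").fetchone()[0]


if __name__ == "__main__":
    # Constructed input that widens the WHERE clause instead of naming one row.
    tampered_id = "1 OR 1=1"

    conn = fresh_db()
    print("vulnerable, normal id:   deleted", delete_worksheet_vulnerable(conn, "3"))
    conn = fresh_db()
    print("vulnerable, tampered id: deleted", delete_worksheet_vulnerable(conn, tampered_id))

    conn = fresh_db()
    print("hardened, normal id:     deleted", delete_worksheet_hardened(conn, "3"))
    conn = fresh_db()
    print("hardened, tampered id:   deleted", delete_worksheet_hardened(conn, tampered_id))
```

The integer check is defence in depth, not a substitute for the bound parameter: parameter binding is what prevents the injection, while the type check additionally turns malformed IDs into a clean client error that can be logged and alerted on.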