CVE-2025-15434

MEDIUM 6.9 / 10.0
Published: January 2, 2026 at 07:15 AM
Modified: January 7, 2026 at 05:57 PM
Source: cna@vuldb.com

Vulnerability Description

A vulnerability was detected in Yonyou KSOA 9.0. Affected is an unknown function of the file /kp/PrintZPYG.jsp. The manipulation of the argument zpjhid results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Metrics

Base Score: 6.9
Severity: MEDIUM
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: cna@vuldb.com

AI Security Analysis

01 // Technical Summary

Yonyou KSOA 9.0 is vulnerable to a remotely exploitable SQL injection flaw (rated MEDIUM, base score 6.9) in the /kp/PrintZPYG.jsp file. The flaw stems from improper sanitization of the zpjhid parameter, which lets an attacker alter the SQL the application runs against its database, potentially leading to data breaches and, depending on the database user's privileges, wider compromise. The vendor did not respond to the disclosure and a public exploit is available, making this a high-priority issue for exposed deployments.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: The attacker crafts a malicious HTTP request targeting /kp/PrintZPYG.jsp. The request includes a crafted zpjhid parameter containing a SQL injection payload.

Step 2: Request Processing: The web server receives the malicious request and passes it to the PrintZPYG.jsp script.

Step 3: Query Construction: The PrintZPYG.jsp script constructs a SQL query using the value of the zpjhid parameter. Because the input is not sanitized, the attacker's injected SQL code is incorporated into the query.

Step 4: Database Execution: The crafted SQL query, now containing the attacker's payload, is executed against the database.

Step 5: Data Exfiltration/Manipulation: The attacker's injected SQL code executes, allowing them to potentially read sensitive data, modify existing data, or even gain control of the database server, depending on the privileges of the database user used by the application.

03 // Deep Technical Analysis

The vulnerability lies within the /kp/PrintZPYG.jsp file in Yonyou KSOA 9.0; the advisory does not identify the affected function. The zpjhid parameter, likely used to retrieve data from a database, is not properly sanitized before being used in a SQL query. The root cause is a lack of input validation and parameterized queries: the application concatenates user-supplied input directly into a SQL statement without escaping special characters or using prepared statements. An attacker can therefore craft a value that alters the intended query, potentially leading to unauthorized data access, modification, or even remote code execution if the database user has sufficient privileges.
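For defenders reviewing web logs, the following added example (not part of the advisory or of any vendor code) flags requests to the affected endpoint whose zpjhid value falls outside an allow-list. It assumes Combined Log Format access logs and that legitimate zpjhid values are short alphanumeric identifiers; the function name and SAMPLE_LOG lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TARGET_PATH = "/kp/PrintZPYG.jsp"  # affected file named in the advisory
TARGET_PARAM = "zpjhid"            # affected argument named in the advisory
# Assumption: legitimate zpjhid values are short alphanumeric identifiers.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Combined Log Format: client ... "METHOD URI PROTOCOL" status ...
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jan/2026:10:01:02 +0000] '
    '"GET /kp/PrintZPYG.jsp?zpjhid=ZP20260103 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Jan/2026:10:05:40 +0000] '
    '"GET /kp/PrintZPYG.jsp?zpjhid=1%27%20-- HTTP/1.1" 500 312',
    '198.51.100.7 - - [03/Jan/2026:10:05:41 +0000] '
    '"GET /kp/Other.jsp?zpjhid=1%27 HTTP/1.1" 404 0',
    '203.0.113.5 - - [03/Jan/2026:10:06:00 +0000] '
    '"GET /ksoa/kp/PrintZPYG.jsp;jsessionid=AB12?zpjhid=ZP-0042 HTTP/1.1" 200 100',
]

def suspicious_requests(lines):
    """Return (client, status, decoded_value) for each request to the
    affected endpoint whose zpjhid value is outside the allow-list.
    Only query-string values are visible; POST bodies are not logged."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        client, uri, status = m.groups()
        parts = urlsplit(uri)
        # Drop ";jsessionid=..." path parameters; tolerate a context-path
        # prefix and case-insensitive file systems.
        path = parts.path.split(";", 1)[0].lower()
        if not path.endswith(TARGET_PATH.lower()):
            continue
        # parse_qsl percent-decodes, so encoded metacharacters are compared
        # in decoded form.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key == TARGET_PARAM and not SAFE_VALUE.fullmatch(value):
                hits.append((client, int(status), value))
    return hits
```

Tighten SAFE_VALUE to the identifier format actually used in your deployment; a hit combined with a 5xx status is worth correlating with database error logs.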
