A vulnerability has been found in Yonyou KSOA 9.0. Affected is an unknown function of the file /worksheet/work_edit.jsp. Manipulation of the argument Report leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Yonyou KSOA 9.0 contains a SQL injection flaw in /worksheet/work_edit.jsp: the value of the Report parameter reaches a database query without being neutralized, so a remote attacker can alter the query and read, and possibly modify, contents of the application's database. How far that reaches beyond the database depends on the privileges of the account the application connects with. Two factors raise the urgency: a working exploit is public, and the vendor has not responded, so no fixed version is known. Organizations running this software should treat the exposure as immediate and apply compensating controls now (restrict network access to the endpoint, filter the Report parameter at a reverse proxy or WAF, and reduce the privileges of the application's database account) rather than wait for a patch.
Step 1: Payload Delivery: The attacker crafts a malicious SQL injection payload and includes it within the Report parameter of a specially crafted HTTP request to /worksheet/work_edit.jsp. This request is sent to the vulnerable Yonyou KSOA 9.0 server.
Step 2: Request Processing: The server receives the HTTP request and processes the Report parameter's value.
Step 3: Query Construction: The application's code constructs a SQL query, directly incorporating the attacker-supplied Report parameter without proper sanitization.
Step 4: Query Execution: The database server executes the maliciously crafted SQL query, which includes the attacker's injected code.
Step 5: Data Exfiltration/System Compromise: Depending on the injected payload, the attacker can read data the query was never meant to return (usernames, password hashes, other tables in the same database) or, where the database account has write access, modify it. Whether the attack can go further, for example to command execution on the database host, depends on the database engine and on the privileges granted to the application's account; the advisory does not establish that, so it should be treated as a possible escalation rather than a confirmed outcome.
The root cause is that work_edit.jsp builds a database query from the Report parameter without parameterization: the user-supplied value is placed into the SQL text instead of being bound as a parameter, so an attacker can close the intended string literal and append SQL of their own, changing the query's logic and reading sensitive data held in the same database, such as user credentials, financial records and other confidential information. The fix is to bind the value with a prepared statement (in JSP/JDBC, a PreparedStatement with ? placeholders) on every code path that touches Report, and, as defense in depth, to validate that the value matches the format the application expects (for instance an identifier pattern) before it is used. Escaping the value is a weaker substitute: it is easy to miss a code path or a non-string context, whereas a bound parameter cannot change the shape of the query regardless of its content.
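The flow in Steps 1 to 5 and the remediation described in the root-cause paragraph, as an added example that is not code from Yonyou KSOA or from this advisory: a Python/sqlite3 model of a worksheet lookup keyed on Report, run once with the value spliced into the SQL text (the pattern the advisory describes) and once with the value bound as a parameter. The schema, rows, password hash and payload are all constructed for the example; the real query behind work_edit.jsp is not public, and the payload is illustrative rather than the disclosed exploit.

```python
import sqlite3

# Constructed stand-in for the application's database. The real schema behind
# /worksheet/work_edit.jsp is not public: the table and column names, the rows
# and the hash are assumptions for illustration only.
SCHEMA = """
CREATE TABLE worksheet (id INTEGER PRIMARY KEY, report TEXT, owner TEXT, body TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO worksheet VALUES (1, 'WS-1001', 'alice', 'quarterly summary');
INSERT INTO worksheet VALUES (2, 'WS-1002', 'bob', 'inventory audit');
INSERT INTO users VALUES (1, 'admin', '$2b$12$constructed.example.hash');
"""

# Constructed payload (not the disclosed exploit). It closes the string literal,
# widens the WHERE clause with a tautology, then UNIONs a second table that has
# the same column count. The trailing WHERE '1'='1 re-balances the closing quote
# the application appends, so no comment sequence is needed.
PAYLOAD = (
    "x' OR 1=1 UNION SELECT id, username, password_hash, 'users' "
    "FROM users WHERE '1'='1"
)


def build_db():
    """Create an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, report):
    """Pattern the advisory describes: the Report value is spliced into the
    SQL text, so quotes and keywords inside it are parsed as SQL."""
    sql = "SELECT id, report, owner, body FROM worksheet WHERE report = '%s'" % report
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, report):
    """Remediated form: the value is bound as a parameter and travels as data,
    so a quote or keyword inside it cannot change the query's shape. The JDBC
    equivalent in a JSP is a PreparedStatement with a ? placeholder."""
    sql = "SELECT id, report, owner, body FROM worksheet WHERE report = ?"
    return conn.execute(sql, (report,)).fetchall()


def leaked_users(rows):
    """Usernames that surfaced in a worksheet result. The fourth column is the
    worksheet body for genuine rows and the marker 'users' for rows the UNION
    pulled from the users table, so any hit means the injection worked."""
    return sorted(r[1] for r in rows if r[3] == "users")


def demo():
    """Run both lookups against a benign value and against the payload."""
    conn = build_db()
    return {
        "benign_vulnerable": lookup_vulnerable(conn, "WS-1001"),
        "benign_parameterized": lookup_parameterized(conn, "WS-1001"),
        "payload_vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "payload_parameterized": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    results = demo()
    for name, rows in results.items():
        print(f"{name}: {len(rows)} row(s)")
        for row in rows:
            print("   ", row)
    print("leaked via vulnerable path:", leaked_users(results["payload_vulnerable"]))
```

Against the benign value both lookups return the single matching worksheet row. Against the payload the spliced query returns every worksheet row plus the admin row from the users table, while the parameterized query returns nothing, because no worksheet has a Report value equal to the literal payload string. The same contrast holds for the JDBC code a JSP would use: a Statement built by string concatenation behaves like lookup_vulnerable, a PreparedStatement like lookup_parameterized.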