EnjoyRMIS SQL Injection Scanner

EnjoyRMIS is an enterprise resource management system used by organizations to facilitate efficient resource management and optimize their operations. It is commonly utilized by mid to large-sized businesses to handle business processes such as human resources, financial management, and operations. The software aids in streamlining workflows by integrating various modules into a single cohesive system. Companies implement EnjoyRMIS to improve data accuracy and accessibility in fulfilling their operational needs. Its flexibility allows organizations to customize workflows specific to their departmental requisites. The system is designed to increase productivity and facilitate better decision-making through comprehensive reporting tools.

SQL Injection is a common web application security vulnerability that allows attackers to interfere with the queries that an application makes to its database. This vulnerability can lead to unauthorized access to database content, allowing attackers to retrieve, modify, or delete the data. Specifically, it exploits improper validation of user input within database queries and is one of the leading causes of data breaches. A successful SQL injection attack can result in serious consequences, such as identity theft, financial loss, and unauthorized access to sensitive business information. Penetrators exploit this vulnerability to alter application behavior by injecting malicious SQL code. This vulnerability can affect any web application or system that relies on SQL databases if proper control measures aren't in place.

The EnjoyRMIS software had a specific vulnerability in its GetOAById function, where SQL injection could be executed due to insufficient validation of the sId parameter passed in HTTP requests. Exploiting this involves sending crafted requests with malicious SQL code appended to the sId parameter. The application fails to sanitize this user input, allowing the malicious code to be executed directly against the database. By manipulating the sId field, attackers can extract or manipulate data stored in the database which could have profound impacts on system integrity. Such attacks may involve observing different server responses to infer database schema and content. Attackers need an active connection and the knowledge of specific SQL syntax to exploit these vulnerabilities successfully.

Exploiting the SQL injection vulnerability in EnjoyRMIS can lead to unauthorized data access, data alteration, and potentially full server compromise. Malicious individuals can extract sensitive corporate data, affecting confidentiality and integrity of the business operations. This vulnerability gives attackers the opportunity to inject commands that can modify database contents, steal client data—leading to identity theft—and disrupt services within the organization. Furthermore, successful exploitation can lead to the delivery of malicious payloads to compromise end-user systems or facilitate lateral movement within the network. This may result in financial and reputational damage to the affected organization, as well as loss of client trust.

REFERENCES

• https://github.com/wy876/POC/blob/main/EnjoyRMIS-GetOAById%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6% BC%8F%E6%B4%9E.md