Hongjing HCM Time Based SQL Injection Scanner

Detects a time-based SQL injection vulnerability in Hongjing HCM.

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 16 days 3 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -

Hongjing HCM is a comprehensive human capital management system widely used by organizations to manage employee information, payroll, and administrative tasks. Businesses of all sizes and sectors leverage this software to streamline HR processes and improve operational efficiency. The system offers various modules that can be customized to meet specific organizational needs. It is deployed in environments that require the protection of sensitive employee data and integration with existing IT infrastructure. Due to its wide usage, ensuring the security of all components of the Hongjing HCM system is critical. Users rely on it not only for daily operations but also for strategic decision-making and planning.

The SQL injection vulnerability in Hongjing HCM affects the /gz/LoadOtherTreeServlet interface. It allows unauthenticated remote attackers to inject malicious SQL commands into the database query. Exploiting this flaw could enable attackers to execute arbitrary commands on the underlying operating system using database features. The issue arises because user input is not properly sanitized before it reaches the query, so potentially harmful sequences can modify the execution of SQL commands. As a result, an attacker could compromise the system's integrity or even gain full administrative access. Quick remediation is essential due to the ease of exploitation and the impact of potential system control loss.

The vulnerable endpoint is /gz/LoadOtherTreeServlet, and the unprotected input parameter is modelflag. Attackers can append SQL statements to this parameter and combine them with database functions such as xp_cmdshell to achieve remote command execution. The HTTP request used for the check includes a time delay (WAITFOR DELAY), which serves as a blind test: a correspondingly delayed response confirms that the injected statement ran. The presence of certain XML elements in the HTTP response is used as an additional indicator. This vulnerability shows how unfiltered inputs can compromise database interactions and system security.
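A detection sketch for the request pattern described above, added here as an example and not part of the scanner or the vendor's code: it flags access-log lines that reach /gz/LoadOtherTreeServlet with WAITFOR DELAY or xp_cmdshell in modelflag, including double URL-encoded values. The combined log format, the parameter appearing in the query string, the optional context-path prefix, and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

ENDPOINT = "/gz/LoadOtherTreeServlet"  # endpoint named on this page
PARAM = "modelflag"                    # parameter named on this page
SUSPICIOUS = {                         # keywords named on this page
    "waitfor-delay": re.compile(r"waitfor\s+delay", re.I),
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
}
# Assumption: combined log format, request line in a quoted field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested URL-encoding (e.g. %2520) a bounded number of times."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return the sorted indicator names matched by one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    # endswith() tolerates a deployment context path in front (assumption).
    if not parts.path.lower().endswith(ENDPOINT.lower()):
        return []
    hits = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() == PARAM:
            text = fully_decode(value)  # parse_qsl already decoded once
            hits.update(k for k, rx in SUSPICIOUS.items() if rx.search(text))
    return sorted(hits)

def scan(lines):
    """Return (line_number, indicators) for every flagged line."""
    return [(i, h) for i, line in enumerate(lines, 1) if (h := inspect_line(line))]

SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /gz/LoadOtherTreeServlet?modelflag=4 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /gz/LoadOtherTreeServlet?modelflag=4%3BWAITFOR%20DELAY%20%270%3A0%3A5%27 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /hr/gz/LoadOtherTreeServlet?modelflag=4%253BWAITFOR%2520DELAY%2520x%253Bexec%2520XP_CmdShell HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2025:10:00:12 +0000] "GET /index.jsp?q=waitfor+delay HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Requests that carry modelflag in a POST body do not appear in a standard access log; the same matching would have to run on WAF or application logs that record the body.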

When this vulnerability is exploited, an attacker can gain unauthorized access to sensitive information stored in the database. This could result in data breaches, unauthorized data manipulation, or theft of personally identifiable information (PII). Furthermore, using mechanisms like xp_cmdshell, attackers might execute additional commands to escalate privileges, potentially taking full control of the server. This access level could disrupt business operations, manipulate critical data, or introduce malicious software affecting multiple organizational layers. The breach could lead to financial loss, legal repercussions, and damage to the organization's reputation.
