Seeyon OA SQL Injection Scanner

Detects an SQL Injection (SQLi) vulnerability affecting Seeyon OA A6.

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 15 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -

Seeyon OA A6 is an enterprise office automation software widely used by organizations to manage communications, tasks, and document processes. It helps in streamlining office workflows and provides tools for task management, meeting scheduling, and document sharing. The software is commonly used by businesses of various sizes to enhance productivity and maintain digital records of operations. Seeyon OA A6 is also implemented for improving collaboration among team members across different departments. With its multitude of features, Seeyon OA stands as a crucial tool for efficient office management and is often integrated with additional software for enhanced functionalities.

SQL Injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It can allow attackers to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself can access. In some cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior. In the case of Seeyon OA A6, the vulnerability is present due to improper sanitization of user inputs. Successfully exploiting this vulnerability can allow attackers to execute arbitrary SQL commands in the database.

The technical specifics related to the SQL Injection vulnerability within Seeyon OA A6 involve the setextno.jsp endpoint. An HTTP GET request can be crafted in a way that manipulates the user_ids parameter through a union-based SQL Injection technique. Attackers use this to append their queries to the existing query structure. The vulnerable parameter does not properly escape or validate user inputs, making it possible to perform actions using SQL syntax, like extracting sensitive information such as usernames and passwords. This technique relies heavily on injecting a crafted payload that modifies the expected database call.
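
A defender-side check for the request pattern described above, as an added example that is not part of the original page or the scanner's own code: it flags access-log entries for setextno.jsp whose user_ids value contains SQL syntax, including double-encoded input. The combined log format, the /example-path/ prefix, the sample lines and the assumption that legitimate user_ids values are comma-separated numeric IDs are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# SQL syntax that has no place in an identifier list (assumption: user_ids
# normally carries comma-separated numeric ids).
SQL_TOKENS = re.compile(r"\b(union|select|from|sleep|concat)\b|--|#|/\*|['\"();]", re.I)
ID_LIST = re.compile(r"^\d+(,\d+)*$")


def inspect_line(line):
    """Return a finding dict for a suspicious setextno.jsp request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/setextno.jsp"):
        return None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() != "user_ids":
            continue
        # parse_qsl decoded once; decode again to catch double-encoded input.
        decoded = unquote_plus(value)
        if ID_LIST.match(decoded):
            continue  # plain numeric id list, nothing to report
        tokens = sorted({t.group(0).lower() for t in SQL_TOKENS.finditer(decoded)})
        return {"client": line.split(" ", 1)[0], "value": decoded,
                "severity": "high" if tokens else "review", "tokens": tokens}
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and keep the findings."""
    return [f for f in map(inspect_line, lines) if f]


# Constructed sample log lines (addresses, paths and values are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /example-path/setextno.jsp?user_ids=12,15 HTTP/1.1" 200 310',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /example-path/setextno.jsp?user_ids=1%29%20UNION%20SELECT%201%23 HTTP/1.1" 200 998',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /example-path/setextno.jsp?user_ids=1%2529%2520union%2520select%25201 HTTP/1.1" 200 998',
    '203.0.113.4 - - [01/Jan/2024:10:01:00 +0000] "GET /example-path/index.jsp?user_ids=abc HTTP/1.1" 200 120',
    '203.0.113.4 - - [01/Jan/2024:10:02:00 +0000] "GET /example-path/setextno.jsp?user_ids=abc HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings marked "review" are values that fail the numeric allowlist without matching a SQL token, so they merit a look rather than an alert.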

Exploitation of this SQL Injection vulnerability could lead to significant security breaches within an organization using Seeyon OA A6. Attackers may gain unauthorized access to sensitive information such as user credentials, confidential company data, and internal communications. This data can be used for further attacks, including identity theft, corporate espionage, and business disruption. If the vulnerability allows for privilege escalation, attackers could gain admin control, altering or deleting important data, affecting the integrity and availability of the service. Such breaches can result in financial losses, legal penalties, and reputational damage for the affected organization.
