Seeyon Zhiyuan OA Web Application System SQL Injection Vulnerability in Car Manager Function

A SQL injection vulnerability has been identified in the Seeyon Zhiyuan OA Web Application System, specifically in version 1.0 prior to 20251222. The issue arises in the carManager function, within the file carUseDetailList.j73p. The vulnerability allows attackers to inject malicious SQL queries through the CAR_BRAND_NO parameter, exploiting the application's failure to properly sanitize user input before it is used in SQL commands. This flaw can be exploited remotely, without the need for authentication.

Impact

Exploitation of this vulnerability allows for unauthorized database access, manipulation of SQL queries, and potential execution of arbitrary SQL commands. This could lead to unauthorized data access, data modification, and in some cases, execution of administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a POST request to the carManager/carUseDetailList.j73p endpoint with the CAR_BRAND_NO parameter. The injection can be performed using stacked SQL queries or UNION-based payloads, taking advantage of the application's SQL query handling.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.