Jinher Network OA SQL Injection Vulnerability in NetDiskProperty.aspx

Vulnerability

A critical SQL injection vulnerability has been identified in Jinher Network OA C6, specifically in the file '/C6/JHSoft.Web.NetDisk/NetDiskProperty.aspx'. The vulnerability arises from the manipulation of the 'id' argument, allowing remote attackers to inject malicious SQL commands. This exploitation could lead to unauthorized access to sensitive data. The vulnerability has been publicly disclosed, and a proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by sending a GET request to '/C6/JHSoft.Web.NetDisk/NetDiskProperty.aspx' with a crafted 'id' parameter that includes SQL injection payloads. The injected SQL code is executed by the application, allowing the attacker to manipulate the database. After the injection, the response can be analyzed to confirm the exploitation, such as by extracting database information or causing a delay in the response, indicating successful injection.
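A defender-side check for this issue, added here as an example that is not part of the advisory: a small Python scanner over IIS-style access log lines that flags requests to the affected path whose 'id' parameter is not a plain number, contains SQL syntax, or came back unusually slowly (the response-delay signal the advisory mentions). The log field order, the assumption that 'id' is numeric, the threshold and the sample lines are constructed assumptions, not data from the product or any real system.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (not from any real system). Assumed field
# order: date, time, client IP, method, URI stem, URI query, status, time-taken (ms).
SAMPLE_LOG = """\
2025-06-09 19:46:01 203.0.113.10 GET /C6/JHSoft.Web.NetDisk/NetDiskProperty.aspx id=1024 200 31
2025-06-09 19:46:05 203.0.113.10 GET /C6/JHSoft.Web.NetDisk/NetDiskProperty.aspx id=1024'+AND+1=1-- 200 28
2025-06-09 19:46:12 203.0.113.10 GET /C6/JHSoft.Web.NetDisk/NetDiskProperty.aspx id=1024;WAITFOR+DELAY+'0:0:5'-- 200 5031
2025-06-09 19:47:00 198.51.100.7 GET /C6/JHSoft.Web.Index/default.aspx - 200 12
"""

VULN_PATH = "/c6/jhsoft.web.netdisk/netdiskproperty.aspx"
# Quote/comment characters and common SQL keywords; a coarse signal, tuned for the
# expectation that a legitimate 'id' is a bare number (assumption).
SQL_TOKENS = re.compile(r"(['\";]|--|/\*|\b(or|and|union|select|waitfor|delay|sleep)\b)", re.I)
SLOW_MS = 3000  # time-taken above this corroborates a time-based probe (assumed threshold)


def id_value(query):
    """Return the URL-decoded 'id' parameter, or None if absent.
    Split on '&' only, so a ';' inside the value is preserved for inspection."""
    for part in query.split("&"):
        if part.startswith("id="):
            return unquote_plus(part[3:])
    return None


def analyze_line(line):
    """Return a finding dict for a request to the affected page, else None."""
    fields = line.split()
    if len(fields) != 8:
        return None
    date, time_, ip, method, stem, query, status, taken = fields
    if stem.lower() != VULN_PATH or query == "-":
        return None
    id_val = id_value(query)
    if id_val is None:
        return None
    reasons = []
    if not id_val.isdigit():
        reasons.append("non-numeric id")
    if SQL_TOKENS.search(id_val):
        reasons.append("sql tokens in id")
    if int(taken) >= SLOW_MS:
        reasons.append(f"slow response {taken}ms")
    return {"time": f"{date} {time_}", "ip": ip, "id": id_val, "reasons": reasons}


def find_suspicious(log_text):
    """Collect only the requests that triggered at least one heuristic."""
    return [r for r in map(analyze_line, log_text.splitlines()) if r and r["reasons"]]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Run it against real logs by feeding the file contents to `find_suspicious`; a slow hit with SQL tokens on this path is worth correlating with database audit logs for the same timestamp.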

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.