Xinhu Rainrock RockOA
cpe:2.3:a:rockoa:xinhu:*:*:*:*:*:*:*
- 2.7.0
A SQL injection vulnerability has been identified in Xinhu Rainrock RockOA version 2.7.0. The issue resides in the getselectdataAjax method of the inputAction.php file. Attackers can exploit it by injecting malicious SQL through the actstr parameter, which is supplied in Base64-encoded form. The injection allows for the extraction of sensitive information from the database, including administrator accounts, password hashes, database structure, and other critical data.
Successful exploitation could lead to complete database compromise, exposing sensitive information such as administrator accounts, password hashes, the overall database structure, and potentially other critical data.
To reproduce this vulnerability, send a request to the index.php file with the actstr parameter containing a Base64-encoded SQL injection payload. The flaw is a time-based blind injection, so the payload can, for example, include a sleep command. The request must include a valid session cookie.
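A defensive check for the request pattern described above, as an added example that is not part of the original advisory or of RockOA's code: it Base64-decodes actstr values found in web access logs and flags those whose decoded content contains SQL tokens such as a sleep call. The log format, the presence of actstr in the query string, the token list and the sample lines are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Tokens typical of time-based blind and data-extraction SQL injection (assumed list).
SQLI_TOKENS = re.compile(
    r"\bsleep\s*\(|\bbenchmark\s*\(|\bunion\b.{0,40}\bselect\b|\binformation_schema\b",
    re.IGNORECASE | re.DOTALL,
)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_actstr(value):
    """Base64-decode an actstr value; return None if it is not valid Base64."""
    # parse_qs turns '+' into a space; also accept the URL-safe alphabet.
    value = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def suspicious_actstr(url):
    """Return the decoded actstr if it contains SQL injection tokens, else None."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for raw in query.get("actstr", []):
        decoded = decode_actstr(raw)
        if decoded and SQLI_TOKENS.search(decoded):
            return decoded
    return None

def scan(log_lines):
    """Yield (line_number, decoded_actstr) for flagged access-log lines."""
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        hit = suspicious_actstr(match.group(1)) if match else None
        if hit:
            yield number, hit

def encode_sample(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample lines (combined log format, documentation IP address).
LINE = '198.51.100.4 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php%s HTTP/1.1" 200 512'
SAMPLE_LOG = [
    LINE % ("?actstr=" + encode_sample("benign,value")),
    LINE % ("?actstr=" + encode_sample("x' AND SLEEP(5)-- ")),
    LINE % "",
]
```

If the deployment sends actstr in the POST body, the same `decode_actstr` and token check can be applied to body fields captured by a WAF or application log.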