Aaluoxiang OA System SQL Injection Vulnerability in External Address Book Handler
Vulnerability
A critical SQL injection vulnerability has been identified in the Aaluoxiang OA System, specifically in the master branch up to commit c3a08168c144f27256a90838492c713f55f1b207. The issue arises in the 'outAddress' function of the External Address Book Handler, where improper handling of input allows for SQL injection attacks. This vulnerability requires authentication to exploit and can be initiated remotely.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to access or modify database information. This could lead to unauthorized data exposure or alteration.
Reproduction
To reproduce this vulnerability, log into the application using any account. Navigate to the external address book feature and use the search function. The SQL injection can be performed by injecting a crafted SQL payload into the search input, which the application does not properly sanitize before executing the database query. This can be verified by using a SQL injection technique, such as appending a SQL payload that alters the query's logic, and observing the application's response for signs of successful exploitation, such as error messages or unexpected data retrieval.
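The class of defect described above, shown as an added example that is not code from the Aaluoxiang OA project: a search query built by string concatenation beside a version that binds the term as a parameter and escapes LIKE wildcards. The table and column names, the sample rows and the search terms are constructed assumptions, and SQLite stands in for the application's database.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical.
ROWS = [(1, "alice", "Alice Wu"), (2, "alice", "Bob Chen"),
        (3, "carol", "Dan 100% Ltd")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE out_address (id INTEGER, owner TEXT, name TEXT)")
    db.executemany("INSERT INTO out_address VALUES (?, ?, ?)", ROWS)
    return db

def search_concat(db, owner, term):
    # Anti-pattern: the search term becomes part of the SQL text, so a
    # quote in the term ends the string literal and changes the query.
    sql = ("SELECT name FROM out_address WHERE owner = '" + owner +
           "' AND name LIKE '%" + term + "%'")
    return [r[0] for r in db.execute(sql)]

def escape_like(term, esc="\\"):
    # Escape LIKE metacharacters so the term is matched literally.
    # The escape character itself must be handled first.
    for ch in (esc, "%", "_"):
        term = term.replace(ch, esc + ch)
    return term

def search_bound(db, owner, term):
    # Hardened: owner and term are bound values, never SQL text.
    sql = ("SELECT name FROM out_address WHERE owner = ? "
           "AND name LIKE ? ESCAPE '\\'")
    pattern = "%" + escape_like(term) + "%"
    return [r[0] for r in db.execute(sql, (owner, pattern))]

# Constructed regression input: a term containing quote characters.
QUOTED_TERM = "' OR '%'='"

def compare(owner, term):
    # Run the same search through both code paths on a fresh database.
    db = make_db()
    return search_concat(db, owner, term), search_bound(db, owner, term)

if __name__ == "__main__":
    for term in ("Ali", QUOTED_TERM):
        print(repr(term), compare("alice", term))
```

With the bound query the quoted term is only a string to match, so it returns no rows, while the concatenated query returns rows belonging to other owners; that difference is the regression check to keep after a fix.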
