### Summary

Yonyou has been productive lately; not sure whether this one is a duplicate.

### Details

Vulnerable files:

- /background/recievesms.php
- /background/timeoutlogin.php

```php
$sql = "UPDATE tc_background_task SET plan_start_time=".tdb_todatebystring( $timestr )." WHERE org_id=0 AND bg_task_id=".$ID;
$gblDB->execute( $sql );
$sql = "SELECT bg_server_ip FROM tc_background_task WHERE org_id=0 AND bg_task_id=".$ID;
$rs = $gblDB->query( $sql );
```

In both files the `ID` parameter is concatenated straight into the SQL statement without any filtering, so the query is executed with attacker-controlled input.

### Proof of vulnerability

```
http://58.220.225.28:8080/background/recievesms.php?ID=1
http://58.220.225.28:8080/background/timeoutlogin.php?ID=1
```

[![xx.png](https://images.seebug.org/upload/201408/11014329e656d3968be6c088cd4267ab2dbf22a0.png)](https://images.seebug.org/upload/201408/11014329e656d3968be6c088cd4267ab2dbf22a0.png)

[![databases.png](https://images.seebug.org/upload/201408/110154468ebdf7555ae5d082808518f6e0ac31a3.png)](https://images.seebug.org/upload/201408/110154468ebdf7555ae5d082808518f6e0ac31a3.png)

Google keyword: 用友TurboCRM inurl:login.php (if sqlmap cannot `--dbs`, try `--tables` directly)
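As an added example (not code from the report or from TurboCRM), the two queries above rewritten so that `ID` is validated as an integer and bound through a PDO prepared statement instead of being concatenated. The `$pdo` connection, its DSN, and the use of a plain DATETIME string in place of the product's unseen `tdb_todatebystring()` helper are assumptions.

```php
<?php
// Added hardening example; not the original TurboCRM code.
// Assumptions: a PDO connection in $pdo, bg_task_id is an integer column,
// and plan_start_time accepts a 'Y-m-d H:i:s' string (the page's own
// tdb_todatebystring() helper is not shown, so it is not reproduced here).
declare(strict_types=1);

function validateTaskId(array $request): int
{
    // Reject anything that is not a positive integer before it reaches SQL.
    // This alone stops the injection; the prepared statement below is the
    // second layer, so the query stays safe even if validation is bypassed.
    $id = filter_var($request['ID'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        exit('invalid ID');
    }
    return $id;
}

function scheduleTaskAndGetServer(PDO $pdo, int $id, string $planStart): ?string
{
    // Placeholders keep the statement text fixed; values travel separately,
    // so a value like "1 OR 1=1" can never change the query's structure.
    $upd = $pdo->prepare(
        'UPDATE tc_background_task SET plan_start_time = :start
          WHERE org_id = 0 AND bg_task_id = :id'
    );
    $upd->bindValue(':start', $planStart, PDO::PARAM_STR);
    $upd->bindValue(':id', $id, PDO::PARAM_INT);
    $upd->execute();

    $sel = $pdo->prepare(
        'SELECT bg_server_ip FROM tc_background_task
          WHERE org_id = 0 AND bg_task_id = :id'
    );
    $sel->bindValue(':id', $id, PDO::PARAM_INT);
    $sel->execute();
    $ip = $sel->fetchColumn();
    return $ip === false ? null : (string) $ip;
}

// Usage with an assumed DSN and credentials.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=turbocrm', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // force server-side prepares
]);
$serverIp = scheduleTaskAndGetServer($pdo, validateTaskId($_GET), date('Y-m-d H:i:s'));
```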