Submission #828375: Chanjet Chanjet CRM V1.0 SQL Injection Information

Title: Chanjet Chanjet CRM V1.0 SQL Injection

Description: A SQL injection vulnerability exists in Chanjet CRM V1.0 in the /tools/jxf_dump_systable.php component. The gblOrgID parameter is directly concatenated into backend SQL queries without proper validation, escaping, or parameterized queries. An unauthenticated remote attacker can manipulate this parameter to inject arbitrary SQL statements.

Affected component: /tools/jxf_dump_systable.php
Affected parameter: gblOrgID
Attack vector: Remote HTTP GET request
Authentication required: No

Proof of Concept:

    GET /tools/jxf_dump_systable.php?id=1&gblOrgID=1+AND+(SELECT+8198+FROM+(SELECT(SLEEP(5)))TIhN)&DontCheckLogin=1 HTTP/1.1
    Host: <authorized-test-host>
    User-Agent: Mozilla/5.0
    Accept: */*
    Connection: close

When the payload is injected into the gblOrgID parameter, the server response is delayed, confirming a time-based SQL injection vulnerability.

Impact: Successful exploitation may allow an unauthenticated remote attacker to execute arbitrary SQL queries against the backend database. This may lead to unauthorized access to sensitive user data, business information, database enumeration, and potential privilege escalation depending on database privileges.

Recommended fix: Use parameterized queries or prepared statements for all SQL operations involving user-controlled input. The vendor should also apply strict input validation to the gblOrgID parameter, restrict or remove the DontCheckLogin=1 behavior, and review other files under the /tools/ directory for similar issues.

Disclosure status: Vendor coordination pending.
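The fix the submission recommends, shown as an added PHP example that is not the Chanjet CRM source (the submission does not include the affected file's code): the concatenation pattern it describes next to a hardened handler that enforces the login check unconditionally, validates gblOrgID as a positive integer and binds it in a prepared statement. The table name sys_org, the column org_id, the session key user_id and the mysqli connection are all assumptions made for the example.

```php
<?php
// Added example, not the Chanjet CRM source. Table/column names, the session
// key and the mysqli connection are hypothetical placeholders.
declare(strict_types=1);

/**
 * Pattern the submission describes: the raw query-string value is spliced into
 * the SQL text, so a value like "1 AND (SELECT SLEEP(5))" is executed as SQL
 * instead of being treated as data. Shown only to contrast with the safe version.
 */
function dumpSysTableUnsafe(mysqli $db, array $get): mysqli_result|bool
{
    $orgId = $get['gblOrgID'] ?? '';               // untrusted, never validated
    $sql   = "SELECT * FROM sys_org WHERE org_id = " . $orgId;
    return $db->query($sql);
}

/**
 * Hardened version: authentication is mandatory (a DontCheckLogin flag in the
 * request is ignored rather than honoured), gblOrgID must be a positive
 * integer, and the value is bound as a parameter so the database never parses
 * it as SQL.
 */
function dumpSysTableSafe(mysqli $db, array $get, array $session): mysqli_result
{
    // 1. Login check that cannot be switched off by a request parameter.
    if (empty($session['user_id'])) {
        throw new RuntimeException('authentication required');
    }

    // 2. Strict type check: FILTER_VALIDATE_INT returns false for anything that
    //    is not an integer, so the payload from the PoC is rejected here.
    $orgId = filter_var($get['gblOrgID'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($orgId === false) {
        throw new InvalidArgumentException('gblOrgID must be a positive integer');
    }

    // 3. Prepared statement with the value bound as an integer parameter.
    $stmt = $db->prepare('SELECT * FROM sys_org WHERE org_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $orgId);
    $stmt->execute();
    return $stmt->get_result();
}

// Usage sketch (assumes an existing $db = new mysqli(...) connection):
// $result = dumpSysTableSafe($db, $_GET, $_SESSION);
// while ($row = $result->fetch_assoc()) { /* render row */ }
```

The integer validation and the prepared statement are independent layers: even if a later change relaxes the validation, the bound parameter alone keeps the value out of the SQL grammar, and even if a future query has to accept a string, the validation step still narrows what reaches the database.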
Source: ⚠️ https://gist.github.com/jikdarren/67ba9fdd2a8b619fc9a370102c317971
User: jikdarren (UID 98235)
Submitted: 2026-05-13 16:16 (25 days ago)
Moderation: 2026-06-06 17:58 (24 days later)
Status: Accepted
VulDB Entry: 369075 [Chanjet CRM 1.0 HTTP GET Request jxf_dump_systable.php gblOrgID SQL Injection]
Points: 20
