Chanjet CRM SQL Injection Scanner

Chanjet CRM is a customer relationship management software designed for businesses to manage interactions with current and potential clients. Developed by Chanjet, it is used primarily by sales and customer service teams across various industries to improve client engagement and streamline communication processes. The software offers comprehensive features for managing customer information, facilitating better sales tracking, and enhancing overall customer experiences. It is typically deployed in environments where organizations need to centralize customer data and optimize their sales and service cycles. With a strong focus on delivering efficient CRM solutions, Chanjet CRM serves both small businesses and large enterprises.

An SQL Injection vulnerability occurs when an attacker can manipulate a SQL query by inserting untrusted data into the query language without proper sanitization. This type of vulnerability in Chanjet CRM allows unauthorized users to interfere with the queries that an application makes to its database. As a result, attackers can alter, steal, or destroy information from the database. This can lead to a variety of consequences including data breaches or unauthorized access to sensitive information. By exploiting such vulnerabilities, attackers can gain complete control over the application's database, potentially leading to significant business disruption and financial losses.

The vulnerability in Chanjet CRM specifically exists in the get_usedspace.php endpoint, where user inputs are not adequately sanitized allowing for SQL commands to be executed. The endpoint 'site_id' parameter is vulnerable and can be manipulated to inject malicious SQL statements. Attackers can insert deliberate, harmful SQL statements into this parameter and retrieve sensitive information through crafted union-based payloads. Using the path '/webservice/get_usedspace.php' with a crafted parameter allows injecting and executing potentially malicious SQL queries. The SQL injection flaw can be validated through specific payloads that result in database errors or unexpected behaviors when executed.

When exploited, an SQL Injection vulnerability in Chanjet CRM can lead to unauthorized access to the database where sensitive business, customer, or financial information is stored. Attackers may be able to read, modify, or delete this critical data, leading to data theft or other malicious activities. It may also allow an attacker to escalate privileges, execute administrative database functions, or compromise the application's backend server. Furthermore, it can undermine trust in the organization and cause reputational damage, alongside financial and regulatory consequences due to data breaches.

REFERENCES

• https://www.chanjet.com/