
Vulnerability summary

Defect ID: wooyun-2014-082008

Title: Penetration test of 北林 (Beijing Forestry University, bjfu.edu.cn)

Vendor: CCERT教育网应急响应组 (CCERT, the education-network emergency response team)

Author: sunrain

Submitted: 2014-11-04 18:16

Fix time: 2014-11-09 18:18

Disclosed: 2014-11-09 18:18

Type: SQL injection

Severity: Medium

Self-rated rank: 5

Status: handed to third-party partner (CCERT教育网应急响应组) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-11-04: details sent to the vendor, awaiting the vendor's handling
2014-11-09: the vendor actively ignored the vulnerability; details disclosed to the public

Brief description:

It feels like this could be taken deeper into the internal network.
I didn't know which type to pick, so I just put SQLi.

Details:

1. Weak passwords (together with an information disclosure problem)
Through earlier information gathering, I constructed the following POST and got into the OA system:

POST /cas/login HTTP/1.1
Host: cas.bjfu.edu.cn
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://cas.bjfu.edu.cn/cas/login
Cookie: key_dcp_cas=hg5mJY9T2dqbtWLT62p4mgQLGQvvNyJFpC6yvCRcQndvTQ1wpL2d!-1117389902
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 335
encodedService=http%253a%252f%252fi.bjfu.edu.cn%252fdcp%252fforward.action%253fpath%253d%252fportal%252fportal%2526p%253dwkHomePage&service=http%3A%2F%2Fi.bjfu.edu.cn%2Fdcp%2Fforward.action%3Fpath%3D%2Fportal%2Fportal%26p%3DwkHomePage&serviceName=null&loginErrCnt=1&username=jyxh@bjfu%2eedu%2ecn&password=123456&lt=LT-AlwaysValidTicket


Because I found that this user had been active not long before, I didn't go any further, so as not to disrupt someone's work. But from here one can obtain a lot of teacher information, school business information and so on.
So I started from the students instead, via:
http://202.204.115.67/xueshengxinxichaxun/query.asp
From student IDs leaked on Baidu I worked out the pattern of the IDs, used Burp to run through a few hundred of them directly, then tested them against the link above and found weak passwords. I tested after logging in, but that user was also active, so I gave up. Also, simple tests showed that this system's authorization checks are fairly strict: no broken access control was found.

1.png


2.png
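The student-ID enumeration and weak-password testing described above (a few hundred IDs run through Burp, then tried against query.asp, with the CAS request carrying the password 123456) leaves a recognisable pattern in authentication logs: one source attempting many distinct usernames within a short window, and a success arriving only after many failures against other accounts. The script below is an added example, not part of the original report, showing that check over a constructed log; the log format, addresses, usernames and thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log standing in for what cas.bjfu.edu.cn and the
# student query page might record; format, hosts and values are assumptions
# made for this example, not records from the report.
LOG_FORMAT = "{ts} src={src} path={path} user={user} result={result}"


def constructed_log():
    t0 = datetime(2014, 11, 4, 18, 10, 0)
    lines = []
    # A legitimate user: one mistyped password, then success.
    lines.append(LOG_FORMAT.format(ts=t0.isoformat(), src="10.1.1.5",
                                   path="/cas/login", user="wangx", result="fail"))
    lines.append(LOG_FORMAT.format(ts=(t0 + timedelta(seconds=20)).isoformat(), src="10.1.1.5",
                                   path="/cas/login", user="wangx", result="ok"))
    # One source walking sequential student IDs with a single guessed password;
    # the 18th ID happens to use it.
    for i in range(30):
        ts = (t0 + timedelta(seconds=30 + 3 * i)).isoformat()
        lines.append(LOG_FORMAT.format(ts=ts, src="10.9.8.7",
                                       path="/xueshengxinxichaxun/query.asp",
                                       user=f"2013{i:04d}",
                                       result="ok" if i == 17 else "fail"))
    return lines


def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_enumerating_sources(lines, min_distinct_users=10, window=timedelta(minutes=10)):
    """Map each source that attempted at least `min_distinct_users` different
    usernames inside some `window` to its peak distinct-user count.  Successes
    are counted too: a brute-forcer's hit is as telling as its misses."""
    attempts = defaultdict(list)
    for rec in map(parse_line, lines):
        attempts[rec["src"]].append((rec["ts"], rec["user"]))
    flagged = {}
    for src, events in attempts.items():
        events.sort()
        recent = deque()          # events inside the sliding window
        seen = defaultdict(int)   # username -> attempts inside the window
        peak = 0
        for ts, user in events:
            recent.append((ts, user))
            seen[user] += 1
            while recent and ts - recent[0][0] > window:
                _, old = recent.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            peak = max(peak, len(seen))
        if peak >= min_distinct_users:
            flagged[src] = peak
    return flagged


def find_guessed_accounts(lines, min_prior_failures=5):
    """Usernames that logged in successfully from a source which had already
    failed against `min_prior_failures` other usernames: the accounts most
    likely taken over by an enumeration run."""
    failures_by_src = defaultdict(set)
    guessed = set()
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        if rec["result"] == "ok":
            others = failures_by_src[rec["src"]] - {rec["user"]}
            if len(others) >= min_prior_failures:
                guessed.add(rec["user"])
        else:
            failures_by_src[rec["src"]].add(rec["user"])
    return guessed


if __name__ == "__main__":
    log = constructed_log()
    print("enumerating sources:", find_enumerating_sources(log))
    print("accounts likely guessed:", find_guessed_accounts(log))
```

Per-account lockout alone would not catch this run: each student ID sees a single attempt, so the detection has to key on the source and on the breadth of usernames it touches, which is what the sliding window does.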


2. SQL injection
First instance:

POST /inc/message_search.jsp HTTP/1.1
Host: jx.bjfu.edu.cn
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://jx.bjfu.edu.cn/shou-left.jsp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 80
searchname=title&searchword=jkh&Creator=&dsBeginTm=&dsEndTm=&submit=%B2%E9%D1%AF


Second instance:

POST /newyjsmis/tutorsearch/search.aspx HTTP/1.1
Host: graduate.bjfu.edu.cn
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://graduate.bjfu.edu.cn/newyjsmis/tutorsearch/search.aspx
Cookie: ASP.NET_SessionId=uk24wtuqmwvnsn45exbcqa55; CheckCode=3g75
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 3985
__VIEWSTATE=%2FwEPDwUKLTkwNzkwNDcxOQ9kFgICAw9kFgQCBQ8QDxYGHg1EYXRhVGV4dEZpZWxkBQZZSlhLTUMeDkRhdGFWYWx1ZUZpZWxkBQZZSlhLTUMeC18hRGF0YUJvdW5kZ2QQFTQABuiNieWtpiLojYnkuJoo5LiT5Lia5a2m5L2NKSAgICAgICAgICAgICAgCeWcsOeQhuWtpgbms5XlraYM6aOO5pmv5Zut5p6XKumjjuaZr%2BWbreael%2BehleWjqyjkuJPkuJrlrabkvY0pICAgICAgICAgIA%2Fpo47mma%2Flm63mnpflraYM5bel5ZWG566h55CGDOWFrOWFseeuoeeQhhXnrqHnkIbnp5HlrabkuI7lt6XnqIsq5Zu96ZmF5ZWG5Yqh56GV5aOrKOS4k%2BS4muWtpuS9jSkgICAgICAgICAgJueOr%2BWig%2BW3peeoiyjkuJPkuJrlrabkvY0pICAgICAgICAgICAgFeeOr%2BWig%2BenkeWtpuS4juW3peeoiybkvJrorqHnoZXlo6so5LiT5Lia5a2m5L2NKSAgICAgICAgICAgIAzmnLrmorDlt6XnqIsm5py65qKw5bel56iLKOS4k%2BS4muWtpuS9jSkgICAgICAgICAgICAo6K6h566X5py65oqA5pyvKOS4k%2BS4muWtpuS9jSkgICAgICAgICAgIBjorqHnrpfmnLrnp5HlrabkuI7mioDmnK8J5bu6562R5a2mFeaOp%2BWItuenkeWtpuS4juW3peeoiw%2FnkIborrrnu4%2FmtY7lraYG5p6X5a2mDOael%2BS4muW3peeoiybmnpfkuJrlt6XnqIso5LiT5Lia5a2m5L2NKSAgICAgICAgICAgICbmnpfkuJrnoZXlo6so5LiT5Lia5a2m5L2NKSAgICAgICAgICAgIAzml4XmuLjnrqHnkIYV6ams5YWL5oCd5Li75LmJ55CG6K66LOWGnOadkeS4juWMuuWfn%2BWPkeWxlSjkuJPkuJrlrabkvY0pICAgICAgICAgEuWGnOael%2Be7j%2Ba1jueuoeeQhgzlhpzkuJrlt6XnqIsM5Yac5Lia5o6o5bm%2FKOWGnOS4muS%2FoeaBr%2BWMlijkuJPkuJrlrabkvY0pICAgICAgICAgICAS5Yac5Lia6LWE5rqQ5Yip55SoDOi9r%2BS7tuW3peeoiybova%2Fku7blt6XnqIso5LiT5Lia5a2m5L2NKSAgICAgICAgICAgIAnorr7orqHlraYJ55Sf5oCB5a2mCeeUn%2BeJqeWtpizpo5%2Flk4HliqDlt6XkuI7lronlhago5LiT5Lia5a2m5L2NKSAgICAgICAgIBXpo5%2Flk4Hnp5HlrabkuI7lt6XnqIsJ57uf6K6h5a2mDOWcn%2BacqOW3peeoixLlpJblm73or63oqIDmloflraYJ5b%2BD55CG5a2mCeeVnOeJp%2BWtpgboibrmnK8m6Im65pyv6K6%2B6K6hKOS4k%2BS4muWtpuS9jSkgICAgICAgICAgICAJ6Im65pyv5a2mD%2BW6lOeUqOe7j%2Ba1juWtpirlupTnlKjnu5%2ForqHnoZXlo6so5LiT5Lia5a2m5L2NKSAgICAgICAgICAG5ZOy5a2mFTQABuiNieWtpiLojYnkuJoo5LiT5Lia5a2m5L2NKSAgICAgICAgICAgICAgCeWcsOeQhuWtpgbms5XlraYM6aOO5pmv5Zut5p6XKumjjuaZr%2BWbreael%2BehleWjqyjkuJPkuJrlrabkvY0pICAgICAgICAgIA%2Fpo47mma%2Flm63mnpflraYM5bel5ZWG566h55CGDOWFrOWFseeuoeeQhhXnrqHnkIbnp5HlrabkuI7lt6XnqIsq5Zu96ZmF5ZWG5Yqh56GV5aOrKOS4k%2BS4muWtpuS9jSkgICAgICAgICAgJueO
r%2BWig%2BW3peeoiyjkuJPkuJrlrabkvY0pICAgICAgICAgICAgFeeOr%2BWig%2BenkeWtpuS4juW3peeoiybkvJrorqHnoZXlo6so5LiT5Lia5a2m5L2NKSAgICAgICAgICAgIAzmnLrmorDlt6XnqIsm5py65qKw5bel56iLKOS4k%2BS4muWtpuS9jSkgICAgICAgICAgICAo6K6h566X5py65oqA5pyvKOS4k%2BS4muWtpuS9jSkgICAgICAgICAgIBjorqHnrpfmnLrnp5HlrabkuI7mioDmnK8J5bu6562R5a2mFeaOp%2BWItuenkeWtpuS4juW3peeoiw%2FnkIborrrnu4%2FmtY7lraYG5p6X5a2mDOael%2BS4muW3peeoiybmnpfkuJrlt6XnqIso5LiT5Lia5a2m5L2NKSAgICAgICAgICAgICbmnpfkuJrnoZXlo6so5LiT5Lia5a2m5L2NKSAgICAgICAgICAgIAzml4XmuLjnrqHnkIYV6ams5YWL5oCd5Li75LmJ55CG6K66LOWGnOadkeS4juWMuuWfn%2BWPkeWxlSjkuJPkuJrlrabkvY0pICAgICAgICAgEuWGnOael%2Be7j%2Ba1jueuoeeQhgzlhpzkuJrlt6XnqIsM5Yac5Lia5o6o5bm%2FKOWGnOS4muS%2FoeaBr%2BWMlijkuJPkuJrlrabkvY0pICAgICAgICAgICAS5Yac5Lia6LWE5rqQ5Yip55SoDOi9r%2BS7tuW3peeoiybova%2Fku7blt6XnqIso5LiT5Lia5a2m5L2NKSAgICAgICAgICAgIAnorr7orqHlraYJ55Sf5oCB5a2mCeeUn%2BeJqeWtpizpo5%2Flk4HliqDlt6XkuI7lronlhago5LiT5Lia5a2m5L2NKSAgICAgICAgIBXpo5%2Flk4Hnp5HlrabkuI7lt6XnqIsJ57uf6K6h5a2mDOWcn%2BacqOW3peeoixLlpJblm73or63oqIDmloflraYJ5b%2BD55CG5a2mCeeVnOeJp%2BWtpgboibrmnK8m6Im65pyv6K6%2B6K6hKOS4k%2BS4muWtpuS9jSkgICAgICAgICAgICAJ6Im65pyv5a2mD%2BW6lOeUqOe7j%2Ba1juWtpirlupTnlKjnu5%2ForqHnoZXlo6so5LiT5Lia5a2m5L2NKSAgICAgICAgICAG5ZOy5a2mFCsDNGdnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dkZAIJDxAPFgYfAAULQ29sbGVnZU5hbWUfAQUJQ29sbGVnZUlkHwJnZBAVDwAJ5p6X5a2m6ZmiG%2BeUn%2BeJqeenkeWtpuS4juaKgOacr%2BWtpumZognlt6XlrabpmaIM5L%2Bh5oGv5a2m6ZmiG%2BadkOaWmeenkeWtpuS4juaKgOacr%2BWtpumZogzlm63mnpflrabpmaIS57uP5rWO566h55CG5a2m6ZmiGOS6uuaWh%2BekvuS8muenkeWtpuWtpumZogzlpJbor63lrabpmaIS5rC05Zyf5L%2Bd5oyB5a2m6ZmiCeeQhuWtpumZohvnjq%2FlooPnp5HlrabkuI7lt6XnqIvlrabpmaIV6Ieq54S25L%2Bd5oqk5Yy65a2m6ZmiEuiJuuacr%2BiuvuiuoeWtpumZohUPAAMwMDEDMDAyAzAwMwMwMDQDMDA1AzAwNgMwMDcDMDA4AzAwOQMwMTADMDExAzAxNwMwMTYDMDE4FCsDD2dnZ2dnZ2dnZ2dnZ2dnZ2RkZD%2BFbRrUh4r%2Fq955G23DcfzhcQuc&__VIEWSTATEGENERATOR=B403CA61&txtTutorName=jjkh&btnSearchTutorName=%E6%9F%A5%E8%AF%A2&ddlCourseCategory=&ddlCollege=


The first one could be useful in further exploitation (for example logging in directly, or uploading), but I didn't test that.
The second one already exposes student and teacher information, and the database turned out to be fairly large; it seems to hold more than just this one site's data.
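As an added example that is not part of the original report, the script below models a search handler like /inc/message_search.jsp: one version splices the form fields searchname and searchword into the query text, the other binds the search term and allowlists the searched column. It is assumed, for the example, that searchname selects the column being searched; the SQLite schema, rows and the account table are constructed, and the UNION payload stands in for the kind of cross-table data extraction the report describes against the second injection point.

```python
import sqlite3

# Constructed stand-in for the tables behind the search form; schema, rows and
# the `account` table are assumptions for this example, not data from the report.
MESSAGES = [
    (1, "Exam timetable", "admin", "2014-10-01"),
    (2, "Library notice", "lib", "2014-10-15"),
    (3, "Course registration", "jwc", "2014-11-01"),
]
ACCOUNTS = [
    (1, "admin", "e10adc3949ba59abbe56e057f20f883e"),
    (2, "lib", "098f6bcd4621d373cade4e832627b4f6"),
]
# Fields the form may search on, keyed by the `searchname` value.  Identifiers
# cannot be bound as query parameters, so they are allowlisted instead.
SEARCHABLE = {"title": "title", "creator": "creator"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, title TEXT, "
                 "creator TEXT, created TEXT)")
    conn.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT)")
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", MESSAGES)
    conn.executemany("INSERT INTO account VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def search_vulnerable(conn, searchname, searchword):
    # Both form fields are spliced into the SQL text, so a quote in searchword
    # (or anything at all in searchname) rewrites the query instead of being data.
    sql = f"SELECT id, title FROM message WHERE {searchname} LIKE '%{searchword}%'"
    return conn.execute(sql).fetchall()


def search_hardened(conn, searchname, searchword):
    column = SEARCHABLE.get(searchname)
    if column is None:
        raise ValueError(f"unsupported search field: {searchname!r}")
    # The term is bound, so quotes are just characters; LIKE metacharacters are
    # escaped so the caller cannot widen the match with % or _ either.
    escaped = (searchword.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_"))
    sql = f"SELECT id, title FROM message WHERE {column} LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "zzz' UNION SELECT id, username || ':' || password_hash FROM account --"
    print("vulnerable:", search_vulnerable(db, "title", payload))
    print("hardened:  ", search_hardened(db, "title", payload))
```

The allowlist matters as much as the bound parameter: a column name cannot be a bind variable, so a handler that only parameterises searchword would still be injectable through searchname.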

Proof of vulnerability:

3.png


4.png


5.png

Fix:

Even though I wrote all this, I expect it will still be ignored.
The fixing is up to you.

Copyright notice: please credit the source, sunrain@乌云, when reposting.


Vulnerability response

Vendor response:

Severity: no impact, ignored by the vendor

Ignored on: 2014-11-09 18:18

Vendor reply:

Latest status:

None yet