当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-092370

漏洞标题:习网问题整理打包

相关厂商:习网

漏洞作者: 爱上平顶山

提交时间:2015-01-17 21:11

修复时间:2015-03-03 21:12

公开时间:2015-03-03 21:12

漏洞类型:内容安全

危害等级:高

自评Rank:16

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-01-17: 细节已通知厂商并且等待厂商处理中
2015-01-19: 厂商已经确认,细节仅向厂商公开
2015-01-29: 细节向核心白帽子及相关领域专家公开
2015-02-08: 细节向普通白帽子公开
2015-02-18: 细节向实习白帽子公开
2015-03-03: 细节向公众公开

简要描述:

...

详细说明:

习网的一些问题整理下
1、后台:
Google bing下
后台:
http://jxhd.ciwong.com/
http://bbs.ciwong.com/login.aspx
http://super.admin.ciwong.com/Admin/Login
http://mail.ciwong.com/index.php
http://gwy2013.ciwong.com/lead/Login
http://anquan.ciwong.com/Account/Login/
http://e.ciwong.com/login/indexbefore
http://e.ciwong.com/login/
http://admin.eschool.ciwong.com/users/login
http://admin.ciwong.net/Permission/Login/Login
http://demo.ciwong.com/ 云平台
结合这个:

databases [132]:
[*] beehive_listenread
[*] beehive_pointmall
[*] beehive_synchronwork
[*] beehive_voicespeech
[*] beehivedb
[*] bookcase
[*] ciwong_colorful
[*] ciwong_newsmanagement
[*] ciwong_qr
[*] cloudreader
[*] cmsdata
[*] cw_6v68_settlement
[*] cw_admin_elearning
[*] cw_admin_elearning_bak
[*] cw_app_store
[*] cw_audio_video_db
[*] cw_basedapplications
[*] cw_chinadream
[*] cw_cooperator
[*] cw_dw
[*] cw_edu
[*] cw_elearning
[*] cw_elearning_bak
[*] cw_englishshow
[*] cw_eshop_cart
[*] cw_eshop_common
[*] cw_eshop_news
[*] cw_eshop_order
[*] cw_eshop_product
[*] cw_eshop_user
[*] cw_gwy
[*] cw_hd
[*] cw_homepage
[*] cw_jibei
[*] cw_jibei_school
[*] cw_learnmonth
[*] cw_microvideo
[*] cw_netschool
[*] cw_packager_arithmetic
[*] cw_packager_arithmetic_en
[*] cw_packager_ebook
[*] cw_packager_experiment
[*] cw_packager_experiment_v2
[*] cw_packager_kousuan
[*] cw_packager_learning_level
[*] cw_packager_listenning_ch
[*] cw_packager_listenning_ch_v2
[*] cw_packager_listenning_en
[*] cw_packager_listenning_en_v2
[*] cw_packager_playwords
[*] cw_packager_reading_ch
[*] cw_packager_reading_en
[*] cw_packager_speaking_en
[*] cw_pay
[*] cw_press
[*] cw_press_new
[*] cw_recommend
[*] cw_resx_center
[*] cw_settlement
[*] cw_trainingdb
[*] cw_workcategory
[*] cw_workcategory_arithmetic
[*] cw_workcategory_arithmetic_en
[*] cw_workcategory_common
[*] cw_workcategory_ebook
[*] cw_workcategory_experience
[*] cw_workcategory_experiment
[*] cw_workcategory_experiment_v2
[*] cw_workcategory_learning_level
[*] cw_workcategory_listenning_ch
[*] cw_workcategory_listenning_ch_v2
[*] cw_workcategory_listenning_en
[*] cw_workcategory_listenning_en_v2
[*] cw_workcategory_more
[*] cw_workcategory_playwords
[*] cw_workcategory_reading_ch
[*] cw_workcategory_reading_en
[*] cw_workcategory_settings
[*] cw_workcategory_speaking_en
[*] cw_workshop
[*] cw_workshop2
[*] cw_yishang
[*] cw_yishang1
[*] cw_yishang_settle
[*] cw_ziyuan
[*] cwapi
[*] cwfav
[*] db_ciliao
[*] db_filestatus
[*] db_kousuan100
[*] db_statistics
[*] db_txb
[*] db_txb_paipai
[*] efficientclassroom
[*] game
[*] gxktv3
[*] gxktv3_resource
[*] information
[*] information_schema
[*] microrecord
[*] mysql
[*] notebook_good
[*] notebook_mistake
[*] notebook_senten
[*] notebook_word
[*] performance_schema
[*] quesdata
[*] research
[*] research_ky
[*] roompermissionjingsai
[*] schoolzone
[*] searcher
[*] synchpreparation
[*] szdsy2013
[*] t_db_areaconf
[*] t_db_jibei
[*] t_db_listening
[*] t_db_markham
[*] t_db_roomtask
[*] t_db_tinyurl
[*] videouser
[*] wiki
[*] wikicommunity
[*] wikipoint
[*] wikiques
[*] wordstockchinese
[*] wordstockenglish
[*] wordstockenglishchangebuilding
[*] wordstockenglishchangeclassifying
[*] wordstockenglishchangescene
[*] wordstocktempresources
[*] work_listen
Database: beehive_listenread
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| h_stupracticeword | 2225817 |
| h_studentworkpersentence | 1179092 |
| h_stupracticeread | 1143587 |
| s_favorites | 787644 |
| h_studentworkword | 702708 |
| h_heardrank | 320771 |
| v_workbook | 310072 |
| s_workrecord | 235518 |
| s_workanswer | 216187 |
| h_stupractice | 174053 |
| h_studentwork | 139538 |
| h_teacherfixword | 135150 |
| s_mybookshelf | 119652 |
| e_s_work_item | 119166 |
| v_saledetail | 115829 |
| o_order_off_detail | 115256 |
| h_studentvistor | 82884 |
| s_publishques | 47454 |
| h_unitword | 43505 |
| e_s_work | 29547 |
| h_teacherworkdetail | 20967 |
| s_publishquessummary | 19550 |
| h_teacherpublishrecord | 11344 |
| h_teacherwork | 9817 |
| h_studentprivacy | 6758 |
| p_agent_books | 5840 |
| h_studentfollow | 5674 |
| s_publishrecorddetails | 5613 |
| h_unitcourse | 5447 |
| s_publishpaper | 4133 |
| h_units | 3759 |
| o_apply_free_record | 3693 |
| questionbookversion | 2786 |
| h_units_copy | 1855 |
| s_question | 1730 |
| tmp_booksresource | 1391 |
| tmp_resourceversion | 1390 |
| s_publishrecord | 1324 |
| tmp_booksresource_bak | 1164 |
| tmp_booksresource_bak2 | 1164 |
| s_questionsummary | 711 |
| o_order_off_line | 640 |
| o_order | 573 |
| e_t_work_chapter | 562 |
| e_t_work_class | 554 |
| o_openservicedetail | 447 |
| s_book_areas | 320 |
| e_t_work_record | 308 |
| h_bookinfo | 290 |
| p_class_recommend | 276 |
| s_chapter | 228 |
| o_service_message | 223 |
| o_openservice | 213 |
| h_bookinfo_copy1 | 169 |
| h_bookinfo_copy | 168 |
| h_bookinfo_copy_copy | 168 |
| s_chapter_copy | 150 |
| s_paper | 149 |
| s_book_copy1 | 27 |
| s_book_copy | 25 |
| s_template_kind | 21 |
| p_message | 10 |
| h_courseinfo | 9 |
| s_book | 7 |
| s_book_template | 4 |
+--------------------------+---------+
Database: beehive_pointmall
+------------------+---------+
| Table | Entries |
+------------------+---------+
| tb_goods | 102 |
| tb_pointsrule | 24 |
| tb_pointssummary | 19 |
| tb_goodscategory | 12 |
| tb_orders | 11 |
| tb_address | 7 |
| tb_supplier | 5 |
| tb_notices | 2 |
| tb_manager | 1 |
+------------------+---------+
Database: beehive_synchronwork
+---------------------------+---------+
| Table | Entries |
+---------------------------+---------+
| studentworkquestiondetail | 6053 |
| studentwork | 5493 |
| message | 1440 |
| publisherdetail | 1140 |
| messageuser | 1033 |
| workstatistical | 722 |
| classworkpublicrec | 685 |
| studentworddetail | 619 |
| workpublish | 388 |
| messageclass | 369 |
| workcontent | 293 |
| workcategory | 122 |
| workstep | 111 |
| worksummary | 10 |
+---------------------------+---------+
Database: beehive_voicespeech
+-------------+---------+
| Table | Entries |
+-------------+---------+
| voiceprop | 373441 |
| voicespeech | 93360 |
+-------------+---------+
Database: beehivedb
+------------------------------+---------+
| Table | Entries |
+------------------------------+---------+
| a_settlement_order_detail | 115723 |
| tb_classmember | 85263 |
| tb_groupmember | 84710 |
| tb_classmember_20140627_1520 | 60961 |
| tb_classproduct | 664 |
| tb_users | 579 |
| tb_productuse | 492 |
| tb_areas | 466 |
| tb_products | 457 |
| a_settlement_detail | 341 |
| appmanager | 226 |
| tmp_user_service_record | 218 |
| tmp_proxyschoolopen | 215 |
| tb_bank_account | 205 |
| tb_schoolmodules | 166 |
| tb_schoolproxy | 147 |
| tb_schoolinfo | 142 |
| a_settlement_type_detail | 67 |
| tb_app_menurole | 65 |
| tb_areaproxy | 46 |
| tb_productsorder | 29 |
| a_settlement_remark | 25 |
| tb_app_menu | 25 |
| tb_procate | 24 |
| course | 23 |
| a_settlement_record | 20 |
| tb_proxyproduct | 20 |
| tb_apprecommend | 17 |
| tb_schoolmanager | 12 |
| tb_app_itemrole | 10 |
| tb_app_menuitem | 10 |
| tb_app_role | 6 |
| tmp_proxyyearopen | 6 |
| tb_bank_pay_record | 5 |
| stage | 4 |
| tb_appinfo | 3 |
| tb_modules | 3 |
| a_settlement_rate | 1 |
| tb_appuserrole | 1 |
| tb_myproducts | 1 |
+------------------------------+---------+
Database: bookcase
+---------------+---------+
| Table | Entries |
+---------------+---------+
| paperlist | 632983 |
| bookshelflist | 538160 |
| ebookstep | 407616 |
| paperclip | 189647 |
| ebooktheme | 41311 |
| mybookshelf | 23656 |
| bookmark | 3946 |
| recommendbook | 32 |
+---------------+---------+
Database: ciwong_colorful
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| tb_hist_testexercises | 7760 |
| tb_cmt_comment | 557 |
| tb_uer_usermsg | 242 |
+-----------------------+---------+
Database: ciwong_newsmanagement
+-------------------------+---------+
| Table | Entries |
+-------------------------+---------+
| newsdetails | 401 |
| newsdetailsassistant | 401 |
| newscategoryrelation | 203 |
| competitionnews | 139 |
| newscompetitionrelation | 126 |
| newscategory | 22 |
| newsfrom | 4 |
+-------------------------+---------+
Database: ciwong_qr
+--------------+---------+
| Table | Entries |
+--------------+---------+
| personalcard | 436791 |
| classcard | 81708 |
| app | 5 |
+--------------+---------+
Database: cloudreader
+------------------------+---------+
| Table | Entries |
+------------------------+---------+
| tb_creditsrecord | 27854 |
| tb_dynamic | 7232 |
| tb_recentvisitors | 7101 |
| tb_review | 6705 |
| tb_taskdetail | 3203 |
| tb_dotask | 1935 |
| tb_content | 1835 |
| tb_autostudytestreport | 1764 |
| tb_ucrelation | 1455 |
| tb_user | 1434 |
| tb_recommend | 1226 |
| tb_errorquesnote | 777 |
| tb_article | 620 |
| v_totaldotask | 378 |
| v_totalreview | 336 |
| tb_quesoption | 318 |
| tb_questext | 279 |
| tb_ques | 278 |
| tb_userdetail | 224 |
| v_totalstudyreview | 156 |
| tb_section | 138 |
| tb_attachment | 129 |
| tb_photo | 118 |
| tb_relation | 85 |
| tb_albums | 79 |
| tb_task | 64 |
| tb_menu | 60 |
| tb_classlearninggroup | 54 |
| tb_topic | 46 |
| tb_privateletter | 45 |
| tb_unit | 42 |
| tb_book | 41 |
| v_totaltopstudyreview | 34 |
| v_totaltopreview | 29 |
| tb_creditsrules | 28 |
| tb_creditgradedetail | 22 |
| tb_type | 15 |
| tb_apprequesservices | 10 |
| tb_schoolinfo | 6 |
| tb_openservices | 5 |
| tb_topteacherteam | 5 |
| tb_services | 1 |
+------------------------+---------+
Database: cmsdata
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| syslog | 23016 |
| sitepagetemplaterelation | 9721 |
| moduletemplaterelation | 3211 |
| templateconfig | 498 |
| moduleconfig | 427 |
| domainsiterelation | 387 |
| domainconfig | 73 |
| task | 31 |
| siteextendinfo | 19 |
| sitetype | 8 |
+--------------------------+---------+
Database: cw_6v68_settlement
+-----------------------+---------+
| Table | Entries |
+-----------------------+---------+
| settlement | 25996 |
| settlementrelation | 6691 |
| settlementdatasynclog | 124 |
| userrightrelation | 89 |
| shopaudit | 70 |
| publisheraudit | 42 |
| userrolerelation | 25 |
| agentinfo | 19 |
| auditrecords | 10 |
| userright | 9 |
| userinfo | 8 |
| roleinfo | 6 |
+-----------------------+---------+
Database: cw_admin_elearning
+--------------------------+---------+
| Table | Entries |
+--------------------------+---------+
| admin | 3988 |
| site_admin | 3984 |
| siteinfo | 3913 |
| siteinfo_new | 3674 |
| admin_new | 3671 |
| sitemodule | 3574 |
| tmp_tb4 | 3309 |
| tmp2_tb | 3304 |
| tmp_tb3 | 3304 |
| site_admin_bak | 392 |
| siteinfo_bak | 370 |
| admin_bak | 367 |
| siterecommendapplication | 13 |
| sitemodule_bak | 8 |
| sitenavigation | 7 |
| `module` | 6 |
| sitefriendlylink | 5 |
| sqlmapfile | 3 |
| deploy | 2 |
| newsarea | 2 |
| sitebanner | 2 |
| newsinfo | 1 |
| sitelogo | 1 |
+--------------------------+---------+
Database: cw_dw
+---------------------------------+---------+
| Table | Entries |
+---------------------------------+---------+
| dw_user_learning_history | 14689703|
| user_learning_records | 7756018 |
| dw_learnning_words | 2292036 |
| chapterreport | 1710845 |
| dw_user_answer_detail_history | 1686803 |
| dw_user_answers_statistics | 676806 |
| workreport | 488690 |
| dw_user_learning_history_record | 7 |
+---------------------------------+---------+


结合这些账户密码 会达到是什么效果 自己评估吧。
2、
http://game.ciwong.com/game/Play/1315'

0.jpg


game.ciwong.com 下这样的很多
3、bbs
http://bbs.ciwong.com/ReadMe.txt 还有一些列目录 自查
http://www.6v68.com/Areas/ 列目录
http://www.6v68.com/admin/
http://113.106.50.4:81/admin/

0.jpg


4、
MS12-020 蓝屏漏洞 没有升级补丁
rdp://121.14.117.223:6543
rdp://121.14.117.26:6543
rdp://113.106.50.9:6543
可用metasploit直接攻击 不做测试了
ok 就这样

漏洞证明:

···

修复方案:

改。

版权声明:转载请注明来源 爱上平顶山@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:13

确认时间:2015-01-19 15:19

厂商回复:

漏洞修复中...

最新状态:

暂无