-
-
卓越课程中心弱口令+个人信息泄露+CSRF+XSS+路径遍历
-
发表于:
2014-5-29 22:30
2165
-
卓越课程中心弱口令+个人信息泄露+CSRF+XSS+路径遍历
我国有大量高校采用了卓越电子(
6eeK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3q4T1L8r3g2Q4x3X3c8W2L8r3g2U0i4K6u0W2j5$3!0E0i4@1g2r3i4@1u0o6i4K6R3&6i4@1f1%4i4K6W2m8i4K6R3@1i4@1f1#2i4K6S2p5i4K6V1K6i4@1f1^5i4@1t1$3i4K6S2m8i4@1f1^5i4@1q4r3i4@1u0q4i4@1f1%4i4@1p5^5i4K6S2n7i4@1f1@1i4@1t1^5i4@1q4p5i4@1f1#2i4@1u0r3i4K6R3K6i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1#2i4K6R3^5i4@1t1H3i4@1f1#2i4@1u0m8i4K6V1#2i4@1f1$3i4K6W2o6i4K6R3&6i4@1f1#2i4@1p5@1i4K6W2m8i4@1f1#2i4@1t1H3i4K6V1I4i4@1g2r3i4@1u0o6i4K6W2r3i4@1f1^5i4@1q4q4i4@1u0r3i4@1f1&6i4K6V1%4i4@1q4q4i4@1f1#2i4K6S2p5i4K6V1K6i4@1f1^5i4@1t1$3i4K6S2m8i4@1f1^5i4@1q4r3i4@1u0q4i4@1f1%4i4@1p5^5i4K6S2n7i4@1f1@1i4@1t1^5i4@1q4p5i4@1f1#2i4@1u0r3i4K6R3K6i4@1f1^5i4K6R3I4i4K6V1@1i4@1f1%4i4K6W2n7i4K6W2r3i4@1g2r3i4@1u0o6i4K6R3^5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3M7J5M7#2)9J5k6h3y4F1i4K6u0r3i4@1g2r3i4@1u0o6i4K6R3&6i4@1f1#2i4K6S2r3i4@1q4r3i4@1f1^5i4@1p5%4i4K6R3I4i4@1f1@1i4@1t1^5i4K6R3H3i4@1f1$3i4K6V1$3i4K6V1I4i4@1f1K6i4K6R3H3i4K6R3J5
漏洞公布如下:
1.弱口令
a.普遍将 学号/工号 同时作为用户名与密码
举例:http://cc.bjmu.edu.cn(1310116113:1310116113|1310116114:1310116114|...)| ...
b.存在由程序员疏忽大意留下的弱口令,且这些帐户都是教师权限,可创建课程
举例:test1:test1(
141K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3y4U0i4K6u0W2j5X3A6E0N6g2)9J5k6h3g2V1N6g2)9J5k6h3y4F1i4K6t1$3L8X3u0K6M7q4)9K6b7W2)9%4b7#2)9J5y4X3&6T1M7%4m8Q4x3@1u0Z5N6s2c8H3i4K6y4m8i4K6u0r3i4K6u0r3j5$3y4Q4x3X3g2^5K9Y4c8#2i4K6u0W2k6h3c8#2i4K6u0W2j5$3&6Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6N6o6i4K6t1$3L8X3u0K6M7q4)9K6b7W2)9J5k6g2)9J5k6g2)9J5k6g2!0q4c8W2!0n7b7#2)9^5z5g2)9%4b7#2)9J5y4X3&6T1M7%4m8Q4x3@1u0@1k6i4y4@1x3W2)9K6b7i4c8W2M7%4b7J5i4K6t1$3L8X3u0K6M7q4)9K6b7W2)9%4b7#2)9J5y4X3&6T1M7%4m8Q4x3@1u0Q4x3X3g2Q4x3X3g2Q4x3X3g2Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6N6o6i4K6t1$3L8X3u0K6M7q4)9K6b7Y4c8W2M7%4b7J5x3q4)9K6b7i4c8W2M7%4b7J5x3l9`.`.
2.个人信息泄露
登陆后进入“修改信息”(/MySpace/PersonalInfo.aspx)即可查看个人详细信息。
3.CSRF
存在多处CSRF,仅举一例:
访问
d74K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3y4U0i4K6u0W2M7$3A6@1N6g2)9J5k6h3g2V1N6g2)9J5k6h3y4F1i4K6u0r3c8K6u0e0i4K6u0r3e0i4W2e0M7r3q4U0k6g2)9J5c8W2g2K6k6i4u0o6L8$3&6@1M7X3!0D9i4K6u0r3g2f1y4d9f1#2x3I4i4K6u0W2j5i4y4Z5P5q4)9K6c8V1!0H3N6q4c8&6M7r3g2Q4x3@1c8o6L8$3&6X3K9i4u0E0f1Y4y4K6d9h3&6X3L8@1u0&6d9f1c8Q4x3U0k6u0c8q4)9K6c8o6p5@1y4K6R3@1x3#2)9J5y4Y4y4F1j5h3#2W2i4K6y4p5L8h3!0V1K9h3k6A6k6h3c8Q4x3U0k6K6k6X3g2W2k6q4)9K6c8r3S2@1N6s2m8Q4x3U0f1K6b7g2)9J5c8W2)9J5c8X3A6%4j5#2)9J5k6i4y4B7N6s2g2Q4x3X3g2W2k6s2g2Q4x3X3g2U0L8W2)9J5c8Y4u0K6M7#2)9J5c8Y4u0K6M7#2)9#2k6X3&6G2N6r3W2U0k6g2)9J5k6h3q4K6M7s2S2Q4x3U0f1K6c8Y4y4#2j5X3A6W2j5%4c8A6k6q4)9J5y4e0y4p5x3e0V1^5x3o6p5#2i4K6t1#2x3U0k6@1k6h3#2H3L8r3q4@1k6h3W2V1i4K6t1#2x3@1b7J5x3U0p5H3x3U0M7`.
即可将“教务处通知”改为“modified”,有何利用价值?且看下文。
4.XSS
a.将3中的modified改为<svg onload="alert(document.cookie)" />即可利用CSRF制造储存型XSS。
b.使用发送消息功能(/TeacherSpace/Message/New.aspx),主题、正文皆未过滤,可触发指定用户储存型XSS。
c.在论坛、课程建设等多处皆存在XSS
5.路径遍历
系统采用了ewebeditor,在/ewebeditor/admin/default.aspx页面中使用弱口令admin:admin登陆后台,访问/ewebeditor/admin/upload.aspx?id=1&dir=../&d_viewmode=list,改变参数dir的值,不断添加“../”可实现目录跳转回溯。
6.上传Webshell
在“样式管理”中修改任一样式,添加上传文件类型asp,预览样式,上传图片,webshell即得。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
