电大在线在线远程教学平台0DAY(全国电大通吃)
来源:vfocus.net 作者:vfocus 发布时间:2011-04-08  

这是一个很久以前的漏洞,厂商是 www.open.edu.cn。最近整理博客时发现这个 0day 还能用,就公布一下。
存在多个注入漏洞(过滤了 and 等关键字,但可以绕过)、数据库连接配置文件暴露、任意文件上传等问题。

详细说明:
主要是一些注入 BUG 加上默认路径问题,受影响的全是电大类机构。之前保存数据库连接信息的 inc 文件可以用下载工具直接下载得到。系统由上级统一安装,所以下级服务器上的文件基本都在这个路径:D:\www\include\odbc.inc,不过现在试过已经不行了。现在有些系统升级成了 .net 版本,但注入漏洞等问题都还在。

漏洞证明:
谷歌搜索:D:\www\include\odbc.inc
公告处上传。
权限太大,提权简单,但都内网。
注射点蛮多,类似
research/research_result.php?id=1
root/teacher/admin_search.php //post
....
附上系统结构:
\index.php

\student.php

\student_study.php

\teacher.php

\teacher_nocourse.php

\topic_frame_s.php

\adminuser\c.php

\adminuser\treedir.js

\config\config.php

\config\parameter_list.php

\config\parameters\odbc_userstat.inc

\config\parameters\system.inc

\embeded\userinfo.php

\exhibite\include_package\exhibite_display.class.php

\exhibite\include_package\exhibite_display_show.class.php

\file_post\display\topic.php

\file_post\file_add\file_upload.php

\file_post\file_add\file_upload2.php

\include\odbc_userstat.inc

\include\search_lib.php

\include\system_parameter.inc

\java\savetime.js

\java\school.js

\newstat\basic\func_im.inc

\newstat\basic\func_t.inc

\newstat\basic\reg_inc.php

\newstat\new\coursetop10.php

\newstat\root\config.inc

\newstat\root\ictab.php

\newstat\root\iview.php

\newstat\userinfo\config.inc

\newstat\userinfo\config1.inc

\newstat\userinfo\readnum_student.php

\newstat\userinfo\readnum_teacher.php

\newstat\userinfo\stat.php

\newstat\userinfo\user_stat2.php

\newstat\xwtj\Centerasc.php

\newstat\xwtj\centerfile1.php

\newstat\xwtj\look.php

\newstat\xwtj\resourceself.php

\reg\getPassWord.php

\reg\result.php

\reg\signup_fromold_finish.php

\schoolbook\preesbrief.php

\stat\config.inc

\stat\savetime_v2.php

\stat\basic\func_t.inc

\stat\student\config.inc

\stat\student\index.php

\stat\student\readnum.php

\stat\student\stat.php

\stat\teacher\config.inc

\stat\teacher\index.php

\stat\teacher\index_s.php

\stat\teacher\readnum_student.php

\stat\teacher\readnum_teacher.php

\stat\teacher\stat.php

\stat\teacher\view_student.php

\stat\teacher\uploadfile_teacher.php

省略一千句。
// After changing any permission-code information here, also update \rights\common.inc!
//
// Navigation tree for the admin console. Element 0 of every array is a
// caption; the remaining elements are either leaf strings or nested arrays.
// NOTE(review): this script runs in the browser, so it only decides which
// links are drawn. It cannot restrict access by itself -- every page named in
// the tree has to enforce its own server-side authentication and permission
// check.
var li = ["后台管理目录"];
// Section 1: site statistics. Each leaf is a "caption;path;code" string.
// The trailing number is presumably the permission code that the file header
// says must stay in sync with \rights\common.inc -- confirm.
li[1] = [
    "网站统计管理",
    [
        "平台运行基本数据",
        "站点统计分析;/newstat/netbasic/counter_index.php;11",
        "用户统计分析;/newstat/userinfo/counter_index1.php;11",
        "浏览器统计分析;/newstat/netbasic/counter_browser.php;11",
        "操作系统统计分析;/newstat/netbasic/counter_os.php;11",
        "访问来路表;/newstat/netbasic/counter_from.php;11",
        "年报表;/newstat/netbasic/counter_year.php;11",
        "月报表;/newstat/netbasic/counter_month.php;11",
        "日报表;/newstat/netbasic/counter_day.php;11",
        "年、月、日报表查询;/newstat/netbasic/counter_search.php;11"
    ],
    [
        "平台资源数据",
        "点击数排行榜;/newstat/new/coursetop10.php;12",
        "文章上传统计;/newstat/topic_admin/index.php;12",
        "中央电大下发资源统计;/newstat/xwtj/look.php;12",
        "配套资源统计;/newstat/xwtj/resourceself.php;12",
        "自建资源统计;/newstat/xwtj/resourceself1.php;12",
        "共享资源统计;/sharefileadmin/showUserBrows.php;12"
    ],
    [
        "行为统计数据",
        "用户行为统计;/newstat/userinfo/index3.php;13",
        "课程停留时间统计;/newstat/root/itime.php;13"
    ],
    [
        "论坛数据",
        "论坛总体情况表;/newstat/article/counter_index2.php;14",
        "总论坛排行榜;/newstat/article/article_total.php;14",
        "公共论坛排行榜;/newstat/article/article_public.php;14",
        "课程论坛排行榜;/newstat/article/article_course.php;14",
        "查询;/newstat/root/readnum.php;14"
    ]
];

// Section 2: site administration. The settings group points at
// /config/config.php with a different n= value per parameter set
// (system, odbc, jwodbc, forum, odbc_userstat).
// NOTE(review): these pages appear to edit connection and system parameters;
// confirm that config.php validates n and checks the caller's permission on
// the server.
li[2] = [
    "网站管理",
    [
        "参数设置",
        "系统参数;/config/config.php?n=system;21",
        "ODBC参数;/config/config.php?n=odbc;21",
        "JWODBC参数;/config/config.php?n=jwodbc;21",
        "论坛参数;/config/config.php?n=forum;21",
        "用户行为统计ODBC参数;/config/config.php?n=odbc_userstat;21"
    ],
    "在线调查;/research/research_index.php;22"
];

// Section 3: academic administration (user accounts, teacher and
// administrator rights, textbooks, teaching plans). The user group nests two
// further sub-menus that filter /reg/list.php by usertype, studentno and v.
// NOTE(review): the password-change entry has a space before its first ';'
// and a bare '?' after the path; both are reproduced exactly as found.
li[3] = [
    "教务管理",
    [
        "人员管理",
        "注册新用户;/reg/reg.php;31",
        "浏览学生用户;/reg/list.php?usertype=1;31",
        [
            "浏览教师用户",
            "浏览全部;/reg/list.php?usertype=2;31",
            "已验证;/reg/list.php?v=1&usertype=2;31",
            "未验证;/reg/list.php?v=0&usertype=2;31"
        ],
        [
            "浏览教师(学生)用户",
            "浏览全部;/reg/list.php?usertype=1&studentno=0;31",
            "已验证;/reg/list.php?usertype=1&studentno=0&v=1;31",
            "未验证;/reg/list.php?usertype=1&studentno=0&v=0;31"
        ],
        "浏览管理员用户;/reg/list.php?usertype=3;31",
        "查询用户;/reg/search.php;31",
        "修改用户密码 ;/reg/gaimima.php?;31"
    ],
    "教师权限管理;/rights/listuser.php;32",
    "管理员权限管理;/rights/listadmin.php;33",
    [
        "教材管理",
        "出版社管理;/schoolbook/pressmanage.php;34",
        "教材信息管理;/schoolbook/sbmanage.php;34",
        "专业课程教材管理;/schoolbook/planmanage.php;34"
    ],
    [
        "教学计划开/关|维护",
        "教学计划开/关;/adminuser/adminplan.php;35",
        "教学计划维护;/plan/index.php;35"
    ]
];

// Section 4: course-side administration (articles, forum, teacher pages,
// course surveys, shared resources, exam import, distributed resources).
// Two entries were already commented out in the original and stay disabled;
// slots 4 and 5 are filled by the survey and shared-resource entries instead:
//li[4][4] = "试卷、作业权限管理;/exam/admin/manage.php;44"
//li[4][5] = "电视播放表及考试时间管理;/course_study/admin.php"
li[4] = [
    "课程端管理",
    "文章管理;/file_post/topic_admin/index.php;41",
    [
        "论坛管理",
        "论坛版块管理;/club/forum/admin/category/index.php;42",
        "论坛版主管理;/club/forum/admin/admin/index.php;42",
        "论坛帖子管理;/club/forum/admin/article/list.php;42",
        "聊天室状态管理;/chatroot/admin.php;42"
    ],
    "教师风采;/teacher/index.php;43",
    "课程评估调查;/evaluate/searches.php;44",
    "共享资源设置;/sharefileadmin/shareplan_list.php;45",
    "考试资源导入;/exam_res/index.php;46",
    // Provincial TV university: has the resource-generation permission!
    [
        "下发资源管理",
        "资源展示;/exhibite/showpage/planlistbysql.php;47",
        "资源生成;/exhibite/admin/index.php;47"
    ]
];


// Section 5: the signed-in user's own profile, password and messages.
// Unlike the other sections, these leaves have only "caption;path" and no
// third field.
// NOTE(review): presumably that means no permission code is required for
// them -- confirm how writeItem treats a missing third field.
li[5] = [
    "个人信息",
    "修改信息;/reg/modify.php",
    "修改密码;/reg/modifyadminpass.php",
    "查看留言;/club/forum/message/shownew.php?isSubmit=0",
    "给同学留言;/club/forum/message/sayto_admin.php"
];

// Render the tree into the page: a non-wrapping DIV containing a UL whose
// background colour, text colour and left margin come from treeBC, treeFC
// and marginleft (none of which are defined in this snippet).
// NOTE(review): these values and the li strings are concatenated into markup
// without escaping; that is safe only while they are fixed constants --
// confirm where treeBC, treeFC and marginleft are set.
document.write("<DIV noWrap>")
// The opening UL tag is emitted in three pieces; the style attribute is only
// closed by the third write.
document.write("<UL style=\"BACKGROUND-COLOR: " + treeBC + ";")
document.write(" COLOR: " + treeFC + ";")
document.write(" MARGIN-LEFT: " + marginleft + "\">")
// li[0] is the root caption, so the loop over sections starts at index 1.
document.write(li[0] + "<BR>")
for(var i = 1; i < li.length; i++)
{
// writeItem is defined outside this snippet; it receives the whole tree and
// the index of the top-level entry to output.
writeItem(li, i)
}
document.write("</UL>")
document.write("</DIV>")
// -->
</script>


修复方案:
建议通知各地所有电大院校更换新版 .net 系统。但如上文所述,升级后的 .net 版本中注入漏洞依然存在,因此仅更换版本并不够:还应改用参数化查询、对上传文件做类型和存放位置限制,并禁止通过 Web 直接访问 .inc 等配置文件。


 