这是一个发现已久的漏洞,受影响厂商为 www.open.edu.cn(电大类机构统一使用的平台)。最近整理博客时发现该 0day 仍然可用,故予以公布。问题包括:多处 SQL 注入(对 and 等关键字做了黑名单过滤,但可以绕过——关键字过滤并不能代替参数化查询)、数据库连接配置文件可被直接下载、任意文件上传等。
详细说明:问题由多处 SQL 注入加上默认安装路径泄露组成,受影响的均为电大类机构。此前存放数据库连接信息的 .inc 文件可以直接用下载工具下载得到(服务器未禁止对 .inc 配置文件的直接访问)。由于各校统一安装同一套系统,下级服务器上该文件基本都在相同的默认路径 D:\www\include\odbc.inc;该下载方式现在已经不可用。部分系统虽已升级为 .net 版本,但注入等漏洞依然存在。
漏洞证明:在谷歌中搜索路径字串 D:\www\include\odbc.inc,即可定位泄露了物理路径的受影响站点。公告发布处存在任意文件上传点。Web 进程权限过大,提权容易,但服务器大多位于内网。注入点很多,例如 research/research_result.php?id=1(GET 参数 id)以及 root/teacher/admin_search.php(POST 参数)等。附上系统目录结构: \index.php
\student.php
\student_study.php
\teacher.php
\teacher_nocourse.php
\topic_frame_s.php
\adminuser\c.php
\adminuser\treedir.js
\config\config.php
\config\parameter_list.php
\config\parameters\odbc_userstat.inc
\config\parameters\system.inc
\embeded\userinfo.php
\exhibite\include_package\exhibite_display.class.php
\exhibite\include_package\exhibite_display_show.class.php
\file_post\display\topic.php
\file_post\file_add\file_upload.php
\file_post\file_add\file_upload2.php
\include\odbc_userstat.inc
\include\search_lib.php
\include\system_parameter.inc
\java\savetime.js
\java\school.js
\newstat\basic\func_im.inc
\newstat\basic\func_t.inc
\newstat\basic\reg_inc.php
\newstat\new\coursetop10.php
\newstat\root\config.inc
\newstat\root\ictab.php
\newstat\root\iview.php
\newstat\userinfo\config.inc
\newstat\userinfo\config1.inc
\newstat\userinfo\readnum_student.php
\newstat\userinfo\readnum_teacher.php
\newstat\userinfo\stat.php
\newstat\userinfo\user_stat2.php
\newstat\xwtj\Centerasc.php
\newstat\xwtj\centerfile1.php
\newstat\xwtj\look.php
\newstat\xwtj\resourceself.php
\reg\getPassWord.php
\reg\result.php
\reg\signup_fromold_finish.php
\schoolbook\preesbrief.php
\stat\config.inc
\stat\savetime_v2.php
\stat\basic\func_t.inc
\stat\student\config.inc
\stat\student\index.php
\stat\student\readnum.php
\stat\student\stat.php
\stat\teacher\config.inc
\stat\teacher\index.php
\stat\teacher\index_s.php
\stat\teacher\readnum_student.php
\stat\teacher\readnum_teacher.php
\stat\teacher\stat.php
\stat\teacher\view_student.php
\stat\teacher\uploadfile_teacher.php
(目录结构较长,此处省略其余条目。)以下为后台管理菜单树的定义(疑似即上面列出的 \adminuser\treedir.js),其开头的原始注释为: //更改权限代码信息后请更改\rights\common.inc文件!
// Navigation tree for the management back end, rendered with document.write.
//
// Shape of the data: element 0 of every array is the label of that branch;
// every other element is either a nested branch (array) or a leaf string of
// the form "label;path;code". The third field (11, 12, 21, ...) is present on
// all entries except the personal-info branch at the end; it presumably is the
// permission code referenced by the original note about \rights\common.inc
// (TODO confirm against writeItem(), which is defined elsewhere).
//
// NOTE(review): this menu is built entirely on the client. Hiding an entry
// here only hides a link; it does not restrict access to the path, so every
// listed server-side page must enforce authorization itself. The commented-out
// entries further down still disclose admin paths to anyone reading the script.
var li = [
  "后台管理目录",

  // Branch 1: site statistics.
  [
    "网站统计管理",
    [
      "平台运行基本数据",
      "站点统计分析;/newstat/netbasic/counter_index.php;11",
      "用户统计分析;/newstat/userinfo/counter_index1.php;11",
      "浏览器统计分析;/newstat/netbasic/counter_browser.php;11",
      "操作系统统计分析;/newstat/netbasic/counter_os.php;11",
      "访问来路表;/newstat/netbasic/counter_from.php;11",
      "年报表;/newstat/netbasic/counter_year.php;11",
      "月报表;/newstat/netbasic/counter_month.php;11",
      "日报表;/newstat/netbasic/counter_day.php;11",
      "年、月、日报表查询;/newstat/netbasic/counter_search.php;11"
    ],
    [
      "平台资源数据",
      "点击数排行榜;/newstat/new/coursetop10.php;12",
      "文章上传统计;/newstat/topic_admin/index.php;12",
      "中央电大下发资源统计;/newstat/xwtj/look.php;12",
      "配套资源统计;/newstat/xwtj/resourceself.php;12",
      "自建资源统计;/newstat/xwtj/resourceself1.php;12",
      "共享资源统计;/sharefileadmin/showUserBrows.php;12"
    ],
    [
      "行为统计数据",
      "用户行为统计;/newstat/userinfo/index3.php;13",
      "课程停留时间统计;/newstat/root/itime.php;13"
    ],
    [
      "论坛数据",
      "论坛总体情况表;/newstat/article/counter_index2.php;14",
      "总论坛排行榜;/newstat/article/article_total.php;14",
      "公共论坛排行榜;/newstat/article/article_public.php;14",
      "课程论坛排行榜;/newstat/article/article_course.php;14",
      "查询;/newstat/root/readnum.php;14"
    ]
  ],

  // Branch 2: site management. The config.php?n=... pages edit the system,
  // ODBC and forum parameters, i.e. the database connection settings.
  [
    "网站管理",
    [
      "参数设置",
      "系统参数;/config/config.php?n=system;21",
      "ODBC参数;/config/config.php?n=odbc;21",
      "JWODBC参数;/config/config.php?n=jwodbc;21",
      "论坛参数;/config/config.php?n=forum;21",
      "用户行为统计ODBC参数;/config/config.php?n=odbc_userstat;21"
    ],
    "在线调查;/research/research_index.php;22"
  ],

  // Branch 3: academic administration (users, rights, textbooks, plans).
  [
    "教务管理",
    [
      "人员管理",
      "注册新用户;/reg/reg.php;31",
      "浏览学生用户;/reg/list.php?usertype=1;31",
      [
        "浏览教师用户",
        "浏览全部;/reg/list.php?usertype=2;31",
        "已验证;/reg/list.php?v=1&usertype=2;31",
        "未验证;/reg/list.php?v=0&usertype=2;31"
      ],
      [
        "浏览教师(学生)用户",
        "浏览全部;/reg/list.php?usertype=1&studentno=0;31",
        "已验证;/reg/list.php?usertype=1&studentno=0&v=1;31",
        "未验证;/reg/list.php?usertype=1&studentno=0&v=0;31"
      ],
      "浏览管理员用户;/reg/list.php?usertype=3;31",
      "查询用户;/reg/search.php;31",
      // The stray space before ';' and the trailing '?' are in the original.
      "修改用户密码 ;/reg/gaimima.php?;31"
    ],
    "教师权限管理;/rights/listuser.php;32",
    "管理员权限管理;/rights/listadmin.php;33",
    [
      "教材管理",
      "出版社管理;/schoolbook/pressmanage.php;34",
      "教材信息管理;/schoolbook/sbmanage.php;34",
      "专业课程教材管理;/schoolbook/planmanage.php;34"
    ],
    [
      "教学计划开/关|维护",
      "教学计划开/关;/adminuser/adminplan.php;35",
      "教学计划维护;/plan/index.php;35"
    ]
  ],

  // Branch 4: course-side management.
  [
    "课程端管理",
    "文章管理;/file_post/topic_admin/index.php;41",
    [
      "论坛管理",
      "论坛版块管理;/club/forum/admin/category/index.php;42",
      "论坛版主管理;/club/forum/admin/admin/index.php;42",
      "论坛帖子管理;/club/forum/admin/article/list.php;42",
      "聊天室状态管理;/chatroot/admin.php;42"
    ],
    "教师风采;/teacher/index.php;43",
    // Disabled in the original but left in the shipped script:
    //   "试卷、作业权限管理;/exam/admin/manage.php;44"
    //   "电视播放表及考试时间管理;/course_study/admin.php"
    "课程评估调查;/evaluate/searches.php;44",
    "共享资源设置;/sharefileadmin/shareplan_list.php;45",
    "考试资源导入;/exam_res/index.php;46",
    // Original note: provincial open universities have resource-generation rights.
    [
      "下发资源管理",
      "资源展示;/exhibite/showpage/planlistbysql.php;47",
      "资源生成;/exhibite/admin/index.php;47"
    ]
  ],

  // Branch 5: personal information. These leaves carry no third field.
  [
    "个人信息",
    "修改信息;/reg/modify.php",
    "修改密码;/reg/modifyadminpass.php",
    "查看留言;/club/forum/message/shownew.php?isSubmit=0",
    "给同学留言;/club/forum/message/sayto_admin.php"
  ]
];

// Emit the tree: a <DIV> wrapping a styled <UL>, the root label, then one
// writeItem() call per top-level branch. treeBC, treeFC, marginleft and
// writeItem are expected to be defined by the including page.
document.write('<DIV noWrap>');
document.write('<UL style="BACKGROUND-COLOR: ' + treeBC + ';');
document.write(' COLOR: ' + treeFC + ';');
document.write(' MARGIN-LEFT: ' + marginleft + '">');
document.write(li[0] + '<BR>');
for (var idx = 1; idx < li.length; idx++) {
  writeItem(li, idx);
}
document.write('</UL>');
document.write('</DIV>');
// --> </script>
修复方案:建议通知各地电大院校升级系统,但如上所述,新版 .net 系统中注入漏洞依然存在,单纯更换版本并不能解决问题。应当:将所有数据库查询改为参数化查询,而不是依赖对 and 等关键字的黑名单过滤;禁止 Web 直接访问 .inc 等配置文件,或将其移出 Web 根目录;对上传功能做文件类型白名单校验,并禁止上传目录执行脚本;以最小权限运行 Web 服务进程,避免一处漏洞直接导致服务器被完全控制。