当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2011-01801

漏洞标题:电大在线在线远程教学平台0DAY(全国电大通吃)

相关厂商:电大在线

漏洞作者: piaoye

提交时间:2011-04-03 11:33

修复时间:2011-04-03 17:36

公开时间:2011-04-03 17:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:10

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2011-04-03: 积极联系厂商并且等待厂商认领中,细节不对外公开
2011-04-03: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

好久的漏洞了,厂商是www.open.edu.cn ,今天整理博客发现这0day还能用就公布下。
多个注射漏洞,过滤了and等但能绕过,数据库连接配置文件暴露,任意文件上传等。。

详细说明:

一些注入BUG加默认路径问题,全是电大类机构。之前数据连接的inc文件.可用下载工具下载得到。上面统一安装的系统所以下面服上基本都在这个路径:D:\www\include\odbc.inc,现在试过不行了。现在有些系统升级成了.net版本,但注入漏洞等都还在。

漏洞证明:


谷歌搜索:D:\www\include\odbc.inc
公告处上传。
权限太大,提权简单,但都内网。
注射点蛮多,类似
research/research_result.php?id=1
root/teacher/admin_search.php //post
....
附上系统结构:
\index.php
\student.php
\student_study.php
\teacher.php
\teacher_nocourse.php
\topic_frame_s.php
\adminuser\c.php
\adminuser\treedir.js
\config\config.php
\config\parameter_list.php
\config\parameters\odbc_userstat.inc
\config\parameters\system.inc
\embeded\userinfo.php
\exhibite\include_package\exhibite_display.class.php
\exhibite\include_package\exhibite_display_show.class.php
\file_post\display\topic.php
\file_post\file_add\file_upload.php
\file_post\file_add\file_upload2.php
\include\odbc_userstat.inc
\include\search_lib.php
\include\system_parameter.inc
\java\savetime.js
\java\school.js
\newstat\basic\func_im.inc
\newstat\basic\func_t.inc
\newstat\basic\reg_inc.php
\newstat\new\coursetop10.php
\newstat\root\config.inc
\newstat\root\ictab.php
\newstat\root\iview.php
\newstat\userinfo\config.inc
\newstat\userinfo\config1.inc
\newstat\userinfo\readnum_student.php
\newstat\userinfo\readnum_teacher.php
\newstat\userinfo\stat.php
\newstat\userinfo\user_stat2.php
\newstat\xwtj\Centerasc.php
\newstat\xwtj\centerfile1.php
\newstat\xwtj\look.php
\newstat\xwtj\resourceself.php
\reg\getPassWord.php
\reg\result.php
\reg\signup_fromold_finish.php
\schoolbook\preesbrief.php
\stat\config.inc
\stat\savetime_v2.php
\stat\basic\func_t.inc
\stat\student\config.inc
\stat\student\index.php
\stat\student\readnum.php
\stat\student\stat.php
\stat\teacher\config.inc
\stat\teacher\index.php
\stat\teacher\index_s.php
\stat\teacher\readnum_student.php
\stat\teacher\readnum_teacher.php
\stat\teacher\stat.php
\stat\teacher\view_student.php
\stat\teacher\uploadfile_teacher.php
省略一千句。
//更改权限代码信息后请更改\rights\common.inc文件!!!!!!!!!!!!!!!!!!!!!!!!
var li = new Array()
li[0] = "后台管理目录"
li[1] = new Array() //3
li[1][0] = "网站统计管理"
li[1][1] = new Array()
li[1][1][0] = "平台运行基本数据"
li[1][1][1] = "站点统计分析;/newstat/netbasic/counter_index.php;11"
li[1][1][2] = "用户统计分析;/newstat/userinfo/counter_index1.php;11"
li[1][1][3] = "浏览器统计分析;/newstat/netbasic/counter_browser.php;11"
li[1][1][4] = "操作系统统计分析;/newstat/netbasic/counter_os.php;11"
li[1][1][5] = "访问来路表;/newstat/netbasic/counter_from.php;11"
li[1][1][6] = "年报表;/newstat/netbasic/counter_year.php;11"
li[1][1][7] = "月报表;/newstat/netbasic/counter_month.php;11"
li[1][1][8] = "日报表;/newstat/netbasic/counter_day.php;11"
li[1][1][9] = "年、月、日报表查询;/newstat/netbasic/counter_search.php;11"
li[1][2] = new Array()
li[1][2][0] = "平台资源数据"
li[1][2][1] = "点击数排行榜;/newstat/new/coursetop10.php;12"
li[1][2][2] = "文章上传统计;/newstat/topic_admin/index.php;12"
li[1][2][3] = "中央电大下发资源统计;/newstat/xwtj/look.php;12"
li[1][2][4] = "配套资源统计;/newstat/xwtj/resourceself.php;12"
li[1][2][5] = "自建资源统计;/newstat/xwtj/resourceself1.php;12"
li[1][2][6] = "共享资源统计;/sharefileadmin/showUserBrows.php;12"
li[1][3] = new Array()
li[1][3][0] = "行为统计数据"
li[1][3][1] = "用户行为统计;/newstat/userinfo/index3.php;13"
li[1][3][2] = "课程停留时间统计;/newstat/root/itime.php;13"
li[1][4] = new Array()
li[1][4][0] = "论坛数据"
li[1][4][1] = "论坛总体情况表;/newstat/article/counter_index2.php;14"
li[1][4][2] = "总论坛排行榜;/newstat/article/article_total.php;14"
li[1][4][3] = "公共论坛排行榜;/newstat/article/article_public.php;14"
li[1][4][4] = "课程论坛排行榜;/newstat/article/article_course.php;14"
li[1][4][5] = "查询;/newstat/root/readnum.php;14"
li[2] = new Array() //2
li[2][0] = "网站管理"
li[2][1] = new Array()
li[2][1][0] = "参数设置"
li[2][1][1] = "系统参数;/config/config.php?n=system;21"
li[2][1][2] = "ODBC参数;/config/config.php?n=odbc;21"
li[2][1][3] = "JWODBC参数;/config/config.php?n=jwodbc;21"
li[2][1][4] = "论坛参数;/config/config.php?n=forum;21"
li[2][1][5] = "用户行为统计ODBC参数;/config/config.php?n=odbc_userstat;21"

li[2][2] = "在线调查;/research/research_index.php;22"
li[3] = new Array() //3
li[3][0] = "教务管理"
li[3][1] = new Array()
li[3][1][0] = "人员管理"
li[3][1][1] = "注册新用户;/reg/reg.php;31"
li[3][1][2] = "浏览学生用户;/reg/list.php?usertype=1;31"
li[3][1][3] = new Array()
li[3][1][3][0]= "浏览教师用户"
li[3][1][3][1]= "浏览全部;/reg/list.php?usertype=2;31"
li[3][1][3][2]= "已验证;/reg/list.php?v=1&usertype=2;31"
li[3][1][3][3]= "未验证;/reg/list.php?v=0&usertype=2;31"
li[3][1][4] = new Array()
li[3][1][4][0]= "浏览教师(学生)用户"
li[3][1][4][1]= "浏览全部;/reg/list.php?usertype=1&studentno=0;31"
li[3][1][4][2]= "已验证;/reg/list.php?usertype=1&studentno=0&v=1;31"
li[3][1][4][3]= "未验证;/reg/list.php?usertype=1&studentno=0&v=0;31"
li[3][1][5]= "浏览管理员用户;/reg/list.php?usertype=3;31"
li[3][1][6]= "查询用户;/reg/search.php;31"
li[3][1][7]= "修改用户密码 ;/reg/gaimima.php?;31"
li[3][2] = "教师权限管理;/rights/listuser.php;32"
li[3][3] = "管理员权限管理;/rights/listadmin.php;33"
li[3][4] = new Array()
li[3][4][0] = "教材管理"
li[3][4][1] = "出版社管理;/schoolbook/pressmanage.php;34"
li[3][4][2] = "教材信息管理;/schoolbook/sbmanage.php;34"
li[3][4][3] = "专业课程教材管理;/schoolbook/planmanage.php;34"
li[3][5] = new Array()
li[3][5][0] = "教学计划开/关|维护"
li[3][5][1] = "教学计划开/关;/adminuser/adminplan.php;35"
li[3][5][2] = "教学计划维护;/plan/index.php;35"
li[4] = new Array() //4
li[4][0] = "课程端管理"
li[4][1] = "文章管理;/file_post/topic_admin/index.php;41"
li[4][2] = new Array()
li[4][2][0] = "论坛管理"
li[4][2][1] = "论坛版块管理;/club/forum/admin/category/index.php;42"
li[4][2][2] = "论坛版主管理;/club/forum/admin/admin/index.php;42"
li[4][2][3] = "论坛帖子管理;/club/forum/admin/article/list.php;42"
li[4][2][4] = "聊天室状态管理;/chatroot/admin.php;42"
li[4][3] = "教师风采;/teacher/index.php;43"
//li[4][4] = "试卷、作业权限管理;/exam/admin/manage.php;44"
//li[4][5] = "电视播放表及考试时间管理;/course_study/admin.php"
li[4][4] = "课程评估调查;/evaluate/searches.php;44"
li[4][5] = "共享资源设置;/sharefileadmin/shareplan_list.php;45"
li[4][6] = "考试资源导入;/exam_res/index.php;46"
//省电大:具有资源生成权限!!!!!!!!!!!!!!!!
li[4][7] = new Array()
li[4][7][0] = "下发资源管理"
li[4][7][1] = "资源展示;/exhibite/showpage/planlistbysql.php;47"
li[4][7][2] = "资源生成;/exhibite/admin/index.php;47"
li[5] = new Array() //4
li[5][0] = "个人信息"
li[5][1] = "修改信息;/reg/modify.php"
li[5][2] = "修改密码;/reg/modifyadminpass.php"
li[5][3] = "查看留言;/club/forum/message/shownew.php?isSubmit=0"
li[5][4] = "给同学留言;/club/forum/message/sayto_admin.php"
document.write("<DIV noWrap>")
document.write("<UL style=\"BACKGROUND-COLOR: " + treeBC + ";")
document.write(" COLOR: " + treeFC + ";")
document.write(" MARGIN-LEFT: " + marginleft + "\">")
document.write(li[0] + "<BR>")
for(var i = 1; i < li.length; i++)
{
writeItem(li[i], i)
}
document.write("</UL>")
document.write("</DIV>")
// -->
</script>

修复方案:

建议通知所有各地电大院校更换新版.net系统。

版权声明:转载请注明来源 piaoye@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:6 (WooYun评价)


漏洞评价:

评论

  1. 2011-04-03 20:01 | ( 实习白帽子 | Rank:35 漏洞数:20 | 关注网络安全,关注漏洞研究)

    SB

  2. 2011-04-03 20:05 | ( 实习白帽子 | Rank:35 漏洞数:20 | 关注网络安全,关注漏洞研究)

    强大围观

  3. 2011-04-03 20:06 | ( 实习白帽子 | Rank:35 漏洞数:20 | 关注网络安全,关注漏洞研究)

    玩笑都开不得`还退群`无语`

  4. 2011-04-03 20:10 | piaoye ( 普通白帽子 | Rank:343 漏洞数:53 | ww)

    哥对你不薄,你说sb?

  5. 2011-04-03 20:21 | ( 实习白帽子 | Rank:35 漏洞数:20 | 关注网络安全,关注漏洞研究)

    某人请表误解。。后来才知是飘叶兄

  6. 2011-04-03 20:53 | piaoye ( 普通白帽子 | Rank:343 漏洞数:53 | ww)

    呵呵.

  7. 2011-04-04 10:20 | knife ( 普通白帽子 | Rank:155 漏洞数:24 | 抬枪上御女,提臀迎众基。)

    围观一群黑客吵架 。。。 强势围观