分类: 网络与安全

2011-04-06 21:48:09

简要描述:
这是很久以前发现的漏洞(厂商名此处略去),今天整理博客时发现这个0day仍然可用,故予以公布。
存在多处SQL注入漏洞(仅对 and 等关键字做了黑名单过滤,可以绕过——关键字过滤并不能替代参数化查询)、数据库连接配置文件(.inc)可被直接下载、任意文件上传等问题。

详细说明:
一些注入点加上默认安装路径的问题,受影响的全是电大类机构。之前数据库连接配置文件(.inc)可以用下载工具直接下载得到;由于是统一部署的系统,各站点基本都在同一路径 D:\www\include\odbc.inc,不过现在再试已经下载不到了。部分站点已升级为 .net 版本,但注入等漏洞依然存在。

漏洞证明:
谷歌搜索该绝对路径字符串 D:\www\include\odbc.inc 即可定位受影响站点(路径能被搜索引擎收录,很可能是站点在页面中泄露了服务器绝对路径)。
公告处可任意上传文件。
运行权限过大,提权很简单,不过这些服务器都在内网。
注射点蛮多,类似
research/research_result.php?id=1
root/teacher/admin_search.php (注入点在 POST 参数中)
....
附上系统结构:
\index.php

\student.php

\student_study.php

\teacher.php

\teacher_nocourse.php

\topic_frame_s.php

\adminuser\c.php

\adminuser\treedir.js

\config\config.php

\config\parameter_list.php

\config\parameters\odbc_userstat.inc

\config\parameters\system.inc

\embeded\userinfo.php

\exhibite\include_package\exhibite_display.class.php

\exhibite\include_package\exhibite_display_show.class.php

\file_post\display\topic.php

\file_post\file_add\file_upload.php

\file_post\file_add\file_upload2.php

\include\odbc_userstat.inc

\include\search_lib.php

\include\system_parameter.inc

\java\savetime.js

\java\school.js

\newstat\basic\func_im.inc

\newstat\basic\func_t.inc

\newstat\basic\reg_inc.php

\newstat\new\coursetop10.php

\newstat\root\config.inc

\newstat\root\ictab.php

\newstat\root\iview.php

\newstat\userinfo\config.inc

\newstat\userinfo\config1.inc

\newstat\userinfo\readnum_student.php

\newstat\userinfo\readnum_teacher.php

\newstat\userinfo\stat.php

\newstat\userinfo\user_stat2.php

\newstat\xwtj\Centerasc.php

\newstat\xwtj\centerfile1.php

\newstat\xwtj\look.php

\newstat\xwtj\resourceself.php

\reg\getPassWord.php

\reg\result.php

\reg\signup_fromold_finish.php

\schoolbook\preesbrief.php

\stat\config.inc

\stat\savetime_v2.php

\stat\basic\func_t.inc

\stat\student\config.inc

\stat\student\index.php

\stat\student\readnum.php

\stat\student\stat.php

\stat\teacher\config.inc

\stat\teacher\index.php

\stat\teacher\index_s.php

\stat\teacher\readnum_student.php

\stat\teacher\readnum_teacher.php

\stat\teacher\stat.php

\stat\teacher\view_student.php

\stat\teacher\uploadfile_teacher.php

以下省略其余文件。
// Admin menu tree for the back-office navigation (rendered by the tree
// writer further down in this file).
//
// Shape: li[0] is the root label. Every other li[i] is either a leaf
// string or an array whose element 0 is the group label and whose
// remaining elements are leaves or nested groups. A leaf string is
// "label;url;rightsCode" — the trailing two-digit number is the rights
// code; the personal-info leaves in li[5] carry no rights code.
//
// After changing the rights codes here, also update \rights\common.inc.
//
// NOTE(review): this array only decides which links get drawn; it is not
// an access control. Any listed URL can be requested directly, so each
// target script has to verify the user's rights server-side — that cannot
// be confirmed from this file alone.
//
// `var` is kept deliberately: in a classic <script> it publishes `li` as a
// global that the renderer reads; `const`/`let` would not.
var li = [];
li[0] = "后台管理目录";

// 1 — site statistics
li[1] = [
  "网站统计管理",
  [
    "平台运行基本数据",
    "站点统计分析;/newstat/netbasic/counter_index.php;11",
    "用户统计分析;/newstat/userinfo/counter_index1.php;11",
    "浏览器统计分析;/newstat/netbasic/counter_browser.php;11",
    "操作系统统计分析;/newstat/netbasic/counter_os.php;11",
    "访问来路表;/newstat/netbasic/counter_from.php;11",
    "年报表;/newstat/netbasic/counter_year.php;11",
    "月报表;/newstat/netbasic/counter_month.php;11",
    "日报表;/newstat/netbasic/counter_day.php;11",
    "年、月、日报表查询;/newstat/netbasic/counter_search.php;11",
  ],
  [
    "平台资源数据",
    "点击数排行榜;/newstat/new/coursetop10.php;12",
    "文章上传统计;/newstat/topic_admin/index.php;12",
    "中央电大下发资源统计;/newstat/xwtj/look.php;12",
    "配套资源统计;/newstat/xwtj/resourceself.php;12",
    "自建资源统计;/newstat/xwtj/resourceself1.php;12",
    "共享资源统计;/sharefileadmin/showUserBrows.php;12",
  ],
  [
    "行为统计数据",
    "用户行为统计;/newstat/userinfo/index3.php;13",
    "课程停留时间统计;/newstat/root/itime.php;13",
  ],
  [
    "论坛数据",
    "论坛总体情况表;/newstat/article/counter_index2.php;14",
    "总论坛排行榜;/newstat/article/article_total.php;14",
    "公共论坛排行榜;/newstat/article/article_public.php;14",
    "课程论坛排行榜;/newstat/article/article_course.php;14",
    "查询;/newstat/root/readnum.php;14",
  ],
];

// 2 — site management (the ODBC entries edit database connection
// parameters, so rights code 21 should be enforced strictly on the server)
li[2] = [
  "网站管理",
  [
    "参数设置",
    "系统参数;/config/config.php?n=system;21",
    "ODBC参数;/config/config.php?n=odbc;21",
    "JWODBC参数;/config/config.php?n=jwodbc;21",
    "论坛参数;/config/config.php?n=forum;21",
    "用户行为统计ODBC参数;/config/config.php?n=odbc_userstat;21",
  ],
  "在线调查;/research/research_index.php;22",
];

// 3 — academic administration
li[3] = [
  "教务管理",
  [
    "人员管理",
    "注册新用户;/reg/reg.php;31",
    "浏览学生用户;/reg/list.php?usertype=1;31",
    [
      "浏览教师用户",
      "浏览全部;/reg/list.php?usertype=2;31",
      "已验证;/reg/list.php?v=1&usertype=2;31",
      "未验证;/reg/list.php?v=0&usertype=2;31",
    ],
    [
      "浏览教师(学生)用户",
      "浏览全部;/reg/list.php?usertype=1&studentno=0;31",
      "已验证;/reg/list.php?usertype=1&studentno=0&v=1;31",
      "未验证;/reg/list.php?usertype=1&studentno=0&v=0;31",
    ],
    "浏览管理员用户;/reg/list.php?usertype=3;31",
    "查询用户;/reg/search.php;31",
    "修改用户密码 ;/reg/gaimima.php?;31",
  ],
  "教师权限管理;/rights/listuser.php;32",
  "管理员权限管理;/rights/listadmin.php;33",
  [
    "教材管理",
    "出版社管理;/schoolbook/pressmanage.php;34",
    "教材信息管理;/schoolbook/sbmanage.php;34",
    "专业课程教材管理;/schoolbook/planmanage.php;34",
  ],
  [
    "教学计划开/关|维护",
    "教学计划开/关;/adminuser/adminplan.php;35",
    "教学计划维护;/plan/index.php;35",
  ],
];

// 4 — course-side management
li[4] = [
  "课程端管理",
  "文章管理;/file_post/topic_admin/index.php;41",
  [
    "论坛管理",
    "论坛版块管理;/club/forum/admin/category/index.php;42",
    "论坛版主管理;/club/forum/admin/admin/index.php;42",
    "论坛帖子管理;/club/forum/admin/article/list.php;42",
    "聊天室状态管理;/chatroot/admin.php;42",
  ],
  "教师风采;/teacher/index.php;43",
  "课程评估调查;/evaluate/searches.php;44",
  "共享资源设置;/sharefileadmin/shareplan_list.php;45",
  "考试资源导入;/exam_res/index.php;46",
  // Provincial open-university sites: these carry resource-generation rights.
  [
    "下发资源管理",
    "资源展示;/exhibite/showpage/planlistbysql.php;47",
    "资源生成;/exhibite/admin/index.php;47",
  ],
];

// 5 — personal info (no rights code on these leaves)
li[5] = [
  "个人信息",
  "修改信息;/reg/modify.php",
  "修改密码;/reg/modifyadminpass.php",
  "查看留言;/club/forum/message/shownew.php?isSubmit=0",
  "给同学留言;/club/forum/message/sayto_admin.php",
];

document.write("

")
document.write("
    document.write(" COLOR: " + treeFC + ";")
    document.write(" MARGIN-LEFT: " + marginleft + "\">")
    document.write(li[0] + "
    ")
    for(var i = 1; i < li.length; i++)
    {
    writeItem(li, i)
    }
    document.write("
")
document.write("
")
// -->


修复方案:
建议通知各地电大院校升级,但如上文所述,.net 版本中注入漏洞仍然存在,单纯更换版本并不能解决问题,必须修改代码:所有 SQL 查询改为参数化/预编译语句,而不是依赖关键字过滤;将 odbc.inc 等配置文件移出 Web 目录或在服务器上禁止直接访问;对公告处的上传功能限制文件类型与存放路径;并按最小权限原则配置数据库与服务账号。
