来源:自学PHP网 时间:2015-04-15 15:00 作者: 阅读:次
#1.由奥达软件开发的一所高校管理系统存在注入漏洞。注入漏洞发生在登录框中:虽然存在JS判断用户提交数据的合法性,但这都是可以绕过的=_=!
例子:
http://202.117.144.50/login/loginpageforuserb.aspx?LogoutURL=%2flogin
看看登录页面源代码,可以看到的确只是前端JS在做限制=_=!
<script type="text/javascript">
//<![CDATA[
// ASP.NET Web Forms client-side validator wiring for the login form
// (one ValidationSummary plus a RequiredFieldValidator and a
// RegularExpressionValidator for each of txtUserId and txtPwd).
//
// Every assignment below executes in the visitor's browser. Nothing here
// constrains what actually reaches the server: any HTTP client that does
// not run this script delivers txtUserId / txtPwd exactly as typed. The
// server side therefore has to treat both fields as untrusted on its own
// (re-check validity there, e.g. Page.IsValid, and pass the values to the
// database as query parameters rather than concatenated SQL text).

// Validation summary: errors are reported in a message box, not inline.
// "document.all" is the legacy IE lookup; modern browsers take the
// getElementById branch.
var VS___Page = document.all ? document.all["VS___Page"] : document.getElementById("VS___Page");
VS___Page.headertext = "您的输入有以下错误:";
VS___Page.showmessagebox = "True";
VS___Page.showsummary = "False";

// Required-field check for the user id; display "None" hides the
// validator's own message so only the summary box reports it.
var RFV_txtUserId = document.all ? document.all["RFV_txtUserId"] : document.getElementById("RFV_txtUserId");
RFV_txtUserId.controltovalidate = "txtUserId";
RFV_txtUserId.errormessage = "[用户名]不能为空!";
RFV_txtUserId.display = "None";
RFV_txtUserId.evaluationfunction = "RequiredFieldValidatorEvaluateIsValid";
RFV_txtUserId.initialvalue = ""; // value that counts as "empty"

// Pattern check for the user id: [^']* accepts any text that contains no
// single quote. It blocks exactly one character, and only in the browser,
// so it is a usability hint rather than an injection defence.
var REV_txtUserId = document.all ? document.all["REV_txtUserId"] : document.getElementById("REV_txtUserId");
REV_txtUserId.controltovalidate = "txtUserId";
REV_txtUserId.errormessage = "[用户名]格式错误,正确形式:不允许输入英文单引号\'";
REV_txtUserId.display = "None";
REV_txtUserId.evaluationfunction = "RegularExpressionValidatorEvaluateIsValid";
REV_txtUserId.validationexpression = "[^\']*";

// Required-field check for the password, same shape as for the user id.
var RFV_txtPwd = document.all ? document.all["RFV_txtPwd"] : document.getElementById("RFV_txtPwd");
RFV_txtPwd.controltovalidate = "txtPwd";
RFV_txtPwd.errormessage = "[密码]不能为空!";
RFV_txtPwd.display = "None";
RFV_txtPwd.evaluationfunction = "RequiredFieldValidatorEvaluateIsValid";
RFV_txtPwd.initialvalue = "";

// Pattern check for the password: same [^']* rule and the same caveat —
// client-side only, so the server must not rely on it.
var REV_txtPwd = document.all ? document.all["REV_txtPwd"] : document.getElementById("REV_txtPwd");
REV_txtPwd.controltovalidate = "txtPwd";
REV_txtPwd.errormessage = "[密码]格式错误,正确形式:不允许输入英文单引号\'";
REV_txtPwd.display = "None";
REV_txtPwd.evaluationfunction = "RegularExpressionValidatorEvaluateIsValid";
REV_txtPwd.validationexpression = "[^\']*";
//]]>
</script>
抓包吧=_=!!然后我们继续提交,绕过本地JS限制=_=!!
枚举几个案例<警:以下案例仅供Cncert复现测试,其它人不得非法使用,否则后果自负>:
http://zhaojiu.xzmy.edu.cn/login/loginpageforuserb.aspx?LogoutURL=/login&c=1 西藏民族学院
http://job.xaufe.edu.cn/Login/loginpageforuserb.aspx?LogoutURL= 西安财经学院
http://202.117.144.50/login/loginpageforuserb.aspx?LogoutURL=/login 陕西师范大学
http://202.117.112.29/Login/loginpageforuserb.aspx?LogoutURL=/login 西安电子科技大学
http://202.117.3.62:5002/Login/LoginPageForuserB.aspx 西安交通大学
http://xg.chd.edu.cn/Login/loginpageforuserb.aspx?LogoutURL=/login&c=1 长安大学
http://219.244.0.28/login/loginpageforstudentb.aspx 延安大学
以陕西科技大学为例演示:
http://202.117.144.50/login/loginpageforuserb.aspx?LogoutURL=/login
Database: Studwork6
[353 tables]
+-------------------------------+ | dbo.I$_tstud_Student | | dbo.J$tsys_NoticeType | | dbo.JV$Dtsys_NoticeType | | dbo.JV$tsys_NoticeType | | dbo.SNP_CDC_OBJECTS | | dbo.SNP_CDC_SET | | dbo.SNP_CDC_SET_TABLE | | dbo.SNP_CDC_SUBS | | dbo.SNP_CHECK_TAB | | dbo.VoteList | | dbo.Vsign_AgtRegistry | | dbo.Vsign_AgtRegistryFell | | dbo.Vsign_AgtRegistryOrder | | dbo.[Vdorm_buildingInfo【不用】] | | dbo.[tDorm_User[不用] | | dbo.[tsys_Modules_测试] | | dbo.[tsys_NoticeType学工网站] | | dbo.[vDorm_OccupiedRoom[不用] | | dbo.dtproperties | | dbo.qg | | dbo.setup | | dbo.sysconstraints | | dbo.syssegments | | dbo.tAcc_File | | dbo.tCadreGroup_state | | dbo.tCadre_dimission | | dbo.tCode_DeregReason | | dbo.tDerate_Temp | | dbo.tDorm_Area | | dbo.tDorm_Bed | | dbo.tDorm_Building | | dbo.tDorm_ChargeHistory | | dbo.tDorm_History | | dbo.tDorm_RewardHistory | | dbo.tDorm_Room | | dbo.tDorm_RoomMaster | | dbo.tDorm_RoomType | | dbo.tDrom_BuildingUser | | dbo.tEmp_BothMeeting | | dbo.tEmp_BothMeetingUnit | | dbo.tEmp_BothMeetingUnitSpec | | dbo.tEmp_UnitVideo | | dbo.tEmp_ViewCounter | | dbo.tEmp_codeComputerLevel | | dbo.tEmp_codeLiteracyDegree | | dbo.tEmp_codeMandarin | | dbo.tEmp_codeUnitEconomyType | | dbo.tEmp_codeUnitLevel | | dbo.tEmp_codeUnitSubjection | | dbo.tEmp_codeUnitTrade | | dbo.tEmp_codeUnitType | | dbo.tEmp_codeWageManageType | | dbo.tEmp_gbRegionalism | | dbo.tEmp_pblDeptDate | | dbo.tEmp_pblEmployment | | dbo.tEmp_pblSpecIntro | | dbo.tEmp_signAgtRegistry | | dbo.tEmp_studAcc | | dbo.tEmp_studFavorite | | dbo.tEmp_studIntro | | dbo.tEmp_studTouch | | dbo.tEmp_unitAcc | | dbo.tEmp_unitBaseInfo | | dbo.tEmp_unitEmploy | | dbo.tEmp_unitFavorite | | dbo.tFile_Video | | dbo.tGreen_Apply | | dbo.tMin_Activity | | dbo.tMin_InMoney | | dbo.tMin_OutMoney | | dbo.tMin_Visit | | dbo.tPoor_Student | | dbo.tPoor_StudentRevocation | | dbo.tPopedom_Atom | | dbo.tReg_register | | dbo.tSim_Appraise | | dbo.tSim_Punish | | dbo.tSim_Reward | | dbo.tSloan_Apply | | dbo.tSloan_ApplyAuditing | 
| dbo.tSloan_Condition | | dbo.tSloan_Exempt | | dbo.tSloan_ExemptAuditing | | dbo.tSloan_Repay | | dbo.tSloan_Type | | dbo.tSloan_Unit | | dbo.tStudCadre_Info | | dbo.tStudCadre_Type | | dbo.tStudCadre_Unit | | dbo.tStud_AllowApply | | dbo.tTemp_Apply | | dbo.tarm_AwardList | | dbo.tarm_StudCourse | | dbo.tarm_StudLevy | | dbo.tarm_StudRecord | | dbo.tarm_policy | | dbo.tarrear_enrol | | dbo.tarrear_ratify | | dbo.tarrear_repay | | dbo.tasl_Affirm | | dbo.tasl_Bank | | dbo.tasl_BankAuditing | | dbo.tasl_BankBargain | | dbo.tasl_Breach | | dbo.tasl_Compensate | | dbo.tasl_End | | dbo.tasl_Estate | | dbo.tasl_Extend | | dbo.tasl_Familial | | dbo.tasl_Imburse | | dbo.tasl_LoanType | | dbo.tasl_Postponed | | dbo.tasl_SchoolAuditing | | dbo.tasl_SchoolAuditingIdea | | dbo.tasl_StudRequisition | | dbo.tasl_Whither | | dbo.tbase_Department | | dbo.tbase_Teacher | | dbo.tbase_User | | dbo.tbase_UserID_UserNO | | dbo.tborrow_enrol | | dbo.tborrow_ratify | | dbo.tborrow_repay | | dbo.tcard_AllowSpec | | dbo.tcard_InviteUnit | | dbo.tcard_MakeCard | | dbo.tcard_ScanCard | | dbo.tcgb_Folk | | dbo.tcgb_PolityVisage | | dbo.tcgb_Regionalism | | dbo.tcgt_AwardGrade | | dbo.tcgt_AwardList | | dbo.tcgt_ClassRelation | | dbo.tcgt_StudCourse | | dbo.tcgt_StudRecord | | dbo.tcgt_stdResultCell | | dbo.tcgt_stdScale | | dbo.tcmoe_BloodType | | dbo.tcmoe_Emigrant | | dbo.tcmoe_PunishType | | dbo.tcmoe_RewardLevel | | dbo.tcmoe_RewardType | | dbo.tcmoe_StatusChangeCause | | dbo.tcmoe_StatusChangeType | | dbo.tcode_Academic | | dbo.tcode_Aspect | | dbo.tcode_Degree | | dbo.tcode_LenOfSchool | | dbo.tcode_Post | | dbo.tcode_PsychologyLevel | | dbo.tcode_StudType | | dbo.tcode_TeacherRole | | dbo.tcode_poorType | | dbo.tcpt_BranchActivity | | dbo.tcpt_ClassRelation | | dbo.tcpt_Document | | dbo.tcpt_MemberStudy | | dbo.tcpt_PartyActive | | dbo.tcpt_PartyBranch | | dbo.tcpt_PartyMember | | dbo.tcpt_PartyPrep | | dbo.tcpt_PersonRelation | | dbo.tcpt_Requisition | | dbo.tderate_AuditSchooling 
| | dbo.tderate_RegSchooling | | dbo.temp_CodeStudType | | dbo.temp_SMS | | dbo.temp_Student | | dbo.temp_displayitem | | dbo.tev_ClassAssess | | dbo.tev_ClassAssessTemp | | dbo.tev_EvaluatingItem | | dbo.tev_EvaluatingType | | dbo.tev_StudAssess | | dbo.tev_StudAssessTemp | | dbo.tgreen_Charge | | dbo.tgreen_temp | | dbo.titem_DeregType | | dbo.titem_PartyBranchType | | dbo.titem_PartyMemberType | | dbo.titem_PartySchoolType | | dbo.tlv_Procedure | | dbo.tlv_RegForGraduate | | dbo.tlv_Schema | | dbo.tmem_BookEnrol | | dbo.tmem_ChooseCadre | | dbo.tmem_Development | | dbo.tmem_DevelopmentNum | | dbo.tmem_MemBerDocment | | dbo.tmem_MemCharge | | dbo.tmem_Member | | dbo.tmem_OrgType | | dbo.tmem_Party | | dbo.tmem_PartyNum | | dbo.tmem_Record | | dbo.tmem_Rewards | | dbo.tmem_TrainDepartment | | dbo.tmem_TrainManInfo | | dbo.tmem_orgMan | | dbo.tmem_organization | | dbo.tmema_ActivityApply | | dbo.tmema_ActivityAudit | | dbo.tmema_ActivityField | | dbo.tmema_AssnJob | | dbo.tmema_AssnMember | | dbo.tmemp_Activity | | dbo.tmemp_ComAuthor | | dbo.tmemp_ComManuscript | | dbo.tmemp_ComReport | | dbo.tmemp_PublicationIssue | | dbo.tmemp_PulicJob | | dbo.tpopedom_UserBackManage | | dbo.tpopedom_UserModule | | dbo.tpsy_BBSMain | | dbo.tpsy_BBSRestore | | dbo.tpsy_Dossier | | dbo.tpsy_Emphases | | dbo.tpsy_Preengage | | dbo.tpsy_Talk | | dbo.tpsy_Work | | dbo.tpunish_Information | | dbo.tpunish_Repeal | | dbo.tqgzx | | dbo.tqgzx1128 | | dbo.tqgzxbf | | dbo.treward_Information | | dbo.treward_InformationG | | dbo.treward_Repeal | | dbo.treward_Type | | dbo.tsafety_InsurePayforMoney | | dbo.tsafety_InsureRegStudent | | dbo.tsafety_SafetyGrade | | dbo.tschol_Annotion | | dbo.tschol_Apply | | dbo.tschol_Classify | | dbo.tschol_Quotas | | dbo.tschol_RankObj | | dbo.tssc_History | | dbo.tstipend_Annotion | | dbo.tstipend_Apply | | dbo.tstipend_Classify | | dbo.tstipend_Quotas | | dbo.tstipend_RankObj | | dbo.tstud_Accessories | | dbo.tstud_CardPrint | | dbo.tstud_CardPrintFiled | 
| dbo.tstud_Educate | | dbo.tstud_Family | | dbo.tstud_FieldEdit | | dbo.tstud_Graduate | | dbo.tstud_NewStudent | | dbo.tstud_Student | | dbo.tstud_StudentTest | | dbo.tsubsidy_Annotion | | dbo.tsubsidy_Apply | | dbo.tsubsidy_Classify | | dbo.tsubsidy_Quotas | | dbo.tsubsidy_RankObj | | dbo.tsys_Download | | dbo.tsys_EmpNavigation | | dbo.tsys_FriendlyLink | | dbo.tsys_Message | | dbo.tsys_Modules | | dbo.tsys_Notice | | dbo.tsys_NoticeInterface | | dbo.tsys_NoticeType | | dbo.tsys_Options | | dbo.tsys_VoteList | | dbo.tsys_VoteProject | | dbo.tsys_VoteRen | | dbo.tsys_loginLog | | dbo.tsys_loginSession | | dbo.tt | | dbo.twl_WorkLog | | dbo.twork_Apply | | dbo.twork_CheckIn | | dbo.twork_Department | | dbo.twork_PayMoney | | dbo.twork_PostObj | | dbo.twork_PostType | | dbo.vAloan_ListAff | | dbo.vAloan_ListBasic | | dbo.vAloan_ListExtend | | dbo.vCadreGroup_state | | dbo.vDerate_green_Stat | | dbo.vDorm_AllRoomDetail | | dbo.vDorm_Bed | | dbo.vDorm_BuidingCode | | dbo.vDorm_CanBePreared | | dbo.vDorm_CanUseBed | | dbo.vDorm_Preared | | dbo.vDorm_StudBedInfo | | dbo.vDorm_UsedBed | | dbo.vDorm_building | | dbo.vDorm_room | | dbo.vDorm_student | | dbo.vGreen_Apply | | dbo.vGreen_YearsMoney | | dbo.vMin_EmpSearch | | dbo.vMin_RPSearch | | dbo.vMin_ScholSearch | | dbo.vMin_Stipent | | dbo.vMin_SubSearch | | dbo.vMin_SysNumber | | dbo.vMin_WorkStudSearch | | dbo.vSchol_QuotaForDept | | dbo.vSim_Reward | | dbo.vbase_Department | | dbo.vbase_UserStudAllForLogin | | dbo.vcard_Student | | dbo.vcgt_AwardList | | dbo.vcgt_StatGradeRecord | | dbo.vcgt_StudSumRecord | | dbo.vcgt_student | | dbo.vderate_RegSchooling | | dbo.vderate_XNMoney | | dbo.vderate_YearsMoney | | dbo.vemp_StudCompleteInfo | | dbo.vemp_Student | | dbo.vemp_StudentAll | | dbo.vgreen_StudApply | | dbo.vins_InsGrade | | dbo.vjob_StudInfo | | dbo.vlv_GraduateState | | dbo.vparty_PersonRelation | | dbo.vparty_StatBranchSum | | dbo.vpopedom_UserModule | | dbo.vpsy_Dossier | | dbo.vsafety_StatDeptInsurePay | | 
dbo.vsafety_StatDeptInsureSum | | dbo.vschol_Classify | | dbo.vschol_QuotaForClass | | dbo.vschol_QuotaForGrade | | dbo.vschol_XNMoney | | dbo.vschol_YearsMoney | | dbo.vstipend_Classify | | dbo.vstipend_QuotaForClass | | dbo.vstipend_QuotaForDept | | dbo.vstipend_QuotaForGrade | | dbo.vstipend_XNMoney | | dbo.vstipend_YearsMoney | | dbo.vstud_Student | | dbo.vstud_StudentAll | | dbo.vstud_StudentGraduate | | dbo.vstud_StudentInschool | | dbo.vsubsidy_Classify | | dbo.vsubsidy_QuotaForClass | | dbo.vsubsidy_QuotaForDept | | dbo.vsubsidy_QuotaForGrade | | dbo.vsubsidy_XNMoney | | dbo.vsubsidy_YearsMoney | | dbo.vunit_Unit | | dbo.vwork_Department | +-------------------------------+
后台就不进了;这是学生管理系统,不可能没有学生信息~