简要描述:这是一个很久以前的漏洞(厂商名略),今天整理博客时发现这个 0day 仍然可用,所以公布一下。存在多个 SQL 注入漏洞(过滤了 and 等关键字但可以绕过)、数据库连接配置文件泄露、任意文件上传等问题。
详细说明:一些注入漏洞加上默认安装路径问题,受影响的全是电大类机构。之前数据库连接的 .inc 文件可以用下载工具直接下载得到;由于是上级统一安装的系统,下面各服务器基本都在同一路径:D:\www\include\odbc.inc(现在再试已经不行了)。目前有些系统已升级成 .NET 版本,但注入漏洞等仍然存在。
漏洞证明:谷歌搜索 D:\www\include\odbc.inc 可以找到目标站点;公告处可以上传文件。Web 进程权限过大,提权简单,但目标多在内网。注入点很多,例如 research/research_result.php?id=1、root/teacher/admin_search.php(POST 方式)等。附上系统目录结构:\index.php
\student.php
\student_study.php
\teacher.php
\teacher_nocourse.php
\topic_frame_s.php
\adminuser\c.php
\adminuser\treedir.js
\config\config.php
\config\parameter_list.php
\config\parameters\odbc_userstat.inc
\config\parameters\system.inc
\embeded\userinfo.php
\exhibite\include_package\exhibite_display.class.php
\exhibite\include_package\exhibite_display_show.class.php
\file_post\display\topic.php
\file_post\file_add\file_upload.php
\file_post\file_add\file_upload2.php
\include\odbc_userstat.inc
\include\search_lib.php
\include\system_parameter.inc
\java\savetime.js
\java\school.js
\newstat\basic\func_im.inc
\newstat\basic\func_t.inc
\newstat\basic\reg_inc.php
\newstat\new\coursetop10.php
\newstat\root\config.inc
\newstat\root\ictab.php
\newstat\root\iview.php
\newstat\userinfo\config.inc
\newstat\userinfo\config1.inc
\newstat\userinfo\readnum_student.php
\newstat\userinfo\readnum_teacher.php
\newstat\userinfo\stat.php
\newstat\userinfo\user_stat2.php
\newstat\xwtj\Centerasc.php
\newstat\xwtj\centerfile1.php
\newstat\xwtj\look.php
\newstat\xwtj\resourceself.php
\reg\getPassWord.php
\reg\result.php
\reg\signup_fromold_finish.php
\schoolbook\preesbrief.php
\stat\config.inc
\stat\savetime_v2.php
\stat\basic\func_t.inc
\stat\student\config.inc
\stat\student\index.php
\stat\student\readnum.php
\stat\student\stat.php
\stat\teacher\config.inc
\stat\teacher\index.php
\stat\teacher\index_s.php
\stat\teacher\readnum_student.php
\stat\teacher\readnum_teacher.php
\stat\teacher\stat.php
\stat\teacher\view_student.php
\stat\teacher\uploadfile_teacher.php
省略一千句。// 更改权限代码信息后请同步修改 \rights\common.inc 文件!
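// Back-office navigation tree.
//
// li[n][0] is a group label; every other entry is either a nested group
// (an Array) or a leaf string of the form
//     "label;path;code"
// The third field appears to be the permission code that the note above
// says must be kept in sync with \rights\common.inc -- TODO confirm against
// that file.  Leaves under li[5] carry no code.
//
// NOTE(review): this array is shipped to the browser, so it can only hide
// links; it is not an access control.  Every path listed here must enforce
// the permission server-side, and the script itself enumerates all admin
// endpoints for anyone who can fetch it, so it should not be served to
// unauthenticated users.
//
// Query strings below use "?" -- the extracted page had dropped it (e.g.
// "/config/config.phpn=system"), and such paths cannot route.
var li = new Array();
li[0] = "后台管理目录";

// 1. Site statistics.
li[1] = new Array();
li[1][0] = "网站统计管理";
li[1][1] = new Array();
li[1][1][0] = "平台运行基本数据";
li[1][1][1] = "站点统计分析;/newstat/netbasic/counter_index.php;11";
li[1][1][2] = "用户统计分析;/newstat/userinfo/counter_index1.php;11";
li[1][1][3] = "浏览器统计分析;/newstat/netbasic/counter_browser.php;11";
li[1][1][4] = "操作系统统计分析;/newstat/netbasic/counter_os.php;11";
li[1][1][5] = "访问来路表;/newstat/netbasic/counter_from.php;11";
li[1][1][6] = "年报表;/newstat/netbasic/counter_year.php;11";
li[1][1][7] = "月报表;/newstat/netbasic/counter_month.php;11";
li[1][1][8] = "日报表;/newstat/netbasic/counter_day.php;11";
li[1][1][9] = "年、月、日报表查询;/newstat/netbasic/counter_search.php;11";
// li[1][2] and li[1][3] are not part of this excerpt.
li[1][4] = new Array();
li[1][4][0] = "论坛数据";
li[1][4][1] = "论坛总体情况表;/newstat/article/counter_index2.php;14";
li[1][4][2] = "总论坛排行榜;/newstat/article/article_total.php;14";
li[1][4][3] = "公共论坛排行榜;/newstat/article/article_public.php;14";
li[1][4][4] = "课程论坛排行榜;/newstat/article/article_course.php;14";
li[1][4][5] = "查询;/newstat/root/readnum.php;14";

// 2. Site management (system / ODBC parameter editors and surveys).
li[2] = new Array();
li[2][0] = "网站管理";
li[2][1] = new Array();
li[2][1][0] = "参数设置";
li[2][1][1] = "系统参数;/config/config.php?n=system;21";
li[2][1][2] = "ODBC参数;/config/config.php?n=odbc;21";
li[2][1][3] = "JWODBC参数;/config/config.php?n=jwodbc;21";
li[2][1][4] = "论坛参数;/config/config.php?n=forum;21";
li[2][1][5] = "用户行为统计ODBC参数;/config/config.php?n=odbc_userstat;21";
li[2][2] = "在线调查;/research/research_index.php;22";

// 3. Academic administration: users, rights, textbooks, teaching plans.
li[3] = new Array();
li[3][0] = "教务管理";
li[3][1] = new Array();
li[3][1][0] = "人员管理";
li[3][1][1] = "注册新用户;/reg/reg.php;31";
li[3][1][2] = "浏览学生用户;/reg/list.php?usertype=1;31";
li[3][1][3] = new Array();
li[3][1][3][0] = "浏览教师用户";
li[3][1][3][1] = "浏览全部;/reg/list.php?usertype=2;31";
li[3][1][3][2] = "已验证;/reg/list.php?v=1&usertype=2;31";
li[3][1][3][3] = "未验证;/reg/list.php?v=0&usertype=2;31";
li[3][1][4] = new Array();
li[3][1][4][0] = "浏览教师(学生)用户";
li[3][1][4][1] = "浏览全部;/reg/list.php?usertype=1&studentno=0;31";
li[3][1][4][2] = "已验证;/reg/list.php?usertype=1&studentno=0&v=1;31";
li[3][1][4][3] = "未验证;/reg/list.php?usertype=1&studentno=0&v=0;31";
li[3][1][5] = "浏览管理员用户;/reg/list.php?usertype=3;31";
li[3][1][6] = "查询用户;/reg/search.php;31";
li[3][1][7] = "修改用户密码;/reg/gaimima.php;31";
li[3][2] = "教师权限管理;/rights/listuser.php;32";
li[3][3] = "管理员权限管理;/rights/listadmin.php;33";
li[3][4] = new Array();
li[3][4][0] = "教材管理";
li[3][4][1] = "出版社管理;/schoolbook/pressmanage.php;34";
li[3][4][2] = "教材信息管理;/schoolbook/sbmanage.php;34";
li[3][4][3] = "专业课程教材管理;/schoolbook/planmanage.php;34";
li[3][5] = new Array();
li[3][5][0] = "教学计划开/关|维护";
li[3][5][1] = "教学计划开/关;/adminuser/adminplan.php;35";
li[3][5][2] = "教学计划维护;/plan/index.php;35";

// 4. Forum / teaching-resource management.
// The initialisation of li[4] (and its label li[4][0]) is not in this
// excerpt; guard so the assignments below do not throw if that line is
// missing.  Replace with the real label when it is known.
if (!li[4]) li[4] = new Array();
li[4][2] = new Array();
li[4][2][0] = "论坛管理";
li[4][2][1] = "论坛版块管理;/club/forum/admin/category/index.php;42";
li[4][2][2] = "论坛版主管理;/club/forum/admin/admin/index.php;42";
li[4][2][3] = "论坛帖子管理;/club/forum/admin/article/list.php;42";
li[4][2][4] = "聊天室状态管理;/chatroot/admin.php;42";
li[4][3] = "教师风采;/teacher/index.php;43";
// Disabled in the source.  Hiding the link does not disable the page:
// /exam/admin/manage.php must still check rights itself.
// li[4][4] = "试卷、作业权限管理;/exam/admin/manage.php;44";
li[4][5] = "共享资源设置;/sharefileadmin/shareplan_list.php;45";
li[4][6] = "考试资源导入;/exam_res/index.php;46";
// Provincial TV-university deployments ("省电大") get resource-generation
// rights.  In this excerpt the whole run is inside a comment, so it is left
// disabled; whether it was live code after the comment line cannot be
// recovered from here.
// li[4][7] = new Array();
// li[4][7][0] = "下发资源管理";
// li[4][7][1] = "资源展示;/exhibite/showpage/planlistbysql.php;47";
// li[4][7][2] = "资源生成;/exhibite/admin/index.php;47";

// 5. Personal settings -- no permission code on these leaves.
li[5] = new Array();
li[5][0] = "个人信息";
li[5][1] = "修改信息;/reg/modify.php";
li[5][2] = "修改密码;/reg/modifyadminpass.php";
li[5][3] = "查看留言;/club/forum/message/shownew.php?isSubmit=0";
li[5][4] = "给同学留言;/club/forum/message/sayto_admin.php";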