电大在线在线远程教学平台0DAY（全国电大通吃)

oma 发表于 2011-12-20 09:47

<DIV>
简要描述： 好久的漏洞了，厂商是<A href="http://www.open.edu.cn/">www.open.edu.cn</A> ，今天整理博客发现这0day还能用就公布下。 多个注射漏洞，过滤了and等但能绕过，数据库连接配置文件暴露，任意文件上传等。。
详细说明： 一些注入BUG加默认路径问题，全是电大类机构。之前数据连接的inc文件.可用下载工具下载得到。上面统一安装的系统所以下面服上基本都在这个路径：D:\www\include\odbc.inc，现在试过不行了。现在有些系统升级成了.net版本，但注入漏洞等都还在。
漏洞证明： 谷歌搜索:D:\www\include\odbc.inc 公告处上传。 权限太大，提权简单，但都内网。 注射点蛮多，类似 research/research_result.php?id=1 root/teacher/admin_search.php //post .... 附上系统结构： \index.php
\student.php
\student_study.php
\teacher.php
\teacher_nocourse.php
\topic_frame_s.php
\adminuser\c.php
\adminuser\treedir.js
\config\config.php
\config\parameter_list.php
\config\parameters\odbc_userstat.inc
\config\parameters\system.inc
\embeded\userinfo.php
\exhibite\include_package\exhibite_display.class.php
\exhibite\include_package\exhibite_display_show.class.php
\file_post\display\topic.php
\file_post\file_add\file_upload.php
\file_post\file_add\file_upload2.php
\include\odbc_userstat.inc
\include\search_lib.php
\include\system_parameter.inc
\java\savetime.js
\java\school.js
\newstat\basic\func_im.inc
\newstat\basic\func_t.inc
\newstat\basic\reg_inc.php
\newstat\new\coursetop10.php
\newstat\root\config.inc
\newstat\root\ictab.php
\newstat\root\iview.php
\newstat\userinfo\config.inc
\newstat\userinfo\config1.inc
\newstat\userinfo\readnum_student.php
\newstat\userinfo\readnum_teacher.php
\newstat\userinfo\stat.php
\newstat\userinfo\user_stat2.php
\newstat\xwtj\Centerasc.php
\newstat\xwtj\centerfile1.php
\newstat\xwtj\look.php
\newstat\xwtj\resourceself.php
\reg\getPassWord.php
\reg\result.php
\reg\signup_fromold_finish.php
\schoolbook\preesbrief.php
\stat\config.inc
\stat\savetime_v2.php
\stat\basic\func_t.inc
\stat\student\config.inc
\stat\student\index.php
\stat\student\readnum.php
\stat\student\stat.php
\stat\teacher\config.inc
\stat\teacher\index.php
\stat\teacher\index_s.php
\stat\teacher\readnum_student.php
\stat\teacher\readnum_teacher.php
\stat\teacher\stat.php
\stat\teacher\view_student.php
\stat\teacher\uploadfile_teacher.php
省略一千句。 //更改权限代码信息后请更改\rights\common.inc文件！！！！！！！！！！！！！！！！！！！！！！！！
var li = new Array() li = "后台管理目录" li = new Array() //3 li = "网站统计管理" li = new Array() li = "平台运行基本数据" li = "站点统计分析;/newstat/netbasic/counter_index.php;11" li = "用户统计分析;/newstat/userinfo/counter_index1.php;11" li = "浏览器统计分析;/newstat/netbasic/counter_browser.php;11" li = "操作系统统计分析;/newstat/netbasic/counter_os.php;11" li = "访问来路表;/newstat/netbasic/counter_from.php;11" li = "年报表;/newstat/netbasic/counter_year.php;11" li = "月报表;/newstat/netbasic/counter_month.php;11" li = "日报表;/newstat/netbasic/counter_day.php;11" li = "年、月、日报表查询;/newstat/netbasic/counter_search.php;11"
li = new Array() li = "平台资源数据" li = "点击数排行榜;/newstat/new/coursetop10.php;12" li = "文章上传统计;/newstat/topic_admin/index.php;12" li = "中央电大下发资源统计;/newstat/xwtj/look.php;12" li = "配套资源统计;/newstat/xwtj/resourceself.php;12" li = "自建资源统计;/newstat/xwtj/resourceself1.php;12" li = "共享资源统计;/sharefileadmin/showUserBrows.php;12"
li = new Array() li = "行为统计数据" li = "用户行为统计;/newstat/userinfo/index3.php;13" li = "课程停留时间统计;/newstat/root/itime.php;13"
li = new Array() li = "论坛数据" li = "论坛总体情况表;/newstat/article/counter_index2.php;14" li = "总论坛排行榜;/newstat/article/article_total.php;14" li = "公共论坛排行榜;/newstat/article/article_public.php;14" li = "课程论坛排行榜;/newstat/article/article_course.php;14" li = "查询;/newstat/root/readnum.php;14"
li = new Array() //2 li = "网站管理" li = new Array() li = "参数设置" li = "系统参数;/config/config.php?n=system;21" li = "ODBC参数;/config/config.php?n=odbc;21" li = "JWODBC参数;/config/config.php?n=jwodbc;21" li = "论坛参数;/config/config.php?n=forum;21" li = "用户行为统计ODBC参数;/config/config.php?n=odbc_userstat;21"
li = "在线调查;/research/research_index.php;22"
li = new Array() //3 li = "教务管理" li = new Array() li = "人员管理" li = "注册新用户;/reg/reg.php;31" li = "浏览学生用户;/reg/list.php?usertype=1;31" li = new Array() li= "浏览教师用户" li= "浏览全部;/reg/list.php?usertype=2;31" li= "已验证;/reg/list.php?v=1&usertype=2;31" li= "未验证;/reg/list.php?v=0&usertype=2;31" li = new Array() li= "浏览教师（学生）用户" li= "浏览全部;/reg/list.php?usertype=1&studentno=0;31" li= "已验证;/reg/list.php?usertype=1&studentno=0&v=1;31" li= "未验证;/reg/list.php?usertype=1&studentno=0&v=0;31" li= "浏览管理员用户;/reg/list.php?usertype=3;31" li= "查询用户;/reg/search.php;31" li= "修改用户密码 ;/reg/gaimima.php?;31"
li = "教师权限管理;/rights/listuser.php;32"
li = "管理员权限管理;/rights/listadmin.php;33"
li = new Array() li = "教材管理" li = "出版社管理;/schoolbook/pressmanage.php;34" li = "教材信息管理;/schoolbook/sbmanage.php;34" li = "专业课程教材管理;/schoolbook/planmanage.php;34"
li = new Array() li = "教学计划开/关|维护" li = "教学计划开/关;/adminuser/adminplan.php;35" li = "教学计划维护;/plan/index.php;35"
li = new Array() //4 li = "课程端管理" li = "文章管理;/file_post/topic_admin/index.php;41"
li = new Array() li = "论坛管理" li = "论坛版块管理;/club/forum/admin/category/index.php;42" li = "论坛版主管理;/club/forum/admin/admin/index.php;42" li = "论坛帖子管理;/club/forum/admin/article/list.php;42" li = "聊天室状态管理;/chatroot/admin.php;42"
li = "教师风采;/teacher/index.php;43"
//li = "试卷、作业权限管理;/exam/admin/manage.php;44"
//li = "电视播放表及考试时间管理;/course_study/admin.php" li = "课程评估调查;/evaluate/searches.php;44"
li = "共享资源设置;/sharefileadmin/shareplan_list.php;45"
li = "考试资源导入;/exam_res/index.php;46"
//省电大：具有资源生成权限！！！！！！！！！！！！！！！！ li = new Array() li = "下发资源管理" li = "资源展示;/exhibite/showpage/planlistbysql.php;47" li = "资源生成;/exhibite/admin/index.php;47"
 li = new Array() //4 li = "个人信息" li = "修改信息;/reg/modify.php" li = "修改密码;/reg/modifyadminpass.php" li = "查看留言;/club/forum/message/shownew.php?isSubmit=0" li = "给同学留言;/club/forum/message/sayto_admin.php"
document.write("<DIV noWrap>") document.write("<UL style=\"BACKGROUND-COLOR: " + treeBC + ";") document.write(" COLOR: " + treeFC + ";") document.write(" MARGIN-LEFT: " + marginleft + "\">") document.write(li + " ") for(var i = 1; i < li.length; i++) { writeItem(li, i) } document.write("</UL>") document.write("</DIV>") // --> </script>
 修复方案： 建议通知所有各地电大院校更换新版.net系统</DIV>

页: [1]

Chinaunix's Archiver

电大在线在线远程教学平台0DAY（全国电大通吃)