1. There is an SQL injection in the classroom query area: 1 union select NULL, owner from all_tables exposes the database.
2. SQL injection exists in password retrieval. The verification is done only by local JavaScript and the server does not verify anything, so the first user's password (the administrator's) can be exposed.
First, use the SQL injection to find the passwords of the teachers' login accounts (by the way, the code is not standardized: table and field names are all things like xyz, xsz, etc., and the password "encryption" is reversible, a self-written algorithm that cannot really be called encryption, just a simple string transformation).
With this SQL injection, the instructor login account passwords are found in the yhb table, whose main fields are: js: department type, yhm: UID, kl: password, xm: name, szdw: department.
1 union select NULL, js | ''| szdw |'' | xm | ''| yhm |'' | kl obtains the passwords of all the instructor accounts together with their department category.
Since the queried kl is a transformed string, we use Reflector to decompile the DLL and find the encryption method.
Then I found the decryption method and used .NET to build a small form (.NET Framework is really fast), copying the decryption method into it.
At this point we can log on as any management user (teachers, department accounts), so we can log on with the administrator account and view every student's (including every girl's) information (phone number, address, photos and so on).
Then someone could see a girl on campus and immediately look up her information, and with nothing to do at night, make harassing calls.
Solution:
1. Filter and restrict all input.
2. Passwords should not be stored in a reversible form, and the key should not be compiled directly into the DLL (all the keys are the same and are placed in Web.config).
Author: cold night
By default, the Zhengfang educational administration system generates user operation log files in txt format every day under the log directory. The file names are of the form 2012-06-14-log.txt and 2012-06-14-errorlog.txt.
Because most schools use private, statically assigned addresses on the campus network, a complete student-ID-to-IP mapping table can be built by collecting a few records during the course selection period; combined with other vulnerabilities in the system, the harm to personal privacy cannot be ignored.
Proof of vulnerability: direct access to http://www.bkjia.com/log/2012-06-14-log.txt
Http://www.bkjia.com/log/2012-06-14-ErrorLog.txt
The recorded operation records contain the following sensitive information:
1:14:23 User: 20100201143 ip: 218.192.118.43
Execution page:/lw_xscj.aspx
Execution module content: user operation jump page: The page points to lw_xscj.aspx
1:14:23 User: 20100201143 ip: 218.192.118.43
Execution page:/lw_xscj.aspx
Execution module content: user operation jump page: the user name is blank
1:20:54 User: 20112501124 ip: 110.65.88.39
Execution page:/tjkbcx.aspx
Execution module content: user operation jump page: The page points to tjkbcx.aspx
Solution:
Prohibit files in this directory from being downloaded.
Author: prolog
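One way to enforce that on IIS 7 or later, as an added example that is not the vendor's own configuration; it assumes the log directory sits under the web root with the path segment name log:

```xml
<!-- web.config (added example, not the Zhengfang project's own file):
     hide the log directory from HTTP requests via IIS request filtering -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Any request whose URL contains a "log" path segment is answered with
             HTTP 404 by request filtering, before the static file handler could
             serve 2012-06-14-log.txt. Note this matches the segment "log"
             anywhere in the path, not only at the site root. -->
        <hiddenSegments>
          <add segment="log" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Writing the log files to a directory outside the web root removes the exposure entirely instead of relying on request filtering to hide them.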