Srun3000 billing system Arbitrary File Download Vulnerability (getting management password directly)
Srun3000 billing system Arbitrary File Download Vulnerability [No Logon required]
Version: Srun3000 [3.00rc14.17.4]
It is still widely deployed, mainly at major universities :(
The URLs are not listed, because that would be too aggressive; your school might get attacked.
1. Arbitrary File Download Vulnerability
Vulnerable file
/Srun3/srun/services/modules/login/controller/login_controller.php
Code
/**
 * Download an object
 */
// arbitrary file download vulnerability exists here -- fuck
public function download() {
    global $file;
    $this->model->download_file($file);
}
The download_file function is defined in
/Srun3/srun/services/modules.php
The code is
/**
 * Download a file
 * @param unknown_type $file
 */
public function download_file($file) {
    if (file_exists($file)) {
        $this_base_file = basename($file);
        header("Content-type: application/octet-stream");
        header("Accept-Ranges: bytes");
        header("Accept-Length: " . filesize($file));
        header("Content-Disposition: attachment; filename=\"" . $this_base_file . "\"");
        readfile($file);
    }
}
A simple and crude arbitrary file download vulnerability: $file is attacker-controllable, because global.php registers request variables as globals, and download_file() passes it straight to file_exists() and readfile() with no path restriction.
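As an added example (not Srun3000's own code), the hardened form of download_file() below confines the served file to a single directory, refuses anything that is not a bare file name, and takes its input from an explicit parameter instead of a registered global. The directory DOWNLOAD_ROOT, the request parameter name "file", and the self-check inputs are assumptions made for illustration.

```php
<?php
// Added example, not part of Srun3000: hardened replacement for download_file().
declare(strict_types=1);

// Only files inside this directory may be served (assumed path).
const DOWNLOAD_ROOT = '/srun3/srun/services/downloads';

/**
 * Resolve a user-supplied file name to a real path under $root.
 * Returns null when the request must be refused.
 */
function resolve_download_path(string $root, string $requested): ?string
{
    // Accept only a bare file name: no "/" or "\", no "..", no dotfiles.
    if ($requested === '' || basename($requested) !== $requested) {
        return null;
    }
    if ($requested[0] === '.' || !preg_match('/^[A-Za-z0-9._-]+$/', $requested)) {
        return null;
    }

    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // realpath() follows symlinks, so a link inside $root that points
    // elsewhere (for example to /etc/passwd) fails the prefix check below.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Hardened download: explicit parameter, path confined to DOWNLOAD_ROOT,
 * and header values built only from the validated name.
 */
function download_file_safe(string $requested): bool
{
    $path = resolve_download_path(DOWNLOAD_ROOT, $requested);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    return true;
}

if (PHP_SAPI === 'cli') {
    // Self-check against a constructed temporary root directory.
    $root = sys_get_temp_dir() . '/dl_' . bin2hex(random_bytes(4));
    mkdir($root);
    file_put_contents("$root/report.txt", "ok\n");
    foreach (['report.txt', '../../etc/passwd', '/etc/passwd', '.htaccess', 'a/b.txt'] as $name) {
        $r = resolve_download_path($root, $name);
        printf("%-18s => %s\n", $name, $r === null ? 'REJECTED' : 'allowed');
    }
    unlink("$root/report.txt");
    rmdir($root);
} else {
    // Web usage (assumed parameter name). The caller must enforce
    // authentication first; the original endpoint required none.
    download_file_safe((string)($_GET['file'] ?? ''));
}
```

Run from the command line, only report.txt is allowed and the four traversal, absolute-path, dotfile and subdirectory inputs are rejected. The non-standard "Accept-Length" header from the original is replaced by Content-Length, which is what clients actually honour.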
Download its configuration file here
/Srun3/etc/srun.conf
Download /etc/passwd
Result
Here is a rough description of the srun3000 system.
The default system port is 8800, and the corresponding web path is /srun3/srun/services/
The corresponding web path for port 8080 is /srun3/srun/web/
The corresponding web path for port 8081 is /srun3/srun/system/ [full of holes...]
The corresponding web path for port 80 is /srun3/web/
/Srun3/srun/services/ is where students log on to view their personal information, online records, etc. Database passwords are hashed with md5, and then the 16-character substring starting at the 9th character is stored; the database table is user.
/srun3/srun/web/ is the administrator interface for managing users. Database passwords are hashed with md5, and the database table is sysmgr. There are two accounts: admin and support.
Logon address: http://xxoo:8080/
/srun3/srun/system/ is the administrator interface for managing the server. The password is hashed with md5.js, and it is stored in the system configuration file /srun3/etc/srun.conf.
Logon address: http://xxoo:8081/login.php
/Srun3/srun/web/ should be the integrated web gateway portal page.
In the downloaded srun.conf the password is md5-hashed; after cracking it you can log on directly.
Getting a shell after logon is easy, since you can execute arbitrary commands.
Solution:
Too many controllable Variables