image-20250303094718114

0x01

访问靶场

image-20250303095058966

0x02信息收集

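<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Login page of the target as captured in the write-up. The form itself never
     submits (onsubmit returns false); login is driven by check() further down,
     which POSTs the fields with id "a" and "p" to checklogin.php. -->
<HTML>
	<HEAD>
		<title>欢迎使用正方教务管理系统!请登录</title>
		<meta content="IE=7" http-equiv="X-UA-Compatible">
		<meta content="text/html; charset=gb2312" http-equiv="Content-Type">
		<!-- NOTE(review): Content-Language expects a language tag (e.g. zh-CN), not a charset; left unchanged. -->
		<meta content="gb2312" http-equiv="Content-Language">
		<meta name="robots" content="all">
		<meta name="author" content="作者信息">
		<meta name="Copyright" content="版权信息">
		<meta name="description" content="站点介绍">
		<meta name="keywords" content="站点关键词">
		<LINK rel="icon" type="image/x-icon" href="style/base/favicon.ico">
		<LINK rel="shortcut icon" type="image/x-icon" href="style/base/favicon.ico">
		<LINK rel="stylesheet" type="text/css" href="style/base/jw.css" media="all">
		<LINK rel="stylesheet" type="text/css" href="style/standard/jw.css" media="all">
		<!-- Legacy IE6-only PNG fix; ignored by every other browser. -->
		<!--[if IE 6]>
			<SCRIPT src="style/js/ie6comm.js"></SCRIPT>
			<SCRIPT> 
				DD_belatedPNG.fix('img'); 
			</SCRIPT>
		<![endif]-->
		<style>.fangshua {
	COLOR: red; FONT-SIZE: 14px; FONT-WEIGHT: bold
}
.login_right DL {
	MARGIN: 0px 0px 0px 105px; MIN-HEIGHT: 20px; WIDTH: 285px; _height: 20px
}
</style>
	</HEAD>
	<body class="login_bg">
		<!-- No action/method: the browser never submits this form; see check(). -->
		<form name="form1" onsubmit="return false;" id="form1">
			<div class="login_main">
				<div class="login_logo">
					<h2><IMG src="logo/logo_school.png"></h2>
					<h3><IMG src="logo/logo_jw.png"></h3>
				</div>
				<div class="login_left"><IMG class="login_pic" src="logo/login_pic.png"></div>
				<div class="login_right">
					<dl style="MARGIN-TOP: 92px">
						<dt class="uesr">
							<label id="lbYhm">学号:</label>
						</dt>
						<dd>
							<!-- Username field. The captured markup carried a second id
							     attribute on this element; an element may have only one id,
							     and parsers keep the first, so only id="a" (the one check()
							     reads) is retained. -->
							<input id="a" name="username" type="text" tabindex="1" class="text_nor" autocomplete="off" /></dd></dl>
					<div style="CLEAR: both"></div>
					<dl>
						<dt class="passw">
							<label id="lbMm">密码:</label>
						</dt>
						<dd>
							<!-- Password field; duplicate id removed for the same reason as above.
							     The hidden TextBox2 that follows calls update() on blur, a function
							     not defined anywhere on this page. -->
							<input id="p" name="password" type="password" tabindex="2" class="text_nor" autocomplete="off" /><input name="TextBox2" type="password" id="TextBox2" tabindex="2" class="text_nor" onblur="update(this);" autocomplete="off" style="DISPLAY: none" /></dd></dl>
					<div style="CLEAR: both"></div>
					<div style="CLEAR: both"></div>
					<dl>
						<dd>
							<!-- Role selector; its value is never read by check(). -->
							<table id="RadioButtonList1" border="0">
	<tr>
		<td><input id="RadioButtonList1_0" type="radio" name="RadioButtonList1" value="部门" tabindex="4" /><label for="RadioButtonList1_0">部门</label></td><td><input id="RadioButtonList1_1" type="radio" name="RadioButtonList1" value="教师" tabindex="4" /><label for="RadioButtonList1_1">教师</label></td><td><input id="RadioButtonList1_2" type="radio" name="RadioButtonList1" value="学生" checked="checked" tabindex="4" /><label for="RadioButtonList1_2">学生</label></td><td><input id="RadioButtonList1_3" type="radio" name="RadioButtonList1" value="访客" tabindex="4" /><label for="RadioButtonList1_3">访客</label></td>
	</tr>
</table></dd>
						<dt></dt>
					</dl>
					<div style="CLEAR: both"></div>
					<dl>
						<dd>
							<!-- Button1 triggers the AJAX login; Button2 is type="submit" but the
							     form's onsubmit suppresses submission, so it does nothing. -->
							<input type="button" onclick="check();" name="Button1" value="" id="Button1" class="btn_dl" /><input type="submit" name="Button2" value="" id="Button2" class="btn_cz" /><input name="lbLanguage" type="text" id="lbLanguage" style="DISPLAY: none" />
								
							<!-- Two unauthenticated links: a static spreadsheet served from the
							     web root (the write-up below shows it contains names and ID
							     numbers, i.e. personal data exposed to anyone who views the
							     source) and a record-lookup page. Both need an access check
							     server-side; hiding them from the UI is not a control. -->
							<p><a href="list.xlsx" id="linkForget" target="_blank">录取名单</a><br>
								<A  href="info/query.php" target="_blank">
									<span id="lbSelect">学生学籍信息查询系统</span></A></p>
						</dd>
					</dl>
				</div>
				<div class="login_copyright"><IMG src="logo/二维码.png"><span>&copy;1999-2017 <a href="http://www.zfsoft.com" target="_blank">正方软件股份有限公司</a> <span>版权所有</span></span>
					<!-- Hidden fields; nothing on this page reads or writes them. -->
					<input name="hidPdrs" id="hidPdrs" type="hidden" size="5" /><input name="hidsc" id="hidsc" type="hidden" size="5" />
				</div>
			</div>
		</form>
	</body>
		<script type="text/javascript" src="js/jquery.min.js"></script>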

	<script>

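		/**
		 * Submit the login credentials via AJAX.
		 *
		 * Reads the inputs with id "a" (username) and "p" (password), POSTs them
		 * as form fields to checklogin.php and expects a JSON body whose "msg"
		 * field is shown to the user. Returns nothing; the surrounding form's
		 * onsubmit returns false, so this handler is the only login path.
		 */
		function check(){
			$.ajax({
				url:'checklogin.php',
				type: 'POST',
				dataType:'json',
				data:{
					'a':$('#a').val(),
					'p':$('#p').val()
				},
				success:function(data){
					// data is the parsed JSON response
					alert(data['msg']);
				},
				error:function(xhr){
					// jQuery passes the jqXHR object here, not the parsed body, so the
					// original data['msg'] was always undefined. Use the server's JSON
					// message when one was parsed, otherwise the HTTP status.
					var msg = (xhr.responseJSON && xhr.responseJSON['msg']) || (xhr.status + ' ' + xhr.statusText);
					alert(msg);
				}
			});
		}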


	</script>
</HTML>

审查源码可获得一份 list.xlsx 文件，内容为

image-20250303095422864

以及一个超链接 href="info/query.php"，其内容为

image-20250303095726055

0x03

尝试利用 Excel 中已知的姓名和对应身份证信息，在录取查询处抓包并进行爆破

image-20250303103002561

爆破成功

image-20250303103148448

解码后查看回显，获得学号和密码

image-20250303103432175

登录后获得flag

image-20250303103958626