Chairman Mao said: "Where there is oppression, there is resistance."

Campus wifi is free and unmetered everywhere on campus, except in the dormitories, which have no campus wifi at all. Fortunately the dorm does have a wired campus-network jack. Plug in the cable and the system automatically pops up the familiar wifi authentication page; I typed in my account and password in one smooth motion, clicked Login, and was told I was "not in the authentication area". For someone who likes to tinker, it is hard not to get some bold ideas at this point.

Below the authentication page there is a link to a "self-service platform"; let's click in and take a look.

After entering my account, password and captcha on the self-service platform, I landed in a simple and completely useless backend. Nothing gained.
Then I noticed that the self-service platform's homepage has a "forgot password" feature, and all the admin-password-reset tricks from WooYun immediately came to mind.

Clicking it leads to the password-recovery page. First, test the recovery flow with my own account (but what if someone comes knocking? Better use my buddy's account instead (#manual smirk)).

Click Next. What? Nothing happens? Press F12, capture the request and have a look.

The calmer the surface, the bigger the truth likely hiding behind it! Sure enough, the server returned a JSON payload; let's format it and take a look (the author masked userId and userName with the placeholder 手动马赛克, "manual mosaic"):

{
    "userinfoUuid": "2c8a7f82564e2c230156b6b982112e4b",
    "userId": "手动马赛克",
    "businessType": 3,
    "password": "8c481ad71078eb59",
    "userType": 1,
    "userFrom": 4,
    "userTemplateUuid": "2c8a7f83284b825c0128669be7395429",
    "accountInfoUuid": "2c8a7f82564e2c230156b6b981fe2e4a",
    "webSelfhelpPerUuid": "2c8a7f8430da07ba0130f84c290c0d21",
    "webManagePerUuid": "",
    "devManagePerUuid": "",
    "policyInfoUuid": "2c8a7f83284b825c012866999b7553e7",
    "userPackageUuid": "2c8a7f83284b825c0128669c22db542d",
    "teamUserUuid": "",
    "createTime": "2016-8-23 17:27:06",
    "lastUpdateTime": "2017-9-26 14:06:35",
    "createManagerId": "superyang",
    "stateFlag": 2,
    "userName": "手动马赛克",
    "sex": 1,
    "certificateType": 1,
    "education": 5,
    "address": "",
    "telephone": "",
    "mobile": "",
    "postCode": "",
    "useripV4": "",
    "userMacWireless": "",
    "wpNasIp": "",
    "nasipV4Wireless": "",
    "tempipV6AddrsNum": 0,
    "userMac": "",
    "nasipV4": "",
    "nasPort": 0,
    "gatewayV4": "",
    "gatewayV6": "",
    "mainDnsV4": "",
    "netmaskV4": "",
    "personalInfo": "",
    "freeAuthen": 1,
    "authoripV4": "",
    "filterId": "",
    "firstBind": 0,
    "periodStartTime": "1970-1-1 8:00:00",
    "nextBillingTime": "1970-1-1 8:00:00",
    "isPeriodStop": 2,
    "periodTimeCumut": 0,
    "periodTrafficCumut": 0,
    "periodForeUpCumut": 0,
    "periodForeDownCumut": 0,
    "periodInlandUpCumut": 0,
    "periodInlandDownCumut": 0,
    "periodNtdFlowSumCumut": 0,
    "policyFrom": 0,
    "field2": "土木建筑工程学院",
    "field3": "土木工程",
    "field7": "土木163",
    "field15": "汉族",
    "assignedSelfUnbindFreq": 0,
    "labTeacherUsedinfos": [],
    "labManagerUsedinfos": [],
    "userOperatorsInfosOfUserListView": [],
    "userOperatorsInfoSizeOfUser": 0,
    "haveOperatorsInfo": false,
    "numOfOperatorsBindInfo": 0,
    "userIpv6LocalLink": "",
    "canAcctDetail": false
}

This much sensitive information leaks with nothing more than a student ID... I really don't know what the school's network center is doing.
My first suspicion was that the password field is MD5-hashed, so I tried an MD5 lookup on it. That failed.
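As an added example (not code from the original post), here is how a defender would audit a "forgot password" response like the one above against a per-endpoint allowlist, and what the hardened reply should look like. The sample response, the allowlist and the function names are constructed for this example and are not part of the vendor's system.

```python
import json

# Constructed sample: a trimmed copy of the password-recovery response shown above,
# with "REDACTED" standing in for the values the author masked.
SAMPLE_RESPONSE = """{
  "userinfoUuid": "2c8a7f82564e2c230156b6b982112e4b",
  "userId": "REDACTED",
  "password": "8c481ad71078eb59",
  "createManagerId": "superyang",
  "userName": "REDACTED",
  "mobile": "",
  "field2": "REDACTED",
  "field7": "REDACTED",
  "freeAuthen": 1
}"""

# An unauthenticated "forgot password" step should say nothing about the account.
# This allowlist is an assumption for the example, not the vendor's API contract.
RESET_ALLOWLIST = frozenset({"status", "message"})

def audit_exposure(response, allowlist=RESET_ALLOWLIST):
    """Return the sorted keys that carry a value but are not on the endpoint's allowlist.
    Empty/zero/false values are skipped: they still reveal the schema, but the populated
    fields are the ones that leak facts about the account (excessive data exposure)."""
    data = json.loads(response) if isinstance(response, str) else response
    return sorted(k for k, v in data.items()
                  if k not in allowlist and v not in ("", 0, None, [], False))

def looks_like_credential(value):
    """True for fixed-width lowercase hex blobs like the 'password' values on this page.
    16 hex chars is 64 bits (too short for MD5, which is 32 hex chars); whatever the
    encoding, a stored hash or cipher output should never leave the server at all."""
    return (isinstance(value, str) and len(value) in (16, 32)
            and all(c in "0123456789abcdef" for c in value))

def credential_fields(response):
    """Keys whose values look like stored credentials. The *Uuid fields are also
    32 hex chars but are record identifiers, so they are excluded here."""
    data = json.loads(response) if isinstance(response, str) else response
    return sorted(k for k, v in data.items()
                  if looks_like_credential(v) and not k.endswith("Uuid"))

def safe_reset_response(user_id):
    """Hardened reply: identical whether or not user_id exists, so the endpoint cannot be
    used to enumerate accounts, and the reset code goes out of band to the registered
    contact instead of being echoed back with the whole user record."""
    # The lookup and the notification to the registered contact would happen here.
    return {"status": "ok",
            "message": "If this account exists, a reset code has been sent to its registered contact."}
```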

(If any expert knows how to decrypt it, feel free to email me for a ♂ chat ♂, for learning purposes.)

Since the password can't be decrypted, it's time to try a different angle.
The returned data contains a createManagerId field; "superyang" must be some administrator's account, so let's try recovering that account's password.
With the empty and useless fields removed, the rest is as follows:

{
    "userinfoUuid": "2c8a7f84318e922401322a8d41e51e21",
    "userId": "superyang",
    "businessType": 4,
    "password": "a9d5df0d5ad05248bb88cbeb21f7db5a",
    "userType": 1,
    "userFrom": 2,
    "userTemplateUuid": "2c8a7f83284b825c012890cb6b114d44",
    "accountInfoUuid": "2c8a7f84318e922401322a8d41d61e1f",
    "webSelfhelpPerUuid": "4028b621133e18c90113300000000001",
    "webManagePerUuid": "2c8a7f825c8201a7015cae7b42721a53",
    "devManagePerUuid": "2c8a7f812984ca8a01298d4c7c3a6206",
    "policyInfoUuid": "2c8a7f83284b825c012890bb74f20ee2",
    "userPackageUuid": "2c8a7f83284b825c012890cbe14b4efa",
    "createTime": "2011-9-2 22:31:33",
    "lastUpdateTime": "2017-6-16 9:34:33",
    "createManagerId": "admin",
    "stateFlag": 2,
    "userName": "",
    "periodStartTime": "2018-5-17 2:00:43",
    "nextBillingTime": "2018-6-17 0:00:00"
}

Trying to decrypt "password": "a9d5df0d5ad05248bb88cbeb21f7db5a" failed again, but createManagerId has now become admin. We have climbed up to the system super-administrator, so it looks like we're one step closer to success.

Let's try recovering admin's password.

"\u8be5\u7528\u6237\u6ca1\u6709\u8d26\u6237\u4e0d\u80fd\u7f34\u8d39"

???
Decode it (the escaped string reads, roughly, "this user has no account and cannot be billed"):
"该用户没有账户不能缴费"

wtf??!!!

Well, that's the end of this round of tinkering. I didn't manage to bypass authentication, but I did find a hidden, ridiculously powerful interface: given nothing but a student ID, it spits out the person's name, department, password, grade and more. Haha, a real godsend for a loser chasing his crush. Should I summon the sacred Burp Suite, brute-force the interface, grab the whole school's student data and help the losers chase their crushes? (#manual sly grin)

Closing

No damage was done; please don't come knocking on my door.

Tags: tinkering

One comment

  1. Wake up, stop Pokémon-dreaming.
