校務行政系統行為觀察

# 校務行政系統行為觀察 ## `session_key` ### 發現在點擊各個資料查詢頁面時，前端會發送 `POST` 請求至以下這類 URL - `https://sschool.tp.edu.tw/B0209S_Absence_select.action` - `https://sschool.tp.edu.tw/B0305S_Reward_select.action` - `https://sschool.tp.edu.tw/B1005S_StdSemeView_select.action` 大致符合：`https:\/\/sschool\.tp\.edu\.tw\/[A-Z0-9]+_[A-Za-z]+_select\.action` 且請求的 Payload 幾乎都含有 `session_key` 鍵值 ### 測試在完全相同的請求內容下，將 `session_key` 移除會造成 `請先登入！` #### 正常情況 Request -> ``` POST /B0209S_Absence_select.action HTTP/1.1 Host: sschool.tp.edu.tw Content-Type: application/x-www-form-urlencoded Content-Length: 94 session_key=[HIDDEN]&nd=[HIDDEN]&sidx=&sord=asc&_search=false ``` Response <- ``` HTTP/1.1 200 Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Cache-Control: no-cache Content-Type: application/json;charset=UTF-8 Content-Length: 1382 Date: Mon, 25 Sep 2023 03:39:13 GMT Set-Cookie: [HIDDEN] Set-Cookie: [HIDDEN] [HIDDEN JSON DATA] ``` #### 移除 `session_key` 鍵值 Request -> ``` POST /B0209S_Absence_select.action HTTP/1.1 Host: sschool.tp.edu.tw Content-Type: application/x-www-form-urlencoded Content-Length: 45 nd=[HIDDEN]&sidx=&sord=asc&_search=false ``` Response <- ``` HTTP/1.1 200 Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Cache-Control: no-cache Content-Type: text/html;charset=utf-8 Content-Length: 15 Date: Mon, 25 Sep 2023 03:54:13 GMT Set-Cookie: [HIDDEN] 請先登入！ ``` 可知，`session_key` 鍵值似乎可作為身份驗證所用 ### 取得待執行... ## 假別對應 ```json { "1": "曠", "2": "事", "3": "病", "4": "喪", "5": "公", "7": "遲" }