1. Introduction (opening remarks)
An attacker can obtain the database configuration information directly through the vulnerable page. With direct access to the database, the attacker can read user data directly, or even take full control of the database server.
2. Scope of impact
Affected versions include 8.0 and 9.0.
3. Environment setup (the environment actually does not matter much for an information disclosure like this)
4. Known vulnerability point: the page /mobile/dbconfigreader.jsp (starting the analysis at a random point ... if I get something wrong, experienced readers please point it out)
Let's go straight to the source code. I searched around and could not find the 8.0 installation package, so I'm borrowing a screenshot, heh heh.
Source: https://mp.weixin.qq.com/s/zTEUan_BtDDzuHzmd9pxYg
First, the page reads the database username and password, stores them in the variable sb, then converts them to bytes and DES-encrypts them.
With the source code in hand, let's compile it, set breakpoints in the debugger, and look at where the problem is.
<%@ page import="javax.crypto.*, javax.crypto.spec.DESKeySpec" %>
<%
    String conStr = "12345";          //Prop.getPropValue("weaver","ecology.url");
    String conUser = "12345";         //Prop.getPropValue("weaver","ecology.user");
    String conPsw = "12345";          //Prop.getPropValue("weaverl","ecology.password");
    String loginType = "sqlserver";   //Prop.getPropValue("weaver","authentic");
    // The values above are normally read from the configuration; I hardcode them here for debugging
    StringBuffer sb = new StringBuffer(); // new StringBuffer object (not used further below)
    // The biggest difference between StringBuffer and StringBuilder: StringBuilder's methods are not thread-safe
    // (no synchronized access); since StringBuilder is faster than StringBuffer, it is what gets used most of the time
    String verb = "url=" + conStr + ",user=" + conUser + ",password=" + conPsw + ",Logintype=" + loginType; // assemble the config string
    byte[] str = verb.getBytes();      // convert the string to a byte[]
    String keyString = "1z2x3c4v5b6n"; // DES key, hardcoded in the page
    System.out.println(verb);          // url=12345,user=12345,password=12345,Logintype=sqlserver
    byte[] keyByte = keyString.getBytes();
    // Create a key factory and use it to turn the DESKeySpec into a SecretKey object
    DESKeySpec dks1 = new DESKeySpec(keyByte);
    SecretKey key = SecretKeyFactory.getInstance("DES").generateSecret(dks1);
    Cipher cipher = Cipher.getInstance("DES");
    cipher.init(Cipher.ENCRYPT_MODE, key);
    byte[] cipherText = cipher.doFinal(str); // DES encryption
    //System.out.println(cipherText.length);
    ServletOutputStream sos = response.getOutputStream();
    System.out.println(cipherText);    // [B@641a034d
    sos.write(cipherText);             // write the DES-encrypted bytes to the response; why an output stream, I have no idea
    sos.flush();                       // flush the buffered data
    sos.close();                       // close the stream
%>
Here it throws an exception for me; I don't know why, it seems to be some conflict.
Looking at the fix, it seems to simply prohibit access to the /mobile/dbconfigreader.jsp page.
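Since the fix is to block the page, a defender also wants to know whether anyone already requested it. The following is an added example (not code from the vendor or from the original post) that scans web-server access logs for requests to /mobile/dbconfigreader.jsp, normalizing case and URL-encoding so that variants of the path are not missed, and reports which requests were actually served with HTTP 200. It assumes the Apache/Nginx "combined" log format; the log lines are constructed sample data.

```python
"""Detect requests for the Weaver E-cology /mobile/dbconfigreader.jsp page in
web-server access logs.  Added example for this write-up; assumes the
Apache/Nginx "combined" log format.  Log lines below are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Path that the write-up identifies as the leaking page.
LEAK_PATH = "/mobile/dbconfigreader.jsp"

# combined format: ip - user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(raw: str) -> str:
    """Drop the query string, URL-decode (twice, to catch double-encoding
    such as %252F) and lowercase, so encoded or mixed-case variants of the
    same path compare equal."""
    path = raw.split("?", 1)[0]
    return unquote(unquote(path)).lower()


def is_dbconfig_request(line: str):
    """Return the parsed fields if the line requests the leaking page,
    otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if normalize_path(m.group("path")) != LEAK_PATH:
        return None
    return m.groupdict()


def scan_log(lines):
    """Return (hits, per_ip_counts) for all requests to the leaking page."""
    hits = []
    per_ip = Counter()
    for line in lines:
        rec = is_dbconfig_request(line)
        if rec:
            hits.append(rec)
            per_ip[rec["ip"]] += 1
    return hits, per_ip


def served_hits(lines):
    """Hits the server answered with HTTP 200, i.e. the page was actually
    delivered and the blocking fix was not in place at that time."""
    hits, _ = scan_log(lines)
    return [h for h in hits if h["status"] == "200"]


# Constructed sample log lines (not real traffic; RFC 5737 test addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2020:13:55:36 +0800] "GET /login/Login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2020:13:55:40 +0800] "GET /mobile/dbconfigreader.jsp HTTP/1.1" 200 64 "-" "python-requests/2.24"',
    '198.51.100.7 - - [10/Oct/2020:13:56:01 +0800] "GET /mobile/DbConfigReader.jsp?x=1 HTTP/1.1" 200 64 "-" "curl/7.68.0"',
    '198.51.100.7 - - [10/Oct/2020:13:56:02 +0800] "GET /mobile%2Fdbconfigreader.jsp HTTP/1.1" 403 0 "-" "curl/7.68.0"',
    '192.0.2.9 - - [10/Oct/2020:13:57:00 +0800] "POST /api/doc/upload HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, per_ip = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["ts"]} {h["path"]} -> {h["status"]}')
    print("requests per source:", dict(per_ip))
    print("served (200) hits:", len(served_hits(SAMPLE_LOG)))
```

A 403 hit shows the block is working; a 200 hit on a host that has not had the fix applied means the DES-encrypted configuration blob was handed out, and since the key is hardcoded in the page, that should be treated as a credential exposure and the database password rotated.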
5. Exploit and usage
There is a ready-made script on GitHub:
https://github.com/NS-Sp4ce/Weaver-OA-E-cology-Database-Leak
It mainly DES-decrypts the byte stream returned by the page and displays the result.
Reference article:
https://mp.weixin.qq.com/s/zTEUan_BtDDzuHzmd9pxYg