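Each security patch lets us locate the vulnerable code quickly, but the patch files cannot be viewed directly, so we decided to write a tool that makes it easy to decrypt each patch file.
How to install a patch
Click the menu in the top-right corner of the site, then click System Monitoring.
It contains the system patch module: http://192.168.222.133:18080/smartbi/vision/sysmonitor.jsp
The request packet that corresponds to a manual update
Trying some of the earlier vulnerabilities again now fails.
smartbi.security.patch.PatchClassLoader is the class that handles the patches.
We write the decryption code modeled on that class.
This part can stay unchanged; only the specified file needs to be changed.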
// Class members only; the imports and the enclosing class are in the full listing further below.

// Open the patch file as a ZIP stream: Base64 decode -> AES/CBC decrypt -> ZIP.
private static ZipInputStream open() throws Exception {
    FileInputStream in = new FileInputStream("patch.patches");
    Base64InputStream bin = new Base64InputStream(in);
    String mode = "AES/CBC/PKCS5Padding";
    String key = "1234567812345678";
    String iv = "1234567812345678";
    Cipher cipher = Cipher.getInstance(mode);
    SecretKeySpec keyspec = new SecretKeySpec(key.getBytes("utf-8"), "AES");
    IvParameterSpec ivspec = new IvParameterSpec(iv.getBytes("utf-8"));
    cipher.init(Cipher.DECRYPT_MODE, keyspec, ivspec);
    CipherInputStream cin = new CipherInputStream(bin, cipher);
    return new ZipInputStream(cin);
}

public static void main(String[] args) throws Exception {
    ZipInputStream zip = open();
    ZipEntry entry = zip.getNextEntry();
    while (entry != null) {
        System.out.println(entry.getName());
        // Wrap the ZIP stream so that reading one entry does not close the whole archive.
        byte[] patchContent = readFromStream(new FilterInputStream(zip) {
            public void close() {
            }
        }, "UTF-8");
        // Keep only the file name, dropping any directory part of the entry name.
        String className = entry.getName().substring(entry.getName().lastIndexOf("/") + 1);
        // Do not overwrite the encrypted input file, which has the same name.
        if (className.equals("patch.patches")) {
            className = "patched.patches";
        }
        writeFile(className, patchContent);
        entry = zip.getNextEntry();
    }
}

// Write the decrypted entry to a file in the current directory.
public static void writeFile(String filePath, byte[] content) throws Exception {
    try (FileOutputStream outputStream = new FileOutputStream(filePath)) {
        outputStream.write(content);
    }
}

// The charset argument is unused; the bytes are returned as read.
public static byte[] readFromStream(InputStream is, String charset) throws IOException {
    return streamToByteArray(is);
}

// Read the stream to its end and return the bytes.
public static byte[] streamToByteArray(InputStream is) throws IOException {
    if (is == null) {
        return null;
    }
    BufferedInputStream in = new BufferedInputStream(is);
    ByteArrayOutputStream bo = new ByteArrayOutputStream();
    BufferedOutputStream bos = new BufferedOutputStream(bo);
    byte[] tmpBytes = new byte[1024];
    int readed;
    while ((readed = in.read(tmpBytes)) != -1) {
        bos.write(tmpBytes, 0, readed);
    }
    in.close();
    bos.close();
    return bo.toByteArray();
}
Try packaging this file as a JAR.
We use JavaFX to further improve the code.
package com.smartbi.decode;

// Base64InputStream comes from Apache Commons Codec.
import org.apache.commons.codec.binary.Base64InputStream;

import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public class decode {

    public static void main(String[] args) throws Exception {
        ZipInputStream zip = open();
        ZipEntry entry = zip.getNextEntry();
        while (entry != null) {
            System.out.println(entry.getName());
            // Wrap the ZIP stream so that reading one entry does not close the whole archive.
            byte[] patchContent = readFromStream(new FilterInputStream(zip) {
                public void close() {
                }
            }, "UTF-8");
            // Keep only the file name, dropping any directory part of the entry name.
            String className = entry.getName().substring(entry.getName().lastIndexOf("/") + 1);
            // Do not overwrite the encrypted input file, which has the same name.
            if (className.equals("patch.patches")) {
                className = "patched.patches";
            }
            writeFile(className, patchContent);
            entry = zip.getNextEntry();
        }
    }

    // Write the decrypted entry to a file in the current directory.
    public static void writeFile(String filePath, byte[] content) throws Exception {
        try (FileOutputStream outputStream = new FileOutputStream(filePath)) {
            outputStream.write(content);
        }
    }

    // The charset argument is unused; the bytes are returned as read.
    public static byte[] readFromStream(InputStream is, String charset) throws IOException {
        return streamToByteArray(is);
    }

    // Read the stream to its end and return the bytes.
    public static byte[] streamToByteArray(InputStream is) throws IOException {
        if (is == null) {
            return null;
        }
        BufferedInputStream in = new BufferedInputStream(is);
        ByteArrayOutputStream bo = new ByteArrayOutputStream();
        BufferedOutputStream bos = new BufferedOutputStream(bo);
        byte[] tmpBytes = new byte[1024];
        int readed;
        while ((readed = in.read(tmpBytes)) != -1) {
            bos.write(tmpBytes, 0, readed);
        }
        in.close();
        bos.close();
        return bo.toByteArray();
    }

    // Open the patch file as a ZIP stream: Base64 decode -> AES/CBC decrypt -> ZIP.
    public static ZipInputStream open() throws Exception {
        FileInputStream in = new FileInputStream("patch.patches");
        Base64InputStream bin = new Base64InputStream(in);
        String mode = "AES/CBC/PKCS5Padding";
        String key = "1234567812345678";
        String iv = "1234567812345678";
        Cipher cipher = Cipher.getInstance(mode);
        SecretKeySpec keyspec = new SecretKeySpec(key.getBytes("utf-8"), "AES");
        IvParameterSpec ivspec = new IvParameterSpec(iv.getBytes("utf-8"));
        cipher.init(Cipher.DECRYPT_MODE, keyspec, ivspec);
        CipherInputStream cin = new CipherInputStream(bin, cipher);
        return new ZipInputStream(cin);
    }
}
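Start with a simple interface to handle this.
It is very crude.
The main idea is to upload a file, copy it into the decode directory under the current path, and then decrypt it. It does not feel as convenient as the original version, but the purpose of writing this tool was also practice: to speed up my understanding of JavaFX so that the next tool is easier to write.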
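To check the decoder listings above without a real patch file, the following added example (not code from the original post or from Smartbi) builds a constructed sample container in memory with the same layering, ZIP inside AES/CBC/PKCS5Padding inside Base64, and decodes it again using only the JDK. The class name PatchRoundTrip, the sample entry name, the size limit, and the use of java.util.Base64's MIME codec in place of Commons Codec are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.zip.*;

// Added example with a hypothetical class name. Requires Java 11+ (readNBytes).
public class PatchRoundTrip {
    // The page uses the same 16-byte string as both AES key and IV.
    static final byte[] KEY_IV = "1234567812345678".getBytes(StandardCharsets.UTF_8);
    static final int MAX_ENTRY = 16 * 1024 * 1024; // assumed per-entry limit

    static Cipher cipher(int mode) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(KEY_IV, "AES"), new IvParameterSpec(KEY_IV));
        return c;
    }

    // Build a constructed sample container: ZIP -> AES-CBC -> Base64.
    static byte[] encode(String name, byte[] body) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipOutputStream zip = new ZipOutputStream(new CipherOutputStream(
                Base64.getMimeEncoder().wrap(out), cipher(Cipher.ENCRYPT_MODE)))) {
            zip.putNextEntry(new ZipEntry(name));
            zip.write(body);
        } // close() finishes the ZIP, the final AES block and the Base64 padding
        return out.toByteArray();
    }

    // Reverse the layers; entries are keyed by base name and capped in size.
    static Map<String, byte[]> decode(InputStream in) throws Exception {
        Map<String, byte[]> entries = new LinkedHashMap<>();
        // The MIME decoder skips line breaks in the Base64 text.
        try (ZipInputStream zip = new ZipInputStream(new CipherInputStream(
                Base64.getMimeDecoder().wrap(in), cipher(Cipher.DECRYPT_MODE)))) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; ) {
                String base = e.getName().substring(e.getName().lastIndexOf('/') + 1);
                byte[] data = zip.readNBytes(MAX_ENTRY + 1); // stops at end of entry
                if (data.length > MAX_ENTRY) throw new IOException("entry too large: " + base);
                entries.put(base, data);
            }
        }
        return entries;
    }

    public static void main(String[] args) throws Exception {
        byte[] sample = encode("smartbi/demo/Sample.class", "constructed".getBytes(StandardCharsets.UTF_8));
        decode(new ByteArrayInputStream(sample))
                .forEach((n, b) -> System.out.println(n + " " + b.length + " bytes"));
    }
}
```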