浅析H3C-CAS虚拟化管理系统权限绕过致文件上传漏洞
2024-5-11 17:3:43 Author: y4tacker.github.io(查看原文) 阅读量:21 收藏

接下来我们来我们就具体看看com.virtual.plat.server.rs.ext.event.PasswordProtectDigestAuthenticationFilter做了什么处理

继续跟进super.doFilter的调用,其父类的调用为com.virtual.plat.server.rs.ext.event.DigestAuthenticationFilterExt#doFilter

因此自然而然函数的调用流向了com.virtual.plat.server.rs.ext.event.DigestAuthenticationFilterExt#b(HttpServletRequest, HttpServletResponse, java.lang.String, boolean),在这个认证中我们主要看if (!var14.equals(var10) && !var4) {,它的作用就是比对response摘要信息是否一致,而由于var4true,因此密码是否正确都不会影响程序的执行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
private boolean b(HttpServletRequest var1, HttpServletResponse var2, String var3, boolean var4) throws IOException, ServletException {
Map var5;
String var6 = (String)(var5 = a(a(var3 = var3.substring(7), ','), "=", "\"")).get("username");
String var7 = (String)var5.get("realm");
String var8 = (String)var5.get("nonce");
String var9 = (String)var5.get("uri");
String var10 = (String)var5.get("response");
String var11 = (String)var5.get("qop");
String var12 = (String)var5.get("nc");
String var25 = (String)var5.get("cnonce");
if (var6 != null && var7 != null && var8 != null && var9 != null && var2 != null) {
    if (!"auth".equals(var11) || var12 != null && var25 != null) {
        if (!var7.equals(this.getAuthenticationEntryPoint().getRealmName())) {
            this.a((HttpServletRequest)var1, (HttpServletResponse)var2, (AuthenticationException)(new BadCredentialsException(this.messages.getMessage("DigestAuthenticationFilter.incorrectRealm", new Object[]{var7, this.getAuthenticationEntryPoint().getRealmName()}, "Response realm name '{0}' does not match system realm name of '{1}'"))));
            return false;
        } else if (!Base64.isBase64(var8.getBytes())) {
            this.a((HttpServletRequest)var1, (HttpServletResponse)var2, (AuthenticationException)(new BadCredentialsException(this.messages.getMessage("DigestAuthenticationFilter.nonceEncoding", new Object[]{var8}, "Nonce is not encoded in Base64; received nonce {0}"))));
            return false;
        } else {
            String[] var13;
            if ((var13 = StringUtils.delimitedListToStringArray(var3 = new String(Base64.decode(var8.getBytes())), ":")).length != 2) {
                this.a((HttpServletRequest)var1, (HttpServletResponse)var2, (AuthenticationException)(new BadCredentialsException(this.messages.getMessage("DigestAuthenticationFilter.nonceNotTwoTokens", new Object[]{var3}, "Nonce should have yielded two tokens but was {0}"))));
                return false;
            } else {
                long var18;
                try {
                    var18 = new Long(var13[0]);
                } catch (NumberFormatException var22) {
                    this.a((HttpServletRequest)var1, (HttpServletResponse)var2, (AuthenticationException)(new BadCredentialsException(this.messages.getMessage("DigestAuthenticationFilter.nonceNotNumeric", new Object[]{var3}, "Nonce token should have yielded a numeric first token, but was {0}"))));
                    return false;
                }

                if (!a(var18 + ":" + this.getAuthenticationEntryPoint().getKey()).equals(var13[1])) {
                    this.a((HttpServletRequest)var1, (HttpServletResponse)var2, (AuthenticationException)(new BadCredentialsException(this.messages.getMessage("DigestAuthenticationFilter.nonceCompromised", new Object[]{var3}, "Nonce token compromised {0}"))));
                    return false;
                } else {
                    boolean var24 = false;
                    UserDetails var26;
                    if ((var26 = this.e.getUserFromCache(var6)) == null) {
                        var24 = true;

                        try {
                            var26 = this.f.loadUserByUsername(var6);
                        } catch (UsernameNotFoundException var21) {
                            this.a((HttpServletRequest)var1, (HttpServletResponse)var2, (AuthenticationException)(new BadCredentialsException(this.messages.getMessage("DigestAuthenticationFilter.usernameNotFound", new Object[]{var6}, "Username {0} not found"))));
                            return false;
                        }

                        if (var26 == null) {
                            throw new AuthenticationServiceException("AuthenticationDao returned null, which is an interface contract violation");
                        }

                        this.e.putUserInCache(var26);
                    }

                    String var14;
                    if (!(var14 = a(this.g, var6, var7, var26.getPassword(), var1.getMethod(), var9, var11, var8, var12, var25)).equals(var10) && !var24 && !var4) {
                        if (a.isDebugEnabled()) {
                            a.debug("Digest comparison failure; trying to refresh user from DAO in case password had changed");
                        }

                        try {
                            var26 = this.f.loadUserByUsername(var6);
                        } catch (UsernameNotFoundException var20) {
                            this.a((HttpServletRequest)var1, (HttpServletResponse)var2, (AuthenticationException)(new BadCredentialsException(this.messages.getMessage("DigestAuthenticationFilter.usernameNotFound", new Object[]{var6}, "Username {0} not found"))));
                        }

                        this.e.putUserInCache(var26);
                        var14 = a(this.g, var6, var7, var26.getPassword(), var1.getMethod(), var9, var11, var8, var12, var25);
                    }

                    if (!var14.equals(var10) && !var4) {
                        if (a.isDebugEnabled()) {
                            a.debug("Expected response: '" + var14 + "' but received: '" + var10 + "'; is AuthenticationDao returning clear text passwords?");
                        }

                        this.a((HttpServletRequest)var1, (HttpServletResponse)var2, (AuthenticationException)(new BadCredentialsException(this.messages.getMessage("DigestAuthenticationFilter.incorrectResponse", "Incorrect response"))));
                        return false;
                    } else if (var18 < System.currentTimeMillis()) {
                        this.a((HttpServletRequest)var1, (HttpServletResponse)var2, (AuthenticationException)(new NonceExpiredException(this.messages.getMessage("DigestAuthenticationFilter.nonceExpired", "Nonce has expired/timed out"))));
                        return false;
                    } else {
                        if (a.isDebugEnabled()) {
                            a.debug("Authentication success for user: '" + var6 + "' with response: '" + var10 + "'");
                        }

                        UsernamePasswordAuthenticationToken var23;
                        if (this.h) {
                            var23 = new UsernamePasswordAuthenticationToken(var26, var26.getPassword(), var26.getAuthorities());
                        } else {
                            var23 = new UsernamePasswordAuthenticationToken(var26, var26.getPassword());
                        }

                        var23.setDetails(this.c.buildDetails(var1));
                        SecurityContextHolder.getContext().setAuthentication(var23);
                        if (var1.getSession() != null) {
                            var1.getSession().setAttribute("loginName", var6);
                        }

                        return true;
                    }
                }
            }
        }
    } else {
        if (a.isDebugEnabled()) {
            a.debug("extracted nc: '" + var12 + "'; cnonce: '" + var25 + "'");
        }

        this.a((HttpServletRequest)var1, (HttpServletResponse)var2, (AuthenticationException)(new BadCredentialsException(this.messages.getMessage("DigestAuthenticationFilter.missingAuth", new Object[]{var3}, "Missing mandatory digest value; received header {0}"))));
        return false;
    }
} else {
    if (a.isDebugEnabled()) {
        a.debug("extracted username: '" + var6 + "'; realm: '" + var6 + "'; nonce: '" + var6 + "'; uri: '" + var6 + "'; response: '" + var6 + "'");
    }

    this.a((HttpServletRequest)var1, (HttpServletResponse)var2, (AuthenticationException)(new BadCredentialsException(this.messages.getMessage("DigestAuthenticationFilter.missingMandatory", new Object[]{var3}, "Missing mandatory digest value; received header {0}"))));
    return false;
}
}
1
Authorization: Digest username="admin", realm="VMC RESTful Web Services", nonce="xxxxx", uri="/cas/xxxxx", response="xxxxxx", qop=auth, nc=xxxx, cnonce="xxxxx", algorithm=xxxx

文章来源: https://y4tacker.github.io/2024/05/11/year/2024/5/%E6%B5%85%E6%9E%90H3C-CAS%E8%99%9A%E6%8B%9F%E5%8C%96%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87%E8%87%B4%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E/
如有侵权请联系:admin#unsafe.sh