帐号明文传输漏洞


表单提交前对账号、密码做一次编码,本文使用 BASE64(原文称之为“加密”)。需要说明的是,BASE64 只是可逆编码而不是加密:任何能读到请求的人都可以直接还原明文,所以它并不能真正解决明文传输问题;传输过程中的保密性要靠 HTTPS(TLS)来保证,下面的做法只是对明文做了一次可逆变换。

  1 /**
  2  *BASE64 Encode and Decode By UTF-8 unicode
  3  *可以和java的BASE64编码和解码互相转化
  4  */
  5 (function(){
  6     var BASE64_MAPPING = [
  7         ‘A‘,‘B‘,‘C‘,‘D‘,‘E‘,‘F‘,‘G‘,‘H‘,
  8         ‘I‘,‘J‘,‘K‘,‘L‘,‘M‘,‘N‘,‘O‘,‘P‘,
  9         ‘Q‘,‘R‘,‘S‘,‘T‘,‘U‘,‘V‘,‘W‘,‘X‘,
 10         ‘Y‘,‘Z‘,‘a‘,‘b‘,‘c‘,‘d‘,‘e‘,‘f‘,
 11         ‘g‘,‘h‘,‘i‘,‘j‘,‘k‘,‘l‘,‘m‘,‘n‘,
 12         ‘o‘,‘p‘,‘q‘,‘r‘,‘s‘,‘t‘,‘u‘,‘v‘,
 13         ‘w‘,‘x‘,‘y‘,‘z‘,‘0‘,‘1‘,‘2‘,‘3‘,
 14         ‘4‘,‘5‘,‘6‘,‘7‘,‘8‘,‘9‘,‘+‘,‘/‘
 15     ];
 16 
 17     /**
 18      *ascii convert to binary
 19      */
    /**
     * Express a non-negative integer as an array of bits, most significant
     * bit first. Zero (and any negative value) yields an empty array; no
     * width padding is applied here, callers pad to the width they need.
     * @param {number} ascii integer to convert
     * @returns {number[]} bits (0/1), MSB first
     */
    var _toBinary = function(ascii){
        var bits = [];
        var rest = ascii;
        while(rest > 0){
            // prepend the low bit so the array ends up MSB first without a reverse()
            bits.unshift(rest % 2);
            rest = Math.floor(rest / 2);
        }
        return bits;
    };
 37 
 38     /**
 39      *binary convert to decimal
 40      */
    /**
     * Interpret an array of bits (MSB first) as an unsigned integer.
     * An empty array yields 0.
     * @param {number[]} binary bits (0/1), MSB first
     * @returns {number} the integer value
     */
    var _toDecimal  = function(binary){
        var value = 0;
        // Horner's rule: shift the running value left one bit per position
        for(var i = 0 ; i < binary.length ; ++i){
            value = value * 2 + (Number(binary[i]) === 1 ? 1 : 0);
        }
        return value;
    };
 53 
 54     /**
 55      *unicode convert to utf-8
 56      */
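    /**
     * Lay out the bits of a code point as a multi-byte UTF-8 sequence.
     * The caller's array is no longer mutated: it is copied before being
     * left-padded with zeros to the payload width of the sequence.
     * @param {number} c number of bytes in the sequence (2..4; 5/6 only for
     *        the legacy ranges, which cannot arise from charCodeAt)
     * @param {number[]} binaryArray code point bits, MSB first, at most
     *        (7 - c) + 6 * (c - 1) of them
     * @returns {number[]} 8 * c bits: the lead byte (c ones, a zero, the
     *        first 7 - c payload bits) followed by c - 1 continuation bytes
     *        (1, 0, six payload bits each)
     */
    var _toUTF8Binary = function(c , binaryArray){
        // payload capacity: (7 - c) bits in the lead byte plus 6 per continuation byte
        var payloadLen = (8 - (c + 1)) + ((c - 1) * 6);
        // pad a copy so the argument stays untouched for the caller
        var payload = binaryArray.slice();
        while(payload.length < payloadLen){
            payload.unshift(0);
        }

        var out = [];
        // lead byte: c ones, then a zero
        for(var k = 0 ; k < c ; ++k){
            out.push(1);
        }
        out.push(0);
        var pos = 0;
        var leadBits = 8 - (c + 1);
        for(; pos < leadBits ; ++pos){
            out.push(payload[pos]);
        }

        // continuation bytes: 10xxxxxx, six payload bits each
        for(var j = 0 ; j < c - 1 ; ++j){
            out.push(1);
            out.push(0);
            for(var m = 0 ; m < 6 ; ++m){
                out.push(payload[pos++]);
            }
        }
        return out;
    };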
 85 
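    /**
     * UTF-8 encode a string into an array of byte values (0..255).
     * A high/low surrogate pair is combined into one code point so that an
     * astral character becomes a single 4-byte sequence (the previous
     * bit-walker encoded each UTF-16 unit separately, producing two 3-byte
     * sequences that a strict UTF-8 decoder rejects). A lone surrogate is
     * still emitted as a 3-byte sequence.
     * @param {string} str text to encode
     * @returns {number[]} UTF-8 bytes
     */
    var _toUTF8Bytes = function(str){
        var bytes = [];
        for(var i = 0 , len = str.length ; i < len ; ++i){
            var cp = str.charCodeAt(i);
            if(cp >= 0xD800 && cp <= 0xDBFF && i + 1 < len){
                var low = str.charCodeAt(i + 1);
                if(low >= 0xDC00 && low <= 0xDFFF){
                    cp = 0x10000 + ((cp - 0xD800) << 10) + (low - 0xDC00);
                    ++i; // the pair is consumed as one code point
                }
            }
            if(cp < 0x80){
                bytes.push(cp);
            }else if(cp < 0x800){
                bytes.push(0xC0 | (cp >> 6), 0x80 | (cp & 0x3F));
            }else if(cp < 0x10000){
                bytes.push(0xE0 | (cp >> 12), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
            }else{
                bytes.push(0xF0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3F), 0x80 | ((cp >> 6) & 0x3F), 0x80 | (cp & 0x3F));
            }
        }
        return bytes;
    };

    /**
     * Decode UTF-8 bytes into an array of code points.
     * Malformed input (bad lead byte, missing or wrong continuation byte)
     * yields U+FFFD for that position instead of garbage.
     * @param {number[]} bytes UTF-8 bytes (0..255)
     * @returns {number[]} code points; values >= 0x10000 are possible for
     *          4-byte sequences
     */
    var _fromUTF8Bytes = function(bytes){
        var codePoints = [];
        var len = bytes.length;
        var i = 0;
        while(i < len){
            var lead = bytes[i++];
            var extra;
            var cp;
            if(lead < 0x80){
                extra = 0; cp = lead;
            }else if((lead & 0xE0) === 0xC0){
                extra = 1; cp = lead & 0x1F;
            }else if((lead & 0xF0) === 0xE0){
                extra = 2; cp = lead & 0x0F;
            }else if((lead & 0xF8) === 0xF0){
                extra = 3; cp = lead & 0x07;
            }else{
                // stray continuation byte or invalid lead byte
                codePoints.push(0xFFFD);
                continue;
            }
            if(i + extra > len){
                // sequence truncated at end of input
                codePoints.push(0xFFFD);
                break;
            }
            var wellFormed = true;
            for(var k = 0 ; k < extra ; ++k){
                var cont = bytes[i + k];
                if((cont & 0xC0) !== 0x80){
                    wellFormed = false;
                    break;
                }
                cp = (cp << 6) | (cont & 0x3F);
            }
            if(!wellFormed){
                // do not consume the bad byte; it is re-read as a lead byte next round
                codePoints.push(0xFFFD);
                continue;
            }
            i += extra;
            codePoints.push(cp);
        }
        return codePoints;
    };

    /**
     * Base64-encode a byte array with '=' padding, three bytes per group.
     * @param {number[]} bytes values 0..255
     * @returns {string} Base64 text ("" for an empty array)
     */
    var _bytesToBase64 = function(bytes){
        var out = '';
        for(var i = 0 , len = bytes.length ; i < len ; i += 3){
            var b1 = bytes[i];
            var b2 = i + 1 < len ? bytes[i + 1] : 0;
            var b3 = i + 2 < len ? bytes[i + 2] : 0;
            var triple = (b1 << 16) | (b2 << 8) | b3;
            out += BASE64_MAPPING[(triple >> 18) & 0x3F];
            out += BASE64_MAPPING[(triple >> 12) & 0x3F];
            // the last group may be short: missing bytes become '=' padding
            out += i + 1 < len ? BASE64_MAPPING[(triple >> 6) & 0x3F] : '=';
            out += i + 2 < len ? BASE64_MAPPING[triple & 0x3F] : '=';
        }
        return out;
    };

    /**
     * Base64-decode text to a byte array.
     * Characters outside the alphabet are skipped (as the previous decoder
     * did) and decoding stops at the first '='.
     * @param {string} b64 Base64 text
     * @returns {number[]} bytes 0..255
     */
    var _base64ToBytes = function(b64){
        var bytes = [];
        var buffer = 0;   // pending bits not yet forming a full byte
        var bitCount = 0; // number of valid low bits in buffer (< 8 after each flush)
        for(var i = 0 , len = b64.length ; i < len ; ++i){
            var ch = b64.charAt(i);
            if(ch === '='){
                break;
            }
            var value = BASE64_MAPPING.indexOf(ch);
            if(value < 0){
                continue;
            }
            buffer = (buffer << 6) | value;
            bitCount += 6;
            if(bitCount >= 8){
                bitCount -= 8;
                bytes.push((buffer >> bitCount) & 0xFF);
                buffer &= (1 << bitCount) - 1; // keep only the leftover bits
            }
        }
        return bytes;
    };

    var __BASE64 = {
            /**
             * Encode a string as Base64 over its UTF-8 bytes.
             * NOTE: Base64 is a reversible encoding, not encryption. It gives
             * the encoded credentials no confidentiality at all; only TLS
             * protects them in transit.
             * @param {string} str text to encode; "" yields ""
             * @returns {string} padded Base64 text
             */
            encoder:function(str){
                return _bytesToBase64(_toUTF8Bytes(str));
            },
            /**
             * Decode Base64 text (UTF-8 payload) into an array of code points.
             * The result is numbers, not a string; values >= 0x10000 must be
             * turned into a surrogate pair by the caller when building a string.
             * @param {string} _base64Str Base64 text
             * @returns {number[]} code points
             */
            decoder : function(_base64Str){
                return _fromUTF8Bytes(_base64ToBytes(_base64Str));
            }
    };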
217 
    // Expose the encoder/decoder as the global BASE64 that the login form calls.
    window.BASE64 = __BASE64;
219 })();
BASE64.js

 

登陆检验:

 1 <form name="form1" method="post" action="<%=basePath%>/core/login.action"
 2                         onsubmit="return checkParam();"></form>
 3 
 4 
 5 <script language="javascript" type="text/JavaScript">
 6             //登录检验
            /**
             * Login form pre-submit check: rejects an empty user name or
             * password (alert + focus, submit cancelled), otherwise sets the
             * "action" field and Base64-encodes both fields before submit.
             * NOTE: Base64 is a reversible encoding, not encryption; the
             * credentials are still readable by anyone who sees the request.
             * Only TLS on the connection gives them confidentiality.
             * @returns {boolean} true to let the form submit, false to cancel
             */
            function checkParam(){
                var $user = $("#userName");
                var $pass = $("#passWord");
                if($.trim($user.val()) === ""){
                    alert("请输入用户名!");
                    $user.focus();
                    return false;
                }
                if($.trim($pass.val()) === ""){
                    alert("请输入密码!");
                    $pass.focus();
                    return false;
                }
                document.form1.action.value = "authenticate";
                // the untrimmed values are encoded, matching what the server decodes
                document.getElementById("userName").value = BASE64.encoder($user.val());
                document.getElementById("passWord").value = BASE64.encoder($pass.val());
                return true;
            }
25             
26         </script>
form1

 

import java.io.Serializable;
import java.io.UnsupportedEncodingException;
import java.nio.charset.Charset;
  3 
  4 /**
  5  * BASE64加密解密的处理类 
  6  * <br>
  7  * 
  8  * @author Vivim
  9  * @time Jan 13, 2009 12:12:42 PM
 10  * @version 1.0
 11  */
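/**
 * Base64 encoder/decoder (standard alphabet, "=" padding) that interoperates
 * with the browser-side BASE64.js used by the login form.
 * <p>
 * Base64 is a reversible encoding, not encryption: it hides nothing from
 * anyone who can read the request. Confidentiality of credentials in transit
 * comes from TLS, not from this class.
 * <p>
 * The String convenience methods always use UTF-8 (the JavaScript encoder
 * emits UTF-8 bytes), so their result no longer depends on the JVM's default
 * charset, which differs between platforms.
 *
 * @author Vivim
 * @time Jan 13, 2009 12:12:42 PM
 * @version 1.0
 */
public class BASE64 implements Serializable {

    private static final long serialVersionUID = 3762133767673900132L;

    /** Charset for the String convenience methods; UTF-8 is mandatory in every JVM. */
    private static final Charset UTF8 = Charset.forName("UTF-8");

    /** Alphabet indexed by 6-bit value. */
    private static final char[] base64EncodeChars = new char[] { 'A', 'B', 'C', 'D',
            'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q',
            'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd',
            'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q',
            'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3',
            '4', '5', '6', '7', '8', '9', '+', '/' };

    /** ASCII code -> 6-bit value; -1 marks a character outside the alphabet. */
    private static final byte[] base64DecodeChars = new byte[] { -1, -1, -1, -1, -1,
            -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
            -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
            -1, -1, -1, -1, 62, -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58, 59,
            60, 61, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
            10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1,
            -1, -1, -1, -1, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37,
            38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1,
            -1, -1 };

    /**
     * Encodes raw bytes as Base64 text.
     *
     * @param data bytes to encode; an empty array yields ""
     * @return the padded Base64 representation
     */
    public final static String encode(byte[] data) {
        int len = data.length;
        StringBuilder sb = new StringBuilder((len + 2) / 3 * 4);
        int i = 0;
        while (i < len) {
            int b1 = data[i++] & 0xff;
            if (i == len) {
                // one trailing byte: two data characters and "=="
                sb.append(base64EncodeChars[b1 >>> 2]);
                sb.append(base64EncodeChars[(b1 & 0x3) << 4]);
                sb.append("==");
                break;
            }
            int b2 = data[i++] & 0xff;
            if (i == len) {
                // two trailing bytes: three data characters and "="
                sb.append(base64EncodeChars[b1 >>> 2]);
                sb.append(base64EncodeChars[((b1 & 0x03) << 4)
                        | ((b2 & 0xf0) >>> 4)]);
                sb.append(base64EncodeChars[(b2 & 0x0f) << 2]);
                sb.append("=");
                break;
            }
            int b3 = data[i++] & 0xff;
            sb.append(base64EncodeChars[b1 >>> 2]);
            sb.append(base64EncodeChars[((b1 & 0x03) << 4)
                    | ((b2 & 0xf0) >>> 4)]);
            sb.append(base64EncodeChars[((b2 & 0x0f) << 2)
                    | ((b3 & 0xc0) >>> 6)]);
            sb.append(base64EncodeChars[b3 & 0x3f]);
        }
        return sb.toString();
    }

    /**
     * Decodes Base64 text to the original bytes.
     * Characters outside the alphabet are skipped and decoding stops at the
     * first '='. The input is read as US-ASCII, so any non-ASCII character is
     * treated as unknown and skipped as well.
     *
     * @param str Base64 text
     * @return the decoded bytes (empty when no valid character was found)
     * @throws UnsupportedEncodingException not expected in practice: US-ASCII
     *         and ISO-8859-1 are mandatory charsets; kept in the signature for
     *         source compatibility with existing callers
     */
    public final static byte[] decode(String str)
            throws UnsupportedEncodingException {
        // each decoded byte is collected as a char 0..255 and mapped back through ISO-8859-1
        StringBuilder sb = new StringBuilder();
        byte[] data = str.getBytes("US-ASCII");
        int len = data.length;
        int i = 0;
        int b1, b2, b3, b4;
        while (i < len) {
            /* b1: skip characters outside the alphabet */
            do {
                b1 = base64DecodeChars[data[i++]];
            } while (i < len && b1 == -1);
            if (b1 == -1)
                break;
            /* b2 */
            do {
                b2 = base64DecodeChars[data[i++]];
            } while (i < len && b2 == -1);
            if (b2 == -1)
                break;
            sb.append((char) ((b1 << 2) | ((b2 & 0x30) >>> 4)));
            /* b3: '=' (61) ends the data */
            do {
                b3 = data[i++];
                if (b3 == 61)
                    return sb.toString().getBytes("ISO-8859-1");
                b3 = base64DecodeChars[b3];
            } while (i < len && b3 == -1);
            if (b3 == -1)
                break;
            sb.append((char) (((b2 & 0x0f) << 4) | ((b3 & 0x3c) >>> 2)));
            /* b4 */
            do {
                b4 = data[i++];
                if (b4 == 61)
                    return sb.toString().getBytes("ISO-8859-1");
                b4 = base64DecodeChars[b4];
            } while (i < len && b4 == -1);
            if (b4 == -1)
                break;
            sb.append((char) (((b3 & 0x03) << 6) | b4));
        }
        return sb.toString().getBytes("ISO-8859-1");
    }

    /**
     * Base64-encodes the UTF-8 bytes of a string.
     *
     * @param srcString text to encode
     * @return Base64 text
     */
    public final static String encodeToBase64(String srcString) {
        return encode(srcString.getBytes(UTF8));
    }

    /**
     * Decodes Base64 text and interprets the bytes as UTF-8.
     *
     * @param base64String Base64 text
     * @return the decoded string
     * @throws IllegalStateException if the JVM lacks a mandatory charset,
     *         which cannot happen on a conforming runtime
     */
    public final static String decodeFromBase64(String base64String) {
        try {
            return new String(decode(base64String), UTF8);
        } catch (UnsupportedEncodingException e) {
            // US-ASCII and ISO-8859-1 are required by the Java platform; surface rather than return null
            throw new IllegalStateException("mandatory charset missing", e);
        }
    }
}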
BASE64.java

 

action层解密

1             userName = BASE64.decodeFromBase64(userName);
2             passWord = BASE64.decodeFromBase64(passWord);
LoginAction

 

service 层对密码做 md5 加密(散列)后与数据库中保存的密文对比。

md5 是单向散列而不是加密,所以不能“解密”;但无盐的 md5 对常见口令可以通过预先计算的字典逆推出来,口令存储应改用带盐的慢散列算法(如 bcrypt、PBKDF2)。
