關於base64前端加密,後端解密
阿新 • • 發佈:2018-12-31
公司做的系統是給某公司內網的系統。做了一個滲透測試。提出一點漏洞,關於使用者名稱和密碼在傳輸中是用明文傳輸的,但後臺接到後已經做了MD5加密進行校驗而且還是內網,一般這個是沒問題的。但提出了漏洞就改唄,加個密。思路是前端加密,後端解密。
前端
<script src="<c:url value='/scripts/base64.js'/>"></script>
function submitForm(){ var abc=document.getElementById("submit"); abc.disabled=true; var str1=document.getElementById('j_username').value.trim(); var str2=document.getElementById('j_password').value.trim(); var result = Base.encode(str1); document.getElementById('j_username').value=result; var res = Base.encode(str2); document.getElementById('j_password').value=res; loginForm.submit(); }base64.js:
//base64加密 解密 /* //1.加密 var result = Base.encode('125中文'); //--> "MTI15Lit5paH" //2.解密 var result2 = Base.decode(result); //--> '125中文' */ ~(function(root, factory) { if (typeof define === "function" && define.amd) { define([], factory); } else if (typeof module === "object" && module.exports) { module.exports = factory(); } else { root.Base = factory(); } }(this, function() { 'use strict'; function Base64() { // private property this._keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; } //public method for encoding Base64.prototype.encode = function (input) { var output = "", chr1, chr2, chr3, enc1, enc2, enc3, enc4, i = 0; input = this._utf8_encode(input); while (i < input.length) { chr1 = input.charCodeAt(i++); chr2 = input.charCodeAt(i++); chr3 = input.charCodeAt(i++); enc1 = chr1 >> 2; enc2 = ((chr1 & 3) << 4) | (chr2 >> 4); enc3 = ((chr2 & 15) << 2) | (chr3 >> 6); enc4 = chr3 & 63; if (isNaN(chr2)) { enc3 = enc4 = 64; } else if (isNaN(chr3)) { enc4 = 64; } output = output + this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) + this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4); } return output; } // public method for decoding Base64.prototype.decode = function (input) { var output = "", chr1, chr2, chr3, enc1, enc2, enc3, enc4, i = 0; input = input.replace(/[^A-Za-z0-9\+\/\=]/g, ""); while (i < input.length) { enc1 = this._keyStr.indexOf(input.charAt(i++)); enc2 = this._keyStr.indexOf(input.charAt(i++)); enc3 = this._keyStr.indexOf(input.charAt(i++)); enc4 = this._keyStr.indexOf(input.charAt(i++)); chr1 = (enc1 << 2) | (enc2 >> 4); chr2 = ((enc2 & 15) << 4) | (enc3 >> 2); chr3 = ((enc3 & 3) << 6) | enc4; output = output + String.fromCharCode(chr1); if (enc3 != 64) { output = output + String.fromCharCode(chr2); } if (enc4 != 64) { output = output + String.fromCharCode(chr3); } } output = this._utf8_decode(output); return output; } // private method for UTF-8 encoding Base64.prototype._utf8_encode = function (string) { string = string.replace(/\r\n/g,"\n"); var utftext = ""; for (var n = 0; n < string.length; n++) { var c = string.charCodeAt(n); if (c < 128) { utftext += String.fromCharCode(c); } else if((c > 127) && (c < 2048)) { utftext += String.fromCharCode((c >> 6) | 192); utftext += String.fromCharCode((c & 63) | 128); } else { utftext += String.fromCharCode((c >> 12) | 224); utftext += String.fromCharCode(((c >> 6) & 63) | 128); utftext += String.fromCharCode((c & 63) | 128); } } return utftext; } // private method for UTF-8 decoding Base64.prototype._utf8_decode = function (utftext) { var string = "", i = 0, c = 0, c1 = 0, c2 = 0, c3 = 0; while ( i < utftext.length ) { c = utftext.charCodeAt(i); if (c < 128) { string += String.fromCharCode(c); i++; } else if((c > 191) && (c < 224)) { c2 = utftext.charCodeAt(i+1); string += String.fromCharCode(((c & 31) << 6) | (c2 & 63)); i += 2; } else { c2 = utftext.charCodeAt(i+1); c3 = utftext.charCodeAt(i+2); string += String.fromCharCode(((c & 15) << 12) | ((c2 & 63) << 6) | (c3 & 63)); i += 3; } } return string; } var Base = new Base64(); return Base; }));
後端工具類:
package com.sasis.util; import sun.misc.BASE64Decoder; import sun.misc.BASE64Encoder; public final class BASE64Util { /** * 採用BASE64演算法對字串進行加密 * @param base 原字串 * @return 加密後的字串 */ public static final String encode(String base){ return BASE64Util.encode(base.getBytes()); } /** * 採用BASE64演算法對位元組陣列進行加密 * @param baseBuff 原位元組陣列 * @return 加密後的字串 */ public static final String encode(byte[] baseBuff){ return new BASE64Encoder().encode(baseBuff); } /** * 字串解密,採用BASE64的演算法 * @param encoder 需要解密的字串 * @return 解密後的字串 */ public static final String decode(String encoder){ try { BASE64Decoder decoder = new BASE64Decoder(); byte[] buf = decoder.decodeBuffer(encoder); return new String(buf); } catch (Exception e) { return null; } } }
後端處理:
String username1 = request.getParameter("j_username");
String password1 = request.getParameter("j_password");
log.info("使用者名稱:"+username1);
log.info("密碼:"+password1);
//後端解密
String username=BASE64Util.decode(username1);
String password=BASE64Util.decode(password1);
SimpleDateFormat sdf=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
String time=sdf.format(new Date());
log.info("操作時間:"+time+"使用者名稱:"+username);