【Tiptop ERP T】Tiptop GP 用戶密碼加密算法改進為MD5不可逆加密

某一天debug Tiptop GP 5.X 的 webpass.4gl程式看到了一個不該看到的東西

深深的有一種罪惡感

既然看都看了就讓看了這個代碼所有的觀眾都一起來罪惡吧！

情景：Tiptop GP 5.x 本身對所有用戶的密碼都進行了加密

因此,即使用PL/SQL看Oracle資料庫裏面的信息也看不到用戶本身的用戶密碼,如下：

既然，密碼是密文，那User登錄系統就要驗證密文了，怎麼驗證了？密文可逆？密文不可逆？

非常高興的告訴你，鼎新人員對密碼加密算法是可逆的，解密函數就是cl_uszx_10decod()

如此,客至新的查詢程式p_pwdq(GP用戶密碼找回查詢)用於給user找回密碼

p_pwdq 的per檔源碼：

----------------------------------------------------------------------------------
-- $Id:  p_pwdq.per created Thu Jun 28 17:06:27 2012
-- File created from p_pwdq.4fd by Genero Studio 11401
-- Copyright (c) 2002-2007  Four J's Development Tools.  All rights reserved.
----------------------------------------------------------------------------------
-- WARNING! All changes made in this file will be lost!
----------------------------------------------------------------------------------
SCHEMA ds

LAYOUT( TEXT="p_pwdq")
  VBOX vb3
    FOLDER pc2
      PAGE page1( TEXT="Main", IMAGE="login")
        GRID gr3
        {
         UserID    [aa0           ]
         UserName  [aa1           ]  Department [aa2           ]
         Password  [aa3                              ]
         DPassword [aa4                              ][aa5 ][aa6 ]
         ToMD5     [aa7                              ][    ][    ]
         Email     [aa8                              ]


        }
        END -- GRID
      END -- PAGE
    END -- FOLDER
    GRID gr4
    {
    ------ Row[aa9     ]/[ab0     ] ------

    }
    END -- GRID
  END -- VBOX
END
ATTRIBUTES
  BUTTONEDIT aa0=FORMONLY.zx01 TYPE VARCHAR, ACTION=controlp, IMAGE="zoom", REQUIRED, TABINDEX=3;
  BUTTONEDIT aa1=FORMONLY.zx02 TYPE VARCHAR, ACTION=controlp, IMAGE="zoom", TABINDEX=4;
  BUTTONEDIT aa2=FORMONLY.zx03 TYPE VARCHAR, ACTION=controlp, IMAGE="zoom", TABINDEX=5;
  EDIT aa3=FORMONLY.zx10 TYPE VARCHAR, NOENTRY, TABINDEX=6;
  EDIT aa4=FORMONLY.zx10dcode TYPE VARCHAR, COLOR=RED, NOENTRY, TABINDEX=7;
  IMAGE aa5=FORMONLY.imgmksg;
  IMAGE aa6=FORMONLY.imglove;
  EDIT aa7=FORMONLY.zx10md5 TYPE VARCHAR, COLOR=BLUE, NOENTRY, TABINDEX=8;
  EDIT aa8=FORMONLY.zx09 TYPE VARCHAR, NOENTRY, TABINDEX=9;
  EDIT aa9=FORMONLY.cnt, NOENTRY, TABINDEX=1;
  EDIT ab0=FORMONLY.cn2, NOENTRY, TABINDEX=2;
END

p_pwdq 的4gl檔源碼：

# Prog. Version..: '5.10.16-10.10.14(00009)'     #
#
# Pattern name...: p_pwdq
# Descriptions...: GP用戶密碼找回查詢
# Date & Author..: 2012/06/28 By terry

DATABASE ds

GLOBALS "../../config/top.global"

DEFINE g_wc            STRING,
       g_sql           STRING
DEFINE g_zx            RECORD
                       zx01  LIKE zx_file.zx01,
                       zx02  LIKE zx_file.zx02,
                       zx03  LIKE zx_file.zx03,
                       zx09  LIKE zx_file.zx09,
                       zx10  LIKE zx_file.zx10,
                       zx10dcode  LIKE type_file.chr50,
                       zx10md5    LIKE type_file.chr50                       
                       END RECORD,
       g_argv1         LIKE zx_file.zx01,
       g_zx_rowid      LIKE type_file.chr18
DEFINE p_row,p_col     LIKE type_file.num5,
       g_msg           LIKE type_file.chr1000
DEFINE g_row_count     LIKE type_file.num10,
       g_curs_index    LIKE type_file.num10,
       g_jump          LIKE type_file.num10,
       mi_no_ask       LIKE type_file.num5
DEFINE g_cnt           LIKE type_file.num10

MAIN
   OPTIONS                                #改變一些系統預設值
        FORM LINE       FIRST + 2,        #畫面開始的位置
        MESSAGE LINE    LAST,             #訊息顯示的位置
        PROMPT LINE     LAST,             #提示訊息的位置
        INPUT NO WRAP                     #輸入的方式: 不打轉
   DEFER INTERRUPT                        #擷取中斷鍵, 由程式處理

   IF (NOT cl_user()) THEN
      EXIT PROGRAM
   END IF
 
   WHENEVER ERROR CALL cl_err_msg_log
 
   IF (NOT cl_setup("CZZ")) THEN
      EXIT PROGRAM
   END IF
   
   CALL  cl_used(g_prog,g_time,1) RETURNING g_time
   
   LET g_argv1 = ARG_VAL(1)
   LET p_row = 3 
   LET p_col = 2

   OPEN WINDOW p_pwdq_w AT p_row,p_col WITH FORM "czz/42f/p_pwdq"
        ATTRIBUTE (STYLE = g_win_style CLIPPED) 
   CALL cl_ui_init()
   
   CALL cl_set_comp_visible('imglove',FALSE)

   IF NOT cl_null(g_argv1) THEN 
      CALL p_pwdq_q() 
   END IF
   CALL p_pwdq_menu()
   CLOSE WINDOW p_pwdq_w
   CALL cl_used(g_prog,g_time,2) RETURNING g_time
END MAIN

FUNCTION p_pwdq_cs()
   DEFINE  lc_qbe_sn    LIKE gbm_file.gbm01
   
   IF NOT cl_null(g_argv1) THEN 
      LET g_wc = "zx01 = '",g_argv1,"'"
   ELSE 
      CLEAR FORM
      CALL cl_opmsg('q')
      INITIALIZE g_wc TO NULL
      CONSTRUCT BY NAME g_wc ON zx01,zx02,zx03
        BEFORE CONSTRUCT
          CALL cl_qbe_init()
        ON ACTION controlp 
           CASE 
             WHEN INFIELD(zx01)
               CALL cl_init_qry_var() 
               LET g_qryparam.state= "c"
               LET g_qryparam.form ="q_zx"
               CALL cl_create_qry() RETURNING g_qryparam.multiret
               DISPLAY g_qryparam.multiret TO zx01
               NEXT FIELD zx01
             WHEN INFIELD(zx03)
               CALL cl_init_qry_var() 
               LET g_qryparam.state= "c"
               LET g_qryparam.form ="q_gem"
               CALL cl_create_qry() RETURNING g_qryparam.multiret
               DISPLAY g_qryparam.multiret TO zx03
               NEXT FIELD zx03
             OTHERWISE EXIT CASE
            END CASE
        ON IDLE g_idle_seconds
           CALL cl_on_idle()
           CONTINUE CONSTRUCT 
        ON ACTION about
           CALL cl_about() 
        ON ACTION help 
           CALL cl_show_help() 
        ON ACTION controlg
           CALL cl_cmdask()
        ON ACTION qbe_select
		   CALL cl_qbe_list() RETURNING lc_qbe_sn
		   CALL cl_qbe_display_condition(lc_qbe_sn)
      END CONSTRUCT
      
      #此為客制共用函數,解決Oracle的'[123]FUCKYOU'查詢,你可以在本人以前的博客文章中找到此ccl_translate_sql()的介紹及源碼
      CALL ccl_translate_sql(g_wc) RETURNING g_wc
      
      IF INT_FLAG THEN RETURN END IF
   END IF
   
   LET g_sql="SELECT COUNT(*) FROM zx_file WHERE ",g_wc CLIPPED
   PREPARE p_pwdq_cnt_pre FROM g_sql
   DECLARE p_pwdq_cnt CURSOR FOR p_pwdq_cnt_pre
   
   LET g_sql=" SELECT zx01,ROWID FROM zx_file WHERE ",g_wc CLIPPED," ORDER BY zx03"
   PREPARE p_pwdq_pre FROM g_sql
   DECLARE p_pwdq_cs  SCROLL CURSOR FOR p_pwdq_pre
END FUNCTION

FUNCTION p_pwdq_menu()
   MENU ""
      BEFORE MENU
         CALL cl_navigator_setting(g_curs_index, g_row_count)
      
      ON ACTION query
         LET g_action_choice="query"
         IF cl_chk_act_auth() THEN
            CALL p_pwdq_q()
         END IF
      
      ON ACTION first
         CALL p_pwdq_fetch('F')
      ON ACTION last
         CALL p_pwdq_fetch('L')
      ON ACTION jump
         CALL p_pwdq_fetch('/')
      ON ACTION next
         CALL p_pwdq_fetch('N')
      ON ACTION previous
         CALL p_pwdq_fetch('P')
      
      ON ACTION send_pwd_tomail
         LET g_action_choice="send_pwd_tomail"
         IF cl_chk_act_auth() THEN
            CALL p_pwdq_send_pwd_tomail()
         END IF 
      
      ON ACTION help
         CALL cl_show_help()
      ON ACTION exit
         LET g_action_choice = "exit"
         EXIT MENU
      ON ACTION controlg
         CALL cl_cmdask()
      ON ACTION locale
         CALL cl_dynamic_locale()
         CALL cl_show_fld_cont()
      ON IDLE g_idle_seconds
         CALL cl_on_idle()
         CONTINUE MENU
      ON ACTION about
         CALL cl_about()
      COMMAND KEY(INTERRUPT)
         LET INT_FLAG=FALSE
         LET g_action_choice = "exit"
         EXIT MENU
   END MENU
   CLOSE p_pwdq_cs
END FUNCTION

FUNCTION p_pwdq_q()
    LET g_row_count = 0
    LET g_curs_index = 0
    CALL cl_navigator_setting( g_curs_index, g_row_count )
    CALL cl_opmsg('q')
    MESSAGE ""
    DISPLAY '   ' TO FORMONLY.cnt
    CALL p_pwdq_cs()
    IF INT_FLAG THEN LET INT_FLAG = 0 RETURN END IF
    OPEN p_pwdq_cs
    IF SQLCA.sqlcode THEN
       CALL cl_err('',SQLCA.sqlcode,0)
    ELSE
       OPEN p_pwdq_cnt
       FETCH p_pwdq_cnt INTO g_row_count
       DISPLAY g_row_count TO FORMONLY.cnt
       CALL p_pwdq_fetch('F')
    END IF
END FUNCTION

FUNCTION p_pwdq_fetch(p_flag)
    DEFINE p_flag          LIKE type_file.chr1,
           l_abso          LIKE type_file.num10
    DEFINE l_zx19          LIKE zx_file.zx19
    DEFINE l_lovepic       LIKE type_file.chr1000
    
    INITIALIZE g_zx.*,g_zx_rowid,l_zx19,l_lovepic TO NULL
    CALL cl_set_comp_visible('imglove',FALSE)
    CASE p_flag
        WHEN 'N' FETCH NEXT     p_pwdq_cs INTO g_zx.zx01,g_zx_rowid
        WHEN 'P' FETCH PREVIOUS p_pwdq_cs INTO g_zx.zx01,g_zx_rowid
        WHEN 'F' FETCH FIRST    p_pwdq_cs INTO g_zx.zx01,g_zx_rowid
        WHEN 'L' FETCH LAST     p_pwdq_cs INTO g_zx.zx01,g_zx_rowid
        WHEN '/'
            IF (NOT mi_no_ask) THEN
               CALL cl_getmsg('fetch',g_lang) RETURNING g_msg
               LET INT_FLAG = 0
               PROMPT g_msg CLIPPED,': ' FOR g_jump
                  ON IDLE g_idle_seconds
                     CALL cl_on_idle()
                  ON ACTION about
                     CALL cl_about()
                  ON ACTION help
                     CALL cl_show_help()
                  ON ACTION controlg
                     CALL cl_cmdask()
               END PROMPT
               IF INT_FLAG THEN
                  LET INT_FLAG = 0
                  EXIT CASE
               END IF
            END IF
            FETCH ABSOLUTE g_jump p_pwdq_cs INTO g_zx.zx01,g_zx_rowid
            LET mi_no_ask = FALSE
        OTHERWISE EXIT CASE
    END CASE

    IF SQLCA.sqlcode THEN
        CALL cl_err(g_zx.zx01,SQLCA.sqlcode,0)
        INITIALIZE g_zx.* TO NULL
        LET g_zx_rowid = NULL
        RETURN
    ELSE
       CASE p_flag
          WHEN 'F' LET g_curs_index = 1
          WHEN 'P' LET g_curs_index = g_curs_index - 1
          WHEN 'N' LET g_curs_index = g_curs_index + 1
          WHEN 'L' LET g_curs_index = g_row_count
          WHEN '/' LET g_curs_index = g_jump
       END CASE
 
       CALL cl_navigator_setting(g_curs_index, g_row_count)
    END IF

	SELECT zx01,zx02,zx03,zx09,zx10,'','',decode(zx19,'Y','N','N','Y','N') INTO g_zx.*,l_zx19 FROM zx_file
	  WHERE ROWID = g_zx_rowid
    IF SQLCA.sqlcode THEN
       CALL cl_err3("sel","zx_file",g_zx.zx01,"",SQLCA.sqlcode,"","",0)
       RETURN
    END IF
    
    IF NOT cl_null(g_zx.zx10) THEN
       LET g_zx.zx10dcode = cl_uszx_10decod(g_zx.zx10)
       LET g_zx.zx10md5 = p_pwdq_md5(g_zx.zx10dcode)
    END IF
    DISPLAY BY NAME g_zx.*
    #顯示該用戶是否已經有登錄過GP系統
    CALL cl_set_field_pic(l_zx19,"","","","",l_zx19)
    #筆數
    DISPLAY g_curs_index TO FORMONLY.cnt
    DISPLAY g_row_count TO FORMONLY.cn2
    #為我們的愛而寫,你需要上傳一張命名為 heart.jpg 的圖片于 $TOP/doc/pic 目錄下麵
    IF (g_zx.zx01 ='zhanna' OR g_zx.zx01= 'terry')
      AND (g_user = 'zhanna' OR g_user = 'terry') THEN
      CALL cl_set_comp_visible('imglove',TRUE)
    END IF
    LET l_lovepic = FGL_GETENV("FGLASIP") || "/tiptop/pic/heart.jpg"
    DISPLAY l_lovepic TO FORMONLY.imglove
    
    CALL cl_show_fld_cont()
END FUNCTION

FUNCTION p_pwdq_send_pwd_tomail()
    IF cl_null(g_zx.zx09) OR cl_null(g_zx.zx10) THEN
      CALL cl_err('','cro-144',0)
      RETURN
    ELSE
      IF cl_confirm("確認發送密碼至該用戶Email") THEN
         #CALL cl_flow_notify(g_zx.zx02,g_zx.zx10dcode)
         CALL cl_end(0,0)
      END IF
    END IF
    
END FUNCTION

FUNCTION p_pwdq_md5(p_str)
    DEFINE p_str           STRING
    DEFINE md5_result      STRING
    DEFINE l_cmd           STRING
    DEFINE l_channel_cmd   base.Channel
    
    INITIALIZE md5_result TO NULL
    IF cl_null(p_str) THEN
       RETURN " "
    END IF
    #注意GP SERVER上此shell及相應java jar都須有可執行權限喲！
    LET l_cmd = "sh $CZZ/4gl/p_java/javamd5.sh ",p_str CLIPPED," 2>/dev/null"
    LET l_channel_cmd = base.Channel.Create()
    CALL l_channel_cmd.openPipe(l_cmd,"r")
    LET md5_result = l_channel_cmd.readLine()
    CALL l_channel_cmd.close()
    RETURN md5_result
END FUNCTION

改進點:

1、用Java寫一個MD5加密應用程式,生成jar包部署于Tiptop GP server上

2、再寫一個Shell腳本,此Shell腳本調用上面Java的應用程式

3、p_pwdq 4GL代碼裏面RUN 此Shell得到用戶MD5加密后的密文

MD5密文是不可逆的,所以所有人都無法看到user密碼原明文！

如何在Tiptop Server上部署此Java jar包及Shell腳本,依本人此程式為例:

<topprod:/u1/topprod/topcust/czz/4gl> ll
total 106
-rw-rw-rw-   1 terry      mis          14769 May 18 16:49 p_dbspace.4gl
drwxrwxrwx   2 terry      mis             96 Jun 28 16:58 p_java
-rw-rw-rw-   1 terry      mis          14869 Mar 20 13:39 p_locked.4gl
-rw-rw-rw-   1 terry      mis           9949 Jun 28 17:17 p_pwdq.4gl
-rw-rw-rw-   1 terry      mis           8802 May 29 15:15 terry.4gl
<topprod:/u1/topprod/topcust/czz/4gl/p_java> ll
total 12
-rwxrwxrwx   1 terry      mis           4344 Jun 28 16:18 javamd5.jar
-rwxrwxrwx   1 terry      mis            225 Jun 28 16:34 javamd5.sh

javamd5.sh 腳本如下：

<topprod:/u1/topprod/topcust/czz/4gl/p_java> cat javamd5.sh
#!/bin/ksh
if [ "$1" = "" ]; then
  echo " "
  exit 1
fi
JAR_PATH=$CZZ/4gl/p_java/javamd5.jar;export JAR_PATH
JAVAPICCLIENTMAIN=tw.spaceshuttle.mis.md5.JavaMD5;export JAVAPICCLIENTMAIN
java -cp $JAR_PATH $JAVAPICCLIENTMAIN $1

javamd5.jar提供下載地址： http://download.csdn.net/detail/yihuiworld/4399585

執行結果：

關於愛情,這三字只為了你:

以供參考,請保留本人原作信息！

http://blog.csdn.net/yihuiworld