Security testing Scheme of website Penetration Test

2025-04-01 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Many customers have a comprehensive penetration test and security assessment done before a website or app goes live, so that existing vulnerabilities are found in advance and do not turn into significant financial losses later. Some time ago a customer engaged our SINE security company for penetration testing services. Here we record the whole penetration testing process and every vulnerability the security test found, and share it in the hope that it helps more people understand penetration testing.

When we take on a customer's website, the first step is to understand and analyze its request packets and each of its functions; this helps us find vulnerabilities during the penetration test and fix them. We also collect information up front on the structure and scale of the customer's site, the database type, and the server operating system (Windows or Linux), so that we know both the target and ourselves. Only when we really understand the website can we uncover vulnerabilities layer by layer. This website is developed in PHP with a MySQL database; the customer's server runs Linux (CentOS), and the site was set up with the phpstudy one-click environment. The PHP version is 5.5 and the MySQL version is 5.6. The customer's site is a platform with member login, and its functions are mostly interactive: editing member data, adding bank cards, recharging and withdrawing funds, online feedback, and so on.

Let's start the penetration testing process. First, the customer authorizes us to carry out security testing of the website; only then do we proceed. We begin by checking whether the website has SQL injection vulnerabilities. While checking, our SINE security team watches the MySQL database log to see whether the SQL statements we submitted were actually executed. Many people ask how to turn on the database log and how to read it. Connect to the Linux server over SSH, log in with the root account, open the MySQL configuration file mysqld.cnf and set general_log_file=(path of the log file) and general_log=1; then run tail -f (path of the log file) on the server to watch the database statement log in real time. When our SINE security engineers test for SQL injection, we can see in real time whether any malicious SQL statement was executed successfully; if so, errors appear in the database log, which is very convenient during a penetration test and makes vulnerabilities easier to find.

We do not analyze the code in detail here. During the test we found a SQL injection vulnerability in the platform's backend management page. When an administrator logs in, guanlilogin.php sends a POST request to guanlicheck.php to verify the administrator's account and password. During verification, guanlicheck.php performs no security validation on the parameters passed to it, which results in a SQL injection vulnerability. The specific code is as follows

The getenv() calls in the code read HTTP header information from the front-end user's request. The header value is compared, and when the comparison returns 0 the value is assigned to the IP variable. There is no security validation or interception at any point, and the IP variable is taken directly into the MySQL query, which is how the SQL injection vulnerability arises. A SQL injection vulnerability found in a penetration test is high-risk and very harmful: it allows tampering with data, modifying the database, resetting the administrator's password, or obtaining all user account passwords and other information. With the leaked data, an attacker can use the database's privileges to change the administrator's password, log in to the backend, and then move on to privilege escalation, uploading a webshell, and taking control of the website code.
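To make the pattern concrete, here is an added PHP illustration written for this page; it is not the customer's guanlicheck.php, which the post does not reproduce. It shows a header-derived IP value spliced into a query next to the hardened version that validates the value and binds it as a parameter. The table name admin_login_log, the function names and the sample header value are assumptions, and the demo uses an in-memory SQLite database in place of the MySQL 5.6 instance.

```php
<?php
// Added illustration, not the customer's code. Assumed: a PDO handle and a
// hypothetical table admin_login_log(ip, created_at). PHP 5.5 compatible.
date_default_timezone_set('UTC');

// The usual "get the client IP" helper: it trusts proxy headers before REMOTE_ADDR.
// Every HTTP_* value comes straight from the request, so the result is client-controlled.
function client_ip_from_headers()
{
    foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR') as $key) {
        $value = getenv($key);
        if ($value !== false && $value !== '' && strcasecmp($value, 'unknown') !== 0) {
            return $value;
        }
    }
    return '0.0.0.0';
}

// VULNERABLE: the header-derived string is spliced into the SQL text unescaped,
// which is the defect the post describes.
function log_admin_login_vulnerable(PDO $pdo, $ip)
{
    $now = date('Y-m-d H:i:s');
    return $pdo->exec("INSERT INTO admin_login_log (ip, created_at) VALUES ('$ip', '$now')");
}

// HARDENED: accept only a syntactically valid IP address, then pass it as a bound
// parameter so the database never parses it as part of the SQL statement.
function log_admin_login_hardened(PDO $pdo, $ip)
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('client IP failed validation');
    }
    $stmt = $pdo->prepare('INSERT INTO admin_login_log (ip, created_at) VALUES (:ip, :now)');
    $stmt->execute(array(':ip' => $ip, ':now' => date('Y-m-d H:i:s')));
    return $stmt->rowCount();
}

// Only REMOTE_ADDR is set by the web server itself; use X-Forwarded-For only when a
// trusted reverse proxy in front of this server rewrites it.
function client_ip_trusted()
{
    $ip = getenv('REMOTE_ADDR');
    return ($ip !== false && filter_var($ip, FILTER_VALIDATE_IP) !== false) ? $ip : '0.0.0.0';
}

// Demonstration with constructed input (run with: php this_file.php).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin_login_log (ip TEXT, created_at TEXT)');

$header_value = "203.0.113.7'"; // constructed: a header value that contains a quote

try {
    log_admin_login_vulnerable($pdo, $header_value);
    echo "vulnerable: the header value was accepted as part of the SQL text\n";
} catch (PDOException $e) {
    echo "vulnerable: the quote changed the statement, database reported: " . $e->getMessage() . "\n";
}

try {
    log_admin_login_hardened($pdo, $header_value);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected before any query, " . $e->getMessage() . "\n";
}
echo "hardened: inserted " . log_admin_login_hardened($pdo, '203.0.113.7') . " row for a valid address\n";
```

On the customer's MySQL 5.6 setup, set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared on the server; the same prepare/execute shape applies with mysqli. The validation step rejects anything that is not an IP before a query is built, and the bound parameter means the database never sees the value as SQL text even if validation were loosened.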

Next we test each of the website's functions for logic flaws, unauthorized-access (privilege) vulnerabilities, and horizontal and vertical authorization bypasses. Our SINE security engineers test every function repeatedly, not just once or twice. Here we found a flaw in the user password reset function. The normal flow in the code is: first check whether the user's account exists, then check whether the submitted mobile phone number matches the number stored for that account in the database. A simple check is done there, but no check is done when the mobile phone verification code is requested, so the POST packet can be modified, the phone number can be changed to any number to receive the verification code, and that code can then be used to reset the password.

How to fix the SQL injection vulnerability found in the penetration test?

For values that come from the front end, perform a security check: confirm whether the variable already exists and, if it does, do not let the incoming value overwrite it, so that variable overriding cannot be used to construct a malicious SQL injection statement. Filter illegal characters from GET and POST input: semicolons, %20 and other special characters, single quotation marks, percent signs, the keyword "and", tab characters, and so on. If you are not familiar with the code, you can also turn to a professional website security company; in China, SINESAFE, Qiming Star and Green League are all fairly professional.

The fix for the logic flaw is to add proper validation to the password recovery page: check that the mobile phone number belongs to the account being reset, and if it does not, refuse to send the verification code. The root cause is a defect in the logic design of this function; once the logic is straightened out, the flaw is easy to fix. We hope the penetration testing process shared by our SINE security team helps more people understand penetration testing. Stay safe and take precautions.
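The reset flow described in the testing section and the fix described in the paragraph above, as an added PHP example written for this page (not the platform's own reset code). In-memory arrays stand in for the users table, the pending-code store and the SMS gateway; the account name, phone numbers and function names are all constructed.

```php
<?php
// Added example, not the platform's code. Models the password reset flow from the post.
$users = array(
    'alice' => array('phone' => '13800000001', 'password_hash' => password_hash('old-secret', PASSWORD_DEFAULT)),
);
$sms_outbox = array(); // phone number => last message "sent" (constructed stand-in for the SMS gateway)
$pending = array();    // account => array(phone, code, expires, attempts)

function fresh_code()
{
    // 6-digit code from the OpenSSL CSPRNG (available on PHP 5.5)
    return sprintf('%06d', hexdec(bin2hex(openssl_random_pseudo_bytes(4))) % 1000000);
}

// BROKEN, as in the post: the account is checked, but the number that receives
// the code is whatever the POST body says, and nothing ties the code to a phone.
function send_code_broken(array $users, array &$pending, array &$sms_outbox, $account, $posted_phone)
{
    if (!isset($users[$account])) {
        return false;
    }
    $code = fresh_code();
    $pending[$account] = array('code' => $code);
    $sms_outbox[$posted_phone] = "reset code $code";
    return true;
}

// FIXED: the code goes only to the number stored for the account, and the pending
// record binds account, phone, code and expiry together.
function send_code_fixed(array $users, array &$pending, array &$sms_outbox, $account, $posted_phone)
{
    if (!isset($users[$account])) {
        return false;
    }
    $stored_phone = $users[$account]['phone'];
    if (!hash_equals($stored_phone, (string) $posted_phone)) { // hash_equals needs PHP 5.6+
        return false; // the submitted number is not the account's number: send nothing
    }
    $code = fresh_code();
    $pending[$account] = array('phone' => $stored_phone, 'code' => $code, 'expires' => time() + 300, 'attempts' => 0);
    $sms_outbox[$stored_phone] = "reset code $code";
    return true;
}

// FIXED: the code is single-use, time-limited, attempt-limited and only valid with
// the phone number it was sent to.
function reset_password_fixed(array &$users, array &$pending, $account, $posted_phone, $posted_code, $new_password)
{
    if (!isset($users[$account]) || !isset($pending[$account])) {
        return false;
    }
    $p = &$pending[$account];
    if (time() > $p['expires'] || $p['attempts'] >= 5) {
        unset($pending[$account]);
        return false;
    }
    $p['attempts']++;
    if (!hash_equals($p['phone'], (string) $posted_phone) || !hash_equals($p['code'], (string) $posted_code)) {
        return false;
    }
    unset($pending[$account]); // single use
    $users[$account]['password_hash'] = password_hash($new_password, PASSWORD_DEFAULT);
    return true;
}

// Demonstration with constructed requests: the POST body carries a number that is
// not the account holder's, exactly the modification the post describes.
send_code_broken($users, $pending, $sms_outbox, 'alice', '13900009999');
echo "broken flow delivered the code to: " . implode(', ', array_keys($sms_outbox)) . "\n";

$sms_outbox = array();
$pending = array();
if (!send_code_fixed($users, $pending, $sms_outbox, 'alice', '13900009999')) {
    echo "fixed flow: refused to send a code to a number that is not the account's\n";
}
send_code_fixed($users, $pending, $sms_outbox, 'alice', '13800000001');
echo "fixed flow delivered the code to: " . implode(', ', array_keys($sms_outbox)) . "\n";

$code = $pending['alice']['code']; // the demo reads the code the SMS stand-in would carry
if (!reset_password_fixed($users, $pending, 'alice', '13900009999', $code, 'new-secret')) {
    echo "fixed flow: a valid code presented with a different phone number is rejected\n";
}
if (reset_password_fixed($users, $pending, 'alice', '13800000001', $code, 'new-secret')
    && password_verify('new-secret', $users['alice']['password_hash'])) {
    echo "fixed flow: reset succeeds only with the account's own number and its code\n";
}
```

The decisive change is that the phone number used for delivery is looked up from the account rather than taken from the request, and the later verification step compares against the number the code was actually sent to. Expiry, a single use and an attempt limit close the remaining guessing window for a six-digit code.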
