
Website file upload vulnerability scanning and detection, and how to deal with webshells

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Many newcomers are not clear about how website upload vulnerabilities are scanned for and detected, or how a webshell is dealt with. To help with that, this article explains the process in detail; anyone who needs it can follow along.

Some time ago, we at SINE Security were commissioned by a customer to perform a penetration test. The customer's website had previously been attacked and its data tampered with, so they asked us to conduct a comprehensive penetration test of the site, covering vulnerability detection and testing, logic vulnerabilities, vertical and horizontal privilege escalation (unauthorized access) vulnerabilities, and file upload vulnerabilities. Before starting the security testing, we got a general understanding of the customer's website. The entire platform, including the app for Android and iOS, is developed on a JSP + Oracle database architecture. The front end uses Vue, and the server runs Linux (CentOS). Below we record how the file upload vulnerability was detected and how the webshell was analyzed during the penetration test, in the hope that more people will understand what penetration testing is.

Let's go straight to the root cause of the vulnerability and look at the code in the uplpod.php file. We can see that a lang variable is passed to language.php, and that a condition on the specified file must be met before the parameter value can be passed.

[Screenshot: the code in uplpod.php]

Looking carefully, we can see that the code calls save_file, which allows the Langup value to be forged. Tracing the value back to its source shows that it belongs to the file upload function offered to users of the web front end. There is no security validation and no whitelist filtering here, so a file can be renamed and a .jsp script file uploaded directly to the root directory of the website. The app has the same vulnerability.

Let's use SINE Security's penetration testing techniques to reproduce how the file upload vulnerability is exploited. First, log in as a member and open the profile page. It has a file upload function that only allows image formats: only files with JPG, PNG, GIF and similar suffixes are accepted, as ordinary image files. We capture the POST upload request, change the path value of cont1 to /beifen/1.jsp and submit it; the response reports a successful upload. Copying the path and opening it in a browser shows that the JSP script file we uploaded was executed, which proves once again that the vulnerability is enough to let the website's data be tampered with.

Before our test, then, a webshell (website Trojan) file must already have been uploaded to the customer's website. We therefore carried out a comprehensive manual security review of the website's source code, checking for the characteristic markers of one-line Trojans such as eval and encryption, as well as the times at which files were uploaded. We found a file named indax.jsp in the JS directory of the website. Opened in a browser, it is a JSP script Trojan that can tamper with the website, download code, create new files and perform other webmaster-level operations. The same vulnerability exists on the app side, because it calls the same file upload interface.

[Screenshot: the webshell]
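The manual review described above (script files where only static assets belong, eval-style markers, upload times) can be partly automated; the following sweep is an added example, not SINE Security's tooling. The directory names, the extension list and every marker other than eval are assumptions, and the web root is constructed inline.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Assumptions for a JSP site: extensions the container would execute, directory
# names that should hold only static assets or uploads, and coarse content
# markers (expect false positives; a hit means "review this file").
SCRIPT_EXTS = {".jsp", ".jspx"}
STATIC_DIRS = {"js", "css", "images", "upload", "uploads"}
MARKERS = re.compile(rb"eval\s*\(|Runtime\.getRuntime\(\)|ProcessBuilder|defineClass", re.I)

def sweep(webroot, since_epoch=0.0):
    """Return (mtime, relative path, reasons) for suspicious scripts, oldest first."""
    root = Path(webroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        rel = path.relative_to(root)
        reasons = []
        if STATIC_DIRS & {part.lower() for part in rel.parts[:-1]}:
            reasons.append("script-in-static-dir")
        if MARKERS.search(path.read_bytes()):
            reasons.append("content-marker")
        mtime = path.stat().st_mtime
        if since_epoch and mtime >= since_epoch:
            reasons.append("modified-in-window")
        if reasons:
            findings.append((mtime, rel.as_posix(), reasons))
    return sorted(findings)

def demo():
    """Sweep a constructed web root; the incident window is the last hour."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "app.js").write_text("console.log('ok');")
        (root / "index.jsp").write_text("<%= request.getContextPath() %>")
        os.utime(root / "index.jsp", (1_000_000_000, 1_000_000_000))  # old, legitimate page
        # Inert stand-in for a dropped script: only a comment containing a marker string.
        (root / "js" / "indax.jsp").write_text("<%-- Runtime.getRuntime() --%>")
        return [(rel, reasons) for _, rel, reasons in sweep(root, time.time() - 3600)]

if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, reasons)
```

Sorting by modification time gives a rough timeline to compare against the web server's upload request logs.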

This is only one aspect of penetration testing: checking whether the file upload function has vulnerabilities, whether files can be renamed, and whether the upload path and file format checks can be bypassed with custom values. As for how to fix the file upload vulnerability found in the penetration test, we at SINE Security offer the following repair suggestions. First, restrict the upload file format and only allow a whitelist of jpg, png, gif and similar formats. Second, override the custom path address with a variable, so that changing the path address is not allowed. Third, apply script security restrictions to the upload directory and remove JSP script execution permission from it.
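The first two recommendations, shown as an added example that is not the customer's code or SINE Security's fix: a handler that enforces the extension whitelist, checks the file's leading bytes, and never lets the request's path field (cont1 in the test above) reach the filesystem. It is written in Python to show the logic although the site itself is JSP; `store_upload`, `client_path` and `UploadRejected` are hypothetical names, and the sample bytes are constructed.

```python
import os
import secrets
import tempfile

# Allowed extension -> accepted leading bytes (whitelist from the article: jpg, png, gif).
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

class UploadRejected(Exception):
    """Raised when an upload fails validation."""

def store_upload(upload_dir, client_filename, data, client_path=None):
    """Validate an upload and store it under a server-chosen name.

    client_path stands for the request's path field (cont1 in the article);
    it is accepted only to show that it is deliberately never used.
    """
    ext = os.path.splitext(client_filename)[1].lower()
    magics = ALLOWED.get(ext)
    if magics is None:
        raise UploadRejected("extension not in whitelist: %r" % ext)
    if not data.startswith(magics):
        raise UploadRejected("content does not match declared type")
    # The server picks directory and name; nothing from the client reaches the path.
    name = secrets.token_hex(16) + ext
    dest = os.path.join(upload_dir, name)
    # O_EXCL: never overwrite an existing file; 0o640: no execute bit.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest

def demo():
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample bytes
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["ok"] = os.path.dirname(store_upload(d, "a.PNG", png, "/beifen/1.jsp")) == d
        for label, fname, body in [("jsp", "1.jsp", b"<% %>"), ("fake", "x.gif", b"<% %>")]:
            try:
                store_upload(d, fname, body)
                results[label] = "stored"
            except UploadRejected:
                results[label] = "rejected"
        results["files"] = sorted(os.path.splitext(f)[1] for f in os.listdir(d))
    return results
```

The third recommendation is container or web server configuration and is still needed, because a file that begins with valid image bytes can carry script text after them.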
