
How to solve the problem that the channel data of aggregate payment settlement platform has been tampered with by hackers?

2025-01-16 Update From: SLTechnology News&Howtos > Network Security


Shulou(Shulou.com)06/01 Report--

With the 2020 Spring Festival approaching, we at Sinesafe received a call for help from a customer running a newly launched aggregate payment platform. The status of payment orders had been changed from unpaid to paid, so merchants shipped goods against those orders, and both the merchants and the platform suffered heavy losses; many code merchants no longer dared to use the platform. To stop the attacks on the aggregate payment system, SINE Security, after learning the general situation, immediately assigned security engineers with ten years of industry experience to form an emergency response team for the aggregate and channel payment platform.

Analyze and understand the payment process

Our Sinesafe analysis of the third-party payment flow is as follows: the platform first connects to an upstream payment channel; the upstream channel returns the payment status to the platform; the platform then returns that status to the merchant (the code merchant). A code merchant first registers as a merchant user of the platform, then obtains the interface docking program from the merchant back end and integrates it with the merchant's own website for debugging. When a merchant's member pays for an order and the payment succeeds, the merchant obtains the payment status from the platform, and the platform in turn obtains that status from the upstream channel. At present most of the interfaces are PDD channels and personal QR codes docked to enterprise channels, commonly known as aggregate payment.

Symptoms and causes of the payment vulnerability

1. The order placed by a code merchant's member had not actually been paid, but the payment status on the platform was modified by the hacker, so the callback to the merchant reported it as paid and the order showed a successful status. The merchant then had to deliver goods to the member (that is, "upper distribution" to the member), and the resulting malicious withdrawals caused serious losses.

2. The payee information of merchants applying for withdrawal was tampered with, so merchant funds were fraudulently claimed. Code merchants pay great attention to this because almost all of them settle daily; the platform's daily volume is considerable, almost all of it collected under groups, and they are very sensitive about funds.

3. Some orders were deleted, so the amount settled by the merchant did not match the amount settled in the upstream channel, reducing profit. The hacker deleted orders so that the merchant's successful amount increased while the amount in the upstream channel did not.

Checking and analyzing the website vulnerability and security logs

Having understood the problems above, the specific symptoms and the whole payment process, we arranged for the Sine security engineering team to respond quickly, find the key vulnerability and minimize the customer's losses. We then logged in to the payment platform's web server to audit and analyze the program code and found that the program uses the ThinkPHP (TP) framework, with the back end and front end managed together. We compared the program's functions to see whether any function in the payment process was called with excessive permissions, and found that the back-end login had been tampered with: a built-in function allows logging in arbitrarily without any password, as shown in the figure:

The back end can be logged in to directly and arbitrarily through the GET function admin_login_test123. This turned out to be only one of the entry points. After logging in to the back end, the order status can be set, but that is not how the hacker did it: if the status is changed manually from the back end, the database table records a timestamp when the status becomes paid, whereas the tampered orders had no such timestamp, which shows the status was not modified through the back end but by executing SQL statements directly or modifying the database directly. Having established the cause, we analyzed the other program files for script backdoors and did find PHP webshell backdoors, several of which can operate the MySQL database directly, as follows:

We found many backdoor files and hidden Trojan backdoors. Through our SINE engineers' penetration testing we found that the merchant image upload function had a vulnerability allowing arbitrary upload of PHP backdoor files, which led to the intrusion, and that the order query function had a SQL injection vulnerability through which UPDATE statements could be used to modify the database. We immediately repaired the vulnerabilities on the three websites and cleaned up the Trojan backdoors and hidden backdoors, then let the platform run for 3 days to see whether anything was tampered with again. So far there has been no further tampering with order status.
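As an added illustration (not code from the incident or from Sinesafe), the following reconciliation check encodes the two forensic clues described above: a paid order that lacks the paid timestamp the normal payment path writes, and platform records that do not agree with what the upstream channel actually collected. The order records and upstream totals are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Order:
    order_id: str
    merchant_id: str
    amount: int              # in fen (cents) to avoid float drift
    status: str              # "unpaid" or "paid"
    paid_at: Optional[str]   # timestamp written by the normal payment path

# Constructed sample platform records, not data from the incident.
PLATFORM_ORDERS = [
    Order("A1001", "m01", 5000, "paid", "2020-01-10 10:00:01"),
    Order("A1002", "m01", 8000, "paid", None),                   # paid, no timestamp
    Order("A1003", "m02", 2000, "unpaid", None),
    Order("A1004", "m02", 3000, "paid", "2020-01-10 11:02:13"),  # unknown upstream
]

# Constructed: what the upstream channel reports it collected, by order id.
UPSTREAM_PAID = {
    "A1001": 5000,
    "A1005": 6000,   # collected upstream, but no such order on the platform
}

def find_anomalies(orders, upstream):
    """Flag orders whose platform state cannot be explained by the normal flow."""
    findings = []
    by_id = {o.order_id: o for o in orders}
    for o in orders:
        if o.status != "paid":
            continue
        if o.paid_at is None:                      # status flipped outside the app
            findings.append(("paid_without_timestamp", o.order_id))
        if o.order_id not in upstream:             # channel never collected it
            findings.append(("paid_not_in_upstream", o.order_id))
        elif upstream[o.order_id] != o.amount:
            findings.append(("amount_mismatch", o.order_id))
    for oid in upstream:
        if oid not in by_id:                       # deleted on the platform
            findings.append(("upstream_order_missing_on_platform", oid))
    return sorted(findings)

def settlement_gap(orders, upstream):
    """Platform 'paid' total minus upstream collected total; non-zero means mismatch."""
    platform_total = sum(o.amount for o in orders if o.status == "paid")
    return platform_total - sum(upstream.values())
```

Running this daily against the upstream channel's settlement export would have surfaced each tampered order on the day it was changed.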

Suggestions for website security protection of third-party payment platforms

Penetration testing must be carried out before a new platform goes live; SQL injection must be strictly filtered and escaped; the file formats allowed for upload must be whitelisted; and the website payment callback must be strictly compared with the collected status, for example by matching the sign in both directions and verifying signature validity to see whether any value has been tampered with, returning an error directly if it has. If you are not familiar with program code security problems, it is recommended to find a professional website security company to deal with them; relatively good domestic providers such as Sinesafe, Eagle Shield Security, Green Alliance, Qiming Star and so on are relatively large website security service providers.
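As an added example, not the platform's own code, this is the callback handling the recommendation describes, written in Python for clarity although a ThinkPHP controller would apply the same checks. The shared secret, parameter names and stored order record are assumptions; the sign is an HMAC over the sorted parameters, and the order is only marked paid when the signature, order id, status and amount all agree.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class StoredOrder:
    order_id: str
    amount: int               # fen
    status: str               # "unpaid" / "paid"
    paid_at: Optional[str] = None

# Hypothetical shared secret issued by the upstream channel for this platform.
CHANNEL_SECRET = b"example-channel-secret"

def compute_sign(params: dict, secret: bytes) -> str:
    """HMAC-SHA256 over sorted key=value pairs, excluding the 'sign' field itself."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sign")
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()

def handle_callback(params: dict, order: Optional[StoredOrder], now: str):
    """Return (accepted, reason). Only a callback passing every check flips the order to paid."""
    expected = compute_sign(params, CHANNEL_SECRET)
    if not hmac.compare_digest(params.get("sign", ""), expected):
        return False, "bad_signature"          # any tampered field breaks the sign
    if order is None or params.get("order_id") != order.order_id:
        return False, "unknown_order"
    if params.get("status") != "SUCCESS":
        return False, "not_success"
    try:
        amount = int(params.get("amount", ""))
    except ValueError:
        return False, "bad_amount"
    if amount != order.amount:                 # signed, but not for this order's amount
        return False, "amount_mismatch"
    if order.status == "paid":
        return True, "already_paid"            # idempotent replay: never ship twice
    order.status = "paid"
    order.paid_at = now                        # the timestamp the forensics relied on
    return True, "paid"
```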
