
Introduction to APP Penetration testing and vulnerability scanning

2025-03-31 Update. From: SLTechnology News&Howtos (shulou), Network Security


Shulou(Shulou.com)06/01 Report--

The weather is getting cooler. When we do penetration testing and vulnerability testing on a customer's website code, our SINE Security penetration team carries out a full security test and audit of the customer's website source code. Only by really understanding the website can we penetration-test it properly, find its vulnerabilities, and make the customer's website as secure as possible before it goes live, so that the website and platform can grow quickly afterwards without the economic loss a major vulnerability would cause.

First, I would like to share the process of a penetration test our SINE Security team performed on a customer's financial platform some time ago. We found a problem while auditing the code. The first thing we noted was that the customer's website used PHP with a MySQL database, and the front end used the Vue JS framework. Before penetration testing, we check whether the website's source code is encrypted or obfuscated, then check which PHP file each called URL address corresponds to, or whether it is a standalone PHP function page, and whether the code of the entry file and the index.php home page is consistent. Next we need to learn the directory structure of the entire financial platform website and which function directories it contains. In this case the customer's website had member registration, avatar upload, adding a bank card, recharge, withdrawal, investment records, comments and feedback, editing personal data, and other functions.

During the security audit of the website code, SINE Security looks at sensitive functions and tracks and debugs the values passed through them, to see whether the code contains malicious code and whether it can lead to website vulnerabilities, including logic vulnerabilities and vertical and horizontal privilege escalation (access control) vulnerabilities.

After a general code audit, we found SQL injection vulnerabilities in some PHP files where quotation marks were not closed, so malicious parameter values could be passed in from the front end and on into the database for execution. In particular, newxinxi.php?id=18 in the news bulletin column fetched the news content directly from the database when opened, but the value of id did not restrict Chinese characters or special characters, so the input was executed directly against the back-end database. Our SINE Security technicians immediately fixed the vulnerability on the customer's website, limiting the value of id to numbers and rejecting special characters such as Chinese characters. In the recharge and withdrawal functions, we found that the website code did not check the sign of the number, so a negative value could be entered for a recharge or a withdrawal. In the actual penetration test, entering a negative number in the withdrawal increased the balance of the personal account, and the back office did not review withdrawals; it simply performed the withdrawal directly.
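The two fixes described above, as an added example that is not the audited site's code: the id parameter is accepted only as a positive integer and bound as a query parameter, and the withdrawal amount is parsed as whole cents, required to be strictly positive, and debited only when the balance covers it. The table names, the in-memory SQLite database and the sample rows are constructed here so the script runs offline; a MySQL PDO connection would be used the same way.

```php
<?php
// Added example (not the audited site's code): hardened handling of the two
// findings above. Assumes a PDO connection; here an in-memory SQLite database
// with constructed sample rows so the script runs offline.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO news (id, title) VALUES (18, 'Constructed sample notice')");
$pdo->exec('CREATE TABLE accounts (uid INTEGER PRIMARY KEY, balance INTEGER)');
$pdo->exec('INSERT INTO accounts (uid, balance) VALUES (1, 10000)'); // balance in cents

// Finding 1: newxinxi.php?id=18 passed the raw id into the query.
// Fix: accept only a positive integer, and bind it as a parameter so the
// database never interprets the value as SQL text.
function fetchNews(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // Chinese text, quotes, spaces etc. are rejected here
    }
    $stmt = $pdo->prepare('SELECT id, title FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Finding 2: recharge/withdrawal did not check the sign of the amount.
// Fix: accept only an unsigned decimal with at most two places, convert to
// whole cents, require > 0, and make the debit conditional on the balance in
// the same statement so a concurrent request cannot overdraw the account.
function withdraw(PDO $pdo, int $uid, string $rawAmount): bool
{
    if (!preg_match('/^\d{1,9}(\.\d{1,2})?$/', $rawAmount)) {
        return false; // rejects a leading minus sign, exponents, letters, empty input
    }
    $cents = (int) round((float) $rawAmount * 100);
    if ($cents <= 0) {
        return false; // "0" and "0.00" are not valid withdrawals
    }
    $stmt = $pdo->prepare(
        'UPDATE accounts SET balance = balance - :amt WHERE uid = :uid AND balance >= :amt2'
    );
    $stmt->bindValue(':amt', $cents, PDO::PARAM_INT);
    $stmt->bindValue(':amt2', $cents, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1; // no row updated means insufficient balance
}

var_dump(fetchNews($pdo, '18'));          // a normal id
var_dump(fetchNews($pdo, "18' OR 1=1"));  // quote and SQL keywords in the id
var_dump(withdraw($pdo, 1, '-50.00'));    // negative amount
var_dump(withdraw($pdo, 1, '25.50'));     // normal withdrawal
var_dump(withdraw($pdo, 1, '1000.00'));   // more than the balance
```

Binding the id as an integer parameter removes the injection regardless of how the query text is quoted, and validating the amount on the server side matters because the front end (here Vue) can be bypassed entirely by sending the request directly.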

The website also had a remote code execution vulnerability through file writing. It could allow a webshell to be uploaded to the website, after which the website and server permissions could be taken over and user data tampered with or leaked. Let's take a look at this code, shown below:

Let's look at how this variable is written and assigned: $page, and $dir = dirname(__FILE__).'/../backup/', where backup is the custom backup directory and dirname() is applied to the current file name to build the path. When the helper class is used, the IF statement in the code is called to determine whether the condition is met. If it is, malicious code can be inserted remotely, or malicious code can be constructed and executed, and malicious files such as a webshell can be written to the website directory. The above are some of the vulnerabilities found by SINE Security in the penetration testing service for this customer's website, together with how we do code security audits and the vulnerability testing process. If your website is attacked and its data tampered with during operation, you can find a professional website security company for penetration testing; the domestic firms SINESAFE, Green Alliance and Qiming Star are all quite good. Security is a precaution: find the vulnerabilities, fix them, and bring the website to the highest level of security protection before launch. When the website is secure, users can feel at ease, and we also hope more people come to understand penetration testing services.
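One way to close the file-writing path described above, as an added example that is not the audited site's code: a user-supplied $page value is mapped to a file under the backup directory only if it matches a strict allowlist pattern and the resolved path still lies inside the real backup directory, and new backup files are always named by the server with a fixed, non-executable extension. The helper function names are this example's own, and the backup directory is a temporary folder with one constructed file so the script runs stand-alone instead of using dirname(__FILE__).'/../backup/'.

```php
<?php
// Added example (not the audited site's code): safe resolution of a request
// parameter ($page) to a file inside the backup directory, and a writer that
// never lets request data choose the file name or extension.
declare(strict_types=1);

// Constructed stand-in for dirname(__FILE__) . '/../backup/' so this runs anywhere.
$backupDir = sys_get_temp_dir() . '/backup_' . bin2hex(random_bytes(4));
mkdir($backupDir, 0700, true);
file_put_contents($backupDir . '/news_2024.txt', "constructed backup content\n");

/**
 * Map $page to a file inside $backupDir, or return null.
 * Two independent checks: the name must match a strict allowlist (letters,
 * digits, underscore only: no slashes, dots or NUL bytes), and the resolved
 * real path must still start with the real backup directory, which catches
 * symlinks and any ".." that survived the first check.
 */
function resolveBackupFile(string $backupDir, string $page): ?string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $page)) {
        return null; // traversal sequences, other extensions and encoded bytes stop here
    }
    $realBase = realpath($backupDir);
    $candidate = realpath($backupDir . '/' . $page . '.txt');
    if ($realBase === false || $candidate === false) {
        return null; // directory or file does not exist
    }
    if (strpos($candidate, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the backup directory
    }
    return $candidate;
}

/**
 * Write a backup with a server-generated name and a fixed .txt extension:
 * request data decides the contents, never the path or the file type.
 * Returns the path that was written.
 */
function writeBackup(string $backupDir, string $content): string
{
    $name = date('Ymd_His') . '_' . bin2hex(random_bytes(4));
    $path = $backupDir . '/' . $name . '.txt';
    file_put_contents($path, $content, LOCK_EX);
    return $path;
}

var_dump(resolveBackupFile($backupDir, 'news_2024'));  // legitimate page name
var_dump(resolveBackupFile($backupDir, '../index'));   // directory traversal attempt
var_dump(resolveBackupFile($backupDir, 'page.php'));   // attempt to pick an executable extension
var_dump(writeBackup($backupDir, "user-supplied data\n"));
```

The backup directory should also sit outside the web root (as the '/../backup/' path in the audited code suggests) and be served, if at all, without PHP execution, so that even a file that did slip through is returned as data rather than run.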
