SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report, updated 2025-01-28
This article shows how to use the Fortify tool in a code audit, walking through the manual audit of a small CMS. The content is straightforward and clearly laid out; let the editor lead you through it.
1. Download and install the CMS
Find the official website yourself and download it from there. The focus is on the thought process; any system will do.
2. Briefly analyze the installation process for vulnerabilities
The installer is not analyzed here, since many programs delete the installation package once setup completes; if that step does not interest you, skip it.
3. After installation, visit the home page and analyze the routing
I. index.php
Defines the NoDb constant; mark it, its purpose is not yet clear at this point.
Loads the global configuration file config.php.
Defines the routing method.
II. config.php
Defines a few constants.
Includes func.php (the system's basic functions and the classes that operate on data).
Decides, based on the value of the NoDb constant, whether to initialize the database (this answers the question marked above).
The last function, _stripslashes, decides whether to remove escaping, as shown below:
It checks whether automatic escaping is turned on; if it is, it strips the backslashes globally and restores the original data.
III. The last line of index.php, match_route()
Reads the database and caches it.
Caches the record.
Initializes the template.
Loads the template.
Parses the template.
Completes the home page display. With the process analyzed, we now have a general understanding of the CMS.
4. A quick manual audit with the help of Fortify
XSS
Fortify flags an XSS here. A quick look shows no filtering mechanism, so the next step is to trace the data source precisely.
This location is an input box: the data is entered manually by the user and its destination is the database, so the key question is whether the database storage process performs any security filtering.
Here the value passes through a function called dbstr, which does database string processing, so look at its definition.
From the analysis, single quotation marks are filtered and escaped with backslashes, but angle brackets are not filtered at all, so a payload such as alert(1) can be constructed at will; the effect is shown below:
Source code:
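The finding above, as an added example that is not the CMS's own code: dbstr() is reconstructed from the behaviour the audit describes (quotes and backslashes escaped for SQL, angle brackets untouched), beside the output-encoding fix a reviewer would ask for. The function and class names and the sample input are assumptions.

```php
<?php
// Added example, not the audited CMS's code. dbstr() models the audited
// function: SQL-oriented escaping only, which does nothing for HTML output.
declare(strict_types=1);

function dbstr(string $value): string
{
    // Assumed behaviour from the audit: escape backslash and single quote only.
    return str_replace(['\\', "'"], ['\\\\', "\\'"], $value);
}

// Vulnerable rendering: the stored value is echoed into HTML as-is.
function render_comment_vulnerable(string $stored): string
{
    return '<p class="comment">' . $stored . '</p>';
}

// Hardened rendering: encode for the HTML context at output time, which is
// the control that SQL escaping never provides.
function render_comment_safe(string $stored): string
{
    return '<p class="comment">'
        . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Constructed input; the database stores the unescaped value after the
// escaped INSERT, which stripslashes() models here.
$input  = '<script>alert(1)</script>';
$stored = stripslashes(dbstr($input));

echo render_comment_vulnerable($stored), PHP_EOL; // tag reaches the browser intact
echo render_comment_safe($stored), PHP_EOL;       // &lt;script&gt;... inert text
```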
File Inclusion
Fortify reports a file inclusion. Looking at the code logic, two parameters are involved, do and nohtml; the value of do is split into two parts, the first being the path and the second the file name. A validation function follows; its code is:
The validation uses a regular expression: only numbers and letters are allowed, and the length is also limited, suffix included. So is there an inclusion? Clearly something can be included, but the range of what can be included is small. Why? Think it through yourself. If this limit could be broken through, the finding would be far more serious.
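A way to model the validated include just described, as an added example rather than the CMS's code: the character-class regex is kept, and an explicit directory allow-list plus a realpath() containment check are layered on top so that a later relaxation of the regex cannot reintroduce traversal. The separator, length limit, base directory and .php suffix are assumptions.

```php
<?php
// Added example, not the audited CMS's code. Models do=path,file with the
// regex limit the audit describes, plus the extra checks a reviewer wants.
declare(strict_types=1);

const TEMPLATE_ROOT = __DIR__ . '/templates';   // assumed base directory
const MAX_PART_LEN  = 20;                        // assumed length limit

// Validation as the audited code does it: letters/digits and a length cap.
function validate_part(string $part): bool
{
    return preg_match('/^[A-Za-z0-9]{1,' . MAX_PART_LEN . '}$/', $part) === 1;
}

// Resolve do=path,file to an absolute path, or null if anything is off.
function resolve_include(string $do, array $allowedDirs): ?string
{
    $parts = explode(',', $do, 2);            // assumed separator
    if (count($parts) !== 2) {
        return null;
    }
    [$dir, $file] = $parts;
    if (!validate_part($dir) || !validate_part($file)) {
        return null;
    }
    // Allow-list of directories: regex alone still lets any name through.
    if (!in_array($dir, $allowedDirs, true)) {
        return null;
    }
    $candidate = TEMPLATE_ROOT . '/' . $dir . '/' . $file . '.php';
    $real = realpath($candidate);
    $root = realpath(TEMPLATE_ROOT);
    if ($real === false || $root === false) {
        return null;
    }
    // Containment: the resolved path must stay under the template root.
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Usage: include only what resolve_include() accepted.
$target = resolve_include($_GET['do'] ?? '', ['member', 'news']);
if ($target !== null) {
    include $target;
}
```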
Built-in back-end file management system
By CNVD's criteria, as long as the back end of the system can be taken, the issue is rated high risk, because getting a shell from there is so simple.
5. Difficulty analysis
There are no interactive modules in the front end; everything starts from the back end. So, from the analysis above, as long as the back-end account password can be broken, a shell follows readily. Now analyze the login process.
There is no captcha check, so can weak passwords be brute-forced?
At this point the code shows that login is limited to 20 login requests within 15 minutes, so let's analyze the rules for generating the cache files:
In other words, the limit is keyed by IP. If the IP can be changed, can the 20-logins-in-15-minutes limit still be met? Of course, you would need a considerable IP proxy pool to carry all of your requests. Continue reading:
The SQL statement that verifies against the database here has no SQL injection. There is also a third-party login; look at its process:
The code field is empty in the database by default, meaning that if the GET value of code is empty, the query still matches data in MySQL and login succeeds: an empty string in single quotation marks compares equal to the empty default value.
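Two fixes for the login findings above, as an added example that is not the CMS's code: an attempt counter keyed by account as well as source IP, so rotating IPs does not reset it, and a third-party lookup that never sends an empty code to the query. The cache layout, table and column names are assumptions.

```php
<?php
// Added example, not the audited CMS's code. Hardens the two login findings:
// IP-only rate limiting and the empty-code match in third-party login.
declare(strict_types=1);

const LOGIN_WINDOW_SECONDS = 15 * 60;   // window from the audit
const LOGIN_MAX_ATTEMPTS   = 20;        // limit from the audit

// Records one attempt under both keys and reports whether it is allowed.
// Keying on the account means a pool of source IPs does not reset the count.
function login_attempt_allowed(string $cacheDir, string $account, string $ip): bool
{
    $now = time();
    $allowed = true;
    foreach (['acct_' . hash('sha256', $account), 'ip_' . hash('sha256', $ip)] as $key) {
        $file = $cacheDir . '/' . $key . '.json';   // assumed cache layout
        $attempts = is_file($file)
            ? (json_decode((string) file_get_contents($file), true) ?: [])
            : [];
        // Drop attempts older than the window, then add this one.
        $attempts = array_values(array_filter(
            $attempts,
            fn ($t) => $t > $now - LOGIN_WINDOW_SECONDS
        ));
        $attempts[] = $now;
        file_put_contents($file, json_encode($attempts), LOCK_EX);
        if (count($attempts) > LOGIN_MAX_ATTEMPTS) {
            $allowed = false;
        }
    }
    return $allowed;
}

// Third-party login: an empty or missing code must never reach the query,
// because rows whose code column is still at its empty default would match.
function find_user_by_oauth_code(PDO $pdo, ?string $code): ?array
{
    if ($code === null || $code === '') {
        return null;
    }
    // Assumed table and columns; the predicate also excludes empty codes
    // server-side as a second line of defence.
    $stmt = $pdo->prepare(
        "SELECT id, username FROM users WHERE oauth_code = :code AND oauth_code <> '' LIMIT 1"
    );
    $stmt->execute([':code' => $code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```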
That is the whole of "how to use the Fortify tool for code audit". Thank you for reading! I hope the content shared here has been helpful; if you want to learn more, follow the industry information channel.