Shulou(Shulou.com)06/01 Report--

When logging into the background of the website, there is a relatively old "universal password" loophole, that is, using a user name we have carefully constructed, you can log in to the background even if you don't have to enter a password, and its principle still belongs to the category of SQL injection.

Suppose the table storing user information in the database is admin, where the user name field is username, the password field is password, and the variables used to receive the user name and password entered by the user on the user verification page are username and password, respectively. When the user enters the user name and password on the user verification page, they will be submitted to the following statement for processing:

Select * from admin where `username` ='$userrname' and `password` ='$password'

In this way, when the user enters the user name'or'=', the corresponding statement becomes

Select * from admin where `username` =''or''=''and `password` =''

In this statement, the condition specified after where is permanent, so authentication can be bypassed, which becomes the so-called universal password.

The single quotation marks at the beginning and end of a universal password are mainly used to close the single quotation marks that refer to variables in the query statement. So once we have mastered this feature, we can construct universal passwords at will, such as the following forms:

'or'a'='a 'or'a'='a

'or'a'='a'or'

'or 1, 1 or'

Next we will build an experimental environment to verify the universal password, here we use the software NPMserv to build an experimental platform, using this software can quickly build a nginx+php+mysql Web platform. Two php websites with vulnerabilities are built into the software, which can be enabled by renaming the folder where the corresponding website is located to www. Software download address: http://down.51cto.com/data/1886128.

After the environment is set up, visit the website:

Click "Administration Center" to log in to the background. In the "user name", construct a universal password to log in, and the "password" can be entered without typing or at will:

You can log in successfully:

Let's set the policy in WAF to filter the universal password.

First, create a new policy called P-deny in policy management.

Then set the policy in basic Protection, set the status to "on" and the action to "block".

Custom rules are still created in "basic protection". Most of the functions of Digital China WAF are implemented through custom rules, so this is the top priority of WAF settings.

Here you create a rule called "nopass", which defines regular expressions and filters the statements injected by SQL.

Set parameters in the detection field, regular matching in the matching mode, and regular expressions in the numerical values.

Here, according to the characteristics of the universal password, I set the following regular expression:

. *. * or.*'

. Can match any character

* indicates that the expression does not appear or appears any number of times, so. * can match any number of characters.

After the policy setting is complete, apply the P-deny policy to the previously created web policy in the service management.

In this way, when the client logs into the background with the universal password again, an error will be reported.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.