Talking about a Beautiful encounter with sql injection & webshell

2025-01-19 Update. From: SLTechnology News&Howtos (shulou), Database section.

Shulou (Shulou.com) 06/01 Report

Introduction

Wave after wave. The business of financial companies is always eye-catching, and ours even more so: it sits right on a hot spot (blockchain finance) and handles a large volume of cash transactions every day. There is no knowing how many people are watching your system from the dark, probing for a way in so they can profit illegally, and it is impossible to guard against all of them.

As the saying goes, "as virtue rises one foot, vice rises ten." The same applies to systems and code: however good the defences, there will always be loopholes. No system or code is absolutely secure, and what is coming will always come.

SQL injection meets "her"

One day the weather was sunny and I was in a good mood, and then "she" arrived and broke the author's good time. At a little past 2:00 in the afternoon, a friend and I were attending a Kubernetes technology salon held by a cloud vendor at Geek Coffee on the second floor of Angel Hui on Suzhou Street. While we were listening with interest, a PHP developer in my company group suddenly posted a picture:

The group was immediately in an uproar. Yes, it was a SQL injection: fields had been injected into the database tables, and on inspection most of the tables in the library turned out to contain this injected field. I had not brought my computer with me and was really in a hurry. I immediately explained the seriousness of the problem to the director. Since my computer was not at hand, all I could do was grant a database account (read and write permissions) to the PHP developer so that he could go through all the tables, delete the injected fields, and check whether the data and other tables had been modified. Fortunately, thanks to the emergency handling, no data or business was lost or damaged.

To be clear: our business runs on Aliyun, the project is written in PHP, and a WAF firewall had been enabled, but its protection rules were relatively loose. The author also lacks experience in security, but fortunately Aliyun's WAF was on, which made it easy and fast for the author to investigate and protect.

By this time I was on my way home and quickly turned on my computer.
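An added example, not code from the original post, of the kind of check the developer was asked to perform above: compare every table's live column list against the schema the application defines, flag columns that should not be there, and flag tables the application never created. It uses an in-memory SQLite database with a constructed schema as a stand-in for the production MySQL database (on MySQL the same comparison would read information_schema.columns and information_schema.tables); the table names, the columns and the planted `x_injected` column are assumptions made for this illustration.

```python
import sqlite3

# Schema the application defines: table -> set of column names (constructed sample).
EXPECTED_SCHEMA = {
    "users": {"id", "name", "email"},
    "orders": {"id", "user_id", "amount"},
}


def actual_columns(conn, table):
    """Column names the database currently has for a table (SQLite PRAGMA; on MySQL use information_schema.columns)."""
    rows = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
    return {row[1] for row in rows}


def find_schema_drift(conn, expected):
    """Return {table: {"extra": set, "missing": set}} for every table that deviates from the expected schema."""
    drift = {}
    for table, cols in expected.items():
        live = actual_columns(conn, table)
        extra, missing = live - cols, cols - live
        if extra or missing:
            drift[table] = {"extra": extra, "missing": missing}
    return drift


def unexpected_tables(conn, expected):
    """Tables present in the database that the application does not define."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    return sorted(name for (name,) in rows if name not in expected)


def remediation_sql(drift):
    """Statements that would drop the unexpected columns; returned for review, never executed blindly."""
    stmts = []
    for table in sorted(drift):
        for col in sorted(drift[table]["extra"]):
            stmts.append(f'ALTER TABLE "{table}" DROP COLUMN "{col}";')
    return stmts


def build_sample_db():
    """Constructed in-memory database in which 'users' has gained a column the application never defined."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER, name TEXT, email TEXT, x_injected TEXT);
        CREATE TABLE orders (id INTEGER, user_id INTEGER, amount REAL);
        """
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    drift = find_schema_drift(db, EXPECTED_SCHEMA)
    print("drift:", drift)
    print("unexpected tables:", unexpected_tables(db, EXPECTED_SCHEMA))
    for stmt in remediation_sql(drift):
        print(stmt)
```

Dropping the columns is left as generated SQL rather than executed, so the statements can be reviewed (and the affected rows exported first) before anything is changed on a production database.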

Adjust the WAF policy

As the author had only just taken over the job, many of the policies on Aliyun had not yet been adjusted, which is why it was so easy to get in. Now that an injection had happened, we had to find its source. I first went through all the tables again myself and confirmed there was no remaining problem, then logged in to Aliyun to adjust the WAF policy.

1. Open the protection configuration for the relevant domain name. The policy before adjustment looked like this:

As the figure shows, the "Web application protection" policy was in loose mode. This policy defends common web applications against attacks such as SQL injection and XSS cross-site scripting. In loose mode the false-positive rate on business traffic is the lowest, but real attacks are also more likely to slip through. "Malicious IP penalty" was not enabled either. Such loose protection is risky, so let's adjust it first.

2. The adjusted policy (if there are multiple domain names, adjust all of them), as shown below:

The protection policy has been tightened, but we still need to find the root cause of the problem; that is the most important thing!

Find suspicious files

The PHP project source code was deployed across several servers. Investigating in the traditional way, checking the directories of each server one by one with every command available, would be laborious and time-consuming, and there is no telling how long it would take. Here an Aliyun service played the key role: "Situation Awareness", which requires an upgrade to the enterprise edition (the cost is not high; our company has had it for a year at a little over 6000 yuan). This is the advantage of using Aliyun (not an advertisement): it really saves you worry.

1. Open "Situation Awareness" and a pile of abnormal behaviour is found immediately, spread across several servers, as shown below:

2. Click on a few of the abnormal behaviours to look at the details. I will open two of them; the other behaviours are similar, as shown below:

From the command-line parameters you can see that the relevant directory contains /Mode/Lite/, and the recommended handling is to check the files under the suspicious directory promptly and clean them up. Following the instructions given, the author ran find on the server to locate the path of this directory, as shown in the following figure:

Then, following the steps, list the files in this directory:

The picture above shows two abnormal PHP files whose owner also differs from the other files. The author opened the code repository and went to the same directory for comparison: the repository really does not contain these two files. To be sure, I downloaded the two files and sent them to the developer, who confirmed that the project does not have them. Downloading them and opening them:

Contents of the Content.class.php file:

}

Isn't this code exactly the field in the injected table? Roughly, the code above base64-decodes the two parameters of the POST request, passes the other through hex2bin, and then concatenates them. It presumably encodes the statements that operate on the database so that they can be decoded on the server and not intercepted. If any reader thinks this explanation is wrong, please point it out.
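An added example, not code from the post or from the project, of a defender-side check that automates what the author did by hand in this section and the one before it: list the PHP files under a deployment directory, flag any that are not in the code repository's manifest, flag files whose owner differs from the rest, and scan contents for the decode-and-run indicators described above (base64_decode, hex2bin, eval, assert, $_POST). The directory tree, the manifest and the file contents are constructed here for illustration (the planted file only contains the two decode calls as indicators, nothing that runs); the pattern list is a heuristic starting point, not a complete webshell signature.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic indicators of a PHP webshell (constructed for this example; extend for your environment).
SUSPICIOUS = re.compile(
    r"base64_decode|hex2bin|\beval\s*\(|\bassert\s*\(|\$_(?:POST|GET|REQUEST)", re.I
)


def list_php_files(root):
    """All *.php files below root, as sorted POSIX-style relative paths."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.php"))


def files_not_in_repo(root, manifest):
    """PHP files present on the server but absent from the repository manifest."""
    return [rel for rel in list_php_files(root) if rel not in manifest]


def suspicious_files(root):
    """Map relative path -> sorted, lower-cased indicator strings found in the file."""
    hits = {}
    for rel in list_php_files(root):
        text = (Path(root) / rel).read_text(errors="ignore")
        found = sorted({m.lower() for m in SUSPICIOUS.findall(text)})
        if found:
            hits[rel] = found
    return hits


def owner_outliers(root):
    """Files whose owner uid differs from the most common uid under root (the planted files had a different owner)."""
    uids = {rel: (Path(root) / rel).stat().st_uid for rel in list_php_files(root)}
    if not uids:
        return []
    majority = Counter(uids.values()).most_common(1)[0][0]
    return [rel for rel, uid in sorted(uids.items()) if uid != majority]


def hunt(root, manifest):
    """Combine the three checks into one report."""
    return {
        "unknown": files_not_in_repo(root, manifest),
        "suspicious": suspicious_files(root),
        "owner": owner_outliers(root),
    }


def build_sample_tree():
    """Constructed deployment directory: one legitimate file and one planted file under Mode/Lite/."""
    root = Path(tempfile.mkdtemp())
    (root / "Index.php").write_text('<?php echo "hello";\n')
    planted = root / "Mode" / "Lite"
    planted.mkdir(parents=True)
    # Constructed indicator sample, not the post's file: decodes two POST parameters and nothing else.
    (planted / "Content.class.php").write_text(
        "<?php\n$a = base64_decode($_POST['a']);\n$b = hex2bin($_POST['b']);\n"
    )
    return root


if __name__ == "__main__":
    report = hunt(build_sample_tree(), {"Index.php"})
    for key, value in report.items():
        print(key, value)
```

In practice the manifest comes from the repository (for example the list of tracked files at the deployed commit), and the script is run on every server the project is deployed to, since the post found the same abnormal behaviour spread across several of them.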

Contents of the Lite.class.php file:
