A Tour of PHP Code Auditing

Preface:

In the many web challenges we have worked through before, we met SQL injection, command execution, variable overwriting and similar bugs one at a time, in code written to contain them. When the code is a whole application (a CMS, for example), the bug has to be found first, then understood, then exploited, and that takes a method and some experience. The target here is BlueCMS 1.6. The point is not to reproduce the known vulnerabilities of this CMS, but to walk through the whole audit process and the thinking behind it, as a way to practise auditing. Since I am still a beginner, please correct me where I am wrong.

What are black-box, white-box and grey-box testing?

These three terms come up constantly in code auditing. What do they mean?

  1. Black-box testing: the product's functional specification is known, and each function is tested to check that its implementation meets the requirements.
  2. White-box testing: the product's internal workings are known, and each internal operation is tested to check that it meets the design specification and that every internal component has been exercised.
  3. Grey-box testing is a mix of the two. There is no sharp definition of it yet, but in practice most of what we do is grey-box testing: black-box and white-box testing at the same time.
    Applied to a website, it is easy to picture: black-box testing means testing each feature for problems without knowing the site's source code; white-box testing means having the source and finding the problems in the code; grey-box testing combines the two (my own understanding; corrections welcome). There are deeper treatments of these concepts that are not covered here.

White-box testing process: BlueCMS 1.6

As a beginner in code auditing I use BlueCMS 1.6 to practise; the focus here is on how to analyse during white-box testing.

0x00: Understanding the directory structure

Faced with this many files, where do you start, and what is the plan? Going straight for SQL injection, RCE and the like is hard, because there are too many files. Most experienced auditors I have read start by surveying the whole directory structure: what each directory is for, which files it contains, and which files are the core ones. Starting from there narrows the scope of the audit and saves a lot of time.

├── admin	  back-end administration directory
├── install	  site installer
├── api       interface (API) files
├── data      data handling for the system
├── include   global files included by the other scripts
└── template  templates

Also note the following kinds of files:

  1. Function library files, usually named with keywords like functions or common. They hold the shared functions that other files call, so most files include them in their header. The easy trick for finding them is to open index.php or any functional page and look at the include lines at its head.

  2. Configuration files, usually with config in the name. They hold the settings the application needs to run, including feature options and the database configuration, so they tell you part of what the application does. Also check whether the parameter values in the config file are wrapped in single or double quotes. PHP interpolates $var and {$expr} inside double-quoted strings, so if the installer or an admin page writes user-supplied values into a double-quoted config file without proper escaping, a double-quoted config file is a classic source of code execution vulnerabilities.

Different CMSs have different directory structures, but the names and roles of the main folders rarely change much; nobody wants to develop against a pile of confusingly named files, and it would give them a headache when they test their own code.

0x01: Getting information from the home page

Once you understand the directory layout, start with index.php. It is usually the entry point of the whole program, and from it you learn the program's framework, its execution flow, which configuration files it includes, and which included files do security filtering. To understand the application's business logic you have to start from the home page.

index.php has many lines, and reading it top to bottom is tiring and not very useful, because index.php itself usually takes no user input. Instead, look at which files it includes and follow them layer by layer.

Of the two files it includes, note the one with the common keyword mentioned above. Open common.inc.php:

Around line 30 it calls addslashes() on the whole $_POST, $_GET, $_COOKIE and $_REQUEST arrays, so in every file that includes it, single quotes, double quotes, backslashes and NUL bytes in our input arrive escaped. Keep that in mind when looking for SQL injection in files that include it.

It also bans IPs, so this file holds some general protection that other files get by including it.

It includes several more files; when you later meet a function you cannot find, search for its name in these files. So first get the rough structure.

Not every file is listed here, just a few, but this shows the hierarchy and what you get at each level. The files in the include directory are shared so that other files can reference them instead of repeating code; writing another page is then like writing it on its own, pulling in these files when they are needed. Once you know these common files, whenever you hit a function you do not understand while reading other files, trace it back here to see how it is used, and the audit can continue.

0x02: Finding vulnerabilities

Tracking input variables

When a pile of code makes you feel overwhelmed, ask where in a site vulnerabilities generally live. SQL injection, XSS, RCE and so on share one thing: user input. Wherever there is input there may be a vulnerability, so narrow the code down and look first at the places where the user controls the input.

Starting from the root directory, in order, look at ad_js.php:

$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';

The ad_id parameter is controllable; follow it down to the SQL statement:

$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);

ad_js.php includes common.inc.php, so single and double quotes in our input are escaped, but $ad_id is not wrapped in single or double quotes in the SQL statement, so the escaping does not matter here: this is clearly a SQL injection. Take a note that this file contains a SQL injection.

Next, ann.php: over 90 lines, but we only go to the places where the user can provide input:

 $ann_id = !empty($_REQUEST['ann_id']) ? intval($_REQUEST['ann_id']) : '';
 $cid = !empty($_REQUEST['cid']) ? intval($_REQUEST['cid']) : 1;

Both go through intval(), so no SQL injection here; move on to the next file.

In news_cat.php the variables are not wrapped in single or double quotes either, but they also go through intval(), so no SQL injection.

user.php may also contain a SQL injection; check it:

Again no single or double quotes and no filter, so look at how the $id parameter is passed:

It goes through intval(), so this SQL injection cannot be exploited.

Using tools to find vulnerabilities

Commonly used PHP audit tools are Seay源代码审计系统 (the Seay source code audit system), RIPS and others. Tools sometimes catch places we missed, so combining manual review with tools is more efficient. The Seay tool reports a great many possible vulnerabilities, but they are only candidates; not all of them are exploitable.

Still, go for user input first, since most vulnerabilities live there; the tool's global search is handy when you need to trace a function.

Finding dangerous functions

Command execution: system, shell_exec, passthru, popen, proc_open
File inclusion: require, include, require_once, include_once
Variable overwriting: parse_str, mb_parse_str
Code execution: eval, assert, preg_replace (with the /e modifier, PHP < 7)
File operations: file_get_contents, file_put_contents, move_uploaded_file, unlink

These are the dangerous functions behind each class of vulnerability. When looking for RCE, SQL injection, file inclusion and so on, search directly for these functions and check whether they can be reached with controlled input; if they can, you can tell whether the corresponding vulnerability exists. For example, searching for the unlink function:

We see a $_POST; look at what it contains:

The exploitable variable is $_POST['lit_pic']; trace where it is used:

Apart from these four files, no other file uses this variable, and apart from the escaping at the start of the file (which only touches quotes and backslashes, not a path) there is no other filter, so this variable can be used to delete files under the web root.
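The two steps above, tracking user input and searching for dangerous functions, can be partly automated. The following script is an added example, not code from the post and not part of BlueCMS: it uses PHP's own tokenizer to list every superglobal read and every call to a sink from the table above, then points at the lines where both appear on the same line. The sample source it scans is constructed for the demonstration and only imitates the ad_js.php, ann.php and user.php patterns discussed above.

```php
<?php
// Added example: a small source/sink finder built on PHP's tokenizer.
// It is not BlueCMS code; the sample source below is constructed for the
// demonstration and only imitates the patterns discussed in the post.

// Sinks grouped as in the post's table (preg_replace only matters with /e, PHP < 7).
const SINKS = [
    'system', 'shell_exec', 'passthru', 'popen', 'proc_open',                 // command execution
    'require', 'include', 'require_once', 'include_once',                     // file inclusion
    'parse_str', 'mb_parse_str',                                              // variable overwriting
    'eval', 'assert', 'preg_replace',                                         // code execution
    'file_get_contents', 'file_put_contents', 'move_uploaded_file', 'unlink', // file operations
];
const SOURCES = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST', '$_FILES', '$_SERVER'];

/**
 * Scan PHP source text and return, per line, the sources and sinks found.
 * Return shape: [ line => ['sources' => [...], 'sinks' => [...]] ]
 */
function scan_php_source(string $code): array
{
    $hits = [];
    $tokens = token_get_all($code);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue; // single-character tokens ('(', ';', ...) are plain strings
        }
        [$id, $text, $line] = $tok;
        if ($id === T_VARIABLE && in_array($text, SOURCES, true)) {
            $hits[$line]['sources'][] = $text;
        }
        // include/require/eval are language constructs with their own token ids
        if (in_array($id, [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE, T_EVAL], true)) {
            $hits[$line]['sinks'][] = strtolower($text);
            continue;
        }
        // the rest are T_STRING followed by '(' (skip whitespace in between)
        if ($id === T_STRING && in_array(strtolower($text), SINKS, true)) {
            $j = $i + 1;
            while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            // ignore method calls ($obj->unlink) and static calls; keep plain function calls
            $prev = $tokens[$i - 1] ?? null;
            $isMethod = is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON], true);
            if (!$isMethod && $j < $n && $tokens[$j] === '(') {
                $hits[$line]['sinks'][] = strtolower($text);
            }
        }
    }
    ksort($hits);
    return $hits;
}

/** Lines that read a superglobal and call a sink on the same line: read these first. */
function suspicious_lines(array $hits): array
{
    return array_keys(array_filter($hits, fn($h) => !empty($h['sources']) && !empty($h['sinks'])));
}

// Constructed sample imitating the BlueCMS patterns discussed in the post.
const SAMPLE = <<<'PHP'
<?php
require_once 'include/common.inc.php';
$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';
$ann_id = !empty($_REQUEST['ann_id']) ? intval($_REQUEST['ann_id']) : '';
if (!empty($_POST['lit_pic'])) unlink(BLUE_ROOT . $_POST['lit_pic']);
$name = $_POST['name'];
echo "hello";
PHP;

// CLI usage: php scan.php
$hits = scan_php_source(SAMPLE);
foreach ($hits as $line => $h) {
    printf("line %d: sources=%s sinks=%s\n", $line,
        implode(',', $h['sources'] ?? []), implode(',', $h['sinks'] ?? []));
}
echo "read first: lines ", implode(', ', suspicious_lines($hits)), "\n";
```

On the sample, line 2 is reported as a sink with no source (require_once with a constant path), lines 3, 4 and 6 as sources with no sink, and only line 5 (the unlink fed from $_POST) as both, which is exactly the ordering an auditor wants: sinks that user input can reach come first, and the intval() on line 4 still has to be checked by hand.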

0x03: Analysing the vulnerabilities

SQL injection: UNION-based injection

Tracking the input variables earlier showed a SQL injection in ad_js.php; now look at how to exploit it.

Looking at the code carefully, the argument has no single or double quotes around it. The SQL statement is passed to the getone function, so check whether that function changes or escapes the parameter on the way in. Tracing getone leads to mysql.class.php, where it is just a wrapper around the query, with no filtering.

A digression on why ad_js.php can call this function at all: it includes common.inc.php, but not at the top of the file; the include is only at line 62. Some includes are not at the start of a file, so it is best to use the tool to find them.

Back in ad_js.php, find this code:

echo "<!--\r\ndocument.write(\"".$ad_content."\");\r\n-->\r\n";

The content is echoed straight out: that is the familiar UNION injection from CTF. Try it:

order by shows 8 columns in total; then the union query:

The database name comes out, and column 7 is the one echoed. From here follow the usual UNION routine; it is not written out in detail.
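To see why the addslashes() call in common.inc.php does not stop this injection, and what does, here is an added example (not code from BlueCMS): it rebuilds the ad_js.php query the way the post describes, runs a UNION payload through the same escaping first, and contrasts it with a version that casts the id and with a prepared statement. The column count (8) and the echoed column (7) are the ones the post found with order by; the table name blue_ad and the payload string are constructed for the demonstration.

```php
<?php
// Added example (not BlueCMS code): why addslashes() does not protect an
// unquoted numeric SQL context, and two ways to fix it.

// common.inc.php escapes ' " \ and NUL in the request arrays. Emulate that step.
function escape_request(array $request): array
{
    return array_map('addslashes', $request);
}

// The vulnerable pattern from ad_js.php: the id is trimmed and concatenated
// into the WHERE clause without quotes, so nothing that addslashes() escapes is needed.
function build_ad_query_vulnerable(array $get): string
{
    $ad_id = !empty($get['ad_id']) ? trim($get['ad_id']) : '';
    return "SELECT * FROM blue_ad WHERE ad_id =" . $ad_id; // blue_ad: assumed table name
}

// Fix 1: force the numeric type before concatenation, as ann.php does with intval().
function build_ad_query_fixed(array $get): string
{
    $ad_id = isset($get['ad_id']) ? (int) $get['ad_id'] : 0;
    return "SELECT * FROM blue_ad WHERE ad_id =" . $ad_id;
}

// Fix 2 (preferred): a prepared statement; the value never becomes part of the SQL text.
// Written as a function so it can be called with a real PDO handle; not executed here.
function fetch_ad(PDO $db, string $raw_ad_id): ?array
{
    $stmt = $db->prepare('SELECT * FROM blue_ad WHERE ad_id = :id');
    $stmt->bindValue(':id', (int) $raw_ad_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed payload in the shape of the UNION query from the post:
// 8 columns (found with order by), the probe placed in column 7 (the echoed one).
const PAYLOAD = '1 union select 1,2,3,4,5,6,database(),8';

function demo(): array
{
    $get = escape_request(['ad_id' => PAYLOAD]);   // what common.inc.php leaves us
    return [
        'escaped_input' => $get['ad_id'],          // unchanged: the payload has no quotes
        'vulnerable'    => build_ad_query_vulnerable($get),
        'fixed'         => build_ad_query_fixed($get), // "... WHERE ad_id =1"
    ];
}

foreach (demo() as $label => $sql) {
    echo str_pad($label, 15), ": ", $sql, "\n";
}
```

The escaped input comes back byte-for-byte identical, because addslashes() only touches quotes, backslashes and NUL, none of which a numeric-context payload needs; the (int) cast reduces the whole payload to 1, and the prepared statement removes string concatenation altogether.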

Arbitrary file deletion

This part involves grey-box testing.

user.php was mentioned above as having a controllable parameter; now look at it more closely:

lit_pic is controlled through POST with no other condition, but it is prefixed with BLUE_ROOT, so we need to know what that stands for. At the top of the file:

It is just a defined constant, with no filtering, so the parameter is usable. Next, how to reach it: can we POST this parameter to user.php directly? Look at the source again; the parameter appears in the form that submits edited classified information:

So that page only needs the required parameters (fill in the necessary ones) to reach it:

First create a test file, text.txt:

Submit:

Check text.txt: it has been deleted.
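The deletion works because user.php passes BLUE_ROOT . $_POST['lit_pic'] to unlink() with no check other than addslashes(), which is irrelevant for a path. The following added example (not BlueCMS code) reproduces that pattern inside a temporary directory and then shows the check a practitioner would want: resolve the path with realpath() and refuse anything that does not land inside the upload directory. The directory layout, the file names and the image-extension rule are constructed for the demonstration.

```php
<?php
// Added example (not BlueCMS code): the unchecked unlink() pattern beside a
// hardened version that confines deletion to the upload directory.

// Vulnerable pattern: the POST value is joined to the web root and deleted as-is.
function delete_lit_pic_vulnerable(string $webRoot, string $litPic): bool
{
    $path = $webRoot . $litPic;
    return is_file($path) && unlink($path);
}

// Hardened: the file must resolve to a path inside $uploadDir after realpath(),
// so "../" and absolute paths are rejected; only plain image files are allowed.
function delete_lit_pic_safe(string $uploadDir, string $litPic): bool
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return false;
    }
    $target = realpath($uploadDir . DIRECTORY_SEPARATOR . $litPic);
    if ($target === false) {
        return false;                       // does not exist (or dangling symlink)
    }
    $base .= DIRECTORY_SEPARATOR;
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return false;                       // escaped the upload directory
    }
    if (!preg_match('/\.(jpe?g|png|gif)$/i', $target) || !is_file($target)) {
        return false;                       // not an uploaded picture
    }
    return unlink($target);
}

// Constructed layout: a fake web root with an upload dir and a file outside it.
function demo(): array
{
    $root   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'bluecms_demo_' . getmypid();
    $upload = $root . DIRECTORY_SEPARATOR . 'data' . DIRECTORY_SEPARATOR . 'upload';
    mkdir($upload, 0700, true);
    file_put_contents($root . DIRECTORY_SEPARATOR . 'text.txt', 'test');   // the post's text.txt
    file_put_contents($upload . DIRECTORY_SEPARATOR . 'a.jpg', 'jpg');

    $results = [
        // the post's input against the hardened version: refused (true = refused)
        'safe refuses ../../text.txt' => !delete_lit_pic_safe($upload, '../../text.txt'),
        'text.txt still there'        => file_exists($root . DIRECTORY_SEPARATOR . 'text.txt'),
        // the post's attack against the original pattern: deleted
        'vulnerable deletes text.txt' => delete_lit_pic_vulnerable($root . DIRECTORY_SEPARATOR, 'text.txt'),
        'text.txt gone'               => !file_exists($root . DIRECTORY_SEPARATOR . 'text.txt'),
        // a legitimate delete of the record's own picture still works
        'safe deletes own upload'     => delete_lit_pic_safe($upload, 'a.jpg'),
        'a.jpg gone'                  => !file_exists($upload . DIRECTORY_SEPARATOR . 'a.jpg'),
    ];

    // cleanup
    array_map('unlink', glob($upload . DIRECTORY_SEPARATOR . '*') ?: []);
    rmdir($upload);
    rmdir($root . DIRECTORY_SEPARATOR . 'data');
    rmdir($root);
    return $results;
}

foreach (demo() as $check => $ok) {
    printf("%-30s %s\n", $check, $ok ? 'true' : 'false');
}
```

Every check prints true. The realpath() step matters more than the extension filter: it canonicalises "../" and symlinks before the prefix comparison, so the check cannot be bypassed by a path that only looks like it is inside the upload directory. A complete fix would additionally only delete the picture recorded for the classified entry the user owns, rather than any file name the client supplies.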

Reflected XSS

A tool not detecting something does not mean there is no vulnerability; some need manual review. For example guest_book.php has a reflected XSS that the tool did not detect.

In the page where users can leave a message:

a look at the source code shows something:

page_id is passed straight through POST, and the showmsg function it goes to does nothing to its content:

so this vulnerability is definitely exploitable: pass the necessary parameters and you get reflected XSS.

Why the usual <script>alert(/xss/)</script> does not work: look at the code. For the statement to run it first has to close the <input> tag it lands in, which is why "> is added in front.

The tool did not find this, which does not mean the vulnerability is absent. Follow the principle: wherever the user can input, look.
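The page_id value lands inside an <input> tag's attribute, which is why the payload has to close the tag with "> before its own <script> element is parsed as markup. This added example (not BlueCMS code) reconstructs a showmsg-style helper that echoes the value raw, shows where each payload ends up, and contrasts it with the htmlspecialchars() call that fixes it. The form markup and the hidden-input name are constructed; the post does not show the exact template.

```php
<?php
// Added example (not BlueCMS code): a showmsg-style helper that reflects
// page_id into a hidden <input>, first raw and then escaped.

// Vulnerable: the POST value is pasted into the attribute unchanged.
function render_page_id_vulnerable(string $pageId): string
{
    return '<input type="hidden" name="page_id" value="' . $pageId . '">';
}

// Fixed: htmlspecialchars with ENT_QUOTES turns " ' < > & into entities, so the
// value can never close the attribute or the tag. Always pass the charset explicitly.
function render_page_id_safe(string $pageId): string
{
    $v = htmlspecialchars($pageId, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="page_id" value="' . $v . '">';
}

// Does the output contain a <script> start tag outside the quoted attribute?
// A crude stand-in for what the browser's parser does with the two outputs.
function contains_live_script(string $html): bool
{
    return (bool) preg_match('/<script\b[^>]*>/i', $html)
        && !preg_match('/value="[^"]*<script/i', $html);
}

// Constructed payloads: the plain one from the post and the one with the "> prefix.
const PLAIN    = '<script>alert(/xss/)</script>';
const BREAKOUT = '"><script>alert(/xss/)</script>';

function demo(): array
{
    return [
        'plain, vulnerable'    => render_page_id_vulnerable(PLAIN),
        'breakout, vulnerable' => render_page_id_vulnerable(BREAKOUT),
        'breakout, safe'       => render_page_id_safe(BREAKOUT),
    ];
}

foreach (demo() as $label => $html) {
    printf("%-22s live script: %-3s %s\n", $label,
        contains_live_script($html) ? 'yes' : 'no', $html);
}
```

The plain payload is swallowed whole by the quoted value attribute, so no script element exists; the "> version closes the attribute and the tag and the script becomes live; the escaped version renders the same input as text, with no < or " left to break out with.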

Summary:

There are of course many other vulnerabilities in this CMS; this post is mainly about the process and steps of a code audit. The next audit will concentrate on the code itself: find the bugs, exploit them!


Origin blog.csdn.net/qq_43431158/article/details/104856198