Remediation plan for a CMS website upload vulnerability and SQL injection vulnerability

Recently, while performing vulnerability detection and remediation on a customer's website, we at SINE Security found a serious SQL injection vulnerability and a webshell (website Trojan file) upload vulnerability. The site runs on a CMS developed in PHP with a MySQL database, and it is currently in production and generating revenue.

The CMS focuses on paid knowledge sharing, a segment in very high demand on today's Internet. The system lets users share documents for free download and publish hidden content that only paying customers can read. Its streamlined code base is popular with many webmasters. The site's vulnerability arises mainly in the upload of compressed packages: an attacker constructs a zip containing a webshell, and the extraction routine unpacks it into the specified directory. The CMS also has a SQL injection vulnerability. Each of these vulnerabilities is broken down in detail below.

SQL injection vulnerability details and remediation plan

Reviewing the site's database configuration file, we saw that the database connection uses PDO. Tracing the code further, we found that some special symbols are escaped, but the SQL-handling code does not apply comprehensive security filtering, which allows SQL injection attacks. The code screenshot is as follows:

The code above performs a SELECT query; the key part is its cond function. Reading the code in detail, the value this function works with comes from the front end, where the user writes it. When a user submits malicious code in the id parameter, that value is passed into this function and spliced into the SQL statement. By overriding the id variable with values that use IN, LIKE and other SQL constructs, the database can be attacked: the account passwords in the database can be viewed and the database can be modified.

To fix the SQL injection vulnerability, filter illegal characters from the input of both GET and POST requests: filter single quotes, semicolons, the dash, `%20`, other special characters, double quotes, the percent sign, the tab character and so on. Enable PHP magic quotes to prevent illegally constructed parameters from being transmitted.
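As an added example (not the CMS's own code), here is the pattern behind the page's cond function, where the front-end id is spliced into the SQL text, next to the parameterised PDO form a practitioner would use instead of character filtering; the `$pdo` handle and the `article` table and column names are assumptions.

```php
<?php
// Added illustration, not the CMS's code. Table and column names are assumed.

// VULNERABLE (the pattern behind the page's cond function): the id that the
// front end submits is spliced straight into the SQL text, so anything that is
// not a plain number becomes part of the query and changes what it does.
function condUnsafe(string $id): string
{
    return "SELECT id, title FROM article WHERE id = {$id}";
}

// HARDENED: validate the expected type, then send a fixed SQL template with
// placeholders and pass the values separately as bound parameters, so the
// server never parses them as SQL. This replaces character blacklists and
// magic quotes (magic_quotes_gpc was removed in PHP 5.4 and cannot be enabled).
function findArticles(PDO $pdo, array $ids): array
{
    // Real server-side prepares, not client-side emulation
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    $clean = [];
    foreach ($ids as $id) {
        if (!ctype_digit((string) $id)) {
            throw new InvalidArgumentException('id must be a whole number');
        }
        $clean[] = (int) $id;
    }
    if ($clean === []) {
        return [];
    }
    // One placeholder per value for the IN (...) list the page mentions
    $marks = implode(',', array_fill(0, count($clean), '?'));
    $stmt  = $pdo->prepare("SELECT id, title FROM article WHERE id IN ({$marks})");
    foreach ($clean as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// LIKE search: the bound parameter stops injection; escaping % and _ stops
// the user's term from acting as a wildcard (the page's "percent sign" concern).
function searchTitles(PDO $pdo, string $term): array
{
    $escaped = addcslashes($term, '%_\\');   // MySQL's default LIKE escape is \
    $stmt = $pdo->prepare('SELECT id, title FROM article WHERE title LIKE ?');
    $stmt->execute(['%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```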

Webshell upload vulnerability on the site

The site allows free public registration, so an ordinary user account can be obtained. We found a vulnerability in the upload of zip archives. Uploads of doc and other documents need to be reviewed, and the upload function should receive a comprehensive security review, but an uploaded zip is written directly to the database. Through the SQL injection vulnerability described above we could view the database and see the address of the zip file.

How is the webshell uploaded? Using the SQL injection vulnerability we queried the site's back-end administrator account and password and visited the back end. The back-end functions themselves are not flawed, but looking at their source code we found a zip decompression function that does not require user permissions. By constructing the parameters and accessing the decompression code file directly with a POST request, our zip file is unpacked into the current directory, which is enough to place our webshell Trojan on the server.

To fix the upload vulnerability, we recommend that administrators disable the decompression function, or add permission checks to file decompression so that only administrator users, or only members holding the appropriate privilege, can extract files, with security permissions allocated sensibly. In addition, set the upload directory to deny script execution so that an uploaded webshell backdoor Trojan cannot run. If you are not familiar with fixing website vulnerabilities, we suggest finding a professional security company to help; in China, Sinesafe, Green League, Venus and other security companies are more professional.

Source: www.cnblogs.com/loudongxiufu/p/10965911.html