While carrying out website vulnerability detection and repair for a customer, SINE Security found that the customer's website had a serious SQL injection vulnerability and a vulnerability that allowed a webshell (website Trojan file) to be uploaded. The website runs a CMS written in PHP with a MySQL database, and the CMS code is currently open source.
The CMS in question is a social CMS system focused on paid knowledge, which is in high demand on the Internet today: the system lets users share documents, charges a fee for downloads, and lets users hide the knowledge content they publish so that only paying customers can read it. The code is relatively lean and the system is popular with webmasters. The site's upload vulnerability lies in the handling of uploaded compressed packages: a crafted request to the decompression code extracts a webshell contained in the zip package to the specified directory. The CMS also has a SQL injection vulnerability. Let's break down the vulnerabilities in detail one by one.
SQL injection vulnerability details and repair plan
Looking at the site's database configuration file shows that the database connection is made through PDO. Tracing the code further, however, shows that a number of SQL statements are still assembled by string concatenation without comprehensive security filtering of the values, which is what makes SQL injection attacks possible. The code screenshot is as follows:
The code in the screenshot is the select query function; its cond function deserves the closest look. Reading the code shows that cond builds the WHERE clause from values submitted by front-end users, so when a front-end user submits a malicious value for id it is spliced straight into the SQL statement, and the same handling allows the value of id to be overwritten. With SQL operators such as IN and LIKE (or a UNION), an attacker can run statements of their own choosing against the database, read the account password stored in the database, and modify the database.
To fix the SQL injection, the cond function (and every other place that splices request values into SQL) should stop concatenating user input and instead use PDO prepared statements with bound parameters; since the site already connects through PDO this is a local change. Column names taken from the request must be checked against an allowlist, because a placeholder cannot bind an identifier. Filtering GET and POST input for illegal characters (single quotes, semicolons, the comment sequence --, the % wildcard, tab characters and similar) is at most a secondary defence: blacklists of this kind are routinely bypassed with encoding and comment tricks and must not be the only fix. Magic quotes (magic_quotes_gpc) cannot be relied on either; the directive was deprecated in PHP 5.3 and removed in PHP 5.4.
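The following is an added example, not code from the CMS or from the SINE Security write-up. It models the cond pattern described above (a helper that splices user-supplied values into a WHERE clause) next to a version that binds the values through PDO prepared statements, and runs the constructed id payload through both. It runs stand-alone against an in-memory SQLite database through PDO; the table and column names (admin, document, id, price) are assumptions, not the CMS's real schema.

```php
<?php
// Added example, not the CMS's own code. Vulnerable cond()-style
// concatenation next to a parameterised replacement, run against an
// in-memory SQLite database. Table/column names are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$db->exec("CREATE TABLE document (id INTEGER PRIMARY KEY, title TEXT, price INTEGER)");
// Constructed sample rows
$db->exec("INSERT INTO admin VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e')");
$db->exec("INSERT INTO document VALUES (1, 'Public doc', 0), (2, 'Paid doc', 10)");

// Vulnerable: the condition is built by concatenation, so whoever controls
// the value of id controls the rest of the statement.
function condVulnerable(array $where): string
{
    $parts = [];
    foreach ($where as $col => $val) {
        $parts[] = "$col = $val";          // no quoting, no placeholder
    }
    return implode(' AND ', $parts);
}

function selectVulnerable(PDO $db, string $table, array $where): array
{
    $sql = "SELECT * FROM $table WHERE " . condVulnerable($where);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: column names are checked against an allowlist (a placeholder cannot
// bind an identifier) and every value goes through a bound parameter.
function selectSafe(PDO $db, string $table, array $where, array $allowedCols): array
{
    $parts = [];
    $bind  = [];
    foreach ($where as $col => $val) {
        if (!in_array($col, $allowedCols, true)) {
            throw new InvalidArgumentException("column not allowed: $col");
        }
        $parts[] = "$col = ?";
        $bind[]  = $val;
    }
    $stmt = $db->prepare("SELECT * FROM $table WHERE " . implode(' AND ', $parts));
    $stmt->execute($bind);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker value for id: completes the intended comparison and
// appends a UNION that reads the admin table. IN and LIKE payloads ride the
// same concatenation in exactly the same way.
$payload = "1 UNION SELECT id, username, password FROM admin";

// Vulnerable path: the admin username and password hash come back as a
// document row.
print_r(selectVulnerable($db, 'document', ['id' => $payload]));

// Fixed path: the whole payload is bound as one literal string, matches no
// id, and the query returns no rows.
print_r(selectSafe($db, 'document', ['id' => $payload], ['id', 'price']));
```

Run it with the command-line PHP interpreter (php example.php); it needs the pdo_sqlite extension, which ships with most PHP builds. The table name is still interpolated in selectSafe because it comes from application code, not from the request; if the CMS ever lets the request choose the table, that name needs the same allowlist treatment as the columns.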
Website upload webshell vulnerability
The website allows free registration, and a registered account is an ordinary member. A full security check of the upload function available to such users found a vulnerability in the zip upload path: uploads such as doc files go through a review step, but zip files are recorded directly in the database without review. Reading the database through the SQL injection vulnerability found above reveals the stored file path of the uploaded zip.
Getting from that zip to a webshell: the SQL injection vulnerability is used to read the administrator account and password of the website backend and log in. The various backend functions themselves had no vulnerabilities, but a look at the source code revealed a piece of functional code that decompresses a zip file, and it does so without checking the user's permissions. Building the request parameters and POSTing them directly to the decompression code file extracts the contents of our zip into the current directory, which places the webshell Trojan contained in the archive on the server.
To repair the upload vulnerability, it is recommended that the administrator turns off the decompression function, or binds it to a permission check: decide whether only the administrator user may decompress, or whether ordinary members may decompress documents, and enforce that decision in the decompression code itself rather than relying on the backend menu. Assign these permissions properly and safely, and in addition set the upload directory to be script-free (no PHP execution), so that a webshell Trojan backdoor that does land there cannot run. If you are not familiar with website vulnerability repair, it is recommended to find a professional website security company to help you repair website vulnerabilities. In China, Sinesafe, NSFOCUS, Venustech and other security companies are more professional.
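As an added example (not the CMS's code and not SINE Security's repair), here is what the decompression code path looks like once the two checks above are enforced in code: the caller must be an authenticated administrator, and every entry in the archive is validated (no path traversal, no script extension) before anything is written to disk. The currentUserIsAdmin() helper, the session layout and the allowed extension list are assumptions about the CMS.

```php
<?php
// Added example, not the CMS's own code. A decompression handler that
// enforces a permission check and validates every archive entry before
// extracting. currentUserIsAdmin() and the session layout are assumptions.

function currentUserIsAdmin(): bool
{
    // Assumption: the CMS keeps the logged-in user's role in the session.
    return isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
}

function safeExtract(string $zipPath, string $targetDir): array
{
    if (!currentUserIsAdmin()) {
        throw new RuntimeException('decompression is restricted to administrators');
    }
    $allowedExt = ['pdf', 'doc', 'docx', 'txt', 'jpg', 'png'];  // assumed policy

    $realTarget = realpath($targetDir);
    if ($realTarget === false || !is_dir($realTarget)) {
        throw new RuntimeException('target directory does not exist');
    }

    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open archive');
    }

    // Pass 1: validate every entry. Rejecting before extracting means a bad
    // entry anywhere in the archive leaves nothing on disk.
    $plan = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === '' || substr($name, -1) === '/') {
            continue;                                   // directory entry
        }
        if (strpos($name, '..') !== false || $name[0] === '/' || $name[0] === '\\') {
            $zip->close();
            throw new RuntimeException("rejected entry (path traversal): $name");
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowedExt, true)) {
            $zip->close();
            throw new RuntimeException("rejected entry (file type): $name");
        }
        // basename() flattens nested paths so the file always lands directly
        // in the target directory, never in a sub-path the uploader chose.
        $plan[$i] = $realTarget . DIRECTORY_SEPARATOR . basename($name);
    }

    // Pass 2: write the validated entries.
    $written = [];
    foreach ($plan as $index => $dest) {
        file_put_contents($dest, $zip->getFromIndex($index));
        $written[] = $dest;
    }
    $zip->close();
    return $written;
}

// Demonstration with a constructed archive: a harmless document next to a
// PHP file standing in for the webshell.
$_SESSION = ['role' => 'admin'];
$work = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'unzip_demo_' . uniqid();
mkdir($work);
$zipFile = $work . DIRECTORY_SEPARATOR . 'upload.zip';
$zip = new ZipArchive();
$zip->open($zipFile, ZipArchive::CREATE);
$zip->addFromString('notes.txt', 'harmless document');
$zip->addFromString('shell.php', '<?php echo "webshell"; ?>');
$zip->close();

try {
    safeExtract($zipFile, $work);
} catch (RuntimeException $e) {
    // The .php entry is rejected in pass 1, so notes.txt is not written either.
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with php example.php; it needs the zip extension. The extension allowlist is a second line of defence, not the main one: web servers can be configured to hand files such as shell.php.jpg to the PHP interpreter, which is why the article's advice to make the upload directory script-free at the web-server level remains necessary even with this code in place.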
The above is the detailed content of Website vulnerability repair: Example analysis of uploading webshell vulnerability patching. For more information, please follow other related articles on the PHP Chinese website!