
Beescms website penetration test and repair comments "suggestions collection"

2022-06-25 01:58:00 Full stack programmer webmaster

Hello everyone, we meet again. I'm your friend Quan Jun.

Beescms website penetration test and repair suggestions

Catalog

  1. Environment setup
  2. Pre-penetration information gathering
  3. Starting the penetration
  4. Summary
  5. Repair suggestions

Beescms experimental environment setup

  1. Download Beescms v4.0 from the official site: http://beescms.com/cxxz.html
  2. Unzip the archive and place the files in the phpstudy web root
  3. In the browser, open http://127.0.0.1/beescms/install to start the installation
  4. Click through to the next step until the following screen appears, then enter the database account and password
  5. Installation succeeded
  6. Edit the mysql.ini file and add secure_file_priv = under the mysqld section, then save and restart phpstudy; otherwise writing files from MySQL will give an error
  7. Installation complete

Pre-penetration information gathering

1. Use dirb in Kali to scan the site directories.

Also use sqlmap to scan the site for injection: sqlmap -u "http://<target machine IP>/newsletter&id=1" -p id

2. After scanning, sqlmap found no injection point, but the directory scan found the admin login page, so the admin login is tested for vulnerabilities.

3. Attempt SQL injection in the username field of the login page.

A SQL statement error is found.

This is a penetration point; note it down!

4. Check whether the admin login can be brute-forced.

Here you can see that there is a captcha and that submit refreshes the page. In other words, by controlling submit the captcha refresh can be disabled, which makes brute forcing possible. This is also a penetration point; note it down!

Exploit

One、 Password brute-force vulnerability

(1) Try logging in with a username and password

(2) Analyze the parameters required for login with Burp

You can see the parameters user, password, code and submit. From the code it can be seen that submit refreshes the page and the captcha after the user submits, so if submit=true is changed to submit=false the refresh stops and the captcha only needs to be entered once.

(3) Brute force with Burp

Change submit=true to false, set the password as the variable, and brute-force the admin user.

(4) Successful result

Two、 File upload vulnerability

1. Log in to the backend to obtain system permissions

(1) There is a file upload area in the backend management

(2) Upload a one-sentence webshell; the file is found to be renamed

(3) Reading the source code shows that after the file is renamed, the source file is still in the same directory; only a thumbnail of the file is added with the _thumb.png suffix. Change that suffix back to the suffix of the file we uploaded (remove it) and you reach the file we uploaded, which contains the one-sentence webshell below

(4) Connect with AntSword to test

The test succeeded and system access was obtained

Three、 SQL injection vulnerability

(1) Attempt on the login page

Analysis shows that there is a SQL injection vulnerability

(2) Keywords such as union and select are filtered

(3) From the above analysis of the source code a bypass method is found. Guess the number of fields in the SQL query; as the figure below shows, the query has 5 fields

(4) Dump the database name

(5) Dump the table names

(6) Dump the column names

(7) Dump the fields

(8) Brute-force cracking

(9) Password decryption: the password is stored as an MD5 hash, so decrypt it with MD5

The password is admin
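The keyword filter bypassed above is a blacklist, which is why the repair section recommends parameterized statements instead. The following is an added example, not Beescms code, of the admin lookup written first in the concatenated, blacklist-only form and then as a prepared statement, with password_verify() in place of the unsalted MD5 the write-up reversed; the table and column names admin, admin_name, admin_password and the database name beescms are assumptions.

```php
<?php
// Added example, not Beescms code. Table, column and database names are assumptions.

// BEFORE: the pattern the write-up exploits. A keyword blacklist is applied and
// the input is then pasted into the SQL text, so the input can still change the
// structure of the query (filters like this are what the bypass step defeats).
function find_admin_unsafe(PDO $db, string $user): ?array
{
    $user = str_ireplace(['union', 'select'], '', $user); // blacklist: not a fix
    $sql  = "SELECT admin_name, admin_password FROM admin WHERE admin_name = '$user'";
    $row  = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// AFTER: a prepared statement. The value is sent as a bound parameter, never as
// part of the SQL text, so a quote or keyword inside it is just data.
function find_admin(PDO $db, string $user): ?array
{
    $stmt = $db->prepare(
        'SELECT admin_name, admin_password FROM admin WHERE admin_name = :name LIMIT 1'
    );
    $stmt->execute([':name' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Store hashes with password_hash() and check with password_verify(); the
// unsalted MD5 found in the dump was reversed with a plain MD5 lookup.
function admin_password_matches(PDO $db, string $user, string $password): bool
{
    $row = find_admin($db, $user);
    return $row !== null && password_verify($password, $row['admin_password']);
}

// Connection setup: real server-side prepares and exceptions on SQL errors
// (no SQL error text should reach the login page, as it did in the write-up).
function connect(string $user, string $pass): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=beescms;charset=utf8mb4', $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```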

Summary

After the audit analysis, Beescms V4.0 has a backend administrator password brute-force vulnerability, a file upload vulnerability and a backend SQL injection vulnerability. The administrator password brute-force vulnerability leads to leakage of the administrator password; the file upload vulnerability lets an attacker take control of the system; the backend SQL injection vulnerability leads to leakage of the administrator password.

Repair suggestions

The backend administrator password brute-force vulnerability can be fixed by changing the captcha handling; the measures are as follows:

  1. A captcha may be used only once and expires immediately after use; it cannot be reused
  2. The captcha should not be too weak: use distortion, deformation, interference lines, background color noise and varied fonts, add a token, and make everything valid only once
  3. Give vague error messages
  4. Limit the request rate, and lock the account for a while after a certain number of errors
  5. Change the verification method to slider or graphical verification to defeat packet capture and replay
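Measures 1, 3 and 4 above come down to consuming the captcha on the server regardless of what the client sends and counting failures. The following is an added example, not Beescms code, of such a login check; the session keys captcha and login_fail, the limits, and the admin_password_matches() callback are assumptions.

```php
<?php
// Added example, not Beescms code: a single-use captcha plus a failure counter
// for the admin login. Session keys and limits below are assumptions.
const MAX_FAILURES = 5;        // lock after this many bad attempts
const LOCK_SECONDS = 15 * 60;  // lock duration in seconds

// The captcha is consumed on EVERY attempt, before comparison, so a client
// cannot keep one code alive by sending submit=false (the flaw described above).
function captcha_is_valid(array &$session, string $submitted): bool
{
    $expected = $session['captcha'] ?? null;
    unset($session['captcha']);           // single use, right or wrong
    if ($expected === null || $submitted === '') {
        return false;
    }
    return hash_equals(strtolower($expected), strtolower($submitted));
}

function record_failure(array &$session, int $now): void
{
    $fail = $session['login_fail'] ?? ['count' => 0, 'until' => 0];
    if (++$fail['count'] >= MAX_FAILURES) {   // threshold reached: lock
        $fail = ['count' => 0, 'until' => $now + LOCK_SECONDS];
    }
    $session['login_fail'] = $fail;
}

// $checkCredentials(user, password) is the site's own credential check.
function handle_login(array &$session, array $post, callable $checkCredentials): string
{
    $now = time();
    if (($session['login_fail']['until'] ?? 0) > $now) {
        return 'Too many attempts, try again later';
    }
    // Captcha first; the credential check only runs on a fresh, correct code.
    $ok = captcha_is_valid($session, $post['code'] ?? '')
        && $checkCredentials($post['user'] ?? '', $post['password'] ?? '');
    if (!$ok) {
        record_failure($session, $now);
        return 'Login failed';            // vague: do not reveal which check failed
    }
    unset($session['login_fail']);
    return 'OK';
}

// Usage at the top of the login script, after session_start();
// admin_password_matches() is a hypothetical credential check:
// echo handle_login($_SESSION, $_POST, fn($u, $p) => admin_password_matches($u, $p));
```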

The file upload vulnerability can be fixed by changing the image processing; the measures are as follows:

  1. After the second round of image processing, delete the source file or move it to another directory so that it cannot be found, preventing a one-sentence webshell from being planted

The SQL injection vulnerability can be fixed by changing the code or adding the measures below:

  1. Strictly separate the permissions of ordinary users and the system administrator. If an ordinary user embeds a Drop Table statement in a query, should it be allowed to execute? Since Drop statements affect basic database objects, a user must hold the relevant permission to run them
  2. Force the use of parameterized statements: when writing SQL, user-supplied variables are not embedded directly in the SQL text but passed as parameters, which effectively prevents SQL injection attacks
  3. Strengthen validation of user input: inspect and verify user-supplied content and force it through parameterized statements. SQL Server ships many input validation tools that help administrators deal with SQL injection. Test the contents of string variables and accept only the required values; reject input containing binary data, escape sequences or comment characters
  4. Make more use of SQL Server's security parameters. SQL Server provides relatively safe SQL parameters designed for this purpose; use them as far as possible during database design to prevent malicious SQL injection
  5. Regularly use professional vulnerability scanners to find possible points of attack, and find your site's weaknesses before someone attacks it
  6. Set up two accounts, one ordinary administrator account and one anti-injection account. Make the anti-injection account look like an administrator, for example admin, to create an illusion that attracts tool detection, and give it a password of more than 1000 Chinese characters so that a tool analyzing the account goes to full load or even crashes from resource exhaustion
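The upload fix above, and the rename behaviour found in section Two, come down to never leaving the raw upload in a web-served directory. The following is an added example, not Beescms code, of an upload handler that identifies the type from the bytes, re-encodes through GD under a random whitelisted name, deletes the original, and only then builds the thumbnail; $uploadDir and the function names are assumptions.

```php
<?php
// Added example, not Beescms code: upload handling that keeps no raw upload.
function store_uploaded_image(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Decide the type from the bytes, not from the client-supplied file name.
    $info = @getimagesize($file['tmp_name']);
    $decoders = [
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng',  'png'],
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  'gif'],
    ];
    if ($info === false || !isset($decoders[$info[2]])) {
        unlink($file['tmp_name']);
        return null;
    }
    [$decode, $encode, $ext] = $decoders[$info[2]];
    $img = @$decode($file['tmp_name']);
    unlink($file['tmp_name']);              // the raw upload is never kept
    if ($img === false) {
        return null;
    }
    // Server-chosen random name with a whitelisted extension; re-encoding
    // through GD writes pixels only, so bytes hidden in the original are lost.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $ok   = $encode($img, rtrim($uploadDir, '/') . '/' . $name);
    imagedestroy($img);
    return $ok ? $name : null;
}

// Thumbnail made from the clean copy. Both files keep image extensions, so
// stripping _thumb.png never leads back to a script file as in the write-up.
function make_thumbnail(string $srcPath, string $dstPath, int $width): bool
{
    $img = imagecreatefromstring((string) file_get_contents($srcPath));
    if ($img === false) {
        return false;
    }
    $thumb = imagescale($img, $width);      // height follows the aspect ratio
    imagedestroy($img);
    if ($thumb === false) {
        return false;
    }
    $ok = imagepng($thumb, $dstPath);
    imagedestroy($thumb);
    return $ok;
}
```

Pair this with web server configuration that denies script execution inside the upload directory, so that even a file that slips through cannot be run.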

Publisher: Full stack programmer webmaster. Please indicate the source when reprinting: https://javaforall.cn/151799.html Original link: https://javaforall.cn

Copyright notice
This article was written by Full stack programmer webmaster; please include the original link when reprinting, thanks
https://yzsam.com/2022/176/202206242153198749.html