Network security series (10): Logging in to a website backend with a "universal password"

Source: Internet
Author: User

Website backend login pages have an old vulnerability known as the "universal password": with a carefully constructed user name, and without entering any password at all, an attacker can log in to the backend. Its underlying principle is a form of SQL injection.

Assume that the database table holding user information is admin, that the field holding the user name is username and the field holding the password is password, and that the variables receiving the user name and password entered on the authentication page are $username and $password respectively. When the user submits the user name and password on the authentication page, they are handed to the following statement for processing:

SELECT * FROM admin WHERE username='$username' AND password='$password'

Thus, when the user enters the user name ' or ''=' the statement becomes:

SELECT * FROM admin WHERE username='' or ''='' AND password=''

In this statement the condition at the end of the WHERE clause is always true, so authentication is bypassed; this is the so-called universal password.

The single quotation marks at the beginning and end of a universal password are there to close and reopen the quotes that enclose the variable in the query statement. Once this feature is understood, universal passwords can be constructed at will, for example in the following forms:

' or 'a'='a' or 'a'='a

' or 'a'='a' or '

' or 1=1 or '

Below we set up an experimental environment to verify the universal password. The software NPMserv is used to build the platform; it quickly sets up an nginx+php+mysql web environment. The package contains two vulnerable PHP websites; to use one, simply rename the folder containing the site to www. Software: http://down.51cto.com/data/1886128.

After setting up the environment, visit the website:


Click "Admin Center" to log in to the backend. Enter a universal password in the "user name" field; the "password" field can be left empty or filled with anything:


You can log in successfully:


The following policy is configured in the WAF to filter out the universal password.

First, create a new policy named P-deny in policy management.


Then edit the policy under basic attack protection: set the status to On and the action to block.


Next, still under "basic attack protection", create a custom rule. Most of the features of the Shenzhou Digital WAF are implemented through custom rules, so this is the key part of the WAF configuration.

Here a rule named "NoPass" is created; its main job is to define a regular expression that filters out the injected SQL.

Set the detection domain to "Parameters", set the matching mode to "regular match", and enter the regular expression in the value field.

Here according to the characteristics of the universal password, I set the following regular expression:

.*'.*or.*'

. matches any single character;

* means the preceding expression appears zero or more times, so .* matches any number of characters. The rule therefore matches any parameter value that contains a single quote, then the letters "or", then another single quote, which is the shape of every universal password shown above.
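To make both halves of the article concrete, here is an added example (not code from the original post or from the NPMserv demo site) that rebuilds the vulnerable login query against an in-memory SQLite table, shows the same query with bound parameters, and applies the WAF regular expression above to a request parameter value. The table row and the login attempts are constructed sample data.

```python
import re
import sqlite3

# Constructed stand-in for the article's `admin` table; not the NPMserv site's data.
SAMPLE_USER, SAMPLE_PASSWORD = "admin", "S3cret!"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASSWORD))
    return db

def login_vulnerable(db, username, password):
    """Builds the query by string substitution, as in the article's
    SELECT * FROM admin WHERE username='$username' AND password='$password'.
    A quote in the input closes the literal, so the rest of the input is SQL.
    AND binds tighter than OR, so a payload whose last clause is an OR that
    is always true satisfies the WHERE whatever was typed as the password."""
    sql = (f"SELECT * FROM admin WHERE username='{username}' "
           f"AND password='{password}'")
    return db.execute(sql).fetchone() is not None

def login_safe(db, username, password):
    """Same query with bound parameters: the driver passes the input as a
    value, so it can never close the quote or append conditions."""
    sql = "SELECT * FROM admin WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone() is not None

# The article's WAF rule  .*'.*or.*'  applied to a single request parameter.
# As written it is case-sensitive and matches any value containing a quote,
# the letters "or", then another quote, so some legitimate input (for
# example a name such as O'Connor's) is rejected as well.
WAF_RULE = re.compile(r".*'.*or.*'")

def waf_blocks(value):
    return WAF_RULE.match(value) is not None

if __name__ == "__main__":
    db = make_db()
    for payload in ["' or 1=1 or '", "' or 'a'='a' or 'a'='a"]:
        print(repr(payload), "vulnerable:", login_vulnerable(db, payload, "wrong"),
              "safe:", login_safe(db, payload, "wrong"),
              "waf blocks:", waf_blocks(payload))
```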


When the policy is complete, go to service management and apply the P-deny policy to the web service created earlier.


Now, when a client tries again to log in to the backend with a universal password, the request is blocked and an error page is returned.


This article is from the blog "A Pot of Turbid Wine"; please contact the author before reproducing it.
