In many commercial programs, programmers may leave backdoors for some purpose. We will not discuss what that purpose is, but how an "ultimate backdoor" can be hidden in a program.
First, let's look at an example. Last year I wrote an article titled "The Second Security Detection on the Campus Network". It mentioned a backdoor along these lines: "... Hide your account as a backdoor! ... If I had not obtained the database first and analyzed it for a while before getting the program, I believe I would not have noticed this problem. One account does not appear when administrator accounts are queried in the back end, and it automatically disappears when the administrator views the login and operation logs ...". I knew nothing about JSP at the time. I downloaded the database through a Tomcat misconfiguration vulnerability, logged into the back end, and immediately found that there was a backdoor, but I did not know how it worked. This time we will carefully "dissect" the program.
Generally, a user list page queries the database and returns the rows to the browser. The queried data comes back as a result set, which the page iterates over row by row when rendering. Open the vulnerable page and find the code in the manager.jsp file that displays the user list (I have added comments): Figure 1
Find the important array variable manager and see where it comes from. Go up: Figure 2
The value of manager in the code is the array returned by calling the search method of managermgt. In a JSP program running on the server, in addition to the JSP files themselves, there are ".class" files in the classes directory under WEB-INF. These are compiled Java classes that can be used to instantiate objects. The managermgt object is an instance of the MgrMgt class. At the beginning of manager.jsp, all packages under "speedcharge.controller.*" are imported:
<%@ page contentType="text/html; charset=gb2312" language="java" import="java.sql.*, speedcharge.entity.*,speedcharge.controller.*" errorPage="" %>
A ".class" file stores Java bytecode compiled from a .java file, not the source code, so we need to decompile it. Use jad.exe to decompile it and find the search method of the MgrMgt class:
......
Manager amanager[] = null;
......
// Call the searchManager method
amanager = Manager.searchManager(s);
......
Continue to the searchManager method of the Manager class: Figure 3
See it! This program uses this SQL statement to make the user 'ilovethisgame' invisible when all administrators are queried in the back end. A similar method is used when recording logs: this user is skipped in the system logs. Other parts of the program, such as modifying administrators and logging in, are not affected.
In this example, the idea is quite creative, but the technique is not mature. As soon as I see the code or the data in the database, it gets caught step by step; even though I did not understand JSP before, I still broke the backdoor. In addition, the row in the administrator table of the database is just as obvious. Once the customer browses the database with a tool such as mysqladmin, will the data not be exposed? The backdoor's "footprint" is a little large and is easily discovered by the customer's database administrator.
MySQL 5.0 already supports stored procedures. For this example, the backdoor should be put into the database's stored procedures so that there are no such obvious traces in the program: when you read the code, you only see a call to a stored procedure that returns a result set. Encapsulate the statement "SELECT * FROM csmmanager WHERE managerid <> 'ilovethisgame'" in a stored procedure. A stored procedure returning a boolean is also called during login; if the user is ilovethisgame, that procedure passes it directly. The result is the same, but it is hidden. The code is simple and I will not write it; I only provide the train of thought.
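For a code reviewer or DBA who wants to catch the pattern described above, here is an added Python example (not code from the original article) that covers both places the article puts the filter: the SQL string inside the decompiled Manager class and the stored procedure bodies. It assumes the routine bodies have been fetched from MySQL's information_schema.ROUTINES; the sample routine bodies, the Java fragment and the account lists are constructed for the demonstration, and the routine names are hypothetical.

```python
import re

# Constructed samples. The routine bodies mimic ROUTINE_DEFINITION rows from
# MySQL's information_schema.ROUTINES (routine names are hypothetical); the
# Java fragment mimics what a decompiler prints for Manager.searchManager.
SAMPLE_ROUTINES = {
    "sp_list_managers":
        "BEGIN SELECT * FROM csmmanager WHERE managerid <> 'ilovethisgame'; END",
    "sp_write_log":
        "BEGIN IF p_user != 'ilovethisgame' THEN "
        "INSERT INTO syslog (user, action) VALUES (p_user, p_action); END IF; END",
    "sp_count_managers":
        "BEGIN SELECT COUNT(*) FROM csmmanager WHERE status = 'active'; END",
    "sp_check_login":
        "BEGIN IF p_user = 'ilovethisgame' THEN RETURN TRUE; END IF; "
        "RETURN EXISTS(SELECT 1 FROM csmmanager WHERE managerid = p_user AND pwd = p_pwd); END",
}
SAMPLE_JAVA_SOURCE = '''
public static Manager[] searchManager(String s) {
    String sql = "SELECT * FROM csmmanager WHERE managerid <> 'ilovethisgame'";
    // ... execute the query and build the array ...
}
'''

# An identifier, a negative comparison, then a quoted literal: the shape of
# "hide this one fixed value from every listing" in SQL, JSP or Java text.
LITERAL_EXCLUSION = re.compile(
    r"(\b\w+)\s*(<>|!=|NOT\s+IN|NOT\s+LIKE)\s*\(?\s*'([^']*)'", re.IGNORECASE)

# A login routine that returns success for one fixed name before checking anything.
LOGIN_SHORTCUT = re.compile(
    r"IF\s+(\w+)\s*=\s*'([^']*)'\s*THEN\s*RETURN\s+(?:TRUE|1)\b", re.IGNORECASE)


def find_literal_exclusions(text):
    """Return (identifier, operator, literal) for every hard-coded negative
    comparison against a string literal in the given text."""
    return [(ident, re.sub(r"\s+", " ", op.upper()), lit)
            for ident, op, lit in LITERAL_EXCLUSION.findall(text)]


def audit_routines(routines):
    """Flag stored routines that silently drop one value or short-circuit a login.

    Each finding is (routine, kind, identifier, operator, literal)."""
    findings = []
    for name, body in routines.items():
        for ident, op, lit in find_literal_exclusions(body):
            findings.append((name, "excludes", ident, op, lit))
        for ident, lit in LOGIN_SHORTCUT.findall(body):
            findings.append((name, "login-shortcut", ident, "=", lit))
    return findings


def reconcile_accounts(table_accounts, app_visible_accounts):
    """Accounts present in the raw table that the application's admin list never shows.

    A non-empty result means something between the table and the page is filtering."""
    return sorted(set(table_accounts) - set(app_visible_accounts))


if __name__ == "__main__":
    for finding in audit_routines(SAMPLE_ROUTINES):
        print("routine:", finding)
    for finding in find_literal_exclusions(SAMPLE_JAVA_SOURCE):
        print("source:", finding)
    # Constructed: rows from SELECT managerid FROM csmmanager vs. the page's list.
    print("hidden:", reconcile_accounts(["admin", "ilovethisgame", "ops"], ["ops", "admin"]))
```

The regex findings are review leads, not verdicts: a clause such as `status <> 'deleted'` is legitimate, so each hit has to be read in context. The reconciliation check is the one that does not depend on where the filter lives; comparing a direct dump of the administrator table with what the back-end page displays exposes the hidden row whether the exclusion sits in Java or in a stored procedure.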
In general, the aim is to reduce the backdoor's traces in the code and concentrate it in the database. There are several benefits:
1. Reduce the backdoor's footprint and the risk of detection.
2. The code developers do not need to know that such a backdoor exists; after the program is developed, a specific person changes the database stored procedures.
3. Stored procedures can be encrypted, reducing the risk further.
4. Even if it is exposed, it can be explained as a small problem left over from testing, which is convenient for shirking responsibility.
5. If one day the backdoor needs to be removed, you only need to apply an SQL patch file to the database.
As you can imagine, if I give you a trial version and you never buy the genuine version, I will be unhappy with you: I can log into your back end at any time and make some changes (legal ones, of course; if they were not legal you would not want to see them), there is no log of it on the system, and then I tell you that this "symptom" is a trial-version bug... (Shady... Really shady...)