Author: hacker brother Xiaoping. First published on i春秋 (ichunqiu).
Preface
This article started out as a slide deck that was never shared; since I had time on my hands, I turned it into a post. It really covers two points of knowledge: reverse thinking in code auditing, and second-order vulnerabilities. I have left out the rest and kept only the important parts. Second-order attacks are something I have only recently studied and only superficially, so please point out any mistakes to me, thank you.
Code Audit Learning Journey
People keep asking me how to learn code auditing and where to start. My unified reply is: I don't know...
But as an individual learning route, the road is long and hard; I recommend studying in the following order (roughly):
What I wrote above is "familiar with", but that is only for beginners. For a code auditor, proficiency in programming is a must; going deep into development and mastering one language thoroughly is the only way.
Knowledge point one: reverse variable tracking
In a code audit, auditing along the business flow is certainly necessary: a manual flow audit has the advantage of finding vulnerabilities more comprehensively, but the disadvantage of being inefficient. When the search is targeted at a specific vulnerability class, such as XSS, SQL injection or command execution, the reverse variable tracking technique stands out: tracing a variable backwards from the dangerous call quickly locates where a vulnerability exists. This time SQL injection is the example.
What is reverse tracking? As the name implies, it is looking up variables in reverse: start from the possible trigger point of the vulnerability (the dangerous function, or sink), then trace its parameters back toward the front end to see where their values come from and what processing they pass through on the way.
How do we locate things quickly during reverse tracking? Let's walk through the process together.
1. Look at the global file web.xml
web.xml is mainly the configuration loaded when the site starts: <listener/> configures listeners, <filter/> configures filters, <servlet/> configures servlet implementations. What we mainly check is whether a global filter strips or escapes special characters. Here, apparently, none does.
2. Find the trigger point of vulnerability
This time SQL injection is the example; I will not repeat the pile of documentation on SQL injection itself. SQL injection may exist when we see an SQL statement written like the following:
Whereas the secure version is written like this:
So the "word" argument may carry an SQL injection vulnerability. Next we trace "word" backwards to see how its value is passed in. Going back to the control layer, we find the "word" parameter:
Tracing it to the control layer already more or less confirms that the vulnerability exists and that there is no proper filtering, but to rule out the "search" method being called only internally, we keep tracing the "searchword" value to see whether it is passed in from the front-end page:
We find that "searchword" is passed in from the front-end page, so the vulnerability is confirmed. The sqlmap result is as follows:
The above is a simple reverse variable tracking tip. What? Too low? No way, that's just the level it is.
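As an added example, not code from the article or from the audited project, the script below automates the three steps above on a constructed web.xml and constructed Java snippets (the class names UserDao, SafeDao, UserService and UserController and the file names are hypothetical, modelled on the search chain the article walks through). It lists the filters that web.xml maps to /* so the auditor knows which classes to read, finds SQL strings built by concatenation, and walks each concatenated variable back caller by caller until it reaches request.getParameter. The prepared-statement version in SafeDao is included to show that it is not flagged.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs (hypothetical names), modelled on the chain the article describes.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter><filter-name>encodingFilter</filter-name>
    <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class></filter>
  <filter-mapping><filter-name>encodingFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <servlet-mapping><servlet-name>dispatcher</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""

SOURCES = {
    "UserDao.java": """public class UserDao {
    public List<User> search(String word) {
        String sql = "select * from user where name like '%" + word + "%'";
        return jdbcTemplate.query(sql, new UserRowMapper());
    }
}""",
    "SafeDao.java": """public class SafeDao {
    public List<User> search(String word) {
        String sql = "select * from user where name like ?";
        return jdbcTemplate.query(sql, new Object[]{"%" + word + "%"}, new UserRowMapper());
    }
}""",
    "UserService.java": """public class UserService {
    public List<User> search(String searchword) {
        return userDao.search(searchword);
    }
}""",
    "UserController.java": """public class UserController {
    public String list(HttpServletRequest request) {
        String searchword = request.getParameter("searchword");
        userService.search(searchword);
        return "list";
    }
}""",
}

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}
# An SQL string literal directly concatenated with a variable: the injection sink.
SINK_RE = re.compile(r'"[^"]*\b(?:select|insert|update|delete)\b[^"]*"\s*\+\s*(\w+)', re.I)
# A method declaration: group 1 = name, group 2 = parameter list.
METHOD_RE = re.compile(r"\b(\w+)\s*\(([^)]*)\)\s*\{")


def global_filters(web_xml):
    """Step 1: filters mapped to /* are the candidates for global special-character
    filtering; each returned class must be read to see what it really does."""
    root = ET.fromstring(web_xml)
    classes = {f.findtext("j:filter-name", namespaces=NS): f.findtext("j:filter-class", namespaces=NS)
               for f in root.findall("j:filter", NS)}
    return [(m.findtext("j:filter-name", namespaces=NS), classes.get(m.findtext("j:filter-name", namespaces=NS)))
            for m in root.findall("j:filter-mapping", NS)
            if m.findtext("j:url-pattern", namespaces=NS) == "/*"]


def find_sinks(sources):
    """Step 2: (file, line, variable) for every SQL string built by concatenation (one line at a time)."""
    return [(name, n, m.group(1))
            for name, code in sources.items()
            for n, line in enumerate(code.splitlines(), 1)
            for m in [SINK_RE.search(line)] if m]


def enclosing_method(code, var):
    """Name of the first method whose parameter list declares `var`, or None if it is a local."""
    for m in METHOD_RE.finditer(code):
        if re.search(r"\b%s\b" % re.escape(var), m.group(2)):
            return m.group(1)
    return None


def trace_back(sources, file, var, depth=0):
    """Step 3: walk from the sink variable back through its callers until the value is
    read from the request. Returns the chain of (file, variable-or-source) hops."""
    chain = [(file, var)]
    code = sources[file]
    src = re.search(r'\b%s\s*=\s*request\.getParameter\("([^"]+)"\)' % re.escape(var), code)
    if src:
        return chain + [(file, 'request.getParameter("%s")' % src.group(1))]
    method = enclosing_method(code, var)
    if method is None or depth > 10:          # local variable, or recursion guard
        return chain
    call = re.compile(r"\.%s\(\s*(\w+)\s*\)" % re.escape(method))
    for other, other_code in sources.items():
        m = call.search(other_code) if other != file else None
        if m:                                  # the caller's argument becomes the new variable
            return chain + trace_back(sources, other, m.group(1), depth + 1)
    return chain


def audit(sources):
    """Every sink with its reverse-tracking chain, keyed by file:line."""
    return {"%s:%d" % (f, n): trace_back(sources, f, v) for f, n, v in find_sinks(sources)}


if __name__ == "__main__":
    print("global filters:", global_filters(WEB_XML))
    for sink, chain in audit(SOURCES).items():
        print(sink, " <- ".join("%s %s" % hop for hop in chain))
```

A chain that ends in request.getParameter is the article's "passed in from the front-end page" result; a chain that stops early means the value is local or the method is only called internally, which is exactly the case the article says you must rule out before declaring the bug. The regexes are deliberately simple: SQL assembled across several lines or through a StringBuilder will be missed, so the script narrows the search, it does not replace reading the code.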
Knowledge point two: second-order vulnerability audit
Second-order vulnerabilities are also called second-order attacks. There is very little material on this online; I studied it for a while and found that second-order attacks come in many forms, and I have not understood all that many of them. This time I will talk about an easy-to-understand second-order command attack. Don't flame.
Second-order vulnerability definition:
The malicious payload submitted by an attacker is not passed directly through a variable to the vulnerable function; it goes through a variable conversion or a relay (for example, storage) and is only then delivered to the vulnerable function.
Second-order vulnerability features:
1. A change of vulnerability type is often present.
2. A variable relay is often present.
Second-order vulnerability types:
1. Conversion through an SQL injection vulnerability.
2. Variables relayed through encoding/decoding.
3. Other ways.
Second-order command attack
Second-order injection vulnerabilities are a widespread class of security vulnerability in web applications. A second-order injection is harder to discover than a first-order injection, but carries the same attack power.
The basic flow is as follows:
1. Construct the parameter
During a normal database insert, update or similar operation, a special command is constructed and stored in the database:
This is only to demonstrate the principle conveniently; real code may be more complex. Here the "cmd" parameter is constructed as "ipconfig" and stored in the database.
2. Extract the variable
A command attack occurs when, at some point inside the system, the parameter is read back and passed to the command-execution function.
After the Runtime function executes it, the command runs:
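The two steps above, as an added example that is not the article's code (the article's screenshots show Java; this uses Python's stdlib sqlite3 so it runs offline, and the task table, function names and the scheduled-job framing are assumptions). The request handler stores the "cmd" parameter with a parameterized INSERT, so a first-order audit of that function finds nothing; the job that later reads the row back is the second-order sink. The vulnerable sink returns the command line it would hand to a shell rather than executing it, and a hardened variant, added here (the article shows no fix), treats the stored value as untrusted input again.

```python
import re
import sqlite3

# Constructed second-order command injection (hypothetical table/function names).
ALLOWED_BINARIES = {"ipconfig", "ping"}        # what the scheduled job is meant to run
SHELL_META = re.compile(r"[;&|`$<>()\n]")      # characters that let a stored value grow a second command


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table task (id integer primary key, cmd text)")
    return conn


def store_task(conn, cmd):
    """Step 1 (construct the parameter): the request handler writes the user-supplied
    'cmd' with a parameterized INSERT. No SQL injection here, so a first-order audit of
    this function finds nothing: the taint is stored, not executed. Returns the row id."""
    cur = conn.execute("insert into task (cmd) values (?)", (cmd,))
    conn.commit()
    return cur.lastrowid


def run_task_vulnerable(conn, task_id):
    """Step 2 (extract the variable): a scheduled job reads the row back and hands it to
    a shell. Returns the command line that Runtime.exec("cmd /c " + cmd) would run;
    it is deliberately not executed here."""
    (cmd,) = conn.execute("select cmd from task where id = ?", (task_id,)).fetchone()
    return "cmd /c " + cmd   # second-order sink: trusted only because it came from the DB


def run_task_hardened(conn, task_id):
    """Same sink, hardened: the value read back from storage is validated like request
    input. Returns an argv list for an exec without a shell, or raises ValueError."""
    (cmd,) = conn.execute("select cmd from task where id = ?", (task_id,)).fetchone()
    argv = cmd.split()
    if not argv or argv[0] not in ALLOWED_BINARIES or SHELL_META.search(cmd):
        raise ValueError("rejected stored command: %r" % cmd)
    return argv


def audit_stored_tasks(conn):
    """Sweep rows already in the table: a second-order payload can sit in the DB long
    before the job that executes it runs. Returns (id, cmd, 'ok' | 'rejected')."""
    report = []
    for task_id, cmd in conn.execute("select id, cmd from task").fetchall():
        try:
            run_task_hardened(conn, task_id)
            report.append((task_id, cmd, "ok"))
        except ValueError:
            report.append((task_id, cmd, "rejected"))
    return report


if __name__ == "__main__":
    db = new_db()
    store_task(db, "ipconfig")               # the benign value the article stores
    store_task(db, "ipconfig & whoami")      # a second command smuggled through the relay
    for row in audit_stored_tasks(db):
        print(row, "->", run_task_vulnerable(db, row[0]))
```

The point for the auditor is that neither step looks dangerous on its own: store_task is a clean parameterized write, and run_task_vulnerable reads "its own" data. Reverse tracking from the exec sink has to continue past the SELECT into whatever wrote the row, which is the variable relay the definition above describes.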
Seeing this, some readers are surely confused, while the sharp ones have spotted the question: isn't this second-order attack no different from stored XSS?
Strictly speaking, stored XSS is not a second-order attack. Although stored XSS also uses the database as a relay, it only takes effect when a human clicks, whereas a second-order attack is actively carried out by the application itself after storage; that is the fundamental difference.
Conclusion
The above two points are purely my personal understanding; please point out anything that is wrong.
Java Code Audit Serial----Spice up