Hack attack: in a WEB application hidden Backdoor-vulnerability warning-the black bar safety net

ID MYHACK58:62200715006
Type myhack58
Reporter 佚名
Modified 2007-04-13T00:00:00


In many commercial programs,the programmer might, for some purposes, in the program left by the back door. We do not discuss the purpose of doing so is what, just talk about how in the program to hide an“ultimate back door.”

First of all for everyone to see an example, last year I wrote an article for the campus network of the secondsecurity testing mentioned in the text of a similar back door:“...the hidden account do the back door now!... If not I'll get to the database, the analysis after a period of time to get into the program, I believe I wouldn't pay attention to this problem. Certain accounts in the background to query the administrator account, he does not appear in the admin query log and work log of the time he disappear to...”. At the time the JSP don't understand, by TOMCAT is not configured correctly vulnerability to download the database, and then landing back, immediately found wrong, know that there is a back door, but don't know what is the principle, this time we put the program carefully“dissected”.

In General, in the page displayed on the user list, is by the page to query the data in the database, and then returns to the browser. Check out the data is a bunch of“result set”, the page display time will take them one by one to traverse it. Open vulnerability exists in the page manager. jsp file code find to display a list of users of the code, I added comments to: !

Found to have an important array variable manager, see if it is how come to be on the look: !

You can see the code in manager is the value by calling the managermgt the search method returns the array. JSP program on the server runs under, In addition to the JSP file itself, in the WEB-INF directory under the classes directory, there are some“. class files”,they're already written JAVA classes that can be used to instantiate objects. Managermgt object is MgrMgt this class is instantiated out, in manager. jsp, start the import of the“speedcharge. controller.*” Under all the packages.

<%@ page contentType="text/html; charset=gb2312" language="java" import="java. sql., speedcharge. entity., speedcharge. controller.*" using the errorpage="" %>

“. class”file is stored in the java byte code is made. The JAVA file compiled, not source code. So we need to decompile back. Use“jad.exe”to decompile, and then find MgrMgt class of search methods:

...... Manager amanager[] = null;......// Call searchManager method amanager = Manager. searchManager(s);......

Continue to find, the Manager class searchManager methods.


See! This app from this SQL statement on to do the hands and feet, let the customer in the background to query all administrators can't see'ilovethisgame'this user,logging the time, also used a similar method, resulting in the system log ignore the user. While the program elsewhere, such as modifying the admin, login, and other places is not affected.

In this example, the overall idea is creative, but the technique is not Mature, as long as see the code, or see the data in the database, it will be me layer by layer caught out, even in I used to not understand the JSP of the case also put the back door pulling out. And database administrators table of data is also obvious, once the clients use the mysqladmin for a class of tools to browse the database, not just the exposure? The back door of the“coverage”is a bit big, easy to be clients of a database administrator find.

MYSQL version 5.0 already supported by the stored procedure, for this example, it should be the back door into the database of the stored procedure, so that the program will not appear so obvious traces. When customers see the code, only to see a return of the result set of a stored procedure, put this sentence"SELECT * FROM csmmanager WHERE managerid <> 'ilovethisgame'"of the package to the stored procedure. The landing also called a return value is a Boolean stored procedure, to determine if the user is ilovethisgame, directly through. The effect is the same, but very hidden, the code is simple, I do not write,only an idea.

In General, we should try to reduce the code in the back door of the traces, the focus throw to the database. There are so few big benefits.

1, to avoid the back door cover surface is too large, reducing to be found the risk.

2, The code development administrators do not have to know there's a back door, and other program development is completed, by a particular person database of the storage process of a change.

3, the stored procedure can be encrypted, but also reduces the risk.

4, even if exposed, can be interpreted as a test program when the legacy of small problems. Conducive to shirk responsibility.

5, one day need to clear the back door, just to the database to add a SQL file patch.

Can imagine, if I give you a trial version, and you have not bought genuine, I am against you, at any time in any place log into your back office, make some legitimate program on the permit, and unlawful-you do not want to appear to the operating system is not on the log, and then tell you about this“phenomenon”belongs to the trial version of BUG...black...really black...)