MTL - My Hi-tech Library-Chapter 6 Massive vulnerabilities
The vulnerability scanning tool has been written.
Li Yi started the test.
Log in to the Hackerone platform, register an account, log in to the platform, enter the vulnerability public testing project initiated by a company, and obtain the IP address of the relevant server. Next, Li Yi launches his self-made vulnerability scanning tool with one click.
The next second, the green code waterfall frantically emerged, the vulnerability scanning tool ran smoothly, and each sub-module began to work to analyze the vulnerability of the service site.
…
Fenggu Technology, a listed software company headquartered in Magic City, aims to promote the deep integration of informatization and industrialization, and improve the level of urban intelligence. Its business covers steel, transportation, medicine, chemical industry, finance, and other industries, and it is deeply involved in software. In the field, he has the ultimate pursuit of software security and system security.
Zhang Peiyong, the head of Fenggu Science and Technology Department, just like in the past, turned on the computer as soon as possible after going to work, checked his mailbox, reviewed the work progress of his subordinates, and planned the next step.
Suddenly, there was a knock on the door, interrupting Zhang Peiyong's thoughts.
"Come in!" Zhang Peiyong raised his eyes and looked out the door.
"Brother Yong, it's not good. A lot of bugs have been found in the Rongcheng Smart Cloud project. After fixing these bugs, the workload is almost equivalent to knocking it down and redoing it." A young man with sparse hair, Zhao Xiaohui, pushed in the door and reported with a sad face.
"Rongcheng Wisdom Cloud? Which project is open for public testing on the platform?" Zhang Peiyong looked at Zhao Xiaohui calmly and asked.
"Yes! A master has uncovered a lot of loopholes." Zhao Xiaohui confirmed with a bitter face.
Zhang Peiyong quickly opened the platform and logged into the background.
The next moment, the website backend displays a piece of vulnerability data, RCE vulnerability, SQL injection vulnerability, account hijacking vulnerability, CORS, CSRF, source code leak, rate limit, ..., etc., a total of 227 vulnerabilities.
Zhang Peiyong saw his scalp go numb.
There are so many?
real or fake!
Zhang Peiyong was full of disbelief, and clicked on the data of an RCE vulnerability.
This vulnerability targets a subdomain target, and its .git directory was discovered when using Dirb to explode the directory. When using in-depth detection, the POST parameters of the call were not filtered and audited, and it was associated with a remote code execution vulnerability.
Zhang Peiyong's expression tightened, and according to the vulnerability description above, he immediately started the test.
Zhang Peiyong put his hands on the keyboard and made a burst of operations. Soon, according to the description of the vulnerability, he directly cut into the vulnerability of the Rongcheng Smart Cloud project.
Oh shit!
There really is this loophole.
Zhang Peiyong panicked and continued to test the next loophole without any faith.
Soon, Zhang Peiyong demonstrated according to the description of the vulnerability discoverer, and successfully obtained all the source code of the application service on the site. This vulnerability is much more serious than the previous RCE vulnerability.
A drop of cold sweat fell on Zhang Peiyong's forehead.
If this vulnerability is not discovered, once the project is launched, it will be exploited, which will seriously threaten the data security of customers.
Zhang Peiyong took a deep breath and continued to look at the next loophole.
This is an account hijacking vulnerability. By replacing the email address with the email address of another user, the password contained in the request package can be used to replace and change the account password of others. The whole process does not require any verification mechanism.
Zhang Peiyong continuously tested five or six loopholes, and each loophole was real.
very good!
Zhang Peiyong was both angry and happy, and his mood was very complicated.
The reason for his anger is that his technical team wrote a bug with many loopholes, which is simply a pile of rubbish.
The reason for the happiness is that these problems were found out, which avoided handing them over to customers and created huge hidden dangers.
"Brother Yong, what do you do next?" Zhao Xiaohui asked anxiously, looking at Zhang Peiyong's angry face.
"What to do? What to do! Everyone helped us find the loopholes, why don't you just leave it alone? Tell everyone to gather in the conference room!" Zhang Pei shouted in a desperate manner.
"Okay!" Zhao Xiaohui bowed in response and left the office as if fleeing.
Zhang Peiyong stood up and rushed to the conference room to arrange revision tasks.
Not long after, in the conference room, there were bursts of mourning from the programmers.
There are more than 200 loopholes to be corrected within the specified time limit. The huge workload and the long-term overtime work, weekends, holidays, etc., are destined for a period of time in the future. Don't even think about it.
Watching his subordinates leave one by one in despair, Zhang Peiyong also had a sad face. He originally planned to spend the weekend with his daughter on her birthday. If the project had such a serious problem, he, the person in charge, would definitely not be able to leave.
"Brother Yong, how should the bug finder be rewarded? If there are more than 200 bugs, if the reward is too much, the financial side will definitely not approve the money." Zhao Xiaohui looked at Zhang Peiyong nervously and asked for instructions.
Hearing this, Zhang Peiyong's face became even more ugly.
Generally speaking, digging a loophole will usually give the discoverer several thousand or even tens of thousands of bonuses. If it is replaced by international giants such as Microsoft and Apple, if a major loophole is discovered, they can even get hundreds of thousands or even tens of millions of bonuses. , the unit is still the US knife.
The reward of several thousand yuan for a bug is very small.
Even if a loophole is only given a few thousand, more than two hundred loopholes will cost nearly one million. For the company, it is a large unexpected expenditure. It is strange that the financial manager does not bother him. UU reading www.uukanshu.com
Moreover, the money has to be given. This guy can find so many loopholes. He must be a master of technology. Who knows, does he have other loopholes in his hands?
It is not appropriate to give less, and the finances will not approve if you give too much.
Thinking of this question, Zhang Peiyong was overwhelmed.
"Brother Yong, if it's all right, I'll go to work first!" Seeing Zhang Peiyong's face getting worse and worse, Zhao Xiaohui hurriedly said goodbye.
"Wait a minute, I have a task for you." Zhang Peiyong quickly stopped Zhao Xiaohui.
Zhao Xiaohui paused, showing a remorseful face, wishing he could slap himself.
I want you to talk more, now, here comes the mission!
"Brother Yong, what is the mission!" Zhao Xiaohui turned around and asked with a wry smile.
"You can get in touch with this expert and get a price cut." Zhang Peiyong arranged.
"Brother Yong, I don't know how to bargain! Why don't you talk to him in person!" Zhao Xiaohui looked embarrassed, it was hard to say.
"You talk to him first, if you can't reach an agreement, I'll go out. There must be a transition, understand?" Zhang Peiyong looked at Zhao Xiaohui and reminded.
"Okay! Brother Yong, what are your expectations for bargaining?" Zhao Xiaohui nodded and asked.
"Of course, the fewer the better. A loophole is two or three thousand, and a serious one is less than ten thousand. Try it and see if you can talk about it." Zhang Peiyong replied.
"Brother Yong, this is too little! Can he agree?" Zhao Xiaohui scratched his head, feeling that this task was very difficult.
"Do your best! Such a large expenditure will definitely be deducted from the project bonus. For everyone's bonus, please do your best! I really can't talk about it, I will talk about it again." Zhang Peiyong encouraged.
When such a big pot was smashed down, Zhao Xiaohui was instantly stunned, confused, and walked out of the conference room somehow.