
Website vulnerabilities. Checking a site. A program for scanning a site for vulnerabilities

The problem of web security has never been as acute as it is in the 21st century. Of course, this is due to the pervasive spread of the Internet into every sector and field. Every day hackers and security specialists find new website vulnerabilities. Many of them are closed quickly by owners and developers, while others remain as they are, and those are used by malefactors. With the help of a compromised site, serious harm can be done both to its users and to the servers that host it.

Types of site vulnerabilities

When web pages are built, many related technologies are used. Some are mature and time-tested, others are new and not yet settled. In any case, there are many kinds of site vulnerabilities:

  • XSS. Every site has small forms. Through them, users enter data and get some result, register, or send messages. By substituting specially crafted values into these forms, it may be possible to trigger the execution of a particular script, which can lead to a breach of the site's integrity and to data being compromised.
  • SQL injection. The most common and effective way of gaining access to confidential data. It can happen either through the address bar or through forms. It is carried out by substituting values that the scripts do not filter and that end up executing queries against the database. With the right knowledge, this can lead to a security breach.
  • HTML injection. Almost the same as XSS, but what is injected is not script code but HTML.
  • Lack of protection for files and directories left in their default locations. For example, knowing the structure of the web pages, one can reach the code of the admin panel.
  • Insufficiently secure configuration of the server operating system. If such a vulnerability exists, an attacker may be able to execute arbitrary code.
  • Weak passwords. One of the most obvious website vulnerabilities is the use of weak credentials to protect an account, especially one with administrator rights.
  • Buffer overflow. Exploited when data is substituted from memory so that one's own changes can be made. It occurs when imperfect software is used.
  • Substitution of a web resource's pages. An exact copy of the site is created; the user may not suspect the fake and enters personal data, which after a while ends up with the attacker.
  • Denial of service. Basically, this term refers to an attack on a server that receives a large number of requests it cannot process, so it simply "falls over" or becomes unable to serve real users. The vulnerability lies in a misconfigured IP filter.

Searching for site vulnerabilities

Security specialists perform a special audit of web resources for errors and flaws that could lead to compromise. Such a site check is called pentesting. In this process, the source code used by the CMS, the presence of vulnerable modules and many other interesting checks are analyzed.

SQL injection

This type of site check determines whether the script filters the values it receives when composing queries to the database. The simplest test can be done by hand. How do you find a SQL vulnerability on a site? Let's look at it now.

For example, there is a site my-site.rf. Its main page has a catalog. Going into it, you can find something like my-site.rf/?product_id=1 in the address bar. It is likely that this is a request to the database. To look for a site vulnerability, you can first try adding a single quote character to this line. In the end it should read my-site.rf/?product_id=1'. If you see an error message after pressing "Enter" on the page, then there is a vulnerability.

Now various options for selecting values can be used. Union operators, exceptions, comments and many others are used.
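The manual check above, as an added example that is not part of the original article: a lookup that builds the SQL by string concatenation (the unfiltered script the article describes) beside a parameterized version, both run against a constructed in-memory SQLite catalog. The names `make_db`, `lookup_vulnerable`, `lookup_safe` and `probe` and the sample rows are this example's own assumptions, not the article's.

```python
import sqlite3

# Constructed in-memory catalog standing in for the my-site.rf database
# (sample data for this example, not taken from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "Kettle"), (2, "Toaster"), (3, "Blender")])
    return conn

def lookup_vulnerable(conn, product_id):
    """Builds the query by concatenation, like the vulnerable script in the
    article. The ?product_id= value is spliced in unfiltered, so a stray
    quote changes the SQL grammar and the database reports a syntax error:
    exactly the symptom the article tells you to look for."""
    sql = "SELECT id, name FROM products WHERE id = '" + product_id + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, product_id):
    """Hardened version: validate the parameter's shape, then bind it with a
    placeholder. The driver sends the value separately from the SQL text, so
    a quote is only data and can never be parsed as part of the query."""
    if not product_id.isdigit():
        return []  # reject anything that is not a plain integer id
    sql = "SELECT id, name FROM products WHERE id = ?"
    return conn.execute(sql, (int(product_id),)).fetchall()

def probe(lookup):
    """Replays the article's manual check against a fresh database: request
    product_id=1, then product_id=1', and report whether the second request
    produced a database error."""
    conn = make_db()
    normal = lookup(conn, "1")
    try:
        lookup(conn, "1'")
        errored = False
    except sqlite3.Error:
        errored = True
    return normal, errored

if __name__ == "__main__":
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        rows, errored = probe(fn)
        print(f"{name}: product 1 -> {rows}; quote causes DB error: {errored}")
```

The concatenating version errors on the quote while the bound version simply returns no rows, which is the behaviour the input-filtering advice at the end of the article asks for.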

XSS

This type of vulnerability comes in two kinds: active and passive.

Active XSS involves injecting a piece of code into the database or directly into a file on the server. It is more dangerous and unpredictable.

Passive XSS involves luring the victim to a specific address on the site that contains malicious code.

Using XSS, an attacker can obtain cookies, and these may contain important user data. An even worse consequence is session theft.

A hacker can also use a script on the site so that a form, when submitted by the user, sends the entered information directly to the attacker.

Automating the search

On the Internet you can find many interesting vulnerability scanners for sites. Some are distributed separately, others come bundled in distributions that collect them into a single image, such as Kali Linux. Below is an overview of the most popular tools for automating the collection of information about vulnerabilities.

Nmap

The simplest site scanner, which can show details such as the operating system, the ports and the services in use. An example of a typical launch:

nmap -sS 127.0.0.1, where instead of the local IP you substitute the real address of the site under test.

The output will tell you which services are running and which ports are open at the moment. Based on this information, you can try to use already known vulnerabilities.

Here are a few nmap switches for more selective scanning:

  • -A. Aggressive scan, which gives a lot of information but can take a long time.
  • -O. Tries to determine the operating system used on the server.
  • -D. Substitutes the IP addresses the check appears to come from, so that someone viewing the server logs cannot tell where the attack came from.
  • -p. Port range. Checks several services for being open.
  • -S. Lets you specify the desired source IP address.

WPScan

This site vulnerability scanner is included in the Kali Linux distribution. It is intended for checking web resources running the WordPress content management system. It is written in Ruby, so it is launched like this:

ruby ./wpscan.rb --help. This command shows all the available switches and options.

For a simple check, you can use the command:

ruby ./wpscan.rb --url some-site.ru

In general, WPScan is a fairly easy-to-use utility for checking your WordPress site for vulnerabilities.

Nikto

This site vulnerability scanner is also available in the Kali Linux distribution. For all its simplicity, it has rich functionality:

  • Scanning over the HTTP and HTTPS protocols;
  • Evasion of many built-in detection mechanisms;
  • Scanning of many ports, even in a non-standard range;
  • Support for proxy servers;
  • The ability to implement and connect plug-ins.

To use nikto, you need to have perl installed on your system. The simplest analysis looks like this:

perl nikto.pl -h 192.168.0.1

The program can also be "fed" a text file listing web server addresses:

perl nikto.pl -h file.txt

This utility will help not only security specialists conducting pentests, but also network and resource administrators keeping their sites healthy.

Burp Suite

A very powerful tool not only for checking sites but for monitoring any network. It has a built-in function for modifying the requests sent to the server under test. Its smart scanner can automatically look for several types of vulnerabilities at once. The results of the current work can be saved and the work resumed later. It is flexible, letting you not only use third-party plug-ins but also write your own.

The utility has its own graphical interface, which is undoubtedly convenient, especially for novice users.

SQLmap

Probably the most convenient and powerful tool for finding SQL and XSS vulnerabilities. Its list of advantages can be summarized as follows:

  • Support for almost all types of database management systems;
  • The ability to use six basic techniques for detecting and applying SQL injection;
  • A mode for enumerating users, their hashes, passwords and other data.

Before SQLmap is used, a vulnerable site is usually found through search engines, using search queries that help filter out the web resources of interest.

The page addresses are then passed to the program, which checks them. If a vulnerability is found, the utility can exploit it and gain full access to the resource.

Webslayer

A small utility that lets you carry out a brute-force attack. It can "brute" resource forms, sessions and site parameters. It supports multithreading, which is good for performance. Passwords in nested pages can also be brute-forced. There is proxy support.

Online checking resources

The Internet offers several tools for checking sites for vulnerabilities online:

  • Coder-diary.ru. A simple site for testing. It is enough to enter the address of the resource being checked and click "Check". The search may take a long time, so you can specify your e-mail address so that when the check is finished, the result is sent straight to your mailbox. The database contains about 2500 known vulnerabilities.
  • https://cryptoreport.websecurity.symantec.com/checker/. An online service from Symantec for checking SSL and TLS certificates. Only the address of the resource being checked is required.
  • https://find-xss.net/scanner/. The project checks an individual PHP script file, or an archive of them in ZIP format, for vulnerabilities. You can specify the file types to be scanned and the characters by which data in the script is escaped.
  • http://insafety.org/scanner.php. A scanner for checking sites built on the "1C-Bitrix" platform. A simple and intuitive interface.

Vulnerability checking algorithm

Any network security specialist performs a check following a simple algorithm:

  1. First, manually or with automated tools, analyze whether there are vulnerabilities on the site. If there are, determine their type.
  2. Depending on the type of vulnerability found, plan further steps. For example, if the CMS is known, the corresponding attack method is chosen. If it is SQL injection, then queries to the database are selected.
  3. The main task is to obtain privileged access to the admin panel. If this cannot be achieved, it may be worth testing a form and the address structure by injecting a script into it and then passing it to the victim.
  4. If any attack or penetration succeeds, data collection begins: are there more vulnerabilities, and what flaws exist.
  5. Based on the data obtained, the security specialist tells the site owner about the existing problems and how to eliminate them.
  6. The vulnerabilities are eliminated by the owner's own hands or with the help of third-party specialists.

A few security tips

Those who develop their own website independently will find these simple tips and recommendations useful.

Incoming data must be filtered so that scripts or queries cannot run on their own or return data from the database.

Use complex, strong passwords for the admin panel login to resist possible brute-forcing.

If the site is built on a CMS, update it as often as possible and use only verified plug-ins, templates and modules. Do not overload the site with unnecessary components.

Regularly check the server logs for suspicious events or actions.
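To make the log-review tip concrete, an added example that is not part of the original article: a small Python review script that parses constructed access-log lines in the common "combined" format and flags requests whose query parameters carry the quote or tag characters used in the manual checks described earlier, rating a 5xx response to such a request as the highest severity. The log lines, IP addresses and function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed "combined" access-log lines (sample data, not from the article).
# The third line is the article's probe: product_id=1' answered with a 500.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2018:12:00:01 +0000] "GET /?product_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2018:12:00:04 +0000] "GET /?product_id=2 HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2018:12:00:09 +0000] "GET /?product_id=1%27 HTTP/1.1" 500 731 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:12:01:13 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 2210 "-" "curl/7.58"
198.51.100.7 - - [10/Mar/2018:12:01:20 +0000] "GET /about HTTP/1.1" 200 1800 "-" "curl/7.58"
"""

# client ip, timestamp, method, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def suspicious_params(path):
    """Returns the names of query parameters whose decoded value carries a
    quote or a tag opener, the two injection markers the article describes."""
    hits = []
    for key, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        decoded = unquote(value)
        if "'" in decoded or '"' in decoded or "<" in decoded:
            hits.append(key)
    return hits

def review_log(text):
    """Flags requests carrying injection markers. A 5xx reply to such a
    request is the error symptom the article describes, so it is rated high;
    a 2xx/4xx reply to the same kind of request is rated medium."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        ip, when, method, path, status = match.groups()
        params = suspicious_params(path)
        if not params:
            continue
        severity = "high" if status.startswith("5") else "medium"
        findings.append({"ip": ip, "time": when, "method": method,
                         "params": params, "status": int(status),
                         "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```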

Check your site with several scanners and services.

Correct server configuration is the guarantee of its stable and safe operation.

If possible, use an SSL certificate. This will prevent the interception of personal or confidential data passing between the server and the user.

Security tools. It makes sense to install or connect software that prevents intrusions and external threats.

Conclusion

This article has turned out to be quite long, but even so it is not enough to describe in detail every aspect of network security. To cope with the task of protecting information, you will have to study a lot of material and documentation, and also master a whole set of tools and technologies. You can seek advice and help from specialized companies that conduct pentests and audits of web resources. Although such services cost a fair amount, a site compromise can cost far more, both economically and in reputation.
