CN105631342A - Penetration test method in allusion to mobile geographic information security of underground pipelines - Google Patents
- Publication number: CN105631342A (application CN201510968253.2A)
- Authority: CN (China)
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
Abstract
The invention discloses a penetration testing method for the mobile geographic information security of underground pipelines. The method comprises the following steps: changing the suffix of an APK file to zip and decompressing the compressed file to obtain the class.dex file therein; copying the class.dex file into the directory containing the dex2jar.bat file, executing the command dex2jar class.dex on the command line, and generating a class-dex2jar.jar file in the current directory; opening the jd-gui code inspection tool, importing the class-dex2jar.jar file and inspecting the reversed application source code; setting the address of a test machine and collecting the server-side interface list using the test machine; and scanning the server for vulnerabilities with the Burp Suite tool through the server-side interface list, outputting a vulnerability analysis report to the test machine, and carrying out SQL injection testing against the server side with the sqlmap tool to detect SQL injection vulnerabilities. The penetration testing method can find vulnerabilities in the application service programs on underground pipeline map servers for the mobile GIS applications that carry underground pipeline route data, so as to prevent leakage of underground pipeline data.
Description
Technical field
The present invention relates to the technical field of security testing for the mobile geographic information of underground pipelines, and more particularly to a penetration testing method for the mobile geographic information security of underground pipelines.
Background technology
With the acceleration of urbanization, the various urban pipe networks overlap and interweave, competing haphazardly for the city's limited underground space. In recent years accidents involving underground pipelines have been frequent, and the resulting explosions, fires and toxic gas releases have seriously endangered public safety. Traditional geographic information system (GIS) technology can no longer meet the daily needs of pipeline operation and maintenance management.
In the prior art, mobile GIS is supported by the mobile Internet, uses smartphones or tablet computers as terminals, and combines BeiDou, GPS or base-station positioning; it is a new hot technology following desktop GIS and WebGIS. Mobile positioning, mobile office work and the like are increasingly becoming urgent needs of enterprises and individuals, but as underground pipeline mobile applications come into wide use, the security of underground pipeline data is becoming an increasingly prominent problem. Research into security testing methods for mobile GIS application systems is therefore urgently needed.
In the prior art, the mainstream underground pipeline mobile GIS system is an integrated system with a spatial database as data support, a geographic application server as the core application, a wireless network as the communication bridge, and mobile terminals as the data-collection and application tools. Underground pipeline mobile GIS terminal devices include personal digital assistants (PDAs), portable computers, WAP (Wireless Application Protocol) mobile phones, GPS positioning instruments and the like; the software is mainly embedded GIS application software. The user sends a service request from the terminal to the remote geographic information server, then receives and displays the computation result returned by the server. Underground pipeline mobile GIS applications are based on mobile terminal devices, and portable, low-power mobile terminals with strong computing capability are increasingly the first choice of mobile GIS users. The geographic application server is the key component of the underground pipeline mobile GIS system and its GIS engine: it provides large-scale geographic services, as well as spatial analysis and query services, to underground pipeline mobile GIS users.
Under normal circumstances the underground pipeline mobile GIS terminal application calls the service resources of the geographic server through a WebAPI (web application interface) to perform the related retrieval and query operations. This pattern ties the security of underground pipeline data to web security. The underground pipeline mobile app interacts with the server side by means of web services, and the server side is also a website that publishes information, so the common web vulnerabilities exist on the server side just the same, such as SQL (Structured Query Language) injection, file upload and middleware/server vulnerabilities. However, because the underground pipeline mobile app does not embed web pages directly but instead uses API interfaces that return JSON (JavaScript Object Notation) data, scanner crawlers cannot crawl links, and penetration testing cannot be carried out against the underground pipeline GIS mobile terminal application.
Hence there is a strong need for a security testing method for underground pipeline mobile geographic information that is based on penetration testing theory, is highly versatile, has wide coverage and is highly flexible.
Summary of the invention
The object of the present invention is to provide a penetration testing method for the mobile geographic information security of underground pipelines.
To achieve the above object, the present invention adopts the following technical solution:
A penetration testing method for the mobile geographic information security of underground pipelines, comprising the following steps:
changing the suffix of the APK file to zip, decompressing the compressed file, and obtaining the class.dex file therein;
copying the class.dex file to the directory containing the dex2jar.bat file, executing the command dex2jar class.dex on the command line, and generating a class_dex2jar.jar file in the current directory;
opening the jd-gui code inspection tool, importing the class_dex2jar.jar file, and inspecting the reversed application source code;
setting the address of the test machine, and collecting the server-side interface list using the test machine;
using the Burp Suite tool to scan the server for vulnerabilities through the server-side interface list and outputting a vulnerability analysis report to the test machine, while using the sqlmap tool to carry out SQL injection testing against the server side to detect SQL injection vulnerabilities.
Preferably, in the step "opening the jd-gui code inspection tool, importing the class_dex2jar.jar file generated in step S2 above, and inspecting the reversed application source code", for a mobile application that is not obfuscated, the application source code is inspected; for an obfuscated mobile application, the apkTool tool is used to parse the structure files so as to resolve their garbled content.
Preferably, in the step "opening the jd-gui code inspection tool, importing the class_dex2jar.jar file generated in step S2 above, and inspecting the reversed application source code", the server WebAPI interface list is retrieved from the reversed program source files.
Preferably, the Burp Suite tool is an integrated platform for attacking web applications.
Preferably, the sqlmap tool is a free open-source tool for detecting and exploiting SQL injection vulnerabilities.
The beneficial effects of the present invention are as follows:
(1) Compared with the prior art, the testing method can, for mobile GIS applications carrying underground pipeline route data, find vulnerabilities in the application service programs on the underground pipeline map server, thereby preventing leakage of underground pipeline data and ensuring system security;
(2) Compared with the prior art, the penetration testing method carries out penetration testing against a patrol and inspection app for the underground pipelines of a certain city, which implements on the mobile application the viewing of underground pipeline route information, the retrieval of comprehensive information, and the editing of some map-layer features.
Description of the drawings
Specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of the test system used by the penetration testing method for the mobile geographic information security of underground pipelines provided by the embodiment of the present invention;
Fig. 2 is a flow chart of the penetration testing method for the mobile geographic information security of underground pipelines provided by the embodiment of the present invention;
Fig. 3 shows the directory of the decompressed APK file;
Fig. 4 is a schematic diagram of the jd-gui code inspection tool;
Fig. 5 shows the setting of the test machine;
Fig. 6 shows penetration testing with Burp Suite.
Detailed description of the invention
In order to illustrate the present invention more clearly, it is described further below with reference to preferred embodiments and the drawings. Similar parts in the drawings are indicated by the same reference numerals. Those skilled in the art will appreciate that the following specific description is illustrative and not restrictive, and should not be taken to limit the scope of the invention.
As shown in Fig. 1, the test system used by the penetration testing method for the mobile geographic information security of underground pipelines provided by this embodiment comprises a server 1, a mobile terminal 2 and a test machine 3. The mobile terminal 2 is generally the hand-held mobile phone or tablet computer of the operational staff engaged in underground pipeline mobile geographic information security work. The test machine 3 is used by the tester to carry out penetration testing of underground pipeline mobile geographic information security.
As shown in Fig. 2, the penetration testing method for the mobile geographic information security of underground pipelines provided by this embodiment comprises the following steps:
S1: change the suffix of the APK file to zip, decompress the compressed file, and obtain the class.dex file therein, as shown in Fig. 3;
S2: copy the class.dex file to the directory containing the dex2jar.bat file, execute the command dex2jar class.dex on the command line, and generate a class_dex2jar.jar file in the current directory, as shown in Fig. 3;
S3: open the jd-gui code inspection tool, import the class_dex2jar.jar file generated in step S2, and inspect the reversed application source code, as shown in Fig. 4;
In this step, for a mobile application that is not obfuscated, the application source code is inspected; for an obfuscated mobile application, the apkTool tool is used to parse the structure files so as to resolve their garbled content;
The server WebAPI interface list is retrieved from the reversed program source files;
S4: set the address of the test machine, and collect the server-side interface list using the test machine, as shown in Fig. 5;
S5: use the Burp Suite tool to scan the server for vulnerabilities through the server-side interface list and output a vulnerability analysis report to the test machine, while using the sqlmap tool to carry out SQL injection testing against the server side to detect SQL injection vulnerabilities, as shown in Fig. 6.
In step S5 above, the Burp Suite tool is an integrated platform for attacking web applications. Burp Suite contains many tools, and numerous interfaces are designed for these tools to speed up the process of attacking an application. All of the tools share a powerful, extensible framework that handles and displays HTTP messages, persistence, authentication, proxies, logging and alerting.
In step S5 above, the sqlmap tool is a free open-source tool for detecting and exploiting SQL injection vulnerabilities.
Steps S1 to S3 above are the information-collection stage of the penetration testing method; their main purpose is to obtain the WebAPI interfaces of the underground pipeline map server. The penetration testing method uses the dex2jar and apkTool tools to reverse the underground pipeline mobile application and thereby obtain the map server API.
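The information-collection stage (S1 to S3) in working form, as an added example that is not part of the patent: a Python script that opens the APK as the zip archive it already is, checks the DEX magic of each classes.dex member (the entry name an APK actually uses; the text writes class.dex) and lists the server WebAPI endpoints referenced in the DEX string pool, which is what the jd-gui inspection is used to find. The APK bytes and the gis.example.invalid host are constructed for the demonstration.

```python
"""Information-collection stage (steps S1 to S3) of the pipeline mobile GIS
penetration test, reduced to code. Added example, not from the patent; the
APK below is constructed in memory so the script runs offline."""
import io
import re
import zipfile

# Every DEX file begins with "dex\n", a 3-digit version and a NUL byte.
DEX_MAGIC = b"dex\n"
DEX_NAME_RE = re.compile(r"classes\d*\.dex")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
PATH_RE = re.compile(rb"/(?:api|rest|webapi)/[A-Za-z0-9._/{}-]+")


def dex_magic_ok(data: bytes) -> bool:
    """True if the bytes carry a DEX header; catches a wrong or renamed entry."""
    return data.startswith(DEX_MAGIC)


def list_dex_members(apk_bytes: bytes) -> list[str]:
    """Step S1: an APK is already a zip archive, so no suffix rename is needed.
    Multidex builds ship classes.dex, classes2.dex, ...; return them all."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return [n for n in apk.namelist() if DEX_NAME_RE.fullmatch(n)]


def read_dex(apk_bytes: bytes, member: str) -> bytes:
    """Extract one DEX member and check its magic before handing it to dex2jar."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        data = apk.read(member)
    if not dex_magic_ok(data):
        raise ValueError(f"{member} is not a DEX file (header {data[:4]!r})")
    return data


def collect_endpoints(apk_bytes: bytes) -> list[str]:
    """Steps S2/S3 in miniature: the URL constants a decompiler shows in the
    reversed source already sit in the DEX string pool, so scanning the raw
    bytes of every DEX yields the server-side interface list (S4's input).
    Absolute URLs are matched first and removed, so a path such as /rest/... is
    only reported separately when it appears as a relative path on its own."""
    found = set()
    for member in list_dex_members(apk_bytes):
        dex = read_dex(apk_bytes, member)
        found.update(URL_RE.findall(dex))
        found.update(PATH_RE.findall(URL_RE.sub(b"", dex)))
    return sorted(m.decode("ascii", "replace") for m in found)


def build_sample_apk() -> bytes:
    """Constructed APK: two DEX files naming a GIS server, plus a resource file
    with a URL and a binary manifest, neither of which is a DEX and both of
    which must be ignored."""
    dex1 = (b"dex\n035\x00" + bytes(40)
            + b"\x00https://gis.example.invalid/rest/layers/pipes\x00"
            + b"\x00/api/pipes/query\x00\x00/api/stats/summary\x00")
    dex2 = (b"dex\n035\x00" + bytes(40) + b"\x00/api/pipes/query\x00"
            + b"\x00http://gis.example.invalid/webapi/login\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", dex1)
        apk.writestr("classes2.dex", dex2)
        apk.writestr("res/raw/config.txt", b"https://ignored.example.invalid/x")
        apk.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    print("DEX members:", list_dex_members(apk))
    for endpoint in collect_endpoints(apk):
        print("  ", endpoint)
```

On a real APK the resulting list is the starting point for the S4 interface inventory; an unexpectedly empty list usually means the strings are obfuscated or loaded at runtime, which is the case the text routes to apkTool.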
The penetration testing method carries out penetration testing against a patrol and inspection app for the underground pipelines of a certain city, which implements on the mobile application the viewing of underground pipeline route information, the retrieval of comprehensive information, and the editing of some map-layer features. The server hosts the underground pipeline GIS server; the mobile terminal accesses the map layers published on the server by means of a REST API, and by submitting the relevant query and statistics request parameters implements the search function for comprehensive underground pipeline information.
Obviously, the above embodiments of the present invention are merely examples given to illustrate the invention clearly and are not limitations on its embodiments. Those of ordinary skill in the art may make other changes or variations in different forms on the basis of the above description; not all embodiments can be listed exhaustively here, and all obvious changes or variations derived from the technical solution of the present invention remain within its scope of protection.
Claims (5)
1. A penetration testing method for the mobile geographic information security of underground pipelines, characterised in that the penetration testing method comprises the following steps:
changing the suffix of the APK file to zip, decompressing the compressed file, and obtaining the class.dex file therein;
copying the class.dex file to the directory containing the dex2jar.bat file, executing the command dex2jar class.dex on the command line, and generating a class_dex2jar.jar file in the current directory;
opening the jd-gui code inspection tool, importing the class_dex2jar.jar file, and inspecting the reversed application source code;
setting the address of the test machine, and collecting the server-side interface list using the test machine;
using the Burp Suite tool to scan the server for vulnerabilities through the server-side interface list and outputting a vulnerability analysis report to the test machine, while using the sqlmap tool to carry out SQL injection testing against the server side to detect SQL injection vulnerabilities.
2. The penetration testing method for the mobile geographic information security of underground pipelines according to claim 1, characterised in that in the step "opening the jd-gui code inspection tool, importing the class_dex2jar.jar file generated in step S2 above, and inspecting the reversed application source code", for a mobile application that is not obfuscated, the application source code is inspected; for an obfuscated mobile application, the apkTool tool is used to parse the structure files so as to resolve their garbled content.
3. The penetration testing method for the mobile geographic information security of underground pipelines according to claim 1, characterised in that in the step "opening the jd-gui code inspection tool, importing the class_dex2jar.jar file generated in step S2 above, and inspecting the reversed application source code", the server WebAPI interface list is retrieved from the reversed program source files.
4. The penetration testing method for the mobile geographic information security of underground pipelines according to claim 1, characterised in that the Burp Suite tool is an integrated platform for attacking web applications.
5. The penetration testing method for the mobile geographic information security of underground pipelines according to claim 1, characterised in that the sqlmap tool is a free open-source tool for detecting and exploiting SQL injection vulnerabilities.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510968253.2A CN105631342A (en) | 2015-12-22 | 2015-12-22 | Penetration test method in allusion to mobile geographic information security of underground pipelines |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105631342A true CN105631342A (en) | 2016-06-01 |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106844766A (en) * | 2017-02-23 | 2017-06-13 | 郑州云海信息技术有限公司 | The method and device of a kind of compressed file decompression |
CN109241707A (en) * | 2018-08-09 | 2019-01-18 | 北京邮电大学 | Application program obscures method, apparatus and server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20160601 |