Security Mini Camp in Chugoku 2017 (Hiroshima): Introduction to Web Application Vulnerability Assessment

mrtc0
October 31, 2017

Transcript

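  1. What is a vulnerability?
     - A security flaw in a computer's OS or software that arises from a program defect or a design mistake
     - http://www.soumu.go.jp/main_sosiki/joho_tsusin/security/basic/risk/…
     - In short, an exploitable bug
     - Rewriting the content of a website
     - Leaking information that should stay confidential
     - Cheating, impersonation and so on
     - It lets someone harm other people or the service
     - Loss of trust, compensation for financial losses and so on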
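  2. Background
     - The heyday of the Web
     - Everything is exchanged over the Web
     - The Web keeps getting more complex
     - Frameworks keep multiplying
     - The arrival of Electron and React Native
     - Are the world's web applications actually safe?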
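  3. Background
     - Protection comes from web application frameworks, browsers and the specifications of the Web itself
     - They block the obvious cases (XSS, SQL Injection, CSRF)
     - They do not block everything
     - Once you leave the rails, it is easy to build a vulnerability in
     - The standard of the world's web applications is low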
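  4. Vulnerability assessment tutorial
     - Try user registration, login, and posting, editing and deleting posts
     - For each operation, pay attention to:
       - Which method is used?
       - Which parameters are sent, and what do they mean?
       - What response comes back?
     - Ex: login authenticates with the POST method, and after login a redirect sends the user to the top page.
     - Take care not to enter passwords you normally use or other important information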
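  5. Things to watch for with session IDs
     - A session ID must be unpredictable to a third party
     - Do not put the session ID in the URL
       - https://example.com/mypage?jsessionid=abcdefgh
       - The Referer header sends it to the URL of any linked site
     - Issue a new session ID after a successful login
       - Session Fixation (session fixation attack)
     - When the site is used over HTTPS, set the secure attribute
       - Keeping the cookie off plain HTTP prevents theft by eavesdropping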
  6. How XSS works
     - ">" and "<" injected while the HTML is generated are output without escaping, so they are treated as HTML tags.

         // $str = <script>alert(1)</script>
         <p><?php echo $str; ?></p>
         <p><script>alert(1)</script></p>

         // $str = "><script>alert(1)</script>
         <input id="name" value="<?php echo $str; ?>" />
         <input id="name" value=""><script>alert(1)</script> />
  7. How to test for XSS
     - Make an alert appear

         "><script>alert(1)</script>
         '; alert(1); //
         <img src="x" onerror="alert(1)" />

     - Check whether HTML can be inserted

         "><s>XSS</s>
         "><h1>XSS</s>

     - DOM Based XSS

         var el = document.getElementById("item")
         el.innerHTML = foo; // foo = <script>alert(1)</script>
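  8. Basic XSS countermeasures
     - The basic countermeasure is to escape the following HTML metacharacters when outputting HTML
       - &lt;
       - &gt;
       - &amp;
       - &quot;
     - Recent frameworks (template engines) escape automatically
     - Not escaping has to be requested explicitly (so, conversely, it is hard to introduce the bug by accident)

         # Rails(erb)
         <%= raw @post.body %>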
  9. In Rails
     - Do not output links naively. Restrict them to http, https and the like.
     - Restrict with a whitelist so that javascript:, data: and similar schemes are not allowed

         // Bad
         <%= link_to link, link %>
         <a href="<%= link %>"><%= link %></a>

         // Good
         <%= sanitize link_to link, link %>

     - Implementation of escaping
       - https://github.com/rails/rails/blob/master/activesupport/lib/active_support/core_ext/string/output_safety.rb
       - http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
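The scheme restriction described on slide 9, as an added example in plain Ruby (not code from the deck, and not how Rails' `sanitize` is implemented). `safe_link_url` and `render_link` are hypothetical helper names, and the inputs in the usage note are constructed.

```ruby
require "uri"
require "cgi"

# Assumption: the application only wants ordinary web links.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns the normalised URL when it is an absolute http(s) URL, otherwise nil.
def safe_link_url(raw)
  return nil unless raw.is_a?(String)
  # Browsers strip tabs, newlines and other control characters inside a
  # scheme ("java\tscript:"), so any such character rejects the value.
  return nil if raw =~ /[\x00-\x20\x7f]/
  uri = URI.parse(raw)
  return nil unless uri.scheme && ALLOWED_SCHEMES.include?(uri.scheme.downcase)
  return nil if uri.host.nil? || uri.host.empty?
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Renders an anchor only for allowed URLs; anything else becomes inert,
# HTML-escaped text.
def render_link(raw)
  url = safe_link_url(raw)
  return CGI.escapeHTML(raw.to_s) if url.nil?
  escaped = CGI.escapeHTML(url)
  %(<a href="#{escaped}">#{escaped}</a>)
end
```

`render_link("javascript:alert(1)")` returns the text unchanged and without an anchor, while `render_link("https://example.com/?a=1&b=2")` returns an anchor whose `&` is escaped as `&amp;`.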
  10. XSS countermeasures are hard
     - They tend to become case by case
     - You want to allow specific HTML tags or user-supplied CSS

         "><svg/onload=alert(1)
         <p style="x:expression(alert(1))">

     - You want to render Markdown or another markup language to HTML

         [example.com](javascript:alert(1))

       - https://hackerone.com/reports/…
     - 安全なウェブサイトの作り方 (How to Secure Your Website): cross-site scripting
       - https://www.ipa.go.jp/files/…
     - DOM based XSS prevention cheat sheet
       - https://jpcertcc.github.io/OWASPdocuments/CheatSheets/DOMbasedXSSPrevention.html
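  11. Mitigations
     - The vulnerability still exists, but exploitation is pushed down to a level where it is difficult
     - The httponly attribute of cookies
       - JavaScript can no longer touch the cookie value, which protects against session hijacking
     - The X-XSS-Protection header
       - The browser's XSS detection and prevention feature
     - CSP (Content Security Policy)
       - A mechanism designed to mitigate XSS
       - Nothing but the specified scripts is allowed to run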
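  12. Vulnerability assessment tutorial
     - Operations beyond one's privileges
       - The session is not checked, so changing a parameter lets you create a post as any user
     - XSS
       - Execution of malicious JavaScript, display of false information
     - CSRF
       - Specific operations are executed with the victim's privileges
     - SQL injection
       - Information leakage and more through unauthorized modification of the SQL statement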
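  13. Cause
     - A vulnerability that takes advantage of how the Web works
     - A form may submit to any domain
       - A page on evil.com can submit to example.com
       - When it does, the cookies are sent to the target site automatically
     - Confirm that the request is legitimate (intended by the user)
       - Embed a CSRF token
       - Check the Referer (in some cases it is not sent)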
  14. That said, look at what year it is
     - This is the age of Ajax (XHR)
     - "I want to POST from JavaScript in Rails"

         <%= form_for @post, remote: true do |f| %>

     - The CSRF token from the meta tag is set in the X-CSRF-Token header
       - https://github.com/rails/jquery-rails/blob/master/vendor/assets/javascripts/jquery_ujs.js#L…

         X-CSRF-Token: KvDjn0XOpeK2dXiJ0sKXMzFYmnfQrkoY...

     - Django: https://docs.djangoproject.com/en/…/ref/csrf/#ajax
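  15. That said, this is the age of the SPA
     - How should CSRF be handled?
     - Require a custom header, and do not respond to OPTIONS
       - A preflight request is sent before the actual processing
     - Authenticate with a JWT sent in a header, in a stateless manner
       - The token is often stored in localStorage, but there is of course nothing like httpOnly there, so XSS has to be stamped out through sheer effort
     - http://d.hatena.ne.jp/hasegawayosuke/…
       - The Origin is a correct URL and X-From is present
     - The Origin is correct and XHR Request-With is present
       - https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers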
  16. SQL injection

         SELECT * FROM post WHERE title LIKE '%#{title}%'

         // #{title} = "title"
         SELECT * FROM post WHERE title LIKE '%title%'

         // #{title} = "O'Reilly"
         SELECT * FROM post WHERE title LIKE '%O'Reilly%'

         // #{title} = "title'; DELETE FROM post;-- "
         SELECT * FROM post WHERE title LIKE '%title'; DELETE FROM post;-- %'

     - Login form: a name value of the form user … OR … sent together with pass turns the query into SELECT … FROM user WHERE name … OR … AND password …, and the result is "Login Success"
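  17. Testing as safely as possible
     - Search with an AND condition that is always true
     - Search with an AND condition that is always false

         SELECT * FROM posts WHERE (title = 'hoge' AND 1=1)--
         SELECT * FROM posts WHERE (title = 'hoge' AND 1=2)--

     - 1=1 is True, so the same search results come back
     - 1=2 is False, so the whole expression is False and nothing comes back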
  18. Testing as safely as possible
     - String concatenation
       - https://example.com/?search=…
       - Confirm that "test" and "te||st" return the same response

         SELECT * FROM posts WHERE (title = 'te' || 'st')

     - Confirm through errors
       - https://example.com/?search=… → error
       - https://example.com/?search=… → OK

         SELECT * FROM posts WHERE (title = ''') # Syntax Error
         SELECT * FROM posts WHERE (title = '''')
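  19. Testing as safely as possible
     - Numbers
       - https://example.com/post/…
       - Confirm that a number and an arithmetic expression with the same value return the same response

         SELECT * FROM posts WHERE (id = 2+1)

     - sleep
       - https://example.com/?search=test…
       - test … AND (SELECT * FROM (SELECT(SLEEP(…)))a)…
       - Send the request and confirm that the response comes back about that many seconds later

         SELECT * FROM posts WHERE (title = 'test' AND (SELECT * FROM (SELECT (SLEEP(10)))a))--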
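  20. Countermeasures
     - Build SQL statements with static placeholders
       - Variable parameters (variables and so on) are embedded at the "?"
       - The database compiles the SQL statement, and the values are then bound

         SELECT * FROM posts WHERE (title = ?)

     - The iron rule is to use the ORM's features properly and not concatenate strings
       - Frameworks such as Rails (or rather their ORMs) provide methods for this
       - There is no need to concatenate SQL strings yourself
       - Conversely, string concatenation in a query that is not even complex should make you suspicious

         Post.where(title: title)
         # SELECT * FROM posts WHERE (title = 'title');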
  21. Placeholders in Rails

         # Good
         Post.where("title = ?", title)

     - Do not build queries by string concatenation (interpolation)

         # Bad
         Post.where("title = '#{title}'")
         Post.find_by_sql("SELECT * FROM posts WHERE title = '#{title}'")

     - Even ActiveRecord has methods that do not sanitize their arguments, so write SQL with care
       - https://rails-sqli.org
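  22. Other vulnerabilities
     - Forced browsing
       - Private posts can be viewed by accessing their URL directly
       - The ids are sequential numbers (paths of the form /posts/ followed by a number), so they are easy to guess
       - For example, when sharing arbitrary files, "check that the requester is a user the file was shared with" or "issue a sufficiently complex, long id (a long random string after /posts/)"
     - Points that are better improved, rather than vulnerabilities as such
       - The HttpOnly and secure attributes are not set on cookies
       - Login over HTTP is possible
       - No account lockout
       - Weak passwords (such as "password") can be used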
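  23. Open redirect
     - When redirecting to a specified page, the application redirects to an arbitrary URL chosen by the attacker
       - https://example.com/login?redirect=http://evil.com
     - The user accessed the domain because they trusted it, yet is redirected to a malicious site, which damages that trust
     - Phishing, for example by showing a fake form at the redirect destination
     - Do not take the redirect destination from user input. Use a whitelist.
     - https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
     - http://gihyo.jp/dev/serial/…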
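The whitelisting of redirect destinations from slide 23, as an added example in plain Ruby (not code from the deck). `REDIRECT_HOSTS`, `DEFAULT_REDIRECT` and `safe_redirect_target` are hypothetical names, and the host list is an assumption.

```ruby
require "uri"

# Assumption: the only hosts this application may redirect to.
REDIRECT_HOSTS = %w[example.com www.example.com].freeze
DEFAULT_REDIRECT = "/"

# Returns a destination that is safe to redirect to. Anything that is not
# a local path or an https URL on a whitelisted host falls back to "/".
def safe_redirect_target(param)
  return DEFAULT_REDIRECT unless param.is_a?(String) && !param.empty?
  # Browsers normalise backslashes and control characters in URLs, so a
  # value containing them may not go where the parser says it goes.
  return DEFAULT_REDIRECT if param =~ /[\x00-\x20\x7f\\]/
  uri = URI.parse(param)
  if uri.scheme.nil? && uri.host.nil?
    # Local path: exactly one leading "/" ("//host" is scheme-relative).
    local = param.start_with?("/") && !param.start_with?("//")
    return local ? param : DEFAULT_REDIRECT
  end
  return DEFAULT_REDIRECT unless uri.scheme.to_s.downcase == "https"
  return DEFAULT_REDIRECT unless REDIRECT_HOSTS.include?(uri.host.to_s.downcase)
  return DEFAULT_REDIRECT if uri.userinfo   # https://user@example.com/
  uri.to_s
rescue URI::InvalidURIError
  DEFAULT_REDIRECT
end
```

The slide's own case, a `redirect` parameter of `http://evil.com`, comes back as `/`.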
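  24. Protecting against password leaks
     - Never store passwords in plaintext. Encryption is no good either.
     - Salt + hash + stretching
     - Offer a password reset, not a password reminder
     - Not holding passwords yourself, for example by using OAuth, is also an option
     - Recent frameworks adopt highly secure algorithms
       - Rails → bcrypt (just add has_secure_password to the model)
       - Django → PBKDF2
     - http://www.atmarkit.co.jp/ait/articles/…
     - https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet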
  25. Mass Assignment
     - It is most often discussed for Rails, but it happens in any framework
     - In Rails, validate with Strong Parameters
       - The values of the HTTP request are checked before being passed to the logic

         # Controller
         class Users < ApplicationController
           def create
             # params[:user] = {:name => "mrtc0", :password => "pass"}
             @user = User.create params[:user]
           end
         end

         # HTTP Request Body
         user[name]=mrtc0&user[password]=pass&user[is_admin]=true
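  26. File upload
     - DoS protection
       - Set an upper limit on file size to prevent huge files from being sent
       - Or run the processing asynchronously
     - Restrict the file type
       - Determine the file type from the MIME type, magic number and so on, not from the extension
       - So that malicious Ruby or PHP scripts with a disguised extension cannot be uploaded
     - Use a random value for the file name when saving
       - If that is not possible, whitelist the permitted characters
       - So that a name such as one pointing at passwd cannot cause directory traversal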
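The checks from slide 26 (size limit, type detection by magic number rather than extension, random stored name), as an added example in plain Ruby that is not code from the deck. The size limit, the accepted types and the names `MAGIC`, `UploadRejected` and `accept_upload` are assumptions.

```ruby
require "securerandom"

MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # assumption: 5 MiB upper limit

# Magic numbers of the image types this hypothetical application accepts.
MAGIC = {
  "png" => "\x89PNG\r\n\x1a\n".b,
  "jpg" => "\xFF\xD8\xFF".b,
  "gif" => "GIF8".b
}.freeze

class UploadRejected < StandardError; end

# Validates an upload and returns the file name to store it under.
# client_name is deliberately never used to build the stored name, so a
# disguised extension or a traversal sequence in it has no effect.
def accept_upload(client_name, data)
  bytes = data.b
  raise UploadRejected, "file too large" if bytes.bytesize > MAX_UPLOAD_BYTES
  type, = MAGIC.find { |_ext, magic| bytes.start_with?(magic) }
  raise UploadRejected, "unsupported content" if type.nil?
  "#{SecureRandom.hex(16)}.#{type}"
end
```

A PHP script uploaded as `shell.png` is rejected because its first bytes are not an image signature, and a GIF uploaded under a traversal-style name is stored under a random `.gif` name.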
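  27. File upload
     - When an uploaded archive is to be extracted, check the file types and the extracted size before extracting
       - This prevents attacks using symbolic links, zip bombs and so on
       - https://hackerone.com/reports/…
     - Set access restrictions and permissions properly
       - So that users without viewing rights cannot view or download the files
     - Consider uploading to a cloud storage service such as S3 as the storage location
       - It is a safety-net measure, but separating storage from the application mitigates security problems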
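  28. eval
     - A function that evaluates a string as code

         eval('alert(1)')

     - It allows arbitrary code execution, so take countermeasures such as never passing external input as its argument
     - Note that functions with equivalent capabilities exist under names other than eval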
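  29. Security-related HTTP headers
     - There are many, but these are the ones to set for a start
     - X-XSS-Protection: 1; mode=block
       - Enables the XSS Filter / Auditor
     - X-Content-Type-Options: nosniff
       - Because IE sometimes ignores the Content-Type
     - X-Frame-Options: SAMEORIGIN
       - Prevents clickjacking
     - The right values naturally depend on the application, so set them appropriately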
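  30. Let's do a vulnerability assessment
     - Form a team at each table and carry out the assessment
     - At the end, each team presents the vulnerabilities it found
       - On which screen (URL)
       - After which operation
       - Which vulnerability was found
       - What impact it has within this application (and, if possible, the countermeasure)
     - After the presentations, upload a brief report of the vulnerabilities your team found to Cybozu Live.
     - We recommend assessing efficiently, for example by having one person switch to writing the report once something is found.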
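  31. Vulnerability reporting time
     - A representative of each team presents on the vulnerabilities the team found
       - On which screen (URL)
       - After which operation
       - Which vulnerability was found
       - What impact it has within this application (and, if possible, the countermeasure)
     - After presenting, share the brief report on Cybozu Live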
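  32. Notes (repeated)
     - Never assess applications that are outside your own purview
     - Bug bounty programs
       - hackerone: https://www.hackerone.com
       - The Cybozu vulnerability reward program
     - Report to IPA
       - https://www.ipa.go.jp/security/vuln/report/
       - Submit a report with at least the level of detail of the brief report written today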
  33. References
     - 体系的に学ぶ 安全なWebアプリケーションの作り方
       - https://www.amazon.co.jp/dp/…
     - めんどうくさいWebセキュリティ
       - https://www.amazon.co.jp/dp/…
     - 安全なウェブサイトの作り方
       - https://www.ipa.go.jp/security/vuln/websecurity.html
     - Rails SQL Injection
       - https://rails-sqli.org
     - OWASP Top 10
       - https://www.owasp.org/index.php/…