Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Best Practices - The Upload
Search
Orange
August 21, 2024
190
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Best Practices - The Upload
Webconf 2013
Orange
August 21, 2024
More Decks by Orange
See All by Orange
Security in PHP 那些在滲透測試的小技巧
p8361
0
320
網頁安全 Web Security 入門
p8361
0
320
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
p8361
13
37k
那些 Web Hacking 中的奇技淫巧
p8361
16
15k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
p8361
6
13k
PHPConf 2013 - 矛盾大對決
p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
p8361
15
13k
駭客看 Django
p8361
25
13k
Featured
See All Featured
Learning to Love Humans: Emotional Interface Design
aarron
275
41k
Java REST API Framework Comparison - PWX 2021
mraible
34
9.4k
Fireside Chat
paigeccino
42
4k
How to Get Subject Matter Experts Bought In and Actively Contributing to SEO & PR Initiatives.
livdayseo
0
150
Everyday Curiosity
cassininazir
0
250
Understanding Cognitive Biases in Performance Measurement
bluesmoon
32
2.9k
Building Applications with DynamoDB
mza
96
7.1k
A better future with KSS
kneath
240
18k
Paper Plane (Part 1)
katiecoart
PRO
0
9.5k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
38
2.9k
Lightning Talk: Beautiful Slides for Beginners
inesmontani
PRO
2
590
Public Speaking Without Barfing On Your Shoes - THAT 2023
reverentgeek
1
450
Transcript
2013/01/13 @ WebConf <
[email protected]
>
• aka Orange • 2009 • 2011, 2012 • 2011
AVTOKYO • 2012 PHP Conf • 2012 VXRLConf • – – Web Security – Windows Vulnerability Exploitation
• CHROOT Security Group • NISRA • Disclosed – MS12-071
/ CVE-2012-4775 • http://blog.orange.tw/
None
None
1. Reconnaissance – Google Hacking, Reversed Whois, AXFR …… 2.
Scanning – SYN/ACK Scan, TCP NULL/FIN/Xmas/Mainmon/Window Scan, SCTP INIT Scan, Hydra, Nessus …… 3. Gaining Access – Heap/Stack/V-table Overflow, ROP, Heap Spray, System Misconfiguration, Metasploit, Exploit Database …… 4. Maintaining Access – Privilege Escalation, Trojan, Backdoor, Rootkit, Code/DLL Injection, API Hook, LD_PRELOAD, Anti AV/Debugger …… 5. Clearing Tracks – Syslog, WTMP/UTMP, Event Log, Shell(Bash/Explorer) ……
None
– Upload? – Web log? Dabase log?
• • – <?php eval( $_REQUEST[cmd] );?> – Runtime.getRuntime().exec( cmd
) – <%eval request("cmd") %> – __import__('os').system(cmd)
https://github.com/evilcos/python-webshell/
None
None
None
None
None
None
None
http://www.lu-chen.com/
None
None
• – PHP CGI PATH_INFO • – /index.php/module/login – /index/module/login
• – /userfiles/mypic.jpg – /userfiles/mypic.jpg/nihao.php
• – Huffman table – EXIF • – copy /b
rst.jpg+backdoor.php dst.jpg • – http://orange.tw/exif.jpg
None
None
• • • •
• – – – • – php phtml php3 php4
php5 – asp asa cer cdx shtml – aspx asax ascx ashx asmx http://www.hitcon.org/download/2010/5_Flash Exploit.pdf#Page.20
None
– AddHandler application/x-httpd-php .jpg • – .php*
None
https://speakerdeck.com/allenown/the-internet-is-not-safe-webconf-taiwan-2013
https://www.facebook.com/TWWDB
(htaccess ^ ^)
• • – user.jpg .jpg – user.php.jpg .jpg
– user.php.xxx .php – user.php.xxx.ooo .php
None
• – IIS < 7 – Asp.net ^__< • –
http://webconf.orange.tw/files/a.asp/user.jpg • – http://webconf.orange.tw/files/user.asp;aa.jpg user.asp;aa.jpg
None
None
filename Content-Type File header
None
• Update your sense and software. • User controlled filename
is always dangerous. – Whatever filename, extension or temporary filename. • Use Image library to valid or strip the image. • Disabled the directory’s execution permission you uploaded to.
• • – htaccess • – Apache – IIS •
•
None
Q & A
[email protected]