Upgrade to Pro — share decks privately, control downloads, hide ads and more …

脆弱なアプリを書く技術

akiym
October 31, 2014
Technology
11
8.2k

 脆弱なアプリを書く技術

Hokkaido.pm #12

補足: Mojo 5.48にて->paramの挙動が変更された

akiym

October 31, 2014
Tweet

More Decks by akiym

See All by akiym
CPAN Module Hacks
akiym
0
1.9k
Perlコーディングテクニック2018
akiym
0
10k
新時代のテストフレームワークTest2
akiym
2
18k
Hokkaido.pm#11
akiym
0
4.3k
Herokuで学ぶ、初めてのPerl
akiym
5
2.7k
Perl meets Leap Motion
akiym
0
1.3k
github止まり モジュール5選
akiym
0
1.2k
Skype効率化
akiym
1
1.4k

Other Decks in Technology

See All in Technology
Cloudflare WorkersとKVで キャッシュを非同期に更新する | Cloudflare Meetup Nagoya
aiji42
0
130
チームで導入する Jetpack Compose あの素晴らしいLTをもう一度.ver
kako351
1
180
Race Conditions em Microsserviços: Desmistificando um Problema Comum em Arquiteturas Distribuídas
jordihofc
0
380
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
10
25k
PHPマジックメソッドクイズ!/PHP Magic Method Quiz
ykanoh
0
280
世界モデルによる4脚ロボットの歩行学習
robots
1
320
スマート東京実施戦略_2023(令和5)年度の取組
tokyo_metropolitan_gov_smart_tokyo_strat
0
530
軽率に休学したら Babylon.js×WebARで 夢を3つ叶えてた / my dreams with babylon.js and WebAR
drumath2237
0
140
WebGLやCanvasを使ったデータ可視化コンテンツ開発/nikkei-tech-talk5-3
nikkei_engineer_recruiting
0
150
計測できるレガシーさを捉え、コード改善に対処する / phperkaigi2023
blue_goheimochi
0
230
AstroNvim を使おう!
ybrliiu
0
210
数年先の金融DX/AI活用
abenben
1
310

Featured

See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
349
27k
The Web Native Designer (August 2011)
paulrobertlloyd
77
2.3k
Raft: Consensus for Rubyists
vanstee
130
5.8k
Building Flexible Design Systems
yeseniaperezcruz
314
35k
Side Projects
sachag
451
38k
Unsuck your backbone
ammeep
660
56k
Git: the NoSQL Database
bkeepers
PRO
419
60k
Fireside Chat
paigeccino
17
2k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.3k
Imperfection Machines: The Place of Print at Facebook
scottboms
255
12k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k

Transcript

  1. ੬ऑͳΞϓϦΛॻٕ͘ज़
    BLJZN
    )PLLBJEPQN

    View Slide

  2. ࣗݾ঺հ
    w BLJZN
    w ϚΠϒʔϜ
    w $5'ͱ͍͏ηΩϡϦςΟͷڝٕͷΑ͏ͳ΋ͷ
    w ೔ຊͰ͸4&$$0/$5'ͱ͔

    View Slide

  3. View Slide

  4. View Slide

  5. $5'
    w SFWFSTJOH QXO
    w XFC
    w DSZQUP

    View Slide

  6. w ʮ੬ऑͳΞϓϦΛॻ͘ʯ
    w $5'ͷ໰୊Λղ͘ɺ࡞Δ্Ͱศརͳٕज़
    w ࣮ࡍʹ࡞੒ͨ͠໰୊Λྫʹղઆ
    w ͔ͤͬ͘ͳͷͰ1FSMʹߜͬͨ࿩

    View Slide

  7. IUUQDUGLBUTVEPOPSH

    View Slide

  8. View Slide

  9. PQFO') pMF

    View Slide

  10. w ૝ఆͱͯ͠͸༻ҙ͞ΕͨςΩετϑΝΠϧΛಡΉɺ
    ϑΝΠϧ໊Λࢦఆ͢Δ͜ͱͰ੾Γସ͑Δ
    w ·ͣઈରύεΛࢦఆ͞ΕΔͱˠFUDQBTTXE
    w ૬ରύεͰ΋ˠFUDQBTTXE
    w ࢦఆͰ͖ΔύεΛ੍ݶͰ͖ΔΑ͏ʹ͠ͳ͚Ε͹
    ͍͚ͳ͍

    View Slide

  11. w Ͱ΋·ͩ໰୊͕͋Δ
    w PQFO') pMF
    w pMFcDBUFUDQBTTXE
    w ೚ҙͷίϚϯυΛ࣮ߦՄೳ

    View Slide

  12. PQFONZGI pMFPSEJF

    View Slide

  13. 42-JOKFDUJPO

    View Slide

  14. "SELECT * FROM user WHERE name =
    '$name' AND pass = '$pass'"

    View Slide

  15. "SELECT * FROM user WHERE name =
    '' AND pass = '' OR 1=1--'"

    View Slide

  16. w ೝূͷಥഁ͚ͩͰ͸ͳ͘ʜ
    w ςʔϒϧɺΧϥϜ৘ใ͔Β%#ͷ಺༰ΛಘΔ
    w [email protected] [email protected]
    w .Z42-Ͱ͋Ε͹ɺ-0"%@'*-&Ͱ೚ҙͷϑΝΠ
    ϧΛಡΈࠐΉ͜ͱ͕Ͱ͖ͨΓɺ*/50065'*-&
    ͰϑΝΠϧͷॻ͖ग़͕͠Ͱ͖Δ

    View Slide

  17. w ͍·͞Β42-JOKFDUJPO
    w ϓϨʔεϗϧμʔΛѻ͏৔߹ͳΒ҆શʁ
    w ͜Μͳ࿩΋ʜ

    View Slide

  18. +40/42-J

    View Slide

  19. View Slide

  20. w ΫΤϦϏϧλʹΑΔ42-ੜ੒
    w 42-JOKFDUJPO͸ൃੜ͠ͳ͍Α͏ʹݟ͑Δ͕ʜ
    w ΢ΣϒΞϓϦʹ͓͍ͯɺϢʔβʔ͔Βͷೖྗ͸

    จࣈྻͱͯ͠ѻΘΕΔ͕ɺ+40/Ͱσʔλͷड͚
    ౉͠Λ͢Δ͜ͱͰIBTISFGΛ౉͢͜ͱ΋Ͱ͖Δ
    w IBTISFGΛ౉ͨ͠ࡍͷΫΤϦϏϧλଆͷڍಈΛ

    ར༻ͨ͠42-JOKFDUJPO

    View Slide

  21. \OBNF\BBB^^
    4&-&$5'30.AVTFSA8)&3& AOBNFA
    03%&3#:[email protected]%&4$

    View Slide

  22. w ͜Ε͚ͩͰ΋ڴҖɺೝূͷಥഁ΍ςʔϒϧ಺ͷ

    ͢΂ͯͷϨίʔυΛऔಘ͞ΕΔڪΕ͕͋Δ
    w ࠷ѱͷέʔε͸ʁ

    View Slide

  23. w ໰୊
    w BLJDUGRTFBSDIFS
    w IUUQDUGLBUTVEPOPSHQSPCMFN
    w 42-JUF
    w 42-.BLFSΛར༻ͨ͠੬ऑੑ

    View Slide

  24. ΰʔϧผςʔϒϧͷϢʔβʔ໊ͱύεϫʔυΛಘΔ

    ͜͜ʹ͸੬ऑੑ͸ͳ͍

    View Slide

  25. ;(

    View Slide

  26. w XIFSF۟Λ͢΂ͯࢦఆ͢Δ͜ͱ͕Ͱ͖Δ
    w ͜ΕͰԿ͕Ͱ͖Δ͔
    w %#ͷ಺༰ ͢΂ͯ
    ΛऔಘͰ͖Δ

    View Slide

  27. {
    "name": "a",
    "1\"=\"1\") union select sql,tbl_name,null from
    sqlite_master where (\"a": "a"
    }
    WHERE ("name" LIKE ?) AND ("1"="1") union select
    sql,tbl_name,null from sqlite_master where ("a"
    LIKE ?)
    ΧϥϜ໊͸Τεέʔϓ͞Εͳ͍

    View Slide

  28. w IUUQEFWFMPQFSTNPCBHFKQCMPH
    KTPOTRMJOKFDUJPO
    w IUUQCMPHLB[VIPPLVDPNUIF
    KTPOTRMJOKFDUJPOWVMOFSBCJMJUZIUNM
    w IUUQXXXTMJEFTIBSFOFULB[VIPKTPOTRM
    JOKFDUJPOBOEUIFMFTTPOTMFBSOFE

    View Slide

  29. ਖ਼نදݱ

    View Slide

  30. w ϢʔβʔͷೖྗΛਖ਼نදݱͷύλʔϯͱͯ͠ѻ͏
    w RVPUFNFUB
    ͰΤεέʔϓ͢Δ
    w Τεέʔϓ͍ͯ͠ͳ͍৔߹͸ʁ
    w ॏ͍ਖ਼نදݱΛॻ͔ΕΔ
    w FWBM

    View Slide

  31. \DPEF^

    View Slide

  32. w ҆͝৺Λ
    w FWJM \QSJOU
    ^
    dFWJM
    w ಈ͔ͳ͍
    w &WBMHSPVQOPUBMMPXFEBUSVOUJNF
    w VTFSFFWBMΛ͢Ε͹ಈ͘Α͏ʹͳΔ

    View Slide

  33. w QFSMҎ߱Ͱ͸ΑΓݫ͘͠
    w d \ʜͱॻ͍ͯ΋ಈ͔ͳ͘ͳͬͨ
    w །Ұ൵͍͠ͷ͸ʜ"DNF&ZF%SPQT
    w 1FSMͰه߸ͷΈϓϩάϥϛϯά͸ෆՄೳʹ

    View Slide

  34. use re 'eval';
    ''=~('('.'?'
    .'{'.( '`'|'%').("\["^
    '-').('`'| '!').('`'|',').'"'
    .('['^'+') .('['^ ')').('`'|')').('`'|
    '.').('['^'/').('{'^ '[').'\\'.'"'.('`'^'('
    ).('`'|'%').('`'|',') .('`'|',').('`'|('/')).
    ','.('{'^'[').('['^ ',').('`'|'/').('['^')').(
    '`'|',').('`'| '$').'!'.'\\'.'\\'.('`'|'.').
    '\\'.'"'."\;". '"'.'}'.')');$:='.'^'~';$~="\@"|
    '(';$^=')'^'['; $/='`'|'.';$,='('^'}';$\='`'|'!';$:
    =')'^'}';$~='*' |'`';$^='+'^'_';$/='&'|'@';$,='['&'~';
    $\=','^"\|";$:= '.'^'~';$~='@'|'(';$^=')'^'[';$/='`'|'.'
    ;$,='('^'}';$\ ='`'|'!';$:=')'^'}';$~='*'|'`';$^='+'^'_'
    ;$/='&'|'@';$, ='['&'~';$\=','^'|';$:='.'^'~';$~='@'|'(';
    $^=')'^'[';$/='`'|'.';$,='('^'}';$\='`'|'!';$:=')'^'}';$~=
    '*'|'`';$^='+'^'_';$/='&'|'@';$,='['&'~';$\=','^'|';$:='.'^
    '~';$~='@'|'(';$^=')'^'[';$/='`'|'.';$,='('^'}';$\='`'|'!'
    ;$:=')'^'}';$~='*'|'`';$^='+'^'_';$/='&'|'@';$,='['&'~';$\=
    ','^'|';$:='.'^'~';$~='@'|'(';$^=')'^'[';$/='`'|'.';$,='('^
    '}';$\='`'|'!';$:=')'^'}';$~='*'|'`';$^='+'^'_';$/='&'|'@'
    ;$,='['&'~';$\=','^'|';$:='.'^'~';$~='@'|'(';$^="\)"^ '['
    ;$/='`'|'.';$,='('^'}';$\='`'|'!';$:=')'^'}';$~='*' |((
    '`'));$^='+'^'_';$/='&'|'@';$,='['&'~';$\ =','^'|' ;$:
    ='.'^'~';$~='@'|'(';$^=')'^'[';$/='`'| '.';$,= '('
    ^'}'; $\='`'|'!';$:=')'^'}';$~="\*"| '`';$^= '+'
    ^'_';$/='&'|'@';$,='['&'~';$\ =(',')^ '|'
    ;$:='.'^ '~';$~='@' |"\("; $^=')' ^+
    '[';$/= '`'|'.'; $,='(' ^"\}"; $\
    =('`')| "\!";$:= "\)"^ "\}"; (
    ($~))= '*'|'`'; ($^) ='+'
    ^"\_"; $/=('&')| '@'; ($,)
    ='['& "\~";$\= ','^ '|';
    ($:)= '.'^'~' ;$~= '@'|
    '('; $^=')' ^'[' ;$/=
    '`'| '.' ;$,= '('^
    '}'; $\= '`' |((
    '!' )); $:= ')'
    ^(( '}' )); $~=
    '*' |(( '`' ))
    ;( ($^))= ((
    (( '+')) ))
    ^+ "\_";$/= ((
    '&' ))|+ "\@"; $,
    =(( '['))& '~'; $\=
    ','^ "\|";$:= '.' ^'~'
    ;($~)= ('@')|
    "\(";$^= ')'^'['
    use re 'eval';
    )FMMP XPSME
    Λग़ྗ͢ΔϓϩάϥϜ

    View Slide

  35. ηογϣϯ

    View Slide

  36. w ΫϥΠΞϯταΠυηογϣϯ
    w ΫϥΠΞϯτଆͰอଘ͢Δ
    w DPPLJFΛར༻͢Δ

    View Slide

  37. ϝϦοτ
    w αʔόଆͰηογϣϯετΞͷ؅ཧΛ͢Δඞཁ
    ͕ͳ͍

    View Slide

  38. σϝϦοτ
    w ஌ΒΕͨ͘ͳ͍৘ใΛTFTTJPOʹอଘͯ͠͸͍͚
    ͳ͍
    w ηογϣϯΛഁغ͢Δͱ͖͸ʁˠDMJFOUଆͷ৘ใ
    ͱͯ͠ظݶΛ࣋ͨͤΔɺTFDSFUΛมߋ͢Δͱ͔
    w TFDSFU͕ྲྀग़͢ΔͱTFTTJPOΛվ᜵͢Δ͜ͱ͕

    Ͱ͖Δ

    View Slide

  39. .PKPMJDJPVT

    View Slide

  40. eyJzdXBlcl9zZWNyZXRfdG9rZW4iOiJwOUI0aWFLYWg4b09VelkxIiwiaWQ
    iOiIxIiwibmFtZSI6ImFraXltIiwiZXhwaXJlcyI6MTQxNDY4NDk4MH0---
    a4fba79dbd246638df17e57e97ed4f1fded7a7e3
    {
    "super_secret_token": "p9B4iaKah8oOUzY1",
    "id": "1",
    "name": "akiym",
    "expires": 1414684980
    }
    data
    HMAC

    View Slide

  41. eyJzdXBlcl9zZWNyZXRfdG9rZW4iOiJwOUI0aWFLYWg4b09VelkxIiwiaWQ
    iOiIxIiwibmFtZSI6ImFraXltIiwiZXhwaXJlcyI6MTQxNDY4NDk4MH0---
    a4fba79dbd246638df17e57e97ed4f1fded7a7e3
    my $data = encode_base64(encode_json({
    ...
    expires => time() + 3600,
    }));
    $data =~ s/=/-/g;
    my $hmac = hmac_sha1_hex($data, $SECRET);
    data
    HMAC

    View Slide

  42. w σʔλΛ+40/ʹͨ͠΋ͷΛCBTFͰFODPEF
    w TFDSFUΛLFZͱ͢Δվ᜵๷ࢭͷ)."$4)"Λ

    ͚ͭΔ

    View Slide

  43. w ໰୊
    w BLJDUGR0OMJOFCBOLJOH
    w IUUQDUGLBUTVEPOPSHQSPCMFN
    w 42-JOKFDUJPO TFTTJPOվ᜵
    w TFDSFUΛࢦఆ͍ͯ͠ͳ͍

    View Slide

  44. w .PKPMJDJPVTͰTFDSFUΛࢦఆ͍ͯ͠ͳ͍৔߹

    ܯࠂ͕ग़Δ͕ɺͱΓ͋͑ͣಈ͘
    w ͦͷͱ͖ʹ͸TFDSFUʹQBDLBHF໊͕ࢦఆ͞ΕΔ
    w .PKPMJDJPVT-JUFͷ৔߹͸ϑΝΠϧ໊
    w QBDLBHF໊͕஌ΒΕΔɺ΋͘͠͸༧ଌͰ͖Δ΋
    ͷͰ͋Ε͹TFDSFU͕෼͔Δ

    View Slide

  45. 1MBDL.JEEMFXBSF
    4FTTJPO$PPLJF

    View Slide

  46. 1414682274.88017:BQoDAAAAAQiAAAAABWFkbWlu:.
    Storable::thaw(decode_base64('BQoDAAAAAQiAAAAABWFkbWlu'))
    {
    'admin' => 0
    }
    data HMAC

    View Slide

  47. 1414683541.42553:BQoDAAAAAQiAAAAABWFkbWlu:

    bb33fc2e391e3d76edcbc8ffdcf66065d1d82862
    my $data = encode_base64(Storable::freeze({
    admin => 1,
    }));
    my $hash = hmac_sha1_hex($data, $SECRET);
    HMAC
    data

    View Slide

  48. w σʔλΛ4UPSBCMFͰγϦΞϥΠζͨ͠΋ͷΛ
    CBTFͰFODPEF
    w TFDSFU͕ࢦఆ͞Ε͍ͯͨ৔߹
    w TFDSFUΛLFZͱ͢Δվ᜵๷ࢭͷ)."$4)"Λ

    ͚ͭΔ

    View Slide

  49. w ηογϣϯվ᜵
    w σετϥΫλ࣮ߦ

    View Slide

  50. w IUUQTTQFBLFSEFDLDPNNBMBIPXUP
    IBDLNFUBDQBOEPUPSH
    w IUUQTHJTUHJUIVCDPNNJZBHBXB
    CBGBEBDEE

    View Slide

  51. ίϯςΩετ

    View Slide

  52. w ίϯςΩετͱ͸
    w 1FSM͸୯਺ͱෳ਺Λผͱͯ͠ѻ͏
    w !GPP

    w !GPPˠ
    w TDBMBS!GPPˠ
    w ϦετΛ!BSSBZʹ୅ೖ͢Ε͹഑ྻʹɺIBTIʹ୅
    ೖ͢Ε͹ϋογϡʹ

    View Slide

  53. View Slide

  54. 1FSMͷίϯςΩετ͸
    ѱ

    View Slide

  55. w 1FSMͷಛ௃Ͱ΋͋Γɺݸਓతʹ͸݁ߏ޷͖
    w 5FOH͸ίϯςΩετʹԠͯ͡ಈ࡞Λม͑Δ

    ͜Ε͸࢖ͬͯͳ͍

    w NZBSHT GPP [email protected]
    Έ͍ͨͳ͜ͱ͕
    Ͱ͖Δ
    w ศརͳ͜ͱ΋͋Ε͹ɺѱ͍͜ͱ΋͋Δ

    View Slide

  56. w ໰୊
    w $5'֤ҐMPHJOQBHF
    w IUUQBLJZNIBUFCMPKQFOUSZ

    w ۠੾ΓจࣈɺDPOUFYUʹΑΔ੬ऑੑ

    View Slide

  57. ϦετΛड͚औΔͱల։
    OBNFBQBTTCQBTTD

    View Slide

  58. {
    ...
    pass => 'asdf',
    give_me_flag => 0,
    give_me_flag => 'give_me_flag', # true!
    0
    }
    VTFS\[email protected]@qBH^[email protected]@qBH

    View Slide

  59. w 0EEOVNCFSPGFMFNFOUTJOBOPOZNPVTIBTI
    w VTFXBSOJOHT'"5"-BMM
    w ·͋΍ͬͯΒΕͳ͍

    View Slide

  60. w IUUQXXXTPOHNVKQSJKJFOUSZ
    DHJQBSBNIUN
    w IUUQCMPHUPLVNBSVPSHOFX
    DMBTTPGWVMOFSBCJMJUZJOQFSMXFCIUNM

    View Slide

  61. ·ͱΊ
    w Ҿ਺ͷPQFO
    w +40/42-J
    w ਖ਼نදݱͰͷFWBM
    w ΫϥΠΞϯταΠυηογϣϯ
    w ϋογϡͷϦετͷల։

    View Slide