Techniques for Writing Vulnerable Apps

akiym
October 31, 2014

Hokkaido.pm #12

Note: the behaviour of ->param was changed in Mojo 5.48.

Transcript

  1. Techniques for Writing Vulnerable Apps  akiym  Hokkaido.pm

  2. Self-introduction • akiym • My current obsession: CTF, a kind of security competition • In Japan, SECCON CTF and the like

  3. None
  4. None
  5. CTF • reversing, pwn • web • crypto

  6. • "Writing vulnerable apps" • Techniques that come in handy for solving and creating CTF problems • Explained using problems I actually created • Given the occasion, the talk is restricted to Perl

  7. http://ctf.katsudon.org/

  8. None
  9. open(FH, $file)

  10. • The intended use: read a prepared text file, switching files by specifying the file name • First, if an absolute path is given → /etc/passwd • Even with a relative path (traversal with ..) → /etc/passwd • The paths that can be specified must be restricted

  11. • But there is still a problem • open(FH, $file) • $file = "cat /etc/passwd|" (with a trailing pipe, two-argument open runs the command) • Arbitrary commands can be executed

  12. open(my $fh, '<', $file) or die

  13. SQL injection

  14. "SELECT * FROM user WHERE name = '$name' AND pass = '$pass'"

  15. "SELECT * FROM user WHERE name = '' AND pass = '' OR 1=1--'"
  16. • Not just authentication bypass… • Get the DB contents from table and column information • sqlite_master, information_schema • With MySQL, LOAD_FILE can read arbitrary files and INTO OUTFILE can write files

  17. • SQL injection, at this late date? • Safe as long as you use placeholders? • There is this story too…

  18. JSON SQLi

  19. None
  20. • SQL generated by a query builder • It looks as though SQL injection cannot occur, but… • In a web app, user input is handled as strings, but when data is passed as JSON a hashref can be passed as well • SQL injection that exploits how the query builder behaves when it is handed a hashref

  21. {"name":{"aaa": …}}  →  SELECT * FROM `user` WHERE `name` … ORDER BY user_id DESC

  22. • Even this alone is a threat: authentication bypass, or every record in the table being retrieved • What is the worst case?

  23. • Problem • akictf: searcher • http://ctf.katsudon.org/problem… • SQLite • A vulnerability arising from the use of SQL::Maker

  24. Goal: obtain the user name and password from a different table.  There is no vulnerability in this part.

  25. ;(

  26. • The whole WHERE clause can be specified • What does that allow? • The (entire) contents of the DB can be retrieved

  27. { "name": "a", "1\"=\"1\") union select sql,tbl_name,null from sqlite_master where (\"a": "a" }
    WHERE ("name" LIKE ?) AND ("1"="1") union select sql,tbl_name,null from sqlite_master where ("a" LIKE ?)
    Column names are not escaped

  28. • http://developers.mobage.jp/blog/json-sql-injection • http://blog.kazuhooku.com/…/the-json-sql-injection-vulnerability.html • http://www.slideshare.net/kazuho/json-sql-injection-and-the-lessons-learned
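The column-name injection of slides 26 through 28, as an added example that is not from the talk and not SQL::Maker's code: a toy WHERE-clause builder that reproduces the behaviour the slides describe (every hash key is interpolated as a column name without escaping, and a hashref supplies the operator), beside a hardened version that accepts only allowlisted column names and plain scalar values. The builder functions, the allowlist and the request bodies are all constructed for this example; the hostile body is the one shown on slide 27.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::PP qw(decode_json);

# Toy WHERE-clause builder with the behaviour the slides describe: every hash
# key becomes a column name, a plain value becomes ("col" LIKE ?), a hashref
# becomes ("col" OP ?) with OP taken from the hashref. Constructed for this
# example; it is not SQL::Maker's code.
sub build_where_unsafe {
    my ($cond) = @_;
    my (@sql, @bind);
    for my $col (sort keys %$cond) {
        my $v = $cond->{$col};
        if (ref $v eq 'HASH') {                 # operator chosen by the client
            my ($op) = keys %$v;
            push @sql,  qq{("$col" $op ?)};
            push @bind, $v->{$op};
        }
        else {                                  # column name interpolated without escaping
            push @sql,  qq{("$col" LIKE ?)};
            push @bind, $v;
        }
    }
    return (join(' AND ', @sql), \@bind);
}

# Hardened: column names must come from a fixed allowlist and values must be
# plain scalars, so neither the identifier nor the operator is client data.
my %ALLOWED_COLUMN = map { $_ => 1 } qw(name email);

sub build_where_safe {
    my ($cond) = @_;
    my (@sql, @bind);
    for my $col (sort keys %$cond) {
        die "unknown column\n"                   unless $ALLOWED_COLUMN{$col};
        die "value for $col must be a string\n"  if ref $cond->{$col};
        push @sql,  qq{("$col" LIKE ?)};
        push @bind, $cond->{$col};
    }
    return (join(' AND ', @sql), \@bind);
}

# Constructed request bodies: a normal search, a hashref value in the shape of
# slide 21, and the body from slide 27 whose second key is attacker-controlled.
my @bodies = (
    decode_json('{"name": "a"}'),
    decode_json('{"name": {"aaa": "x"}}'),
    decode_json('{ "name": "a", "1\"=\"1\") union select sql,tbl_name,null from sqlite_master where (\"a": "a" }'),
);

for my $body (@bodies) {
    my ($sql, $bind) = build_where_unsafe($body);
    print "unsafe: WHERE $sql\n";
    if (my ($safe_sql) = eval { build_where_safe($body) }) {
        print "safe:   WHERE $safe_sql\n";
    }
    else {
        print "safe:   rejected: $@";
    }
    print "\n";
}
```

The unsafe builder turns the third body into a UNION against sqlite_master exactly as the slide shows; the hardened one rejects it before any SQL is assembled, and rejects the hashref body too. Validating the shape of decoded JSON (keys against an allowlist, values as scalars) at the boundary is the control that makes a query builder safe to feed with client data.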

  29. Regular expressions

  30. • Treating user input as a regular-expression pattern • Escape it with quotemeta • What if it is not escaped? • A heavy (slow) regex can be supplied • eval

  31. (?{ code })

  32. • Don't worry • $evil = '(?{ print … })'; '' =~ $evil • It doesn't work • "Eval-group not allowed at runtime" • With use re 'eval' it does work

  33. • From a newer perl onward it is stricter • Even writing =~ … (?{ … no longer works • The only sad thing is… Acme::EyeDrops • Symbols-only programming in Perl became impossible
  34. use re 'eval'; ''=~('('.'?' .'{'.( '`'|'%').("\["^ '-').('`'| '!').('`'|',').'"' .('['^'+') .('['^ ')').('`'|')').('`'| '.').('['^'/').('{'^ '[').'\\'.'"'.('`'^'(' ).('`'|'%').('`'|',') .('`'|',').('`'|('/')). ','.('{'^'[').('['^ ',').('`'|'/').('['^')').( '`'|',').('`'| '$').'!'.'\\'.'\\'.('`'|'.'). '\\'.'"'."\;". '"'.'}'.')');$:='.'^'~';$~="\@"| '(';$^=')'^'['; $/='`'|'.';$,='('^'}';$\='`'|'!';$: =')'^'}';$~='*' |'`';$^='+'^'_';$/='&'|'@';$,='['&'~'; $\=','^"\|";$:= '.'^'~';$~='@'|'(';$^=')'^'[';$/='`'|'.' ;$,='('^'}';$\ ='`'|'!';$:=')'^'}';$~='*'|'`';$^='+'^'_' ;$/='&'|'@';$, ='['&'~';$\=','^'|';$:='.'^'~';$~='@'|'('; $^=')'^'[';$/='`'|'.';$,='('^'}';$\='`'|'!';$:=')'^'}';$~= '*'|'`';$^='+'^'_';$/='&'|'@';$,='['&'~';$\=','^'|';$:='.'^ '~';$~='@'|'(';$^=')'^'[';$/='`'|'.';$,='('^'}';$\='`'|'!' ;$:=')'^'}';$~='*'|'`';$^='+'^'_';$/='&'|'@';$,='['&'~';$\= ','^'|';$:='.'^'~';$~='@'|'(';$^=')'^'[';$/='`'|'.';$,='('^ '}';$\='`'|'!';$:=')'^'}';$~='*'|'`';$^='+'^'_';$/='&'|'@' ;$,='['&'~';$\=','^'|';$:='.'^'~';$~='@'|'(';$^="\)"^ '[' ;$/='`'|'.';$,='('^'}';$\='`'|'!';$:=')'^'}';$~='*' |(( '`'));$^='+'^'_';$/='&'|'@';$,='['&'~';$\ =','^'|' ;$: ='.'^'~';$~='@'|'(';$^=')'^'[';$/='`'| '.';$,= '(' ^'}'; $\='`'|'!';$:=')'^'}';$~="\*"| '`';$^= '+' ^'_';$/='&'|'@';$,='['&'~';$\ =(',')^ '|' ;$:='.'^ '~';$~='@' |"\("; $^=')' ^+ '[';$/= '`'|'.'; $,='(' ^"\}"; $\ =('`')| "\!";$:= "\)"^ "\}"; ( ($~))= '*'|'`'; ($^) ='+' ^"\_"; $/=('&')| '@'; ($,) ='['& "\~";$\= ','^ '|'; ($:)= '.'^'~' ;$~= '@'| '('; $^=')' ^'[' ;$/= '`'| '.' ;$,= '('^ '}'; $\= '`' |(( '!' )); $:= ')' ^(( '}' )); $~= '*' |(( '`' )) ;( ($^))= (( (( '+')) )) ^+ "\_";$/= (( '&' ))|+ "\@"; $, =(( '['))& '~'; $\= ','^ "\|";$:= '.' ^'~' ;($~)= ('@')| "\(";$^= ')'^'['
    use re 'eval';  (the highlighted line)  A program that prints "Hello world"
  35. Sessions

  36. • Client-side sessions • Stored on the client side • Use a cookie

  37. Merits • No need to manage a session store on the server side

  38. Demerits • Information you don't want revealed must not be stored in the session • What about invalidating a session? → give it an expiry as client-side information, change the secret, and so on • If the secret leaks, sessions can be forged

  39. Mojolicious

  40. eyJzdXBlcl9zZWNyZXRfdG9rZW4iOiJwOUI0aWFLYWg4b09VelkxIiwiaWQiOiIxIiwibmFtZSI6ImFraXltIiwiZXhwaXJlcyI6MTQxNDY4NDk4MH0---a4fba79dbd246638df17e57e97ed4f1fded7a7e3
    (labels: data / HMAC)
    { "super_secret_token": "p9B4iaKah8oOUzY1", "id": "1", "name": "akiym", "expires": 1414684980 }

  41. eyJzdXBlcl9zZWNyZXRfdG9rZW4iOiJwOUI0aWFLYWg4b09VelkxIiwiaWQiOiIxIiwibmFtZSI6ImFraXltIiwiZXhwaXJlcyI6MTQxNDY4NDk4MH0---a4fba79dbd246638df17e57e97ed4f1fded7a7e3
    my $data = encode_base64(encode_json({ ... expires => time() + 3600, }));
    $data =~ s/=/-/g;
    my $hmac = hmac_sha1_hex($data, $SECRET);
    (labels: data / HMAC)

  42. • The data is converted to JSON and base64-encoded • An HMAC-SHA1 keyed with the secret is attached to prevent tampering

  43. • Problem • akictf: Online banking • http://ctf.katsudon.org/problem… • SQL injection, session tampering • No secret is specified

  44. • When no secret is specified in Mojolicious, a warning is printed but it works anyway • In that case the package name is used as the secret • For Mojolicious::Lite, the file name • If the package name is known or can be guessed, the secret is known

  45. Plack::Middleware::Session::Cookie

  46. 1414682274.88017:BQoDAAAAAQiAAAAABWFkbWlu:
    Storable::thaw(decode_base64('BQoDAAAAAQiAAAAABWFkbWlu'))  →  { 'admin' => 0 }
    (labels: data / HMAC; the HMAC part is empty)

  47. 1414683541.42553:BQoDAAAAAQiAAAAABWFkbWlu:bb33fc2e391e3d76edcbc8ffdcf66065d1d82862
    my $data = encode_base64(Storable::freeze({ admin => 1, }));
    my $hash = hmac_sha1_hex($data, $SECRET);
    (labels: HMAC / data)

  48. • The data is serialized with Storable and base64-encoded • If a secret was specified • An HMAC-SHA1 keyed with the secret is attached to prevent tampering

  49. • Session tampering • Destructor execution

  50. • https://speakerdeck.com/mala/how-to-hack-metacpan-dot-org • https://gist.github.com/miyagawa/…
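Signing and verifying a client-side session cookie in the layout of slides 40 through 48, as an added example that is neither Mojolicious's nor Plack's own code: it refuses to run with an unconfigured secret (the failure behind slides 43 and 44), checks the HMAC with a constant-time comparison, enforces the expiry, and decodes a data-only format (JSON rather than Storable) so that nothing can be blessed into an object on the way in, which is the destructor concern of slide 49. The function names, the secret and the timestamps are constructed for this example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use Digest::SHA  qw(hmac_sha1_hex);
use JSON::PP;

# Cookie layout follows the Mojolicious example on the slides:
#   base64(JSON payload) with '=' replaced by '-', then '--', then hex HMAC-SHA1
# keyed with the application secret. Simplified re-implementation for this
# example; it is not the Mojolicious or Plack code itself.
my $JSON = JSON::PP->new->canonical;   # stable key order: the same session always signs the same way

sub sign_session {
    my ($secret, $session, $now) = @_;
    # A missing, short or placeholder secret would make every cookie forgeable; refuse.
    die "session secret is not configured\n"
        if !defined $secret || length($secret) < 16 || $secret eq 'CHANGE_ME';
    my $data = encode_base64($JSON->encode({ %$session, expires => $now + 3600 }), '');
    $data =~ s/=/-/g;
    return $data . '--' . hmac_sha1_hex($data, $secret);
}

# Constant-time comparison so the check does not reveal how many leading bytes
# of a guessed signature were right.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_session {
    my ($secret, $cookie, $now) = @_;
    my ($data, $sig) = $cookie =~ /\A([A-Za-z0-9+\/-]+)--([0-9a-f]{40})\z/
        or return;                                              # malformed cookie
    return unless secure_eq(hmac_sha1_hex($data, $secret), $sig);  # forged, or signed under another secret
    (my $b64 = $data) =~ s/-/=/g;
    my $session = eval { $JSON->decode(decode_base64($b64)) };
    return unless ref $session eq 'HASH';                       # JSON yields plain data only: no objects, no DESTROY
    return if !defined $session->{expires} || $session->{expires} <= $now;   # expired
    return $session;
}

# Constructed demo values.
my $secret = 'constructed-example-secret-0123';
my $now    = 1414681380;
my $cookie = sign_session($secret, { id => 1, name => 'akiym' }, $now);

print "valid:     ", (verify_session($secret, $cookie, $now) ? 'accepted' : 'rejected'), "\n";

# Flipping one byte of the payload breaks the HMAC (base64 of '{"' starts with "ey").
my $tampered = $cookie;
substr($tampered, 0, 1) = 'f';
print "tampered:  ", (verify_session($secret, $tampered, $now) ? 'accepted' : 'rejected'), "\n";

# A cookie signed under another secret is rejected too.
print "wrong key: ", (verify_session('some-other-secret-value-xyz', $cookie, $now) ? 'accepted' : 'rejected'), "\n";

# Past its expiry the payload is still authentic but no longer accepted.
print "expired:   ", (verify_session($secret, $cookie, $now + 7200) ? 'accepted' : 'rejected'), "\n";
```

Only the first case is accepted. The two design choices worth copying are the refusal to sign with a default secret, since a default that is derived from a package or file name is exactly what slide 44 warns about, and the use of a serializer that cannot produce blessed references, which removes the destructor side effect mentioned on slide 49 from the attack surface entirely.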

  51. Context

  52. • What is context • Perl treats singular and plural as different things • @foo = (…) • @foo → … • scalar(@foo) → … • Assign a list to @array and you get an array; assign it to %hash and you get a hash
  53. None
  54. Perl's context is evil

  55. • It is one of Perl's characteristics, and personally I rather like it • Teng changes its behaviour according to context (I don't use this) • It lets you do things like my %args = (foo => …, @_) • Sometimes it's convenient, sometimes it's bad

  56. • Problem • CTF login page • http://akiym.hateblo.jp/entry/… • A vulnerability caused by delimiters and context

  57. Receiving a list expands it: name=a&pass=b&pass=c

  58. { ... pass => 'asdf', give_me_flag => 0, give_me_flag => 'give_me_flag', # true!  0 }
    $user->{give_me_flag} is 'give_me_flag'

  59. • "Odd number of elements in anonymous hash" • use warnings FATAL => 'all' • Well, that's not really workable

  60. • http://www.songmu.jp/riji/entry/…cgi-param.htm • http://blog.tokumaru.org/…/new-class-of-vulnerability-in-perl-web.html
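The list-context expansion of slides 52 through 59, as an added example that is not from the talk: a stand-in request class whose param() returns every value in list context (as CGI.pm's did, and as Mojolicious's ->param did before the 5.48 change noted at the top of this page), the hash construction it breaks, and the scalar() fix. FakeRequest and the query string are constructed for this example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Stand-in for a request object whose param() returns one value in scalar
# context and every value in list context, the way CGI.pm's param() and
# Mojolicious's ->param before 5.48 behaved. Hypothetical class, constructed
# for this example.
package FakeRequest;

sub new {
    my ($class, $query_string) = @_;
    my @pairs = map { [ split /=/, $_, 2 ] } split /&/, $query_string;
    return bless { pairs => \@pairs }, $class;
}

sub param {
    my ($self, $name) = @_;
    my @values = map { $_->[1] } grep { $_->[0] eq $name } @{ $self->{pairs} };
    return wantarray ? @values : $values[0];
}

package main;

# Vulnerable: param() is evaluated in list context inside the hash literal, so
# extra values of "pass" become new key/value pairs, and a later give_me_flag
# key overrides the default written above it.
sub build_user_unsafe {
    my ($req) = @_;
    return {
        give_me_flag => 0,                 # default that the client must not be able to change
        name         => $req->param('name'),
        pass         => $req->param('pass'),
    };
}

# Fixed: scalar() forces exactly one value per parameter, so the shape of the
# hash is fixed by the code and not by the request.
sub build_user_safe {
    my ($req) = @_;
    return {
        give_me_flag => 0,
        name         => scalar $req->param('name'),
        pass         => scalar $req->param('pass'),
    };
}

# Constructed request: "pass" is sent three times. In list context the second
# and third values become the pair give_me_flag => 1.
my $req = FakeRequest->new('name=akiym&pass=asdf&pass=give_me_flag&pass=1');

my $unsafe = build_user_unsafe($req);
my $safe   = build_user_safe($req);

printf "unsafe: give_me_flag=%s pass=%s\n", $unsafe->{give_me_flag}, $unsafe->{pass};
printf "safe:   give_me_flag=%s pass=%s\n", $safe->{give_me_flag},   $safe->{pass};
```

The unsafe hash ends up with give_me_flag set to 1 while the safe one keeps 0, and because the injected list here has an even number of elements the "Odd number of elements" warning from slide 59 never fires, which is why that warning is not a reliable detector. The same scalar() discipline applies to any accessor that is context-sensitive; with Mojolicious 5.48 and later ->param is scalar-only and a separate method is needed to ask for all values.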

  61. Summary • Two-argument open • JSON SQLi • eval in regular expressions • Client-side sessions • List expansion into a hash