脆弱なアプリを書く技術

Transcript

1. ੬ऑͳΞϓϦΛॻٕ͘ज़ BLJZN
   )PLLBJEPQN
   

2. ࣗݾ঺հ w BLJZN
   w ϚΠϒʔϜ
   w $5'ͱ͍͏ηΩϡϦςΟͷڝٕͷΑ͏ͳ΋ͷ
   w ೔ຊͰ͸4&$$0/
   $5'ͱ͔

3. None
4. None

5. $5' w SFWFSTJOH
   QXO
   w XFC
   w DSZQUP

6. w ʮ੬ऑͳΞϓϦΛॻ͘ʯ
   w $5'ͷ໰୊Λղ͘ɺ࡞Δ্Ͱศརͳٕज़
   w ࣮ࡍʹ࡞੒ͨ͠໰୊Λྫʹղઆ
   w ͔ͤͬ͘ͳͷͰ1FSMʹߜͬͨ࿩

7. IUUQDUGLBUTVEPOPSH

8. None

9. PQFO
   ')
   pMF

10. w ૝ఆͱͯ͠͸༻ҙ͞ΕͨςΩετϑΝΠϧΛಡΉɺ ϑΝΠϧ໊Λࢦఆ͢Δ͜ͱͰ੾Γସ͑Δ
    w ·ͣઈରύεΛࢦఆ͞ΕΔͱ
    ˠ
    FUDQBTTXE
    w ૬ରύεͰ΋
    ˠ
    FUDQBTTXE
    w ࢦఆͰ͖ΔύεΛ੍ݶͰ͖ΔΑ͏ʹ͠ͳ͚Ε͹ ͍͚ͳ͍

11. w Ͱ΋·ͩ໰୊͕͋Δ
    w PQFO
    ')
    pMF
    w pMF
    
    c
    DBU
    FUDQBTTXE
    w ೚ҙͷίϚϯυΛ࣮ߦՄೳ

12. PQFO
    NZ
    GI
    
    pMF
    PS
    EJF
    

13. 42-
    JOKFDUJPO

14. "SELECT * FROM user WHERE name = '$name' AND pass

    = '$pass'"

15. "SELECT * FROM user WHERE name = '' AND pass

    = '' OR 1=1--'"

16. w ೝূͷಥഁ͚ͩͰ͸ͳ͘ʜ
    w ςʔϒϧɺΧϥϜ৘ใ͔Β%#ͷ಺༰ΛಘΔ
    w TRMJUF@NBTUFS
    JOGPSNBUJPO@TDIFNB
    
    w .Z42-Ͱ͋Ε͹ɺ-0"%@'*-&Ͱ೚ҙͷϑΝΠ

    ϧΛಡΈࠐΉ͜ͱ͕Ͱ͖ͨΓɺ*/50
    065'*-& ͰϑΝΠϧͷॻ͖ग़͕͠Ͱ͖Δ

17. w ͍·͞Β42-
    JOKFDUJPO
    w ϓϨʔεϗϧμʔΛѻ͏৔߹ͳΒ҆શʁ
    w ͜Μͳ࿩΋ʜ

18. +40/
    42-J

19. None

20. w ΫΤϦϏϧλʹΑΔ42-ੜ੒
    w 42-
    JOKFDUJPO͸ൃੜ͠ͳ͍Α͏ʹݟ͑Δ͕ʜ
    w ΢ΣϒΞϓϦʹ͓͍ͯɺϢʔβʔ͔Βͷೖྗ͸
 จࣈྻͱͯ͠ѻΘΕΔ͕ɺ+40/Ͱσʔλͷड͚ ౉͠Λ͢Δ͜ͱͰIBTISFGΛ౉͢͜ͱ΋Ͱ͖Δ
    w IBTISFGΛ౉ͨ͠ࡍͷΫΤϦϏϧλଆͷڍಈΛ


    ར༻ͨ͠42-
    JOKFDUJPO

21. \OBNF
    
    \
    
    BBB^^ 4&-&$5
    
    '30.
    AVTFSA
    8)&3&
    AOBNFA
    
    
    03%&3
    #:
    VTFS@JE
    %&4$

22. w ͜Ε͚ͩͰ΋ڴҖɺೝূͷಥഁ΍ςʔϒϧ಺ͷ
 ͢΂ͯͷϨίʔυΛऔಘ͞ΕΔڪΕ͕͋Δ
    w ࠷ѱͷέʔε͸ʁ

23. w ໰୊
    w BLJDUG
    R
    TFBSDIFS
    w IUUQDUGLBUTVEPOPSHQSPCMFN
    w 42-JUF
    w 42-.BLFSΛར༻ͨ͠੬ऑੑ

24. ΰʔϧ
    ผςʔϒϧͷϢʔβʔ໊ͱύεϫʔυΛಘΔ
 ͜͜ʹ͸੬ऑੑ͸ͳ͍

25. ;(

26. w XIFSF۟Λ͢΂ͯࢦఆ͢Δ͜ͱ͕Ͱ͖Δ
    w ͜ΕͰԿ͕Ͱ͖Δ͔
    w %#ͷ಺༰ ͢΂ͯ ΛऔಘͰ͖Δ

27. { "name": "a", "1\"=\"1\") union select sql,tbl_name,null from sqlite_master where

    (\"a": "a" } WHERE ("name" LIKE ?) AND ("1"="1") union select sql,tbl_name,null from sqlite_master where ("a" LIKE ?) ΧϥϜ໊͸Τεέʔϓ͞Εͳ͍

28. w IUUQEFWFMPQFSTNPCBHFKQCMPH KTPOTRMJOKFDUJPO
    w IUUQCMPHLB[VIPPLVDPNUIF KTPOTRMJOKFDUJPOWVMOFSBCJMJUZIUNM
    w IUUQXXXTMJEFTIBSFOFULB[VIPKTPOTRM JOKFDUJPOBOEUIFMFTTPOTMFBSOFE

29. ਖ਼نදݱ

30. w ϢʔβʔͷೖྗΛਖ਼نදݱͷύλʔϯͱͯ͠ѻ͏
    w RVPUFNFUB ͰΤεέʔϓ͢Δ
    w Τεέʔϓ͍ͯ͠ͳ͍৔߹͸ʁ
    w ॏ͍ਖ਼نදݱΛॻ͔ΕΔ
    w

    FWBM

31. \
    DPEF
    ^

32. w ҆͝৺Λ
    w FWJM
    
     \QSJOU
     ^ 
    
    d
    FWJM
    w ಈ͔ͳ͍
    w

    &WBMHSPVQ
    OPU
    BMMPXFE
    BU
    SVOUJNF
    w VTF
    SF
    FWBM
    Λ͢Ε͹ಈ͘Α͏ʹͳΔ

33. w QFSMҎ߱Ͱ͸ΑΓݫ͘͠
    w d   \
    ʜ
    ͱॻ͍ͯ΋ಈ͔ͳ͘ͳͬͨ
    w །Ұ൵͍͠ͷ͸ʜ
    "DNF&ZF%SPQT
    
    w

    1FSMͰه߸ͷΈϓϩάϥϛϯά͸ෆՄೳʹ

34. use re 'eval'; ''=~('('.'?' .'{'.( '`'|'%').("\["^ '-').('`'| '!').('`'|',').'"' .('['^'+') .('['^

    ')').('`'|')').('`'| '.').('['^'/').('{'^ '[').'\\'.'"'.('`'^'(' ).('`'|'%').('`'|',') .('`'|',').('`'|('/')). ','.('{'^'[').('['^ ',').('`'|'/').('['^')').( '`'|',').('`'| '$').'!'.'\\'.'\\'.('`'|'.'). '\\'.'"'."\;". '"'.'}'.')');$:='.'^'~';$~="\@"| '(';$^=')'^'['; $/='`'|'.';$,='('^'}';$\='`'|'!';$: =')'^'}';$~='*' |'`';$^='+'^'_';$/='&'|'@';$,='['&'~'; $\=','^"\|";$:= '.'^'~';$~='@'|'(';$^=')'^'[';$/='`'|'.' ;$,='('^'}';$\ ='`'|'!';$:=')'^'}';$~='*'|'`';$^='+'^'_' ;$/='&'|'@';$, ='['&'~';$\=','^'|';$:='.'^'~';$~='@'|'('; $^=')'^'[';$/='`'|'.';$,='('^'}';$\='`'|'!';$:=')'^'}';$~= '*'|'`';$^='+'^'_';$/='&'|'@';$,='['&'~';$\=','^'|';$:='.'^ '~';$~='@'|'(';$^=')'^'[';$/='`'|'.';$,='('^'}';$\='`'|'!' ;$:=')'^'}';$~='*'|'`';$^='+'^'_';$/='&'|'@';$,='['&'~';$\= ','^'|';$:='.'^'~';$~='@'|'(';$^=')'^'[';$/='`'|'.';$,='('^ '}';$\='`'|'!';$:=')'^'}';$~='*'|'`';$^='+'^'_';$/='&'|'@' ;$,='['&'~';$\=','^'|';$:='.'^'~';$~='@'|'(';$^="\)"^ '[' ;$/='`'|'.';$,='('^'}';$\='`'|'!';$:=')'^'}';$~='*' |(( '`'));$^='+'^'_';$/='&'|'@';$,='['&'~';$\ =','^'|' ;$: ='.'^'~';$~='@'|'(';$^=')'^'[';$/='`'| '.';$,= '(' ^'}'; $\='`'|'!';$:=')'^'}';$~="\*"| '`';$^= '+' ^'_';$/='&'|'@';$,='['&'~';$\ =(',')^ '|' ;$:='.'^ '~';$~='@' |"\("; $^=')' ^+ '[';$/= '`'|'.'; $,='(' ^"\}"; $\ =('`')| "\!";$:= "\)"^ "\}"; ( ($~))= '*'|'`'; ($^) ='+' ^"\_"; $/=('&')| '@'; ($,) ='['& "\~";$\= ','^ '|'; ($:)= '.'^'~' ;$~= '@'| '('; $^=')' ^'[' ;$/= '`'| '.' ;$,= '('^ '}'; $\= '`' |(( '!' )); $:= ')' ^(( '}' )); $~= '*' |(( '`' )) ;( ($^))= (( (( '+')) )) ^+ "\_";$/= (( '&' ))|+ "\@"; $, =(( '['))& '~'; $\= ','^ "\|";$:= '.' ^'~' ;($~)= ('@')| "\(";$^= ')'^'[' use re 'eval'; )FMMP
    XPSME
    Λग़ྗ͢ΔϓϩάϥϜ

35. ηογϣϯ

36. w ΫϥΠΞϯταΠυηογϣϯ
    w ΫϥΠΞϯτଆͰอଘ͢Δ
    w DPPLJFΛར༻͢Δ

37. ϝϦοτ w αʔόଆͰηογϣϯετΞͷ؅ཧΛ͢Δඞཁ ͕ͳ͍

38. σϝϦοτ w ஌ΒΕͨ͘ͳ͍৘ใΛTFTTJPOʹอଘͯ͠͸͍͚ ͳ͍
    w ηογϣϯΛഁغ͢Δͱ͖͸ʁˠDMJFOUଆͷ৘ใ ͱͯ͠ظݶΛ࣋ͨͤΔɺTFDSFUΛมߋ͢Δͱ͔
    w TFDSFU͕ྲྀग़͢ΔͱTFTTJPOΛվ᜵͢Δ͜ͱ͕
 Ͱ͖Δ

39. .PKPMJDJPVT

40. eyJzdXBlcl9zZWNyZXRfdG9rZW4iOiJwOUI0aWFLYWg4b09VelkxIiwiaWQ iOiIxIiwibmFtZSI6ImFraXltIiwiZXhwaXJlcyI6MTQxNDY4NDk4MH0--- a4fba79dbd246638df17e57e97ed4f1fded7a7e3 { "super_secret_token": "p9B4iaKah8oOUzY1", "id": "1", "name": "akiym",

    "expires": 1414684980 } data HMAC

41. eyJzdXBlcl9zZWNyZXRfdG9rZW4iOiJwOUI0aWFLYWg4b09VelkxIiwiaWQ iOiIxIiwibmFtZSI6ImFraXltIiwiZXhwaXJlcyI6MTQxNDY4NDk4MH0--- a4fba79dbd246638df17e57e97ed4f1fded7a7e3 my $data = encode_base64(encode_json({ ... expires =>

    time() + 3600, })); $data =~ s/=/-/g; my $hmac = hmac_sha1_hex($data, $SECRET); data HMAC

42. w σʔλΛ+40/ʹͨ͠΋ͷΛCBTFͰFODPEF
    w TFDSFUΛLFZͱ͢Δվ᜵๷ࢭͷ)."$4)"Λ
 ͚ͭΔ

43. w ໰୊
    w BLJDUG
    R
    0OMJOF
    CBOLJOH
    w IUUQDUGLBUTVEPOPSHQSPCMFN
    w 42-
    JOKFDUJPO
    TFTTJPOվ᜵
    w

    TFDSFUΛࢦఆ͍ͯ͠ͳ͍

44. w .PKPMJDJPVTͰTFDSFUΛࢦఆ͍ͯ͠ͳ͍৔߹
 ܯࠂ͕ग़Δ͕ɺͱΓ͋͑ͣಈ͘
    w ͦͷͱ͖ʹ͸TFDSFUʹQBDLBHF໊͕ࢦఆ͞ΕΔ
    w .PKPMJDJPVT-JUFͷ৔߹͸ϑΝΠϧ໊
    w QBDLBHF໊͕஌ΒΕΔɺ΋͘͠͸༧ଌͰ͖Δ΋ ͷͰ͋Ε͹TFDSFU͕෼͔Δ

45. 1MBDL.JEEMFXBSF
    4FTTJPO$PPLJF

46. 1414682274.88017:BQoDAAAAAQiAAAAABWFkbWlu:. Storable::thaw(decode_base64('BQoDAAAAAQiAAAAABWFkbWlu')) { 'admin' => 0 } data HMAC

47. 1414683541.42553:BQoDAAAAAQiAAAAABWFkbWlu:
 bb33fc2e391e3d76edcbc8ffdcf66065d1d82862 my $data = encode_base64(Storable::freeze({ admin => 1, }));

    my $hash = hmac_sha1_hex($data, $SECRET); HMAC data

48. w σʔλΛ4UPSBCMFͰγϦΞϥΠζͨ͠΋ͷΛ CBTFͰFODPEF
    w TFDSFU͕ࢦఆ͞Ε͍ͯͨ৔߹
    w TFDSFUΛLFZͱ͢Δվ᜵๷ࢭͷ)."$4)"Λ
 ͚ͭΔ

49. w ηογϣϯվ᜵
    w σετϥΫλ࣮ߦ

50. w IUUQTTQFBLFSEFDLDPNNBMBIPXUP IBDLNFUBDQBOEPUPSH
    w IUUQTHJTUHJUIVCDPNNJZBHBXB CBGBEBDEE

51. ίϯςΩετ

52. w ίϯςΩετͱ͸
    w 1FSM͸୯਺ͱෳ਺Λผͱͯ͠ѻ͏
    w !GPP
    
    
    
     
    

    w !GPP
    ˠ
    
    
    
    w TDBMBS
    !GPP
    ˠ
    
    w ϦετΛ!BSSBZʹ୅ೖ͢Ε͹഑ྻʹɺIBTIʹ୅ ೖ͢Ε͹ϋογϡʹ
53. None

54. 1FSMͷίϯςΩετ͸ ѱ

55. w 1FSMͷಛ௃Ͱ΋͋Γɺݸਓతʹ͸݁ߏ޷͖
    w 5FOH͸ίϯςΩετʹԠͯ͡ಈ࡞Λม͑Δ
 ͜Ε͸࢖ͬͯͳ͍
    w NZ
    BSHT
    
    GPP
    
    
    !@

    
    Έ͍ͨͳ͜ͱ͕ Ͱ͖Δ
    w ศརͳ͜ͱ΋͋Ε͹ɺѱ͍͜ͱ΋͋Δ

56. w ໰୊
    w $5'֤Ґ
    MPHJOQBHF
    w IUUQBLJZNIBUFCMPKQFOUSZ 
    w ۠੾ΓจࣈɺDPOUFYUʹΑΔ੬ऑੑ

57. ϦετΛड͚औΔͱల։
    OBNFBQBTTCQBTTD

58. { ... pass => 'asdf', give_me_flag => 0, give_me_flag =>

    'give_me_flag', # true! 0 } VTFS\HJWF@NF@qBH^
    
    HJWF@NF@qBH

59. w 0EE
    OVNCFS
    PG
    FMFNFOUT
    JO
    BOPOZNPVT
    IBTI
    w VTF
    XBSOJOHT
    '"5"-
    
    BMM
    w ·͋΍ͬͯΒΕͳ͍
    

60. w IUUQXXXTPOHNVKQSJKJFOUSZ DHJQBSBNIUN
    w IUUQCMPHUPLVNBSVPSHOFX DMBTTPGWVMOFSBCJMJUZJOQFSMXFCIUNM

61. ·ͱΊ w Ҿ਺ͷPQFO
    w +40/
    42-J
    w ਖ਼نදݱͰͷFWBM
    w ΫϥΠΞϯταΠυηογϣϯ
    w

    ϋογϡͷϦετͷల։