Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PHPサイバーテロの技法 書籍紹介

Avatar for ikuwow ikuwow
June 06, 2015
Programming
0
950

PHPサイバーテロの技法 書籍紹介

社内勉強会で「PHPサイバーテロの技法」を紹介しました
http://ikuwow.website/entry/php-cyberterro/

Avatar for ikuwow

ikuwow

June 06, 2015
Tweet

More Decks by ikuwow

See All by ikuwow
Elasticsearch on EC2からAmazon Elasticsearch Serviceに 移行してだいぶ楽になった話
Avatar for ikuwow ikuwow
0
3.5k
意外と使える! Alibaba Cloud
Avatar for ikuwow ikuwow
0
240
teratailの解析基盤をEFKで作っていろいろ楽しい話
Avatar for ikuwow ikuwow
0
870
UNIXという考え方
Avatar for ikuwow ikuwow
1
2k
技術書紹介 パーフェクトPHP
Avatar for ikuwow ikuwow
0
2.1k
みんなもMiddlemanで技術ブログ作って幸せになろう!
Avatar for ikuwow ikuwow
0
970

Other Decks in Programming

See All in Programming
r2-image-worker
Avatar for Yusuke Wada yusukebe
1
180
詳細の決定を遅らせつつ実装を早くする
Avatar for shimabox shimabox
2
1.3k
AIの弱点、やっぱりプログラミングは人間が(も)勉強しよう / YAPC AI and Programming
Avatar for Naoki Kishida kishida
13
5.4k
TVerのWeb内製化 - 開発スピードと品質を両立させるまでの道のり
Avatar for TVer Inc. techtver
PRO
3
1.2k
GraalVM Native Image トラブルシューティング機能の最新状況(2025年版)
Avatar for NTTドコモソリューションズ Java担当 ntt_dsol_java
0
170
GeistFabrik and AI-augmented software development
Avatar for Ade Oshineye adewale
PRO
0
180
関数の挙動書き換える
Avatar for takato fukui takatofukui
4
750
251126 TestState APIってなんだっけ?Step Functionsテストどう変わる?
Avatar for Takumi Abe east_takumi
0
230
How Software Deployment tools have changed in the past 20 years
Avatar for Geshan Manandhar geshan
0
10k
Java_プロセスのメモリ監視の落とし穴_NMT_で見抜けない_glibc_キャッシュ問題_.pdf
Avatar for NTTドコモソリューションズ Java担当 ntt_dsol_java
0
230
Flutterアプリ運用の現場で役立った監視Tips 5選
Avatar for Takuma Osada ostk0069
1
520
AWS CDKの推しポイントN選
Avatar for アキキー akihisaikeda
1
210

Featured

See All Featured
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
46
2.6k
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
210
24k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
55
12k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
413
23k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
659
61k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
52
3.5k
BBQ
Avatar for Matthew Crist matthewcrist
89
9.9k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
234
18k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
72
12k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
253
22k
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
186
22k

Transcript

  1. ॻ੶঺հɿ PHPαΠόʔςϩͷٕ๏ ʙ߈ܸͱ๷ޚͷ࣮ࡍʙ 2015/06/03(Fri) Ι͘Λʢikuwowʣ

  2. ࣗݾ঺հ • Ι͘Λʢikuwowʣ • झຯ αʔόʔߏஙɾ؅ ཧࣗಈԽ • ϚΠϒʔϜ ࿥ըαʔόʔ

    • ޷͖ͳ৭ ࢵ @ikuwow 

  3. ֓ཁ • ஶऀ GIJOE • AmazonϨϏϡʔ਺18ɺ
 ධՁ4.6 • 2005೥ॳ൛ୈ1࡮ൃߦ
 2011೥ॳ൛ୈ10࡮ൃߦ

     ʁʂ

  4. ຊͷ໨࣍ 1.WebΞϓϦέʔγϣϯͷηΩϡϦςΟͱ͸ 2.WebΞϓϦέʔγϣϯΛ࣮ࡍʹ߈ܸͯ͠ΈΑ͏ 3.߈ܸํ๏14छྨ૯͟Β͑ 4.WebΞϓϦέʔγϣϯηΩϡϦςΟͷཧ࿦ 5.HTTPηογϣϯ͔Β߈ܸͷຊ࣭Λ஌Δ 6.੬ऑੑεΩϟφʔΛར༻͢Δ 7.νϟʔτࣜ:੬ऑੑͷݟ͚ͭํ  ͍ΘΏΔʮWebηΩϡϦςΟͷຊʯ

    ex. XSSɺCSRFɺSQLΠϯδΣΫγϣϯɺ…

  5. ͜ͷຊͷಛ௃ΛҰݴͰݴ͏ͱ 

  6. ߈ܸํ๏ʹ஫໨ͨ͠ WebηΩϡϦςΟͷ ϨϑΝϨϯε

  7. ʮຊॻͰ͸ɺ߈ܸํ๏Λղઆ͠ɺ ͦΕʹର͢Δద੾ͳ๷ޚํ๏Λ ໌͍ࣔͯ͠·͢ɻ ։ൃऀ͕҆શͰ߈ܸʹڧ͍ ΞϓϦέʔγϣϯΛ࡞Δ্Ͱɺ ඞཁͳ஌ࣝΛ͜ͷҰ࡭ʹڽॖɻʯ ʢຊͷଳΑΓʣ

  8. ͜ͷຊͷελϯε • ʮηΩϡϦςΟ͸߈ܸํ๏͋Γ͖ʯ • ʮຊॻ࠷େͷςʔϚ͸໢ཏੑͰ͢ʯ
 ʮશ14छͷ߈ܸํ๏ʯ • ʮWebʹ͓͚ΔηΩϡϦςΟରࡦ͸Webඪ४Խ΍ MVCΑΓ΋͸Δ͔ʹ༏ઌ౓͕ߴ͘ɺݴޠͷجૅจ ๏ͷ͙࣍͢ʹ֮͑Δ΋ͷʯ

     ʢʮ͸͡ΊʹʯΑΓʣ

  9. ಙؙຊͱൺֱ ɾ੬ऑੑʹ஫໨
 ɾಡΈ෺త ɾ߈ܸํ๏ʹ஫໨
 ɾϨϑΝϨϯεత

  10. ͦͷଞΑ͍ͱ͜Ζ • ઌʹαϯϓϧίʔυΛग़ͯ͠߈ܸΛࢼΈΔ • ʮରࡦࣦഊྫʯʮෳ਺ͷରࡦྫʯʮϝϦο τɾσϝϦοτʯͳͲ಺༰͕ॆ࣮͍ͯ͠Δ  <?php // ੬ऑੑ

    readfile(‘/home/username/mydata/‘.$_GET[‘file_name’]); // ରࡦࣦഊྫ readfile(‘/home/user/name/mydata/’.str_replace(‘../‘,’’, $_GET[‘file_name’])); // ରࡦ੒ޭྫ readfile(‘/home/user/name/mydata/’.basename($_GET[‘file_name’]));

  11. ಡΜͰಘΒΕͨҰͭͷڭ܇ 

  12. ϢʔβʔΛ ৴༻͠ͳ͍

  13. ϢʔβʔΛ৴༻͠ͳ͍ • ΞϓϦέʔγϣϯʹͲΜͳϦΫΤετ͕ඈΜͰ͘Δ͔Θ͔Βͳ͍ • Ϣʔβʔ͔Βͷೖྗ͸ৗʹ࠷ѱͷঢ়گΛߟ͑Δ • Ϣʔβʔ͔Βͷೖྗ͸ಟΛ͍࣋ͬͯΔͱߟ͑Δ • => αχλΠζʢhtmlspecialchars()ɺ໌ࣔతͳΩϟετɺಈతͳ

    ϑΝΠϧಡΈࠐΈɾ࣮ߦΛڐ͞ͳ͍ɺ… etc. Ϣʔβʔ͔ΒͷೖྗΛ௚઀γεςϜʹ౉͞ͳ͍͜ͱ͕ॏཁ

  14. ͜ͷຊΛಡΉͱ͖ͷ஫ҙ఺

  15. ݹ͍

  16. ݹ͍ • 2005೥12݄ॳ൛ୈҰ࡮ൃߦ • PHP͕ݹ͍ʢPHP4ʙ5.1ʣ
 ɾmysql_query(), register_globals, safe_mode, … etc.

    • ίʔυ΍ؔ਺ʹ͍ͭͯͷ෦෼͸ඞͣ
 PHPͷυΩϡϝϯτΛࢀর͠ͳ͕ΒಡΉ͜ͱ

  17. ಡΉͱ͍͍ਓ • MVCϑϨʔϜϫʔΫʹ؁΍͔͞Εͨ
 ΏͱΓWebʢPHPʣΤϯδχΞ  42-ΠϯδΣΫγϣϯͳΜͯ ϑϨʔϜϫʔΫ͕ରࡦͯ͘͠ΕΔͰ͠ΐʁ )551ϔομͱ͔ ݟͯ΋Α͘Θ͔Γ·ͤΜ

  18. ͳΜͷ໾ʹཱ͔ͭ • ʮ͜ΕηΩϡϦςΟʹ݀͋Δɾɾɾʁʯͱࢥͬ ͨ࣌ʹऔΓग़ͯ֬͠ೝ • ߈ܸऀͷ໨ઢͰηΩϡϦςΟΛ֬ೝͰ͖Δ • ຊ౰ʹରࡦ͞Ε͍ͯΔ͔ෆ҆ʹͳͬͯϑϨʔ ϜϫʔΫͷιʔεΛಡΈͨ͘ͳΔ 

  19. ·ͱΊ • ʮPHPαΠόʔςϩͷٕ๏ʯ͸߈ܸํ๏ʹ஫໨ͨ͠Web ηΩϡϦςΟͷϨϑΝϨϯεɻͨ·ʹಡΈͨ͘ͳΔຊɻ • ֶ΂ΔηΩϡϦςΟͷݪଇ
 ʮϢʔβʔΛ৴༻͠ͳ͍ʯ • ٕज़ॻͱͯ͠͸͔ͳΓݹ͍ຊͳͷͰ
 10೥ͱ͍͏࣌୅ͷҧ͍ʹ஫ҙ

    ͝ਗ਼ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠

  20. ҎԼิॿεϥΠυ 

  21. ʮશ14छͷ߈ܸํ๏ʯ 1.XSSʢΫϩεαΠτεΫϦϓςΟϯάʣ 2.ίϯςϯπ಺ʹJavaScriptຒΊࠐΈ 3.SQLΠϯδΣΫγϣϯ 4.CSRFʢΫϩεαΠτϦΫΤετϑΥʔδΣϦʣ 5.ψϧόΠτ߈ܸ 6.σΟϨΫτϦτϥόʔαϧ 7.؀ڥม਺Ԛછ߈ܸ 8.HTTPϨεϙϯε෼ׂ߈ܸ 9.ΠϯΫϧʔυ߈ܸ

    10.evalར༻߈ܸ 11.֎෦ίϚϯυ࣮ߦ߈ܸ 12.ϑΝΠϧΞοϓϩʔυ߈ܸ 13.ηογϣϯϋΠδϟοΫ 14.εύϜϝʔϧ౿Έ୆߈ܸ શ14छͱஅݴͯ͠Δ => ໢ཏੑ 

  22. ࡞ऀ • GIJOEʢຊ໊ ޙ౻ๆཅʣ • ౦ژग़਎ɻେֶ࣌୅͸ੜ෺ֶΛઐ߈͠…ʢུʣ • ߴ໦ߒޫࢯͱGIJOEࢯͷ࿦૪ʹ͍ͭͯɺGIJOEࢯ ʹ൓࿦ͯ͠ΈΔ
 http://blogs.yahoo.co.jp/quitthemusic/

    24047659.html