Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Best Practices - The Upload

Orange
August 21, 2024
0
16

Best Practices - The Upload

Webconf 2013

Orange

August 21, 2024
Tweet

More Decks by Orange

See All by Orange
Security in PHP 那些在滲透測試的小技巧
p8361
0
22
網頁安全 Web Security 入門
p8361
0
32
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
p8361
13
36k
那些 Web Hacking 中的奇技淫巧
p8361
16
14k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
p8361
6
12k
PHPConf 2013 - 矛盾大對決
p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
p8361
15
12k
駭客看 Django
p8361
25
12k

Featured

See All Featured
Become a Pro
speakerdeck
PRO
24
5k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
505
140k
Scaling GitHub
holman
458
140k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
42
2.2k
How GitHub (no longer) Works
holman
310
140k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Why You Should Never Use an ORM
jnunemaker
PRO
53
9k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
27
1.9k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
32
1.8k
Designing for Performance
lara
604
68k
Building Your Own Lightsaber
phodgson
102
6.1k

Transcript

  1. 2013/01/13 @ WebConf <[email protected]>

  2. • aka Orange • 2009 • 2011, 2012 • 2011

    AVTOKYO • 2012 PHP Conf • 2012 VXRLConf • – – Web Security – Windows Vulnerability Exploitation

  3. • CHROOT Security Group • NISRA • Disclosed – MS12-071

    / CVE-2012-4775 • http://blog.orange.tw/
  4. None
  5. None

  6. 1. Reconnaissance – Google Hacking, Reversed Whois, AXFR …… 2.

    Scanning – SYN/ACK Scan, TCP NULL/FIN/Xmas/Mainmon/Window Scan, SCTP INIT Scan, Hydra, Nessus …… 3. Gaining Access – Heap/Stack/V-table Overflow, ROP, Heap Spray, System Misconfiguration, Metasploit, Exploit Database …… 4. Maintaining Access – Privilege Escalation, Trojan, Backdoor, Rootkit, Code/DLL Injection, API Hook, LD_PRELOAD, Anti AV/Debugger …… 5. Clearing Tracks – Syslog, WTMP/UTMP, Event Log, Shell(Bash/Explorer) ……
  7. None

  8. – Upload? – Web log? Dabase log?

  9. • • – <?php eval( $_REQUEST[cmd] );?> – Runtime.getRuntime().exec( cmd

    ) – <%eval request("cmd") %> – __import__('os').system(cmd)

  10. https://github.com/evilcos/python-webshell/

  11. None
  12. None
  13. None
  14. None
  15. None
  16. None
  17. None

  18. http://www.lu-chen.com/

  19. None
  20. None

  21. • – PHP CGI PATH_INFO • – /index.php/module/login – /index/module/login

    • – /userfiles/mypic.jpg – /userfiles/mypic.jpg/nihao.php

  22. • – Huffman table – EXIF • – copy /b

    rst.jpg+backdoor.php dst.jpg • – http://orange.tw/exif.jpg
  23. None
  24. None

  25. • • • •

  26. • – – – • – php phtml php3 php4

    php5 – asp asa cer cdx shtml – aspx asax ascx ashx asmx http://www.hitcon.org/download/2010/5_Flash Exploit.pdf#Page.20
  27. None

  28. – AddHandler application/x-httpd-php .jpg • – .php*

  29. None

  30. https://speakerdeck.com/allenown/the-internet-is-not-safe-webconf-taiwan-2013

  31. https://www.facebook.com/TWWDB

  32. (htaccess ^ ^)

  33. • • – user.jpg  .jpg – user.php.jpg  .jpg

    – user.php.xxx  .php – user.php.xxx.ooo  .php
  34. None

  35. • – IIS < 7 – Asp.net ^__< • –

    http://webconf.orange.tw/files/a.asp/user.jpg • – http://webconf.orange.tw/files/user.asp;aa.jpg user.asp;aa.jpg
  36. None
  37. None

  38. filename Content-Type File header

  39. None

  40. • Update your sense and software. • User controlled filename

    is always dangerous. – Whatever filename, extension or temporary filename. • Use Image library to valid or strip the image. • Disabled the directory’s execution permission you uploaded to.

  41. • • – htaccess • – Apache – IIS •

  42. None

  43. Q & A

  44. [email protected]