Tweet
Tweet

Slide 1

Slide 1 text

$PNQVUFS4FDVSJUZBU/5645 *OOEZJOOEZUX!HNBJMDPN 8FC4FDVSJUZ5IF#BTJDT

Slide 2

Slide 2 text

4PVSDFDPEFPGIUUQTWVMTFDVSJUZOUVTUJTBWBJMBCMFBU IUUQTHJUIVCDPNJOOEZXFCTFD

Slide 3

Slide 3 text

XIPBNJ ˙ *OOEZ加啄 ˙ 1MBZ$5' ˙ 3FWFSTF&OHJOFFSJOH ˙ (BNF)BDLJOH ˙ JOOEZUX!HNBJMDPN

Slide 4

Slide 4 text

0VUMJOF ˙ *OUFSOFUBOE/FUXPSL ˙ 'SPOUFOE#BDLFOE ˙ )551 ˙ $PNNPO)551)FBEFST ˙ $PPLJF ˙ &ODPEJOH ˙ 44-5-4 ˙ 08"415PQ

Slide 5

Slide 5 text

*OUFSOFUBOE/FUXPSL

Slide 6

Slide 6 text

*OUFSOFUBOE/FUXPSL   1PSUPG,BPITJVOH

Slide 7

Slide 7 text

*OUFSOFUBOE/FUXPSL  XXXOUVTUFEVUX

Slide 8

Slide 8 text

*OUFSOFUBOE/FUXPSL '51  44)  5FMOFU 155  )551  )5514  .Z42-  3%1  7/$  3FEJT 

Slide 9

Slide 9 text

8FC"SDIJUFDUVSF

Slide 10

Slide 10 text

4FSWFS $MJFOU Ճ)551PWFS*OUFSOFUՃ

Slide 11

Slide 11 text

#BDLFOE 'SPOUFOE Ճ)551PWFS*OUFSOFUՃ

Slide 12

Slide 12 text

OHJOYBQBDIFMJHIUUQE 1)1QZUIPOSVCZ )5.-$44 +BWB4DSJQU Ճ)551PWFS*OUFSOFUՃ

Slide 13

Slide 13 text

8FC'SPOUFOE

Slide 14

Slide 14 text

)5.-

Slide 15

Slide 15 text

)5.- $44

Slide 16

Slide 16 text

)5.- $44 +BWB4DSJQU

Slide 17

Slide 17 text

8FC#BDLFOE

Slide 18

Slide 18 text

)5513FRVFTU

Slide 19

Slide 19 text

8IBUIBQQFOFEBGUFS&OUFS  $MJFOU ˙ %/4MPPLVQ *GOFFEFE  ˙ $SFBUF5$1DPOOFDUJPO ˙ 44-IBOETIBLF *GOFFEFE  ˙ $PNQPTFBOETFOE)551SFRVFTU

Slide 20

Slide 20 text

8IBUIBQQFOFEBGUFS&OUFS  4FSWFS ˙ "DDFQU5$1DPOOFDUJPO ˙ 1BSTFSFRVFTUIFBEFST ˙ $IFDLSPVUFSVMFT ˙ 'JMFPS3FWFSTFQSPYZ

Slide 21

Slide 21 text

8IBUIBQQFOFEBGUFS&OUFS  'JMFCBTFE ˙ $IFDLJGMFFYJTUT  ˙ *GOPU SFTQPOTFXJUIFSSPS ˙ *TJUBTUBUJDMF  ˙ *GTP TFOEJUUPDMJFOU ˙ 0UIFSXJTF DBMMSFTQPOEJOHQSPDFTTPS ˙ .BZCFBDHJ QIQ QFSMTDSJQU ˙ 4FOESFTQPOTFUPDMJFOU

Slide 22

Slide 22 text

8IBUIBQQFOFEBGUFS&OUFS  4PGUXBSFSVMFT ˙ 1BSTFSFRVFTUGSPN)551TFSWFS ˙ 3PVUF ˙ %JTQBUDIDPOUSPMMFS ˙ 1SPDFTTSFRVFTUBOE3FOEFSSFTQPOTFEBUB ˙ 4FOEJUCBDLUP)551TFSWFS ˙ 4FSWFSTFOESFTQPOTFEBUBUPDMJFOU

Slide 23

Slide 23 text

8IBUIBQQFOFEBGUFS&OUFS  $MJFOU ˙ (PUSFTQPOTFEBUB .BZCFB)5.-EPDVNFOU  ˙ 1BSTF)5.-BOE%PXOMPBESFMBUFEBTTFUT ˙ $44 *NBHF +BWB4DSJQU 'MBTI PS0UIFSNFEJBDPOUFOU ˙ 3FOEFSFOHJOFTUBSUXPSLJOHXJUI$44BOE)5.- ˙ 8FCLJU (FDLP #MJOL 5SJEFOU &EHF)5.- ˙ +BWB4DSJQUFOHJOFSVOUIFTDSJQUT ˙ 7 4QJEFS.POLFZ $BSBLBO $IBLSB 3IJOP

Slide 24

Slide 24 text

)551

Slide 25

Slide 25 text

)5513FRVFTU$PNQPTJUJPO POST /sqlinj/ HTTP/1.1 Host: vul.security.ntu.st Content-Length: 45 Content-Type: application/x-www-form-urlencoded title=title+text&msg=This+is+message+content. .FUIPE 1BUI 1SPUPDPM7FSTJPO "\r\n"JO$

Slide 26

Slide 26 text

)5513FRVFTU$PNQPTJUJPO POST /sqlinj/ HTTP/1.1 Host: vul.security.ntu.st Content-Length: 45 Content-Type: application/x-www-form-urlencoded title=title+text&msg=This+is+message+content. 3FRVFTU)FBEFST 3FRVFTU#PEZ .BZCFCJOBSZEBUB

Slide 27

Slide 27 text

)5513FTQPOTF$PNQPTJUJPO HTTP/1.1 200 OK Server: nginx Date: Thu, 06 Oct 2016 15:03:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1973 Connection: keep-alive ..... )5517FSTJPO 3FTQPOTF4UBUVT

Slide 28

Slide 28 text

)5513FTQPOTF$PNQPTJUJPO HTTP/1.1 200 OK Server: nginx Date: Thu, 06 Oct 2016 15:03:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1973 Connection: keep-alive ..... (1973 bytes) 3FTQPOTF)FBEFST 3FTQPOTF#PEZ .BZCFCJOBSZEBUB

Slide 29

Slide 29 text

-FUTUSZOD $ nc www.ntust.edu.tw 80 GET / HTTP/1.1 Host: www.ntust.edu.tw

Slide 30

Slide 30 text

)5514UBUVT$PEF ˙ 99 ˙ *UTOF ˙ 99 ˙ 3FEJSFDUJPO ˙ 99 ˙ *UTZPVSGBVMU ˙ 99 ˙ *UTNZGBVMU

Slide 31

Slide 31 text

)5514UBUVT$PEF ˙ 0, ˙ *UTBMMHPPE ˙ /P$POUFOU ˙ 3FRVFTUJTOFCVU*IBWFOPUIJOHUPUBML ˙ 1BSJUBM$POUFOU ˙ *IBWFQBSUPGEBUBGPSZPV

Slide 32

Slide 32 text

)5514UBUVT$PEF ˙ .PWFE1FSNBOFOUMZ ˙ 'PVOE ˙ 7FSZDPNNPOGPSSFEJSFDUJPO ˙ /PU.PEJFE ˙ $BDIFJTOF ˙ 5FNQPSBSZ3FEJSFDU

Slide 33

Slide 33 text

)5514UBUVT$PEF ˙ #BE3FRVFTU ˙ :PVKVTUHBWFNFXSPOHUIJOHT ˙ 6OBVUIPSJ[FE ˙ 'PSCJEEFO ˙ :PVBSFOPUBMMPXFEIFSF ˙ /PU'PVOE ˙ .FUIPE/PU"MMPXFE ˙ *NBUFBQPU ˙ 6OBWBJMBCMF'PS-FHBM3FBTPOT

Slide 34

Slide 34 text

)5514UBUVT$PEF ˙ *OUFSOBM4FSWFS&SSPS ˙ &YDFQUJPOSBJTFEJOZPVSDPEF ˙ #BE(BUFXBZ ˙ 6QTUSFBNPGSFWFSTFQSPYZJTEFBE ˙ 4FSWJDF6OBWBJMBCMF ˙ .BJOUFOBODFNPEF  ˙ (BUFXBZ5JNFPVU ˙ 6QTUSFBNPGSFWFSTFQSPYZUJNFPVU

Slide 35

Slide 35 text

8IBUTUIFEJFSFODF

Slide 36

Slide 36 text

)551.FUIPE (&5 1045 165 1"5$) %&-&5& 015*0/4 )&"% $0//&$5 53"$& $034 "QBDIFEFCVHQVSQPTF )551QSPYZ /PSFTQPOTFCPEZ

Slide 37

Slide 37 text

)551.FUIPE ˙ (&5 ˙ %PXOMPBETPNFUIJOHGSPNXFCTJUF ˙ 1045 ˙ 4FOETPNFUIJOHUPXFCTJUF ˙ )&"% ˙ +VTUHJWFNFSFTQPOTFIFBEFST CVU*EPOUXBOUCPEZ ˙ 53"$& ˙ "QBDIFXJMMSFUVSOXIPMFSFRVFTUBTQMBJOUFYUUPZPV ˙ $0//&$5 ˙ 4QFDJBMNFUIPEGPSQSPYZUPEFBMXJUI)5514SFRVFTU

Slide 38

Slide 38 text

)551.FUIPE 3&45GVM"1* ˙ (&5 ˙ (FUMJTUBSFTPVSDF ˙ 1045 ˙ $SFBUFBOFXSFTPVSDF ˙ 165 ˙ 3FQMBDFBOFYJTUFESFTPVSDF ˙ 1"5$) ˙ 1BSUJBMVQEBUFBOFYJTUFESFTPVSDF ˙ %&-&5& ˙ %FMFUFBOFYJTUFESFTPVSDF

Slide 39

Slide 39 text

$PNNPO3FRVFTU)FBEFST&TTFOUJBM ˙ )PTUOUVTU ˙ 3FRVJSFE ˙ :PVDBOIBWFNVMUJQMFXFCTJUFPOPOF*1IPTU

Slide 40

Slide 40 text

$PNNPO3FRVFTU)FBEFST$PNNPO ˙ "DDFQUUFYUIUNMUFYUQMBJO ˙ 8IJDIUZQFPGDPOUFOUEPFTDMJFOUBDDFQU  ˙ "DDFQU&ODPEJOH H[JQ]EFBUF]TEDI]C[JQ]Y[  ˙ )PXUPDPNQSFTTEBUB ˙ "DDFQU-BOHVBHF[IUXFO ˙ 8IBUMBOHVBHFEPZPVQSFGFS  ˙ "MPUPGXFCTJUFDPOTJEFS[IUXBT[I

Slide 41

Slide 41 text

$PNNPO3FRVFTU)FBEFST$PNNPO ˙ 3FGFSFS63- ˙ 8IFSFEJEZPVGSPN  ˙ 8FCQBHFBDPNCIUNMIBWF ˙ 3FRVFTUUPCDPNBKQHDPOUBJOTIFBEFS • Referer: http://a.com/b.html ˙ 1SJWBDZJTTVF ˙ KNQESPQCPYSFGFSFSWVM

Slide 42

Slide 42 text

$PNNPO3FRVFTU)FBEFST$PNNPO ˙ 6TFS"HFOU.P[JMMB .BDJOUPTI*OUFM.BD049SW  (FDLP'JSFGPY ˙ *UUFMMTTFSWFSXIJDICSPXTFS041MBUGPSNBSFZPVVTJOH ˙ 3FEJSFDUHPHPPHMFDPNDISPNFJG*&EFUFDUFE ˙ 5FMMTTFSWFSXIJDIFYQMPJUQBZMPBEUPTFOE ˙ #BEGPSQSJWBDZ UPP

Slide 43

Slide 43 text

$PNNPO3FRVFTU)FBEFST"VUIFOUJDBUJPO ˙ "VUIFOUJDBUJPO #BTJD]#FBSFS "65)@50,&/ ˙ "VUIUPLFOJTVTVBMMZCBTFTUSJOH ˙ CBTF 64&3/".&1"44803% GPS)551 CBTJDBVUIFOUJDBUJPO ˙ 0"VUIVTFT#FBSFS

Slide 44

Slide 44 text

$PNNPO3FRVFTU)FBEFST$POOFDUJPO ˙ $POOFDUJPOLFFQBMJWF ˙ 5$1IBOETIBLFJTFYQFOTJWF TPXFXBOUUPSFVTFFYJTUFEDPOOFDUJPO ˙ "TLTFSWFSOPUUPTIVUEPXO5$1DPOOFDUJPOBGUFSUIJTSFTQPOTF ˙ 4VQQPSUFETJODF)551 ˙ 3FTQPOTFIFBEFSTXJMMDPOUBJOTBNFIFBEFSJGTFSWFSTVQQPSUTJU ˙ *UTVTFGVMBOEJNQPSUBOUUPFYQMPJUTPNFCVH FY"4-3QSPUFDUJPO

Slide 45

Slide 45 text

$PNNPO3FRVFTU)FBEFST3FRVFTU#PEZ ˙ $POUFOU-FOHUI ˙ *UNFBOTXFIBWFCZUFTPGCPEZDPOUFOUBGUFSSFRVFTUIFBEFST ˙ $POUFOU5ZQF.*.& • application/x-www-form-urlencoded ˙ /PSNBMGPSNQPTU • multipart/form-data; boundary=$RANDOM_STRING ˙ 4UBOEBSEMFVQMPBEUBLFTUIJT ˙ UZQJDBMCPVOEBSZGPSXFCLJU----WebKitFormBoundaryo3CVe... ˙ application/jsonGPS8FC"1*

Slide 46

Slide 46 text

$PNNPO3FRVFTU)FBEFST.JTD ˙ %/5 ˙ %P/PU5SBDL ˙ 93FRVFTUFE8JUI9.-)UUQ3FRVFTU ˙ 'PS"+"9SFRVFTUT ˙ 3BOHFCZUFT ˙ 3FRVFTUQBSUJBMDPOUFOU %PZPVLOPX'MBTI(FU  ˙ .VMUJUISFBEFEMFEPXOMPBE ˙ 9'PSXBSEFE'PS ˙ 1SPYZNBZBEEUIJTIFBEFSXIJMFGPSXBSEJOHSFRVFTUUPUBSHFUTFSWFS

Slide 47

Slide 47 text

$PNNPO3FTQPOTF)FBEFST3FTQPOTF#PEZ ˙ $POUFOU-FOHUI ˙ 5IJT)551SFTQPOTFIBTCZUFTPGCPEZDPOUFOU ˙ $POUFOU&ODPEJOH H[JQ]EFBUF]TEDI]C[JQ]Y[  ˙ *OEJDBUFXIBUDPNQSFTTJPONFUIPEXBTVTFEXJUISFTQPOTFEBUB ˙ $POUFOU5ZQF.*.& ˙ text/html; charset=utf-8JTWFSZDPNNPOJONPEFSOXFCQBHFT ˙ &5BH)"4) ˙ )BTIWBMVFGPSDBDIFEBUB

Slide 48

Slide 48 text

$PNNPO3FTQPOTF)FBEFST3FEJSFDU ˙ -PDBUJPOIUUQTHPPHMFDPN ˙ 3FEJSFDUJNNFEJBUFMZ ˙ 3FGSFTIVSMIUUQTTFDVSJUZOUVTU ˙ 3FEJSFDUCVUEFMBZGPSTFDPOET VTFGVMUPTIPXTPNFNFTTBHF

Slide 49

Slide 49 text

$PNNPO3FTQPOTF)FBEFST.JTD ˙ 4FSWFSOHJOY ˙ )BDLFSTXJMMCFIBQQZUPLOPXXIJDI)551TFSWFSZPVBSFVTJOH ˙ 91PXFSFE#Z1)1 ˙ )BDLFSTXJMMCFIBQQZUPLOPXXIBUMBOHVBHFZPVBSFVTJOH UPP ˙ %BUF5IV 0DU(.5 ˙ 4PNFTFSWFSTFOETEBUF JUTBHPPEXBZUPPCUBJOEBUF

Slide 50

Slide 50 text

$PNNPO3FTQPOTF)FBEFST4FDVSJUZ ˙ 99441SPUFDUJPONPEFCMPDL ˙ #BTJD944QSPUFDUJPO EFGBVMUFOBCMFEJO(PPHMF$ISPNF ˙ 3FGVTFUPFYFDVUF+4XIJDIBQQFBS ˙ 9'SBNF0QUJPOTEFOZ ˙ $BOUIJTXFCQBHFQVUUFEJOBJGSBNF  ˙ $POUFOU4FDVSJUZ1PMJDZ ˙ *UTDPNQMJDBUFE JUQSPWJEFEBCVODIPGTFDVSJUZQSPUFDUJPO

Slide 51

Slide 51 text

$PPLJFT

Slide 52

Slide 52 text

ˊ8JLJQFEJB չ$PPLJFJTBTNBMMQJFDFPGEBUBTFOUGSPNB XFCLJUBOETUPSFEJOUIFVTFSTXFCCSPXTFS XIJMFUIFVTFSJTCSPXTJOHպ

Slide 53

Slide 53 text

$PPLJF ˙ "DPPLJFDPOUBJOT ˙ /BNF ˙ 7BMVF ˙ %PNBJO ˙ 1BUI ˙ .BY"HF ˙ )5510OMZ'MBH ˙ 4FDVSF'MBH

Slide 54

Slide 54 text

$PPLJF ˙ IUUQTWVMTFDVSJUZOUVTUDPPLJF ˙ IUUQTWVMTFDVSJUZOUVTUDPPLJFTJOHMFQIQ ˙ 4FU$PPLJFTJOHMF@DPPLJFEBUB PG TJOHMF DPPLJF ˙ -FUTPCTFSWFJUJO$ISPNFTEFWFMPQFSUPPMT

Slide 55

Slide 55 text

$PPLJFBOE4FTTJPO ˙ 4FTTJPOJOEJFSFOUGSBNFXPSLNBZIBWFUIFJSJNQMFNFOUBUJPO ˙ #VUUIFZIBWFTBNFJEFB ˙ 4UPSFEBUBJOTPNFXIFSFTBGFUZBOEHJWFZPVUIFLFZ TFTJTPOJE  ˙ &ODSZQUFEDPPLJF ˙ $BDIFTFSWJDF 3FEJT .FNDBDIFE  ˙ 5FNQPSBSZMF 1)1TEFGBVMUTFTTJPO  ˙ 4UPSFEJOEBUBCBTF

Slide 56

Slide 56 text

&ODPEJOH5FYU&ODPEJOH

Slide 57

Slide 57 text

&ODPEJOH ˙ )PXUPFYQSFTTBOVNCFS  ˙ CJO#JOBSZ ˙ PJO0DUBM ˙ JO%FDJNBM ˙ YBDJO)FY ˙ =YD=YB=Y=YJOCZUFTMJUUMFFOEJBOJOUFHFS

Slide 58

Slide 58 text

5FYU&ODPEJOH ˙ )PXUPFYQSFTTBDIBSBDUFS" ˙ STUBMQIBCFUJOVQQFSDBTF ˙ " ˙ BTDJJDPEFY

Slide 59

Slide 59 text

5FYU&ODPEJOH ˙ )PXUPFYQSFTTBDIBSBDUFS꽺 ˙ 꽺 ˙ 6OJDPEFYFE ˙ #JH&ODPEJOH=YD=Y ˙ 4UBUJDNBQQJOH ˙ 65'&ODPEJOH=YF=YB=YBE ˙ 8FIBWFBSVMFUPUSBOTGPSNCFUXFFOVOJDPEFBOE65'

Slide 60

Slide 60 text

&ODPEJOH 4(7TC(T*'EWDNYL*2

Slide 61

Slide 61 text

&ODPEJOH ˙ 8FBMTPIBWFPUIFSFODPEJOH ˙ )FYFODPEF ˙ CBTF ]] FODPEF ˙ 63-&ODPEF

Slide 62

Slide 62 text

44-5-4

Slide 63

Slide 63 text

44-5VOOFM GET /user/login.php HTTP/1.1.... $MJFOU 4FSWFS

Slide 64

Slide 64 text

openssl s_client -host google.com -port 443

Slide 65

Slide 65 text

08"415PQ

Slide 66

Slide 66 text

08"41 0QFO8FC"QQMJDBUJPO4FDVSJUZ1SPKFDU

Slide 67

Slide 67 text

"6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET ˙ 4PNFUJNFTZPVOETPNFUIJOHJO63- ˙ FYBNQMFDPNMPHJOQIQ SFEJSFDUIPNFQIQ ˙ 8FDIBOHFSFEJSFDUUPBQIJTIJOHTJUF BOETFOEJUUPTPNFPOF ˙ FYBNQMFDPNMPHJOQIQ SFEJSFDUNBMXBSFDPNIPNFQIQ

Slide 68

Slide 68 text

"6TJOH$PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT ˙ 7VMOFSBCJMJUJFTJOUIJSEQBSUZMJCSBSZ ˙ &YDLFEJUPS

Slide 69

Slide 69 text

"$SPTT4JUF3FRVFTU'PSHFSZ $43' ˙ 4FOESFRVFTUGSPNBOPUIFSEPNBJO ˙ JNHTSDFYBQMFDPNMPHPVUQIQ ˙ IUUQTVQFSMPHPVUDPN ˙ &YQMPJU944CVHUPNBLFBGPSNBOEQPTUJU

Slide 70

Slide 70 text

".JTTJOH'VODUJPO-FWFM"DDFTT$POUSPM ˙ *DBODIBOHFPUIFSVTFSTQBTTXPSECVU*NOPUBENJO • curl https://vul.security.ntu.st/sqlinj/ --data 'truncate_confirm=1'

Slide 71

Slide 71 text

"4FOTJUJWF%BUB&YQPTVSF ˙ IUUQTWVMTFDVSJUZOUVTUTRMJOKDPOHJOD

Slide 72

Slide 72 text

"4FDVSJUZ.JTDPOHVSBUJPO • google('"index of"') ˙ 4PNFUJNFT JUMFBLTTPNFVTFGVMJOGPSNBUJPOUPIBDLFST

Slide 73

Slide 73 text

"*OTFDVSF%JSFDU0CKFDU3FGFSFODFT ˙ *VQMPBEFENZQSJWBUFQIPUPTUPTPNFXFCEJTL CVUBOZPOFDBO EPXOMPBEJUXJUIMFBLFE63-/PBDDFTTDPOUSPMPOUIBUMF

Slide 74

Slide 74 text

"$SPTT4JUF4DSJQUJOH 944 • ">alert(1)

Slide 75

Slide 75 text

"#SPLFO"VUIFOUJDBUJPOBOE4FTTJPO.BOBHFNFOU • function is_admin() {
 return $_COOKIE['role'] == 'admin;
 } ˙ %FNP

Slide 76

Slide 76 text

"*OKFDUJPO • ' or '' = ' ˙ %FNP

Slide 77

Slide 77 text

4PNF6TFGVM5PPMT

Slide 78

Slide 78 text

#VSQ4VJUF

Slide 79

Slide 79 text

)BDLCBS

Slide 80

Slide 80 text

$PPLJF.BOBHFS

Slide 81

Slide 81 text

.PEJGZ)FBEFST

Slide 82

Slide 82 text

6TFS"HFOU4XJUDIFS

Slide 83

Slide 83 text

8BQQBMZ[FS