Slide 1
Slide 1 text
߈ܸͱޚͰ࣮ફ͢ΔϓϩμΫτηΩϡϦςΟԋश
ʙಋೖύʔτʙ
ग़Ո ༞و
๎
Slide 2
Slide 2 text
ΠϯτϩμΫγϣϯ
2
Slide 3
Slide 3 text
3
ग़Ո༞و / Yuki Ideya
• ݄ʙ 3&%5&".ॴଐ
• ͦΕҎલۚ༥ܥͷ4*FSɺηΩϡϦςΟϕϯμʔͰެிͷڭҭࣄ
ۀͳͲ͍ͬͯ·ͨ͠
ʲ࠷ۙϋϚ͍ͬͯΔ͜ͱɾࠓޙΓ͍ͨ͜ͱʳ
• ੜ"*ͷηΩϡϦςΟपΓษڧͨ͠Γͱ͔ ηΩϡϦςΟҎ֎ͷࣝ
՝ײʜʂ
• ͷௐࢠ͕ຫੑతʹѱ͍ͷͰɺͣ˓ͩΜͱ͔ͱੜ"*ͰΓΛΘ
Γʹͬͯ͘ΕΔΈΛࡧத
• ւಓ͔ΒϦϞʔτͰಇ͍ͯͯग़ࣾ΄΅ͳ͍ͷͰ߈ΊͨαϒΧϧͬΆ
͍ΛങͬͨΓ͢ΔͷͰ͕͢ɺணΔ໘͕ͳ͍ͯͭ͘ޙչ͠·͢
ظͷ࣋පͰͷௐࢠ͕ѱΊͳͷͰ֏͍ͳͲͰ͓ฉ͖͍ۤ͠໘͕͋Δ͔͠Ε·ͤΜɻ
ͪΌΜͱ࠷ޙ·ͰίϯςϯπΛ͓ಧ͚Ͱ͖ΔΑ͏४උສͳͷͰ҆͝৺͍ͩ͘͞ʜʂ
Slide 4
Slide 4 text
4
๎ / Tomoya Nakanishi
• य़ʙ 3&%5&".ॴଐ
• ϦΫϧʔτ৽ଔೖࣾ
ʲ࠷ۙϋϚ͍ͬͯΔ͜ͱɾࠓޙΓ͍ͨ͜ͱʳ
• ϖωτϨʔγϣϯςετͷࢿ֨ษڧɺҰ൪࠷ۙऔͬͨͷ04&1
• μΠϏϯάʹߦ͘ճ͕૿͍͑ͯΔ
Slide 5
Slide 5 text
5
ඇެ։
Slide 6
Slide 6 text
ಋೖฤ(1)ͷΞδΣϯμ
6
ΠϯτϩμΫγϣϯ
ԋशڥΛ৮ͬͯΈΑ͏
3. ϓϩμΫτηΩϡϦςΟͱ੬ऑੑ
4. WebΞϓϦέʔγϣϯʹ͓͚Δ੬ऑੑͱ߈ܸख๏
5. ੬ऑੑͷରࡦ
6. WebΞϓϦέʔγϣϯʹର͢Δ߈ܸख๏ΛΑΓৄ͘͠
ษڧ͍ͨ͠ํ
Slide 7
Slide 7 text
ࠓճͷߨٛ
߈ܸ ͱ ޚ Ͱ࣮ફ͢ΔϓϩμΫτηΩϡϦςΟԋशͰɺ
7
߈ܸऀ͕ͲͷΑ͏ʹ੬ऑੑΛѱ༻͢Δͷ͔ΛΔ͜ͱͰɺ
ਖ਼͘͠੬ऑੑΛमਖ਼͢ΔͨΊͷࣝͱํ๏
Λʹ͚ͭΔ͜ͱΛతͱ͠·͢
Slide 8
Slide 8 text
• ڐՄ͞ΕͨγεςϜҎ֎ʹࢼ͞ͳ͍͜ͱ
ʢෆਖ਼ΞΫηεېࢭ๏ʣ
• ਖ਼ͳཧ༝ͳ͘ϚϧΣΞΛऔಘɾอ༗͠ͳ͍͜ͱ
ʢෆਖ਼ࢦྩి࣓తهʹؔ͢Δࡑʣ
• Πϯλʔωοτ্Ͱ͞ΕΔιϑτΣΞͷར༻࣌ʹɺͦΕΒͷ৴པੑΛ
ࣄલʹ֬ೝ͢Δ͜ͱ
ʢใηΩϡϦςΟରࡦج४ʣ
ҙࣄ߲
8
͜ͷߨٛͰ࣮ࡍʹѱ༻͕ՄೳͳίʔυΛऔΓѻ͍·͢ɻ
औΓѻ͍ʹेʹҙ͍ͯͩ͘͠͞ɻ
Slide 9
Slide 9 text
ԋशڥΛ৮ͬͯΈΑ͏
9
Slide 10
Slide 10 text
10
ඇެ։
Slide 11
Slide 11 text
11
ඇެ։
Slide 12
Slide 12 text
12
ඇެ։
Slide 13
Slide 13 text
1-1. ػೳΛࢼ͠ͳ͕ΒιʔείʔυΛݟͯΈ·͠ΐ͏
1-2. ʲൃలʳ੬ऑੑΛ୳ͯ͠Έ·͠ΐ͏
13
ԋश1ɿԋशڥΛ৮ͬͯΈ·͠ΐ͏(࣮ࢪ࣌ؒ: 15)
Slide 14
Slide 14 text
ϓϩμΫτηΩϡϦςΟͱ੬ऑੑ
14
Slide 15
Slide 15 text
15
ηΩϡϦςΟ্ͷऑ͕͋ΔϓϩμΫτΛ࡞ΔͱͲ͏ͳΔʁ
Slide 16
Slide 16 text
16
ඇެ։
Slide 17
Slide 17 text
17
ඇެ։
Slide 18
Slide 18 text
18
ඇެ։
Slide 19
Slide 19 text
੬ऑੑ
ʢVulnerabilityʣ
19
ηΩϡϦςΟ্ͷऑ͕͋ΔϓϩμΫτΛ࡞ΔͱͲ͏ͳΔʁ
ιϑτΣΞʹ͓͚Δ
ͱ͍͏
Slide 20
Slide 20 text
ੈͷதͷγεςϜɾιϑτΣΞʹରͯ͠
ຖͲΕ͚ͩͷ੬ऑੑ͕ใࠂ͞Ε͍ͯΔʁ
Q.
20
Slide 21
Slide 21 text
1ฏۉ80݅ۙ͘ใࠂ͞Ε͍ͯΔʢ2023ʣ※
WebαʔϏεͳͲͷར༻ऀͷରॲͷඞཁ͕ͳ͍ͷΛ߹ΘͤΔͱɺ
ΑΓଟ͘ͷͷ͕ଘࡏ͢Δͱߟ͑ΒΕΔ
A.
21
※CVEʢڞ௨੬ऑੑࣝผࢠʣͷ༩ϕʔε
Slide 22
Slide 22 text
ͲΜͳʹ੬ऑੑ͕ใࠂ͞Ε͍ͯΔʁ
• LinuxWindowsɺAndroidɺiOSͳͲͷOS
• ϓϩάϥϛϯάݴޠͷඪ४ϥΠϒϥϦ
• ήʔϜػͳͲͷΈࠐΈػث
• ChromeFirefoxͳͲͷϒϥβ
ྫ͑ɾɾɾ
ͷճΓͰ͘ར༻͞ΕΔ༗໊ͳιϑτΣΞʹ੬ऑੑ͕ൃݟ͞Ε͍ͯΔ
զʑ੬ऑੑΛ࡞ΓࠐΜͰ͠·͏Մೳੑेʹ͋Δ
22
Slide 23
Slide 23 text
WebΞϓϦέʔγϣϯʹ͓͚Δ੬ऑੑͱ߈ܸख๏
23
Slide 24
Slide 24 text
ຊηΫγϣϯͷΞδΣϯμ
24
1. ຊηΫγϣϯͰऔΓѻ͏੬ऑੑͷհ
2. XSS (Cross-Site Scripting)
3. IDORʢInsecure Direct Object Reference)
4. CSRF (Cross-Site Request Forgery)
5. SQL Injection
6. Path Traversal
7. DoS (Denial-of-Service)
8. OS Command Injection
Slide 25
Slide 25 text
25
ඇެ։
Slide 26
Slide 26 text
26
XSSʢCross-Site Scriptingʣ
Slide 27
Slide 27 text
27
ඇެ։
Slide 28
Slide 28 text
28
ඇެ։
Slide 29
Slide 29 text
XSSʹΑΔ߈ܸྫ
29
ใऔ
ѱҙͷ͋Δίϯςϯπͷվม
• $PPLJFͷऔʹΑΔϩάΠϯηογϣϯͷͷͬͱΓ
• $PPLJFΛ༩ͨ͠ϦΫΤετ࣮ߦͱ༰ͷಡΈऔΓ
• ը໘ʹදࣔ͞Εͨใͷࡡऔ
• ٗϖʔδͷදࣔͳͲ
Slide 30
Slide 30 text
XSSͷݪཧ
30
ѱҙͷ͋Δ+BWB4DSJQͷίʔυ͕
ຒΊࠐΊͯ͠·͏ϖʔδ
Slide 31
Slide 31 text
XSSͷݪཧ
31
$PPLJFΛࣗͷαʔόʔʹૹ৴
ͤ͞ΔίʔυΛຒΊࠐΜͰΖ
͏ʂ
攻撃者
ΞΫηε͢Δͱ
$PPLJF͕ൈ͔ΕΔ
+BWBTDSJQU
Slide 32
Slide 32 text
XSSͷݪཧ
32 攻撃者
ΞΫηε͢Δͱ
$PPLJF͕ൈ͔ΕΔ
+BWBTDSJQU
被害者
͜ͷਓͷϓϩϑΟʔϧؾʹͳ
Δʂ
ΞΫηε࣌ʹ࣮ߦ
Slide 33
Slide 33 text
XSSͷݪཧ
33
ϖϯΪϯ͘Μͷ
ηογϣϯήοτʂ
攻撃者
ΞΫηε͢Δͱ
$PPLJF͕ൈ͔ΕΔ
+BWBTDSJQU
被害者
ඃऀϖʔδΛ
Ӿཡ͚ͨͩ͠Ͱ
$PPLJF͕ൈ͔Εͯ͠·͏
͜ͷਓͷϓϩϑΟʔϧؾʹͳΔʂ
ΞΫηε࣌ʹ࣮ߦ
Slide 34
Slide 34 text
ૉͳٙ
34
攻撃者
被害者
アクセスすると
Cookieが抜かれる
JavaScript
߈ܸऀ͕༻ҙͨ͠
ϖʔδʹΞΫηε
߈ܸऀ͕༻ҙͨ͠ϖʔδͷ+BWB4DSJQUͰ
ԋशڥͷαΠτͷใΛऔΕͳ͍ͷʁ
ٙ
Slide 35
Slide 35 text
ૉͳٙ
35
攻撃者
被害者
アクセスすると
Cookieが抜かれる
JavaScript
߈ܸऀ͕༻ҙͨ͠
ϖʔδʹΞΫηε
߈ܸऀ͕༻ҙͨ͠ϖʔδͷ+BWB4DSJQUͰ
ԋशڥͷαΠτͷใΛऔΕͳ͍ͷʁ
ٙ
401 4BNF0SJHJO1PMJDZ
ͰͰ͖ͳ͍
Slide 36
Slide 36 text
XSSʹΑΔ߈ܸྫ
36
https:// ...のページ
window.document.body
window.localStorage
Cookie(※)
https://evil.example.com/...のページ
※originより制限が緩いsite単位での管理
ѱҙͷ͋Δ+BWB4DSJQU
ブラウザ
Origin
͕ҟͳΔϖʔδ
͜͜ͷ෦Λ
0SJHJOͱ͍͏
ຊདྷϒϥβ্Ͱɺ͋Δ63-ʹΑͬͯϩʔυ͞ΕΔϦιʔεʢ+BWB4DSJQUͷίʔυͳͲʣ͔Β
ผαΠτͷϦιʔεΞΫηε͢Δ͜ͱ͕Ͱ͖ͳ͍
ˠಉҰΦϦδϯϙϦγʔʢ4BNF0SJHJO 1PMJDZ
401ʣʹΑΔอޢ
Slide 37
Slide 37 text
XSSʹΑΔ߈ܸྫ
ຊདྷϒϥβ্Ͱɺ͋Δ63-ʹΑͬͯϩʔυ͞ΕΔϦιʔεʢ+BWB4DSJQUͷίʔυͳͲʣ͔Β
ผαΠτͷϦιʔεΞΫηε͢Δ͜ͱ͕Ͱ͖ͳ͍
ˠ ಉҰΦϦδϯϙϦγʔʢ4BNF0SJHJO 1PMJDZ
401ʣʹΑΔอޢ
37
https:// ...のページ
window.document.body
window.localStorage
Cookie(※)
https://evil.example.com/...のページ
※originより制限が緩いsite単位での管理
ѱҙͷ͋Δ+BWB4DSJQU
ブラウザ
Origin
͕ҟͳΔϖʔδ
GFUDI
ʹΑΔϨεϙϯεಡΈऔΓ
Slide 38
Slide 38 text
38
XSSʹͭͳ͕Δةݥͳ࣮ྫ
+BWB4DSJQUͷίϯςΩετͰղऍ͞ΕΔ෦
![]()
document.body.innerHTML = “ユーザーの入力”
document.write(“ユーザーの入力”)
ʹ
Ϣʔβʔͷೖྗ͕͋Δ
ˠ ةݥͳίʔυʹͳΔ
K2VFSZͷK2VFSZBQQFOE
3FBDUKTͷEBOHFSPVTMZ4FU*OOFS)5.- ͳͲ
ϥΠϒϥϦΛ͍ͬͯͯҙ͕ඞཁͳ෦͋Δɻ
࣮ྫ
࣮ྫ
࣮ྫ
note
Slide 39
Slide 39 text
39
IDOR
ʢInsecure Direct
Object Referenceʣ
Slide 40
Slide 40 text
40
ඇެ։
Slide 41
Slide 41 text
41
ඇެ։
Slide 42
Slide 42 text
42
ඇެ։
Slide 43
Slide 43 text
43
IDORͷݪཧ
POST /posts/
comment=今⽇はいい天気☀
ID: 1ͷߘΛߋ৽͢ΔϦΫΤετ
POST /posts/
comment=こんにちは︕
ID: 2ͷߘΛߋ৽͢ΔϦΫΤετ
ߘ͝ͱʹ*%ΛׂΓͯͯαʔόʔଆͰࣝผ
ฤूରͷߘΛϦΫΤετ࣌ʹ*%Ͱࢦఆ
A͞Μ͕ࣗͷ
ߘʢID: 1ʣΛߋ৽
߈ܸऀ͕ࣗͷ
ߘʢID: 2ʣΛߋ৽
"͞Μ
ʮࠓ͍͍ఱؾ‗ʯ
߈ܸऀ
ʮ͜Μʹͪʯ
ߘ
ߘ
Slide 44
Slide 44 text
44
IDORͷݪཧ
POST /posts/
comment=私はお⾦持ちです︕
ID: 2ͷߘΛߋ৽͢ΔϦΫΤετ
߈ܸऀ͕ࣗͷ
ߘʢID: 2ʣΛߋ৽
他⼈の投稿IDに
変更して更新
"͞Μ
ʮࢲ͓ۚ࣋ͪͰ͢ʂʯ
߈ܸऀ
ʮ͜Μʹͪʯ
ߘ
ߘ
Slide 45
Slide 45 text
45
CSRF
(Cross-Site Request Forgery)
Slide 46
Slide 46 text
46
ඇެ։
Slide 47
Slide 47 text
47
ඇެ։
Slide 48
Slide 48 text
αʔόʔɺʮͲͷϢʔβʔʹΑΔϦΫΤετ͔ʯͱ͍ͬͨηογϣϯཧΛϦΫΤετ࣌ʹ
Ճ͞ΕΔ$PPLJFϔομͷͰߦ͏
ϒϥβଆͰɺϦΫΤετൃੜ࣌ʹαΠτผʹอଘ͞Ε͍ͯͨ$PPLJFΛࣗಈతʹ༩͢Δ
48
CSRFͷݪཧ
ϩάΠϯ
Ϣʔβʔhoge
https://example.com
Set-Cookie: sessionid=sdfhaiew
ϒϥβʹ
CookieΛอଘ
Slide 49
Slide 49 text
αʔόʔɺʮͲͷϢʔβʔʹΑΔϦΫΤετ͔ʯͱ͍ͬͨηογϣϯཧΛϦΫΤετ࣌ʹ
Ճ͞ΕΔ$PPLJFϔομͷͰߦ͏
ϒϥβଆͰɺϦΫΤετൃੜ࣌ʹαΠτผʹอଘ͞Ε͍ͯͨ$PPLJFΛࣗಈతʹ༩͢Δ
49
CSRFͷݪཧ
ϩάΠϯ
Set-Cookie: sessionid=sdfhaiew
ߘͷ͍͍Ͷ
ߘͷฤू
Cookie: sessionid=sdfhaiew
Cookieͷ͔Β
Ϣʔβʔhoge͔ΒͷϦΫΤετ
ͱͯ͠ॲཧ
ϒϥβ͔Β
https://example.com
ͷϦΫΤετૹ৴
Ϣʔβʔhoge
https://example.com
ϒϥβʹ
CookieΛอଘ
Cookie: sessionid=sdfhaiew
ϦΫΤετʹ
ࣗಈతʹ$PPLJF༩
Slide 50
Slide 50 text
ࣗಈͰ$PPLJFૹ৴͞ΕΔੑ࣭Λར༻ͯ͠
ଞͷϢʔβʔ͕ҙਤ͠ͳ͍ϦΫΤετૹ৴͢Δ63-ΞΫηεͤͨ͞ΒͲ͏ͳΔʁ
50
CSRFͷݪཧ
Ϣʔβʔͷআ
ʮϢʔβʔͷআʯͷϦΫΤετ
ͱಉ͡63-Λૹ৴
ϩάΠϯࡁΈͷϒϥβͰ
ϦϯΫΛ։͘
Ϣʔβʔhoge
Cookieͷ͔Β
Ϣʔβʔhoge͔ΒͷϦΫΤετ
ͱͯ͠ॲཧ
ˠ Ϣʔβʔͷҙਤʹͯ͠উखʹΞΧϯτ͕আ͞Εͯ͠·͏
Cookie: sessionid=sdfhaiew
ϦΫΤετʹ
ࣗಈతʹ$PPLJF༩
ϒϥβ͔Β
IUUQTFYBNQMFDPN
ͷϦΫΤετૹ৴
Slide 51
Slide 51 text
51
SQL Injection
Slide 52
Slide 52 text
52
ඇެ։
Slide 53
Slide 53 text
53
ඇެ։
Slide 54
Slide 54 text
8FCΞϓϦέʔγϣϯͰσʔλͷอଘʹσʔλϕʔεʢ%#ʣ͕ར༻͞ΕΔ͜ͱ͕ଟ͍
54
DBαʔόʔ
Webαʔόʔ
SQL Injectionͷݪཧ
ίϝϯτʹ”hoge”͕
ؚ·ΕΔߘΛݕࡧ
”hoge”ΛؚΉίϝϯτΛ
DBݕࡧ͢Δॲཧ
ݕࡧ݁ՌͷϨίʔυ
%#ͷૢ࡞ʹԠͯ͡
ൃߦ͢Δ42-ΫΤϦΛΈཱͯ
SELECT * FROM users
WHERE comment LIKE ‘%hoge%’
Slide 55
Slide 55 text
55
42-*OKFDUJPOͷݪཧ
4&-&$5'30.VTFST8)&3&DPNNFOU-*,&bϢʔβʔͷೖྗ`
ʮ`ʯͰғΘΕͨ෦จࣈྻͱͯ͠ղऍ
ϢʔβʔͷೖྗΛར༻͢Δ42-ΫΤϦ
Slide 56
Slide 56 text
56
42-*OKFDUJPOͷݪཧ
4&-&$5'30.VTFST8)&3&DPNNFOU-*,&bϢʔβʔͷೖྗ`
ʮ`ʯͰғΘΕͨ෦จࣈྻͱͯ͠ղऍ
4&-&$5'30.VTFST8)&3&DPNNFOU-*,&b`6/*0/4&-&$5'30.VTFST b`
Ϣʔβʔͷೖྗͷ్தʹʮ`ʯؚ͕·Ε͍ͯͨΒɾɾɾʁ
͜͜Ͱจࣈྻͱͯ͠ऴΘΓ
จࣈྻͰͳ͍෦ͱͯ͠ղऍ͞ΕΔ
͖ͳΫΤϦจΛهͰ͖Δ
ϢʔβʔͷೖྗΛར༻͢Δ42-ΫΤϦ
Slide 57
Slide 57 text
ใ࿙͍͑
6/*0/۟Λར༻ͯ͠Ϩεϙϯε͔Βใऔಘ
#MJOE42-*OKFDUJPO
݅ࣜΛར༻ͨ͠ΤϥʔԠ͔Βใऔಘ͢Δ &SSPSCBTFE42-*OKFDUJPO
݅ࣜΛར༻ͨ͠4-&&1͔Βใऔಘ͢Δ 5JNFCBTFE42-*OKFDUJPO
%P4
4-&&1۟ͷར༻ʹΑΔॲཧͷԆ
57
42-*OKFDUJPOʹΑΔ߈ܸྫ
ར༻͍ͯ͠Δ%#αʔόʔͷछྨݖݶʹΑͬͯɺҙίʔυ࣮ߦϑΝΠϧಡΈऔΓՄೳʹ
Slide 58
Slide 58 text
58
Path Traversal
Slide 59
Slide 59 text
59
ඇެ։
Slide 60
Slide 60 text
60
ඇެ։
Slide 61
Slide 61 text
ϑΝΠϧΞοϓϩʔυɾμϯϩʔυػೳͷ࣮
ʢྫɿϓϩϑΟʔϧը૾ͷऔಘɺ$47σʔλͷೖߘͳͲʣ
61
Path Traversalͷݪཧ
อଘઌಡΈग़͠ݩͷσΟϨΫτϦΛܾఆ͢ΔࡍʹϢʔβʔͷೖྗΛར༻
lBQQVQMPBETzGJMFOBNF
GJMFOBNFதʹlzΛؚΊͨύεΛࢦఆ͢Δͱɾɾɾ
Slide 62
Slide 62 text
ϑΝΠϧΞοϓϩʔυɾμϯϩʔυػೳͷ࣮
ʢྫɿϓϩϑΟʔϧը૾ͷऔಘɺ$47σʔλͷೖߘͳͲʣ
62
Path Traversalͷݪཧ
ಡΈग़͢ϑΝΠϧ͕FUDQBTTXEʹͳͬͯ͠·͏
lBQQVQMPBETFUDQBTTXEz
อଘઌಡΈग़͠ݩͷσΟϨΫτϦΛܾఆ͢ΔࡍʹϢʔβʔͷೖྗΛར༻
lBQQVQMPBETzGJMFOBNF
GJMFOBNFதʹlzΛؚΊͨύεΛࢦఆ͢Δͱɾɾɾ
Slide 63
Slide 63 text
ҙͷίʔυ࣮ߦ
QIQKTQͷஔʹΑΔαʔόʔ্Ͱͷίʔυͷ࣮ߦ
αʔόʔ্ͷҙͷϑΝΠϧɾใͷಡΈऔΓ
ϩάϑΝΠϧͷऔಘ
αʔόʔͷߏใऔಘ
ڥมͷऔಘ
63
Path TraversalʹΑΔ߈ܸྫ
Slide 64
Slide 64 text
64
DoS (Denial-of-Service)
Slide 65
Slide 65 text
65
DoSͷ࣮ྫ
ϓϩϑΟʔϧը૾ઃఆ࣌ʹΓൈ͖ॲཧͷίϚϯυ͕࣮ߦ͞Ε͍ͯΔ
ϐΫηϧ͕ଟ͍ը૾Λੜͯ͠Ξοϓϩʔυ
$ vips black black.png 1000000 1000000 --bands 3
ྫʣԯϐΫηϧͷQOHը૾Λੜ
ˠ Γൈ͖ॲཧͰେͳ$16ϦιʔεΛফඅ
Slide 66
Slide 66 text
66
ඇެ։
Slide 67
Slide 67 text
67
DoSͷݪҼྫ
܁Γฦ͠ॲཧͷ࣮ϛε
ϑΝΠϧͷऔΓѻ͍
ճ෮ෆೳͳྫ֎
ճͷ্ݶ੍͕ݶ͕ແ͍
αΠζ੍ݶ͕ແ͍ɺϦιʔεͷ։์Ε
ϝϞϦͷྖҬ֎ΞΫηε͕ൃੜ͢ΔόάʹΑΔϓϩηεͷΫϥογϡ
Slide 68
Slide 68 text
68
OS Command Injection
Slide 69
Slide 69 text
69
ඇެ։
Slide 70
Slide 70 text
70
ඇެ։
Slide 71
Slide 71 text
ίϚϯυΛ࣮ߦ͢ΔࡍͷҰ෦ͷʹϢʔβʔͷೖྗΛར༻͢Δ࣮
-JOVYͰγΣϧػೳΛ༗ޮʹͨ͠ίϚϯυ࣮ߦͷ߹ʢྫɿDIJME@QSPDFTTFYFDʣ
γΣϧεΫϦϓτͷߏจ͕ར༻Ͱ͖Δ
71
OS Command Injectionͷݪཧ
DPOWFSUJOQVUQOH HSBWJUZDFOUFSSFTJ[FYϢʔβʔͷೖྗ?DSPQPVUQVUQOH
cΛؚΊͨʮϢʔβʔͷೖྗʯΛࢦఆ͢Δͱɾɾɾ
Slide 72
Slide 72 text
ίϚϯυΛ࣮ߦ͢ΔࡍͷҰ෦ͷʹϢʔβʔͷೖྗΛར༻͢Δ࣮
-JOVYͰγΣϧػೳΛ༗ޮʹͨ͠ίϚϯυ࣮ߦͷ߹ʢྫɿDIJME@QSPDFTTFYFDʣ
γΣϧεΫϦϓτͷߏจ͕ར༻Ͱ͖Δ
72
OS Command Injectionͷݪཧ
DPOWFSUJOQVUQOH HSBWJUZDFOUFSSFTJ[FYϢʔβʔͷೖྗ?DSPQPVUQVUQOH
cΛؚΊͨʮϢʔβʔͷೖྗʯΛࢦఆ͢Δͱɾɾɾ
DPOWFSUJOQVUQOH HSBWJUZDFOUFSSFTJ[FYcMTc?DSPQPVUQVUQOH
ͭͷίϚϯυ ͭͷίϚϯυ ͭͷίϚϯυ
Ϣʔβʔͷࢦఆͨ͠ίϚϯυ͕࣮ߦ͞Εͯ͠·͏
Slide 73
Slide 73 text
73
OS Command Injectionͷ࣮ྫ
ίϚϯυΛ࣮ߦ͢ΔؔʹϢʔβʔೖྗΛར༻͢Δέʔε
ʢจࣈྻ݁߹ͳͲʣ
system(“ユーザーの入力”)
exec(“ユーザーの入力”)
passthru(“ユーザーの入力”)
Runtime.getRuntime().exec(“ユーザーの入力”)
child_process.spawn(“ユーザーの入力”)
child_process.exec(“ユーザーの入力”)
1)1
+BWB
/PEFKT
exec(“ユーザーの入力”)
system(“ユーザーの入力”)
3VCZ
Slide 74
Slide 74 text
੬ऑੑͷରࡦ
74
Slide 75
Slide 75 text
ຊηΫγϣϯͷΞδΣϯμ
75
1. Path Traversalରࡦ
2. OS Command Injectionରࡦ
3. ੬ऑੑରࡦͷϙΠϯτʢࠓճͷԋशࠓޙͷۀͰ࣮
ફͯ͠΄͍͜͠ͱ
Slide 76
Slide 76 text
ϑΝΠϧΞοϓϩʔυɾμϯϩʔυػೳͷ࣮
ʢྫɿϓϩϑΟʔϧը૾ͷऔಘɺ$47σʔλͷೖߘͳͲʣ
76
Path Traversalͷݪཧʢ࠶ܝʣ
อଘઌಡΈग़͠ݩͷσΟϨΫτϦΛܾఆ͢ΔࡍʹϢʔβʔͷೖྗΛར༻
lBQQVQMPBETzGJMFOBNF
ˠ ಡΈग़͢ϑΝΠϧ͕ҙਤ͠ͳ͍FUDQBTTXEʹͳͬͯ͠·͏
lzΛར༻͢Δͱɾɾɾ
lBQQVQMPBETFUDQBTTXEz
Slide 77
Slide 77 text
../../../etc/passwd
77
Path Traversalରࡦ
filenameʹ1্ͭͷ֊Λࣔ͢ “../” ͕ར༻Ͱ͖Δ͜ͱ͕͔ͩΒɾɾɾ
filename͔Β “../” ΛऔΓআ͘ॲཧΛͯ͠ରࡦ
etc/passwd /app/uploads/etc/passwd
“/app/uploads/” + filename
ࡉΛͯ͠ BQQVQMPBETԼ͕ಡΈग़͠ରͷύεʹͳΔ
ˠ ҙͷύεͷϑΝΠϧΛಡΈग़͢͜ͱ͕Ͱ͖ͳ͘ͳͬͨ
˞͜ͷमਖ਼ํ๏ਖ਼͋͘͠Γ·ͤΜʂ
Slide 78
Slide 78 text
78
Path Traversalରࡦ
Node.jsͰͷ࣮
ΛऔΓআ͘ॲཧ
Slide 79
Slide 79 text
ઌఔͷ1BUI5SBWFSTBMͷରࡦΛӌճͯ͠ FUDQBTTXEΛಡΈग़
ͯ͠Έ·͠ΐ͏
ͲͷΑ͏ʹରࡦΛ͢Δͱᘳʹमਖ਼Ͱ͖Δ͔Λߟ͑ͯΈ·͠ΐ͏
79
ԋश8ɿରࡦͷӌճ (࣮ࢪ࣌ؒ: 10)
Slide 80
Slide 80 text
filenameʹ….//….//….//….//etc/passwd Λࢦఆ͢Δ͜ͱͰରࡦΛӌճͰ͖Δ
80
Path Traversalରࡦ
….//….//….//etc/passwd ../../../etc/passwd /app/uploads/../../../etc/passwd
“/app/uploads/” + filename
→ /etc/passwd ͔ΒϑΝΠϧΛಡΈग़ͯ͠͠·͏
Slide 81
Slide 81 text
81
Path Traversalରࡦ
ରࡦྫ
ύεͷਖ਼نԽͷྫɿ
/app/uploads/./././etc/passwd → /app/uploads/etc/passwd
/app/uploads/././../uploads/../etc/././passwd → /etc/passwd
ύεΛਖ਼نԽͯ͠ɺҙਤͨ͠σΟϨΫτϦԼ͕ࢦఆ͞Ε͍ͯΔ͔Λ
ݕূ
/app/uploads/
Ͱ࢝·Δʁ
Slide 82
Slide 82 text
ίϚϯυΛ࣮ߦ͢ΔࡍͷҰ෦ͷʹϢʔβʔͷೖྗΛར༻͢Δ࣮
-JOVYͰγΣϧػೳΛ༗ޮʹͨ͠ίϚϯυ࣮ߦͷ߹ʢྫɿDIJME@QSPDFTTFYFDʣ
γΣϧεΫϦϓτͷߏจ͕ར༻Ͱ͖Δ
82
OS Command Injectionͷݪཧʢ࠶ܝʣ
DPOWFSUJOQVUQOH HSBWJUZDFOUFSSFTJ[FYϢʔβʔͷೖྗ?DSPQPVUQVUQOH
cΛؚΊͨʮϢʔβʔͷೖྗʯΛࢦఆ͢Δͱɾɾɾ
DPOWFSUJOQVUQOH HSBWJUZDFOUFSSFTJ[FYcMTc?DSPQPVUQVUQOH
ͭͷίϚϯυ ͭͷίϚϯυ ͭͷίϚϯυ
Ϣʔβʔͷࢦఆͨ͠ίϚϯυ͕࣮ߦ͞Εͯ͠·͏
Slide 83
Slide 83 text
83
OS Command Injectionରࡦ
ίϚϯυͷҾͱͯ͠ѻ͏෦ΛγΣϧߏจͷҰ෦ͱͯ͠ར༻Ͱ͖ͯ͠·͏ͷ͕͔ͩΒɾɾɾɾ
Ϣʔβʔೖྗͷ෦Λ""ͰғΉ
DPOWFSUJOQVUQOH HSBWJUZDFOUFSSFTJ[FYϢʔβʔͷೖྗ?DSPQ PVUQVUQOH
DPOWFSUJOQVUQOH HSBWJUZDFOUFSSFTJ[FYcMTc?DSPQPVUQVUQOH
""ͰͭͷҾͱͯ͠ೝࣝ͞ΕΔͷͰɺ
MT࣮ߦ͞Εͳ͍
˞͜ͷमਖ਼ํ๏ਖ਼͋͘͠Γ·ͤΜʂ
Slide 84
Slide 84 text
84
OS Command Injectionରࡦ
/PEFKTͰͷ࣮
Slide 85
Slide 85 text
9-1. ઌఔͷOS Command InjectionͷରࡦΛӌճͯ͠ ls Λ࣮ߦͯ͠Έ·
͠ΐ͏
9-2. ͲͷΑ͏ʹରࡦΛ͢Δͱྑ͍͔Λߟ͑ͯΈ·͠ΐ͏
85
ԋश9ɿରࡦͷӌճ (࣮ࢪ࣌ؒ: 10)
Slide 86
Slide 86 text
86
OS Command Injectionରࡦ
AͰίϚϯυΛғΜͰରࡦΛӌճͰ͖Δ
DPOWFSUlJOQVUQOHzHSBWJUZDFOUFSSFTJ[FlYAMTA?zDSPQlPVUQVUQOHz
Slide 87
Slide 87 text
87
OS Command Injectionରࡦ
ରࡦɿ
ಛఆͷจࣈΛېࢭͯ͠ίϚϯυ͕࣮ߦ͞Εͳ͍Α͏ʹ͠Α͏ɾɾɾ
˞͜ͷमਖ਼ํ๏ਖ਼͋͘͠Γ·ͤΜʂ
Λېࢭ
A
Slide 88
Slide 88 text
88
OS Command Injectionରࡦ
ͰίϚϯυΛғΜͰରࡦΛӌճͰ͖Δ
DPOWFSUlJOQVUQOHzHSBWJUZDFOUFSSFTJ[FlY MT
?zDSPQlPVUQVUQOHz
Slide 89
Slide 89 text
89
OS Command Injectionରࡦ
ରࡦɿ
˞͜ͷमਖ਼ํ๏ਖ਼͋͘͠Γ·ͤΜʂ
Λېࢭ
A
Slide 90
Slide 90 text
90
OS Command Injectionରࡦ
lcMTczͰจࣈྻ෦Λൈ͚ͯӌճͰ͖Δ
DPOWFSUlJOQVUQOHzHSBWJUZDFOUFSSFTJ[FlYzcMTcz?zDSPQlPVUQVUQOHz
Slide 91
Slide 91 text
91
OS Command Injectionରࡦ
ରࡦɿ
˞͜ͷमਖ਼ํ๏ਖ਼͋͘͠Γ·ͤΜʂ
Al Λېࢭ
ېࢭจࣈΛ૿͢ରࡦͰຊʹେৎɾɾɾʁ
Slide 92
Slide 92 text
92
OS Command Injectionରࡦ
ϑΝΠϧ໊ͷࡉͱΈ߹Θͤͯӌճ
DPOWFSUlUNQJOQVUQOHʘzHSBWJUZDFOUFSSFTJ[FlcMTcY?zDSPQ
lPVUQVUQOHz
όοΫεϥογϡͰlΛΤεέʔϓॲཧ
Slide 93
Slide 93 text
/PEFKTͷ߹
IUUQTHJUIVCDPNNNPNUDIFWNBHJDLXBOEKT Ͱಉ༷ͷॲཧΛهड़Ͱ͖Δ
93
OS Command Injectionରࡦ
ରࡦྫ
ίϚϯυ࣮ߦΛͤͣʹಉͷॲཧΛ࣮ݱ͢Δ
ېࢭจࣈΛ૿͢
ํΛݟͦ͏
Slide 94
Slide 94 text
ੈͷதҰൠʹެ։͞Ε͍ͯΔ߈ܸख๏ରࡦͷϕετϓϥΫςΟε͕͋Ε
ͦΕʹج͍࣮ͮͯΛ͢Δ
• ͯ͢ͷ߈ܸखஈΛࣗͰߟ͑ɺᘳʹରࡦΛ࣮͢Δ͜ͱ͍͠
• 94442-*OKFDUJPOͳͲͷҰൠతͳ੬ऑੑɺϑϨʔϜϫʔΫͷυΩϡϝϯτதͳͲɺ
ϕετϓϥΫςΟεͷهࡌ͕͋Δ߹͕ଟ͍ͷͰͦΕʹै͏
94
੬ऑੑରࡦͷϙΠϯτʢࠓճͷԋशࠓޙͷۀͰ࣮ફͯ͠΄͍͜͠ͱʣ
Slide 95
Slide 95 text
95
੬ऑੑରࡦͷϙΠϯτʢࠓճͷԋशࠓޙͷۀͰ࣮ફͯ͠΄͍͜͠ͱʣ
ѱ༻͞Ε͍͢ػೳ࣮ΛΖ͏
• ઃܭɾ࣮͍ͯ͠Δ࣌ʹηΩϡϦςΟΛҙࣝͰ͖Δঢ়ଶʹͳΖ͏
ʢϢʔβʔೖྗ͕ଟ͍ՕॴɺϑΝΠϧμϯϩʔυɾΞοϓϩʔυͳͲʣ
• ٯʹѱ༻͞ΕΔ͜ͱ͕ͳ͍҆શͳػೳɾ࣮͔ΔΑ͏ʹ
Slide 96
Slide 96 text
96
੬ऑੑରࡦͷϙΠϯτʢࠓޙۀͷதͰߟ͑ͯ΄͍͜͠ͱʣ
ΑΓ؆୯ʹ͔࣮ͭ֬ʹ҆શʹ࣮Ͱ͖Δํ๏ସࡦΛଟ֯తʹߟ͑Α͏
04$PNNBOE*OKFDUJPOͷྫ
ˠ ίϚϯυ࣮ߦΛ͢ΔؔΛ͏ͷΛΊΔ
Slide 97
Slide 97 text
• PortSwigger WebSecurity Academy
ʢ https://portswigger.net/web-security ʣ
• ମܥతʹֶͿ ҆શͳWebΞϓϦέʔγϣϯͷ࡞Γํ
ʢ https://www.sbcr.jp/product/4797393163/ ʣ
97
WebΞϓϦέʔγϣϯʹର͢Δ߈ܸख๏ΛΑΓৄ͘͠ษڧ͍ͨ͠ํ
Slide 98
Slide 98 text
ԋश
98
Slide 99
Slide 99 text
99
ࠓճʮCTFʯͱݺΕΔܗࣜͰνʔϜ͝ͱͷԋश
CTFͱʁ
Capture The Flag
ઐٕࣝज़Λۦͯ͠Ӆ͞Ε͍ͯΔFlagʢൿີͷจࣈྻʣΛݟ͚ͭग़͠ɺ
࣌ؒʹ֫ಘͨ͠߹ܭಘΛڝ͏ϋοΩϯάίϯςετ
νʔϜ͝ͱʹ֫ಘͨ͠ϙΠϯτΛڝ͏
ԋश֓ཁ
Slide 100
Slide 100 text
100
ඇެ։
Slide 101
Slide 101 text
101
2छྨ
੬ऑੑΛѱ༻ͯ͠ൿີͷ'MBHΛ
औಘɾૹ৴͢Δ͜ͱͰ
ϙΠϯτΛ֫ಘͰ͖Δ
߈ܸʢAttackʣ
ѱ༻Մೳͳ੬ऑੑΛमਖ਼͠ɺ
ϦϙδτϦʹίϛοτ
ߨࢣʹ֬ೝΛͯ͠Β͏͜ͱͰ
ϙΠϯτΛ֫ಘͰ͖Δ
ޚʢDefenseʣ
ʹ͍ͭͯ
Slide 102
Slide 102 text
102
üνʔϜͰ͔Βͳ͍ਓ͕͍Εڭ͑߹͏ͳͲɺޓ͍ʹॿ͚߹͍ͳ͕ΒਐΊ
͍ͯͩ͘͞
üΦϯϥΠϯͷਓ͕͍Δ߹ʹɺߨࢣࢀՃͰ͖ΔΑ͏ɺߨࢣ͕ೖ͍ͬͯΔ
νϟϯωϧͷϋυϧΛ׆༻͍ͯͩ͘͠͞
üαʔόʔʹଓͰ͖ͳ͍ͳͲͷτϥϒϧ࣌SlackͰϝϯγϣϯ
ʢ @pdo-fye0325-prd-security-tutors ʣ Λ͚ͯߨࢣʹΒ͍ͤͯͩ͘͞
αʔόʔϦηοτͳͲͷରԠΛߦ͍·͢
üձࣾͷϧʔϧ๏Λक্ͬͨͰ͋Εɺར༻͢ΔπʔϧαΠτʹ੍ݶ
͋Γ·ͤΜ
ԋशͷਐΊํ
Slide 103
Slide 103 text
103
είΞαʔόʔʹ͍ͭͯ
ࠓճͷԋशͰඞཁͳ֤छૢ࡞͕Ͱ͖ΔαʔόʔͰ͢
ͷճఏग़ ֫ಘͨ͠ϙΠϯτͷ֬ೝ ॱҐͷ֬ೝ
Slide 104
Slide 104 text
104
είΞαʔόʔͷΞΫηεͱϩάΠϯ
͞ΕͨείΞαʔόʔͷURLΛ։͘
※͜ͷαʔόʔ߈ܸରͰͳ͍͜ͱʹҙ
ӈ্ͷLoginΛΫϦοΫ
note
Slide 105
Slide 105 text
105
Check1: είΞαʔόʔͷΞΫηεͱϩάΠϯ
νʔϜ͝ͱʹ͞Ε͍ͯΔϩάΠϯใͰϩάΠϯ
Slide 106
Slide 106 text
106
Check1: Ұཡϖʔδͷ֬ೝ
ࠓճͷԋशதͰจνʔϜ͝ͱʹ͞ΕͨυΩϡϝϯτΛࢀর͍ͯͩ͘͠͞
Slide 107
Slide 107 text
107
ʹ͍ͭͯ
ü༩ϙΠϯτԼهͷ௨ΓͰ͢
attack: 100 pts
defense:
मਖ਼͕ᘳͳ߹: 100 pts
मਖ਼͕ෆશͳ߹: 50 pts
üChallenge͝ͱʹ൪߸͕ৼΒΕ͍ͯ·͕͢Ͳͷॱ൪Ͱղ͍ͯߏ͍·ͤΜ
üChallengeͷattackdefenseʹղ͖͘ॱ൪ʹࢦఆ͋Γ·ͤΜ
ü֤Ͱͦͷ͕ղ͚ͨνʔϜΛ֬ೝͰ͖·͢
ଟ͘ͷνʔϜ͕ղ͚ͨͷํ͕қ͕͍͔͠Ε·ͤΜ
Slide 108
Slide 108 text
ͷ֬ೝ
108
Slide 109
Slide 109 text
109
Check 2: νϡʔτϦΞϧʢ߈ܸฤʣɿ֬ೝ
֤νʔϜʹ͞ΕͨυΩϡϝϯτ͔ΒจΛ֬ೝͰ͖·͢
Slide 110
Slide 110 text
110
Check 3: νϡʔτϦΞϧʢ߈ܸฤʣɿ֬ೝ
தͷϦϯΫΛΫϦοΫͯ͠߈ܸରͷΞϓϦέʔγϣϯʹΞΫηε
ϢʔβʔΛొͯ͠ϩάΠϯ͢ΔͱɺϓϩϑΟʔϧ͕දࣔ͞ΕΔγϯϓϧͳWebαΠτ
Slide 111
Slide 111 text
111
Check 4: νϡʔτϦΞϧʢ߈ܸฤʣͷιʔείʔυͷऔಘ
֤νʔϜʹ͞ΕͨϦϙδτϦΛΫϩʔϯͯ͠ιʔείʔυΛ֬ೝ
$ git clone /bootcamp-2024-teamx.git
$ cd bootcamp-2024-teamx/
$ ls
… fortune …
໊ͱಉҰͷσΟϨΫτϦ໊ʹͦͷʹؔ࿈ͨ͠ϑΝΠϧ͕֨ೲ͞Ε͍ͯΔ
ࠓճͷͷ߹ʮfortuneʯ
Slide 112
Slide 112 text
112
ΞϓϦέʔγϣϯͱιʔεɾίʔυ͔Β
੬ऑੑΛ୳ͯ͠'MBHΛ֫ಘ͠Α͏ʢ߈ܸฤʣ
Slide 113
Slide 113 text
113
Flagʹ͍ͭͯ
üFlagͷܗࣜ͝ͱʹࢦఆ͕ͳ͍ݶΓɺ ctfRED{[¥x20-¥x7E]+} ʢ{}ද
ࣔՄೳͳ1จࣈҎ্ͷASCIIจࣈʣͰ͢
üdummy{…} ͱ͍ͬͨμϛʔͷFlag͕දࣔ͞ΕΔ͜ͱ͕͋Γ·͕͢ɺຊͰ
ͳ͍͜ͱʹҙ͍ͯͩ͘͠͞
ü͞ΕͨιʔείʔυதͰɺຊͷFlag͕ϚεΫ͞Ε͍ͯ·͢
üFlagૹ৴ϑΥʔϜ͔ΒԿճૹ৴ͯ͠ϙΠϯτ͕ݮΔ͜ͱ͋Γ·ͤΜ͕ɺ
ਪଌ͕ࠔͳจࣈྻʹͳ͍ͬͯ·͢
üօ͞Μͷਐ۩߹Λ֬ೝ͍ͨ͠ͷͰɺFlagͳΔ͘ཷΊࠐ·ͣʹఏग़Λ͓
ئ͍͠·͢
Slide 114
Slide 114 text
114
੬ऑੑʹ͍ͭͯ
ü࣍ͷ੬ऑੑࠓճͷ߈ܸରͰ͋Γ·ͤΜ
• HTTPΛར༻ͯ͠௨৴͍ͯ͠Δ
• CookieʹSecureଐੑ͕༩͞Ε͍ͯͳ͍
• DoS߈ܸ͕Մೳ
• ϩάΠϯࢼߦճʹ੍ݶ͕ͳ͍
Slide 115
Slide 115 text
115
νϡʔτϦΞϧʢ߈ܸฤʣɿFlagͷॴͷ֬ೝ
·ͣιʔείʔυத͔Βz'MBHzͷॴΛ୳͢
'MBH࠷ॳʹొ͞ΕΔϢʔβʔͷ
lGMBHzΧϥϜʹ֨ೲ͞Ε͍ͯΔ
fortune/src/database/seeders/UserSeeder.php
ϩάΠϯதͷϢʔβʔ໊͕zBENJOzͷ
ͱ͖ʹzGMBHzΛදࣔ
fortune/src/resources/views/user.blade.php
Slide 116
Slide 116 text
116
νϡʔτϦΞϧʢ߈ܸฤʣɿ੬ऑੑ
ϩάΠϯ͍ͯ͠ΔϢʔβʔΛࣝผ͢ΔϩδοΫΛݟͯΈΔ
VTFS@JE͕Ωʔͷ$PPLJFͷΛϩάΠϯதͷϢʔβʔͷJEͱͯ͠ར༻͍ͯ͠Δ
Slide 117
Slide 117 text
117
νϡʔτϦΞϧʢ߈ܸฤʣɿ੬ऑੑ
ཧऀϢʔβʔΞϓϦέʔγϣϯ࠷ॳʹొ͞Ε͍ͯΔϢʔβʔͳͷͰɺ
ཧऀϢʔβʔͷ VTFS@JE Ͱ͋Δ͜ͱ͕༧Ͱ͖Δ
։ൃऀπʔϧ͔Β$PPLJFΛฤूͯ͠Λ̍ʹมߋ
Slide 118
Slide 118 text
118
νϡʔτϦΞϧʢ߈ܸฤʣɿ੬ऑੑ
͏ҰϦΫΤετΛૹ৴͢Δͱɾɾɾ'MBH͕දࣔ͞Εͨ
Slide 119
Slide 119 text
119
νϡʔτϦΞϧʢ߈ܸฤʣɿϑϥάఏग़
֫ಘͨ͠'MBHΛϑΥʔϜ͔Βఏग़ ͕৭ʹมԽͯ͠QUT֫ಘ
Slide 120
Slide 120 text
120
߈ܸʹར༻Ͱ͖ͨ੬ऑੑΛमਖ਼ͯ͠ΈΑ͏ʢޚฤʣ
Slide 121
Slide 121 text
121
मਖ਼ʹ͍ͭͯ
ü੬ऑੑҎ֎ͷ෦ͷಈ࡞Ͱ͖Δ͚ͩอͬͨ··Ͱमਖ਼Λߦ͍ͬͯͩ͘͞
üҰؾʹଟ͘ͷఏग़͕͋Δͱ֬ೝ͕େมʹͳΔͷͰɺमਖ਼ਵ࣌ఏग़ͯ͠Β
͑Δͱॿ͔Γ·͢
αϒϚϦϯઓ๏
Slide 122
Slide 122 text
122
Check 6: νϡʔτϦΞϧʢޚฤʣ: मਖ਼ͷಈ࡞֬ೝ
$ cd fortune
$ docker compose up --build
͞ΕͨϦϙδτϦதͷίʔυΛमਖ਼ޙͷಈ࡞֬ೝ
࣍ͷίϚϯυͰ%PDLFSίϯςφͷىಈͱಉ࣌ʹϏϧυΛ࣮ߦ
αʔόʔ͕ىಈͯ͠ IUUQMPDBMIPTU ͔ΒΞΫηεͰ͖Δ
Slide 123
Slide 123 text
123
Docker Composeͷجຊૢ࡞ʢࢀߟʣ
$ docker compose exec php /bin/bash
PHPαʔϏεͷίϯςφͰγΣϧΛىಈ
$ docker compose down
ίϯςφΛআ
Slide 124
Slide 124 text
αʔόʔɺʮͲͷϢʔβʔʹΑΔϦΫΤετ͔ʯͱ͍ͬͨηογϣϯཧΛϦΫΤετ࣌ʹ
Ճ͞ΕΔCookieϔομͷͰߦ͏
ϒϥβଆͰɺϦΫΤετൃੜ࣌ʹαΠτผʹอଘ͞Ε͍ͯͨCookieΛࣗಈతʹ༩͢Δ
124
ηογϣϯཧʢ࠶ܝʣ
ϩάΠϯ
Set-Cookie: sessionid=sdfhaiew
ߘͷ͍͍Ͷ
ߘͷฤू
Cookie: sessionid=sdfhaiew
Cookieͷใ͔Β
Ϣʔβʔhoge͔ΒͷϦΫΤετ
ͱͯ͠ॲཧ
https://example.comϦΫΤετ
→ อଘͨ͠CookieΛϦΫΤετ
ϔομʹࣗಈతʹ༩
Ϣʔβʔhoge
https://example.com
ϒϥβʹ
CookieΛอଘ
Cookie: sessionid=sdfhaiew
Slide 125
Slide 125 text
125
Check 7: νϡʔτϦΞϧʢޚฤʣ: ίʔυͷमਖ਼
ϑϨʔϜϫʔΫʹ༻ҙ͞ΕͨηογϣϯཧͷAPIΛར༻ͯ͠ɺ
user_idͷอࢀরΛ͢ΔΑ͏ʹमਖ਼
fortune/src/app/Http/Controllers/UserController.php
Slide 126
Slide 126 text
126
Check 8: νϡʔτϦΞϧʢޚฤʣ: मਖ਼ͷఏग़
masterϒϥϯνʹमਖ਼ίϛοτΛؚΊͨޙɺSlackͷ֤νʔϜͷνϟϯωϧʹͯ
ԼهͷΑ͏ͳϝοηʔδͰߨࢣʹ௨͍ͯͩ͘͠͞
ߨࢣ͕֬ೝޙɺείΞαʔόʔ্ͰϙΠϯτΛ༩ͯ͠ɺ݁ՌΛฦ৴͠·͢
masterϒϥϯνͷΈ͕࠾ରͰ͋Δ͜ͱʹҙ͍ͯͩ͘͠͞
Slide 127
Slide 127 text
127
Check 9: είΞαʔόʔ্Ͱͷ֫ಘϙΠϯτͷ֬ೝ
Scoreboardλϒ͔Βɺ֤νʔϜ͕֫ಘͨ͠ϙΠϯτΛ֬ೝՄೳ
Slide 128
Slide 128 text
Ҏ্Ͱ͜ͷޙͷԋशͷઆ໌ऴྃͰ͢
࠷ޙʹɾɾɾ
Slide 129
Slide 129 text
129
ࠓճͷԋशͷউऀɺ
ϙΠϯτΛ࠷ଟ֫͘ಘͨ͠νʔϜ
Slide 130
Slide 130 text
130
ࠓճͷԋशͷউऀɺ
ϙΠϯτΛ࠷ଟ֫͘ಘͨ͠νʔϜ
Ͱͳ͘ɾɾɾ
Slide 131
Slide 131 text
131
ࠓճͷԋशͷউऀɺ
ϙΠϯτΛ࠷ଟ֫͘ಘͨ͠νʔϜ
Ͱͳ͘ɾɾɾ
Ͱ͖Δ͚ͩଟ͘ͷ͜ͱΛֶͿ͜ͱ͕Ͱ͖ͨνʔϜ
Ͱ͢ʂ
νʔϜͷதͰڠྗ͋ͬͯ͠ԋशΛਐΊ͍ͯͩ͘͞
ߨࢣਞ͔Βͷώϯτੵۃతʹ׆༻͍ͯͩ͘͠͞
Slide 132
Slide 132 text
Appendix.
132
Slide 133
Slide 133 text
133
Appendix 1. webhook.siteͷ͍ํ
ᶃ https://webhook.site/ ʹΞΫηε͢ΔͱɺࣗಈతʹURL͕ൃߦ͞ΕΔ
Slide 134
Slide 134 text
134
Appendix 1. webhook.siteͷ͍ํ
ᶄ ൃߦ͞ΕͨURLʹରͯ͠ϦΫΤετૹ৴
ϒϥβͰΞΫηε
curlͰૹ৴͢Δ
scriptλάͰϦΫΤετૹ৴
Slide 135
Slide 135 text
135
Appendix 1. webhook.siteͷ͍ํ
ᶅ ൃߦ͞ΕͨURLѼͷHTTPϦΫΤετͷதΛ֬ೝՄೳ
methodͱURL
ΫΤϦύϥϝʔλ ΫΤϦύϥϝʔλ
ϦΫΤετϘσΟ
Slide 136
Slide 136 text
136
Appendix 2. curlίϚϯυͷ͍ํ
λʔϛφϧ͔ΒHTTPϦΫΤετΛૹ৴Ͱ͖Δπʔϧ
# Cookieヘッダを設定してリクエスト
$ curl -H ‘Cookie: user_id=1’ http://localhost:8000/
# フォームの送信
$ curl -X POST -d ‘param=1¶m2=hoge’ http://example.com/
# ファイルをアップロード
$ curl -X POST -F upfile=@/path/to/sample.txt http://example.com/upload
Slide 137
Slide 137 text
137
Appendix 2. curlίϚϯυͷ͍ํ
$ python3 -m pip install requests
PythonͷHTTPΫϥΠΞϯτϥΠϒϥϦ
import requests
r = requests.get(‘http://example.com')
print(r.text)
r = requests.post(‘http://example.com', data={‘param1’: ‘value1’},
headers={‘Cookie’: ‘hoge=fuga’})
print(r.text)
Slide 138
Slide 138 text
138
Appendix 3. Chrome։ൃऀπʔϧͷ͍ํ
Option + Command + I Ͱىಈ
ʮιʔεʯλϒ
ݱࡏͷϖʔδͷදࣔʹඞཁͳ
HTMLɺJSɺCSSΛӾཡͰ͖Δ
JSͷ߹ʹߦ൪߸ΛΫϦοΫ͢
Δ͜ͱͰϒϨʔΫϙΠϯτΛઃஔ
֤ͯ͠มͷͳͲΛ֬ೝՄೳ
Slide 139
Slide 139 text
139
Appendix 3. Chrome։ൃऀπʔϧͷ͍ํ
ʮωοτϫʔΫʯλϒ
ʮϩάΛอ࣋ʯʹνΣοΫΛ͚Δ͜ͱͰϖʔδભҠ
͕ൃੜͯ͠ɺϦΫΤετཤྺ͕আ͞Εͳ͍
ʮΞϓϦέʔγϣϯʯλϒ
ද͍ࣔͯ͠ΔWebαΠτͷ
CookielocalStorageͷӾཡฤू͕Մೳ
ϒϥβͰൃੜͨ͠ϦΫΤετ
ΛӾཡͰ͖Δ
Slide 140
Slide 140 text
140
Appendix 4. Burp Suiteͷ͍ํ
ʮProxyʯ→ ʮInterceptʯ
ʮOpen browserʯΛΫϦοΫ͢Δ
͜ͱͰΈࠐΈϒϥβ͕ىಈ
Slide 141
Slide 141 text
141
Appendix 4. Burp Suiteͷ͍ํ
ʮIntercept is onʯͷঢ়ଶʹ͢Δ
ͱɺىಈͨ͠ϒϥβͰൃੜ͠
ͨϦΫΤετΛதஅͯ͠ฤूͰ
͖Δ
Slide 142
Slide 142 text
142