੬ऑͳΞϓϦΛॻٕ͘ज़ BLJZN )PLLBJEPQN

ࣗݾ঺հ w BLJZN w ϚΠϒʔϜ w $5'ͱ͍͏ηΩϡϦςΟͷڝٕͷΑ͏ͳ΋ͷ w ೔ຊͰ͸4&$$0/$5'ͱ͔

No content

No content

$5' w SFWFSTJOH QXO w XFC w DSZQUP

w ʮ੬ऑͳΞϓϦΛॻ͘ʯ w $5'ͷ໰୊Λղ͘ɺ࡞Δ্Ͱศརͳٕज़ w ࣮ࡍʹ࡞੒ͨ͠໰୊Λྫʹղઆ w ͔ͤͬ͘ͳͷͰ1FSMʹߜͬͨ࿩

IUUQDUGLBUTVEPOPSH

No content

PQFO') pMF

w ૝ఆͱͯ͠͸༻ҙ͞ΕͨςΩετϑΝΠϧΛಡΉɺ ϑΝΠϧ໊Λࢦఆ͢Δ͜ͱͰ੾Γସ͑Δ w ·ͣઈରύεΛࢦఆ͞ΕΔͱˠFUDQBTTXE w ૬ରύεͰ΋ˠFUDQBTTXE w ࢦఆͰ͖ΔύεΛ੍ݶͰ͖ΔΑ͏ʹ͠ͳ͚Ε͹ ͍͚ͳ͍

w Ͱ΋·ͩ໰୊͕͋Δ w PQFO') pMF w pMFcDBUFUDQBTTXE w ೚ҙͷίϚϯυΛ࣮ߦՄೳ

PQFONZGI pMFPSEJF

42-JOKFDUJPO

"SELECT * FROM user WHERE name = '$name' AND pass = '$pass'"

"SELECT * FROM user WHERE name = '' AND pass = '' OR 1=1--'"

w ೝূͷಥഁ͚ͩͰ͸ͳ͘ʜ w ςʔϒϧɺΧϥϜ৘ใ͔Β%#ͷ಺༰ΛಘΔ w TRMJUF@NBTUFS JOGPSNBUJPO@TDIFNB w .Z42-Ͱ͋Ε͹ɺ-0"%@'*-&Ͱ೚ҙͷϑΝΠ ϧΛಡΈࠐΉ͜ͱ͕Ͱ͖ͨΓɺ*/50065'*-& ͰϑΝΠϧͷॻ͖ग़͕͠Ͱ͖Δ

w ͍·͞Β42-JOKFDUJPO w ϓϨʔεϗϧμʔΛѻ͏৔߹ͳΒ҆શʁ w ͜Μͳ࿩΋ʜ

+40/42-J

No content

w ΫΤϦϏϧλʹΑΔ42-ੜ੒ w 42-JOKFDUJPO͸ൃੜ͠ͳ͍Α͏ʹݟ͑Δ͕ʜ w ΢ΣϒΞϓϦʹ͓͍ͯɺϢʔβʔ͔Βͷೖྗ͸
 จࣈྻͱͯ͠ѻΘΕΔ͕ɺ+40/Ͱσʔλͷड͚ ౉͠Λ͢Δ͜ͱͰIBTISFGΛ౉͢͜ͱ΋Ͱ͖Δ w IBTISFGΛ౉ͨ͠ࡍͷΫΤϦϏϧλଆͷڍಈΛ
 ར༻ͨ͠42-JOKFDUJPO

\OBNF\BBB^^ 4&-&$5'30.AVTFSA8)&3& AOBNFA 03%&3#:VTFS@JE%&4$

w ͜Ε͚ͩͰ΋ڴҖɺೝূͷಥഁ΍ςʔϒϧ಺ͷ
 ͢΂ͯͷϨίʔυΛऔಘ͞ΕΔڪΕ͕͋Δ w ࠷ѱͷέʔε͸ʁ

w ໰୊ w BLJDUGRTFBSDIFS w IUUQDUGLBUTVEPOPSHQSPCMFN w 42-JUF w 42-.BLFSΛར༻ͨ͠੬ऑੑ

ΰʔϧผςʔϒϧͷϢʔβʔ໊ͱύεϫʔυΛಘΔ
 ͜͜ʹ͸੬ऑੑ͸ͳ͍

;(

w XIFSF۟Λ͢΂ͯࢦఆ͢Δ͜ͱ͕Ͱ͖Δ w ͜ΕͰԿ͕Ͱ͖Δ͔ w %#ͷ಺༰ ͢΂ͯ ΛऔಘͰ͖Δ

{ "name": "a", "1\"=\"1\") union select sql,tbl_name,null from sqlite_master where (\"a": "a" } WHERE ("name" LIKE ?) AND ("1"="1") union select sql,tbl_name,null from sqlite_master where ("a" LIKE ?) ΧϥϜ໊͸Τεέʔϓ͞Εͳ͍

w IUUQEFWFMPQFSTNPCBHFKQCMPH KTPOTRMJOKFDUJPO w IUUQCMPHLB[VIPPLVDPNUIF KTPOTRMJOKFDUJPOWVMOFSBCJMJUZIUNM w IUUQXXXTMJEFTIBSFOFULB[VIPKTPOTRM JOKFDUJPOBOEUIFMFTTPOTMFBSOFE

ਖ਼نදݱ

w ϢʔβʔͷೖྗΛਖ਼نදݱͷύλʔϯͱͯ͠ѻ͏ w RVPUFNFUB ͰΤεέʔϓ͢Δ w Τεέʔϓ͍ͯ͠ͳ͍৔߹͸ʁ w ॏ͍ਖ਼نදݱΛॻ͔ΕΔ w FWBM

\DPEF^

w ҆͝৺Λ w FWJM \QSJOU ^ dFWJM w ಈ͔ͳ͍ w &WBMHSPVQOPUBMMPXFEBUSVOUJNF w VTFSFFWBMΛ͢Ε͹ಈ͘Α͏ʹͳΔ

w QFSMҎ߱Ͱ͸ΑΓݫ͘͠ w d \ʜͱॻ͍ͯ΋ಈ͔ͳ͘ͳͬͨ w །Ұ൵͍͠ͷ͸ʜ"DNF&ZF%SPQT w 1FSMͰه߸ͷΈϓϩάϥϛϯά͸ෆՄೳʹ

use re 'eval'; ''=~('('.'?' .'{'.( '`'|'%').("\["^ '-').('`'| '!').('`'|',').'"' .('['^'+') .('['^ ')').('`'|')').('`'| '.').('['^'/').('{'^ '[').'\\'.'"'.('`'^'(' ).('`'|'%').('`'|',') .('`'|',').('`'|('/')). ','.('{'^'[').('['^ ',').('`'|'/').('['^')').( '`'|',').('`'| '$').'!'.'\\'.'\\'.('`'|'.'). '\\'.'"'."\;". '"'.'}'.')');$:='.'^'~';$~="\@"| '(';$^=')'^'['; $/='`'|'.';$,='('^'}';$\='`'|'!';$: =')'^'}';$~='*' |'`';$^='+'^'_';$/='&'|'@';$,='['&'~'; $\=','^"\|";$:= '.'^'~';$~='@'|'(';$^=')'^'[';$/='`'|'.' ;$,='('^'}';$\ ='`'|'!';$:=')'^'}';$~='*'|'`';$^='+'^'_' ;$/='&'|'@';$, ='['&'~';$\=','^'|';$:='.'^'~';$~='@'|'('; $^=')'^'[';$/='`'|'.';$,='('^'}';$\='`'|'!';$:=')'^'}';$~= '*'|'`';$^='+'^'_';$/='&'|'@';$,='['&'~';$\=','^'|';$:='.'^ '~';$~='@'|'(';$^=')'^'[';$/='`'|'.';$,='('^'}';$\='`'|'!' ;$:=')'^'}';$~='*'|'`';$^='+'^'_';$/='&'|'@';$,='['&'~';$\= ','^'|';$:='.'^'~';$~='@'|'(';$^=')'^'[';$/='`'|'.';$,='('^ '}';$\='`'|'!';$:=')'^'}';$~='*'|'`';$^='+'^'_';$/='&'|'@' ;$,='['&'~';$\=','^'|';$:='.'^'~';$~='@'|'(';$^="\)"^ '[' ;$/='`'|'.';$,='('^'}';$\='`'|'!';$:=')'^'}';$~='*' |(( '`'));$^='+'^'_';$/='&'|'@';$,='['&'~';$\ =','^'|' ;$: ='.'^'~';$~='@'|'(';$^=')'^'[';$/='`'| '.';$,= '(' ^'}'; $\='`'|'!';$:=')'^'}';$~="\*"| '`';$^= '+' ^'_';$/='&'|'@';$,='['&'~';$\ =(',')^ '|' ;$:='.'^ '~';$~='@' |"\("; $^=')' ^+ '[';$/= '`'|'.'; $,='(' ^"\}"; $\ =('`')| "\!";$:= "\)"^ "\}"; ( ($~))= '*'|'`'; ($^) ='+' ^"\_"; $/=('&')| '@'; ($,) ='['& "\~";$\= ','^ '|'; ($:)= '.'^'~' ;$~= '@'| '('; $^=')' ^'[' ;$/= '`'| '.' ;$,= '('^ '}'; $\= '`' |(( '!' )); $:= ')' ^(( '}' )); $~= '*' |(( '`' )) ;( ($^))= (( (( '+')) )) ^+ "\_";$/= (( '&' ))|+ "\@"; $, =(( '['))& '~'; $\= ','^ "\|";$:= '.' ^'~' ;($~)= ('@')| "\(";$^= ')'^'[' use re 'eval'; )FMMP XPSME Λग़ྗ͢ΔϓϩάϥϜ

ηογϣϯ

w ΫϥΠΞϯταΠυηογϣϯ w ΫϥΠΞϯτଆͰอଘ͢Δ w DPPLJFΛར༻͢Δ

ϝϦοτ w αʔόଆͰηογϣϯετΞͷ؅ཧΛ͢Δඞཁ ͕ͳ͍

σϝϦοτ w ஌ΒΕͨ͘ͳ͍৘ใΛTFTTJPOʹอଘͯ͠͸͍͚ ͳ͍ w ηογϣϯΛഁغ͢Δͱ͖͸ʁˠDMJFOUଆͷ৘ใ ͱͯ͠ظݶΛ࣋ͨͤΔɺTFDSFUΛมߋ͢Δͱ͔ w TFDSFU͕ྲྀग़͢ΔͱTFTTJPOΛվ᜵͢Δ͜ͱ͕
 Ͱ͖Δ

.PKPMJDJPVT

eyJzdXBlcl9zZWNyZXRfdG9rZW4iOiJwOUI0aWFLYWg4b09VelkxIiwiaWQ iOiIxIiwibmFtZSI6ImFraXltIiwiZXhwaXJlcyI6MTQxNDY4NDk4MH0--- a4fba79dbd246638df17e57e97ed4f1fded7a7e3 { "super_secret_token": "p9B4iaKah8oOUzY1", "id": "1", "name": "akiym", "expires": 1414684980 } data HMAC

eyJzdXBlcl9zZWNyZXRfdG9rZW4iOiJwOUI0aWFLYWg4b09VelkxIiwiaWQ iOiIxIiwibmFtZSI6ImFraXltIiwiZXhwaXJlcyI6MTQxNDY4NDk4MH0--- a4fba79dbd246638df17e57e97ed4f1fded7a7e3 my $data = encode_base64(encode_json({ ... expires => time() + 3600, })); $data =~ s/=/-/g; my $hmac = hmac_sha1_hex($data, $SECRET); data HMAC

w σʔλΛ+40/ʹͨ͠΋ͷΛCBTFͰFODPEF w TFDSFUΛLFZͱ͢Δվ᜵๷ࢭͷ)."$4)"Λ
 ͚ͭΔ

w ໰୊ w BLJDUGR0OMJOFCBOLJOH w IUUQDUGLBUTVEPOPSHQSPCMFN w 42-JOKFDUJPO TFTTJPOվ᜵ w TFDSFUΛࢦఆ͍ͯ͠ͳ͍

w .PKPMJDJPVTͰTFDSFUΛࢦఆ͍ͯ͠ͳ͍৔߹
 ܯࠂ͕ग़Δ͕ɺͱΓ͋͑ͣಈ͘ w ͦͷͱ͖ʹ͸TFDSFUʹQBDLBHF໊͕ࢦఆ͞ΕΔ w .PKPMJDJPVT-JUFͷ৔߹͸ϑΝΠϧ໊ w QBDLBHF໊͕஌ΒΕΔɺ΋͘͠͸༧ଌͰ͖Δ΋ ͷͰ͋Ε͹TFDSFU͕෼͔Δ

1MBDL.JEEMFXBSF 4FTTJPO$PPLJF

1414682274.88017:BQoDAAAAAQiAAAAABWFkbWlu:. Storable::thaw(decode_base64('BQoDAAAAAQiAAAAABWFkbWlu')) { 'admin' => 0 } data HMAC

1414683541.42553:BQoDAAAAAQiAAAAABWFkbWlu:
 bb33fc2e391e3d76edcbc8ffdcf66065d1d82862 my $data = encode_base64(Storable::freeze({ admin => 1, })); my $hash = hmac_sha1_hex($data, $SECRET); HMAC data

w σʔλΛ4UPSBCMFͰγϦΞϥΠζͨ͠΋ͷΛ CBTFͰFODPEF w TFDSFU͕ࢦఆ͞Ε͍ͯͨ৔߹ w TFDSFUΛLFZͱ͢Δվ᜵๷ࢭͷ)."$4)"Λ
 ͚ͭΔ

w ηογϣϯվ᜵ w σετϥΫλ࣮ߦ

w IUUQTTQFBLFSEFDLDPNNBMBIPXUP IBDLNFUBDQBOEPUPSH w IUUQTHJTUHJUIVCDPNNJZBHBXB CBGBEBDEE

ίϯςΩετ

w ίϯςΩετͱ͸ w 1FSM͸୯਺ͱෳ਺Λผͱͯ͠ѻ͏ w !GPP w !GPPˠ w TDBMBS!GPPˠ w ϦετΛ!BSSBZʹ୅ೖ͢Ε͹഑ྻʹɺIBTIʹ୅ ೖ͢Ε͹ϋογϡʹ

No content

1FSMͷίϯςΩετ͸ ѱ

w 1FSMͷಛ௃Ͱ΋͋Γɺݸਓతʹ͸݁ߏ޷͖ w 5FOH͸ίϯςΩετʹԠͯ͡ಈ࡞Λม͑Δ
 ͜Ε͸࢖ͬͯͳ͍ w NZBSHT GPP !@ Έ͍ͨͳ͜ͱ͕ Ͱ͖Δ w ศརͳ͜ͱ΋͋Ε͹ɺѱ͍͜ͱ΋͋Δ

w ໰୊ w $5'֤ҐMPHJOQBHF w IUUQBLJZNIBUFCMPKQFOUSZ w ۠੾ΓจࣈɺDPOUFYUʹΑΔ੬ऑੑ

ϦετΛड͚औΔͱల։ OBNFBQBTTCQBTTD

{ ... pass => 'asdf', give_me_flag => 0, give_me_flag => 'give_me_flag', # true! 0 } VTFS\HJWF@NF@qBH^HJWF@NF@qBH

w 0EEOVNCFSPGFMFNFOUTJOBOPOZNPVTIBTI w VTFXBSOJOHT'"5"-BMM w ·͋΍ͬͯΒΕͳ͍

w IUUQXXXTPOHNVKQSJKJFOUSZ DHJQBSBNIUN w IUUQCMPHUPLVNBSVPSHOFX DMBTTPGWVMOFSBCJMJUZJOQFSMXFCIUNM

·ͱΊ w Ҿ਺ͷPQFO w +40/42-J w ਖ਼نදݱͰͷFWBM w ΫϥΠΞϯταΠυηογϣϯ w ϋογϡͷϦετͷల։