
Product Security Exercise: Practicing Attack and Defense (攻撃と防御で実践するプロダクトセキュリティ演習)

Recruit
August 10, 2023


Lecture material from the 2023 Recruit new-graduate engineer course training.


Transcript

  1. Instructor introduction: Tomoya Nakanishi (中西 朋也). Joined in FY2022, second year.
     Hobbies: watching films, occasional travel, occasional CTFs.
     Recent / planned activities: competed in the SECCON 2022 finals; studying cloud security; earning security certifications (OSCP obtained, OSEP next).
  2. Instructor introduction: Sanosuke Kato (加藤 佐之助). Joined in FY2021, third year.
     Hobbies: games (Rocket League), occasional drives, listening to music, watching F1.
     Recent / planned activities: verifying the effectiveness of CAPTCHA puzzles; catching up on attack techniques against Linux executables.
  3. Our work: with the goal of making product security "something we can be sure of", we support developers across the various phases of development.
     - Upstream-phase support: review requirements definitions and design documents from a security perspective so that risks can be addressed early.
     - Vulnerability assessment: find vulnerabilities in products that have already been developed and support their remediation.
     - Early warning: monitor vulnerabilities in third-party products, investigate their impact inside the company and request the necessary response.
  4. About the challenges: the problems are built around vulnerabilities commonly found in web application implementations.
     ‣ Missing access control
     ‣ Flawed authentication / authorization
     ‣ Arbitrary file upload
     ‣ SQL injection
     ‣ OS command injection
     ‣ Directory traversal
     ‣ XSS
     ‣ CSRF
     ‣ Open redirect
  5. Rules
     ‣ Do not do anything that disrupts other participants or the progress of the lecture.
       - Because of how the lecture is set up, you may end up doing this unintentionally; if so, follow the instructors' directions.
     ‣ Do not use your everyday passwords or e-mail addresses.
       - Your real passwords and similar data could leak.
       - The problems are solvable without using your real credentials.
     ‣ Do not publish the solutions.
       - Share information within your team only through a private Slack channel or a private GHE repository.
       - The problems may be reused in next year's training, so do not post them on the internet.
  6. Preparation
     ‣ Burp Suite Community Edition: https://portswigger.net/burp/communitydownload
     ‣ Docker Desktop: https://www.docker.com/products/docker-desktop/
     ‣ The latest version of Chrome
     If you are joining from home, connect to エニコネ/インコネ before accessing the exercise environment.
  7. Check 4: Tutorial problem (attack part): getting the source code
       $ git clone https://…/bootcamp-2023-teamx.git    (the repository host is not shown on the slide)
       $ cd bootcamp-2023-teamx/
       $ ls
       … fortune …
     Clone the repository distributed to your team and look at the source code. This problem is called "fortune", so the application code lives in the directory of the same name, "fortune".
  8. Docker Compose: layout of the target application (for reference)
     A server is prepared that runs the Docker Compose setup from the distributed source code; an ELB is provisioned for each exposed port.
     Compose services listed on the slide: app, crawler, mysql, nginx, php.
     ELB hostnames on the slide (separators and digits were lost in extraction): http://lb-hoge-app-….elb.ap-northeast….amazonaws.com, http://lb-hoge-crawler-….elb.ap-northeast….amazonaws.com, http://lb-fuga-….elb.ap-northeast….amazonaws.com
  9. Check 6: Tutorial problem (defense part): verifying the fix
       $ cd bootcamp-2023-teamx/fortune
       $ ls
       docker  docker-entrypoint.sh  src  docker-compose.yml  resources
       # Build the image, source code included, as the Docker containers start
       # Once the server is up it is reachable at http://localhost:8000/
       $ docker compose up --build
     Fix the code in the distributed repository, start the server with docker compose, and confirm that the fix works.
  10. curl: a tool for sending HTTP requests from the terminal
       # Send a request with the Cookie header set
       $ curl -H 'Cookie: user_id=1' http://localhost:8000/
       # Submit a form
       $ curl -X POST -d 'param=1&param2=hoge' http://example.com/
       # Upload a file
       $ curl -X POST -F upfile=@/path/to/sample.txt http://example.com/upload
  11. Python's requests: an HTTP client library for Python
       $ python3 -m pip install requests

       import requests
       r = requests.get('http://example.com')
       print(r.text)
       r = requests.post('http://example.com', data={'param1': 'value1'}, headers={'Cookie': 'hoge=fuga'})
       print(r.text)
  12. webhook.site: send a request, by whatever means, to the URL it issues for you (the per-user token is not shown on the slide)
       # Open the URL in a browser
       # Send with curl
       $ curl -X POST -d 'hoge=fuga' https://webhook.site/…
       # Send a request from a script tag
       <script>fetch('https://webhook.site/…')</script>
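The curl, requests and webhook.site slides above describe three request shapes (a GET carrying a Cookie header, a URL-encoded form POST, a multipart file upload) and an out-of-band receiver that records whatever reaches it. The script below is an added example, not code from the deck or from Recruit: it reproduces all three requests with the Python standard library only and stands up a local recorder on 127.0.0.1 that plays the role webhook.site plays on the slide, so the exact headers and body each request puts on the wire can be inspected offline. The port (ephemeral), the form field names, the file name and the file content are constructed for the example.

```python
"""Cookie GET, form POST and multipart upload against a local webhook-style recorder."""
import threading
import urllib.parse
import urllib.request
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

# Recorder state: one dict per request (method, path, lower-cased headers, raw body).
# This is a constructed stand-in for webhook.site, not the real service.
RECEIVED = []


class RecordingHandler(BaseHTTPRequestHandler):
    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        RECEIVED.append({
            "method": self.command,
            "path": self.path,
            "headers": {k.lower(): v for k, v in self.headers.items()},
            "body": body,
        })
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")

    do_GET = _record
    do_POST = _record

    def log_message(self, *args):  # silence per-request logging
        pass


def start_receiver():
    """Bind the recorder to an ephemeral port on loopback; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), RecordingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def cookie_get(url, cookie):
    # Equivalent of: curl -H 'Cookie: user_id=1' http://localhost:8000/
    req = urllib.request.Request(url, headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


def form_post(url, fields):
    # Equivalent of: curl -X POST -d 'param=1&param2=hoge' http://example.com/
    data = urllib.parse.urlencode(fields).encode()  # urllib adds the form Content-Type
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


def file_upload(url, field, filename, content):
    # Equivalent of: curl -X POST -F upfile=@/path/to/sample.txt http://example.com/upload
    # The multipart body is built by hand so the wire format is visible.
    boundary = uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    body = head + content + f"\r\n--{boundary}--\r\n".encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": f"multipart/form-data; boundary={boundary}"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read()


def demo():
    """Run the three requests against the local recorder and return what it captured."""
    RECEIVED.clear()
    server, base = start_receiver()
    try:
        cookie_get(base + "/", "user_id=1")
        form_post(base + "/", {"param": "1", "param2": "hoge"})
        file_upload(base + "/upload", "upfile", "sample.txt", b"hello from the exercise\n")  # constructed sample
        return list(RECEIVED)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for r in demo():
        print(r["method"], r["path"], r["headers"].get("cookie"), r["headers"].get("content-type"))
        print(r["body"].decode(errors="replace"))
```

Swap `base` for the real webhook.site URL (or the exercise target at http://localhost:8000/) to send the same requests for real; the recorder is only there so the request bytes can be checked before pointing them at a target.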