Upgrade to Pro — share decks privately, control downloads, hide ads and more …

脆弱性を作ってみた

Avatar for Sota Sugiura Sota Sugiura
December 22, 2016
Technology
570
1

 脆弱性を作ってみた

雑兵MeetUp #8@21cafe

Avatar for Sota Sugiura

Sota Sugiura

December 22, 2016

More Decks by Sota Sugiura

See All by Sota Sugiura
内製したSlack Appで頑張るIncident Response@Waroom Meetup #1 / Incident Response with Slack App in 10X
Avatar for Sota Sugiura sota1235
0
1.9k
20220926_セキュリティチームの今_for_Drs._Prime_公開用.pdf
Avatar for Sota Sugiura sota1235
0
190
再発防止策を考える技術 / #phpconsen
Avatar for Sota Sugiura sota1235
10
4.1k
How to choose the best npm module for your team?
Avatar for Sota Sugiura sota1235
9
650
Realtime Database for high traffic production application
Avatar for Sota Sugiura sota1235
7
4.3k
Road to migrate JP Web as a microservice
Avatar for Sota Sugiura sota1235
4
1.7k
インターフェース再入門 / Think Interface again
Avatar for Sota Sugiura sota1235
6
11k
再発防止策を考える技術 #phpconfuk_rej
Avatar for Sota Sugiura sota1235
1
1.4k
Update around Firebase #io18
Avatar for Sota Sugiura sota1235
3
4.4k

Other Decks in Technology

See All in Technology
カオナビに Suspenseを導入するまで / The Road to Suspense at kaonavi
Avatar for 株式会社カオナビ kaonavi
1
410
Reasoning Models in Practice: From Inference- Time to Training-Time Scaling on Verifiable Tasks
Avatar for Dat Nguyen nptdat
0
110
Cortex Codeのコスト見積ヒントご紹介
Avatar for Yosuke Katsuki yokatsuki
0
150
生成AIはソフトウェア開発の革命か、ソフトウェア工学の宿題再提出なのか -ソフトウェア品質特性の追加提案-
Avatar for kyonmm kyonmm
PRO
2
840
AI駆動開発で生産性を追いかけたら、行き着いたのは品質とシフトレフトだった
Avatar for Koichiro Matsuoka littlehands
0
360
20260513_生成AIを専属DSに_AI分析結果の検品テクニック_ハンズオン_交通事故データ
Avatar for NobuakiOshiro doradora09
PRO
0
180
AgentCore Managed Harness を使ってみよう
Avatar for やくも yakumo
2
320
AIの揺らぎに“コシ”を与える階層化品質設計
Avatar for ICKX ickx
0
220
OWASP APTSを眺めてみた
Avatar for su3158 su3158
0
110
アクセシビリティはすべての人のもの
Avatar for tomokusaba tomokusaba
0
260
Forget technical debt
Avatar for Uwe Friedrichsen ufried
0
170
[Oracle TechNight#99] 生成AI時代のAI/ML入門 ~ AIとオラクルデータベースの関係 (前半)
Avatar for oracle4engineer oracle4engineer
PRO
2
220

Featured

See All Featured
SEO in 2025: How to Prepare for the Future of Search
Avatar for Michael King ipullrank
3
3.4k
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
Avatar for David Carrasco davidcarrasco
3
120
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
Avatar for Umar Saidu Auna auna
0
130
How to Grow Your eCommerce with AI & Automation
Avatar for Katarina Dahlin katarinadahlin
PRO
1
180
Efficient Content Optimization with Google Search Console & Apps Script
Avatar for Katarina Dahlin katarinadahlin
PRO
1
530
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
Avatar for Ryan Jones ryanjones
0
130
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
333
25k
The Spectacular Lies of Maps
Avatar for Per Axbom axbom
PRO
1
730
Navigating Team Friction
Avatar for Lara Hogan lara
192
16k
Technical Leadership for Architectural Decision Making
Avatar for Kenny Baas-Schwegler baasie
3
350
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
790
250k
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
340
58k

Transcript

  1. ੬ऑੑΛ࡞ͬͯΈͨ !TPUB͖ΓΜ ࡶฌ.FFU6Q

  2. ࣗݾ঺հ w ͖ΓΜͰ͢ w !TPUB w ໌೔͔Βࢮͷ೔͕ؒ࢝·Γ· ͕͢Έͳ͞ΜਐḿͲ͏Ͱ͔͢

  3. ੬ऑੑΛ࡞ͬͪΌͬͨͰ͸ͳ͘ ࡞ͬͯΈͨ࿩Ͱ͢ ̃䯡ՙ☭岩ՙՊլՖ㈕ՙՊլ

  4. ߈ܸຊೳͷ࿩ w ਓ͸ਐԽ͢Δલ͸Ԑͩͬͨ w ՐΛ࢖͍ɺಓ۩Λ࢖͍ɺङΓΛߦ͏͜ͱͰੜ͖ Ԇͼ͖ͯͨ w ߈ܸ͢Δ͜ͱͱ͸ੜ͖Δ͜ͱͦͷ΋ͷ

  5. ਓੜJT Ԑͷ࿭੕γϦʔζΑΓ

  6. ϓϩάϥϚʹ͓͚Δ߈ܸຊೳ w ϓϩάϥϚ΋ਓؒ w ౰વɺ߈ܸຊೳΛඋ͍͑ͯΔ w ࣮͸ϓϩάϥϚͱ߈ܸੑ͸ີ઀ʹؔ܎ͯ͠Δͱ ݴΘΕ͍ͯΔ

  7. ·͊ӕͳΜͰ͚͢Ͳ IUUQKJHPLVOPDPNFJE@IUNM

  8. ·͊ӕͳΜͰ͚͢Ͳ Ͱ΋෺૽ͳਓ͕ଟ͍ؾ͸͠·͢ΑͶ IUUQKJHPLVOPDPNFJE@IUNM

  9. ݱ࣮͸ݫ͍͠ IUUQTUXJUUFSDPNIULC@TUBUVT

  10. ݱ࣮͸ݫ͍͠ IUUQTUXJUUFSDPNIULC@TUBUVT

  11. ఘΊΔ͔͠ແ͍ͷ͔ w ߹๏తʹ߈ܸຊೳΛຬͨ͢ํ๏͕ʜ w ͋Γ·͊ SZ

  12. $BQUVSF 5IF 'MBH

  13. $BQUVSF5IF'MBH w ضऔΓ߹ઓ w αʔόʹ৵ೖͨ͠ΓηΩϡϦςΟʹ·ͭΘΔ໰ ୊Λղ͍ͯضΛऔΔ w 4&$$0/ͱ͔༗໊Ͱ͢ΑͶ

  14. ຊ୊ w ઌ೔ɺ਎಺޲͚ʹ$5'Λ΍ͬͨ w ඍົʹܦݧ͕͋ͬͨͷͰ໰୊࡞Γͱ͔΍ͬͨ

  15. ༷ࢠ

  16. ༷ࢠ

  17. ग़୊δϟϯϧΛܾΊΔ w $5'ͷकඋൣғ͸ΊͪΌͪ͘Ό๲େ w ҉߸ ϑΝΠϧղੳ ωοτϫʔΫ 8FC  'PSFOTJDT

    QXO FUD w ࠓճ͸8FCͷਓ͕ଟ͔ͬͨͷͰ8FCଟΊʹͨ͠

  18. ໰୊Λߟ͑Δ w ͱ͍ͬͯ΋ࢲ΋ॳ৺ऀͳͷͰաڈ໰ͱ͔੬ऑੑ Λௐ΂ͳ͕Βߟ͑Δ w ͓΋͠Ζ͔ͬͨΓֶͼʹͳΓͦ͏ͳ΋ͷ͕͋Ε ͹࠾༻͍ͯ͘͠

  19. ໰୊Λߟ͑Δ

  20. γφϦΦΛҙࣝ͢Δ w ͜Μͳ੬ऑੑ͕͋ͬͨΒ͜Μͳ͜ͱ͕Ͱ͖ͪΌ ͏ΑͶɺΈ͍ͨͳͷΛߟ͑Δ

  21. Կݸ͔঺հ

  22. ྫ͑͹ψϧόΠτ߈ܸ w /6--จࣈΛจࣈྻͷऴ୺จࣈͱͯ͠ೝࣝ͢Δ ͜ͱΛར༻ͨ͠߈ܸ w ࠓճ͸1)1Ͱ࣮૷ͨ͠

  23. ψϧόΠτ߈ܸ <?php $filename = $_GET['filename'].'png'; echo file_get_contents($filename);

  24. ψϧόΠτ߈ܸ <?php $filename = $_GET['filename'].'png'; echo file_get_contents($filename); // /index.php?filename=/etc/passwd //

    Ͱ΋.png͕अຐͦ͏…

  25. ψϧόΠτ߈ܸ w ͓΋ΉΖʹJOEFYQIQ pMFOBNFUD QBTTXEʹΞΫηε͢Δ w ͢ΔͱpMF@HFU@DPOUFOUT͸Λऴ୺จࣈͱ ͯ͠ೝࣝ͢ΔͷͰQOH͕ࣺͯΒΕΔ

  26. ψϧόΠτ߈ܸ <?php $filename = $_GET['filename'].'png'; echo file_get_contents($filename); // /index.php?filename=/etc/passwd%00 //

    ϢʔβҰཡൈ͚Δͧʂ

  27. ྫ͑͹/P42-*OKFDUJPO w υΩϡϝϯτ%#Ͱى͖͏Δ੬ऑੑ w 1)1 NPOHP%#Ͱ࣮૷Ͱ͖Δ

  28. /P42-ΠϯδΣΫγϣϯ <?php $name = $_GET['name']; return $db->find(['name' => $name]); //

    /index.php?name=kirin

  29. /P42-ΠϯδΣΫγϣϯ <?php $name = $_GET['name']; return $db->find(['name' => $name]); //

    /index.php?name[$ne]=xͬͯ΍Δͱ…

  30. ྫ͑͹/P42-*OKFDUJPO w 1)1Ͱ͸(&5ΫΤϦετϦϯάΛ࿈૝഑ྻͰड ͚औΕΔ w OBNF<OF>Yͬͯ΍ΔͱҎԼͷΑ͏ͳ஋͕ ౉ͬͯ͘Δ

  31. ྫ͑͹/P42-*OKFDUJPO w ͜ͷΫΤϦ͕ͦͷ··NPOHPʹ౉Δͱ42-Ͱ ݴ͏ͱ͜Ζͷ8)&3&OBNFbY`ͱ͍͏৚݅ ͕੒ཱͯ͠͠·͏

  32. ͳΜͰ1)1͹͔ͬΓ͔ͬͯʁ w ؾ෇͍ͯ͠·ͬͨਓ͸ফ͞ΕΔͷͰؾ͔ͮͳ͍ ϑϦΛ͠·͠ΐ͏Ͷ ?Т?  w 1)1Yd࢖͓͏ɺܑ͓͞Μͱͷ໿ଋͩ ?Т?

  33. ଞʹ΋ʜ w ύεϫʔυ͖ͭ;*1ղੳ w %JHFTU#BTJDBVUIFOUJDBUJPO w 944 w ҉߸ղੳ 305ͱ͔୯Ұ׵ࣈࣜͱ͔

  34. ਅ໘໨ͳ࿩ w ࡞໰͢Δʹ͸ͭͷࢹ఺͕ඞཁ w ߈ܸऀࢹ఺ w ։ൃऀࢹ఺ w ʮప໌͚ʹ։ൃͯͨ͠ΒΪϦΪϦ͋Γ͏ΔʯΈ ͍ͨͳ΍ͭΛ࡞Δͷ͸ָ͍͠͠ษڧʹͳΔΑ

  35. ·ͱΊɿ$5'͠Α͏ w ߹๏తʹ߈ܸຊೳΛຬͨͤΔͷͰΦεεϝ w 8FCʹݶΒͣ෯޿͍஌ࣝΛٻΊΒΕΔͷͰษڧ ʹͳΔ w ৗறܕ$5'΋͋ΔͷͰڵຯ͕͋Δํ͸ͥͻ