Week 123
$ whoami
@splitline
Web 🐶
SQLab @ NYCU CSIE
CTF @ 10sec / TSJ
Web Security
Said to be the easiest area of security to get started in?
Lab: Cat Shop
Congratulations 🎉 you have already learned:
- /admin_panel does not check the user's identity at all?
- /admin -> 403 Permission Denied
- /admin/delUser ??? -> vertical privilege escalation: normal user -> administrator
- /myAccount?user=5
- /myAccount?user=6 ??? -> horizontal privilege escalation: user A -> user B
<p>Hi, <script>alert(/xss/)</script>!</p>
(splitline.tw shows a dialog: "/xss/" [OK])
XSS
facebook.com/vuln?xss=<script>postArticle("Hacked!");</script>
{\__/}
( • - •)
/>🌰
Here is an example 🌰
Ping this IP: [ 8.8.8.8 ]
ping -c 1 USER INPUT
ping -c 1 8.8.8.8
ping -c 1 8.8.8.8; ls -al
Command Injection
HTML / CSS / JavaScript
https://splitline.tw
<!DOCTYPE html>
<html>
<style>
body { background-color: cyan; }
h1 { color: red; }
</style>
<h1>Meow 🐱</h1>
<p>Hello, World.</p>
<script>prompt()</script>
</html>
(The browser renders "Meow 🐱" and "Hello, World." and shows a prompt() dialog from splitline.tw with Cancel / OK buttons)
Frontend (Browser / Client)
- Web frontend languages: HTML, CSS, JavaScript
- Frontend frameworks / libraries: Bootstrap, jQuery, React…
Backend (Server)
- Web backend languages: PHP, Node.js, Java, Python…
- Web development frameworks: Laravel, Express, Spring, Flask…
HTTP Protocol: HyperText Transfer Protocol
Browser / Client --HTTP Request--> Server
Browser / Client <--HTTP Response-- Server
HTTP/1.1 200 OK
Content-Length: 5

Meow!
HTTP Request
POST /login?redirect=%2f HTTP/1.1\r\n
Host: example.com\r\n
Referer: http://example.com/home\r\n
User-Agent: Mozilla/5.0 …\r\n
Content-Length: 32\r\n
\r\n
username=admin&password=p455w0rd
HTTP Request: Method
- A verb that expresses what the user wants to do with this request
- Common ones: GET, POST, PUT, DELETE, PATCH, HEAD …
HTTP Request: Path
- /login?redirect=%2f comes from the URL http://example.com/login?redirect=%2f#login-form
HTTP Request: Host
- Host: internal.service -> internal.service (private app)
HTTP Response
HTTP/1.1 302 Found
Content-Length: 35\r\n
Content-Type: text/html; charset=UTF-8\r\n
Location: https://example.com/\r\n
Server: Apache/2.4.41 (Ubuntu)\r\n
\r\n
Redirecting to <a href="/">/</a>...
HTTP Response: Protocol version and response status
- 1xx: hold on a second -> 101 Switching Protocols
- 2xx: 👍 -> 200 OK
- 3xx: go away -> 301 Moved Permanently, 302 Found
- 4xx: something is wrong with you -> 403 Forbidden
- 5xx: something is wrong with me -> 500 Internal Server Error
HTTP Status Codes Decision Diagram
🐱 http.cat / 🐶 httpstatusdogs.com
HTTP Response: Header
HTTP/1.1 302 Found
Content-Length: 35\r\n
Content-Type: text/html; charset=UTF-8\r\n
Location: https://example.com/\r\n
Server: Apache/2.4.41 (Ubuntu)\r\n
\r\n
Redirecting to <a href="/">/</a>...
CRLF Injection
?redirect=http://example.com/%0d%0a%0d%0a...
HTTP/1.1 302 Found
Content-Length: 35\r\n
Content-Type: text/html; charset=UTF-8\r\n
Location: https://example.com/\r\n
\r\n
<script>alert(1)</script>\r\n        <- from here on, everything is BODY
Server: Apache/2.4.41 (Ubuntu)\r\n
\r\n
Redirecting to <a href="/">/</a>...
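To make the header/body split above concrete, here is an added example (written for these notes, not code from the slides) that parses a raw response, builds the naive redirect, and shows the one check that stops it. The target URL is a constructed value taken from the slide's payload.

```python
# Added example: how a CR/LF inside a redirect target splits an HTTP response,
# and the hardened builder that refuses it. Inputs are constructed.
from urllib.parse import unquote


def split_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")  # first blank line ends the headers
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def build_redirect(target: str) -> bytes:
    """Naive 302 builder: the ?redirect= value is copied straight into Location."""
    return (b"HTTP/1.1 302 Found\r\n"
            + b"Content-Type: text/html; charset=UTF-8\r\n"
            + b"Location: " + target.encode("latin-1") + b"\r\n"
            + b"Server: Apache/2.4.41 (Ubuntu)\r\n"
            + b"\r\n"
            + b'Redirecting to <a href="/">/</a>...')


def safe_redirect(target: str) -> bytes:
    """Hardened builder: a header value must never contain CR or LF."""
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF not allowed in a header value")
    return build_redirect(target)


# Constructed input: the slide's ?redirect= value, URL-decoded as the server sees it.
INJECTED = unquote("http://example.com/%0d%0a%0d%0a<script>alert(1)</script>")
```

With the naive builder the Server header and the real body land after the injected blank line, so the browser treats them as page content; the hardened builder raises instead.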
Cookie
- A small piece of data that records user information
- Bound to a domain name and a path
Visit https://splitline.tw:8080
splitline.tw / meow=123
google.com / session=c8763
Server -> client (cookie added):
HTTP/1.1 200 OK
Set-Cookie: over18=1
Client -> server (next visit):
GET / HTTP/1.1
Cookie: over18=1
Cookie attributes
- HttpOnly
  - Cannot be read from JavaScript via document.cookie
- Secure
  - Only sent to the server when transmitted over https://
- Expires=<date>
  - The cookie expires after the given date and time
  - If not set, the cookie expires automatically when the browser is closed
- Max-Age=<seconds>
  - The cookie expires after the given number of seconds
  - Takes precedence over Expires
Session
GET / HTTP/1.1
Cookie: sessionid=8b25bf2a843de1fa
Server side: Session ID -> Data ...
Signed Cookie
GET / HTTP/1.1
Cookie: session=eyJ1c2VybmFtZSI6ICJhZG1pbiJ9.CAAEGc3...
                (data).(hmac)
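The data.hmac layout sketched above, as an added example written for these notes (not code from the slides): sign a cookie with HMAC-SHA256 and verify it with a constant-time compare. The key and the session contents are constructed placeholders.

```python
# Added example: "<base64 data>.<base64 hmac>" signed cookies. A client can read
# the data part, but changing it without the key breaks the tag.
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key-change-me"  # placeholder, never ship a fixed key


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _dump(data: dict) -> bytes:
    return json.dumps(data, separators=(",", ":")).encode()


def sign_cookie(data: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize data, then append an HMAC-SHA256 tag over the encoded data."""
    payload = _b64(_dump(data))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the data dict if the tag is valid, otherwise None."""
    payload, sep, tag = cookie.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(tag)):  # constant-time compare
            return None
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):  # bad base64 / bad JSON
        return None


def tamper_data(cookie: str, new_data: dict) -> str:
    """Swap the data part but keep the old tag: editing the cookie client-side."""
    _, _, tag = cookie.partition(".")
    return f"{_b64(_dump(new_data))}.{tag}"
```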
- Error message
- Session ID
- (And more)
Common patterns
- robots.txt
  - Tells crawlers what they should and should not look at
  - May contain paths the site does not want crawled
  - Admin backend?
  - HITCON Zeroday ZD-2019-00770
- .git / .svn / .bzr
- .DS_Store
  - Hidden file generated automatically on macOS
  - Reveals the names and paths of the files inside the folder
  - lijiejie/ds_store_exp
- .index.php.swp
  - vim swap file
  - The original source can be recovered directly from it
- Backup files
  - www.tar.gz
  - backup.zip
  - …
Google Hacking
- site:nycu.edu.tw
- intext:"管理介面" (admin interface)
- filetype:sql
http://splitline.tw/index.php http://splitline.tw/home
- "One-line webshell" (一句話木馬):
http://example.com/uploads/webshell.php?code=system('id');
Prevent & Bypass
No .php ?
<FilesMatch "meow">
SetHandler application/x-httpd-php
</FilesMatch>
file_get_contents("./files/".$_GET['file'])
-> ./files/report_9487.pdf
http://victim.com/download.php?file=../download.php
file_get_contents("./files/".$_GET['file'])
-> ./files/../download.php
--> ./download.php
http://victim.com/download.php?file=../../../../etc/passwd
file_get_contents("./files/".$_GET['file'])
-> /var/www/html/files/../../../../etc/passwd
--> /etc/passwd
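The download.php pattern above, as an added example written for these notes (not code from the slides): the naive concatenation next to a check that resolves the path and requires it to stay under the files directory. The webroot, report_9487.pdf and download.php are constructed in a temporary directory so it runs offline.

```python
# Added example: path traversal in the "./files/".$_GET['file'] pattern and the
# realpath + commonpath check that blocks it. Files are constructed in a temp dir.
import os
import tempfile


def naive_path(base_dir: str, user_file: str) -> str:
    """Equivalent of "./files/".$_GET['file']: normpath mimics how the OS resolves '..'."""
    return os.path.normpath(os.path.join(base_dir, user_file))


def safe_path(base_dir: str, user_file: str) -> str:
    """Resolve symlinks and '..', then require the result to stay under base_dir."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, user_file))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes {root}: {user_file!r}")
    return target


def demo(user_file: str):
    """Return (naive result relative to the webroot, whether safe_path accepted it)."""
    with tempfile.TemporaryDirectory() as webroot:
        files = os.path.join(webroot, "files")
        os.mkdir(files)
        open(os.path.join(files, "report_9487.pdf"), "w").close()  # constructed
        open(os.path.join(webroot, "download.php"), "w").close()   # constructed
        naive = os.path.relpath(naive_path(files, user_file), webroot)
        try:
            safe_path(files, user_file)
            accepted = True
        except PermissionError:
            accepted = False
    return naive, accepted
```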
Path traversal: Nginx misconfiguration
Breaking Parser Logic
Orange@Black Hat
Arbitrary File Read
- Read arbitrary files on the server
- Backend source code, sensitive data, etc…
- fopen()
- file_get_contents()
- readfile()
- …
file_get_contents($_GET['page'])
/?page=/etc/passwd
/?page=index.php
Config files
- /etc/php/php.ini
- /etc/nginx/nginx.conf
- /etc/apache2/sites-available/000-default.conf
- /etc/apache2/apache2.conf
System information
- User information
  - /etc/passwd
  - /etc/shadow # usually requires root
- Process information
  - /proc/self/cwd # symbolic link to the cwd
  - /proc/self/exe # the currently running executable
  - /proc/self/environ # environment variables
  - /proc/self/fd/[num] # file descriptors
- /etc/hosts
- /proc/net/*
  - /proc/net/fib_trie
  - /proc/net/[tcp,udp]
  - /proc/net/route
  - /proc/net/arp
Local File Inclusion
- include any file on the server side
- require()
- require_once()
- include()
- include_once()
include($_GET['module']);
/?module=phpinfo.php
Parsed 🤔
/?module=php://filter/convert.base64-encode/resource=phpinfo.php
php://filter/read=convert.base64-encode/resource=phpinfo.php
php:// - Manual
- php://filter/ -> the wrapper
- read=convert.base64-encode/ -> the filter chain; the prefix can be <empty>, read= or write=
  - List of Available Filters - Manual: string.rot13, convert.base64-encode, zlib.deflate / zlib.inflate, …
- resource=phpinfo.php -> Required; specifies the data you want to feed into the filter
Several filters can be chained together:
php://filter/read=convert.base64-encode/read=string.rot13/.../resource=phpinfo.php (filters run in this order)
LFI to RCE
- access.log / error.log is readable
- /proc/self/environ is readable
  - Put the payload in the User-Agent, then include it
- Control the session contents
  - PHP session contents are stored as files by default
  - include /tmp/sess_{session_name}
- session.upload_progress
  - session.upload_progress = on; # enabled by default
  - https://blog.orange.tw/2018/10/#session-tragedy
- phpinfo
  - https://insomniasec.com/downloads/publications/LFI+With+PHPInfo+Assistance.pdf
Injection
"The hacker's fill-in-the-blanks game"
"An everyday fill-in-the-blanks game"
- User input becomes part of a command, code, or query -> changes the program's intended behaviour
- Includes
  - Code injection
  - Command injection
  - SQL injection
  - Server side template injection
  - NoSQL injection
  - CRLF injection
  - ...
Basic Injection
"+system(Code Injection)+"
Simple Calculator
<?php
echo eval("return ".$_GET['expression'].";");
?>
/calc.php?expression=7*7
Simple Calculator
<?php
echo eval("return ".$_GET['expression'].";");
?>
/calc.php?expression=system("id")
Dangerous function
- PHP
- eval
- assert
- create_function // removed since PHP 8.0
- Python
- exec
- eval
- JavaScript
- eval
- (new Function(/* code */))()
- setTimeout / setInterval
Basic Injection
; $(Command) `Injection`
Cool Ping Service
<?php
system("ping -c 1 ".$_GET['ip']);
?>
Cool Ping Service
/?ip=127.0.0.1 -> ping -c 1 127.0.0.1
Cool Ping Service: Malicious
/?ip=127.0.0.1 ; ls -al -> Pwned!
Basic Tricks
- ping 127.0.0.1 ; id
  - ; -> ends the preceding command
- ping 127.0.0.1 | id
  - A|B -> pipes the output of A to B
- ping notexist || id
  - A||B -> if A succeeds, B is not executed
Basic Tricks: Command substitution
- cat meow.txt $(id)
- cat meow.txt `id`
- ping "$(id)"
ping "$(id)"
will expand to
ping 'uid=0(root) gid=0(root) groups=0(root)'
You don't really need Space
- cat<TAB>/flag
- cat</flag # Pipeable command
- {cat,/flag}
- cat$IFS/flag # IFS -> Input Field Separators
- X=$'cat\x20/flag'&&$X
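The "Cool Ping Service" written so that input can never become shell syntax, as an added example for these notes (not code from the slides): allowlist the value as an IP address and hand the shell nothing at all. The SLIDE_INPUTS list is constructed from the tricks above; run_ping is defined for completeness but nothing here executes ping.

```python
# Added example: argv-based command execution with allowlist validation, next to
# the string concatenation from the slide. Nothing is executed by the checks.
import ipaddress
import subprocess


def vulnerable_command(ip: str) -> str:
    """What system("ping -c 1 ".$_GET['ip']) hands to /bin/sh: input is shell text."""
    return "ping -c 1 " + ip


def build_ping_argv(ip: str) -> list:
    """Allowlist: the input must parse as an IPv4/IPv6 address. The return value is an
    argv list, so ';', '|', '$()', backticks and $IFS are never interpreted."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        raise ValueError(f"rejected: {ip!r} is not an IP address") from None
    return ["ping", "-c", "1", str(addr)]


def run_ping(ip: str) -> subprocess.CompletedProcess:
    """Run ping without shell=True; the validated argv goes straight to execve."""
    return subprocess.run(build_ping_argv(ip), capture_output=True, text=True, timeout=5)


def rejected(inputs) -> list:
    """Return the inputs that build_ping_argv refuses."""
    out = []
    for s in inputs:
        try:
            build_ping_argv(s)
        except ValueError:
            out.append(s)
    return out


# Constructed inputs: the injection strings shown in the Basic Tricks slides.
SLIDE_INPUTS = ["127.0.0.1 ; ls -al", "127.0.0.1 | id", "notexist || id",
                '"$(id)"', "127.0.0.1$IFS/flag"]
```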
Bypass Blacklist
"/home/USER"[0:1]
Lab: DNS Lookuper
Basic Injection: SQL
SELECT * from article
/articles
Data:
id | username | password | create_date
1  | iamuser  | 123456   | 2021/02/07
SQL Injection
Username: [        ]
Password: [        ]
[Login]
How is the SQL behind this written?
https://splitline.tw/admin
Username: notexist / Password: xxx -> Login
Username: admin / Password: p@55w0rd -> Login
Username: admin' or 1=1-- -> Login
SELECT * FROM admin WHERE username = 'admin' or 1=1 -- ' AND password = 'x'
- the ' after admin closes the single quote
- or 1=1 -> TRUE
- -- -> comment; the rest of the query is ignored
HACKED
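The login query above run against an in-memory SQLite table, as an added example for these notes (not code from the slides): the string-concatenated query beside the parameterized one, so the `admin' or 1=1--` input can be tried against both. The admin table and its row are constructed (password kept in plaintext only to mirror the slide).

```python
# Added example: string concatenation vs. a parameterized query for the slide's
# login check. Table contents are constructed; a real app would store a hash.
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO admin (username, password) VALUES ('admin', 'p@55w0rd')")
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by concatenation, like the slide: input becomes SQL syntax."""
    sql = ("SELECT * FROM admin WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_safe(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: values travel separately, so ' and -- are only data."""
    sql = "SELECT * FROM admin WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None
```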
Lab: Let me in!
Homework
- 4 + 1 Homeworks
- Completing the Lab + four homework assignments gives full marks (1000 points)
- If you want to climb the ranking(?), you can solve all five
- Backend frameworks / languages you may encounter
  - PHP
  - Python
  - Golang
  - Node.js
  - ...