2008 pdf Copyright 2008 2008
SQL DNS
SQL
1 SQL 1.1 SQL 1.2 : 1.3 SQL 1.4 SQL
1.1 SQL
1.1 SQL
SQL
1.2 : About Search Login Shopping Site C 200 Windows 10
img img ul li li li About Search Login div Shopping Site img DB
About Search Login Shopping Site C
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html lang="ja">
<head>
<title>welcome to C shopping site</title>
<link rel="stylesheet" href="style.css" TYPE="text/css">
<script src="http://othersite.example.net/3.js"></script>
</head>
HTML
1: 2: 3:
1: DB (port 25) (port 80/443)? ( 1) DB
2? ( 2) DB
3: SQL SQL ( 3) DB
/shop/cart/?no=... %20SELECT%20... %20FROM%20... %20WHERE%20... %20HAVING%20...
(...)
/shop/cart/?no=... %20SELECT%20... %20FROM%20... %20WHERE%20... %20ORDER%20...
SQL SQL UPDATE pages SET "created_at" = '2006-09-05 16:19:46', "template" = 'toppage.tmpl', "verified" = 1, "role" = NULL, "published" = 0, contents= <html><head>... SQL
... EXECUTE xp_cmdshell echo ( SELECT... FROM... )...... EXECUTE xp_cmdshell echo ( SELECT... FROM... )... OS
About XXXX/XX XX/XX Shopping Site WAF
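What was happening
About Search Login Shopping Site
[Access over HTTP] /shop/cart/?no=... %20SELECT%20.. Malicious attacker
[Access over SQL] SELECT... FROM... WHERE... Web application Database
The website had an SQL injection vulnerability, and that was what was attacked.
Through SQL injection, web pages were tampered with in a way that left no trace in the shopping cart system's logs.
In addition, OS commands could have been executed, resulting in an information leak.
Copyright 2008 Information-technology Promotion Agency, Japan (IPA), FY2008 Information Security Seminar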
SQL SQL
1.3 SQL 4 (CRUD)
SQL
1.4 SQL
2 (Prepared Statement) Perl DBI quote() PHP dbx_escape_string() s/'/''/g;
DB
SQL prepare
SQL
SQL error with query SELECT a.name, a.displname, a.passwd, a.expire_date, a.create_date, a.misc FROM account as a WHERE a.category=7 ORDER BY c.date: Can't open file: account.myd'. (errno: 145) SQL SQL SQL &
Microsoft IIS 6 ASP ASP
PHP 5 (php.ini) display_errors=off HTML display_startup_errors=off ; PHP HTML error_reporting ; log_errors ;
sa (System Administrator) dba (Database Administrator)
DB
ilogscanner 47 SQL 0 IP ilogscanner http://www.ipa.go.jp/security/vuln/ilogscanner/index.html
SQL SQL OS
SQL SQL
2
2 2.1 2.2 2.3
2.1 H HTTPS
H H * H
SECURITY TOKEN 014568 SECURITY TOKEN 014568
H : H 32 inch TV : 100,000
xxxxxxxxxx ID URL
xxxxxxxxxx ID
HTML * HTML
" " " "
SQL SQL
Cookie * ID
2.2 xxxxxxxxxx xxxxxxxxxx
2.2 ><script>alert( test );</script> xxxxxxxxxx xxxxxxxxxx
XSS
2.3 HTML URL
2.3 HTML HTML
HTML/ HTML
URL HTML/ URL URL URL : URL http:// https:// data: javascript:
HTML/ : <script> </script> <script src=" ">
HTML/ expression() :
HTML/ scr ipt
HTML/
HTML / html head title body table p script meta link thead tbody a font
HTML / <script> <xscript> javascript: xjavascript: java script: javascript:
/ Content-Type: Content-Type: text/html; charset=euc-jp meta <meta http-equiv="content-type" content="text/html; charset=euc-jp">
: Struts(Java), Smarty(PHP), Ruby on Rails
3 http://www.ipa.go.jp/security/vuln/websecurity.html
DNS
3 DNS 3.1 DNS 3.2 : 3.3 3.4 3.5 DNS 3.6 LAME delegation
3.1 DNS DNS (Domain Name System) ( :www.example.jp) IP ( :192.168.0.1) DNS (JP JPRS) JPRS) DNS URL http://www.example.jp Windows 192.168.0.1
3.2 : M 500 ISMS P (IPS) 24
IPS v IPS WEB DB DNS MAIL M (IDC)
G website
ISP
G
website
<div class="maincontent"> /* start - topic area */
<div class="topic" id="topic_xxxx">
<p> </p>
<p> </p>
<p> </p>
<p> </p>
</div>
</div>
www: tail -f /var/log/apache/access_log
[~/work] DB?
website !
IP IP!
C:\WINDOWS>nslookup www.m.example.jp
Server: mobile.isp.example.com
Address: 10.1.1.1
www.m.example.jp IP
Non-authoritative answer:
Name: www.m.example.jp
Addresses: 192.168.0.2 192.168.0.3 172.16.44.193
C:\WINDOWS>nslookup -type=ns m.example.jp
Server: mobile.isp.example.com
Address: 10.1.1.1
Non-authoritative answer:
m.example.jp nameserver = ns.m.example.jp
m.example.jp nameserver = ns-itaku.server.test
!
3.3 DNS DNS DNS DNS ( )
DNS (Authoritative NS) DNS (.JP JPRS ) m.example.jp DNS ns.m.example.jp ns2.m.example.jp foobar.example.jp DNS ns.foobar.example.jp ns.extend.example.jp
DNS who@m.example.jp www.m.example.net 192.168.1.2 192.168.1.4 IP DNS 192.168.0.1 IP DNS 172.16.44.193 www.m.example.net 172.16.44.193 172.16.44.193 192.168.0.4 172.16.44.193 DNS
DNS
: / ( ) ( ) = HTTP/HTTPS : http://www.ipa.go.jp/security/fy19/reports/sequential/index.html
3.4 : DNS 2 DNS DNS DNS
DNS DNS http://www.example.jp www.example.jp 192.168.0.2 WWW.EXAMPLE.JP. A.DNS.JP. WWW.EXAMPLE.JP. NS.EXAMPLE.JP. WWW.EXAMPLE.JP. 192.168.0.2 DNS DNS 13 A.DNS.JP JP5 NS.EXAMPLE.JP example.jp. DNS DNS DNS DNS (JP ) JPRS DNS
3.5 DNS: (example.jp exmaple.jp) ns.exmaple.net root-servers.net dns.jp ns.example.net example.jp ns.exmaple.jp ns2.example.jp ns2.example.net LAME Delegation
LAME delegation LAME delegation DNS (Authority) 1. DNS / 2. Non-authoritative answer 3.
DNS DNS ns.exmaple.net root-servers.net dns.jp ns.example.net example.jp ns.exmaple.jp ns2.example.jp ns2.example.net EXMAPLE.NET DNS
SSL
3.6 LAME delegation DNS DNS DNS DNSDNS DNS ( ) NS
DNS(1) DNS whois DNS whois DNS IP nslookup NS NS OK : DNS (IPA) http://www.ipa.go.jp/security/vuln/20050627_dns.html
DNS(2) DNS Bajaj ( http://www.zonecut.net/dns/ )
2 /Authoritative /Non-authoritative
DNS DNS DNS DNS DNS DNS DNS TCP 53/udp 53/tcp DNS EDNS0 TTL (30)
DNS LAME delegation DNSLAME Delegation DNS
IPA DNS http://www.ipa.go.jp/security/vuln/20050627_dns.html
IPA http://www.ipa.go.jp/security/fy19/reports/sequential/index.html
JPRS DNS http://jprs.jp/tech/
JPNIC http://www.nic.ad.jp/ja/dns/lame/announce.html