<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah = $ENV{'QUERY_STRING'}; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>if($blah =~ m/[^a-zA-Z0-9\.\-_]/){ die "bad
characters, only allowed a-zA-Z0-9 . - and _\n"; } </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>print `cat $blah`; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Ok, enough with the background info. Let's learn
how to break these things, shall we? </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>-- </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>My Exploiting Filters Process: </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>The way I do it is to first look for common
mistakes in filters. I don't even really think about what should or
shouldn't be allowed in. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>I first see if they are filtering bad input or
only allowing good input. If it is only allowing good input then my
testing will most likely be short. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>I will see what I can do with the allowed
characters, most likely not much. Then I will go over the rest of the
script and see if anything particular can be harmed with any of the
allowed characters. These are mostly design flaws which the filters allow
to be exploited. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>If they are filtering bad input, then things get a
bit more fun =) </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Before even looking at what the script does I will
see if they forgot any of the basics: </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Did they forget any bad characters? </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Can the filter be evaded with character insertion?
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Do they filter in the correct order? </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Did they forget to filter any user input?
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>I make notes of any possible problems and then I
go look over what the script does in detail. After I look over the design
of the script I look for specific calls which can be abused. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>I then go back to the filters and see if any combo
of allowed characters can abuse these calls. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>If nothing pops up at me I'll go sit and think
about ways to evade the filter. Sometimes I'll have to do a lot of testing
in order to see how the filter works in certain situations and if anything
can be slipped by. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>I've learned a lot from testing filters for holes
when I was new to perl auditing. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Just brainstorming about possible ways to defeat
filters is about the best advice I can give. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>It is also a very good idea to know a lot about the
other factors at play. Many times you can find a little/unknown feature in
something which the script does not filter for. If the programmer didn't
know a character did something then they will probably not filter for it.
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>-- </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Actually Exploiting Filters: </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>This will hopefully be the bulk of the lecture,
and where you learn the most important bits of information. This is in no
way a complete list or anything, I hope some of you find new methods of
evading filters and share them with me ( b0iler@hotmail.com )
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>I do not wish to feed the script kiddies out there
by giving away exact ways to exploit filters, but it's a necessary evil
in order for others to learn security. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>I'll start with directory traversal filters. The
basics being these: </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah =~ s/\.\.//g; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah =~ s/\.\.\///g; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah =~ s/\.//g; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah =~ s/[^\w\._\-]//g; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>There are more, but these are a few of them. The
first one filters for the string '..', so to evade this one you can do
something like: </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah = '.\./'; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Which will get by the filter and still go back a
directory. This trick also works for the next one, which filters for '../'
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>But this one has another problem. It takes out any
string that matches '../' this means 'ab../cd' would turn into 'abcd' and
something like: </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah = '.../...//'; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Now after the filter removes any '../' from $blah,
it becomes '../'. So to fix this we need to add a loop to the filter, deny
user input, or not replace the string with nothing. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>A loop example would be: </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>while($blah =~ /\.\.\//){ $blah =~ s/\.\.\///; }
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Denying user input example: </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>if($blah =~ /\.\.\//){ die "illegal string in
input.\n"; } </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Replacing the string with something example:
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah =~ s/\.\.\//_/g; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>All these would stop the '.../...//' attack. The
last one would turn '.../...//' into '._._/' </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Now the 3rd filter works well for getting rid of
any reverse directory traversals ('../'), but it cannot be used if the
'.' is needed for input. There isn't really any way around this unless you
specify a full pathname starting at root, e.g. '/etc/passwd', which has no
'.' in it. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>The 4th is the best of these filters, it is
only allowing what we know is good. No surprises that we didn't think of
can get in there. It might be a good idea to also filter for '..' with
this one just in case. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Let's move on from directory traversal filters
and discuss the main techniques used in defeating filters. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>+Complete lack of filters </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>This is a pretty obvious way of getting past
filters, if they don't exist they cannot stop you. ;) </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Many times programmers who have no clue about security
don't put any filters in, or they forget one or two needed filters.
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Always take the time to think about everything the
user inputs and whether you should filter it or not. When in doubt I would
say filter at least for the allowed characters just to be safe.
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>+Filters that forget characters </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>This is close to the forgetting filters one, but
this time the programmer was trying to be secure, but forgot a key
string/character. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Most of the time it is because the programmer does
not know that the string they missed can be used to cause damage.
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>For instance, a newbie linux user might not know
that && can be used to issue additional commands. So they forget
this filter even when filtering for | and ; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>sorry, *nix user </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>print `cat /etc/passwd && less
/etc/hosts`; #to demonstrate how multiple commands can be used with
&& </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>In order to deal with any type of shell commands I
would suggest being an expert in the shell, learning a lot about the
different ways perl can open a shell, and filtering really well (only
allowing what is good). </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Check my paper:
http://b0iler.eyeonsecurity.net/tutorials/hackingcgi.htm for more examples
of this technique. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>+Filters that are in the wrong order </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>It is a good idea to take time out and think of
what order your filters should come in. If you filter something in the
wrong order problems can occur. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>The most widely available example of this would be
something like: </FONT></TD></TR>
<TR>