perlfilterlecture.html
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah =~ s/aa//g; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
hex($1))/eg; #convert url encoding to ascii </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>A way to defeat this 'aa' filter would be to URL
encode your 'aa' as '%61%61'. This next filtering problem is almost the
same as this one. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>+Filters that filter previous filters
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>This is a strange one I found pretty early in my
perl journey. This one is similar to the '.../...//' trick described
earlier. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>What happens is that one filter is looking for a
string, and another filter changes the string later. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>So an attacker can get a string to pass the first
filter, and then have the next filter(s) change the string into a
dangerous one. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>An example is easier to follow: </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah =~ s/<!--(.|\n)*-->//g; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah =~ s/javascript//ig; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Above we have the most commonly used filter to
prevent SSI and a filter for 'javascript'. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>The way to get around this filter is to use the
'javascript' filter in order to change a string into SSI. So if:
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah = '<javascript!-- #exec cmd="rm -rf
/home/you/www" -->'; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Then $blah will pass the first filter without
getting changed, and then be turned into '<!-- #exec cmd="rm -rf
/home/you/www" -->' which is a bad string, and would have been filtered
by the first filter. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>This technique can also be used with only one
filter. You've already seen this in the '.../...//' example I talked
about. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>+Multiple input variables forgotten in the
filters </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>This technique is more used on the output side of
things (html, flat databases, etc..), or when dealing with filepaths. But
I've seen it turn up in odd places, so keep an eye open for it.
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>The deal with this problem is that your filters
may work perfectly; they may filter out every possible bad string, and any
of the other techniques used to evade them are stopped. But when the bad
string is split between two variables your filters do not find it. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Here is an example with filepaths (pretend all
directory traversal is stopped): </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah =~ s/\.\./; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>erm </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah =~ s/\.\.//; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$file =~ s/\.\.//; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>open(FILE, "/home/user/${blah}$file");
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>If $blah = '.'; and $file = './anotheruser/file';
the whole filename becomes: '/home/user/../anotheruser/file' </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>This problem is seen a lot when filters try
stopping SSI or cross site scripting. If two variables are printed to
HTML, then you need to make sure they aren't evading your filters.
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>A fairly hard problem to fix indeed. Perhaps
putting all output into one variable and then filtering the output is the
best solution. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>-- </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>That's pretty much it for the lecture, I will just
throw in one more evasion technique for a poor perl filter that is used all
the time. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah =~ s/<!--(.|\n)*-->//g; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>I've already said that this filter is used to stop
SSI. But from my testing there is a way around this filter. That is if:
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>$blah = '<!-- #exec cmd="rm -rf /home/you/www"
- ->'; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Notice the space in '- ->' at the end.
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Now $blah will pass the filter and still get
parsed by SSI. At least from my testing; if you can, please try this on your
box and email me if '- ->' works (try it with include, not exec, as you
might have exec disabled). </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>These types of attacks, where characters are
inserted, can be a big problem if you don't know all the variables of the
system and the details of how they work. Also you can find new ways to
exploit very common filters this way, so experiment a lot with what is and
what isn't possible. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>-- </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Now time for discussion, I will try to answer any
questions (if you have any) or help you better understand anything. This
part might be edited in the log posted to the bsrf website. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>Please try to refrain from talking unless you have
a question or are adding to the discussion. Do not talk about other
things which aren't regarding perl filters. </FONT></TD></TR>
<TR>
<TD> </TD>
<TD> </TD></TR>
<TR>
<TD colSpan=2><FONT color=#ffffff>--- b0iler sets modes [#bsrf -m]
</FONT></TD></TR>
<TR>
<TD> </TD>
<TD> </TD></TR>
<TR>
<TD><FONT color=#ffffff><Strider></FONT></TD>
<TD><FONT color=#ffffff>nice lec b0iler =) </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>no questions worry me. either it was good or people
don't care much. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><luCky></FONT></TD>
<TD><FONT color=#ffffff>is this gonna be on a website </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>luCky: yes it will be on
http://b0iler.eyeonsecurity.net tonight and maybe http://blacksun.box.sk
if they upload it </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><Vegas></FONT></TD>
<TD><FONT color=#ffffff>b0iler YOU ARE A FUCKING BASTARD </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><Vegas></FONT></TD>
<TD><FONT color=#ffffff>pvt now </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><dksk8></FONT></TD>
<TD><FONT color=#ffffff>lol </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><Strider></FONT></TD>
<TD><FONT color=#ffffff>LMAO! </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><Strider></FONT></TD>
<TD><FONT color=#ffffff>rofl </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><dksk8></FONT></TD>
<TD><FONT color=#ffffff>roflmao </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><dksk8></FONT></TD>
<TD><FONT color=#ffffff>no questions just <Vegas> b0iler YOU ARE A
FUCKING BASTARD </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff>To conclude the lecture I would like to comment on
how obese cyrus is. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff><yank> Cyrus: eat a duck. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff><yank> I mean dick. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff><b0iler></FONT></TD>
<TD><FONT color=#ffffff><b0iler> he'll eat both. and then a chicken.
</FONT></TD></TR></TBODY></TABLE><BR><BR>About 4 hours after my lecture I reread
it and noticed that I had completely forgotten to mention a couple of things which
my "Hacking CGI - Security and Exploitation" paper covers. The first is that Perl's
regex quantifiers are greedy by default (what I called "globbing" in the paper):
.* grabs as much as it can, so a pattern like <script>(.*)<\/script> matches from
the FIRST <script> in the string to the LAST </script>, swallowing everything in
between, including any other tags. This is dangerous whenever you are trying to
rewrite a string that can contain the pattern more than once. Read the paper for a
better explanation, but here is a quick example: <BR><BR>$blah = '<script><script>alert("this is not
filtered well");</script></script>';<BR>$blah =~
s/<script>(.*)<\/script>/[script]$1[\/script]/ig; <BR><BR>The s/// finds the first
<script>, lets .* run to the end of the string and then backtracks until it finds
the last </script>. Only those two are replaced with the []'s; the middle pair is
left untouched, so $blah becomes:<BR><BR>[script]<script>alert("this is not filtered
well");</script>[/script] <BR><BR>The other is quite simple: the assumption that .*
will match any character, which is what many scripts seem to think. In Perl, . matches
any character except a newline, unless the /s modifier is given or the newline is
matched explicitly (as the (.|\n)* in the SSI filter above does). This means trouble
for things like: <BR><BR>$blah = "<script\n>alert('unfiltered');</script\n>";<BR>$blah =~
s/<(.*)>/[$1]/g; <BR><BR>This matches the first <, then .* matches "script" but stops
at the newline before the closing >, so the pattern does not match anywhere, the
filter does nothing, and the HTML tags still work (at least in the browsers I
tested), since a newline is allowed inside a tag. <BR><BR>If you find any more
problems in perl filters please email me about them with a clear description and
some examples. b0iler@hotmail.com <BR><BR><BR><FONT color=#ffffff><B>[-----]</B> <BR><BR><A
href="http://b0iler.eyeonsecurity.net/">http://b0iler.eyeonsecurity.net/</A>
- is my homepage <BR><BR>I have tons of tutorials, mini-tutorials, advisories,
and code written by me there. Come check out what I'm up to and possibly
learn a bit. This lecture was originally given for http://blacksun.box.sk
but anyone has permission to mirror it as long as it is mirrored in whole and
proper credit is given to the author. Also a link to
http://b0iler.eyeonsecurity.net would be nice. <BR><BR><B>[-----]</B> </FONT></FONT></BODY></HTML>
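The two pitfalls from the addendum (greedy .* and . not matching a newline) and the lecture's "filters that filter previous filters" pair (the SSI comment filter followed by the 'javascript' filter), side by side with the fix the lecture only hints at, as an added runnable Perl example. This is not code from the lecture or from b0iler's paper: the function names, the attacker strings and the html_escape routine are constructed here for illustration, and html_escape is the generic escape-on-output approach rather than anything the lecture proposes.

```perl
#!/usr/bin/perl
# Added example, not from the lecture: why the blacklist filters shown in the
# lecture fail (greedy quantifiers, '.' vs newline, filter ordering) and what
# to do instead (escape on output). All inputs below are constructed.
use strict;
use warnings;

# Addendum filter: greedy .* runs from the FIRST <script> to the LAST </script>,
# so with nested tags the inner pair is copied through untouched.
sub greedy_script_filter {
    my ($s) = @_;
    $s =~ s{<script>(.*)</script>}{[script]${1}[/script]}ig;
    return $s;
}

# Non-greedy .*? with /s fixes the span, but one pass still leaves a <script>
# behind once the input nests; repeating until nothing changes closes that.
sub nongreedy_script_filter {
    my ($s) = @_;
    1 while $s =~ s{<script>(.*?)</script>}{[script]${1}[/script]}igs;
    return $s;
}

# Addendum tag filter: '.' does not match "\n" without /s, so "<script\n>"
# never matches and the tag reaches the browser intact.
sub tag_filter_no_s {
    my ($s) = @_;
    $s =~ s/<(.*)>/[$1]/g;
    return $s;
}

# Same filter with /s, and non-greedy so two tags on one line are not merged.
sub tag_filter_with_s {
    my ($s) = @_;
    $s =~ s/<(.*?)>/[$1]/gs;
    return $s;
}

# Lecture's order-dependent pair: the comment filter runs first, then the
# 'javascript' filter manufactures the '<!--' the first one was meant to stop.
sub ordered_blacklist {
    my ($s) = @_;
    $s =~ s/<!--(.|\n)*-->//g;
    $s =~ s/javascript//ig;
    return $s;
}

# Hardened form (assumed fix, not from the lecture): do not look for bad strings
# at all; escape the characters that carry meaning in HTML. Escaped output can
# contain neither a tag nor an SSI directive, whatever order the filters run in.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Constructed attacker inputs modelled on the lecture and the addendum.
my $nested  = '<script><script>alert("not filtered well");</script></script>';
my $newline = "<script\n>alert('unfiltered');</script\n>";
my $reorder = '<javascript!--#include virtual="/etc/passwd" -->';

for my $case (
    [ 'greedy .*',                 greedy_script_filter($nested)    ],
    [ 'non-greedy, to fixed point', nongreedy_script_filter($nested) ],
    [ 'no /s',                     tag_filter_no_s($newline)        ],
    [ 'with /s',                   tag_filter_with_s($newline)      ],
    [ 'ordered blacklist',         ordered_blacklist($reorder)      ],
    [ 'html_escape',               html_escape($reorder)            ],
) {
    my ( $label, $out ) = @$case;
    $out =~ s/\n/\\n/g;    # show embedded newlines literally
    print "$label => $out\n";
}
```

Run with `perl filters.pl`. The greedy case prints `[script]<script>alert("not filtered well");</script>[/script]`, the inner tags intact; the fixed-point case brackets both pairs. The no-/s case prints the input unchanged, while the /s case gives `[script\n]alert('unfiltered');[/script\n]`. The ordered blacklist turns `<javascript!--#include ...-->` into a live `<!--#include virtual="/etc/passwd" -->`; swapping the two substitutions would stop that one string but not the next trick of the same kind, whereas html_escape leaves `&lt;javascript!--#include virtual=&quot;/etc/passwd&quot; --&gt;`, which no browser or SSI parser will act on. Note also that the lecture's `<!--(.|\n)*-->` is greedy too, so on a page containing two separate comments it strips everything between the first `<!--` and the last `-->`, legitimate text included.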