(Huang Min) Practical Experience in Secure Coding

1. PHP 2016/5/11
2. If you can't explain it simply, you don't understand it. Know it, then hack it!
5. 1.1 C Linux 64 Linux 64
6. 1.2 Linux 64
7. 1.3 Linux 64
8. 1.4 Linux 64 gcc -g overflow.c -z execstack -fno-stack-protector -o overflow.o && ./
10. func()
11. func() RIP
13. Linux 64 randomize_va_space
14. Linux 64 PHP PHP shellcode
15. Linux 64 shellcode
16. Linux 64 shellcode
17. 64 • 32 • 64 Linux Linux JMP ESP, JMP EBP printf() system() .text shellcode 64 0day 0day
18. 1.5 root
19. 1.6
20. -
21. 1.7 CDN IP - CDN NS IP IP
22. IP - CDN
23. IP - CDN
24. IP - CDN • SMTP IP TCP CDN CDN IP
26. 2.1
27. 2.2 Nginx+PHP+MySQL CC
28. 2.3 CC IP (Qps) IO IO CPU IO fsocketopen() fopen() mysql_connect() memcached_connect(), curl() ... IO error_log(), fileexists() is_file() is_dir() file_put_contents() ... CPU GD GD iconv() MySQL SLEEP
29. 2.4 SQL
30. SQL
31. 2.5 SQL GBK GBK %e5%5c -> %e5%5c%5c SELECT * FROM `user` WHERE username=' \'
32. 2.6 username='lisi\'' WHERE usname='lisi''
33. 2.7 substr() SELECT * FROM `user` WHERE username='0123456789012345678901234567 891\
34. SQL UTF-8 mb_xxx()
35. shell web eval, passthru, exec, system, chroot, scandir, chgrp, chown, shell_exec, proc_open, proc_get_status, ini_alter, ini_restore, dl, pfsockopen, openlog, syslog, readlink, symlink, popen, stream_socket_server
36. • extract() register_globals • eval() • preg_replace() /e PHP7 preg_replace_callback() dz
37. 2.8 $filename GAME OVER 123.php%00.jpg 123.asa IIS ../../static/common.js
38. 2.9 php version < 5.3.4 include $var;
39. 2.10 xxx.php <?php exit; ?> IO <?php xxx ?> discuz
40. 2.11 GPC GPC S S $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; mysql_query("INSERT INTO `user` SET regip='$ip'"); $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; $arr = array_filter(explode(',', $ip)); $ip = end($arr); $ip = long2ip(ip2long($ip));
41. 2.12 PHP
42. 2.13 C PHP JS C 'a' == 0 0x61 >0 PHP intval()
43. XSS
44. 2.14 wooyun felixk3y
45. ICC https://**.**.**.**/5107/upload/uploadFlash.php http://**.**.**.**/5107/upload/uploadFlash.php
46. Web Server Apache nginx 123.php.xxx 123.jpg/123.php php php PHP get_magic_quotes_gpc() 5.4.0 register_globals PHP 5.4 FALSE
47. 2.15 XSS HTML <>"& <img src="<?php echo $user['avatar_url'];?>"> 1.jpg" onload="alert(123) <img src="1.jpg"onload="alert(123)" > $avatar_url = htmlspecialchars($_GET['avatar_url']); mysql_query("INSERT INTO xxx SET avatar_url='$avatar_url'"); $avatar_url = htmlspecialchars($_GET['avatar_url']);
48. XSS URL cookie cookie GET POST GET POST HTTPONLY XSS
49. HTML <script> HTML onload onerror XSS tagname attrname attrvalue, css HTML XML_HTMLSax3 https://github.com/xiuno/xiunobbs/blob/master/xiunophp/xn_html_safe.func.php PHP7 Xiuno BBS
50. HTML CSS
51. 2.16 XSS
52. &
53. 3.1
54. 3.2 FTP SSH SNS QQ QQ
55. 3.3 ZhangXiaoJun 19901210 18612345678 zxj1990 zxj19901210 zxj1210 Zxj1990 zhangxiaojun1990 zhangxiaojun1210 zhang1990 zhang18612345678 12345678zhang zxj18612345678 [email protected] [email protected] [email protected] zxj12345678 12345678zxj
56. 3.4