# Web Security

SQLab 2023

Author: Sean 韋詠祥

<br>

###### Slide: https://hackmd.io/@Sean64/sec-sqlab2023

Note:
Date: 2023-06-07 (Wed)
Session time: 10:30 - 12:00

10:30 Opening
10:35 filter
10:40 Lab: My Blog
10:50 x-fwd
10:55 Lab: Cloud Drive
11:05 off-by-slash
11:10 Lab: Dynamic Pricing
11:20 Lab Demo
11:25 XXE
11:30 Lab: Import Blog Post
11:35 SSTI
11:45 Lab: WIP
11:55 PP
12:00 Lunch

----

## About Me

- Sean Wei 韋詠祥

![](https://i.imgur.com/MWUuh5D.png)

Note:
- Security tester at NCTU (交大), Hsinchu-Miaoli regional network center
- Offensive operator for the Executive Yuan, government vulnerability scanning
- CEH (technical), (ISC)² CC (management)

----

## Outline

- `php://filter`
- X-Forwarded-For
- NginX off-by-slash
- XML External Entity Injection
- Template Injection
- Prototype Pollution

---

# `php://filter`

Note:
Week 1 p108
https://github.com/splitline/How-to-Hack-Websites/blob/master/slides/week/week1.pdf

----

## What is the `php://` wrapper

- Accessing various I/O streams
- `php://stdin`, `php://stdout`, `php://stderr`
- `php://input`, `php://output`
- `php://filter`
- `php://memory`, `php://temp`, `php://fd`

Note:
https://www.php.net/manual/en/wrappers.php.php

----

## Parameters of `php://filter`

- `/resource=index.php`
- `/read=string.rot13`
- `/read=convert.base64-encode`
- `/write=zlib.deflate`

----

## Example

- `php://filter/read=string.rot13/resource=https://sean.cat/`

----

## Lab: My Blog

![](https://hackmd.io/_uploads/HkT5MWfIn.png =x480)

Note:
https://ctf.sean.cat/filter/

---

# X-Forwarded-For

How to get the user's IP address?

Note:
https://devco.re/blog/2014/06/19/client-ip-detection/

----

## StackOverflow?

![](https://hackmd.io/_uploads/SJkeBaG8h.png =x480)

----

## And ChatGPT

![](https://hackmd.io/_uploads/H1zQITGU3.png =x480)

----

## What are those variables

- REMOTE_ADDR
- HTTP X-Forwarded-For
- HTTP Client-IP

----

## Lab: Cloud Drive

![](https://hackmd.io/_uploads/BJmWM0fU2.png =x480)

Note:
https://ctf.sean.cat/ip-addr

----

## CF-Connecting-IP

- Cloudflare CDN
- NginX: set_real_ip_from, real_ip_header

---

# NginX off-by-slash

Note:
Week 1 p101

----

## Recap: Path Traversal

![](https://hackmd.io/_uploads/SyOVrWzUh.png)

----

## NginX Config

![](https://hackmd.io/_uploads/BybjUZMI3.png =x480)

----

## Off-by-slash

![](https://hackmd.io/_uploads/r1a1OzfLn.png =x480)

Note:
Breaking Parser Logic, Orange @ Black Hat
https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf

----

## Lab: Dynamic Pricing

![](https://hackmd.io/_uploads/rkfEdGzLh.png =x480)

Note:
https://ctf.sean.cat/slash.php

---

# XXE

XML External Entity Injection

----

## XML Syntax

```xml
<?xml version="1.0" encoding="UTF-8"?>
<article>
  <title>我的第一篇文章!</title>
  <summary>這是我人生中的第一篇部落格文章!我感到非常興奮</summary>
</article>
```

----

## XML Custom Entity

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE post [
  <!ENTITY title "我的第一篇文章!">
]>
<article>
  <title>&title;</title>
  <summary>這是我人生中的第一篇部落格文章!我感到非常興奮</summary>
</article>
```

Note:
https://portswigger.net/web-security/xxe/xml-entities

----

## XML External Entity

It could be an external link:

```xml
<!DOCTYPE xxe [
  <!ENTITY ext SYSTEM "http://cs.sean.cat/" >
]>
```

And it could be a local file:

```xml
<!DOCTYPE xxe [
  <!ENTITY ext SYSTEM "file:///etc/passwd" >
]>
```

----

## Lab: Import Blog Post

![](https://hackmd.io/_uploads/HyZHUm7In.png =x480)

Note:
https://ctf.sean.cat/xxe/

---

# Template Injection

Note:
Week 3 p190
https://github.com/splitline/How-to-Hack-Websites/blob/master/slides/week/week3.pdf

----

## Slide

Refer to https://img.sean.taipei/2023/06/web-sec.pdf

<br>

Full version: https://github.com/splitline/How-to-Hack-Websites/blob/master/slides/week/week3.pdf

----

## Lab: WIP

----

# Prototype Pollution

Note:
Week 3 p172

---

## Reference

- [splitline/How-to-Hack-Websites](https://github.com/splitline/How-to-Hack-Websites)

----

# Q&A

Slide link: https://hackmd.io/@Sean64/sec-sqlab2023
<!-- .element: class="r-fit-text" -->

<br>

[![CC-BY 4.0](https://mirrors.creativecommons.org/presskit/buttons/88x31/png/by.png)](https://creativecommons.org/licenses/by/4.0/deed.zh_TW)

###### These slides are licensed for public use under [Creative Commons Attribution (CC BY)](https://creativecommons.org/licenses/by/4.0/deed.zh_TW); the source and speaker notes are available at [this link](https://hackmd.io/@Sean64/sec-sqlab2023/edit).
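----

## Appendix: trusting X-Forwarded-For safely

As an added illustration of the Cloud Drive lab's point (this is example code, not code from the slides or the lab), here is the spoofable REMOTE_ADDR / X-Forwarded-For lookup beside a hardened version that honours the header only when the TCP peer is on a configured proxy list, the same idea as NginX's set_real_ip_from. The proxy ranges and addresses are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed trusted-proxy list for this example (assumed values, not the
# lab's). Only connections from these networks may set a client-IP header.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def _is_trusted(addr: str) -> bool:
    try:
        return any(ipaddress.ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:  # not a valid IP literal
        return False


def naive_client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """The spoofable pattern: believe the first X-Forwarded-For entry."""
    if x_forwarded_for:
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Hardened lookup.

    remote_addr is the TCP peer (REMOTE_ADDR), which a request header cannot
    change. X-Forwarded-For is honoured only when that peer is a trusted proxy,
    and then it is walked from the right: each trusted hop is skipped and the
    first address not under our control is the client.
    """
    if not x_forwarded_for or not _is_trusted(remote_addr):
        return remote_addr  # direct client, or an untrusted peer sending a header
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue  # one of our own proxies; keep walking left
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return remote_addr  # malformed value where a proxy writes: distrust the chain
    return remote_addr  # every hop is ours; the peer proxy is the best we know
```

The same rule applies to CF-Connecting-IP: accept it only from Cloudflare's published ranges, never from an arbitrary peer.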