Security Seminar


Post on 02-Jan-2016



Security Seminar
SPARCS 10 wiki

Security for who?
Security for
Developers
Vulnerabilities in
In Web
In System
Administrators - Wheel !
System-Level Settings
Log Analysis

Vulnerabilities
Web Vulnerabilities
SQL Injection
Cross-Site Scripting

System Vulnerabilities
Stack Overflow
Format String Bug
Heap Overflow

SQL Injection

SQL Query

select * from user where id='$id' and pw='$pw'

id pw user table

select * from user where id='asdf' and pw='1234'

SQL Injection

select * from user where id='$id' and pw='$pw'

$pw = ' or 1=1# ?

SQL Injection

select * from user where id='asdf' and pw='' or 1=1#'

And or where true

admin

or 1=1 and id id#

SQL Injection

select 1 union select 3 -> 1 3

Union .

SQL Injection

if (mysql_query("select key from users where id='$id' and password='$pw'") == "hello")

$pw = ' union select 'hello'#

Query .

Solution
Quotes
Select
Union
SQL-Injection Library

Cross-Site Scripting

open

Stack Overflow

Stack overflow

System Hacking

Buffer Checking

Setuid bit
rwx ,

Setuid

$ find / -perm -4000 2>/dev/null

Buffer Overflow
Buffer

Setuid Stack Structure

Vulnerable Functions
strcpy(dest, src)

Src dest ,

Return addr

Stack Overflow
Local Variable Shellcode Opcode

Shellcode Local Variable Address Return Addr Overwrite

Solution
Plan A -_-;
ASLR
Address space layout randomization
Offset Exploit
Non-executable Stack

Format String Bug
printf("1234%n", &i);

i String , 4

Vulnerable Code
printf(argv[1]);

Str format string format string

Payload Example
\x5c\xf9\xff\xbfAAAA\x5d\xf9\xff\xbfBBBB\x5e\xf9\xff\xbfCCCC\x5f\xf9\xff\xbf%c%c%c%c%128c%n%230c%n%126c%n%4c%n

Solution
printf(str) -> printf("%s", str)

Programmers Perspective
input input !

Safe Library

Questions?
synthdnb@gmail.com