Clever Tricks for Building School Cloud Services (tips for building third-party school service)
TRANSCRIPT
-
Tips for Building Third-Party School Service
-
Ma Sheng-Hao (aaaddress1, aka adr), TDOHacker Debug Guy
Speaker: TDOHConf 2016, HITCON CMT 2015, SITCON 2016, HITCON CMT 2016 Lightning Talk, BSidesLV, ICNC MC2015
C/C++, C#, VB, MASM, Python, Swift, Node.js, Java, Windows
cuteRansomware, Adr's FB
-
Sorry, Node.js
-
CoC O__Q
-
murmur
-
....
-
HTTP
-
User Application Browser Mobile Apps
HTTP
-
Browser
HTTP
1. 2. 3. 4.
5.
e.g. Chrome, Firefox, Safari
-
Browser
1. 2.
Cookie, Header, Body
HTTP
-
Browser
HTTP Traffic Analytics Browser (Static)
-
HTTP
-
1. 2.
-
HTTP
-
BOT
-
BOT
Application
POST/GET
-
Application -> School Server:
POST /Login HTTP/1.1
usr=adr&pass=handsome
School Server -> Application:
HTTP/1.1 200 OK
Set-Cookie: gg=ininder;
BOT
-
Application -> School Server:
GET /helloWorld HTTP/1.1
Cookie: gg=ininder;
School Server -> Application:
HTTP/1.1 200 OK
hello world! adr
Cookie: gg=ininder;
BOT
-
UI
BOT
-
Application -> School Server:
GET /timeTable HTTP/1.1
Cookie: gg=ininder;
School Server -> Application:
HTTP/1.1 200 OK
english
Cookie: gg=ininder;
BOT
-
Application School Server
Cookie: gg=ininder;
BOT
-
Android Windows iOS
-
Android Windows iOS
App.java App.cpp App.swift
-
...
-
Application (User Side)
School Server
Cookie: gg=ininder;
-
Application User Side
School Server
Cookie: gg=ininder;
Cookie: gg=ininder;
-
Node.js + Express
-
Application User Side
Cookie: gg=ininder;
-
HTTP Basic
POST /?act=InInDer HTTP/1.1
HOST: big.gg.com

girls=will&love=it
-
HTTP Basic
POST /?act=InInDer HTTP/1.1
HOST: big.gg.com

adr=have&cat=dog
Header (the request line and HOST: big.gg.com)
-
HTTP Basic
POST /?act=InInDer HTTP/1.1
HOST: big.gg.com

adr=have&cat=dog
Query (?act=InInDer)
-
HTTP Basic
POST /?act=InInDer HTTP/1.1
HOST: big.gg.com

adr=have&cat=dog
Body (POST) (adr=have&cat=dog)
-
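To make the three places a parameter can travel concrete, here is an added example (not code from the talk) that splits a raw HTTP/1.1 request into request line, headers, query string and form body. The request text is constructed from the slide above; the Content-Type and Content-Length headers, which the slide omits, are assumptions so the body can be bounded the way a real server would.

```javascript
// Added example, not from the slides: parse a raw HTTP request into the
// parts a parameter can hide in (Header / Query / Body). The request is
// constructed from the slide; Content-Type and Content-Length are assumed.
const RAW_REQUEST =
  'POST /?act=InInDer HTTP/1.1\r\n' +
  'HOST: big.gg.com\r\n' +
  'Content-Type: application/x-www-form-urlencoded\r\n' +
  'Content-Length: 16\r\n' +
  '\r\n' +
  'adr=have&cat=dog';

// Decode an application/x-www-form-urlencoded list such as "a=1&b=2".
// The first value for a repeated key wins; later duplicates are ignored,
// which is one of the differences between frameworks worth knowing.
function parseFormEncoded(text) {
  const out = {};
  if (!text) return out;
  for (const pair of text.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    const val = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    if (!(key in out)) out[key] = val;
  }
  return out;
}

// Split request line, headers and body. Header names are lower-cased so
// "HOST" and "Host" land in the same slot (they are case-insensitive).
function parseHttpRequest(raw) {
  const headEnd = raw.indexOf('\r\n\r\n');
  if (headEnd === -1) throw new Error('no end of headers');
  const head = raw.slice(0, headEnd).split('\r\n');
  const rawBody = raw.slice(headEnd + 4);

  const [method, target, version] = head[0].split(' ');
  const headers = {};
  for (const line of head.slice(1)) {
    const colon = line.indexOf(':');
    if (colon === -1) throw new Error('malformed header line: ' + line);
    headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
  }

  // Query: everything after "?" in the request target.
  const q = target.indexOf('?');
  const path = q === -1 ? target : target.slice(0, q);
  const query = parseFormEncoded(q === -1 ? '' : target.slice(q + 1));

  // Body: only read as many bytes as Content-Length declares.
  const declared = Number(headers['content-length'] || 0);
  const body = parseFormEncoded(rawBody.slice(0, declared));

  return { method, path, version, headers, query, body };
}
```

Running `parseHttpRequest(RAW_REQUEST)` yields `query.act === 'InInDer'` from the URL and `body.adr === 'have'`, `body.cat === 'dog'` from the POST body, with the host read from the header map; the slide's other variant (`girls=will&love=it`) parses the same way.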
Node.js + Request
-
BOT School Server
Cookie: gg=ininder;
-
Application (User Side)
School Server
Cookie: gg=ininder;
-
Application School Server
Cookie: gg=ininder;
Cookie: gg=ininder;
-
Session
-
Application School Server
Cookie: gg=ininder;
Cookie: gg=ininder;
-
Application School Server
Cookie: key=9487;
Cookie: gg=SESSION[9487];
-
SESSION RAM
...
-
SESSION RAM
...
HTTP Status 500
-
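The bot exchange from the earlier slides (login, Set-Cookie, replay the cookie on later requests) and the session slides above fit together in one runnable sketch. This is an added example, not code from the talk: a small in-memory stand-in for the school server plus the bot that drives it. Paths, the credentials and the cookie name follow the slides (usr=adr, /Login, /helloWorld, /timeTable, cookie gg); the credential table, the session key 9487 and the timetable text are constructed. It also shows the failure mode on the slide above: the SESSION table lives in RAM, so after a restart the old key produces HTTP 500 and the bot has to log in again.

```javascript
// Added example, not code from the talk: in-memory school server + bot so the
// cookie/session exchange from the slides runs offline. Credentials, the
// session key and the timetable contents are constructed for the example.

// Parse "a=1; b=2" from a Cookie header into an object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Keep only name=value from a Set-Cookie; Path/HttpOnly are instructions
// for the client and must not be echoed back.
function cookiePairFromSetCookie(setCookie) {
  return setCookie.split(';')[0].trim();
}

function makeSchoolServer() {
  const users = { adr: 'handsome' };   // constructed credential table
  let sessions = {};                    // SESSION[...] lives in RAM only
  let nextKey = 9487;                   // first session key, as on the slide

  // req = { method, path, headers, body }; returns { status, headers, body }
  function handle(req) {
    if (req.method === 'POST' && req.path === '/Login') {
      if (users[req.body.usr] !== req.body.pass) {
        return { status: 401, headers: {}, body: 'bad login' };
      }
      const key = String(nextKey++);
      sessions[key] = { user: req.body.usr };
      // The client only ever sees the key; the session data stays server-side.
      return { status: 200, headers: { 'set-cookie': `gg=${key}; Path=/; HttpOnly` }, body: 'ok' };
    }
    const sess = sessions[parseCookieHeader(req.headers.cookie).gg];
    if (!sess) {
      // Key not in RAM (never issued, or lost on restart): the slide's HTTP Status 500.
      return { status: 500, headers: {}, body: 'no session' };
    }
    if (req.path === '/helloWorld') return { status: 200, headers: {}, body: `hello world! ${sess.user}` };
    if (req.path === '/timeTable') return { status: 200, headers: {}, body: 'english' };
    return { status: 404, headers: {}, body: 'not found' };
  }

  // Simulate a process restart: every SESSION[...] entry is gone.
  function restart() { sessions = {}; }

  return { handle, restart };
}

function makeBot(server, usr, pass) {
  let cookie = null;   // the "gg=9487" pair the bot replays on every request
  let logins = 0;

  function login() {
    const res = server.handle({ method: 'POST', path: '/Login', headers: {}, body: { usr, pass } });
    if (res.status !== 200) throw new Error('login failed: HTTP ' + res.status);
    cookie = cookiePairFromSetCookie(res.headers['set-cookie']);
    logins += 1;
  }

  // GET a page with the session cookie; if the server lost the session,
  // log in once more and retry, instead of surfacing the 500 to the user.
  function get(path) {
    if (cookie === null) login();
    let res = server.handle({ method: 'GET', path, headers: { cookie }, body: {} });
    if (res.status === 500) {
      login();
      res = server.handle({ method: 'GET', path, headers: { cookie }, body: {} });
    }
    if (res.status !== 200) throw new Error(`${path}: HTTP ${res.status}`);
    return res.body;
  }

  return { get, loginCount: () => logins };
}
```

Note the cost of the re-login: the bot has to keep the user's password to do it, which is exactly why the later slides move the cookie to the user's own device instead of a shared server.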
Cookie
-
1. JS string methods: substr, split, charAt, slice
2. Regex: ^123([\d]+)$
3. Cheerio.js
-
JS
var Str = '<title>Hello world</title>'
> Str = Str.slice(Str.indexOf('>') + 1)
> Str = Str.slice(0, Str.indexOf('<'))
'Hello world'
-
var Str = '<title>Hello world</title>'
> Str.match(/[^\x20]+([^
-
Cheerio.js
var Str = '<title>Hello world</title>'
> Str = require('cheerio').load(Str)('title').text()
> Str.split('\x20')[1]
'world'
-
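The three slides above show the same extraction (the text of a title tag) done with string methods, a regex and Cheerio. As an added example, not code from the talk, the block below goes one step further and pulls a whole timetable table out of a page with only string methods and regexes, so it runs without Cheerio. The HTML is constructed for the example; the `tableId` parameter and the entity decoder are assumptions about what a school page looks like, not something the talk specifies.

```javascript
// Added example, not from the talk: scrape a timetable out of HTML using
// only slice/regex (no Cheerio). SAMPLE_HTML is constructed; real pages differ.
const SAMPLE_HTML = `<html><head><title>Time Table adr</title></head><body>
<table id="tt">
<tr><th>Period</th><th>Mon</th><th>Tue</th></tr>
<tr><td>1</td><td>english</td><td>&lt;math&gt;</td></tr>
<tr><td>2</td><td></td><td>Chinese &amp; History</td></tr>
</table></body></html>`;

// Undo the common entities so "&amp;" comes back as "&".
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) =>
    ({ amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" })[e]);
}

// Drop any tags left inside a cell (<b>, <a href=...>), then decode
// entities. Tags are removed first so a decoded "<" is never mistaken for one.
function cellText(inner) {
  return decodeEntities(inner.replace(/<[^>]*>/g, '')).trim();
}

// Same job as the slide's slice/indexOf: text between <title> and </title>.
function extractTitle(html) {
  const m = /<title>([\s\S]*?)<\/title>/i.exec(html);
  return m ? cellText(m[1]) : null;
}

// Rows of the table whose id attribute equals tableId (assumed selector),
// as an array of arrays of cell strings; null if there is no such table.
function extractTable(html, tableId) {
  const tableRe = new RegExp(`<table[^>]*\\bid="${tableId}"[^>]*>([\\s\\S]*?)<\\/table>`, 'i');
  const t = tableRe.exec(html);
  if (!t) return null;
  const rows = [];
  const rowRe = /<tr[^>]*>([\s\S]*?)<\/tr>/gi;
  let r;
  while ((r = rowRe.exec(t[1])) !== null) {
    const cells = [];
    const cellRe = /<t[dh][^>]*>([\s\S]*?)<\/t[dh]>/gi;   // fresh regex per row
    let c;
    while ((c = cellRe.exec(r[1])) !== null) cells.push(cellText(c[1]));
    rows.push(cells);
  }
  return rows;
}

// Turn the rows into { period: { day: subject } } keyed by the header row.
function timetableToObject(rows) {
  const [header, ...body] = rows;
  const out = {};
  for (const row of body) {
    const entry = {};
    for (let i = 1; i < header.length; i++) entry[header[i]] = row[i] || '';
    out[row[0]] = entry;
  }
  return out;
}
```

This regex approach is as brittle as the slide's substr/indexOf version: a nested table or an attribute containing ">" breaks it, which is the point at which Cheerio.js earns its place. Decoding entities after stripping tags also keeps text such as `&lt;script&gt;` from ever being treated as markup by the scraper.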
aaaddress1/m00d1e.js
-
Header
-
CAPTCHA
-
30cm.tw/?p=512
-
aaaddress1/easyChptchaOCR
-
Moodle
-
Browser User Side
School Server
Cookie: gg=ininder;
Cookie: gg=ininder;
Cross-site request forgery
-
Content Security Policy (CSP)
-
isu.30cm.tw/isuMoodle
-
Cross Domain Login Moodle
-
Browser User Side
School Server
Cookie: gg=ininder;
-
Browser User Side
Cookie: gg=ininder;
iframe moodle Javascript
-
IFRAME User Side
Moodle
USERNAME = usr & PASSWORD = pass
-
IFRAME User Side
Moodle
Cookie: gg=ininder;
-
Browser User Side
Moodle
Cookie: gg=ininder;
-
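The cross-domain login sketched above works because the Moodle login form, as the slides show it, checks nothing but the credentials: a page on the third-party site makes the browser POST the username and password into an iframe, and the Moodle session cookie lands in the user's own browser. The same property is what the CSRF and CSP slides are about. Below is an added example, not the talk's isuMaster code, with a weak login handler that accepts such a POST next to a hardened one that rejects it with the usual checks (Origin, a per-session CSRF token, a frame-ancestors CSP, a SameSite cookie). Hostnames, the login path, the token scheme and the credential table are all constructed for the example.

```javascript
// Added example, not the talk's code: a login handler that the iframe trick
// defeats, beside one that stops it. Origins, path, token scheme and the
// credential table are constructed for the example.
const MOODLE_ORIGIN = 'https://moodle.example';
const THIRD_PARTY_ORIGIN = 'https://third.example';
const users = { adr: 'handsome' };   // constructed

// Read one cookie out of a Cookie header.
function cookieValue(header, name) {
  const m = new RegExp('(?:^|;\\s*)' + name + '=([^;]*)').exec(header || '');
  return m ? m[1] : undefined;
}

// Weak: checks only the credentials, so any site that can make the browser
// POST here gets the user a session. No CSP, no SameSite on the cookie.
function weakLogin(req) {
  if (users[req.body.username] !== req.body.password) {
    return { status: 401, headers: {}, reason: 'bad credentials' };
  }
  return { status: 303, headers: { 'set-cookie': 'MoodleSession=abc; Path=/' } };
}

// Hardened: `tokens` maps a pre-login session cookie to the CSRF token that
// was embedded in the login form served to that session.
function makeHardenedLogin(tokens) {
  const baseHeaders = {
    'content-security-policy': "frame-ancestors 'none'",   // login page refuses to be framed
    'x-frame-options': 'DENY',
  };
  return function hardenedLogin(req) {
    // 1. Browsers send Origin on cross-site form POSTs; any origin but ours is rejected.
    if (req.headers.origin !== undefined && req.headers.origin !== MOODLE_ORIGIN) {
      return { status: 403, headers: baseHeaders, reason: 'cross-site origin' };
    }
    // 2. The POST must echo the token issued to this very pre-login session.
    const expected = tokens[cookieValue(req.headers.cookie, 'PreLogin')];
    if (expected === undefined || req.body.logintoken !== expected) {
      return { status: 403, headers: baseHeaders, reason: 'bad csrf token' };
    }
    if (users[req.body.username] !== req.body.password) {
      return { status: 401, headers: baseHeaders, reason: 'bad credentials' };
    }
    // SameSite=Lax: the browser will not attach this cookie to later cross-site POSTs.
    return {
      status: 303,
      headers: { ...baseHeaders, 'set-cookie': 'MoodleSession=abc; Path=/; Secure; HttpOnly; SameSite=Lax' },
    };
  };
}

// What the iframe trick makes the browser send: credentials, a cross-site
// Origin, and no token, because the form never came from moodle.example.
function iframeDrivenPost() {
  return {
    method: 'POST', path: '/login/index.php',
    headers: { origin: THIRD_PARTY_ORIGIN, cookie: '' },
    body: { username: 'adr', password: 'handsome' },
  };
}

// A normal login: the user first loaded the form from moodle.example, which
// set PreLogin=s1 and embedded the token tok-1 in the form.
function sameSitePost(tokens) {
  tokens.s1 = 'tok-1';
  return {
    method: 'POST', path: '/login/index.php',
    headers: { origin: MOODLE_ORIGIN, cookie: 'PreLogin=s1' },
    body: { username: 'adr', password: 'handsome', logintoken: 'tok-1' },
  };
}
```

The checks are layered on purpose: an old browser that omits Origin still fails the token check, and a page that cannot be framed (frame-ancestors) cannot have its cookie observed through an iframe even when the cross-site POST itself is blocked. Any of these on the school's side breaks the iframe login shown in the slides, which is why a third-party service built on it should expect to stop working after a Moodle upgrade.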
github.com/aaaddress1/isuMaster-NodeJS
-
github.com/Valve/fingerprintjs