<HTML><HEAD><TITLE>Problems in Perl Filters - by b0iler</TITLE>
</HEAD>
<BODY bgColor=black><FONT color=#ffffff>
<hr color="#808080" width="60%" size="1">
<H1 align="center"><font size="4">Problems in Perl Filters</font></H1>
<p align="center"> by <a href="mailto:b0iler@hotmail.com">b0iler</a> <BR> lecture given on
May 17th in irc.unixhideout.con #bsrf<BR> Written for :<BR> <A
href="http://b0iler.eyeonsecurity.net/">http://b0iler.eyeonsecurity.net/</A> -
my site full of other cool tutorials<BR> <A
href="http://blacksun.box.sk/">http://blacksun.box.sk/</A> - a legendary site
full of original tutorials </p>
<hr color="#808080" width="60%" size="1">
<p align="left"><BR><BR>--- b0iler has changed the topic to:
Blacksun Research Facility - <a href="http://blacksun.box.sk">http://blacksun.box.sk</a> - lecture in progress:
"Problems in Perl Filters" - msg questions during lecture to b0iler. <BR>---
b0iler sets modes [#bsrf +m]<BR>
</p>
<TABLE cellSpacing=2 cellPadding=0 width="100%">
<TBODY>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD width="100%"><FONT color=#ffffff>Common Filtering Problems in
Perl.</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>--intro</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>This lecture may also be helpful for other
languages, but the exact syntax and ideas are for perl.</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>This lecture will be +m and all questions will be
msg'd to me. msg me questions anytime and I will either answer them at that
time, or save them till the end.</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>This lecture may go at a slow pace; this is so I
can think things out.. since my planning of this lecture was pretty weak.
If you get bored, too bad XD~</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>--</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>The Main Concepts in Evading Perl Filters
Are:</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Complete lack of filters.</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Filters that forget characters.</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Filters that are in the wrong order.</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Filters that filter previous filters (or filter
themselves! I'll explain later).</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>And multiple inputted variables forgotten in the
filters.</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>--</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>The What and Why of Perl Filters:</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Let's get into what perl filters are and why they
are so important in terms of security.</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Filters are ways perl programmers stop bad things
from happening. It's my way of saying things that change something.. most
of the time it is just regex.</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>For example, if you do: </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>$blah = `cat $ENV{'QUERY_STRING'}`; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Then attackers can easily input something like:
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>script.cgi?/etc/password </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Which would read your password file, or they could
be even more tricky and do something to this effect: </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>script.cgi?file.txt;rm -rf anything/ </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>(need to url encode some characters) </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>So perl programmers filter out characters which
can do bad things. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>This is a pretty good idea, and almost every
script should have some kind of filtering system set up. Although even one
flaw in a filtering system can lead to a lot of security headaches.
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>-- </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Types Of Filtering: </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>There are two main types of filtering, they are:
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>input </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>output </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>The input filtering is the most used, and is
usually the most serious for security. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>It comes before any action is taken on the user
input. This will stop any bad characters from affecting the actions of the
script. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Many people make the mistake of only filtering input.
Although not always necessary, output filtering is very useful in stopping
file reading vulnerabilities, cross site scripting, and other attacks.
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Output filtering is filtering things right before
they are outputted to the client, database, file, or other outputs.
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Sometimes the output filtering may look to be
pointless, but data may have been changed throughout the script's
execution, so checking to make sure nothing bad is outputted can be a good
idea even when you are fairly sure nothing bad can be. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>-- </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Ways of Filtering: </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>There are also two main ways of filtering:
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Filtering bad input </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Allowing good input </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>There are also other possible ways to filter, such
as length checking, pattern checking, and other odd ones. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Filtering bad input is the most used, and the one
with the most mistakes by the programmers. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>When filtering bad input it is extremely easy to
forget something or not know of a feature in perl or a feature in an
external program which your script uses. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>These forgotten filters can lead to
vulnerabilities very easily. It just takes the attacker a while to think up
creative ways to evade the filters or to do something a different way -
if one way is filtered, do it a different way which isn't filtered.
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Allowing good input is the preferred way of
stopping bad input from becoming a security problem. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>This is because you are only allowing the good
characters to get by, and stopping all possible bad combinations which
would have been hard to filter out with filtering bad input. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Sometimes allowing input is almost impossible if
you want to give users any flexibility. You cannot always hold them to a
set of characters, but you need to make a decision on how much importance
should go into security and how much into usability. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>Here is an example of filtering bad input:
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>$blah = $ENV{'QUERY_STRING'}; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>$blah =~ s/\;//; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>print `cat $blah`; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>This will stop people from doing `cat
file.txt;touch file2.txt` (using the ; to issue another command).
</FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>But if you read my "Hacking CGI - Security and
Exploitation" tutorial (
http://b0iler.eyeonsecurity.net/tutorials/hackingcgi.htm ) then you will
read about the number of ways to use different methods to do things in
system commands. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>It is extremely hard to stop all the possible
combinations of bad input individually. So instead let's take a look at
only allowing good input: </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>$blah = $ENV{'QUERY_STRING'}; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>$blah =~ s/[^a-zA-Z0-9\.\-_]//g; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>print `cat $blah`; </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>print `cat $blah`; #* </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>This will stop anything that might not be good in
a filename from being cat'd. But there is another method of allowing good
input that I prefer. </FONT></TD></TR>
<TR>
<TD><FONT color=#ffffff>&lt;b0iler&gt;</FONT></TD>
<TD><FONT color=#ffffff>This method is denying access to anything if the
user inputs a character not allowed: </FONT></TD></TR>
<TR>