Silic Security Handbook

Date post: 03-Mar-2018
  • 7/26/2019 Silic Security Handbook

    1/21

    Silic Security Handbook

    * Silic Corporation Juliet,

    2012, 21 44, 166


    - Silic Security

    Silic.Org

    1)

    1.1 HTTP

    1.2 IIS HTTP Trace

    1.3 Apache

    1.4 IIS

    1.5 nginx

    1.6 Nginx http

    2) Apache + PHP

    2.1 Apache + PHP

    2.2 PHP

    2.3 Apache

    2.4

    2.5 php socket

    2.6 php

    2.7 CGI

    2.8

    2.9 PHP Session

    2.10 Apache

    3)

    3.1 ()Wscript.Shell

    3.2

    3.3

    4)

    4.1 Mysql.user

    4.2 MySQL


    1)

    1.1 HTTP

    HTTP

    HTTP/1.1 200 OK

    Date: Fri, 20 May 2011 18:37:50 GMT

    Server: Apache/2.2.17 (Win32) PHP/5.2.8

    X-Powered-By: PHP/5.2.8

    Set-Cookie: PHPSESSID=hakhoeidtb1kv78dh4aik8arc6; path=/

    Expires: Thu, 19 Nov 1981 08:52:00 GMT

    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

    Pragma: no-cache

    Set-Cookie: lang=italian; expires=Sat, 19-May-2012 18:37:50 GMT

    Vary: Accept-Encoding

    Keep-Alive: timeout=5, max=100

    Connection: Keep-Alive

    Content-Type: text/html

    PHP php.ini(Windows php5.ini)

    apache/bin/php.ini

    expose_php = Off


    1.2 IIS HTTP Trace

    Nessus X-Scan trace

    IIS

    c:\windows\system32\inetsrv\MetaBase.xml

    TRACE IIS

    \inetsrv\asp.dll,5,GET,HEAD,POST,TRACE

    TRACEWebDAV PUTCopyDelete

    IISWindows(Apache)

    1.3 Apache

    1. 404 403 500

    extra/httpd-default.conf: ServerSignature Off


    off

    2. (HTTP header)

    Server: Apache/2.2.3 (CentOS) Server at xxxxxxx Port 80

    extra/httpd-default.conf

    # ServerTokens

    # This directive configures what you return as the Server HTTP response

    # Header. The default is 'Full' which sends information about the OS-Type

    # and compiled in modules.

    # Set to one of: Full | OS | Minor | Minimal | Major | Prod

    # where Full conveys the most information, and Prod the least.

    ServerTokens Full

    ServerTokens Prod

    ServerTokens Prod[uctOnly]


    Server: Apache

    ServerTokens Major (with Minor: Apache/2.0)

    Server: Apache/2

    1.4 IIS

    ip,,uri(User-Agent)

    cookie

    GB


    1.5 nginx

    nginx nginxnginx.conf

    server {
        listen 80 default;
        server_name localhost;
        #access_log logs/host.access.log main;
        server_name_in_redirect off;

        location / {
            root E:/Web/forum/htdocs;
            index index.html index.htm;
        }

        # pass PHP scripts to the FastCGI backend
        location ~ \.php$ {
            # root html;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME E:/Web/forum/htdocs$fastcgi_script_name;
            include fastcgi_params;
        }

        #error_page 404 /404.html;
        # 50x
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    server{}


    1.6 Nginx http

    HTTP header Server: nginx/1.1.15

    nginx.conf

    http {
        server_tokens off;
    }
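Sections 1.1, 1.3 and 1.6 all hide the same thing: version strings in the Server and X-Powered-By response headers. The following checker is an added example (not code from the handbook) that parses a raw HTTP response and reports which of the three remediations applies; the sample responses are constructed here, the Apache one copied from section 1.1.

```python
import re

# Constructed samples: the response quoted in section 1.1 (abridged), an nginx banner, and a clean one.
SAMPLE_APACHE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 20 May 2011 18:37:50 GMT\r\n"
    "Server: Apache/2.2.17 (Win32) PHP/5.2.8\r\n"
    "X-Powered-By: PHP/5.2.8\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
SAMPLE_NGINX = "HTTP/1.1 200 OK\r\nServer: nginx/1.1.15\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_CLEAN = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"

# Matches product/version tokens such as Apache/2.2.17, PHP/5.2.8, nginx/1.1.15 or Apache/2
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(\.\d+)*")


def parse_headers(raw: str) -> dict:
    """Return {lower-case name: value} for the header block of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_banner(raw: str) -> list:
    """Return (header, value, fix) findings for every header that leaks a version string."""
    h = parse_headers(raw)
    findings = []
    server = h.get("server", "")
    if VERSION_RE.search(server):
        # nginx is fixed with server_tokens off (1.6); Apache with ServerTokens Prod (1.3)
        fix = "server_tokens off;" if server.lower().startswith("nginx") else "ServerTokens Prod"
        findings.append(("Server", server, fix))
    if "x-powered-by" in h:
        # X-Powered-By comes from PHP itself and is removed by expose_php = Off (1.1)
        findings.append(("X-Powered-By", h["x-powered-by"], "expose_php = Off"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_APACHE, SAMPLE_NGINX, SAMPLE_CLEAN):
        print(audit_banner(sample) or "no version disclosure")
```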


    2) Apache + PHP

    2.1 Apache + PHP

    apache conf/httpd.conf: AddType application/x-gzip

    AddType application/x-compress .Z

    AddType application/x-gzip .gz .tgz

    gzipgzip

    #

    AddType application/x-httpd-php .abc

    .abc.html.htm.xxoo .jsp.asp

    .gif .gif x-httpd-php

    a.abc php abc:

    .gif gif php gif

    php gif phpgif

    html googleGoogle gif html


    .htaccess

    AddType application/x-httpd-php .php

    AddType application/x-httpd-php .html

    AddType application/x-httpd-php .htm

    .php Apache php

    .htaccess urlrewrite AllowOverride None

    AllowOverride All httpd.conf rewrite

    mod

    TypesConfig conf/mime.types

    AddType application/x-tar .tgz

    AddType application/x-rar-compressed .rar

    AddType application/x-httpd-php .php

    AddType application/x-httpd-php-source .phps

    .php

    2.2 PHP

    PHP PHPphp.ini

    php.ini disable_functions

    exec()

    disable_functions = exec

    Windows PHPdl

    Windows dl php

    phpinfo


    Windows Apache PHPdl

    PHPdl PHP

    dl

    WindowsApache + PHPPHP

    ; phpinfo

    Warning: phpinfo() has been disabled for security reasons in XX.XX line x

    PHP

    System()

    shell_exec()

    passthru()

    exec()

    popen()

    proc_open()

    allow_url_fopen()

    fsockopen()

    pfsockopen()


    ()

    allow_url_fopen,apache_child_terminate,apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,chgrp,chown,closelog,dbmopen,debugger_on,debugger_off,define_syslog_variables,dl,dll,error_log,escapeshellcmd,escapeshellarg,exec,fsockopen,ftp,ftp_exec,fpassthru,ini_alter,leak,link,listen,ln,lynx,myshellexec,readlink,shell_exec,show_source,symlink,system,ocinumcols,openlog,passthru,pcntl_exec,pclose,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pfsockopen,popen,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,prus,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setsid,posix_setuid,posix_setpgid,readfile,show_source,shell,socket_bind,suexec,symlink,syslog,system,virtual,wget

    *

    2.3 Apache

    Apache Apache

    options Indexes Indexes Apache

    .htaccess ()

    Options Indexes

    Apache


    2.4

    MySQL root Apache

    Apache Windows

    httpd-vhost.conf xx.conf vhost

    Include "D:/Apache/vhosts/[^.]*"

    apache/vhosts

    MySQL load_file() text

    MySQL.user file_priv N

    .

    2.5 php socket

    php Socket PHP Web cmd

    php.ini

    extension=php_sockets.dll

    OK Windows


    2.6 php

    PHP php.ini

    safe_mode = On

    Gid off

    safe_mode_gid = Off

    basedir

    x:/a/b/c x:/a/b

    x:/a/b/c/ x:/a/b/c

    safe_mode_exec_dir = E:/Web/forum

    safe_mode_include_dirdir windows linux
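Sections 2.2 and 2.6 together describe a php.ini baseline: disable_functions covering the shell and socket functions listed in 2.2, expose_php and allow_url_fopen off, safe_mode on with safe_mode_gid off, and an open_basedir. The audit below is an added example (not the handbook's code) that reads a php.ini fragment and lists what still deviates from that baseline; both ini samples are constructed, and BASELINE_DISABLE is the short function list from 2.2, not the long list above.

```python
# Constructed sample php.ini fragments: one loosely configured, one matching sections 2.2 / 2.6.
SAMPLE_INI = """
; constructed sample, not a real server's php.ini
expose_php = On
allow_url_fopen = On
disable_functions = exec,passthru
safe_mode = Off
safe_mode_gid = Off
; open_basedir is commented out, i.e. unset
;open_basedir = E:/Web/forum
"""
HARDENED_INI = """
expose_php = Off
allow_url_fopen = Off
disable_functions = system,shell_exec,passthru,exec,popen,proc_open,fsockopen,pfsockopen
safe_mode = On
safe_mode_gid = Off
safe_mode_exec_dir = E:/Web/forum
open_basedir = E:/Web/forum/
"""

# Shell-spawning and socket functions named in section 2.2 (short baseline, not the full list)
BASELINE_DISABLE = {"system", "shell_exec", "passthru", "exec", "popen", "proc_open", "fsockopen", "pfsockopen"}

# Directive values the handbook recommends (sections 1.1, 2.2, 2.6), compared case-insensitively.
# safe_mode / safe_mode_gid only exist in PHP < 5.4, as in the PHP 5.2 era the handbook targets.
EXPECTED = {"expose_php": "off", "allow_url_fopen": "off", "safe_mode": "on", "safe_mode_gid": "off"}


def parse_ini(text: str) -> dict:
    """Minimal php.ini reader: drops ';' comments and blank lines, lower-cases directive names."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text: str) -> dict:
    """Report baseline functions still callable, directives with weak values, and a missing open_basedir."""
    s = parse_ini(text)
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",") if f.strip()}
    return {
        "still_enabled": sorted(BASELINE_DISABLE - disabled),
        "weak_settings": sorted(k for k, want in EXPECTED.items() if s.get(k, "").lower() != want),
        "open_basedir_unset": not s.get("open_basedir"),
    }
```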

    2.7 CGI

    .htaccess

    Options -ExecCGI

    AddHandler cgi-script .php .php5 .pl .py .jsp .asp .aspx .shtml .sh .cgi .sql .rb

    500

    2.8

    .htaccess

    AuthType Basic

    AuthName "Silic Group Hacker Army"

    AuthUserFile /home/blackbap/blackbap.org/bbs/.htpasswd

    Require valid-user

    .htpasswd

    #silic:bbs

    silicbbs:532WkhU9SF/iQ

    #bbs:silic

    bbs:85QlNg/2GZWGY

    2.9 PHP Session

    PHP session

    sessionphp php

    2012= =

    http://g.blackbap.org/index.php/first/admin


    cookie PHPSESSID=123;;; PHP php

    The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in

    Config.php session_start();

    @session_start();

    phpat @

    2.10 Apache


    options Indexes FollowSymLinks

    Apache

    IndexOptions Charset=GB2312

    gb2312


    3)

    Linux

    3.1 Wscript.Shell

    Wscript.Shell cmd

    Wscript.Shell:     regsvr32 /u %windir%/system32/wshom.ocx
    FSO:               regsvr32 /u %windir%/system32/scrrun.dll
    Shell.application: regsvr32 /u %windir%/system32/shell32.dll
    Wscript.network:   regsvr32 /u %windir%/system32/Wshext.dll

    Note that shell32.dll also backs Windows Explorer, so unregistering it on a host with an interactive desktop breaks shell functionality; verify on a test machine first.


    3.2

    webshell

    cmd

    SYSTEM Administrators/Users

    cmd system

    attrib +a +r +s +h

    cmd + -


    3.3

    SYSTEM

    C:\windows\system32\config

    SECURITY.Evt

    2008: C:\Windows\System32\winevt\Logs


    SYSTEM

    Administrator


    4)

    4.1 Mysql.user

    MySQL mysql db MySQL

    User_info

    User mysql file_priv N root

    N rootN host

    %

    Func udf dll( func

    func)

    MySQL mysql

    4.2 MySQL

    MySQL 3306 MySQL my.ini

    [mysqld]

    # The TCP/IP Port the MySQL Server will listen on

    port=3306

    [mysqld]

    # The TCP/IP Port the MySQL Server will listen on

    port=53306

    MySQL PHP host

    localhost -> localhost:53306

