Tips for Building Third-Party School Service
Ma Sheng-Hao (aaaddress1, aka adr), TDOHacker Debug Guy
Speaker: TDOHConf 2016, HITCON CMT 2015, SITCON 2016, HITCON CMT 2016 Lightning Talk, BSidesLV, ICNC MC2015
C/C++, C#, VB, MASM, Python, Swift, Node.js, Java, Windows
cuteRansomware, Adr's FB
Sorry, Node.js
CoC O__Q
HTTP
User Application Browser Mobile Apps
Browser
e.g. Chrome, Firefox, Safari
Cookie, Header, Body
HTTP Traffic Analytics Browser (Static)
BOT
Application
POST/GET
Application School Server
POST /Login HTTP/1.1
usr=adr&pass=handsome
HTTP/1.1 200 OK Set-Cookie: gg=ininder;
BOT
Application School Server
GET /helloWorld HTTP/1.1 Cookie: gg=ininder;
HTTP/1.1 200 OK hello world! adr
Cookie: gg=ininder;
UI
BOT
Application School Server
GET /timeTable HTTP/1.1 Cookie: gg=ininder;
HTTP/1.1 200 OK english
Cookie: gg=ininder;
BOT
Application School Server
Cookie: gg=ininder;
BOT
Android Windows iOS
App.java App.cpp App.swift
...
Application (User Side)
School Server
Cookie: gg=ininder;
Node.js + Express
HTTP Basic
POST /?act=InInDer HTTP/1.1
HOST: big.gg.com

girls=will&love=it

HTTP Basic: the three parts of a request
Header: POST /?act=InInDer HTTP/1.1 and HOST: big.gg.com
Query: ?act=InInDer
Body (POST): adr=have&cat=dog
Node.js + Request
BOT School Server
Cookie: gg=ininder;
Application (User Side)
School Server
Cookie: gg=ininder;
Session
Application School Server
Cookie: key=9487;
Cookie: gg=SESSION[9487];
SESSION RAM
...
HTTP Status 500
Cookie
1. JS string methods: substr, split, charAt, slice
2. Regex: ^123([\d]+)$
3. Cheerio.js

JS
var Str = '<title>Hello world</title>'
> Str = Str.slice(Str.indexOf('>') + 1)
> Str = Str.slice(0, Str.indexOf('<'))

Regex
var Str = '<title>Hello world</title>'
> Str.match(/[^\x20]+([^

Cheerio.js
var Str = '<title>Hello world</title>'
> Str = require('cheerio').load(Str)('title').text()
> Str.split('\x20')[1]
'world'
aaaddress1/m00d1e.js
Header
CAPTCHA
aaaddress1/easyChptchaOCR
Moodle
Browser User Side
School Server
Cookie: gg=ininder;
Cookie: gg=ininder;
Cross-site request forgery
Content Security Policy (CSP)
isu.30cm.tw/isuMoodle
Cross Domain Login Moodle
Browser User Side
School Server
Cookie: gg=ininder;
iframe moodle Javascript
IFRAME User Side
Moodle
USERNAME = usr & PASSWORD = pass
IFRAME User Side
Moodle
Cookie: gg=ininder;
Browser User Side
Moodle
Cookie: gg=ininder;
github.com/aaaddress1/isuMaster-NodeJS
github.com/Valve/fingerprintjs