Hi๐Ÿ‘‹๐Ÿผ Iโ€™m HAHWUL.

Offensive Security Engineer, Rubyist/Crystalist/Gopher and H4cker

Posts - Page 51 of 86

Burp Suite REST API(Burp 2.0 beta)

  • 1 min read

์ตœ๊ทผ์— Burp suite 2.0 Beta ๋ฒ„์ „์ด ๊ณต๊ฐœ๋˜์—ˆ์Šต๋‹ˆ๋‹ค. ํ˜น์—ฌ๋‚˜ ํฐ ๋ณ€ํ™”๊ฐ€ ์žˆ์„๊นŒ ๊ณต์‹ ๋ธ”๋กœ๊ทธ๋ž‘ ์ฃผ๋ณ€ ๋ฐ˜์‘?(๊ธฐ๊ปํ•ด์•ผ ํŠธ์œ„ํ„ฐ..) ์ข€ ์‚ดํŽด๋ณธ ์ดํ›„ burp pro 2.0 ์œผ๋กœ ์—…๊ทธ๋ ˆ์ด๋“œ ํ•˜์˜€์ฃ .

Read More

Arachni optimizing for fast scanning (Arachni ์Šค์บ” ์†๋„ ํ–ฅ์ƒ ์‹œํ‚ค๊ธฐ)

  • 13 min read

Arachni๋ฅผ ๊ฐ€์ง€๊ณ  ์žฌ๋ฏธ์žˆ๋Š” ๊ฒƒ๋“ค์„ ํ•˜๊ณ ์žˆ๋Š”๋ฐ, ์š”์ฆ˜ ์ฐธ ์Šค์บ” ์†๋„์— ๋Œ€ํ•ด ๊ณ ๋ฏผ์ด ๋˜๋„ค์š”. Arachni ๊ฐ€ ๋ฒค์น˜ ๋งˆํ‚น ๊ธฐ์ค€์œผ๋กœ ๊ต‰์žฅํžˆ ์ข‹์€ ์„ฑ๋Šฅ์„ ๊ฐ€์ง€๋ฉฐ ์˜คํ”ˆ์†Œ์Šค์ด์ง€๋งŒ ๊ฒฐ์ •์ ์œผ๋กœ ์–ด๋งˆ์–ด๋งˆํ•œ ์Šค์บ” ์‹œ๊ฐ„์ด ๋ฐœ๋ชฉ์„ ์žก๋Š” ๊ฒƒ ๊ฐ™์Šต๋‹ˆ๋‹ค.

Read More

tree๋ช…๋ น ์—†์ด ls๋กœ treeview๋กœ ๋ณด๊ธฐ(Treeview without tree command as ls)

  • ~1 min read

๊ฐœ์ธ์ ์œผ๋กœ tree ๋ช…๋ น์„ ๊ต‰์žฅํžˆ ์ž์ฃผ ์‚ฌ์šฉํ•ฉ๋‹ˆ๋‹ค. ๋‹ค๋งŒ ๊ฐ„ํ˜น, tree๊ฐ€ ์—†๋Š” ํ™˜๊ฒฝ์—์„œ treeview๋กœ ๋ณด๊ณ  ์‹ถ์€ ๊ฒฝ์šฐ๊ฐ€ ์žˆ๋Š”๋ฐ, ls, grep, sed 3๊ฐœ๋ฅผ ์ด์šฉํ•˜๋ฉด tree์™€ ๋น„์Šทํ•œ ํ˜•ํƒœ์˜ ์ถœ๋ ฅ์„ ์–ป์–ด๋‚ผ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Read More

SpEL(Spring Expression Language) Injection & Spring boot RCE

  • 2 min read

Spring boot์œผ๋กœ ๊ตฌ์„ฑ๋œ ์„œ๋น„์Šค๋“ค์„ ์ ๊ฒ€ํ•  ๋•Œ ๊ผญ ์ฒดํฌํ•ด์•ผํ•  ๋ถ€๋ถ„ ์ค‘ ํ•˜๋‚˜๊ฐ€ SpEL RCE ์ž…๋‹ˆ๋‹ค. ๊ฐ€๋”์‹ ์ฐธ๊ณ ์‚ผ์•„ ๋ฐ๋“œํ’€์ด ์ž‘์„ฑํ•œ ๊ธ€(Spring boot RCE) ๋ณด๋Š”๋ฐ์š”, ์˜ค๋Š˜์€ ์ œ ๋ธ”๋กœ๊ทธ์— ์ข€ ์ •๋ฆฌํ•ด๋‘˜๊นŒ ํ•ฉ๋‹ˆ๋‹ค.

Read More

Consul์— ๋Œ€ํ•ด ์•Œ์•„๋ณด์ž! (Service Mesh)

  • 3 min read

์ตœ๊ทผ ์žฌ๋ฏธ์žˆ๋Š” ํ”„๋กœ์ ํŠธ๋ฅผ ํ•˜๊ณ ์žˆ๋Š”๋ฐ, Health cheak, Service discovery ์šฉ๋„๋กœ Consul์„ ์จ๋ณด๊ฒŒ ๋˜์—ˆ๊ณ  ๊ธ€๋กœ ์•ฝ๊ฐ„ ์ •๋ฆฌํ•ด๋‘ก๋‹ˆ๋‹ค. hashicorp์—์„œ ๋งŒ๋“  Consul, ๊ฑฐ๊ธฐ์„œ ์ง€์ •ํ•œ DevOps ๊ด€๋ จ ๋‚ด์šฉ ์ค‘ Monitor์— ํ•ด๋‹นํ•˜๋Š” ๋ถ€๋ถ„์ž…๋‹ˆ๋‹ค.

Read More

Git pull/push ์‹œ Password ๋ฌผ์–ด๋ณด์ง€ ์•Š๋„๋ก ์„ค์ •ํ•˜๊ธฐ(credential.helper)

  • ~1 min read

git์„ ์“ฐ๋‹ค๋ณด๋ฉด ๊ฐ„ํ˜น config ๋ฏธ์Šค, ํ™˜๊ฒฝ ๋ณ€๊ฒฝ์œผ๋กœ push/pull ๋“ฑ ๊ธฐ๋Šฅ ์‹คํ–‰ ์‹œ ๊ณ„์ •๊ณผ ํŒจ์Šค์›Œ๋“œ๋ฅผ ๋ฌผ์–ด๋ณด๋Š” ๊ฒฝ์šฐ๊ฐ€ ๋ฐœ์ƒํ•ฉ๋‹ˆ๋‹ค.

Read More

ESI(Edge Side Include) Injection์„ ์ด์šฉํ•œ Web Attack(XSS, Session hijacking, SSRF / blackhat 2018)

  • 3 min read

์ฃผ๋ง๋™์•ˆ ์‹œ๊ฐ„๋‚˜๋ฉด ์ฒœ์ฒœํžˆ blackhat, defcon ์ž๋ฃŒ์ข€ ๋ณผ๊นŒํ•ด์„œ ๋ณด๋‹ค๋ณด๋‹ˆ ๊ธ€๋กœ ๊ณต์œ ๋“œ๋ฆฌ๋ฉด ๊ดœ์ฐฎ์„ ๊ฒƒ ๊ฐ™์€ ๋‚ด์šฉ์ด ์žˆ์–ด ํฌ์ŠคํŒ… ์ž‘์„ฑํ•ด๋ด…๋‹ˆ๋‹ค. ๋ฐ”๋กœ ESIi(ESI Injection)์— ๋Œ€ํ•œ ๋‚ด์šฉ์ž…๋‹ˆ๋‹ค.

Read More

Defcon 2018 ๋ฐœํ‘œ ์ž๋ฃŒ ๋ฐ Briefings list

  • 6 min read

์ตœ๊ทผ Blackhat 2018 USA / Defcon ํ–‰์‚ฌ๊ฐ€ ์ง„ํ–‰๋ฌ์—ˆ์Šต๋‹ˆ๋‹ค. ์ž๋ฃŒ๋„ ์Šฌ์Šฌ ์˜ฌ๋ผ์˜ค๊ณ  ์–ด๋–ค ๋‚ด์šฉ์˜ ๋ฐœํ‘œ๋“ค์ด ์žˆ์—ˆ๋Š”์ง€ Title๋งŒ ์ •๋ฆฌํ•ด๋‘ก๋‹ˆ๋‹ค. (์ฒœ์ฒœํžˆ ์ฝ์–ด๋ด์•ผ๊ฒ ๋„ค์š”, ์žฌ๋ฏธ์žˆ๋Š”๊ฑด ํฌ์ŠคํŒ…ํ•˜๋„๋ก ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค)

Read More