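Current Status and Analysis of Web Shells - cfs3. In particular, after the attacker opens a server of their choosing with the nc.exe program, the victim system this specific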

  • KrCERT-IN-2007-02 http://www.krcert.or.kr cert@krcert.or.kr

    ________________________________________________________________________________________

    __________________________________________________________________________________________

    2007. 2.

    [: (KISA)] .

    1.

    .

    txt, jpg, doc

    .

    asp, cgi, php, jsp

    ,

    , .

    DB

    .

    ASP2006

    .

    2.

    1)

    .

    list.asp

    .

    list.asp

    . .

    2)

    .

    .

    .

    3)

    DB ,

    .

    Shell

    .

    test.html

    .

    .

    Wait command dir ,

    C .

    Notwait command

    nc.exe .

    nc.exe

    (3333) .

    nc.exe

    .

    3 ASP2006

    .

    3. ASP2006 ASP2006

    Client-Server

    .

    ASP2006

    .

    1)

    ASP2006 .

    - 2006.asp :

    - 2006x.exe :

    - 2006z.exe : 2006.asp

    - hididi.ini :

    ASP2006 , , , Shell , ,

    .

    2006.asp .

    .

    2)

    2006z.exe 2006.asp 2006_Lite.asp

    .

    2006.asp 2006_Lite.asp . 2006.asp

    .

    3) -

    ASP2006 -

    . 3

    .

    2006x.exe server.asp

    2006a_Lite.asp html .

    server.asp

    . server.asp

    asp

    . ,

    ASP2006 .

    4)

    2006a_Lite.asp.html server.asp

    .

    server.asp .

    2006x.exe 2006_Lite.asp htm

    2006_Lite.asp.htm .

    server.asp

    IE server.asp

    2006_Lite.asp . 2006_Lite.asp

    .

    5)

    .

    Execute(Session("lcxMarcos")) asp

    .

    4.

    1)

    . javascript html

    CGI

    .

    asp, cgi, php, jsp

    txt, hwp, doc, pdf, gif

    .

    .

    2)

    .

    [] -> [] -> [] -> []

    [] -> []

    . httpd.conf

    3) SQL Injection

    SQL Injection

    DB

    .

    ; , - (space)

    DB

    SQL Injection .

    SQL Injection

    . IIS

    .

    5.

    .

    ASP2006

    .

    lcxMarcos

    Session("#"), Session("1")

    Request("#"), Request("1")

    cmd.exe command.com

    Encode

    gb2312

    charset
