{"id":68,"date":"2018-11-28T15:31:05","date_gmt":"2018-11-28T15:31:05","guid":{"rendered":"https:\/\/blog.rubiya.kr\/?p=68"},"modified":"2018-11-28T16:05:48","modified_gmt":"2018-11-28T16:05:48","slug":"2016-whitehat-contest-final-writeup","status":"publish","type":"post","link":"https:\/\/blog.rubiya.kr\/index.php\/2018\/11\/28\/2016-whitehat-contest-final-writeup\/","title":{"rendered":"2016 Whitehat Contest Final writeup"},"content":{"rendered":"

\uce68\ud574\ub300\uc751\uc740 2\ubb38\uc81c\uac00 \ucd9c\uc81c\ub418\uc5c8\uace0 \ubb38\uc81c\ub2f9 \uc11c\ubc84 1\ub300\uc529\uc744 \uac01 \ud300\uc5d0\uac8c \uc9c0\uae09\ud588\ub2e4.<\/p>\n

\uc790\uc2e0\uc758 \uc11c\ubc84\uc758 \ucde8\uc57d\uc810\uc744 \ucc3e\uc544\ub0b4 Flag\ub97c \uc778\uc99d\ud558\uba74 ssh\uacc4\uc815\uc744 \uc8fc\uc5b4 \ud328\uce58\uac00 \uac00\ub2a5\ud558\uace0,
\n\ub2e4\ub978\ud300\uc758 \ud328\uce58\uac00 \uc548\ub41c \uc11c\ubc84\ub97c \uacf5\uaca9\ud574 \ucd94\uac00\ub4dd\uc810\uc774 \uac00\ub2a5\ud558\ub2e4.<\/p>\n

—-
\n\uacbd\uc0c1\ubd81\ub3c4 \ubb38\uc81c\ub294 \ud68c\uc6d0\uac00\uc785, \ub85c\uadf8\uc778, \uc0ac\uc9c4\uc62c\ub9ac\uae30 \uae30\ub2a5\uc774 \uc788\ub2e4.<\/p>\n

$uploadfile = $uploaddir . basename($_FILES[‘ufl’][‘name’]);
\nif (move_uploaded_file($_FILES[‘ufl’][‘tmp_name’], $uploadfile)){<\/p>\n

\uc0ac\uc9c4\uc744 \uc62c\ub9b4 \ub54c \ubcc4\ub3c4\uc758 \ud544\ud130\ub9c1\uc774 \uc5c6\uc73c\ub2c8 webshell upload\uac00 \uac00\ub2a5\ud558\ub2e4.
\n\ub2e4\ub4e4 \uac04\ub2e8\ud788 \ucde8\uc57d\uc810\uc744 \ucc3e\uc544\ub0b4\uc5b4 \uc778\uc99d\ud558\uace0 \ud328\uce58\ud588\ub2e4.<\/p>\n

\uadf8\ub7f0\ub370 \uc0ac\uc2e4 \ub098\ub294 \ub300\ud68c\uc7a5\uc5d0 30\ubd84 \uc9c0\uac01\ud588\uace0 \ucde8\uc57d\uc810\uc744 \ucc3e\uc544\ub0b8 \uc2dc\uc810\uc5d0\uc11c 1\uac1c\ud300\uc744 \uc81c\uc678\ud558\uace0 \ubaa8\ub4e0 \uc11c\ubc84\uac00 \ud328\uce58\ub418\uc5b4 \uc788\uc5c8\ub2e4.
\n\ub2e4\ub978 7\uac1c\ud300\uc758 flag\ub97c \uc5bb\uace0\uc2f6\ub2e4.
\n\uc6f9\uc0ac\uc774\ud2b8\uac00 \uc804\ubc18\uc801\uc73c\ub85c \uc544\uc8fc \ucde8\uc57d\ud588\uae30\uc5d0 \ub2e4\ub978 \ubca1\ud130\ub97c \ud1b5\ud574 Flag\ub97c \uc5bb\uc744 \uc218 \uc788\uc744\uac70\ub77c \uc0dd\uac01\ud574\uc11c \uacc4\uc18d \uc18c\uc2a4\ucf54\ub4dc\ub97c \uc77d\uc5b4\ubcf4\uc558\ub2e4.<\/p>\n

if (preg_match(“\/[;`|&]\/”, $filename)) {
\n die(“\ud30c\uc77c\uba85\uc5d0 \uc720\ud6a8\ud558\uc9c0 \uc54a\uc740 \ubb38\uc790\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4.”);
\n}
\nsystem(“rm -rf “.$row[‘filename’]);<\/p>\n

\uc0ac\uc9c4\uc744 \uc0ad\uc81c\ud560 \ub54c SQL Injection\uc744 \ud1b5\ud574 \uc6d0\ud558\ub294 filename\uc744 \ub9ac\ud134\uc2dc\ud0a4\uace0 linefeed\ub97c \ud1b5\ud574 \ud544\ud130\ub97c \uc6b0\ud68c\ud574\uc11c OS Command Injection\uc774 \uac00\ub2a5\ud558\ub2e4.<\/p>\n

Payload\ub294 del.php?idx=1 union select 1,2,’%0als -al’,4,5– – \uc774\ub7f0 \ubaa8\uc591\uc774 \ub418\uc5c8\ub2e4.<\/p>\n

\ub2e4\ub4e4 1\ubc88\uc9f8 \ucde8\uc57d\uc810\uc744 \ucc3e\uc544\ub0b8 \uc2dc\uc810\uc5d0\uc11c \ud328\uce58\ub97c \ub05d\ub0c8\uae30\uc5d0 \uc774 \ucd94\uac00\uc801\uc778 \ucde8\uc57d\uc810\uc744 \ud1b5\ud574\uc11c \ubaa8\ub4e0 \ud300\uc758 Flag\ub97c \uc5bb\uc744 \uc218 \uc788\uc5c8\ub2e4.<\/p>\n

system() \ud568\uc218\ub97c unlink() \ud568\uc218\ub85c \ub300\uccb4\ud574\uc11c OS Command Injection\uc744 \ub9c9\ub294 \ubc29\ubc95\uc73c\ub85c \ud328\uce58\ud588\ub2e4.<\/p>\n

—-
\n\uc804\ub77c\ubd81\ub3c4 \ubb38\uc81c\ub294 \ud3c9\ubc94\ud55c \uac1c\uc778 \ube14\ub85c\uadf8\uc778\ub370 LFI \ucde8\uc57d\uc810\uc774 \uc874\uc7ac\ud55c\ub2e4.<\/p>\n

php wrapper\ub97c \uc0ac\uc6a9\ud574\uc11c \uc18c\uc2a4\ucf54\ub4dc leak\uc774 \uac00\ub2a5\ud558\ub2e4.
\n?page=php:\/\/filter\/convert.base64-encode\/resource=index<\/p>\n

\uc544\ub798\ub294 \ud575\uc2ec\uc774 \ub418\ub294 \ucf54\ub4dc\uc774\ub2e4.
\n<\/p>\n

Remote Code Excution\uc744 \ud574\uc57c\ud558\ub294\ub370 include\ud560 \ub54c “.php”\uac00 \uac70\uc2ac\ub9b0\ub2e4.
\nzip:\/\/ wrapper\ub97c \uc0ac\uc6a9\ud574\uc11c \uc6b0\ud68c\uac00 \uac00\ub2a5\ud558\ub2e4.<\/p>\n

?page=zip:\/\/\/foo%23bar
\n\uc774\ub807\uac8c \uacf5\uaca9\ud558\uba74 \/foo \ud30c\uc77c\uc744 \uc555\ucd95\ud574\uc81c\ud574\uc11c bar.php\ub97c include\ud55c\ub2e4.
\n\uc774\uc81c \uc6d0\ud558\ub294 \uc7a5\uc18c\uc5d0 \ud30c\uc77c\uc744 \uc62c\ub9ac\ub294\uac8c \ubb38\uc81c\ub2e4.<\/p>\n

\ud6c4\uc220\ub420 \uacf5\uaca9\uc758 \uc6d0\ub9cc\ud55c \uc774\ud574\ub97c \uc704\ud574 php\uc758 \ud30c\uc77c \uc5c5\ub85c\ub4dc \ubc29\uc2dd\uc744 \uc124\uba85\ud558\uaca0\ub2e4.
\n\uc11c\ubc84\uc5d0\uc11c \ud30c\uc77c \uc5c5\ub85c\ub4dc\uac00 \ud65c\uc131\ud654\ub418\uc5b4\uc788\uc744\uacbd\uc6b0 \ub9ac\ud018\uc2a4\ud2b8 \ud30c\uc77c\uc774 \uc874\uc7ac\ud558\uba74 php \ucf54\ub4dc\ub97c \uc2e4\ud589\ud558\uae30 \uc804\uc5d0
\n\/tmp\/php[0-9a-zA-Z]{6} \ub77c\ub294\uacf3\uc5d0 \uc784\uc2dc\ub85c \ud30c\uc77c\uc744 \uc5c5\ub85c\ub4dc\ud574\uc8fc\uace0, php\ucf54\ub4dc\uc758 \uc2e4\ud589\uc774 \ub05d\ub098\uba74 \ub2e4\uc2dc \uc0ad\uc81c\ud55c\ub2e4.
\n\uadf8\ub9ac\uace0 php \ucf54\ub4dc\uc5d0\uc11c\ub294 $_FILES[‘name’][‘tmp_name’] \ub77c\ub294 \ubcc0\uc218\uc5d0 \ud574\ub2f9 \uc784\uc2dc \ud30c\uc77c\uc758 \uc774\ub984\uc774 \ub2f4\uae34\ub2e4.<\/p>\n

\uadf8\ub7ec\ubbc0\ub85c debug_mode \ub97c \ud1b5\ud574\uc11c \uc6b0\ub9ac\uac00 Upload\ud55c \ud30c\uc77c\uc758 tmp_name\uc744 \uc54c \uc218 \uc788\uace0, \ud574\ub2f9 \ud30c\uc77c\uc744 include \ud560 \uc218 \uc788\ub2e4.<\/p>\n

\uc5ec\uae30\uc11c \ubb38\uc81c\uac00 \uc0dd\uae34\ub2e4.
\n1. Request\uc5d0 zip \ud30c\uc77c\uc744 \uc5c5\ub85c\ub4dc\ud568\uacfc \ub3d9\uc2dc\uc5d0 \ud574\ub2f9 \ud30c\uc77c\uc758 \uacbd\ub85c\uac00 \ub2f4\uae34 \ud398\uc774\ub85c\ub4dc\ub97c \ubcf4\ub0b8\ub2e4.
\n2. \uc11c\ubc84\uc5d0\uc11c zip\ud30c\uc77c\uc744 \/tmp\/php[0-9a-zA-Z]{6} \uc5d0 \uc5c5\ub85c\ub4dc\ud55c\ub2e4.
\n3. php \ucf54\ub4dc\uac00 \uc2e4\ud589\ub418\uba74\uc11c zip wrapper\ub97c \ud1b5\ud574 \uc784\uc2dc\ud30c\uc77c\uc744 unzip\ud55c\ub2e4.<\/p>\n

\uc774 \uc21c\uc11c\ub85c \uacf5\uaca9\ub418\ub294\ub370, \ud30c\uc77c\uc744 \uc5c5\ub85c\ub4dc\ud560 \ub54c \uc774 \ud30c\uc77c\uc774 \uc5b4\ub290 \uc774\ub984\uc744 \uac00\uc9c0\uac8c \ub420\uc9c0 \ubbf8\ub9ac \uc54c \uc218 \uc5c6\ub2e4.<\/p>\n

\uc774 \uc2dc\uc810\uc5d0\uc11c debug_mode \uad00\ub828 \ubd84\uae30\ubb38\uc744 \ub2e4\uc2dc \ud55c \ubc88 \uc0b4\ud3b4\ubcf4\uc790.<\/p>\n

ob_start();
\n var_dump(get_defined_vars());
\n ob_flush();
\n ob_end_clean();<\/p>\n

\uc774\ub7f0 \ucf54\ub4dc\uac00 \uc788\ub294\ub370 ob_ \uc2dc\ub9ac\uc988 \ud568\uc218\ub4e4 php\ub85c \uc6f9 irc\ub97c \uad6c\ud604\ud574\ubcfc \ub54c \ubcf8\uc801\uc788\ub2e4.
\nphp \ucf54\ub4dc\uac00 \uc2e4\ud589\ub418\ub294 \ub3c4\uc911\uc5d0 \uac12\uc744 \ucd9c\ub825\ud574\uc8fc\ub294 \uc5ed\ud560\uc774\uc600\ub2e4. ( http:\/\/php.net\/manual\/kr\/function.ob-flush.php )
\n\uadf8\ub807\ub2e4\uba74 index.php \ud30c\uc77c\uc5d0\uac8c index.php \ud30c\uc77c\uc744 include \uc2dc\ucf1c \ubb34\ud55c\ub8e8\ud504\uc5d0 \ube60\uc9c0\uac8c \ud574\uc11c,<\/p>\n

3. php \ucf54\ub4dc\uac00 \uc2e4\ud589\ub418\uba74\uc11c zip wrapper\ub97c \ud1b5\ud574 \uc784\uc2dc\ud30c\uc77c\uc744 unzip\ud55c\ub2e4.<\/p>\n

\uc774 \ubd80\ubd84\uc5d0\uc11c \uc2dc\uac04\uc774 \uc9c0\uc5f0\ub418\uba74, php \ucf54\ub4dc\uc758 \uc2e4\ud589\uc774 \ub05d\ub09c \ud6c4 \uc784\uc2dc\ud30c\uc77c\uc744 \uc0ad\uc81c\ud558\ub294 \ud589\ub3d9 \ub610\ud55c \uc9c0\uc5f0\ub418\uba70,
\nob_flush() \ud568\uc218 \ub355\ubd84\uc5d0 \uc9c0\uc5f0\ub418\uae30 \uc774\uc804\uc758 \ucd9c\ub825\uac12. \uc989 \/tmp\/php[0-9a-zA-Z]{6} \uc758 \uc774\ub984\ub610\ud55c \uc54c \uc218 \uc788\ub2e4.
\n\ub530\ub77c\uc11c Race Condition\uc774 \uac00\ub2a5\ud558\ub2e4.<\/p>\n

\uadf8\ub7ec\ubbc0\ub85c
\n?page=index&debug_mode=31337 \uc5d0 zip file\uc744 Upload\ud558\uba74
\n\/tmp\/php[0-9a-zA-Z]{6} \uc758 \ud30c\uc77c\uba85\uc744 \ucd9c\ub825\ud574\uc900 \ud6c4 \ubb34\ud55c\ub8e8\ud504\uc5d0 \ube60\uc838 delay\uac00 \ub418\uace0
\n\ucd9c\ub825\ub41c \ud30c\uc77c\uba85\uc744 \ubc14\ud0d5\uc73c\ub85c ?page=zip:\/\/\/tmp\/phpabcdef%23bar&cmd=ls -al \uc5d0 \uc811\uc18d\ud574\uc8fc\uba74
\n\uc544\uc9c1 \uc0ad\uc81c\ub418\uc9c0 \uc54a\uc740 \uc784\uc2dc\ud30c\uc77c\uc744 unzip\ud558\uace0 include\ud574\uc11c Remote Code Excution\uc744 \ud560 \uc218 \uc788\ub2e4.<\/p>\n

include \ud560 \ub54c \ubcc0\uc218 \uc55e\uc5d0 “.\/” \ub97c \ubd99\uc5ec\uc11c wrapper \uc0ac\uc6a9\uc744 \ub9c9\ub294 \ubc29\ubc95\uc73c\ub85c \ud328\uce58\ud588\ub2e4.<\/p>\n","protected":false},"excerpt":{"rendered":"

\uce68\ud574\ub300\uc751\uc740 2\ubb38\uc81c\uac00 \ucd9c\uc81c\ub418\uc5c8\uace0 \ubb38\uc81c\ub2f9 \uc11c\ubc84 1\ub300\uc529\uc744 \uac01 \ud300\uc5d0\uac8c \uc9c0\uae09\ud588\ub2e4. \uc790\uc2e0\uc758 \uc11c\ubc84\uc758 \ucde8\uc57d\uc810\uc744 \ucc3e\uc544\ub0b4 Flag\ub97c \uc778\uc99d\ud558\uba74 ssh\uacc4\uc815\uc744 \uc8fc\uc5b4 \ud328\uce58\uac00 \uac00\ub2a5\ud558\uace0, \ub2e4\ub978\ud300\uc758 \ud328\uce58\uac00 \uc548\ub41c \uc11c\ubc84\ub97c \uacf5\uaca9\ud574 \ucd94\uac00\ub4dd\uc810\uc774 \uac00\ub2a5\ud558\ub2e4. —- \uacbd\uc0c1\ubd81\ub3c4 \ubb38\uc81c\ub294 \ud68c\uc6d0\uac00\uc785, \ub85c\uadf8\uc778, \uc0ac\uc9c4\uc62c\ub9ac\uae30 \uae30\ub2a5\uc774 \uc788\ub2e4. $uploadfile = $uploaddir . basename($_FILES[‘ufl’][‘name’]); if (move_uploaded_file($_FILES[‘ufl’][‘tmp_name’], $uploadfile)){ \uc0ac\uc9c4\uc744 \uc62c\ub9b4 \ub54c \ubcc4\ub3c4\uc758 \ud544\ud130\ub9c1\uc774 \uc5c6\uc73c\ub2c8 webshell upload\uac00 \uac00\ub2a5\ud558\ub2e4. \ub2e4\ub4e4 \uac04\ub2e8\ud788 \ucde8\uc57d\uc810\uc744 \ucc3e\uc544\ub0b4\uc5b4 \uc778\uc99d\ud558\uace0 \ud328\uce58\ud588\ub2e4. \uadf8\ub7f0\ub370 \uc0ac\uc2e4 \ub098\ub294 \ub300\ud68c\uc7a5\uc5d0 30\ubd84 \uc9c0\uac01\ud588\uace0 \ucde8\uc57d\uc810\uc744 \ucc3e\uc544\ub0b8 \uc2dc\uc810\uc5d0\uc11c 1\uac1c\ud300\uc744 \uc81c\uc678\ud558\uace0 \ubaa8\ub4e0 \uc11c\ubc84\uac00 \ud328\uce58\ub418\uc5b4 \uc788\uc5c8\ub2e4. \ub2e4\ub978 7\uac1c\ud300\uc758 flag\ub97c \uc5bb\uace0\uc2f6\ub2e4. \uc6f9\uc0ac\uc774\ud2b8\uac00 \uc804\ubc18\uc801\uc73c\ub85c \uc544\uc8fc \ucde8\uc57d\ud588\uae30\uc5d0 \ub2e4\ub978 \ubca1\ud130\ub97c \ud1b5\ud574 Flag\ub97c \uc5bb\uc744 \uc218 \uc788\uc744\uac70\ub77c \uc0dd\uac01\ud574\uc11c \uacc4\uc18d \uc18c\uc2a4\ucf54\ub4dc\ub97c \uc77d\uc5b4\ubcf4\uc558\ub2e4. if (preg_match(“\/[;`|&]\/”, $filename)) { die(“\ud30c\uc77c\uba85\uc5d0 \uc720\ud6a8\ud558\uc9c0 \uc54a\uc740 \ubb38\uc790\uac00 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4.”); } system(“rm -rf “.$row[‘filename’]); \uc0ac\uc9c4\uc744 \uc0ad\uc81c\ud560 \ub54c SQL Injection\uc744 \ud1b5\ud574 \uc6d0\ud558\ub294 filename\uc744 \ub9ac\ud134\uc2dc\ud0a4\uace0 linefeed\ub97c \ud1b5\ud574 \ud544\ud130\ub97c \uc6b0\ud68c\ud574\uc11c OS Command Injection\uc774 \uac00\ub2a5\ud558\ub2e4. Payload\ub294 del.php?idx=1 union select 1,2,’%0als -al’,4,5– – \uc774\ub7f0 \ubaa8\uc591\uc774 \ub418\uc5c8\ub2e4. \ub2e4\ub4e4 1\ubc88\uc9f8 \ucde8\uc57d\uc810\uc744 \ucc3e\uc544\ub0b8 \uc2dc\uc810\uc5d0\uc11c \ud328\uce58\ub97c \ub05d\ub0c8\uae30\uc5d0 \uc774 \ucd94\uac00\uc801\uc778 \ucde8\uc57d\uc810\uc744 \ud1b5\ud574\uc11c \ubaa8\ub4e0 \ud300\uc758 Flag\ub97c \uc5bb\uc744 \uc218 \uc788\uc5c8\ub2e4. system() \ud568\uc218\ub97c unlink() \ud568\uc218\ub85c \ub300\uccb4\ud574\uc11c OS Command Injection\uc744 \ub9c9\ub294 \ubc29\ubc95\uc73c\ub85c \ud328\uce58\ud588\ub2e4. —- \uc804\ub77c\ubd81\ub3c4 \ubb38\uc81c\ub294 \ud3c9\ubc94\ud55c \uac1c\uc778 \ube14\ub85c\uadf8\uc778\ub370 LFI \ucde8\uc57d\uc810\uc774 \uc874\uc7ac\ud55c\ub2e4. php wrapper\ub97c \uc0ac\uc6a9\ud574\uc11c \uc18c\uc2a4\ucf54\ub4dc leak\uc774 \uac00\ub2a5\ud558\ub2e4. ?page=php:\/\/filter\/convert.base64-encode\/resource=index \uc544\ub798\ub294 \ud575\uc2ec\uc774 \ub418\ub294 \ucf54\ub4dc\uc774\ub2e4. Remote Code Excution\uc744 \ud574\uc57c\ud558\ub294\ub370 include\ud560 \ub54c “.php”\uac00 \uac70\uc2ac\ub9b0\ub2e4. zip:\/\/ wrapper\ub97c \uc0ac\uc6a9\ud574\uc11c \uc6b0\ud68c\uac00 \uac00\ub2a5\ud558\ub2e4. ?page=zip:\/\/\/foo%23bar \uc774\ub807\uac8c \uacf5\uaca9\ud558\uba74 \/foo \ud30c\uc77c\uc744 \uc555\ucd95\ud574\uc81c\ud574\uc11c bar.php\ub97c include\ud55c\ub2e4. \uc774\uc81c \uc6d0\ud558\ub294 \uc7a5\uc18c\uc5d0 \ud30c\uc77c\uc744 \uc62c\ub9ac\ub294\uac8c \ubb38\uc81c\ub2e4. \ud6c4\uc220\ub420 \uacf5\uaca9\uc758 \uc6d0\ub9cc\ud55c \uc774\ud574\ub97c \uc704\ud574 php\uc758 \ud30c\uc77c \uc5c5\ub85c\ub4dc \ubc29\uc2dd\uc744 \uc124\uba85\ud558\uaca0\ub2e4. \uc11c\ubc84\uc5d0\uc11c \ud30c\uc77c \uc5c5\ub85c\ub4dc\uac00 \ud65c\uc131\ud654\ub418\uc5b4\uc788\uc744\uacbd\uc6b0 \ub9ac\ud018\uc2a4\ud2b8 \ud30c\uc77c\uc774 \uc874\uc7ac\ud558\uba74 php \ucf54\ub4dc\ub97c \uc2e4\ud589\ud558\uae30 \uc804\uc5d0 \/tmp\/php[0-9a-zA-Z]{6} \ub77c\ub294\uacf3\uc5d0 \uc784\uc2dc\ub85c \ud30c\uc77c\uc744 \uc5c5\ub85c\ub4dc\ud574\uc8fc\uace0, php\ucf54\ub4dc\uc758 \uc2e4\ud589\uc774 \ub05d\ub098\uba74 \ub2e4\uc2dc \uc0ad\uc81c\ud55c\ub2e4. \uadf8\ub9ac\uace0 php \ucf54\ub4dc\uc5d0\uc11c\ub294 $_FILES[‘name’][‘tmp_name’] \ub77c\ub294 \ubcc0\uc218\uc5d0 \ud574\ub2f9 \uc784\uc2dc \ud30c\uc77c\uc758 \uc774\ub984\uc774 \ub2f4\uae34\ub2e4. \uadf8\ub7ec\ubbc0\ub85c debug_mode \ub97c \ud1b5\ud574\uc11c \uc6b0\ub9ac\uac00 Upload\ud55c \ud30c\uc77c\uc758 tmp_name\uc744 \uc54c \uc218 \uc788\uace0, \ud574\ub2f9 \ud30c\uc77c\uc744 include \ud560 \uc218 \uc788\ub2e4. \uc5ec\uae30\uc11c \ubb38\uc81c\uac00 \uc0dd\uae34\ub2e4. 1. Request\uc5d0 zip \ud30c\uc77c\uc744 \uc5c5\ub85c\ub4dc\ud568\uacfc \ub3d9\uc2dc\uc5d0 \ud574\ub2f9 \ud30c\uc77c\uc758 \uacbd\ub85c\uac00 \ub2f4\uae34 \ud398\uc774\ub85c\ub4dc\ub97c \ubcf4\ub0b8\ub2e4. 2. \uc11c\ubc84\uc5d0\uc11c zip\ud30c\uc77c\uc744 \/tmp\/php[0-9a-zA-Z]{6} \uc5d0 \uc5c5\ub85c\ub4dc\ud55c\ub2e4. 3. php \ucf54\ub4dc\uac00 \uc2e4\ud589\ub418\uba74\uc11c zip wrapper\ub97c \ud1b5\ud574 \uc784\uc2dc\ud30c\uc77c\uc744 unzip\ud55c\ub2e4. \uc774 \uc21c\uc11c\ub85c \uacf5\uaca9\ub418\ub294\ub370, \ud30c\uc77c\uc744 \uc5c5\ub85c\ub4dc\ud560 \ub54c \uc774 \ud30c\uc77c\uc774 \uc5b4\ub290 \uc774\ub984\uc744 \uac00\uc9c0\uac8c \ub420\uc9c0 \ubbf8\ub9ac \uc54c \uc218 \uc5c6\ub2e4. \uc774 \uc2dc\uc810\uc5d0\uc11c debug_mode \uad00\ub828 \ubd84\uae30\ubb38\uc744 \ub2e4\uc2dc \ud55c \ubc88 \uc0b4\ud3b4\ubcf4\uc790. ob_start(); var_dump(get_defined_vars()); ob_flush(); ob_end_clean(); \uc774\ub7f0 \ucf54\ub4dc\uac00 \uc788\ub294\ub370 ob_ \uc2dc\ub9ac\uc988 \ud568\uc218\ub4e4 php\ub85c \uc6f9 irc\ub97c \uad6c\ud604\ud574\ubcfc \ub54c \ubcf8\uc801\uc788\ub2e4. php \ucf54\ub4dc\uac00 \uc2e4\ud589\ub418\ub294 \ub3c4\uc911\uc5d0 \uac12\uc744 \ucd9c\ub825\ud574\uc8fc\ub294 \uc5ed\ud560\uc774\uc600\ub2e4. ( http:\/\/php.net\/manual\/kr\/function.ob-flush.php ) \uadf8\ub807\ub2e4\uba74 index.php \ud30c\uc77c\uc5d0\uac8c index.php \ud30c\uc77c\uc744 include \uc2dc\ucf1c \ubb34\ud55c\ub8e8\ud504\uc5d0 \ube60\uc9c0\uac8c \ud574\uc11c, 3. php \ucf54\ub4dc\uac00 \uc2e4\ud589\ub418\uba74\uc11c zip wrapper\ub97c \ud1b5\ud574 \uc784\uc2dc\ud30c\uc77c\uc744 unzip\ud55c\ub2e4. \uc774 \ubd80\ubd84\uc5d0\uc11c \uc2dc\uac04\uc774 \uc9c0\uc5f0\ub418\uba74, php \ucf54\ub4dc\uc758 \uc2e4\ud589\uc774 \ub05d\ub09c \ud6c4 \uc784\uc2dc\ud30c\uc77c\uc744 \uc0ad\uc81c\ud558\ub294 \ud589\ub3d9 \ub610\ud55c \uc9c0\uc5f0\ub418\uba70, ob_flush() \ud568\uc218 \ub355\ubd84\uc5d0 \uc9c0\uc5f0\ub418\uae30 \uc774\uc804\uc758 \ucd9c\ub825\uac12. \uc989 \/tmp\/php[0-9a-zA-Z]{6} \uc758 \uc774\ub984\ub610\ud55c \uc54c \uc218 \uc788\ub2e4. \ub530\ub77c\uc11c Race Condition\uc774 \uac00\ub2a5\ud558\ub2e4. \uadf8\ub7ec\ubbc0\ub85c ?page=index&debug_mode=31337 \uc5d0 zip file\uc744 Upload\ud558\uba74 \/tmp\/php[0-9a-zA-Z]{6} \uc758 \ud30c\uc77c\uba85\uc744 \ucd9c\ub825\ud574\uc900 \ud6c4 \ubb34\ud55c\ub8e8\ud504\uc5d0 \ube60\uc838 delay\uac00 \ub418\uace0 \ucd9c\ub825\ub41c \ud30c\uc77c\uba85\uc744 \ubc14\ud0d5\uc73c\ub85c ?page=zip:\/\/\/tmp\/phpabcdef%23bar&cmd=ls -al \uc5d0 \uc811\uc18d\ud574\uc8fc\uba74 \uc544\uc9c1 \uc0ad\uc81c\ub418\uc9c0 \uc54a\uc740 \uc784\uc2dc\ud30c\uc77c\uc744 unzip\ud558\uace0 include\ud574\uc11c Remote Code Excution\uc744 \ud560 \uc218 \uc788\ub2e4. include \ud560 \ub54c \ubcc0\uc218 \uc55e\uc5d0 “.\/” \ub97c \ubd99\uc5ec\uc11c wrapper \uc0ac\uc6a9\uc744 \ub9c9\ub294 \ubc29\ubc95\uc73c\ub85c \ud328\uce58\ud588\ub2e4.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/68"}],"collection":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/comments?post=68"}],"version-history":[{"count":3,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/68\/revisions"}],"predecessor-version":[{"id":84,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/68\/revisions\/84"}],"wp:attachment":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/media?parent=68"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/categories?post=68"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/tags?post=68"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}