SSRF
공쓰기
2022. 5. 26. 16:30
▶ SSRF 1번
문제
http://normalskinfosec.com:8080/include/db_conf.php
▶ SSRF 2번
문제
<?php header("Content-Type: text/html; charset=UTF-8");?>
<?php include_once "include/common/declare.php";?>
<?php include_once "../request_log_ssrf2.php";?>
<?php
$user = nvl( $_GET['title'],'1');
if ( $_SESSION["ADMIN_YN"] === "Y" ){
echo $_SESSION["ADMIN_YN"];
?>
<!doctype html>
<html lang="ko" style="height:100%;">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0" />
<title>EQST 보안교육센터</title>
<link rel="shortcut icon" href="favicon.ico">
<link rel="stylesheet" href="../css/style.css" />
<script type="text/javascript" src="../js/libs/jquery-1.11.3.min.js"></script>
<script type="text/javascript" src="../js/libs/jquery-ui.js"></script>
<script type="text/javascript" src="../js/libs/jquery.bxslider.min.js"></script>
<script type="text/javascript" src="../js/libs/nice-select/nice-select.js"></script>
<script type="text/javascript" src="../js/libs/dotdotdot/dotdotdot.js"></script>
<script type="text/javascript" src="../js/libs/datepicker.js"></script>
<!--<script type="text/javascript" src="./commons.js"></script>-->
<link rel="stylesheet" href="../css/libs/jquery-ui.css" />
<script type="text/javascript">
$(function() {
    // Form actions shared by the handlers below; published on the jQuery object
    // so that inline handlers such as search() can reach them.
    $.customFn = {
        // Submit the search form as it currently stands.
        boardReg : function(){
            $("#searchForm").submit();
        },
        // Reset paging to page 1 and post the form to notice.php with the chosen sort.
        sortingProcess : function(){
            $('#pageIndex').val('1');
            $("#searchForm").attr("action", "notice.php").submit();
        },
        // Reset paging and submit, refusing a date range with only one end filled in.
        searchProcess : function(){
            $('#pageIndex').val('1');
            var from = $("#startDt").val();
            var to = $("#endDt").val();
            var onlyFrom = (from != "" && to == "");
            var onlyTo = (to != "" && from == "");
            if (onlyFrom || onlyTo) {
                alert("작성일을 입력해주세요.");
                return false;
            }
            $("#searchForm").submit();
        }
    };

    $(document).ready(function() {
        // Client-side convenience redirect only: a browser can skip this script,
        // so access control has to be enforced by the server-side session check.
        var userMissing = ($("#userName").val() == '');
        if (userMissing) {
            alert("로그인이 필요합니다.");
            location.href = "/login.php";
            return;
        }

        // The query string assembled here is never read afterwards in this block.
        var query = '';
        if ($("#keyword").val() != '') {
            query += '&searchType=' + $("#searchType").val() + '&keyword=' + $("#keyword").val();
        }
        if ($("#startDt").val() != '') {
            query += '&startDt=' + $("#startDt").val() + '&endDt=' + $("#endDt").val();
        }
        if ($("#sorting").val() != '') {
            query += '&sorting=' + $("#sorting").val();
        }
    });

    // Assigned without `var`, so these become globals exactly as in the original.
    btnReg = $("#btnReg");
    btnSearch = $("#btnSearch");
    sortingTitle = $("#sortingTitle");
    sortingRegUserNm = $("#sortingRegUserNm");
    sortingRegDt = $("#sortingRegDt");
    sortingTitle2 = $("#sortingTitle2");
    sortingRegUserNm2 = $("#sortingRegUserNm2");
    sortingRegDt2 = $("#sortingRegDt2");

    // Register a post
    btnReg.click(function(e) {
        e.preventDefault();
        $.customFn.boardReg();
    });

    // The click binding for btnSearch is commented out in the original, so the
    // search button has no handler here.

    // Bind one sort link: store the column and direction in the hidden fields
    // ("sotingAd" is the field id as spelled in the page) and resubmit.
    function bindSort(link, column, direction) {
        link.click(function(e){
            e.preventDefault();
            $('#sorting').val(column);
            $("#sotingAd").val(direction);
            $.customFn.sortingProcess();
        });
    }

    // The un-suffixed links always sort ascending (an ASC/DESC toggle is
    // commented out in the original); the "2" links sort descending.
    bindSort(sortingTitle, 'title', "ASC");
    bindSort(sortingTitle2, 'title', "DESC");
    bindSort(sortingRegUserNm, 'regUserNm', "ASC");
    bindSort(sortingRegUserNm2, 'regUserNm', "DESC");
    bindSort(sortingRegDt, 'REG_DT', "ASC");
    bindSort(sortingRegDt2, 'REG_DT', "DESC");
});
// Key handler: run the search when the pressed key is Enter (keyCode 13).
// Reads the key from window.event rather than from a handler argument.
function search(){
    var enterPressed = (window.event.keyCode == 13);
    if (!enterPressed) {
        return;
    }
    $.customFn.searchProcess();
}
// Open one post: put its id into the form's board_id field and submit the
// form to noticeview.php with GET.
function goView(ol){
    var form = document.searchForm;
    form.board_id.value = ol;
    form.action = "noticeview.php";
    form.method = "GET";
    form.submit();
}
</script>
</head>
<body class="set_size">
<!--[s] header -->
<?php include_once('./include/header.php') ?>
<!--[e] header -->
<!--[s] main-container-->
<div class="main-container" id="main-container">
<script type="text/javascript">
try{ace.settings.check('main-container' , 'fixed')}catch(e){}
</script>
<!--[s] main-content-->
<div class="main-content">
<div class="main-content-inner">
<div class="page-content">
<div class="page-header">
<h1>
<i class="ace-icon fa fa-ellipsis-v orange"></i>
DB 연결 페이지(비공개)
</h1><br>
<span id="search_word"></span>
</div>
<div class="hr10"></div>
<font size=3 >
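<!-- DB connection form. The form now wraps the table (a <form> directly inside
     <table> is invalid nesting), the <font> tags are closed, and the password is
     masked with autocomplete off so it is neither shown on screen nor remembered
     by the browser. Field names are unchanged.
     NOTE(review): no anti-CSRF token is posted; add one if the handler is kept. -->
<form method="post" autocomplete="off">
<table width="30%">
<tr><td width="50%" align="right" style="padding: 10px;"><font color="#ff9933">Remote Host IP: </font></td><td width="50%" align="center"><input type="text" name="host" value="127.0.0.1"></td></tr>
<tr><td width="50%" align="right"><font color="#ff9933">DB Username: </font></td><td width="50%" align="center"><input type="text" name="uname" value=""></td></tr>
<tr><td width="50%" align="right"><font color="#ff9933">DB Password: </font></td><td width="50%" align="center"><input type="password" name="pass" value="" autocomplete="off"></td></tr>
</table>
<br>
<input type="submit" name="sbmt" value="DB 접속하기">
</form>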
<?php
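// Runs when the DB connection form is posted: opens a connection with the
// submitted username/password and prints the value returned by db::getanswer().
if(isset($_POST['sbmt']))
{
    // A missing field or an array value (e.g. host[]=x) becomes '' instead of
    // being passed to trim().
    $host  = (isset($_POST['host'])  && is_string($_POST['host']))  ? trim($_POST['host'])  : '';
    $uname = (isset($_POST['uname']) && is_string($_POST['uname'])) ? trim($_POST['uname']) : '';
    $pass  = (isset($_POST['pass'])  && is_string($_POST['pass']))  ? trim($_POST['pass'])  : '';

    // db::getInstance(), as listed further down this page, does not use its
    // first argument and always connects to the fixed host "mariadb"; $host is
    // passed only to keep the call signature.
    // NOTE(review): this lets any holder of an admin session try database
    // credentials from the browser; consider attempt limiting and logging.
    try {
        $db = db::getInstance($host, $uname, $pass);
        $return = $db->getanswer();

        // The value comes from the database and is written into HTML, so it is
        // escaped for the HTML context before output.
        echo '<br><br>'.htmlspecialchars((string) $return, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    } catch (mysqli_sql_exception $e) {
        // Raised when mysqli runs in exception mode (the default from PHP 8.1).
        // Show a generic message so driver errors and stack traces, which can
        // carry the submitted credentials, do not reach the page.
        echo '<br><br>DB 접속에 실패했습니다.';
    }
}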
?>
<script>
// Live search: on every key release in #keyword, post the serialized search
// form to noticeHTML.php and replace the table body with the returned markup.
// The response is inserted as HTML, so the server side is responsible for
// escaping whatever it echoes back.
$('#keyword').on('keyup', function(evt) {
    evt.preventDefault();
    //var ov = '검색 결과 : ' + $('#keyword').val();
    //$('#search_word').html(ov);
    var formData = $("form[name=searchForm]").serialize();
    var request = {
        type : 'post',
        url : './noticeHTML.php',
        data : formData,
        dataType : 'html',
        // Surface the transport error text to the user.
        error : function(xhr, status, error){
            alert(error);
        },
        success : function(dataov){
            $('tbody').html(dataov);
        }
    };
    $.ajax(request);
});
</script>
<!--[s] wrap_pagenation -->
<div class="box_table_bottom">
<div class="pull-center">
<!--[s] pagenation -->
<ul class="pagination">
<?php
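// 'PHP_SELF' has to be a quoted key: the bare word is read as an undefined
// constant (a warning on PHP 7.2+, a fatal Error on PHP 8).
// NOTE(review): $rowsCntArr, $pageIndex and $pageSize are not assigned anywhere
// in this page as shown; confirm an include defines them. PHP_SELF contains
// client-supplied path text, so pagingType2() must escape it if it prints it.
pagingType2( $rowsCntArr["tCnt"] , $pageIndex , 10 , $pageSize , $_SERVER['PHP_SELF'] , '');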
?>
</ul>
<!--[e] pagenation -->
</div>
</div>
<!--[s] wrap_pagenation -->
</div><!-- [e] col-xs-12-->
</div><!--[e] row-->
</div><!-- /.page-content -->
</div>
</div><!-- /.main-content -->
</div><!-- /.main-container -->
</body>
</html>
<?php
}
else
{
echo("<script>location.replace('admin_login.php');</script>");
}
?>
<?php header("Content-Type: text/html; charset=UTF-8");?>
<?php include_once "include/common/declare.php";?>
<?php include_once "../request_log_ssrf2.php";?>
<?php
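// Read the optional "title" query parameter, with '1' passed to nvl() as the
// fallback. isset() avoids the undefined-index notice when the parameter is
// absent; nvl() still receives null in that case, as before.
// $user is not read in this page as shown; it is kept because included files
// share this scope (presumably header.php uses it; confirm).
$user = nvl( isset($_GET['title']) ? $_GET['title'] : null , '1');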
?>
<!doctype html>
<html lang="ko" style="height:100%;">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0" />
<title>EQST 보안교육센터</title>
<link rel="shortcut icon" href="favicon.ico">
<link rel="stylesheet" href="../css/style.css" />
<script type="text/javascript" src="../js/libs/jquery-1.11.3.min.js"></script>
<script type="text/javascript" src="../js/libs/jquery-ui.js"></script>
<script type="text/javascript" src="../js/libs/jquery.bxslider.min.js"></script>
<script type="text/javascript" src="../js/libs/nice-select/nice-select.js"></script>
<script type="text/javascript" src="../js/libs/dotdotdot/dotdotdot.js"></script>
<script type="text/javascript" src="../js/libs/datepicker.js"></script>
<!--<script type="text/javascript" src="./commons.js"></script>-->
<link rel="stylesheet" href="../css/libs/jquery-ui.css" />
<script type="text/javascript">
$(function() {
    // Form actions shared by the handlers below; published on the jQuery object
    // so that inline handlers such as search() can reach them.
    $.customFn = {
        // Submit the search form as it currently stands.
        boardReg : function(){
            $("#searchForm").submit();
        },
        // Reset paging to page 1 and post the form to notice.php with the chosen sort.
        sortingProcess : function(){
            $('#pageIndex').val('1');
            $("#searchForm").attr("action", "notice.php").submit();
        },
        // Reset paging and submit, refusing a date range with only one end filled in.
        searchProcess : function(){
            $('#pageIndex').val('1');
            var from = $("#startDt").val();
            var to = $("#endDt").val();
            var onlyFrom = (from != "" && to == "");
            var onlyTo = (to != "" && from == "");
            if (onlyFrom || onlyTo) {
                alert("작성일을 입력해주세요.");
                return false;
            }
            $("#searchForm").submit();
        }
    };

    $(document).ready(function() {
        // Client-side convenience redirect only: a browser can skip this script,
        // so access control has to be enforced by the server-side session check.
        var userMissing = ($("#userName").val() == '');
        if (userMissing) {
            alert("로그인이 필요합니다.");
            location.href = "/login.php";
            return;
        }

        // The query string assembled here is never read afterwards in this block.
        var query = '';
        if ($("#keyword").val() != '') {
            query += '&searchType=' + $("#searchType").val() + '&keyword=' + $("#keyword").val();
        }
        if ($("#startDt").val() != '') {
            query += '&startDt=' + $("#startDt").val() + '&endDt=' + $("#endDt").val();
        }
        if ($("#sorting").val() != '') {
            query += '&sorting=' + $("#sorting").val();
        }
    });

    // Assigned without `var`, so these become globals exactly as in the original.
    btnReg = $("#btnReg");
    btnSearch = $("#btnSearch");
    sortingTitle = $("#sortingTitle");
    sortingRegUserNm = $("#sortingRegUserNm");
    sortingRegDt = $("#sortingRegDt");
    sortingTitle2 = $("#sortingTitle2");
    sortingRegUserNm2 = $("#sortingRegUserNm2");
    sortingRegDt2 = $("#sortingRegDt2");

    // Register a post
    btnReg.click(function(e) {
        e.preventDefault();
        $.customFn.boardReg();
    });

    // The click binding for btnSearch is commented out in the original, so the
    // search button has no handler here.

    // Bind one sort link: store the column and direction in the hidden fields
    // ("sotingAd" is the field id as spelled in the page) and resubmit.
    function bindSort(link, column, direction) {
        link.click(function(e){
            e.preventDefault();
            $('#sorting').val(column);
            $("#sotingAd").val(direction);
            $.customFn.sortingProcess();
        });
    }

    // The un-suffixed links always sort ascending (an ASC/DESC toggle is
    // commented out in the original); the "2" links sort descending.
    bindSort(sortingTitle, 'title', "ASC");
    bindSort(sortingTitle2, 'title', "DESC");
    bindSort(sortingRegUserNm, 'regUserNm', "ASC");
    bindSort(sortingRegUserNm2, 'regUserNm', "DESC");
    bindSort(sortingRegDt, 'REG_DT', "ASC");
    bindSort(sortingRegDt2, 'REG_DT', "DESC");
});
// Key handler: run the search when the pressed key is Enter (keyCode 13).
// Reads the key from window.event rather than from a handler argument.
function search(){
    var enterPressed = (window.event.keyCode == 13);
    if (!enterPressed) {
        return;
    }
    $.customFn.searchProcess();
}
// Open one post: put its id into the form's board_id field and submit the
// form to noticeview.php with GET.
function goView(ol){
    var form = document.searchForm;
    form.board_id.value = ol;
    form.action = "noticeview.php";
    form.method = "GET";
    form.submit();
}
</script>
</head>
<body class="set_size">
<!--[s] header -->
<?php include_once('./include/header.php') ?>
<!--[e] header -->
<!--[s] main-container-->
<div class="main-container" id="main-container">
<script type="text/javascript">
try{ace.settings.check('main-container' , 'fixed')}catch(e){}
</script>
<!--[s] main-content-->
<div class="main-content">
<div class="main-content-inner">
<div class="page-content">
<div class="page-header">
<h1>
<i class="ace-icon fa fa-ellipsis-v orange"></i>
관리자 페이지(비공개)
</h1><br>
<span id="search_word"></span>
</div>
<div class="hr10"></div>
<form name="LoginFm" id="LoginFm" method="POST" >
<input type="hidden" name="returnurl" id="returnurl" value="" >
<!--[s] wrap_login-->
<div class="wrap_login" >
<ul class="box_login">
<li class="tit"> 관리자 페이지</li>
<li><input type="text" name="login_id" value="" tabindex="1" id="login_id" placeholder="아이디" class="userID" /></li>
<li><input type="password" name="login_pwd" value="" tabindex="2" id="login_pwd" placeholder="패스워드" class="userPW" /></li>
<li class="line_btn">
<input class="btn_login" type=submit name=okdk value="로그인">
</li>
</ul>
</div>
<!--[e] wrap_login-->
</form>
<?php
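// Runs when the admin login form is posted: checks the submitted id/password
// and, on a match, marks the session as administrator and redirects to admin.php.
if(isset($_POST['okdk']))
{
    // A missing field or an array value (e.g. login_id[]=x) becomes '' instead
    // of being passed to trim().
    $id = (isset($_POST['login_id'])  && is_string($_POST['login_id']))  ? trim($_POST['login_id'])  : '';
    $pw = (isset($_POST['login_pwd']) && is_string($_POST['login_pwd'])) ? trim($_POST['login_pwd']) : '';

    // NOTE(review): the administrator id and password are literals in this
    // file, so anyone who can read the source has them. Store a password_hash()
    // value outside the web root and check it with password_verify().
    // hash_equals() keeps the comparison time independent of how many leading
    // characters match; both checks run before they are combined.
    $idMatches = hash_equals("adminuser", $id);
    $pwMatches = hash_equals("adminpassword", $pw);

    if($idMatches && $pwMatches)
    {
        // NOTE(review): the session id should be regenerated when privileges
        // change (session_regenerate_id(true)), but page output has already
        // started here; move this handler above the markup to be able to do so.
        $_SESSION['ADMIN_YN'] = "Y";
        echo("<script>location.replace('admin.php');</script>");
    }
    else
    {
        echo "<br><br>아이디/패스워드가 일치하지 않습니다.";
    }
    // Commented-out leftover from the original, not executed:
    //$file=trim('192.168.2.142/'.$_POST['file']);
}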
?>
<script>
// Live search: on every key release in #keyword, post the serialized search
// form to noticeHTML.php and replace the table body with the returned markup.
// The response is inserted as HTML, so the server side is responsible for
// escaping whatever it echoes back.
$('#keyword').on('keyup', function(evt) {
    evt.preventDefault();
    //var ov = '검색 결과 : ' + $('#keyword').val();
    //$('#search_word').html(ov);
    var formData = $("form[name=searchForm]").serialize();
    var request = {
        type : 'post',
        url : './noticeHTML.php',
        data : formData,
        dataType : 'html',
        // Surface the transport error text to the user.
        error : function(xhr, status, error){
            alert(error);
        },
        success : function(dataov){
            $('tbody').html(dataov);
        }
    };
    $.ajax(request);
});
</script>
<!--[s] wrap_pagenation -->
<div class="box_table_bottom">
<div class="pull-center">
<!--[s] pagenation -->
<ul class="pagination">
<?php
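// 'PHP_SELF' has to be a quoted key: the bare word is read as an undefined
// constant (a warning on PHP 7.2+, a fatal Error on PHP 8).
// NOTE(review): $rowsCntArr, $pageIndex and $pageSize are not assigned anywhere
// in this page as shown; confirm an include defines them. PHP_SELF contains
// client-supplied path text, so pagingType2() must escape it if it prints it.
pagingType2( $rowsCntArr["tCnt"] , $pageIndex , 10 , $pageSize , $_SERVER['PHP_SELF'] , '');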
?>
</ul>
<!--[e] pagenation -->
</div>
</div>
<!--[s] wrap_pagenation -->
</div><!-- [e] col-xs-12-->
</div><!--[e] row-->
</div><!-- /.page-content -->
</div>
</div><!-- /.main-content -->
</div><!-- /.main-container -->
</body>
</html>
<?php
include_once "include/common/property.php";
include_once "include/common/class.db.php";
include_once "include/common/common.function.php";
?>
<?php
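/**
 * Thin mysqli subclass with two cached connections and raw-SQL helper methods.
 *
 * Every helper (selectS, insertS, updateS, deleteS) executes the SQL string it
 * is given verbatim. Callers must build that string from constants only, or
 * bind values with prepare()/bind_param(); request data must never be
 * concatenated into it.
 */
class db extends mysqli {
    /** @var db|null Connection cached by getInstance() and by getAutoInstance('') */
    private static $instance;
    /** @var db|null Connection cached by getAutoInstance() for a non-empty $_db */
    private static $instance1;

    /**
     * Return the cached connection, opening it with the supplied credentials on first use.
     *
     * $_db is accepted but not used: the host is fixed to "mariadb" and the
     * schema to "skinfosec".
     *
     * NOTE(review): the cache slot is shared with getAutoInstance(''). Once either
     * method has opened a connection in this process, later calls return it
     * whatever credentials they pass, so the result of this method is not proof
     * that $_db_user/$_db_pass were accepted by the server.
     *
     * @param mixed  $_db      unused
     * @param string $_db_user database user name
     * @param string $_db_pass database password
     * @return db
     */
    public static function getInstance($_db, $_db_user, $_db_pass){
        if( ! isset( self::$instance ) ){
            //self::$instance = new db( db_host , db_user , db_pass , db_db );
            // NOTE(review): the original comment here spelled out the operational
            // DB host, user and password; credentials do not belong in source comments.
            self::$instance = new db( "mariadb" , $_db_user, $_db_pass, "skinfosec" );
        }
        return self::$instance;
    }

    /**
     * Return a cached connection opened with the built-in service account.
     *
     * An empty $_db selects the first cache slot, anything else the second;
     * both connect to the same host and schema, and the value of $_db is not
     * otherwise used.
     *
     * NOTE(review): the account name and password are literals in this file, so
     * every reader of the source (or of a backup or repository copy) holds them.
     * Load them from configuration kept outside the web root, rotate the current
     * password, and give the account only the privileges the pages need.
     *
     * @param string $_db selects the cache slot ('' or anything else)
     * @return db
     */
    public static function getAutoInstance($_db){
        if ($_db == ''){
            if( ! isset( self::$instance ) ){
                //self::$instance = new db( db_host , db_user , db_pass , db_db );
                self::$instance = new db( "mariadb" , "ssrf_user" , "ssrf12#$" , "skinfosec" );
            }
            return self::$instance;
        }

        if( ! isset( self::$instance1 ) ){
            //self::$instance1 = new db( db_host , db_user , db_pass , $_db );
            self::$instance1 = new db("mariadb" , "ssrf_user" , "ssrf12#$" , "skinfosec" );
        }
        return self::$instance1;
    }

    /**
     * Connect and switch the connection character set to utf8.
     *
     * NOTE(review): a failed connect is not handled here; depending on the mysqli
     * report mode it either throws mysqli_sql_exception or leaves an unusable
     * object. Callers that pass user-supplied credentials should catch it.
     */
    public function __construct( $host , $user , $pass , $db ){
        $this->connect( $host , $user , $pass , $db );
        $this->set_charset( 'utf8' );
    }

    /** Close the connection when the object is destroyed. */
    public function __destruct() {
        $this->close();
    }

    /**
     * Run a query and return its rows as a list of objects.
     *
     * @param string $query SQL to execute verbatim (see the class note on untrusted input)
     * @return array|null list of row objects, or null when the query failed,
     *                    produced no result set, or matched no rows
     */
    public function selectS( $query ){
        $result = $this->query( $query );

        // query() yields false on failure and true for statements without a
        // result set; only a mysqli_result can be iterated.
        if( ! ( $result instanceof mysqli_result ) ){
            return null;
        }

        $data = array();
        while( $row = $result->fetch_object() ){
            $data[] = $row;
        }
        $result->free();

        return count( $data ) === 0 ? null : $data;
    }

    /**
     * Run an INSERT and return the connection's insert_id afterwards.
     *
     * @param string $query SQL to execute verbatim
     * @return int|string
     */
    public function insertS( $query ){
        $this->query( $query );
        return $this->insert_id;
    }

    /**
     * Run an UPDATE and return the connection's affected_rows afterwards.
     *
     * @param string $query SQL to execute verbatim
     * @return int|string
     */
    public function updateS( $query ){
        $this->query( $query );
        return $this->affected_rows;
    }

    /**
     * Run a DELETE and return the connection's affected_rows afterwards.
     *
     * @param string $query SQL to execute verbatim
     * @return int|string
     */
    public function deleteS( $query ){
        $this->query( $query );
        return $this->affected_rows;
    }

    /**
     * Return answer_column of the first row of ssrf_answer.
     *
     * @return mixed|null the column value, or null when the table is empty or
     *                    the query failed
     */
    public function getanswer(){
        $rows = $this->selectS( "select answer_column from ssrf_answer" );

        // selectS() returns null when there is nothing to read; do not index into it.
        if( $rows === null ){
            return null;
        }
        return $rows[0]->answer_column;
    }
}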
?>
▶ SSRF 3번
문제
▶ SSRF 4번
문제
http://normalskinfosec2.com:8080/include/db_conf.php
▶ 데이터 평문 전송
문제
▶ 디렉토리
문제