🕹️ 6. File Upload

🕹️ Mock hacking exercise challenge

🕹️ Following the mock hacking exercise ▶

STEP_1) Click the 'Write post' button

STEP_2) Write arbitrary post content, attach a JSP web shell file, and click the 'Upload post' button

STEP_3) Confirm through the popup window that the post was uploaded normally

STEP_4) Open the uploaded post

STEP_5) Use the browser developer tools (F12) to find the URL of the attached file

STEP_6) Request the obtained URL with a cmd parameter value (the Linux command ls)

STEP_7) Confirm that the command runs normally

STEP_8) Requesting with a cmd parameter value that searches for the 'flag.txt' file (find / -name flag.txt) reveals the location of that file

STEP_9) Requesting with a cmd parameter value that reads the 'flag.txt' file (cat /path/flag.txt) reveals the FLAG value
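What the steps above leave behind on the server side, and how a defender would spot them, as an added example that is not part of the original page: a small Python scanner over constructed Apache combined-format log lines flags requests under the attachment path whose file name carries a server-side script extension (including the case-changed and ';'-suffixed variants from the inspection method below) and requests that carry a cmd parameter. The sample log lines, the /upload/ prefix, the parameter name cmd and the extension list are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format (not taken from the page).
# They mirror the exercise: a post is written, an image is fetched, then a JSP
# under the upload path is requested with a cmd parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0900] "POST /board/write.do HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:01:09 +0900] "GET /upload/attach/20240312_1.jpg HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:01:30 +0900] "GET /upload/attach/shell.jsp?cmd=ls HTTP/1.1" 200 734 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2024:10:02:01 +0900] "GET /upload/attach/shell.JsP?cmd=find+/+-name+flag.txt HTTP/1.1" 200 91 "-" "curl/8.0"
10.0.0.7 - - [12/Mar/2024:10:02:40 +0900] "GET /upload/attach/photo.asp;.jpg HTTP/1.1" 200 211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Server-side script extensions named in the checklist plus common aliases (assumption).
SCRIPT_EXTS = {"asp", "aspx", "asa", "cer", "jsp", "jspx", "jsv", "jsw",
               "php", "php3", "phtml", "cgi"}
UPLOAD_PREFIX = "/upload/"   # assumed location of the attachment directory
CMD_PARAM = "cmd"            # parameter name used in the exercise


def script_extensions(path):
    """Return every script extension found in the final path component.

    The name is URL-decoded and lowercased, then split on '.', ';' and NUL so
    that 'shell.JsP', 'photo.asp;.jpg' and 'a.jsp%00.jpg' are all reported.
    """
    name = unquote(path).rsplit("/", 1)[-1].lower()
    parts = re.split(r"[.;\x00]", name)
    return [p for p in parts[1:] if p in SCRIPT_EXTS]


def analyze_log(text):
    """Scan combined-format log lines; return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        url = urlsplit(m.group("target"))
        path = unquote(url.path)
        if not path.lower().startswith(UPLOAD_PREFIX):
            continue                      # only attachment requests are in scope here
        reasons = []
        exts = script_extensions(url.path)
        if exts:
            reasons.append("script extension in upload dir: " + ",".join(exts))
        params = parse_qs(url.query)
        if CMD_PARAM in params:
            reasons.append(f"{CMD_PARAM} parameter: {params[CMD_PARAM][0]}")
        if reasons:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": int(m.group("status")),
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["path"], "->", "; ".join(f["reasons"]))
```

A hit with status 200 on a script extension under the upload directory is the strongest signal: it means the server not only accepted the file but executed it, which is exactly the condition the judgment criteria below call vulnerable.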


O A vulnerability in which the file upload function can be used to upload malicious files, such as server-side scripts or web programs capable of executing system commands


O Reference material

☞ 주요정보통신기반시설 기술적 취약점 분석 평가 상세 가이드 (Detailed Guide for Technical Vulnerability Analysis and Evaluation of Critical Information and Communication Infrastructure), p.707


O Judgment criteria

Good: extension validation is performed on uploaded files
Vulnerable: extension validation is not performed on uploaded files


O Inspection method

- Attempt to upload script files (ASP, JSP, PHP, ASPX, etc.)

: Check whether a server-side script file can be uploaded through the file attachment function of a user bulletin board

: Check whether the uploaded server-side script file can be executed from the browser address bar

: Use extension bypass techniques for the uploaded file

: Change the case of the extension (ex: jsp → JsP, JSp)

: Change the extension (ex: jsp → jspx, jsv, jsw, etc. / asp → cer, asa, etc. / php → php3, cgi, etc.)

: Append a trailing string (Linux: .jsp → .jsp.jpg / Windows: .asp → .asp;.jpg), inserted after URL decoding


O Remediation

- Implement the upload so that files with extensions other than those allowed for the service cannot be uploaded

: Apply filtering so that content that may contain malicious code, such as video and executable files (avi, exe, etc.), cannot be uploaded

- Prohibit the upload and execution of server-side script files wherever a file upload function exists

- Place the upload directory outside the web directory

: If it must be inside the web directory, remove the server-side script execution attribute from that upload directory

- When a path value is received from the user and processed, implement validation logic so the path cannot be tampered with

: Treat it as an error if strings such as "../" or "..\" are included

: Validate that only characters of the designated upload directory can be included

- Randomize file names so that they cannot be guessed

- Limit exposure of the upload path in response values

- Periodically run virus scans on the uploaded files
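The remediation items above and the bypass list in the inspection method describe one validation routine. As an added example that is not code from the original page, the Python below implements it in one place: a whitelist check that treats case changes, alternative script extensions, ';' and NUL suffixes, double extensions and path separators as rejections, a magic-byte check that refuses a script body renamed to an image extension (a step beyond the page's extension-only check), and a random stored name confined to an upload directory assumed to lie outside the document root. The directory /srv/uploads/img, the function names and the sample inputs are assumptions.

```python
import re
import secrets
from pathlib import Path

ALLOWED_EXTS = {"jpg", "png", "gif"}          # whitelist, as in the page's examples

# Leading bytes of the allowed formats (well-known signatures), checked in
# addition to the name so a script body renamed to .jpg is still refused.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def validated_extension(original_name):
    """Return the single lowercase extension of a name that passes the whitelist.

    Each branch closes one of the bypasses listed in the inspection method:
    '../' style components, strings appended after ';' or NUL, case changes,
    alternative script extensions, and double extensions.
    """
    if re.search(r"[\\/]", original_name):
        raise UploadRejected("path separator in name")
    if any(c == ";" or ord(c) < 32 for c in original_name):
        raise UploadRejected("control or separator character in name")
    parts = original_name.lower().split(".")
    # Require exactly 'name.ext': rejects 'shell.jsp.jpg' and names without an extension.
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise UploadRejected("exactly one extension is required")
    ext = parts[1]
    if ext not in ALLOWED_EXTS:
        raise UploadRejected(f"extension '{ext}' not in whitelist")
    return ext


def content_matches(ext, head):
    """True when the first bytes carry the signature expected for ext."""
    return any(head.startswith(sig) for sig in MAGIC[ext])


def stored_path(upload_dir, ext):
    """Random, unguessable stored name with the validated extension, confined to upload_dir."""
    base = Path(upload_dir).resolve()
    candidate = (base / f"{secrets.token_hex(16)}.{ext}").resolve()
    if candidate.parent != base:
        raise UploadRejected("path escapes upload directory")
    return candidate


def accept_upload(original_name, data, upload_dir="/srv/uploads/img"):
    """Validate name and content; return (stored path, None) or (None, reason).

    upload_dir is assumed to lie outside the document root, so nothing
    written there is served as a script even if every other check failed.
    """
    try:
        ext = validated_extension(original_name)
        if not content_matches(ext, data[:16]):
            raise UploadRejected("content does not match extension")
        return str(stored_path(upload_dir, ext)), None
    except UploadRejected as exc:
        return None, str(exc)


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 12           # constructed JPEG header
    for name, body in [("photo.JPG", jpeg), ("shell.jsp", b"<%@ page %>"),
                       ("shell.asp;.jpg", jpeg), ("shell.jsp.jpg", jpeg),
                       ("webshell.jpg", b"<%@ page %>")]:
        print(name, "->", accept_upload(name, body))
```

Because the stored name is generated by the server and never derived from the client's name, the response can reference the file without revealing anything about the original upload, which also covers the item on limiting path exposure.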


O Secure coding examples

# Removing execute permission from the upload directory (IIS) ▶

1. Start > Control Panel > Administrative Tools > Internet Services Manager > Properties > Home Directory > select the upload folder

2. Set execute permissions to "None"


# Removing execute permission from the upload directory (Apache) ▶

- Modify httpd.conf

<Directory "/usr/local/apache">
    AllowOverride FileInfo
</Directory>


# Create a '.htaccess' file in the upload directory and restrict server script execution ▶

<FilesMatch "(\.(asp|aspx|cer|jsp|jspx|php|htm|html))$">
    Order allow,deny
    Deny from all
</FilesMatch>

Note: the container directive is FilesMatch (FileMatch is not a valid Apache directive), and Order/Deny belong to the Limit override group, so the .htaccess file only takes effect if AllowOverride for that directory also includes Limit. On Apache 2.4 the equivalent of the Order/Deny pair is Require all denied.


# JAVA ▶
.....
String fileName = file.getOriginalFilename().toLowerCase();
String fileExt = fileName.substring(fileName.lastIndexOf('.') + 1);

// Check the extension of the uploaded file against a whitelist
if( !fileExt.equals("jpg") && !fileExt.equals("png") ) {
    out.println("");
    return;
}

// The upload directory is placed outside the web directory
String uploadPath = "/upload/img/";

// Use a timestamp as the file name
// (requires java.text.SimpleDateFormat and java.util.Date)
SimpleDateFormat date = new SimpleDateFormat("yyyyMMddHHmmssSSS");
Date today = new Date();
String timeDate = date.format(today);

// Bind the fileExt variable whose extension has already been validated
String uploadFilePath = uploadPath + timeDate + "." + fileExt;

/* Perform the file upload logic */
.....


# ASP ▶
.....
fileExt = LCase(Mid(fileName, InstrRev(fileName, ".") + 1))

' Check the extension of the uploaded file against a whitelist
If fileExt <> "jpg" And fileExt <> "png" And fileExt <> "gif" Then
    Response.Write("")
    Response.End
End If

' The upload directory is placed outside the web directory
uploadPath = "E:\upload\pds\"

' Use a timestamp as the file name
timeDate = DateDiff("s", CDate("1970-01-01 00:00:00"), Now()) - (9*60*60)

' Bind the fileExt variable whose extension has already been validated
uploadFilePath = uploadPath & timeDate & "." & fileExt

' Perform the file upload logic
.....


# PHP ▶
.....
$fileExt = strtolower(substr($fileName, strrpos($fileName, ".") + 1));

// Check the extension of the uploaded file against a whitelist
if ($fileExt != "jpg" && $fileExt != "png" && $fileExt != "gif") {
    echo "";
    exit;
}

// The upload directory is placed outside the document root (web directory)
$uploadPath = "/uploads/img/";

// Use a timestamp as the file name
$timeDate = time();

// Bind the fileExt variable whose extension has already been validated
$uploadFilePath = $uploadPath . $timeDate . "." . $fileExt;

/* File upload logic */
.....