Spam on the free board via a bypass of mobile phone verification


Gnuboard5 (YoungCart) version: 5.4.5.5

Body

I am running YoungCart Version 5.4.5.5.1.

Over the weekend someone registered an account with the details below and posted 3,307 spam advertisements on the free board; I found it first thing this morning when I got to work.

Our site is configured so that registration is only possible after passing KCP mobile phone verification, but looking at the server log below it seems they registered through some other verification path.

(KCP mobile phone verification)

[07/Apr/2025:11:56:38 +0900] "GET /plugin/kcpcert/kcpcert_form.php HTTP/1.1" 200 1410
[07/Apr/2025:11:57:01 +0900] "POST /plugin/kcpcert/kcpcert_result.php

Does anyone know how they could have gotten in?

(Registration details)

ID: k118d7zgs5
Name: 4ub9e6
Email: *** email address hidden to protect personal information ***
Phone: *** mobile phone number hidden to protect personal information ***

IP: 149.28.180.148
Country: Australia, Sydney
Vultr hosting

(Server log)

149.28.180.148 - - [05/Apr/2025:01:52:05 +0900] "GET /bbs/register_form.php HTTP/1.1" 200 2409 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:2223194 pid:20058
149.28.180.148 - - [05/Apr/2025:01:52:08 +0900] "POST /bbs/register_form.php HTTP/1.1" 200 14512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:48159 pid:20063
149.28.180.148 - - [05/Apr/2025:01:52:09 +0900] "GET /bbs/register_form.php HTTP/1.1" 200 2409 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:30268 pid:20065
149.28.180.148 - - [05/Apr/2025:01:52:10 +0900] "POST /plugin/kcaptcha/kcaptcha_session.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:24204 pid:20066
149.28.180.148 - - [05/Apr/2025:01:52:11 +0900] "GET /plugin/kcaptcha/kcaptcha_image.php?t=1743785530229 HTTP/1.1" 200 5392

149.28.180.148 - - [05/Apr/2025:01:52:17 +0900] "POST /bbs/ajax.mb_id.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:28672 pid:20074
149.28.180.148 - - [05/Apr/2025:01:52:18 +0900] "POST /bbs/ajax.mb_nick.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:30115 pid:20076
149.28.180.148 - - [05/Apr/2025:01:52:19 +0900] "POST /bbs/ajax.mb_email.php HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:27554 pid:20077
149.28.180.148 - - [05/Apr/2025:01:52:19 +0900] "POST /plugin/kcaptcha/kcaptcha_result.php HTTP/1.1" 200 1 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:22980 pid:20079
149.28.180.148 - - [05/Apr/2025:01:52:20 +0900] "POST /bbs/register_form_update.php

149.28.180.148 - - [05/Apr/2025:01:52:26 +0900] "POST /bbs/login_check.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:143684 pid:20089


149.28.180.148 - - [05/Apr/2025:01:53:21 +0900] "GET /bbs/register_form.php HTTP/1.1" 200 2409 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:37049 pid:20139
149.28.180.148 - - [05/Apr/2025:01:53:22 +0900] "POST /bbs/login_check.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:131206 pid:20141
149.28.180.148 - - [05/Apr/2025:01:53:24 +0900] "GET / HTTP/1.1" 200 9713 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:58178 pid:20143
149.28.180.148 - - [05/Apr/2025:01:53:25 +0900] "GET /bbs/write.php?bo_table=free HTTP/1.1" 200 8226 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:65867 pid:20145
149.28.180.148 - - [05/Apr/2025:01:53:26 +0900] "POST /bbs/write_token.php HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:32604 pid:20147
149.28.180.148 - - [05/Apr/2025:01:53:26 +0900] "POST /bbs/ajax.filter.php HTTP/1.1" 200 27 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:25927 pid:20149
149.28.180.148 - - [05/Apr/2025:01:53:27 +0900] "POST /bbs/write_update.php HTTP/1.1" 
149.28.180.148 - - [05/Apr/2025:01:53:28 +0900] "GET /bbs/board.php?bo_table=free&wr_id=2 HTTP/1.1" 200 
149.28.180.148 - - [05/Apr/2025:01:53:53 +0900] "GET /bbs/register_form.php HTTP/1.1" 200 2409 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:37733 pid:20173
149.28.180.148 - - [05/Apr/2025:01:53:55 +0900] "POST /bbs/login_check.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:154299 pid:20175
149.28.180.148 - - [05/Apr/2025:01:53:57 +0900] "GET / HTTP/1.1" 200 9713 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:49013 pid:20178
149.28.180.148 - - [05/Apr/2025:01:53:58 +0900] "GET /bbs/write.php?bo_table=free HTTP/1.1" 200 8228 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:62227 pid:20180
149.28.180.148 - - [05/Apr/2025:01:53:59 +0900] "POST /bbs/write_token.php HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:26118 pid:20182
149.28.180.148 - - [05/Apr/2025:01:54:00 +0900] "POST /bbs/ajax.filter.php HTTP/1.1" 200 27 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:25462 pid:20183
149.28.180.148 - - [05/Apr/2025:01:54:00 +0900] "POST /bbs/write_update.php HTTP/1.1" 302
149.28.180.148 - - [05/Apr/2025:01:54:01 +0900] "GET /bbs/board.php?bo_table=free&wr_id=3 HTTP/1.1" 200

149.28.180.148 - - [05/Apr/2025:01:54:20 +0900] "GET /bbs/register_form.php HTTP/1.1" 200 2409 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:32124 pid:20203
149.28.180.148 - - [05/Apr/2025:01:54:22 +0900] "POST /bbs/login_check.php HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:179373 pid:20205
149.28.180.148 - - [05/Apr/2025:01:54:24 +0900] "GET / HTTP/1.1" 200 9713 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36" microseconds:44399 pid:20207
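As an added example (not part of the original post or of Gnuboard), the Python script below replays an access-log excerpt modelled on the lines above and flags registrations that were not preceded by a POST to /plugin/kcpcert/kcpcert_result.php from the same IP. The sample log is constructed: the 149.28.180.148 entries are shortened copies of the post's lines, the 203.0.113.10 signup (a TEST-NET-3 address) is invented to show what a verified registration looks like, and the 30-minute window is an arbitrary choice. A 200 on kcpcert_result.php only shows that the KCP callback reached the server, so this is a triage heuristic for the log, not proof that verification succeeded.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Request-line prefix of the Apache combined format used in the post.  Status,
# size, referer, User-Agent and the microseconds/pid suffix are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)

# Gnuboard5 / YoungCart endpoints in the registration and posting flow.
CERT_RESULT = "/plugin/kcpcert/kcpcert_result.php"  # KCP verification callback
REGISTER_UPDATE = "/bbs/register_form_update.php"   # creates the member account
WRITE_UPDATE = "/bbs/write_update.php"              # creates a board post

# Constructed sample log.  The 149.28.180.148 lines are shortened copies of the
# entries quoted in the post; the 203.0.113.10 signup (TEST-NET-3 address) is
# invented to show what a verified registration looks like.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Apr/2025:00:40:02 +0900] "GET /plugin/kcpcert/kcpcert_form.php HTTP/1.1" 200 1410',
    '203.0.113.10 - - [05/Apr/2025:00:40:31 +0900] "POST /plugin/kcpcert/kcpcert_result.php HTTP/1.1" 200 512',
    '203.0.113.10 - - [05/Apr/2025:00:41:05 +0900] "POST /bbs/register_form_update.php HTTP/1.1" 302 -',
    '149.28.180.148 - - [05/Apr/2025:01:52:05 +0900] "GET /bbs/register_form.php HTTP/1.1" 200 2409',
    '149.28.180.148 - - [05/Apr/2025:01:52:19 +0900] "POST /plugin/kcaptcha/kcaptcha_result.php HTTP/1.1" 200 1',
    '149.28.180.148 - - [05/Apr/2025:01:52:20 +0900] "POST /bbs/register_form_update.php HTTP/1.1" 302 -',
    '149.28.180.148 - - [05/Apr/2025:01:52:26 +0900] "POST /bbs/login_check.php HTTP/1.1" 302 -',
    '149.28.180.148 - - [05/Apr/2025:01:53:27 +0900] "POST /bbs/write_update.php HTTP/1.1" 302 -',
    '149.28.180.148 - - [05/Apr/2025:01:54:00 +0900] "POST /bbs/write_update.php HTTP/1.1" 302 -',
]


def parse_line(line):
    """Return {ip, ts, method, path} for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        # drop the query string so write.php?bo_table=free and write.php compare equal
        "path": m.group("path").split("?", 1)[0],
    }


def unverified_registrations(lines, window=timedelta(minutes=30)):
    """Registrations with no KCP result callback from the same IP within `window`.

    Returns a list of (ip, iso_timestamp).  Keying on IP is a heuristic: a
    shared NAT address can hide a bypass and a rotating address can produce a
    false positive, so treat hits as leads to confirm against the member table.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    last_cert = {}
    flagged = []
    for e in events:
        if e["method"] != "POST":
            continue
        if e["path"] == CERT_RESULT:
            last_cert[e["ip"]] = e["ts"]
        elif e["path"] == REGISTER_UPDATE:
            seen = last_cert.get(e["ip"])
            if seen is None or e["ts"] - seen > window:
                flagged.append((e["ip"], e["ts"].isoformat()))
    return flagged


def posts_per_ip(lines):
    """Count board submissions (POST write_update.php) per IP."""
    counts = defaultdict(int)
    for e in filter(None, map(parse_line, lines)):
        if e["method"] == "POST" and e["path"] == WRITE_UPDATE:
            counts[e["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, ts in unverified_registrations(SAMPLE_LOG):
        print(f"registration without KCP callback: {ip} at {ts}")
    print("write_update.php POSTs per IP:", posts_per_ip(SAMPLE_LOG))
```

Run it against the real access log by replacing SAMPLE_LOG with the file's lines; the IPs it returns are the ones whose member rows (mb_id, mb_datetime, mb_ip) are worth checking for a missing or empty certification record.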


Answers (2)

디비인젝션으로 가입했을 것입니다.

해킹으로 해당 파일을 변경해서 했는지도 봐 보세요.

변수들을 좀더 안전하게 처리하고 타입도 설정 해서 다른 것들을 추가 할 수 없도록 해야 할 것입니다

Leaving my own answer here in case it helps someone.

I handled it the following way.

On the client side, whether KCP identity verification was completed is checked and registration is blocked if not, but on the server side the check used $config['cf_cert_req'], so I changed it to $config['cf_cert_hp'] so that both the client side and the server side are checked.

(from register_form_update.php)

// Identity-verification check
// The stock condition was $config['cf_cert_use'] && $config['cf_cert_req'];
// using cf_cert_hp instead makes the server enforce the check whenever mobile
// phone verification is enabled, not only when "verification required" is set.
if($config['cf_cert_use'] && $config['cf_cert_hp']) { // this line was modified

    // cert_no hidden field posted with the registration form
    $post_cert_no = isset($_POST['cert_no']) ? trim($_POST['cert_no']) : '';

    // Reject when the session holds no verification result or the posted
    // value does not match it; alert() stops the script.
    if($post_cert_no !== get_session('ss_cert_no') || ! get_session('ss_cert_no')) {
        alert("You must complete identity verification to register.");
    }
}

© SIRSOFT