1581, 21/80
subroutine
http://blog.naver.com/31337__
[re] SQL injection recovery queries

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=1178


* Query to check whether you have been hit by a script-insertion attack

DECLARE @T varchar(255), @C varchar(255);
-- Walk every string column of every user table. syscolumns.xtype codes:
-- 99 = ntext, 35 = text, 231 = nvarchar (also nvarchar(max)), 167 = varchar (also varchar(max))
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN

-- One result set per column: the table and column it came from, then every value
-- that contains '<script' and ends with '</script>' (the appended injection).
-- The name labels are added so the result sets can be told apart.
exec ('select '''+@T+''' as tbl, '''+@C+''' as col, ['+@C+'] from ['+@T+'] where ['+@C+'] like ''%<script%</script>''');
-- print 'select ['+@C+'] from ['+@T+'] where ['+@C+'] like ''%<script%</script>'''

  FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

* Query that restores the data after the above attack (it does not work 100% of the time; verify separately)

* If the value was long, the attack left it truncated when it went in; in that case even running the restore does not bring the original back

* Then the only option is to restore from a backup

-- Restore: cut the value off at the last '<script'. patindex on the reversed
-- value finds the last '<script' (reversed: 'tpircs<'); the "- 6" accounts for
-- the length of '<script'. Each run removes ONE trailing block, so if the
-- attack appended the tag more than once, rerun until the check query above
-- returns nothing.
-- Caveat: convert(varchar(8000), ...) cuts values longer than 8000 characters
-- and forces ntext/nvarchar data through the server code page. On SQL Server
-- 2005 and later use nvarchar(max) instead.
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
  EXEC(
    'update ['+@T+'] set ['+@C+'] = left(
            convert(varchar(8000), ['+@C+']),
            len(convert(varchar(8000), ['+@C+'])) - 6 -
            patindex(''%tpircs<%'',
                      reverse(convert(varchar(8000), ['+@C+'])))
            )
      where ['+@C+'] like ''%<script%</script>'''
      );
  FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;


DB injection attack?
If you search Google for <script src= 0.js you will see that a surprising number of sites have suffered a DB attack.
The site I manage also had the script above inserted; I went around many sites, recovered it, and I am posting the security methods I picked up along the way.


1. Attack type:
SQL injection: the pages on the site that use the DB are attacked, i.e. the DB is attacked through a vulnerable spot in the web source.
Special code is injected so that a script is inserted into the DB, which then installs malware on the users who visit.


2. Points to note when taking action
1) The malicious link was not inserted by defacing the homepage itself; it was inserted into the DB contents using an SQL injection technique.
2) It is best to get the DBA's help with the remediation.
3) Because of the attack, some existing data may have been overwritten and changed. A backup is the way out here, but some data loss probably cannot be avoided...
4) The root cause is that the site was developed in a way that is vulnerable to SQL injection. Find the attack point and have the outsourcing vendor or the in-house development team fix the source.
5) If the source cannot be fixed, a web application firewall may help. But review the product carefully before adopting it. Some products use simple pattern matching and fail to detect an attack that differs by even 1 byte from the patterns they hold.


3. Drop the DB tables created by the attack
Drop table comd_list
Drop table ahcmd
Drop table foofoofoo
Drop table Reg_Arrt
Drop table D99_CMD
Drop table D99_TMP
Drop table Kill_kk
Drop table jiaozhu


4. Recovery: removing the inserted script
-- Same restore as in the first part, but matched against the exact script that
-- was injected (replace the src= URL with the one found in your data). Each run
-- strips one trailing copy; rerun until the check query finds nothing.
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
  EXEC(
    'update ['+@T+'] set ['+@C+'] = left(
            convert(varchar(8000), ['+@C+']),
            len(convert(varchar(8000), ['+@C+'])) - 6 -
            patindex(''%tpircs<%'',
                      reverse(convert(varchar(8000), ['+@C+'])))
            )
      where ['+@C+'] like ''%<script src=http://s.ardoshanghai.com/s.js></script>'''
      );
  FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

' For the script part, put in the script that was actually inserted into your data
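Added example, not part of the original post, that runs the restore arithmetic used by the queries in the first part and in section 4 on a constructed temporary table. It differs from the post's queries in three ways a practitioner needs: it loops until no row still ends with </script> (the attack often appended the tag more than once, and each pass removes only the last block), it converts through nvarchar(max) so values over 8000 characters are not cut and Korean text is not forced through the server code page (SQL Server 2005 or later), and it counts the hits before changing anything. The table, its rows and the example.invalid URL are constructed for the demo.

```sql
-- Added demo of the restore logic on constructed data. SQL Server 2005+.
SET NOCOUNT ON;

CREATE TABLE #board (id int NOT NULL, content ntext NULL);

-- Constructed sample rows; the src URL is a placeholder, not a real payload host
DECLARE @tag nvarchar(100);
SET @tag = N'<script src=http://example.invalid/x.js></script>';

INSERT INTO #board (id, content) VALUES (1, N'Hello world' + @tag + @tag);  -- hit twice
INSERT INTO #board (id, content) VALUES (2, N'Untouched row');
INSERT INTO #board (id, content) VALUES (3, @tag);                          -- value is only the payload
INSERT INTO #board (id, content)
VALUES (4, REPLICATE(CAST(N'x' AS nvarchar(max)), 9000) + @tag);            -- longer than 8000

-- 1. Count before touching anything; keep this number for the incident record (3 here)
SELECT COUNT(*) AS injected_rows FROM #board WHERE content LIKE N'%<script%</script>';

-- 2. Strip one trailing block per pass; repeat until no row still ends with </script>.
--    @rounds guards against an endless loop should a row match LIKE but not shrink.
DECLARE @rounds int, @affected int;
SET @rounds = 0;
SET @affected = 1;
WHILE @affected > 0 AND @rounds < 50
BEGIN
    UPDATE #board
    SET content = LEFT(CONVERT(nvarchar(max), content),
                       LEN(CONVERT(nvarchar(max), content)) - 6
                       - PATINDEX(N'%tpircs<%', REVERSE(CONVERT(nvarchar(max), content))))
    WHERE content LIKE N'%<script%</script>';
    SET @affected = @@ROWCOUNT;        -- pass 1 touches rows 1,3,4; pass 2 row 1; pass 3 nothing
    SET @rounds = @rounds + 1;
END;

-- 3. Verify. Expected len_after: id 1 -> 11 ('Hello world'), 2 -> 13, 3 -> 0, 4 -> 9000.
--    A varchar(8000) conversion, as in the post's query, would have cut row 4.
SELECT id,
       LEN(CONVERT(nvarchar(max), content)) AS len_after,
       LEFT(CONVERT(nvarchar(max), content), 40) AS head
FROM #board
ORDER BY id;

DROP TABLE #board;
```

To apply this to a real database, wrap the UPDATE in the post's cursor over sysobjects/syscolumns (or sys.columns on 2005+) and take a full backup first; the loop leaves a row empty when the whole value was the payload, which is the case the post warns can only be recovered from backup.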


5. Security measure 1: unload the dangerous SPs from MSSQL memory
Restrict the general user group's permissions on the objects that can be a security threat.
Dropping the SPs' registration has its own risks, so only unload them from memory. Downside: after a reboot or a DB restart, run the queries below again!

dbcc xp_cmdshell(free)
dbcc xp_dirtree(free)
dbcc xp_regdeletekey(free)
dbcc xp_regenumvalues(free)
dbcc xp_regread(free)
dbcc xp_regwrite(free)
dbcc sp_makewebtask(free)
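Added hardening script for the procedures listed in section 5; it is not from the original post. It targets SQL Server 2005 or later and puts the persistent controls (permission revocation, sp_configure) before the post's in-memory unload, which is lost on restart. Two points on the DBCC lines above: the documented form is DBCC dllname (FREE), i.e. it takes the DLL that hosts the extended procedure rather than the procedure name (sp_helpextendedproc reports it), and sp_makewebtask is an ordinary system procedure that wraps xp_makewebtask, so it has no DLL of its own. The login name webapp_login is a placeholder.

```sql
-- Added hardening steps for section 5. SQL Server 2005+; run as sysadmin.
USE master;
GO
-- 1. Inventory: can 'public' (every login) execute the risky procedures?
SELECT o.name AS proc_name, pr.name AS grantee, dp.permission_name, dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.all_objects AS o
  ON o.object_id = dp.major_id AND dp.class = 1          -- class 1 = object permission
JOIN sys.database_principals AS pr
  ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = N'public'
  AND o.name IN (N'xp_cmdshell', N'xp_dirtree', N'xp_regread', N'xp_regwrite',
                 N'xp_regdeletekey', N'xp_regenumvalues', N'sp_makewebtask');

-- 2. Revoking persists across restarts, unlike unloading the DLL from memory.
--    (REVOKE of a permission that was never granted is a harmless no-op.)
REVOKE EXECUTE ON sys.xp_cmdshell      FROM public;
REVOKE EXECUTE ON sys.xp_dirtree       FROM public;
REVOKE EXECUTE ON sys.xp_regread       FROM public;
REVOKE EXECUTE ON sys.xp_regwrite      FROM public;
REVOKE EXECUTE ON sys.xp_regdeletekey  FROM public;
REVOKE EXECUTE ON sys.xp_regenumvalues FROM public;

-- 3. Switch xp_cmdshell off at the instance level; this survives restarts.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 4. Injected SQL runs with the rights of the web site's login, so that login
--    must not be sysadmin. 'webapp_login' is a placeholder name.
SELECT sp.name, sp.type_desc,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin   -- 1 means fix this first
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U') AND sp.name = N'webapp_login';

-- 5. The post's unload step, with the DLL name looked up instead of guessed.
--    xp_cmdshell is hosted by xplog70.dll on SQL Server 2000/2005; the unload
--    is undone by the next restart, so steps 2 and 3 are the ones that matter.
EXEC sp_helpextendedproc 'xp_cmdshell';
DBCC xplog70 (FREE);
```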


6. Security measure 2
Above all, the most likely cause of the DB injection is that the source for login, sign-up, the bulletin board and other places where users reach the DB was developed without special-character protection.
This is judged to be the problem of the developer not applying any blocking of the special characters that can attack the DB in the login, sign-up, ID/password recovery, board and similar pages. All of that source must be improved.
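Added example, not from the original post, showing the root cause of section 6 at the SQL level: the same board search written the way the injected sites did it (user text spliced into a dynamic statement) and written with a bound parameter, then both fed a payload of the shape used by the 2008 mass injections. The point for the fix is that blocking "special characters" is the weaker remedy; binding the value as a parameter means it can only ever be compared, never executed. It also shows why the pattern-matching products from section 2 missed these attacks: the worms usually shipped the statement as a hex string decoded with CAST(... AS NVARCHAR) and run with EXEC, so the keywords never appeared in the request. Table, procedure and URL names are constructed for the demo; SQL Server 2005 or later.

```sql
-- Added demo: vulnerable vs parameterized search on a constructed table. SQL Server 2005+.
SET NOCOUNT ON;
CREATE TABLE dbo.demo_board (id int IDENTITY(1,1) PRIMARY KEY, title nvarchar(200), body ntext);
INSERT INTO dbo.demo_board (title, body) VALUES (N'first post', N'hello');
INSERT INTO dbo.demo_board (title, body) VALUES (N'second post', N'world');
GO
-- Vulnerable form: the user's text becomes part of the statement, so a quote in
-- it closes the LIKE literal and whatever follows runs with the site's DB rights.
CREATE PROCEDURE dbo.demo_search_unsafe @q nvarchar(200) AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT id, title FROM dbo.demo_board WHERE title LIKE ''%' + @q + N'%''';
    EXEC (@sql);
END
GO
-- Hardened form: the statement text never changes; the input travels as a typed
-- parameter of sp_executesql, so quotes and semicolons in it are just data.
CREATE PROCEDURE dbo.demo_search_safe @q nvarchar(200) AS
BEGIN
    DECLARE @pat nvarchar(202);
    SET @pat = N'%' + @q + N'%';
    EXEC sp_executesql
        N'SELECT id, title FROM dbo.demo_board WHERE title LIKE @p',
        N'@p nvarchar(202)',
        @p = @pat;
END
GO
-- Constructed payload in the shape of the mass injections: close the quote,
-- append a script tag to every row of the table, comment out the tail.
DECLARE @payload nvarchar(200);
SET @payload = N'x'';UPDATE dbo.demo_board SET body = CONVERT(nvarchar(max), body) + ''<script src=http://example.invalid/x.js></script>'';--';

EXEC dbo.demo_search_unsafe @payload;   -- the UPDATE runs: both bodies now end in </script>
SELECT id, CONVERT(nvarchar(max), body) AS body FROM dbo.demo_board;

EXEC dbo.demo_search_safe @payload;     -- looks for the literal text, finds nothing, changes nothing
SELECT id, CONVERT(nvarchar(max), body) AS body FROM dbo.demo_board;

DROP PROCEDURE dbo.demo_search_unsafe;
DROP PROCEDURE dbo.demo_search_safe;
DROP TABLE dbo.demo_board;
```

The same rule applies in the web tier that calls these procedures: pass user input as command parameters (for example ADO parameters in classic ASP) rather than building the query string, and give the application's DB login only the rights the pages need.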

-subroutine-

Hits: 7972     Date: 2009/01/11 01:55

Copyright 1999-2024 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org