SQL 인젝션 보고서
개 요
데이터베이스와 연동된 웹 어플리케이션이 사용자 입력값을 검증하지 않은 채 SQL 질의문 문자열에 그대로 연결(concatenation)할 경우, 공격자가 입력이 가능한 폼(웹 브라우저 주소입력창
또는 로그인 폼 등)에 조작된 질의문을 삽입하여 질의문의 구조 자체를 바꾸고 웹 서버의 데이터베이스 정보를 열람 또는 조작할 수 있는 취약점. 근본 원인은 "필터링 부재"가 아니라 질의문에서 코드와 데이터가 분리되지 않은 작성 방식이므로, 근본 대책은 입력값을 매개변수(바인드 변수)로 전달하는 것이다.
진단결과
2016-11-25 13:07:43
GET
http://testphp.vulnweb.com/listproducts.php?cat=1' and 1=1#
1' and 1=1#
SQL syntax
2016-11-25 13:07:44
GET
http://testphp.vulnweb.com/listproducts.php?cat=1' and 1=2#
1' and 1=2#
SQL syntax
2016-11-25 13:07:45
GET
http://testphp.vulnweb.com/listproducts.php?cat=AND (select 1)=1
AND (select 1)=1
SQL syntax
2016-11-25 13:07:51
GET
http://testphp.vulnweb.com/listproducts.php?cat=AND (select 1)=2
AND (select 1)=2
SQL syntax
2016-11-25 13:07:53
GET
http://testphp.vulnweb.com/listproducts.php?cat= and 1=1
and 1=1
SQL syntax
2016-11-25 13:07:54
GET
http://testphp.vulnweb.com/listproducts.php?cat= and 1=2
and 1=2
SQL syntax
2016-11-25 13:07:57
GET
http://testphp.vulnweb.com/listproducts.php?cat= and sleep(3);
and sleep(3);
SQL syntax
2016-11-25 13:07:59
GET
http://testphp.vulnweb.com/listproducts.php?cat= SELECT SLEEP(3)--
SELECT SLEEP(3)--
SQL syntax
2016-11-25 13:08:00
GET
http://testphp.vulnweb.com/listproducts.php?cat= 1; waitfor delay '00:00:03'--
1; waitfor delay '00:00:03'--
SQL syntax
2016-11-25 13:08:04
GET
http://testphp.vulnweb.com/listproducts.php?cat= %22 src=http://ahoon/;?
" src=http://ahoon/;?
SQL syntax
2016-11-25 13:08:05
GET
http://testphp.vulnweb.com/listproducts.php?cat=+union+select+1,2,3/*
+union+select+1,2,3/*
SQL syntax
2016-11-25 13:08:07
GET
http://testphp.vulnweb.com/listproducts.php?cat=/*uni X on*/union/*sel X ect*/select+1,2,3/*
/*uni X on*/union/*sel X ect*/select+1,2,3/*
SQL syntax
2016-11-25 13:08:10
GET
http://testphp.vulnweb.com/listproducts.php?cat=+un/**/ion+sel/**/ect+1,2,3--
+un/**/ion+sel/**/ect+1,2,3--
SQL syntax
2016-11-25 13:08:12
GET
http://testphp.vulnweb.com/listproducts.php?cat=;select+1,2,3+from+users+where+id=1--
;select+1,2,3+from+users+where+id=1--
SQL syntax
2016-11-25 13:08:13
GET
http://testphp.vulnweb.com/listproducts.php?cat= union/* and b=*/select 1,2
union/* and b=*/select 1,2
SQL syntax
2016-11-25 13:08:15
GET
http://testphp.vulnweb.com/listproducts.php?cat=+OR+0x50=0x50
+OR+0x50=0x50
SQL syntax
2016-11-25 13:08:17
GET
http://testphp.vulnweb.com/listproducts.php?cat= %7C%7C 2=2--
|| 2=2--
SQL syntax
2016-11-25 13:08:18
GET
http://testphp.vulnweb.com/listproducts.php?cat=0x610x6e0x64+70x3d7
0x610x6e0x64+70x3d7
SQL syntax
조치사항
[패턴문자]
' union
" select
insert
# drop
( update
) from
; where
@ join
= substr (oracle)
* user_tables (oracle)
/ user_table_columns (oracle)
+ substring (ms-sql)
information_schema (mysql) sysobjects (ms-sql)
table_schema (mysql) declare (ms-sql)
/* */
&& openrowset
xp_ or
and %

- 패턴 문자 필터링: 블랙리스트 방식은 보조 대책에 불과하다. 대·소문자 변형, URL/16진 인코딩, 주석 삽입(위 진단 결과의 /**/ 분할 페이로드 참고) 등으로 쉽게 우회되며, 'or'·'and'·'from' 같은 단어는 정상 입력(order, band 등)까지 차단한다. 근본 대책은 아래 시큐어 코딩 예시처럼 사용자 입력을 질의문 문자열에 연결하지 않고 매개변수(바인드 변수)로 전달하는 것이며, 필터링은 가능하면 허용 목록(whitelist) 기반의 입력 형식 검증으로 대체한다.
- 언어별 디버깅 모드시 상세한 에러출력 금지(사용자 정의 에러 사용 권장). 위 진단 결과의 'SQL syntax' 항목은 DB 오류 메시지가 응답에 그대로 노출되어 취약점이 확인된 경우로 보이므로, 오류 상세는 서버 로그에만 남기고 사용자에게는 일반적인 오류 페이지만 보여준다.

JSP SQL Injection 시큐어 코딩


page.jsp 파일중에서
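// page.jsp: read the request parameter and scrub SQL metacharacters.
// Java string literals use double quotes; the original 'field' is a
// (multi-character) char literal and does not compile.
String param = request.getParameter("field");

// Defense in depth only. Stripping characters silently alters legitimate
// input (O'Brien -> OBrien) and a blacklist can never be complete; the real
// protection is the PreparedStatement in db.jsp. Prefer rejecting input
// that does not match the field's expected format over rewriting it.
// getParameter() returns null when the parameter is absent, which the
// original passed straight into matcher() (NullPointerException).
Pattern PreventChar = Pattern.compile("['\"\\-#()@;=*/+]");
String filteredData = (param == null) ? "" : PreventChar.matcher(param).replaceAll("");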

OR

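// Keyword/metacharacter blacklist taken from the table above. "--" is not in
// the table but appears in several of the payloads in the scan results, so it
// is listed as well.
String[] PreventChars = {
    "'", "\"", "#", "(", ")", ";", "@", "=", "*", "/", "+", "/*", "*/", "&&", "%", "--",
    "union", "select", "insert", "drop", "update", "from", "where", "join",
    "substr", "substring", "user_tables", "user_table_columns",
    "information_schema", "table_schema", "sysobjects", "declare",
    "openrowset", "xp_", "or", "and"
};

// Match case-insensitively: SQL keywords are, and the original indexOf()
// check was case-sensitive, so "SeLeCt" passed through untouched.
// Locale.ROOT avoids locale-specific case folding (e.g. Turkish dotless i).
// Substring matching on short words ("or", "and", "from") also rejects
// ordinary text such as "order" or "band"; treat this list as a secondary
// control and rely on the PreparedStatement in db.jsp.
// NOTE(review): `return false` only compiles inside a method returning
// boolean; in a bare JSP scriptlet (_jspService is void) use `return;`
// after sending an error response instead.
String lowered = (param == null) ? "" : param.toLowerCase(java.util.Locale.ROOT);
for (String keyword : PreventChars) {
    if (lowered.contains(keyword)) {
        System.out.println("금지된 키워드 사용입니다.");
        return false;
    }
}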

db.jsp 파일중에서
// db.jsp: bind the (already validated) values as JDBC parameters. The SQL
// text is fixed when the statement is prepared, so whatever value1/value2
// contain is transmitted as data and cannot alter the statement's structure.
// This, not the character filtering in page.jsp, is the actual SQL injection
// control. (Consider try-with-resources so stmt/rs are always closed.)
final String query = "select * from table where field1=? and field2=?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setString(1, value1);   // JDBC parameter indexes are 1-based
stmt.setString(2, value2);

ResultSet rs = stmt.executeQuery();


PHP SQL Injection 시큐어 코딩


page.php 파일중에서
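// page.php: read the field from POST, falling back to GET.
// The original `$_POST['field'] or $_GET['field']` is a precedence bug: `or`
// binds looser than `=`, so $param only ever received the POST value (and
// raised an undefined-index notice when it was absent).
$param = isset($_POST['field']) ? $_POST['field'] : (isset($_GET['field']) ? $_GET['field'] : '');

// Validate instead of sanitize: reject anything that does not match the
// format this field is expected to have. The pattern below is an example for
// a short alphanumeric value — adjust it to the real field.
// - htmlspecialchars()/strip_tags() are output-encoding controls; applying
//   them before storage corrupts the stored data and does nothing against
//   SQL injection. Encode at output time instead.
// - mysql_real_escape_string() belongs to the mysql extension (deprecated in
//   5.5, removed in PHP 7), and escaping is unnecessary when the value is
//   bound through PDO::prepare() in db.php.
if (preg_match('/^[A-Za-z0-9 _-]{1,40}$/', $param) !== 1) {
    http_response_code(400);
    exit('Invalid input');
}
$filtereddata = $param;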

OR

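// Keyword/metacharacter blacklist from the table above ("--" added because
// several payloads in the scan results use it).
$PreventChars = array(
    "'", "\"", "#", "(", ")", ";", "@", "=", "*", "/", "+", "/*", "*/", "&&", "%", "--",
    "union", "select", "insert", "drop", "update", "from", "where", "join",
    "substr", "substring", "user_tables", "user_table_columns",
    "information_schema", "table_schema", "sysobjects", "declare",
    "openrowset", "xp_", "or", "and"
);

// Reject, do not strip. A single-pass str_replace() is defeated by nesting
// the keyword inside itself ("selselectect" becomes "select" after one
// removal), and stripping silently changes legitimate input. stripos() makes
// the match case-insensitive, as SQL keywords are.
// Short words ("or", "and", "from") also hit ordinary text such as "order"
// or "band"; this list is a secondary control only — the bound parameter in
// db.php is what actually prevents injection.
foreach ($PreventChars as $keyword) {
    if (stripos($param, $keyword) !== false) {
        http_response_code(400);
        exit('Invalid input');
    }
}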


db.php 파일중에서
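// db.php: bind the validated value as a PDO parameter.
// Fixes against the original:
//  - PDO::PARAM_STR is a class constant; `PDO:PARAM:STR` is a parse error.
//  - bindValue() takes (name, value, type) only — the length argument exists
//    on bindParam(), so the trailing 10 is dropped.
// NOTE(review): with the MySQL driver PDO emulates prepares by default; set
// PDO::ATTR_EMULATE_PREPARES to false on $dbh so the server does the binding.
$value = $filtereddata;
$sth = $dbh->prepare('select field1, field2...from table where field1 = :field1');
$sth->bindValue(':field1', $value, PDO::PARAM_STR);
$sth->execute();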



ASP.NET (C#) 시큐어 코딩(MSDN 참조)



page.aspx 파일중에서
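<%@ language="C#" %>
<form id="form1" runat="server">
    <asp:TextBox ID="SSN" runat="server"/>
    <%-- RegularExpressionValidator treats an empty field as valid, so it is
         paired with RequiredFieldValidator to reject a blank SSN. Validators
         run on the client first, which an attacker can skip; the server-side
         result only takes effect if the code-behind checks Page.IsValid
         before touching the database. --%>
    <asp:RequiredFieldValidator ID="reqSSN" runat="server"
                                ErrorMessage="SSN is required"
                                ControlToValidate="SSN" />
    <asp:RegularExpressionValidator ID="regexpSSN" runat="server"
                                    ErrorMessage="Incorrect SSN Number"
                                    ControlToValidate="SSN"
                                    ValidationExpression="^\d{3}-\d{2}-\d{4}$" />
</form>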

page.aspx.cs 파일중에서
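// page.aspx.cs: gate database access on the SSN format.
// Fixes against the original:
//  - "^\d{3}..." is not a valid C# string literal (\d is an unrecognized
//    escape, CS1009); a verbatim @"" string passes the pattern to Regex intact.
//  - Request.Cookies["SSN"] is an HttpCookie (null when absent), not a
//    string; read .Value and treat a missing cookie as bad input.
// A cookie is client-controlled, so this is input validation only: the value
// must still reach SQL as a typed parameter (see db.cs).
// NOTE(review): carrying an SSN in a cookie is itself questionable — confirm
// this mirrors the intended data flow rather than the MSDN sample's.
string ssn = (Request.Cookies["SSN"] == null) ? null : Request.Cookies["SSN"].Value;

if (ssn != null && Regex.IsMatch(ssn, @"^\d{3}-\d{2}-\d{4}$"))
{
    // access the database
}
else
{
    // handle the bad input
}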

using System;
using System.Text.RegularExpressions;

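/// <summary>
/// Validates a new account's name and password before they reach the data layer.
/// </summary>
/// <param name="name">Display name: letters, apostrophe, dot or whitespace, 1–40 characters.</param>
/// <param name="password">Password: at least one digit, one lower-case and one
/// upper-case letter, 8–64 characters.</param>
/// <exception cref="FormatException">Either value fails its format check.</exception>
public void CreateNewUserAccount(string name, string password)
{
    // Validate the values actually passed in. The original tested the
    // userIDTxt/passwordTxt controls and ignored both parameters, so a caller
    // passing anything else got no validation at all.
    // "/s" in the original character class was a typo for "\s" (whitespace);
    // as written it admitted '/' and 's' instead of spaces.
    if (name == null || !Regex.IsMatch(name, @"^[a-zA-Z'.\s]{1,40}$"))
        throw new FormatException("Invalid name format");

    // Upper bound raised from 10 to 64: capping passwords at 10 characters
    // forbids pass-phrases and weakens accounts for no benefit. The
    // composition rule is kept as in the original; adjust to local policy.
    if (password == null ||
        !Regex.IsMatch(password, @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,64}$"))
        throw new FormatException("Invalid password format");

    // Perform data access logic using typed parameters (see db.cs); never
    // concatenate name or password into SQL text.
}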
db.cs 파일중에서
using System.Data;
using System.Data.SqlClient;

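// db.cs: call the login stored procedure with a typed parameter.
using (SqlConnection connection = new SqlConnection(connectionString))
// SqlDataAdapter (and the SqlCommand it creates) is IDisposable; the
// original never disposed it.
using (SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure", connection))
{
    DataSet userDataset = new DataSet();

    // CommandType.StoredProcedure makes the provider invoke
    // "LoginStoredProcedure" by name rather than parsing it as a SQL batch.
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;

    // The SSN travels as a typed VARCHAR(11) parameter ("123-45-6789" is
    // exactly 11 characters), never as part of the SQL text. SSN.Text is
    // expected to have passed the page's format validators first; that is
    // input validation, this is the injection control.
    SqlParameter auId = myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    auId.Value = SSN.Text;

    // NOTE(review): parameterization protects this call only. If
    // LoginStoredProcedure itself builds dynamic SQL (EXEC / sp_executesql
    // with @au_id concatenated into the string) it is still injectable —
    // confirm the procedure body.
    myCommand.Fill(userDataset);
}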

[참고사이트]

https://msdn.microsoft.com/en-us/library/ff648339.aspx