Complete Web Penetration Testing Practice Using bee-box - SQL Basics

Source

Inflearn, Complete Web Penetration Testing Practice Using bee-box, lecture 6 https://www.inflearn.com/course/%EB%B9%84%EB%B0%95%EC%8A%A4-%EB%AA%A8%EC%9D%98%ED%95%B4%ED%82%B9-%EC%8B%A4%EC%8A%B5/


SQL Injection Basics

SQL Basics

1. Open the bee-box terminal and enter the following command

root@bee-box:/var/www/bWAPP# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:512             0.0.0.0:*               LISTEN      5985/inetd      
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN      5985/inetd      
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      5985/inetd      
tcp        0      0 0.0.0.0:9443            0.0.0.0:*               LISTEN      6602/lighttpd   
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      5844/mysqld     
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      6098/smbd       
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      6128/Xvnc       
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      5961/nginx      
tcp        0      0 0.0.0.0:3632            0.0.0.0:*               LISTEN      5946/distccd    
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN      6128/Xvnc       
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      6493/proftpd: (acce
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      5095/cupsd      
tcp        0      0 0.0.0.0:9080            0.0.0.0:*               LISTEN      6602/lighttpd   
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      6054/master     
tcp        0      0 0.0.0.0:666             0.0.0.0:*               LISTEN      5922/bwapp_movie_se
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      5961/nginx      
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      6098/smbd       
tcp6       0      0 :::80                   :::*                    LISTEN      6576/apache2    
tcp6       0      0 :::6001                 :::*                    LISTEN      6128/Xvnc       
tcp6       0      0 :::22                   :::*                    LISTEN      5718/sshd       
tcp6       0      0 :::443                  :::*                    LISTEN      6576/apache2
  • MySQL is listening on port 3306
root@bee-box:/var/www/bWAPP# mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 15
Server version: 5.0.96-0ubuntu3 (Ubuntu)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
  • -u: specify the user
  • -p: prompt for the password
  • Ctrl + L: clear the screen

Database structure

[image: database structure diagram]

2. Checking the databases

mysql> show databases;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    16
Current database: *** NONE ***

+--------------------+
| Database           |
+--------------------+
| information_schema | 
| bWAPP              | 
| drupageddon        | 
| mysql              | 
+--------------------+
4 rows in set (0.01 sec)

3. Creating a new database

mysql> create database testdb;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema | 
| bWAPP              | 
| drupageddon        | 
| mysql              | 
| testdb             | 
+--------------------+
5 rows in set (0.00 sec)

4. Selecting the database and creating a table

mysql> use testdb;
Database changed
mysql> create table testtable1(
    -> no int not null,
    -> name varchar(10) not null,
    -> id varchar(10) not null,
    -> pass varchar(20) not null);
Query OK, 0 rows affected (0.01 sec)

mysql> show tables;
+------------------+
| Tables_in_testdb |
+------------------+
| testtable1       | 
+------------------+
1 row in set (0.00 sec)

mysql> desc testtable1
    -> ;
+-------+-------------+------+-----+---------+-------+
| Field | Type        | Null | Key | Default | Extra |
+-------+-------------+------+-----+---------+-------+
| no    | int(11)     | NO   |     | NULL    |       | 
| name  | varchar(10) | NO   |     | NULL    |       | 
| id    | varchar(10) | NO   |     | NULL    |       | 
| pass  | varchar(20) | NO   |     | NULL    |       | 
+-------+-------------+------+-----+---------+-------+
4 rows in set (0.00 sec)
  • not null means the column must always contain a value

5. Inserting data

mysql> insert into testtable1 values(1, "Sun", "isc0304", "test1234");
Query OK, 1 row affected (0.01 sec)

mysql> select * from testtable1
    -> ;
+----+------+---------+----------+
| no | name | id      | pass     |
+----+------+---------+----------+
|  1 | Sun  | isc0304 | test1234 | 
+----+------+---------+----------+
1 row in set (0.01 sec)
  • insert is the command that inserts rows
  • select is the command that retrieves rows from a table
  • * means retrieve every column
  • Inserting the rest of the values:
mysql> insert into testtable1 values(2, "black", "hat", "python");
Query OK, 1 row affected (0.00 sec)

mysql> insert into testtable1 values(3, "practical", "malware", "analysis");
Query OK, 1 row affected (0.00 sec)

mysql> insert into testtable1 values(4, "python", "hacking", "programming");
Query OK, 1 row affected (0.00 sec)

mysql> insert into testtable1 values(5, "coding", "interview", "analysis");
Query OK, 1 row affected (0.01 sec)

mysql> insert into testtable1 values(6, "john", "gray", "love");
Query OK, 1 row affected (0.00 sec)

mysql> insert into testtable1 values(7, "lego", "mindstorm", "ev3");
Query OK, 1 row affected (0.00 sec)

mysql> select * from testtable1
    -> ;
+----+-----------+-----------+-------------+
| no | name      | id        | pass        |
+----+-----------+-----------+-------------+
|  1 | Sun       | isc0304   | test1234    | 
|  2 | black     | hat       | python      | 
|  3 | practical | malware   | analysis    | 
|  4 | python    | hacking   | programming | 
|  5 | coding    | interview | analysis    | 
|  6 | john      | gray      | love        | 
|  7 | lego      | mindstorm | ev3         | 
+----+-----------+-----------+-------------+
7 rows in set (0.00 sec)

SQL Basic Syntax 1

  • SELECT + WHERE: search for data by condition

  Type         Operator                      Description
  Comparison   =, <, >, <=, >=, !=, <>       Compare two values
  Logical      AND, OR, NOT                  Combine one condition with another
  Range        BETWEEN a AND b               Check whether a value lies between a and b
  Set          IN                            Check whether a value is in a list
  Pattern      LIKE                          Check a string against a pattern

6. Searching with comparison and logical operators

mysql> select * from testtable1 where no=1;
+----+------+---------+----------+
| no | name | id      | pass     |
+----+------+---------+----------+
|  1 | Sun  | isc0304 | test1234 | 
+----+------+---------+----------+
1 row in set (0.00 sec)

mysql> select * from testtable1 where no=2;
+----+-------+-----+--------+
| no | name  | id  | pass   |
+----+-------+-----+--------+
|  2 | black | hat | python | 
+----+-------+-----+--------+
1 row in set (0.00 sec)

mysql> select * from testtable1 where no>2;
+----+-----------+-----------+-------------+
| no | name      | id        | pass        |
+----+-----------+-----------+-------------+
|  3 | practical | malware   | analysis    | 
|  4 | python    | hacking   | programming | 
|  5 | coding    | interview | analysis    | 
|  6 | john      | gray      | love        | 
|  7 | lego      | mindstorm | ev3         | 
+----+-----------+-----------+-------------+
5 rows in set (0.00 sec)

mysql> select * from testtable1 where no=2 or no=1;
+----+-------+---------+----------+
| no | name  | id      | pass     |
+----+-------+---------+----------+
|  1 | Sun   | isc0304 | test1234 | 
|  2 | black | hat     | python   | 
+----+-------+---------+----------+
2 rows in set (0.00 sec)

7. Searching by range and by set

mysql> select * from testtable1 where no between 1 and 4;
+----+-----------+---------+-------------+
| no | name      | id      | pass        |
+----+-----------+---------+-------------+
|  1 | Sun       | isc0304 | test1234    | 
|  2 | black     | hat     | python      | 
|  3 | practical | malware | analysis    | 
|  4 | python    | hacking | programming | 
+----+-----------+---------+-------------+
4 rows in set (0.00 sec)

mysql> select * from testtable1 where name in ("Sun");
+----+------+---------+----------+
| no | name | id      | pass     |
+----+------+---------+----------+
|  1 | Sun  | isc0304 | test1234 | 
+----+------+---------+----------+
1 row in set (0.00 sec)

mysql> select * from testtable1 where name in ("black");
+----+-------+-----+--------+
| no | name  | id  | pass   |
+----+-------+-----+--------+
|  2 | black | hat | python | 
+----+-------+-----+--------+
1 row in set (0.00 sec)

mysql> select * from testtable1 where name in ("Sun", "black");
+----+-------+---------+----------+
| no | name  | id      | pass     |
+----+-------+---------+----------+
|  1 | Sun   | isc0304 | test1234 | 
|  2 | black | hat     | python   | 
+----+-------+---------+----------+
2 rows in set (0.01 sec)

8. Pattern searching

mysql> select * from testtable1 where name like "Sun"
    -> ;
+----+------+---------+----------+
| no | name | id      | pass     |
+----+------+---------+----------+
|  1 | Sun  | isc0304 | test1234 | 
+----+------+---------+----------+
1 row in set (0.00 sec)

mysql> select * from testtable1 where name like "S%";
+----+------+---------+----------+
| no | name | id      | pass     |
+----+------+---------+----------+
|  1 | Sun  | isc0304 | test1234 | 
+----+------+---------+----------+
1 row in set (0.00 sec)

mysql> select * from testtable1 where name like "%a%";
+----+-----------+---------+----------+
| no | name      | id      | pass     |
+----+-----------+---------+----------+
|  2 | black     | hat     | python   | 
|  3 | practical | malware | analysis | 
+----+-----------+---------+----------+
2 rows in set (0.00 sec)

mysql> select * from testtable1 where name like "%l%";
+----+-----------+-----------+----------+
| no | name      | id        | pass     |
+----+-----------+-----------+----------+
|  2 | black     | hat       | python   | 
|  3 | practical | malware   | analysis | 
|  7 | lego      | mindstorm | ev3      | 
+----+-----------+-----------+----------+
3 rows in set (0.00 sec)

SQL Basic Syntax 2

  • SELECT + limit: restrict the number of records returned

  Usage         Description
  limit 1       return 1 record
  limit 0, 2    return 2 records starting from the first (offset 0) record

-> return only the rows from one position up to another

9. Returning as many rows as you want with limit

mysql> select * from testtable1 limit 3;
+----+-----------+---------+----------+
| no | name      | id      | pass     |
+----+-----------+---------+----------+
|  1 | Sun       | isc0304 | test1234 | 
|  2 | black     | hat     | python   | 
|  3 | practical | malware | analysis | 
+----+-----------+---------+----------+
3 rows in set (0.00 sec)

mysql> select * from testtable1 limit 0,3;
+----+-----------+---------+----------+
| no | name      | id      | pass     |
+----+-----------+---------+----------+
|  1 | Sun       | isc0304 | test1234 | 
|  2 | black     | hat     | python   | 
|  3 | practical | malware | analysis | 
+----+-----------+---------+----------+
3 rows in set (0.00 sec)

mysql> select * from testtable1 limit 1,3;
+----+-----------+---------+-------------+
| no | name      | id      | pass        |
+----+-----------+---------+-------------+
|  2 | black     | hat     | python      | 
|  3 | practical | malware | analysis    | 
|  4 | python    | hacking | programming | 
+----+-----------+---------+-------------+
3 rows in set (0.00 sec)

mysql> select * from testtable1 limit 2,3;
+----+-----------+-----------+-------------+
| no | name      | id        | pass        |
+----+-----------+-----------+-------------+
|  3 | practical | malware   | analysis    | 
|  4 | python    | hacking   | programming | 
|  5 | coding    | interview | analysis    | 
+----+-----------+-----------+-------------+
3 rows in set (0.00 sec)
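The limit transcripts above come back in insertion order, but a SELECT without ORDER BY does not guarantee any row order, so limit m, n can return different rows on another engine or after rows are changed. The statements below are an added example, not part of the course notes: they run against the same testtable1 built in steps 4 and 5 and exercise the operators from the syntax tables that the transcripts skip (NOT, <>, the single-character wildcard _, escaping a literal % or _ in a LIKE pattern) and pair limit with an explicit ORDER BY. The values in the WHERE clauses are the ones already in the table.

```sql
-- Added example (not from the course notes): run against testdb.testtable1
-- as created and filled in steps 4 and 5 above.
USE testdb;

-- Logical NOT on a comparison: every row except no = 1 (same as no <> 1)
SELECT * FROM testtable1 WHERE NOT no = 1;

-- Range and set combined: rows 1..4 whose name is not in the list
SELECT * FROM testtable1
 WHERE no BETWEEN 1 AND 4
   AND name NOT IN ('Sun', 'black');

-- LIKE with the single-character wildcard _ : a name of exactly four
-- characters that starts with 'j' ('python' is too long to match)
SELECT * FROM testtable1 WHERE name LIKE 'j___';

-- A literal % or _ inside the search string must be escaped, otherwise it
-- is treated as a wildcard. MySQL's default escape character is backslash;
-- ESCAPE lets you choose another one.
SELECT * FROM testtable1 WHERE pass LIKE '%\%%';             -- pass contains a % sign
SELECT * FROM testtable1 WHERE pass LIKE '%!_%' ESCAPE '!';  -- pass contains an underscore

-- limit offset, count: always add ORDER BY when the offset matters.
-- This skips the two highest no values and returns the next three.
SELECT * FROM testtable1 ORDER BY no DESC LIMIT 2, 3;
```

The two escaped LIKE queries return nothing on this table because no pass value contains % or _; they are there to show the syntax, since a pattern built from unescaped user input matches far more than intended.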

SQL Basic Syntax 3

  • SELECT + UNION: combine the results of several queries into one result set
  • The two tables joined by UNION must have the same number of columns

10. Creating one more table

mysql> create table uniontb(
    ->   var1 varchar(10) not null,
    ->   var2 varchar(10) not null,
    ->   var3 varchar(10) not null,
    ->   var4 varchar(10) not null);
Query OK, 0 rows affected (0.01 sec)

mysql> insert into uniontb values("Building", "Machine", "Learning", "Systems");
Query OK, 1 row affected (0.00 sec)

mysql> insert into uniontb values("with", "Python", "Seven", "Language");
Query OK, 1 row affected (0.00 sec)

mysql> select * from uniontb;
+----------+---------+----------+----------+
| var1     | var2    | var3     | var4     |
+----------+---------+----------+----------+
| Building | Machine | Learning | Systems  | 
| with     | Python  | Seven    | Language | 
+----------+---------+----------+----------+
2 rows in set (0.00 sec)

mysql> select * from testtable1;
+----+-----------+-----------+-------------+
| no | name      | id        | pass        |
+----+-----------+-----------+-------------+
|  1 | Sun       | isc0304   | test1234    | 
|  2 | black     | hat       | python      | 
|  3 | practical | malware   | analysis    | 
|  4 | python    | hacking   | programming | 
|  5 | coding    | interview | analysis    | 
|  6 | john      | gray      | love        | 
|  7 | lego      | mindstorm | ev3         | 
+----+-----------+-----------+-------------+
7 rows in set (0.00 sec)
  • uniontb and testtable1 have the same number of columns, so we will combine them
  • They can be combined only when the column counts match

11. Combining the tables

mysql> select * from testtable1 union select * from uniontb;
+----------+-----------+-----------+-------------+
| no       | name      | id        | pass        |
+----------+-----------+-----------+-------------+
| 1        | Sun       | isc0304   | test1234    | 
| 2        | black     | hat       | python      | 
| 3        | practical | malware   | analysis    | 
| 4        | python    | hacking   | programming | 
| 5        | coding    | interview | analysis    | 
| 6        | john      | gray      | love        | 
| 7        | lego      | mindstorm | ev3         | 
| Building | Machine   | Learning  | Systems     | 
| with     | Python    | Seven     | Language    | 
+----------+-----------+-----------+-------------+
9 rows in set (0.00 sec)

12. Putting a false condition on the first table and a true one on the second

mysql> select * from testtable1 where 1=2 union select * from uniontb;
+----------+---------+----------+----------+
| no       | name    | id       | pass     |
+----------+---------+----------+----------+
| Building | Machine | Learning | Systems  | 
| with     | Python  | Seven    | Language | 
+----------+---------+----------+----------+
2 rows in set (0.00 sec)

mysql> select * from testtable1 where no=8 union select * from uniontb;
+----------+---------+----------+----------+
| no       | name    | id       | pass     |
+----------+---------+----------+----------+
| Building | Machine | Learning | Systems  | 
| with     | Python  | Seven    | Language | 
+----------+---------+----------+----------+
2 rows in set (0.00 sec)
  • where 1=2 and where no=8 are both false, so only the contents of uniontb, the second query, are returned

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema | 
| bWAPP              | 
| drupageddon        | 
| mysql              | 
| testdb             | 
+--------------------+
5 rows in set (0.01 sec)
  • information_schema: a system database whose tables let you look up the structure of the other databases
  • information_schema can be abused -> done by making the first query false and placing the table to read in the second
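The column-count rule from step 10 and the false-first-query trick from step 12 are the two things the later lessons build on, and information_schema is where table and column names come from. The statements below are an added example, not taken from the course, and assume the testdb.testtable1 and testdb.uniontb tables created in steps 4 and 10. They show what happens when the column counts do not match, why the no column turned into text in step 11, how information_schema describes testdb the same way show tables and desc did, and the defensive check a DBA can rely on: a MySQL account only sees information_schema rows for objects it has privileges on, so an application account restricted to its own schema cannot enumerate the others. The user name and password in the GRANT section are placeholders.

```sql
-- Added example (not from the course notes). Assumes testdb.testtable1 and
-- testdb.uniontb exist as created in steps 4 and 10 above.
USE testdb;

-- UNION requires the same number of columns in every SELECT.
-- 4 columns on the left and 2 on the right: MySQL rejects the statement
-- (ER_WRONG_NUMBER_OF_COLUMNS_IN_SELECT) instead of returning rows.
SELECT * FROM testtable1
UNION
SELECT var1, var2 FROM uniontb;

-- Matching the count is enough; the types need not match. MySQL widens the
-- int column no to a string so 'Building' and 'with' fit in it, which is
-- why the no column is shown left-aligned as text in step 11.
SELECT no, name FROM testtable1
UNION
SELECT var1, var2 FROM uniontb;

-- UNION removes duplicate rows; UNION ALL keeps them and skips that work.
SELECT name FROM testtable1
UNION ALL
SELECT var2 FROM uniontb;

-- information_schema is a database of metadata tables, not a single table.
-- These two queries describe testdb like SHOW TABLES and DESC did above.
SELECT table_name
  FROM information_schema.tables
 WHERE table_schema = 'testdb';

SELECT table_name, column_name, data_type, is_nullable
  FROM information_schema.columns
 WHERE table_schema = 'testdb'
 ORDER BY table_name, ordinal_position;

-- Defensive check: an account sees only the information_schema rows for
-- objects it holds privileges on. Create a least-privilege application user
-- (placeholder name and password) limited to testdb and compare what it sees.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'CHANGE_ME_placeholder';
GRANT SELECT, INSERT ON testdb.* TO 'webapp'@'localhost';

-- Run while logged in as webapp: lists only the schemas that account may use,
-- not every database on the server as the root session in step 2 did.
SELECT schema_name FROM information_schema.schemata;
```

Comparing the last query as root and as webapp is a quick way to confirm that the web application's database account cannot read bWAPP, drupageddon or mysql even if a query it runs is tampered with; the UNION trick only reaches what the connected account is allowed to see.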
