http://blog.naver.com/wooltary7/80009184543
Today I read an MS document titled "How to block SQL injection attacks in advance".
I already knew this kind of vulnerability was well known... and I code carefully myself when building websites... but it seems many sites on the internet still have this vulnerability...
Especially in the part that handles user authentication.......
In the ID and password fields, if you enter
' Or 1=1 --
there are really a lot of sites where the login just goes through.
For example, most sites probably handle the ID and password comparison with a query like the following..
SELECT Count(*) FROM Users WHERE UserName='Paul' AND Password='password'
Well, something like this...
This is the normal case, but
if you replace the Paul part with ' or 1=1 --...
SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 --' AND Password='password'
it becomes this, and since everything after -- is treated as a comment....
only SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 is left...
and you're just logged in.....
This is just one example...
At one point I went around many sites built with ASP and SQL doing nothing but this....
Haha, it's a bit embarrassing to say.... but this method works on quite a few adult sites too...paid sites, of course...
Hmm..... if you apply it well, you could really attempt all sorts of hacks..
Even a select against sysobjects, or even DROP TABLE...
Anyway, it seems to be a vulnerability you need to be careful about.....
Oh right! If you go here you can see the full document...
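The concatenated login query above, beside the parameterized form the MS article recommends, as an added example (not code from the original post). It assumes an in-memory SQLite table with one constructed Users row standing in for the ASP/SQL Server setup the post describes; SQLite, like SQL Server, treats everything after -- as a comment.

```python
import sqlite3

# Constructed sample data for this example: one Users row.
USERS = [("Paul", "password")]


def _connect():
    """Create an in-memory database with the Users table the post describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


def login_concat(username, password):
    """Vulnerable: builds the query by string concatenation, as in the post.
    The input ' Or 1=1 -- closes the quote, adds Or 1=1 and comments out the
    rest, so Count(*) is the whole table and the login goes through."""
    conn = _connect()
    sql = ("SELECT Count(*) FROM Users WHERE UserName='" + username +
           "' AND Password='" + password + "'")
    count = conn.execute(sql).fetchone()[0]
    return count > 0


def login_param(username, password):
    """Hardened: the same query with bound parameters. The input reaches the
    database as a value, never as SQL text, so quotes and -- are inert.
    (A real system would also compare a password hash, not the plaintext.)"""
    conn = _connect()
    sql = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    count = conn.execute(sql, (username, password)).fetchone()[0]
    return count > 0
```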
http://www.microsoft.com/Korea/MSDN/MSDNMAG/ISSUES/2004/SQLInjection/default.aspx