Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
SQL Injection Basics
Kentaro Kuribayashi
October 02, 2012
Technology
8
16k
SQL Injection Basics
社内勉強会用資料です。
Kentaro Kuribayashi
October 02, 2012
Tweet
Share
More Decks by Kentaro Kuribayashi
See All by Kentaro Kuribayashi
kentaro
2
510
kentaro
1
1k
kentaro
0
120
kentaro
1
490
kentaro
3
480
kentaro
0
430
kentaro
3
1.3k
kentaro
3
570
kentaro
0
12k
Other Decks in Technology
See All in Technology
line_developers
PRO
1
590
yashi8484
0
130
miu_crescent
0
310
kazeburo
2
130
shwars
0
110
shirayanagiryuji
1
180
yoku0825
PRO
2
670
nnstt1
2
120
kenya888
1
110
tatsy
0
130
jaguar_imo
0
120
hacker2202
0
100
Featured
See All Featured
deanohume
294
28k
ammeep
657
54k
jponch
103
5.1k
bryan
32
3.5k
pedronauck
652
110k
mojombo
359
62k
rmw
12
870
lynnandtonic
272
16k
sferik
613
55k
tenderlove
54
3.5k
destraynor
221
47k
mthomps
38
2.3k
Transcript
42-ΠϯδΣΫγϣϯͷ ݪཧɾݪଇ @kentaro ܀ྛ݈ଠ paperboy&co. http://www.flickr.com/photos/vissago/3270115155/
@kentaro ΤϯδχΞ 1FSMFS ϧϏʔετ ʮͪʯʮͪ ͺʔʯ࢝ऀ /FX ܀ྛ݈ଠ paperboy&co.
‣42-ΠϯδΣΫγϣϯࣗମͷৄࡉ ޙड़ͷࢀߟจݙΛࢀরͷ͜ͱ ‣͜͜Ͱ42-ΠϯδΣΫγϣϯΛ ࢝Ίͱ͢Δɺ͘8FCηΩϡϦςΟ ʹؔ͢Δݪཧɾݪଇʹ͍ͭͯड़·͢ લఏ
42-ΠϯδΣΫγϣϯɺ42-ͷݺͼग़͠ํʹෆඋ͕͋Δ߹ʹൃੜ͢Δ੬ ऑੑͰ͢ɻΞϓϦέʔγϣϯʹ42-ΠϯδΣΫγϣϯ੬ऑੑ͕͋Δ߹ɺҎԼ ͷΑ͏ͳӨڹΛड͚ΔՄೳੑ͕͋Γ·͢ɻͯ͢ɺ߈ܸऀ͕ೳಈతʹ ར༻ऀͷ ؔ༩ͳ͠Ͱ αʔόʔΛ߈ܸͰ͖·͢ɻ ‣σʔλϕʔεͷͯ͢ͷใ͕֎෦͔Β౪·ΕΔ ‣σʔλϕʔεͷ༰͕ॻ͖͑ΒΕΔ ‣ೝূΛճආ͞ΕΔ *%ͱύεϫʔυΛ༻͍ͣʹϩάΠϯ͞ΕΔ
‣ͦͷଞɺσʔλϕʔεαʔόʔ্ͷϑΝΠϧͷಡΈग़͠ɺॻ͖ࠐΈɺϓϩά ϥϜͷ࣮ߦͳͲΛߦΘΕΔ 42-ΠϯδΣΫγϣϯ ʰମܥతʹֶͿ҆શͳ8FCΞϓϦέʔγϣϯͷ࡞ΓํʱQ ҎԼʰಙؙຊʱ
$sql = "SELECT * FROM user WHERE uid = "
. $uid . " AND provider = '" . $provider . "'"; ΠϯδΣΫγϣϯͷྫ SELECT * FROM user WHERE uid = 9999 AND provider = ''; DELETE FROM user; -- ͠$provider͕͜͏ͩͬͨΒ '; DELETE FROM user; -- ʘ ?P? ʗ
͠੬ऑੑ͕͋ͬͨΒ ใ͕ྲྀग़ͨ͠߹ʹاۀଘଓͷةػʹͭͳ͕Γ͔Ͷͳ͍ɻ ใॲཧਪਐػߏʢ*1"ʣ42-ΠϯδΣΫγϣϯʹΑΔඃ͔Β ͷ෮چίετԯԁΛ͑͏Δͱ͓ͯ͠Γɺ࣮ࡍʹαϯυϋ εͷࣄྫͰิঈͷΈͰ໊ʹԁ૬ͷظݶ ͖ΫϨδοτΛෛ୲͍ͯ͠Δɻิঈͷ΄͔ʹઐՈʹΑΔௐ ࠪɺγεςϜͷೖΕସ͑ɺސ٬ରԠɺҰ࣌ดʹΑΔӦۀػձͷ ҳࣦɺ෩ධඃͱ͍ͬͨෛ୲͕͋Γɺ42-ΠϯδΣΫγϣϯؚ ΊηΩϡϦςΟରࡦݫີʹߦ͏͖Ͱ͋Δɻ IUUQKBXJLJQFEJBPSHXJLJ42-ΠϯδΣΫγϣϯ
੬ऑੑͷछྨ ʰಙؙຊʱQ
ΠϯδΣΫγϣϯܥ ʰಙؙຊʱQ 42-ΠϯδΣΫγϣϯ੬ऑੑ͕ൃੜ͢ΔݪҼɺͱͱʮσʔλʯΛఆ͠ ͍ͯΔͱ͜ΖʹγϯάϧΫΥʔτʮʯΛͬͯσʔλ෦ΛऴΘΒͤɺ42- จͷߏΛมԽͤͨ͞ͱ͜Ζʹ͋Γ·͢ɻ͜ͷݪཧଞͷΠϯδΣΫγϣϯܥ ੬ऑੑͰಉ͡Ͱ͢ɻσʔλͷதʹҾ༻ූσϦϛλͳͲʮσʔλͷऴʯΛ ࣔ͢ϚʔΫΛࠞೖͤͯ͞ɺͦͷޙͷจࣈྻͷߏΛมԽͤ͞ΔͷͰ͢ɻ
ݪཧ ‣94442-ΠϯδΣΫγϣϯɺ ى͜Δݪཧಉ͡ ‣)5.-ʹͤΑ42-ʹͤΑɺ8FCΞ ϓϦͷมͱ·ͬͨ͘ผͷϧʔϧ ʹΑͬͯߏங͞ΕΔจࣈྻ ‣ͦΕΒͷੈքͷϧʔϧΛཚ͞ͳ͍Α ͏ʹҙ͢Δඞཁ͕͋Δͱ͍͏Ͱಉ ͡
ݩʑɺ)5.-Λग़ྗ͢Δͱ͖ɺͦͷग़ྗશମʹରͯ͠ʮʯʮʯʮʯͷ Τεέʔϓॲཧͷݕ౼͕ཁٻ͞Ε͍ͯΔͷͰ͋ͬͯɺ$(*ೖྗʹґଘ͍ͯ͠Δ ͔Ͳ͏͔ແؔͰ͋Δɻͦ͜ͷߟ͑ํʹʮແಟԽʯͩͷʮແԽʯͩͷʮফ ಟʯͩͷʮαχλΠζʯͩͷʮαχλΠδϯάʯͩͷͱ͍͏ʢ࠷ۙྲྀߦͷʣൃ ग़ͯ͜ͳ͍ɻ ʮαχλΠζݴ͏ͳΩϟϯϖʔϯʯͱԿ͔ http://takagi-hiromitsu.jp/diary/20051227.html#p02 ݪཧ
ೖྗͷݕূʁ ‣όϦσʔγϣϯΞϓϦతʹॏཁ ‣ͨͩ͠ɺͦΕΞϓϦͷ༷ͷ Ͱ͋ͬͯɺ42-ΠϯδΣΫγϣϯͱ ؔͳ͍ ‣݁Ռతʹཱͭ͜ͱ͋Δ͚ͩ
αχλΠζʁ ‣͍͏ͳ CZͻΖΈͪΎઌੜ ‣Ͳ͏ͤ࿙ΕΔ ‣લड़ͷ௨Γɺҧ͏ϧʔϧͷจࣈྻΛ ࡞͠Α͏ͱ͍ͯ͠Δͷ͔ͩΒʮԚ છʯ͞ΕͯΑ͏͕ͳΜͩΖ͏͕ɺશͯ దʹॲஔ͢Δ͖
҉ͷલఏΛආ͚Δ ‣$entry->user_idʹ͔͋͠Γಘͳ͍ ͱ͍͏લఏʹཔΒͳ͍ ‣ͦΕ͕ຊʹͦ͏͔ͳΜͯΘ͔Βͳ͍͠ɺ Βͳ͍ؒʹલఏ͕มΘΔ͔͠Εͳ͍ ‣ੲ͋ͬͨmagic_quotes_gpc=onͱ͔֎ "select * from user
where user_id = " . $entry->user_id
είʔϓΛڱΊΔ ‣มͷείʔϓͰ͖Δ͚ͩڱ͍ํ͕Α͍ͱ ͍͏ϓϩάϥϛϯάͷݪଇΛద༻ ‣άϩʔόϧมΛͰ͖Δ͚ͩආ͚Δ͖Ͱ͋ Δͷͱಉ༷ ‣ۙͷίʔυͷΈͰ҆શੑΛ֬ೝͰ͖Δํ͕ Α͍ ‣ίʔυ͔Βԕ͘ΕͨॴͰอূ͞Ε͍ͯΔ ͔͠Εͳ͍ ͜ͱʹͨΑͬͯॲཧΛม͑Δ
͖Ͱͳ͍
ग़ྗͷۙͰॲஔ ‣ϓϩάϥϜͷม ϢʔβೖྗͰ%#͔Β ͖ͨͷͰͳΜͰ ͱ)5.-42-Λ݁߹ ͢Δࡍʹɺͦͷ݁߹ͷۙͰɺ)5.-42- ͷϧʔϧʹ߹ΘͤͨͳΜΒ͔ͷॲஔΛࢪ͢ ‣)5.-ͳΒhtmlspecialchars($str, ENT_QUOTES)͢Δ͠ɺ42-ͳΒϓϨʔεϗϧ μΛ͏ͳͲ
42-ΠϯδΣΫγϣϯͷࠜຊతղܾͷجຊόΠϯυػߏΛ༻͢Δ͜ͱͰ͢ ͕ɺԿΒ͔ͷཧ༝ʹΑΓόΠϯυػߏͰ࣮Ͱ͖ͳ͍߹ɺΤεέʔϓॲཧ ʹΑΔରࡦࠜຊతղܾͷҰͭʹͳΔͱ͍ͯ͠·͢ɻ͔͠͠ɺ্ͷҾ༻෦ʹ ͋ΔΑ͏ʹɺ42-ʹͱͬͯಛผͳҙຯΛ࣋ͭه߸ʢϝλจࣈʣɺσʔλϕʔ εΤϯδϯʹΑͬͯҟͳΔͷͰ͋ΓɺڥʹԠͯ͡ରࡦ͢Δඞཁ͕͋Γ· ͢ɻ ʰ҆શͳΣϒαΠτͷ࡞Γํผɿʮ҆શͳ42-ͷݺͼग़͠ํʯʱQ ݪଇ
mysql_queryؔ ‣ඇਪͰ͢ ‣Θͳ͍Α͏ʹ $sql = vsprintf( "SELECT * FROM user
WHERE uid = %d AND provider = '%s'", array_map('mysql_real_escape_string', array($uid, $provider)) ); $result = mysql_query($sql);
1&"3%# $result = $db->query( "SELECT * FROM user WHERE uid
= ? AND provider = ?", array($uid, $provider) ); ‣։ൃఀࢭ͍ͯ͠·͢ ‣Θͳ͍Α͏ʹ
1%0 ‣ʮ1%0ʹ͓͚ΔҰԠͷ҆શએݴͱΔ ʯIUUQCMPHUPLVNBSVPSH QEPIUNMΑΓվมͷ্ܝࡌ $dbh = new PDO('mysql:host=hostname;dbname=dbname;charset=utf8', “user”, “pass”);
// ੩తϓϨʔεϗϧμΛࢦఆ $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); $sth = $dbh->prepare("SELECT * FROM user WHERE uid =? AND provider = ?"); $sth->setFetchMode(PDO::FETCH_NUM); $sth->bindParam(1, $uid, PDO::PARAM_INT); $sth->bindParam(2, $provider, PDO::PARAM_STR); $sth->execute();
1&"3.%# ‣ʰಙؙຊʱQΑΓɺվมͷ্ܝࡌ header('Content-Type: text/html; charset=UTF-8'); $mdb2 = MDB2::connect('mysql://user:pass@hostname/dbname? charset=utf8'); $sql
= "SELECT * FROM user WHERE id = ? AND provider = ?"; $stmt = $mdb2->prepare($sql, array($uid, $provider)); $rs = $stmt->execute(array($author));
ԿΛ͍͍͑ͷʁ ‣1)1Ҏલͷ1%0จࣈίʔυ·ΘΓ Ͱ͍Ζ͍Ζ໘ ‣1&"3.%#Λ͏ͷ͕ແͦ͏ ‣͍ͣΕʹͤΑɺͪΌΜͱจࣈίʔυΛࢦఆ͠ ·͠ΐ͏ ‣ৄ͘͠ʮ1%0ʹ͓͚ΔҰԠͷ҆શએݴͱ ΔʯIUUQCMPHUPLVNBSVPSH QEPIUNMࢀরͷ͜ͱ
·ͱΊ ‣ม͕Ͳ͏͍͏Ͱ͋Δ͔ʹؔΘΒͣɺม ͷΛؚΉ42-ΛΈཱͯΔ߹ɺඞͣϓ ϨʔεϗϧμʔΛ͏ͳΓɺΤεέʔϓ͢Δͳ Γ͢Δ લऀɺಛʹ੩తϓϨʔεϗϧμΛ͏ ‣҉ͷલఏʹͨΑΒͣɺ҆શੑΛۙͰ֬ೝ Ͱ͖ΔΑ͏ʹ͢Δ ‣42-ΠϯδΣΫγϣϯʹݶΒͣɺಉ༷ͷΠϯ δΣΫγϣϯܥ੬ऑੑ
લड़ Ͱಉ༷
੩తϓϨʔεϗϧμʹؔ͢Δิ https://twitter.com/tokuhirom/status/253499819136520193 https://twitter.com/tokuhirom/status/253501614747439104 ‣ϝϞϦΛແବʹফඅ ͢Δͱ͍͏ʁ ‣ΫϥΠΞϯτ͕ͪΌ Μͱεςʔτϝϯτϋ ϯυϥΛ։์ͯ͠Ε ͳ͍ʁ ‣IUUQCMPHFWFSRVFVFDPN
DIJCB
༨ஊ ಙؙઌੜʹ͓͖͍͖ͨͩ·ͨ͠ https://twitter.com/ockeghem/status/253128283795886080
ࢀߟจݙ ‣ʮαχλΠζݴ͏ͳΩϟϯϖʔϯʯͱԿ͔ ‣IUUQUBLBHJIJSPNJUTVKQEJBSZIUNMQ ‣ʰମܥతʹֶͿ҆શͳ8FCΞϓϦέʔγϣϯ ͷ࡞Γํʱ ಙؙߒɾஶ ‣IUUQXXXTCDSKQQSPEVDUTIUNM ‣ʰ҆શͳΣϒαΠτͷ࡞Γํผʮ҆શͳ 42-ͷݺͼग़͠ํʯʱ ‣IUUQXXXJQBHPKQTFDVSJUZWVMOEPDVNFOUT
XFCTJUF@TFDVSJUZ@TRMQEG