
Lectures and Training / Inflearn - Webgoat 27

Vulnerable Components - Exploiting CVE-2013-7285 (XStream) XStream can be used for Remote Code Execution. https://x-stream.github.io/CVE-2013-7285.html XStream - CVE-2013-7285 CVE-2013-7285 Vulnerability CVE-2013-7285: XStream can be used for Remote Code Execution. Affected Versions All versions until and including version 1.4.6 are affected, but a workaround exists. Version 1.4.10 is affected if the security framework has not been x-stream.github.io Descr.. 2022. 3. 14.
SQL Injection (mitigation) SQL defenses: treat the data as a single entity and insert it into the SQL query. Parameterized Queries String query = "SELECT * FROM users WHERE last_name = ?"; PreparedStatement statement = connection.prepareStatement(query); statement.setString(1, accountName); ResultSet results = statement.executeQuery(); The SQL statement is precompiled in advance, so only the "parameters" that have to be inserted into the query to be executed need to be supplied. Stored Procedures (stored procedures) Safe Stored Procedure (Microsoft SQL Server) CREATE PROC.. 2022. 3. 8.
SQL Injection (advanced) ',+,|| allows string concatenation Char() strings without quotes Example: SELECT * FROM users WHERE name = '+char(27) OR 1=1 Union: combines the results of two SELECTs into one / duplicates are shown once / the number of columns must match and the data types must be the same SELECT * FROM [A] UNION (ALL) SELECT * FROM [B] SELECT first_name FROM user_system_data UNION SELECT login_count FROM user_data; Join: links two or more tables to retrieve data SELECT [Columns] FROM [A] INNER JOIN [B] ON [A... 2022. 3. 7.
SQL Injection (intro) SQL Injection - attacks the DBMS DML SELECT [column] FROM [table] WHERE [condition] select department from employees where userid=96134 UPDATE [table] SET [column] = 'new value' WHERE [condition] update employees set department = 'Sales' where userid = 89762 DDL alter table UserTbl add Birth varchar(6) NULL alter table employees add phone varchar(20) DCL GRANT [object privilege] (column) ON [object name] TO { user name | role name | PUBLIC } [WITH GRANT OPTION] grant selec.. 2022. 3. 6.