Trying to implement an SQL vulnerability in a Java web application. Java + MySQL
This is a bit of an odd one. For my uni final project I'm trying to develop a vulnerable web application as an educational tool. One of the vulnerabilities I want to implement is an SQL vulnerability where the user could perform an SQL injection through a 'product search' page on the site.
The problem is that somewhere along the way the inputs seem to be getting sanitised automatically, which means I am unable to perform an injection attack. I made a test record of just a single quote (') and this is returned when a single quote is input into the search. If the input was not sanitised it would return an error, right? I'm thinking this could be a feature of the software I'm using that I'll need to disable (or use an older version), or I've accidentally set it up in such a way that this is happening. If anyone knows why this might be happening, any help would be massively appreciated! :)
I have a database set up in MySQL Community Server 8.0.13 and a simple application made using JSPs. I have included the source code below.
The 'Product Search' page:
<%@page import="java.sql.Connection"%>
<%@page import="databaseManagement.DBConnection"%>
<%@page import="java.sql.ResultSet"%>
<%@page import="java.sql.SQLException"%>
<%@page import="java.sql.PreparedStatement"%>
<?xml version="1.0" encoding="ISO-8859-1" ?>
<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Search Our Products</title>
</head>
<body>
<h1>Search for a product</h1>
<form method="post" action="ProductSearch">
Search: <input type="text" name="Search"> <br>
<input type="submit" value="Go">
<%@taglib uri="http://java.sun.com/jstl/core_rt" prefix="c"%><br>
<table align="left" border="1">
<tr>
<th>ID</th>
<th>Name</th>
<th>Description</th>
<th>Price</th>
</tr>
<c:forEach var="product" items="${r1}">
<tr bgcolor="">
<td>${product.id}</td>
<td>${product.name}</td>
<td>${product.description}</td>
<td>${product.price}</td>
</tr>
</c:forEach>
</table>
</form>
</body>
</html>
The Java servlet:
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.ArrayList;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import databaseManagement.DBConnection;
import databaseManagement.Product;
@WebServlet("/ProductSearch")
public class ProductSearch extends HttpServlet {
private static final long serialVersionUID = 1L;
public ProductSearch() {
super();
// TODO Auto-generated constructor stub
}
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// TODO Auto-generated method stub
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// TODO Auto-generated method stub
String searchTerm = request.getParameter("Search");
searchTerm = "%" + searchTerm + "%";
ArrayList<Product> ab = new ArrayList<>();
try {
String sql1 = "select * from products where name like ?;";
DBConnection db = new DBConnection();
Connection con = db.getConnection();
PreparedStatement ps = con.prepareStatement(sql1);
// The search term is bound as a parameter value, so the driver never treats it as SQL text.
ps.setString(1, searchTerm);
ResultSet rs = ps.executeQuery();
while (rs.next()) {
Product b = new Product();
b.setId(rs.getInt("id"));
b.setName(rs.getString("name"));
b.setDescription(rs.getString("description"));
b.setPrice(rs.getString("price"));
ab.add(b);
}
request.setAttribute("r1", ab);
request.getRequestDispatcher("productSearch.jsp").forward(request, response);
}
catch (Exception s2) {
s2.printStackTrace();
}
}
}
It's PreparedStatement that's sanitising your inputs. Instead of setting your parameters, simply concat them to the SQL.
Fragment of the doPost method that should be placed to accept SQL injection:
....
try {
// The search term is now part of the SQL text itself.
String sql1 = "select * from products where name like '"+searchTerm+"';";
DBConnection db = new DBConnection();
Connection con = db.getConnection();
Statement ps = con.createStatement(); // requires import java.sql.Statement;
ResultSet rs = ps.executeQuery(sql1); // Statement.executeQuery takes the SQL string as its argument
while (rs.next()) {
....
PreparedStatement prevents SQL Injection, so use Statement instead.
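An added example, not code from the question or the answers, that reproduces both query styles from this thread against an in-memory SQLite table (standing in for the MySQL products table) with a constructed row whose name contains a single quote: with a bound parameter the quote is matched literally, while with string concatenation the database raises the syntax error the asker expected to see.

```python
import sqlite3

# Constructed sample data standing in for the page's MySQL 'products' table.
# Row 2 plays the role of the asker's test record whose name is a single quote.
PRODUCTS = [
    (1, "Widget", "A plain widget", "9.99"),
    (2, "Quote'", "A name containing a single quote", "1.00"),
]


def make_db():
    """Build a throwaway in-memory database with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "create table products (id integer, name text, description text, price text)"
    )
    con.executemany("insert into products values (?, ?, ?, ?)", PRODUCTS)
    return con


def search_parameterized(con, term):
    """Mirrors the servlet's PreparedStatement: the term is sent as a bound
    value, so a quote inside it is just data the pattern has to match."""
    pattern = "%" + term + "%"
    return con.execute("select * from products where name like ?", (pattern,)).fetchall()


def search_concatenated(con, term):
    """Mirrors the answer's Statement fragment: the term is spliced into the
    SQL text, so a quote inside it changes the query grammar."""
    sql = "select * from products where name like '%" + term + "%'"
    return con.execute(sql).fetchall()


def outcome(search, term):
    """Run one search style and report matched ids or the database error class,
    instead of swallowing the exception the way the servlet's catch block does."""
    con = make_db()
    try:
        return ("rows", [row[0] for row in search(con, term)])
    except sqlite3.Error as err:
        return ("error", type(err).__name__)
```

In the servlet on the page, `catch (Exception s2) { s2.printStackTrace(); }` sends such an error to the server log and forwards nothing to the JSP, so a syntax error shows up as an empty table in the browser rather than an error message.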