java - How to perform SQL injection for testing purposes?

I have a web application that I am trying to "break". There's a login page that requires username and password input. Let's say I have a table Auser that stores the username info in MySQL.

When I hit Login after keying in the credentials, it executes this line of code:

String sql = "select object(o) from Auser as o where ausername='" + username + "'";

Now, I know not using PreparedStatement makes the SQL query vulnerable to SQL injection, and I want to perform such a stunt. I created a dummy table called test for the purpose of being able to drop this table via the injection command.

I tried various ways, like this in my username input (root is the username):

root` DROP TABLE test;

And it didn't work. Is there a way to make my injection successful?

Update:

Just some extra info: my username column is VARCHAR(255) and my method for getting the username is below:

public Auser get(String username, boolean moreInfo) {
    try {
        Auser u = null;
        // the username is concatenated straight into the JPQL string (no parameter binding)
        String sql = "select object(o) from Auser as o where ausername='" + username + "'";
        List resList = em.createQuery(sql).getResultList();
        if (resList == null) { // null check for sql query / library error
            msg = CoreUtil.wrapMsg(CoreUtil.FUNC_ERROR,
                    this.getClass().getName(), "get[" + username + "]", "query error AUSER.");
        } else if (resList.isEmpty()) {
            msg = "User " + username + " not found.";
        } else {
            u = (Auser) resList.get(0); // only the first row is returned
        }
        return u;
    } catch (Exception e) {
        // a JPQL parse error (e.g. IllegalArgumentException) lands here
        msg = CoreUtil.wrapMsg(CoreUtil.FUNC_ERROR,
                this.getClass().getName(), "get[" + username + "]", e.getMessage());
        return null;
    }
}

It seems every solution I tried keeps throwing IllegalArgumentException and the table still remains. I just want to exploit the vulnerabilities of my program; it can be any kind of injection, whether dropping a table, returning all users' info, etc.

The EntityManager has some (very) basic protection built in that won't run more than one command in the same SQL statement.

This will protect you from Robert'); DROP TABLE Students; -- , but it won't protect from attackers trying to expand/alter the one query that's being run.

For example, in your code an attacker could get the details of another user by entering the username ' OR 1 = 1 -- . This would make the SQL string being executed

select object(o) from Auser as o where ausername='' OR 1 = 1 --'

which will select every user in the table (note that the -- at the end of the input will comment out everything after the injected code), and your method will return the first user in the result list. This will potentially give the attacker details about another user that they should not have access to. If the first account is an administrator account then they may also have access they should not have.

An attacker can also learn the structure of the table this way - they can try strings like ' and IS_ADMIN = IS_ADMIN -- , or ' OR ID = 0 -- . If they try enough of these (and attacks like this can be easily automated) they will find valid column names when the query doesn't throw an error. They can potentially then make a more targeted injection attack to gain access to an admin account.

They might also learn things from the error message returned from a failed attempt, such as the DB platform, which can make attacks easier.
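As an added example (not code from the question or from either answer), here is the concatenated JPQL from the question next to a version that binds the username as a named JPA parameter, which is the fix for the ' OR 1 = 1 -- case described above. It assumes an Auser entity with an ausername field, a javax.persistence EntityManager, and an AuserDao wrapper class; all three names are assumptions, not from the page.

```java
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;

// Assumed wrapper class (not from the question) holding the EntityManager.
public class AuserDao {
    private final EntityManager em;

    public AuserDao(EntityManager em) {
        this.em = em;
    }

    // VULNERABLE (same shape as the question's get method): the raw username is
    // spliced into the JPQL text, so an input such as   ' OR 1 = 1 --
    // rewrites the WHERE clause and the first user in the table is returned.
    public Auser getUnsafe(String username) {
        String jpql = "select o from Auser as o where o.ausername='" + username + "'";
        List<Auser> res = em.createQuery(jpql, Auser.class).getResultList();
        return res.isEmpty() ? null : res.get(0);
    }

    // HARDENED: the JPQL text is a constant and the username is bound as the
    // named parameter :name. JPA passes it to the driver as data, so quotes,
    // comment markers and keywords in the input are compared literally against
    // ausername and can never change the structure of the query.
    public Auser getSafe(String username) {
        TypedQuery<Auser> q = em.createQuery(
                "select o from Auser as o where o.ausername = :name", Auser.class);
        q.setParameter("name", username);
        List<Auser> res = q.getResultList();
        return res.isEmpty() ? null : res.get(0);
    }
}
```

With getSafe, the input ' OR 1 = 1 -- simply looks for a user whose name is literally that string and returns null; with getUnsafe it returns the first row of Auser.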

String sql = "select object(o) from Auser as o where ausername='" + username + "'";

If you want to delete the test table:

username = "x'; DROP TABLE test AND '1'='1"

If you want to see all fields of all Auser entries:

username = "x' OR '1'='1"
