一个简单的SQL注入
本例采用JSP+Servlet+Mysql:
1. 数据库:
数据库名:sqlinject
CREATE DATABASE sqlinject;
建user表:
Table: user
Create Table: CREATE TABLE `user` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`name` varchar(20) NOT NULL,
`sex` varchar(20) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=utf8
表中一些记录:
mysql> select * from user;
+----+--------+------+
| id | name | sex |
+----+--------+------+
| 1 | benson | m |
| 2 | jerry | f |
| 3 | Mike | m |
| 4 | Jenny | f |
| 5 | Rose | f |
+----+--------+------+
5 rows in set (0.00 sec)
JSP页面和Servlet:
1.index.jsp:负责接受用户的输入(输入用户名和选择性别)
SQL注入测试姓名:
性别:
男
女
QueryServlet处理类:
package zjut.tsw.servlet;
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import zjut.tsw.vo.User;
public class QueryServlet extends HttpServlet {
/**
*
*/
private static final long serialVersionUID = 1L;
ArrayList users = null;
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
request.setCharacterEncoding("utf-8");
response.setContentType("text/html;charset=utf-8");
// 获取姓名和性别
String name = request.getParameter("name");
String sex = request.getParameter("sex");
// debug
System.out.println("name is:" + name + "\nsex is:" + sex);
users = query(name, sex);
request.setAttribute("users", users);
request.getRequestDispatcher("/query.jsp").forward(request, response);
return;
}
public ArrayList query(String name, String sex) {
Connection conn = getConnection();
if(conn == null) System.out.println("conn is null");
Statement stmt = null;
ResultSet rs = null;
String sql = "select * from user where" + " sex='" + sex + "' and name='" + name + "'";
// debug
System.out.println(sql);
ArrayList users = new ArrayList(); // 保存用户
try {
stmt = conn.createStatement();
rs = stmt.executeQuery(sql);
while (rs.next()) {
User user = new User();
user.setName(rs.getString("name"));
user.setSex(rs.getString("sex"));
users.add(user);
}
return users;
} catch (SQLException e) {
e.printStackTrace();
return null;
}
}
// connect to db
public static Connection getConnection() {
Connection conn = null;
try {
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(
"jdbc:mysql://localhost:3306/sqlinject", "root", "root");
return conn;
} catch (ClassNotFoundException cnfe) {
cnfe.printStackTrace();
return null;
} catch (SQLException e) {
e.printStackTrace();
return null;
}
}
}
VO:User
package zjut.tsw.vo;
public class User {
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getSex() {
return sex;
}
public void setSex(String sex) {
this.sex = sex;
}
private String name;
private String sex;
@Override
public String toString() {
return "username is:" + name + "sex is:" + sex;
}
}
结果页面 query.jsp
查询结果姓名:${user.name },性别${user.sex }
web.xml
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
QueryServlet
zjut.tsw.servlet.QueryServlet
QueryServlet
/query.do
index.jsp
界面效果:
登录界面:
SQL注入:
结果:
这里在姓名输入框里输入了' or 'hack'='hack (hack名字是随意取的)
在地址栏中,%27代表单引号,+号代表一个空格,%3D代表=号,可以用JAVA的URLEncoder类和URLDecoder类进行转换
所有的记录都被查询出来了。
看下MyEclipse打印的SQL调试语句:
name is:' or 'hack'='hack
sex is:m
select * from user where sex='m' and name='' or 'hack'='hack'
Over...
5楼z11013853911小时前PreparedStatement pst=conn.PreparedStatment(sql);npst.SetString(n,xxx)n```````````````n楼主的例子是最经典的sql注入例子4楼csh6243661889小时前这种问题该怎么解决呢?3楼imfam520昨天 19:221、不用数据库n2、使用一个存储过程n3、过滤非法字符2楼sushengmiyan昨天 18:27不错1楼woshimaijunjinzhen昨天 17:57最经典的sql注入例子,一般都是用PreparedStatment,不自己拼接字符串