java-如何为测试目的执行SQL注入? [英] java-How to perform SQL injection for testing purposes?
问题描述
我有一个网络应用程序,我正试图破坏"它.有一个需要输入用户名和密码的登录页面.假设我有一个表 Auser 用于在 MySQL 中存储用户名的信息.
I have a web application that I am trying to "break".There's a login page that requires username and password input. Let's say I have a table Auser that stores username's info in MySQL.
当我在输入凭据后点击登录时,它会执行以下代码行:
When I hit Login after keying the credentials,it executes this line of code:
String sql = "select object(o) from Auser as o where ausername='" + username + "'";
现在,我知道不使用 preparedStatement 会使 SQL 查询容易受到 SQL 注入的影响,我想执行这样的特技.我创建了一个名为 test 的虚拟表,目的是能够通过注入命令删除该表.
Now, I know not using preparedStatement makes SQL query vulnerable to SQL injection and I want to perform such a stunt. I created a dummy table called test for the purpose of able to drop this table via the injection command.
我尝试了各种方法,例如在我的用户名输入中(root 是用户名):
I tried various ways like in my username input(root is the username):
root` DROP TABLE test;
它没有用.有没有办法让我的注射成功?
And it didn't work. Is there a way to make my injection successful?
更新:
只是额外的信息,我的用户名列是VARCHAR(255),我获取用户名的方法如下:
Just extra info, my username column is VARCHAR(255) and my method for getting the username is below:
public Auser get(String username, boolean moreInfo) {
try {
Auser u = null;
String sql = "select object(o) from Auser as o where ausername='" + username + "'";
List resList = em.createQuery(sql).getResultList();
if (resList == null) { // null check for sql query / library error
msg = CoreUtil.wrapMsg(CoreUtil.FUNC_ERROR,
this.getClass().getName(), "get[" + username + "]", "query error AUSER.");
} else if (resList.isEmpty()) {
msg = "User " + username + " not found.";
} else {
u = (Auser) resList.get(0);
}
return u;
} catch (Exception e) {
msg = CoreUtil.wrapMsg(CoreUtil.FUNC_ERROR,
this.getClass().getName(), "get[" + username + "]", e.getMessage());
return null;
}
}
似乎每一个解决方案,我都尝试过不断抛出IllegalArgumetnException,表仍然存在.我只是想利用我的程序的漏洞,无论是删除表,返回所有用户信息等
Seems every solution, I tried keeps throwing IllegalArgumetnException and the table still remains.I just want to exploit the vulnerabilities of my program,it can be any kind of injection whether dropping a table, returning all users info,etc.
推荐答案
EntityManager 内置了一些(非常)基本的保护,不会在同一个 SQL 语句中运行多个命令.
The EntityManager has some (very) basic protection built in that won't run more than one command in the same SQL statement.
这将保护您免受Robert');DROP TABLE 学生;--,但它无法防止攻击者试图扩展/更改正在运行的一个查询.
This will protect you from Robert'); DROP TABLE Students; --, but it won't protect from attackers trying to expand/alter the one query that's being run.
例如,在您的代码中,攻击者可以通过输入用户名 ' OR 1 = 1 -- 来获取另一个用户的详细信息;这将使正在执行的 SQL 字符串
For example, in your code an attacker could get the details of another user by entering the username ' OR 1 = 1 --; This would make the SQL string being executed
select object(o) from Auser as o where ausername='' OR 1 = 1 --'
它将选择表中的每个用户(注意输入末尾的 -- 将注释掉注入代码之后的所有内容),并且您的方法将返回表中的第一个用户结果列表 这可能会给攻击者提供他们不应访问的另一个用户的详细信息.如果第一个帐户是管理员帐户,那么他们也可能拥有不应拥有的访问权限.
which will select every user in the table (note that the -- at the end of the input will comment out everything after the injected code), and your method will return the first user in the result list This will potentially give the attacker details about another user that they should not have access to. If the first account is an administrator account then they may also have access they should not have.
攻击者也可以通过这种方式了解表的结构 - 他们可以尝试像 ' 和 IS_ADMIN = IS_ADMIN -- 或 ' OR ID = 0 --.如果他们尝试了足够多的这些(并且像这样的攻击可以很容易地自动化),当查询没有抛出错误时,他们将找到有效的列名.然后,他们可能会进行更有针对性的注入攻击,以获得对管理员帐户的访问权限.
An attacker can also learn the structure of the table this way - they can try strings like ' and IS_ADMIN = IS_ADMIN --, or ' OR ID = 0 --. If they try enough of these (and attacks like this can be easily automated) they will find valid column names when the query doesn't throw an error. They can potentially then make a more targeted injection attack to gain access to an admin account.
他们也可能从失败的尝试返回的错误消息中学习一些东西,例如数据库平台,这可以使攻击更容易.
They might also learn things from the error message returned from a failed attempt, such as the DB platform, which can make attacks easier.
这篇关于java-如何为测试目的执行SQL注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
