论坛首页 Java企业应用论坛

java SQL注入分析程序

浏览 4273 次
锁定老帖子 主题:java SQL注入分析程序
精华帖 (0) :: 良好帖 (0) :: 新手帖 (0) :: 隐藏帖 (9)
作者 正文
  • liu0107613
  • 等级: 二星会员
  • 性别:
  • 文章: 40
  • 积分: 220
  • 来自: 大连
   发表时间:2009-06-09  

DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `name` varchar(45) NOT NULL,
  `passwd` varchar(45) NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=gb2312;

 

 

 

 

package com.liuxt;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SqlInjection {
 Connection conn=null;
 
 private void initDB(){
  
  try{
   Class.forName("com.mysql.jdbc.Driver");
   conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" +
                                      "user=root&password=G@111111");

  }catch(Exception e){
    e.printStackTrace(); 
  }
  
  
 }

 private boolean queryPreUser(String name, String passwd) {
  PreparedStatement statement=null;
  try {
   String sql=this.ceatePreSql(name,passwd);
   statement=this.conn.prepareStatement(sql);
   System.out.println("sql....."+sql);
   statement.setString(1,name);
   statement.setString(2,passwd);
   ResultSet res=statement.executeQuery();
   int count=0;
   while(res.next()){
    count=res.getInt(1);
    
   }
   
   if(count==1) return true;
   else return false;
   
  } catch (SQLException e) {
   e.printStackTrace();
  }
  finally{
   try {
    statement.close();
   } catch (SQLException e) {
    e.printStackTrace();
   }
   
  }
  return false;
 }
 
 
 

 
 private String ceatePreSql(String name, String passwd) {
  StringBuilder sb=new StringBuilder();
  sb.append("select count(*) as cc from user ");
  sb.append("where name=? ");
  sb.append("and passwd=? ");
  return sb.toString();
 }


 private boolean queryUser(String name, String passwd) {
  Statement statement=null;
  try {
   statement=this.conn.createStatement();
   String sql=this.creatSql(name,passwd);
   System.out.println("sql ....."+sql);
   ResultSet res=statement.executeQuery(sql);
   int count=0;
   while(res.next()){
    count=res.getInt(1);
    
   }
   
   if(count==1) return true;
   else return false;
   
  } catch (SQLException e) {
   e.printStackTrace();
  }
  finally{
   try {
    statement.close();
   } catch (SQLException e) {
    e.printStackTrace();
   }
   
  }
  return false;
 }
 
 
 private String creatSql(String name, String passwd) {
  
  StringBuilder sb=new StringBuilder();
  sb.append("select count(*) as cc from user ");
  sb.append("where name='"+name+"' ");
  sb.append("and passwd='"+passwd+"'");
  //sb.toString();
  return sb.toString();
 }

 public static void main(String[] args) {
  
  SqlInjection dbTest=new SqlInjection();
  dbTest.initDB();
  boolean result;
  result=dbTest.queryUser("test","111");
  System.out.println("query result(in Statement) is ===="+result);
  result=dbTest.queryUser("", "' or 1=1 --'");
  System.out.println("query result(in Statement) is ===="+result);
  result=dbTest.queryUser("' or 1=1 --'", "x");
  System.out.println("query result(in Statement) is ===="+result);
  
  result=dbTest.queryPreUser("test","111");
  System.out.println("query result(in PreparedStatement) is ===="+result);
  result=dbTest.queryPreUser("", "' or 1=1 --'");
  System.out.println("query result(in PreparedStatement) is ===="+result);
  result=dbTest.queryPreUser("' or 1=1 --'", "x");
  System.out.println("query result(in PreparedStatement) is ===="+result);
 }

}

 

运行结果:

 

sql .....select count(*) as cc from user where name='test' and passwd='111'
query result(in Statement) is ====true
sql .....select count(*) as cc from user where name='' and passwd='' or 1=1 --''
query result(in Statement) is ====true
sql .....select count(*) as cc from user where name='' or 1=1 --'' and passwd='x'
query result(in Statement) is ====false
sql.....select count(*) as cc from user where name=? and passwd=?
query result(in PreparedStatement) is ====true
sql.....select count(*) as cc from user where name=? and passwd=?
query result(in PreparedStatement) is ====false
sql.....select count(*) as cc from user where name=? and passwd=?
query result(in PreparedStatement) is ====false

 

 
返回顶楼
         
  • neusoft
  • 等级: 初级会员
  • 性别:
  • 文章: 17
  • 积分: 60
  • 来自: 沈阳
   发表时间:2009-06-10   最后修改:2009-06-10
在每次查询后 把记录数输出 大家就全明白了
返回顶楼
          回帖地址
0 请登录后投票
  • iaimstar
  • 等级: 四星会员
  • 性别:
  • 文章: 2619
  • 积分: 450
  • 来自: 北京
   发表时间:2009-06-10  
ls图片 好不河蟹啊
返回顶楼
          回帖地址
0 请登录后投票
  • guoxu1231
  • 等级: 初级会员
  • 性别:
  • 文章: 155
  • 积分: 90
  • 来自: 上海
   发表时间:2009-06-11  
哟  漏点了  我要报告管理员才行   绝对不能让这么不河蟹的图片出现在JE上!
返回顶楼
          回帖地址
0 请登录后投票
  • fengzhongtian
  • 等级: 初级会员
  • 性别:
  • 文章: 4
  • 积分: 30
  • 来自: 成都
   发表时间:2009-07-14  
liu0107613 写道

DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `name` varchar(45) NOT NULL,
  `passwd` varchar(45) NOT NULL,
  PRIMARY KEY  (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=gb2312;

 

 

 

 

package com.liuxt;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SqlInjection {
 Connection conn=null;
 
 private void initDB(){
  
  try{
   Class.forName("com.mysql.jdbc.Driver");
   conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" +
                                      "user=root&password=G@111111");

  }catch(Exception e){
    e.printStackTrace(); 
  }
  
  
 }

 private boolean queryPreUser(String name, String passwd) {
  PreparedStatement statement=null;
  try {
   String sql=this.ceatePreSql(name,passwd);
   statement=this.conn.prepareStatement(sql);
   System.out.println("sql....."+sql);
   statement.setString(1,name);
   statement.setString(2,passwd);
   ResultSet res=statement.executeQuery();
   int count=0;
   while(res.next()){
    count=res.getInt(1);
    
   }
   
   if(count==1) return true;
   else return false;
   
  } catch (SQLException e) {
   e.printStackTrace();
  }
  finally{
   try {
    statement.close();
   } catch (SQLException e) {
    e.printStackTrace();
   }
   
  }
  return false;
 }
 
 
 

 
 private String ceatePreSql(String name, String passwd) {
  StringBuilder sb=new StringBuilder();
  sb.append("select count(*) as cc from user ");
  sb.append("where name=? ");
  sb.append("and passwd=? ");
  return sb.toString();
 }


 private boolean queryUser(String name, String passwd) {
  Statement statement=null;
  try {
   statement=this.conn.createStatement();
   String sql=this.creatSql(name,passwd);
   System.out.println("sql ....."+sql);
   ResultSet res=statement.executeQuery(sql);
   int count=0;
   while(res.next()){
    count=res.getInt(1);
    
   }
   
   if(count==1) return true;
   else return false;
   
  } catch (SQLException e) {
   e.printStackTrace();
  }
  finally{
   try {
    statement.close();
   } catch (SQLException e) {
    e.printStackTrace();
   }
   
  }
  return false;
 }
 
 
 private String creatSql(String name, String passwd) {
  
  StringBuilder sb=new StringBuilder();
  sb.append("select count(*) as cc from user ");
  sb.append("where name='"+name+"' ");
  sb.append("and passwd='"+passwd+"'");
  //sb.toString();
  return sb.toString();
 }

 public static void main(String[] args) {
  
  SqlInjection dbTest=new SqlInjection();
  dbTest.initDB();
  boolean result;
  result=dbTest.queryUser("test","111");
  System.out.println("query result(in Statement) is ===="+result);
  result=dbTest.queryUser("", "' or 1=1 --'");
  System.out.println("query result(in Statement) is ===="+result);
  result=dbTest.queryUser("' or 1=1 --'", "x");
  System.out.println("query result(in Statement) is ===="+result);
  
  result=dbTest.queryPreUser("test","111");
  System.out.println("query result(in PreparedStatement) is ===="+result);
  result=dbTest.queryPreUser("", "' or 1=1 --'");
  System.out.println("query result(in PreparedStatement) is ===="+result);
  result=dbTest.queryPreUser("' or 1=1 --'", "x");
  System.out.println("query result(in PreparedStatement) is ===="+result);
 }

}

 

运行结果:

 

sql .....select count(*) as cc from user where name='test' and passwd='111'
query result(in Statement) is ====true
sql .....select count(*) as cc from user where name='' and passwd='' or 1=1 --''
query result(in Statement) is ====true
sql .....select count(*) as cc from user where name='' or 1=1 --'' and passwd='x'
query result(in Statement) is ====false
sql.....select count(*) as cc from user where name=? and passwd=?
query result(in PreparedStatement) is ====true
sql.....select count(*) as cc from user where name=? and passwd=?
query result(in PreparedStatement) is ====false
sql.....select count(*) as cc from user where name=? and passwd=?
query result(in PreparedStatement) is ====false

 

 

 
返回顶楼
          回帖地址
0 请登录后投票
  • liomao
  • 等级: 初级会员
  • 性别:
  • 文章: 18
  • 积分: 30
  • 来自: 广州
   发表时间:2009-07-15  
SQL注入无处不在
有数据输入查询数据库而不加以限制就很容易产生注入
我在C# 的界面程序也试过SQL注入成功
返回顶楼
          回帖地址
0 请登录后投票
论坛首页 Java企业应用版

跳转论坛:
Global site tag (gtag.js) - Google Analytics