FilesExpand file tree

 master

/

SQLI.java

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

198 lines (158 loc) · 5.55 KB

 master

/

SQLI.java

Top

File metadata and controls

• Code
• Blame

198 lines (158 loc) · 5.55 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

package org.joychou.controller;

import org.joychou.mapper.UserMapper;

import org.joychou.dao.User;

import org.joychou.security.SecurityUtil;

import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.beans.factory.annotation.Value;

import org.springframework.web.bind.annotation.*;

import java.sql.*;

import java.util.List;

/**

* SQL Injection

*

* @author JoyChou @2018.08.22

*/

@SuppressWarnings("Duplicates")

@RestController

@RequestMapping("/sqli")

public class SQLI {

private static Logger logger = LoggerFactory.getLogger(SQLI.class);

private static String driver = "com.mysql.jdbc.Driver";

@Value("${spring.datasource.url}")

private String url;

@Value("${spring.datasource.username}")

private String user;

@Value("${spring.datasource.password}")

private String password;

@Autowired

private UserMapper userMapper;

/**

* Vuln Code.

* http://localhost:8080/sqli/jdbc/vul?username=joychou

*

* @param username username

*/

@RequestMapping("/jdbc/vuln")

public String jdbc_sqli_vul(@RequestParam("username") String username) {

StringBuilder result = new StringBuilder();

try {

Class.forName(driver);

Connection con = DriverManager.getConnection(url, user, password);

if (!con.isClosed())

System.out.println("Connect to database successfully.");

// sqli vuln code

Statement statement = con.createStatement();

String sql = "select * from users where username = '" + username + "'";

logger.info(sql);

ResultSet rs = statement.executeQuery(sql);

while (rs.next()) {

String res_name = rs.getString("username");

String res_pwd = rs.getString("password");

String info = String.format("%s: %s\n", res_name, res_pwd);

result.append(info);

logger.info(info);

}

rs.close();

con.close();

} catch (ClassNotFoundException e) {

logger.error("Sorry,can`t find the Driver!");

} catch (SQLException e) {

logger.error(e.toString());

}

return result.toString();

}

/**

* Security Code.

* http://localhost:8080/sqli/jdbc/sec?username=joychou

*

* @param username username

*/

@RequestMapping("/jdbc/sec")

public String jdbc_sqli_sec(@RequestParam("username") String username) {

StringBuilder result = new StringBuilder();

try {

Class.forName(driver);

Connection con = DriverManager.getConnection(url, user, password);

if (!con.isClosed())

System.out.println("Connecting to Database successfully.");

// fix code

String sql = "select * from users where username = ?";

PreparedStatement st = con.prepareStatement(sql);

st.setString(1, username);

logger.info(st.toString()); // sql after prepare statement

ResultSet rs = st.executeQuery();

while (rs.next()) {

String res_name = rs.getString("username");

String res_pwd = rs.getString("password");

String info = String.format("%s: %s\n", res_name, res_pwd);

result.append(info);

logger.info(info);

}

rs.close();

con.close();

} catch (ClassNotFoundException e) {

logger.error("Sorry, can`t find the Driver!");

e.printStackTrace();

} catch (SQLException e) {

logger.error(e.toString());

}

return result.toString();

}

/**

* vuln code

* http://localhost:8080/sqli/mybatis/vuln01?username=joychou' or '1'='1

*

* @param username username

*/

@GetMapping("/mybatis/vuln01")

public List<User> mybatisVuln01(@RequestParam("username") String username) {

return userMapper.findByUserNameVuln01(username);

}

/**

* vul code

* http://localhost:8080/sqli/mybatis/vuln02?username=joychou' or '1'='1' %23

*

* @param username username

*/

@GetMapping("/mybatis/vuln02")

public List<User> mybatisVuln02(@RequestParam("username") String username) {

return userMapper.findByUserNameVuln02(username);

}

// http://localhost:8080/sqli/mybatis/orderby/vuln03?sort=1 desc%23

@GetMapping("/mybatis/orderby/vuln03")

public List<User> mybatisVuln03(@RequestParam("sort") String sort) {

return userMapper.findByUserNameVuln03(sort);

}

/**

* security code

* http://localhost:8080/sqli/mybatis/sec01?username=joychou

*

* @param username username

*/

@GetMapping("/mybatis/sec01")

public User mybatisSec01(@RequestParam("username") String username) {

return userMapper.findByUserName(username);

}

/**

* http://localhost:8080/sqli/mybatis/sec02?id=1

*

* @param id id

*/

@GetMapping("/mybatis/sec02")

public User mybatisSec02(@RequestParam("id") Integer id) {

return userMapper.findById(id);

}

/**

* http://localhost:8080/sqli/mybatis/sec03

*/

@GetMapping("/mybatis/sec03")

public User mybatisSec03() {

return userMapper.OrderByUsername();

}

@GetMapping("/mybatis/orderby/sec04")

public List<User> mybatisOrderBySec04(@RequestParam("sort") String sort) {

return userMapper.findByUserNameVuln03(SecurityUtil.sqlFilter(sort));

}

}