FilesExpand file tree

 dev01

/

SQLI.java

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

173 lines (133 loc) · 4.7 KB

 dev01

/

SQLI.java

Top

File metadata and controls

• Code
• Blame

173 lines (133 loc) · 4.7 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

package org.joychou.controller;

import org.joychou.mapper.UserMapper;

import org.joychou.dao.User;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.web.bind.annotation.*;

import javax.servlet.http.HttpServletRequest;

import java.sql.*;

/**

* @author JoyChou ([email protected])

* @date 2018.08.22

* @desc SQL Injection

*/

@RestController

@RequestMapping("/sqli")

public class SQLI {

private static String driver = "com.mysql.jdbc.Driver";

private static String url = "jdbc:mysql://localhost:3306/java_sec_code";

private static String user = "root";

private static String password = "woshishujukumima";

@Autowired

private UserMapper userMapper;

/**

* Vul Code.

* http://localhost:8080/sqli/jdbc/vul?username=joychou

*

* @param username username

*/

@RequestMapping("/jdbc/vul")

public static String jdbc_sqli_vul(@RequestParam("username") String username){

String result = "";

try {

Class.forName(driver);

Connection con = DriverManager.getConnection(url, user, password);

if(!con.isClosed())

System.out.println("Connecting to Database successfully.");

// sqli vuln code 漏洞代码

Statement statement = con.createStatement();

String sql = "select * from users where username = '" + username + "'";

System.out.println(sql);

ResultSet rs = statement.executeQuery(sql);

System.out.println("-----------------");

while(rs.next()){

String res_name = rs.getString("username");

String res_pwd = rs.getString("password");

result += res_name + ": " + res_pwd + "\n";

System.out.println(res_name + ": " + res_pwd);

}

rs.close();

con.close();

}catch (ClassNotFoundException e) {

System.out.println("Sorry,can`t find the Driver!");

e.printStackTrace();

}catch (SQLException e) {

e.printStackTrace();

}catch (Exception e) {

e.printStackTrace();

}finally{

System.out.println("-----------------");

System.out.println("Connect database done.");

}

return result;

}

/**

* Security Code.

* http://localhost:8080/sqli/jdbc/sec?username=joychou

*

* @param username username

*/

@RequestMapping("/jdbc/sec")

public static String jdbc_sqli_sec(@RequestParam("username") String username){

String result = "";

try {

Class.forName(driver);

Connection con = DriverManager.getConnection(url, user, password);

if(!con.isClosed())

System.out.println("Connecting to Database successfully.");

// fix code

String sql = "select * from users where username = ?";

PreparedStatement st = con.prepareStatement(sql);

st.setString(1, username);

System.out.println(st.toString()); // sql after prepare statement

ResultSet rs = st.executeQuery();

System.out.println("-----------------");

while(rs.next()){

String res_name = rs.getString("username");

String res_pwd = rs.getString("password");

result += res_name + ": " + res_pwd + "\n";

System.out.println(res_name + ": " + res_pwd);

}

rs.close();

con.close();

}catch (ClassNotFoundException e) {

System.out.println("Sorry,can`t find the Driver!");

e.printStackTrace();

}catch (SQLException e) {

e.printStackTrace();

}catch (Exception e) {

e.printStackTrace();

}finally{

System.out.println("-----------------");

System.out.println("Connect database done.");

}

return result;

}

/**

* security code

* http://localhost:8080/sqli/mybatis/sec01?username=joychou

*

* @param username username

*/

@GetMapping("/mybatis/sec01")

public User mybatis_vul1(@RequestParam("username") String username) {

return userMapper.findByUserName(username);

}

/**

* security code

* http://localhost:8080/sqli/mybatis/sec02?id=1

*

* @param id id

*/

@GetMapping("/mybatis/sec02")

public User mybatis_v(@RequestParam("id") Integer id) {

return userMapper.findById(id);

}

/**

* security code

* http://localhost:8080/sqli/mybatis/sec03

**/

@GetMapping("/mybatis/sec03")

public User mybatis_vul2() {

return userMapper.OrderByUsername();

}

}