MySQL注入攻击
当Web应用程序没有校验用户输入数据的合法性,并把输入直接拼接进SQL语句时,攻击者就可以在程序事先定义好的查询语句末尾添加额外的SQL片段,欺骗数据库服务器执行未经授权的任意查询,进而获取相应的数据。防御的根本办法是使用参数化查询(如JDBC的PreparedStatement),让用户输入只作为数据,而不会被当作SQL代码的一部分来解析。
数据表
-- Demo table backing the login check in the Java example.
-- NOTE(review): upassword holds clear-text passwords only to keep the demo
-- short; a real application would store a salted password hash instead.
CREATE TABLE USER (
    uid       INT PRIMARY KEY AUTO_INCREMENT,
    uname     VARCHAR(20),
    upassword VARCHAR(20)
);

-- Two sample accounts used by the walkthrough.
INSERT INTO USER (uname, upassword)
VALUES
    ('mark', '123'),
    ('tom', '789');

-- Show the current contents of the table.
SELECT
    uid,
    uname,
    upassword
FROM USER;
注入攻击
-- Shape of the login query after extra SQL has been appended to its end.
-- AND binds tighter than OR, so the predicate is evaluated as
-- (uname = ... AND upassword = ...) OR 1=1, which is true for every row:
-- the query returns all users even though no credential pair matched.
SELECT *
FROM USER
WHERE (uname = 'dada' AND upassword = 'ds')
   OR 1 = 1;
Java测试
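/**
 * Teaching example: a login check that builds its SQL by string concatenation,
 * kept deliberately vulnerable so the effect of SQL injection can be observed.
 *
 * Do not copy the query-building code into an application. The safe form is a
 * parameterized query, which sends the user's input as data only:
 *
 *   PreparedStatement ps = conn.prepareStatement(
 *           "SELECT * FROM USER WHERE uname=? AND upassword=?");
 *   ps.setString(1, name);
 *   ps.setString(2, pass);
 *   ResultSet rs = ps.executeQuery();
 */
public class JDBCAttack {
    private static Scanner sc;

    /**
     * Reads a user name and a password from standard input, runs the login
     * query against the local demo database and prints whether a row matched.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        // Read the user name and password typed by the user.
        // Scanner.next() returns one whitespace-delimited token per call.
        sc = new Scanner(System.in);
        System.out.println("请输入用户名:");
        String name = sc.next();
        System.out.println("请输入密码:");
        String pass = sc.next();

        // Register the JDBC driver. A failure is only reported here; the
        // connection attempt below will then fail with an SQLException.
        try {
            Class.forName("com.mysql.jdbc.Driver");
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }

        // NOTE(review): hard-coded root credentials are acceptable only for a
        // local demo database; an application should connect with a
        // least-privileged account whose password is not stored in source code.
        String url = "jdbc:mysql://localhost:3306/mybase";
        String username = "root";
        String password = "root";

        Connection conn = null;
        Statement st = null;
        ResultSet rs = null;
        try {
            // Open the connection and create the statement object.
            conn = DriverManager.getConnection(url, username, password);
            st = conn.createStatement();

            // INTENTIONALLY VULNERABLE (demo): name and pass are pasted into
            // the SQL text, so quote characters in the input change the
            // structure of the query. See the class comment for the
            // parameterized replacement.
            String sql = "SELECT * FROM USER WHERE uname='" + name + "' AND upassword='" + pass + "'";
            // Print the final statement so the reader can see what was executed.
            System.out.println(sql);

            // Run the verification query; any returned row counts as a match.
            rs = st.executeQuery(sql);
            if (rs.next()) {
                System.out.println("用户名和密码验证通过!");
            } else {
                System.out.println("用户名和密码验证不通过!");
            }
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            // Close each resource on its own: a resource that was never opened
            // (connection failure) is skipped instead of raising a
            // NullPointerException, and an error while closing one resource
            // no longer prevents the remaining ones from being closed.
            if (rs != null) {
                try {
                    rs.close();
                } catch (SQLException e) {
                    e.printStackTrace();
                }
            }
            if (st != null) {
                try {
                    st.close();
                } catch (SQLException e) {
                    e.printStackTrace();
                }
            }
            if (conn != null) {
                try {
                    conn.close();
                } catch (SQLException e) {
                    e.printStackTrace();
                }
            }
        }
    }
}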
测试结果