版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/A657997301/article/details/82594616
SQL注入
攻击原理
SQL注入是指在后台的数据库操作中,用户的输入本应作为查询或其他sql语句中的某个参数,而攻击者通过精心构造带有sql语句的输入,能够绕过系统防护,达到将输入转换为可执行代码的目的,最终系统执行攻击者的sql代码,造成破坏。攻击影响
SQL注入通常被认为有着极大的破坏性,主要原因在于这种攻击方法能够直接进入数据库,执行任意命令。主要的攻击影响包括以下几种:
1) 对查询约束进行短路 (注入“or 1=1”);
2) 获取机密信息(注入“UNION SELECT x, y FROM table”);
3) 数据恶意删除(注入“DELETE FROM table”);
4) 获取更大的权限,通向系统控制(利用木马拿到webshell);
5) 混合攻击方法(与XSS等方法组合,实现更多种的攻击方法)。防御优先级
1) 针对SQL注入,首选方案是参数化预编译,但不正确的使用预编译依然可能导致SQL注入问题,例如开发人员使用使用拼接SQL语句的预编译;
2) 白名单方法也是一种有效防御方法,可以对表名、字段名进行限制,白名单为第二选择;
3) 在预编码不能使用的场景下,使用转义方法,若有预编码方法,不需要转义;
4) 黑名单方法,最不建议使用,因为涉及到数据库不同,版本之间也有差异,很难穷举;
5) 安全配置及纵深防御也是必要的防御手段,能够增加抗攻击性,例如关闭返回错误信息,虽然不能防止攻击,但是能极大增加攻击者的攻击时间。
添加代码
views部分
在views 文件夹里新建一个File,命名为SQLController.tpl ,添加如下代码(即在body标签里改成两个表单作SQL查询对比,其他内容与index.tpl无异):
<html>
<head>
<title>Beego</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="shortcut icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAYAAACqaXHeAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyRpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuMy1jMDExIDY2LjE0NTY2MSwgMjAxMi8wMi8wNi0xNDo1NjoyNyAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENTNiAoTWFjaW50b3NoKSIgeG1wTU06SW5zdGFuY2VJRD0ieG1wLmlpZDpFNTdGOTA3OTczQTgxMUU0QTlEQUM0NEYyRkI1NEQxQiIgeG1wTU06RG9jdW1lbnRJRD0ieG1wLmRpZDpFNTdGOTA3QTczQTgxMUU0QTlEQUM0NEYyRkI1NEQxQiI+IDx4bXBNTTpEZXJpdmVkRnJvbSBzdFJlZjppbnN0YW5jZUlEPSJ4bXAuaWlkOkU1N0Y5MDc3NzNBODExRTRBOURBQzQ0RjJGQjU0RDFCIiBzdFJlZjpkb2N1bWVudElEPSJ4bXAuZGlkOkU1N0Y5MDc4NzNBODExRTRBOURBQzQ0RjJGQjU0RDFCIi8+IDwvcmRmOkRlc2NyaXB0aW9uPiA8L3JkZjpSREY+IDwveDp4bXBtZXRhPiA8P3hwYWNrZXQgZW5kPSJyIj8+lsWdMwAAIvtJREFUeNrke3d81PX9//PzuX3JXXYu+7InmzCDQCDsISAbLFppa798URHroE4eddRW21rR/iy2Vm0drbL3hoBASMII2Xtfkkvucnv/Xu9PSAyKCv2p//w+eVxyufG59/s1nuP9/hzn8/nw//Mh9nq9cLvdP/oHO51OyGQyiMVisCTwPA+LxSL8z3HcjzIGkUgE8fnz57F27VqwQPyYh1arFT355JM/bygvnWOz2nxjpuZa3nr77UeOHzvWIWYDo0D80MfGjRshtlqtqKur+9ErYNXq1blqueytL/buhJIqoaO6EslRUZHdQ4e+WlBYeLq7u9vyQ49Br9ezyuOFUvi+Drlcjueee+7u4cOHZ3zb665evVrR0Nx8IiQwEH4+N9ztTdAVnpu6at7s/cOHDcsIDQnhf4wW+N4/ZNq0aaOWL1/+AeFKxLe9bv++fU1bnn1uqTIh9VRAWhbEmiho4hOxe89epKSkfHJg795ff5+J+UYQ/L5PaDabA1paWlQEbM7vem1DfX33vuMnVrzzzjuPV5VdF3l8nDfcZJpBuJRcVVdXcqef7efvjw8//OdPg4ODAjb8z/+8X1JSov/RA2AwGLwM1f1pMLdzXC4u1k0YP35zHxv7cN+aNa+HqVRJVEGqOyHoe3/ykwlZKUkvNl4uyG0TiZGXM36OXCa971JhUeu3ve97bwFGZU6nA1Kp5Lbf4/F4iIU8AhO5fT6xJiREkZiYMP52yTAmNlYaEx2z7NLJk7lFx47i4rEjUPmrZqxctXru91YB1I88DfQ7uZJlXyKR0uu/+dRiqRQcOAmdz0fnpXn6XC5nX8fIFApYbFbo2todtzs2TVhYjFoi+t+E5FTnlbLyF6oqqwxxXpGh+PK7//reAjB58uTshx56aOWDDz74nE6nM31bAJiQuZWYiYiMlGVmZGRNGpO9WSXCuK4unScsLEpkdHsPvvbGnx612uxOtUoNr9uF3p4eoTK+6+AJKFetXPlSa22NJFSrferqnj2vtLe2oq619bbmddstQOXJLVq0aFNOTs7473gd7Hb714QVC8j4MWNjnn34obOR3a2rU0y6pCkKX2poW02Su6Jkw4JZs/4YEhaGWK3WxaqnranRo4mIQCDRJMfz3ObHNs+Nj4+/Be3KUFl2PZmDr6G0rGxP+21O/I4DQBPgenq6QQhv/7bXSSQSypxbkLqDD6WfH+bOmvHrsr3/kadJfXDanahq6Ya+qxe8zQybxfzLP/35z8ckUvHSwuJCKBSKZadOnjz0523bXooIC42WiCWvP71ly4ktTz2Vt3TZsoiMjAxh7D9Zs3ZNVEhwemVtTf6HH3xw/QejQZfL1V5XW1cyb+7cvLa2ti8aGxtvaSBUKhWpK5FQBYMP5jcMLc2jkyU+BAQFQZOWCmlDM3buPQaT2YJOUy+OvrNtmorzIMLlhOF8ftzHVwvj2k2WmQtHD99QdeaEuuLUsbTJs+dNHLpokZP0xvYtW7ZsaqipjQvLyvSbMXe+fM/hYz+cDvjiiy/q33vvvfd/+9tXX/7i/PnfUwBuiQM9PT1OJq0ZG9z0QaTtg6Oi7Ib2OozQhMGrVKDbYAbn8yA+LBAzR2RCq1IgQCaFiaqHQx+LuNR+cHi8aocmELxYBH3lZemxYwekovDYR5YvWBju5ZDS2N5qqO3seOsHFUKspyOjotTlFeWu2traW+p0pVLJLViwIJ2Cg46ODstXZacmLl5x5OQJiC6Xw1tUipbODmRnZSA4PgkepR95khr4dXUhLsCPes7dxyhSDn4UDp6XC+eJVEqQFKxCja4HZodndX51HeLGjW+tbmiq/a/k8Lp16/DBBx/gdtYFRo0a7VarVTNJ5HSePXv26i0CIN26detO6n81ydnepqamE729vb7+Crjv/p+qHU53bmPRJV4doEbY6PGYtOanmLhkGUZOmoyokWNQbzChvaYGIQoJvD6vMC5SVvBQAvpvZKARGeAPrVoBKedDeYtOFZ+WOSNvxgx/Q0/PZQq+6zaZ7c6E0J///MYZh9Wqnz9//sOZWVnKmyguIoJ76qmnfqNWqxlAYeLEievo/kCFORwOVFVWxJrqq/jYKA0SZi/C6sefRtrw4ZDesL5RkZFY8ov/gVebjHaz7YaW4G7cMPCXBcRJOOEgwZVJ7ZQEL0qO7s9SSiS/jYyOTvtBWKA/ix16/X6L2Tz6/nXr5rEFDeb+SBvc9eijj76el5f3K3KB4uSkJJw4ftxMmRgQM/csXTais7pykZ++jQscng2jRIaz+flfbyM6Z9rEyWi3OsCkRP/02X2ebiIaAwNZ8g1CWzlIKwQRnuTEROHC5x9DyfN/yxoyNIU9RwkQbt+2wHJHXoCMDggIX1+zevWvCOQe37Zt23yr1coNzcpcFBkdo0pISBBWdkiaIiAwMGLTo48++OstW/7CylitUq1Cd2d0YFQ0nIFh2P7O/0FyfAIm5UwSJtcvoNgRFBUFCyeC0+MD04lU8fScDB63B+29VhgpCGIKIGeykoa0UzU4IBPxGBMVgYoO3fCRaWk7Y2JjNvzu1VfXeF0uftmKFc/1GAw9+q4uy1db/Y7NUExMjDwtPd1ZVVWVPX369Gw/4nfi7JvMD6sUqgQ/Yo4J9IF/GTV6tNra1RkrETmgHj4KDnqPydCNuXM3oD85g7PktNngpcn7qN85UV8JmDwu1NjdiJ44DbOn5wl029LQiKITR6Gjm5/bgUCqxsywAFxrqc/kVUE739j6QoDXYcPoBO3secufcNY0NT3x4ksvf0q6+78PAItgUlISR66PaQOEkXr7qgwetOY3/J577kkkdacZqglb5Th/Ah6OxyQCvIgIDXIm5nztfSaiz9KiQgSQOZJJqNRJP7BAlOutGLbuZ5g+Zz495oKM/ERYRCSGjBmDmIwsfPiHV+GhwIVSIuL85RB16wL8nWaqIjf8OD7q9IfvIXP2nBc1mvDPm5ub3f+1G2QCh01u6NChKCwsFNpisNztd4TV1dWg9hhOej7tQv4Za2ttJYIo8+1tHZQ9f0yfNl3Aj8HvM+i7cWj/AVSfPQNtcCApSp/A/a1mBzRj70IeTf6tbW9i5fIVqCGmEDJILTd5xixMWrIKrS4PbA4nAik4yaFB6HHYoQgMgohwQEl6o+mLs7HTJkx85P/JDptMJofRaGCrNoJOP3jw4IDsZVqBgA9FRUUC6jPKsjudd7ldLn9DWzOCVBSA+ipcLrhwkxU295rQRqrw8K5dOPvB3zGE+CXET0KV4REGqHO4MGzqVPrfi5NHj0HXrmPBHTiHg0p6+LBhCIyJR4fFBsJHlJGeCI6LQV7uBMREa2Aj/ODsFllkRPiKBQsWav+rFpBSZDdt2vQQ2V0F6/uxY8fijT+9Iej/0aNHC4uM9fX1uHL1CoKDg1mrMCPzZPzU3Gm1+z6HIikOakK097dtg7/cD2HhGtipR0k9ouRSAarzT2BiiBLxocFURX2VZbO7IKHPYhTJAHbEyBEIDQtHenr6l1mkCTNGio6OQWVNKRkSf4gZblisuF5eheZaCj6ZJpvNjpxxY7JHT546cs+e3Q0DAbjdJfHZs2eFUdaXEdoLi3VsklqtFm+/9TZyp+UKr2GZYcCYmJgoUNDlK1e4Q0cOj0slievxujAiLgqVF6/izd9uxeScyTQAHrV1VTA31iFHGwkDmaRzVA3DNaGQUrDcBG4ihR94iZQmyuFXTz4JtmzOgj7gM6gCPYRHUlKTPNtnoNaJ8lejtaML3Q43gohKJBQln0yNg8dOfLLn4KFDAxXAAIj1IkWXYwsU/TTRv1rcvzBJk45+4IH1H4WHhmaGh4cPWo2JQRTRlp1EiTY2TjgXYwQW1FryBOGU5T27d0ETGQIR8beazNDKsUNQ1dUJ97XzdH4Z+O5uqGUSXO3qwV8OniShAzy5IA8ZkWHwlyqA7l60kc0Npc9V3MCNAYlOLaSj52xmE1rrG6ASUaA8NFk6h8XmhCiUF4RWS2cnNOMmISFjiOGdv79nGwhAN334M888s3LDhg1bS0tLvSRdBefGIkwZ9FIvW2gynq6urgCNRpM+hMCvH7TMJhMqKysxNXeqAIZU7gI9MXbooXY4+vlnlDkxMjMyoWuqRDeVYIhMDhnvwYioSCGjZrdXyLgqOAhepwce4nNKI+pMNnRZmxBM44gg7Di7dyeSUtNIbiv6mIO1B6F+O/kOK43jWlkFqi4XYUR4ID1HusNPgc6GJuRX2qAJCUEs0e+E+QsLf/fa67+/SQewiVZUVHQSmBVRMNzMy7NeYROivvKLjIxcdO7cOcRo42AmdGfZZQDI8ODi+fNC348lKoqgHt2xc6ewtsey3m0wIkTKY92i6fjdP3ehpKMHpY0dGBkfCyVJXJebgJMokSeiTwkJQmlnD6QBKkzISIGMUCxARq+hNJZ16KENCoD5+hX8a9sbmHbPMgQEBMJGY+nUtaOzpRUXCy9h384dSJNLoKBWY1UsomTIqOIQHom7VqzA0Ozsgq3PP7/q6NGjNTetcxw/fpyt5d+y5xnH79q1awtRzrNmi1nm9XjR1tYGf7UKYaFhRGltGDlyJNP9NKgA1NfW4j+U9ThtPDNG+OBv26FV8JBTjzp7DPATSRCsViJZE0z97SF+9wlV4KCerRAHIPquqXDZLDAwJjl9AkZ6TyA9PycrGUFSEa7puklFhlNZh6OH0L6ttRl1tXUkMNuQShWUqtGAYi5UB1NY+VV1SJ0xBxs3P4biwkubli9f/sfB83v66af7MID1+a3W3zqpb1asWPHS9u3b053NznvH3zVeqIDDhw9jF2U7NS1VoLv+logn4Js6NVdwl7Ekh1OyhuLo3l1YmRSFCaOHostsQY/JTMjvhtJf1ieAaLicl8SKXIqskaMREhqK4KBAbKXP9p0+jllD0xEs46myiAo1QcQKdrTVl8FltUNDgCtX8hAnxBGryAnoIPQ+U45eCq6XKk1GVeEhfAoKIPt5C4v/nTRIlhahoaEmkr5oaGjArFmzcP/995NPl1L5dwmcX1FZgdmzZjP5K9ATCyYTKosXL6EIA+cO7kJaRDichC1yhRwmajFdV7cwWh8NnE3eYW1F/qcfQps5hASRHq6aSszOTIPGT0bv63O3jN8tPhfCA/2QEc0Yw4bSpnZYiDkYFfpuGEaWEGalHTRBGbEBtW7d5zt37maPs6A/8cQT60aNGpVN1fuf7wwAqw6iNZ71fGtrm6AEWXkHEMXZCYRSkpJRR9z/ySefCOrPz9+PBQwhBDwnT56AmCbYYPVg767jSHGx/XgOCspOKAGll+4bSO528l64/aXoPH8FDaQAwynTOVFhxN1yEll2YdCM+lotDhR1GCCnzMbKzUIGTTaHMHlvPzLecI/UVfAR/YVSG3d399QSOM987bXX/lFXX4ex48YOI0Y6cuzYsWrxnVhhBo4mU6+g/AwEcv3Iz7QAgSVYlTB5PG78OOGxasIENZX3IkrdVCNljwZsJqmaQPJ2KE2OMBB26jwLSVgrUVYHHKhpMqArqAO12h6ExkdCExZMSfAJy9/N+nbCm2yMSE/B+5/tQVlFLVLDQqn0RQId+jBQAsRkHkhlKtIIbly4cD6X6Hk6a8sxBNiU1N0bN25cM3nyZPNtSWFGiyzajIKuX7+Oy5cvUzCsAvCxwLDnmBLLysoCW7puJWQ+nX8GsdpYOM7kY3FXLyYEqhFPAklJNCehG0dB4Xw8FBSFUALHOIkc2RIFFkv8MMfggraoFg2HL6Agvxj1eiM4EkIyotTr18sRHxeBxXNnUEXYcK6qAWZiLpHoxlQ4wjTW3wSyFhJRxZeLQeaHZ6s/ubm5KC4uPrp+/fqfUKLMTLB9ZwWwfiaudzO9wFxZRXk5GQ4HDCRfkxKThBZhbMHolAUnJiaWAEeFHXv3wlVQiEWVrUgnje6l5zVkX9XUSgq2LyRU7M3enD0mpewlSknWchKkWp24dLUZtfVt6B6WgpjkOJRX1eNw/iVSmOVIDAiClQDubE0DJhC9qqV9KtBLHqKGRJU6OhrpqamIi4vFeKpKp9OFa9euVZLeMX6rF6D+5R782c+mqQMDV10puea5eu1aTlhYqCs8LJxjE2VWmDEE0/CnT59mBknE3sPoLykxhgZ3GQYCseSWNqqaAFyXi6GyehFKuj6cso4b6vIb12koLjJ6XbpUjlCxBIWE+IXnSlDX1onoIal4dfvH0KplSCacYdhQ0iJGcXMLJiTGC/zfbHXAHa2lSokn0FWQT8kmHPOH0cg2TTj+awsi/fKXJC1PPTKSPPzv6bHJZGuNy5Yua963d+8bRHtnSAlKWKlTS/ho8jbmDPVkYf9340P/PnLk+LgeCooUlYgL7ELupmFIDF5I+t8IPfG0/oIO1aTpgxrM0Pa6EMzWAZk+xw3e+rKDBx5hv0OpvyfIlFC5eBTU61BnsaOHI7GlDBOssJeymhoeBIfOA6PVBgMBZeiocaRFtOhsa4WX2pcBt0NYn5AjLS01PDs7m7t06ZKPtTZ34MABzJ8/H4SQ82wO+/Ixo7N/ciY//7ORQ4e2VNfUbHd6PHcR0PG7dux46/z58wOu6cUXX5oglSqG7zv0H+/iRbMes3Q0pGgUOiyYH4uwmMC+QDP68pLs9jLEF6PXxKG92IDmj8oQcbIVaR4xJDJRH3cLN9+gAHCE5H3/83QuB9HaZa8d5zxO/FvkhDtQhRlD0uEnPM8x241GwgT/jCGISs0k+m6Eh9SmjNopKCgYk3JyCEh5GIy9TPm+S0GpWLp06UmOqEB04MD+NYsWLSaKqL9w+tSpZ+mxw4wzly5Z8npCkHqTi1FfXMK/3v373zdHRWgC8vJmvNKtb5oi8hqDtBEmJKaqkRglQkgEGXmTkT7YS0BE0/C4BlBZmBZRHtUkaAwo+bgWzjevYKzFBz/Wu24BvwZ0fh+V+WDhfQLFBVBLWOjeFQK2o8Qse2VejB2VTpXgRxqCMk/U2EL1F0qGzG63CpiUSv1vJUt8990LEUtWma0m7927DyWlJZg/b75nyJAhj3JU6uMJ5P5+5syZq2+++eZGQvgONoiXX3nlFyqP+y/ZEf5oam5Ckd6BsdPy9CdPnRVdvFQYGBZswsKcEPx0bRa4yHjiM0p4VyN8TiNN3iVkhchLuA3ubfaLpwl7KRAFn9VD99wFTLPz8GfBcd8cAPbbRpNupwkHURUEkm+op6AWU2Z3+6ywpCdgBAFjbUsH2glrIpMSEULZZujOUbZtFJi7Fy4U1i3YQXNEWVkZY4Mzv/jFL+7Ly8trFa1du5bftGnTMWqBP7a3tw/s5mjjtHlBSnlefKAEPcT5+aU1eGd/gbJBpJXbA9Ng8EtDeYcfmutaEKc0IyhYCs5B6s7jFEqWu5F4QepyN9+oRMB5HIgapUE9YUr56UYk+8QQCfjEDQJHtkHGgRQDdFQiMhYEwgSTr4/zrzlsCIsIQ6/FDD48WthzZBdmSAg4G4lxkpOTBepjFr2kpARnz55FanLS2Wefe34lmaJGCoxbXFtb27hv377GrwLxzOnTGrp0za7aljbJwWu1KOS1iJi5ABL/IFJYYtIAcmHVZee1Anzx6kH8eo0Bd00IBe8S44YuG+DlW2w1C1KNJyE1eWUiPqaiO/NZHXKVfoPAkBsoG6YVwilAreQ0I2hySvo/iqohgVRgZ3ePgCGJKUmkICNRVl6Gjo5OgR1YAFg1sEUaxlajRo5of+XlV5YePHSovV/c8ezXra7Gun/9+o+vlVY8vONiteOKLAvROWsgDwmHm2RsMJu8z0m9bIY8JhOtCWvx4k4FSq9bwSlFwqS/xDWhBvr+9t8XdD39JRRWyl0YuyYdBRFitNkdA3LWN/BzIwiE+KxDGgQbLYaUZHSyh0CtywgTKUkxJYWtUFVWVKDXaEQEOUMmxxkWlNNjTLQRY/3r6PHj7be1KJqTk6Mgj59Y0NTGe4PSkZCixfjseIQFy+F2MC9uhIN0rIMmIQvSoEk9Cy/+24TWDhc48vJcv9NjZc/uE5iRiKD/pYKr6XuOY8vMSB4eAPXcJFwg7LAJup676acPEXg46Tw6lxOdBIQeelU0oY3KaIHN5WZqj8xaPSy9vYIMl1HZs8UZRvElJddA5sf0+Y4df2WLNTcFgA3iVlZ408Ob1vXwtscsw0wSve4zNF29Sn2uQkJCCJmLXrhIvnq4vgpnVlUWmYACzxRs+1cTbGYPq6+BKgAFxMPLoTNYaYpewT8MVAO9VC7xIHu2FmVqHm0UUCs3OPd9f8X0WADpBjtNqJfO4SWjI6NKCLe7CeyswkJMIGGAmDCFrVaziTMD19LaKtwnJ/vGyZMnK7+2N8jU3MMPPzzryKFD76anpgWwB5nn37ljZ8DphotQZIdBlNSM6qKPcLWggoBKATHp8gHJwt1Adq8DqtgRONCUhf0niUjErK3YwqUUze1uHDlqxKm9wBcXTPSw+GYVSFlNS5fBlx2CahI2rhsUOHhDlP1mAMgmzbHtIvrLFlT93UxueBEYEsouucN4Qnwb2WRm1MRUce0tLbCYLdWfff75R1QlX1v95Vl0CCiC2trbf3r3miXvTZ45Zdhzv34mZfbCmY+0eLsQSDo/PD0SnqAqlF++iIKrjTRA0Y0trZt3bXkxD3vEVPzjjBjNDWRgCJHZZAoKjAjHSIxMnExB9KKpjdJOAqV/05PkIlQBEmjHhhOXO9HlcsA0SBkKnoQt0JDDs3Neln8qOzfhkAdKekZO1XDx9CmBdJmoY5unzPbqSZl2kYehsm/454cf3vLyGZ4tXf/hD3/4uEuv33vqav6i5LwhhT1Oy2/PnT2rEUl58A4vjGQ4eI0PVnMNPGRnvb6+Vde+m+/GHj6bhwd+wRpUetKw67ROeIFY7EaIigwQydmeXj2MXW4UFXcRk0j6Kkh4H0sooXpmOFlhGTqpp400SR/fV10M/Mqp7ytcJGlZzxGe+Pi+K9HsRI/tzJvQbcqUqWSRy9llc8hII2AtKBAqITw8XPxNF24KGMA0cUe77uVxaWNc+S3F4sPygsUfVRzkXC02NO0vh73bBt5fDKe7FxyBCMdzXyae475Ue8IuLrVD+EjsviyhcxrBK2SEwCRgdE3QG3oRGhKG0msOGhjlVNS3593b64S52w6NNgCWSAVaKdNdFBWS/4Q1fZOvpKqwM9SgxzmKCE8M4CY6bCFN0UUYFpOQiHZdOwGzAw888AD5k43QU/aZcTMajZ7BW3g3BYCt/zNk3Hdg/8Wx6aOOKuo4WMQeqOfFQTEhHJIwuWCDPRKKOmcTAE9AZu4rPrZ/7YCqQBEYjobeGJwtMbML+aBWS2EmVeaiQKuVcthNYjQ0mYU2YIFzugnddVao/ST0XgkxAQ8rnaeOqq2Y+rlaQH2fsILM8cQkfJ9o6qFxFpHsyFuyFNNyp+AktUGAOkDY02CrUlOnTkVNbQ1cHnfU+vXrU7/xAgmmA8gnu198+aV7J8ePOtV9sBZKsqLKqABwGSq4/XkCJSfhmo2i7+mb8QDRD7r1L6MRFjiUUbhQTqlycVAEyYmqzPBTqqGgtlJKg5CfbyBBSOlliyMEip1dNhiJJSRyDl4KioHarJxaoZF6y9O/fuBjO8UeiFilURscs/UicMJ4LF+2jEo+w23uNbl7zb2orKoSmG38+PEYP24Cmhoa00kU3UuKkP/WK0RKy0r1CXHxn64dtQBVH1yCqNuNALE/ITyEXVqvxAk2HCZJxcLVoPj6TegDwg51GOo6nejuJHsaQtQU5kK3QU/ITD6AMtrU1IXqmk6BEaR0bqPZisvlbbC76b0in6AFPGx3irLO8+yqEKlwY7tL7DhlN6I5PQVL1t6LYKI9hUKxKyQ0dFdTUzNI0jPlZ9+/f38+JfekTqcrddjtm0eMHJH4nZfI/O6137+VFJfywtTIsWjYX4nuK+1CIMSevjVnqkABkb0+382ZH3TfQ+jFS/zRYVahq8dB3AxMypWjpvsKThVWwGDrQGqmHFW1nWhttAqTZnsOLrZhZSAn6cLA5TGDwAbs6w1sufuQTY9rQ1KwjPo8NiKSrULZL14s+IfH432vuLjYfppMj16vb33sscfuWr58WS75gNkGo/E6OcDfPPLIIwvZ2iDTCMJ3lb4aALbx8dSWp55fMfueF+anTIbhSgtsTSa4qk3w9LBscMJ6G/gbnTCYCW/ofjZ4likzubxemxsOow3BKh6rl0chNl2PhCwRAlVkY10+FJW04nJJM1xMUDlpkka7sCzmvcEuwt4Bu1yOzttLlfOp04CmaTlYtWkzMgnps7OzbTt2fH7f1q0v7Dl06NDesePGXTl08CCrCGlcXFwk2z4rKipq+vTTT+dPmzYtbsmSe96+fv362czMzDB2HcMtL5Njmx1Xrlw5uXj23b4Qr3/utWvFZC/9IHYmweciEeS2UeWKqNclfbZXcHFfmljmBl2mbigsVZiSTtqdaFRCFjhcqyKg42B1mCmITiFQLsIUtlbHk4JrqzCDO9WOEMEr9JUU43Z2XUCly4rj5EECFy/AigfWC2t9NLmdZOZeIDf7bzZRxmjpaWkN8dr4e+vr69Xr7lunpLntY2Ni30EiN/g38gZlpBS1n3zyyZ6MjAz7N14nyBRiYVHhqfvX3aeMD4zKKTlfAd4vkQaqhN3SC6fZCLe1lyjZKzgvEVNmrPdZqVL2LT3tiPbWYlSsmVrCJXB9t96K5hYzHE73DUtEOML3fUPMbifZuqce2ma7sHfIyl1M5dVD9vqkz46akZkY9+DPMHfxEjJQ8lPvv//+r7bS8de//vU6m3z/To/T6TQQ4sedP39+aHJKsob4/xS1hWCAurq62JpA1bvvvvsZBcQ+ffr0b18VZhufpWVl/37m6Wd+rgnUBB44dxV1plqIFVECfLDr+m1GPVWCFHJVMPUVOXeFP6G6HBJzO9KCzMIke4wudHTp4aE694o5gaYGupsYg5P5oeVoC4KvGaASvkcIYUm7lvOgSqtBQN40rF+8GJFR0V1RkZFnN27c+POPPvqo41Zjpn7vfvqZp+/fvHkzTxlfMWzYsHuUSmXx4CtK7uhK0fLy8taoqKjilatWzclIilEq7Dq019fDYDRTNRAyE5h4WRlTNdjM3XBYjDD3dCHYWYZ5Q3sgk7nIMTJU5wXhw/PcoGv96X6vD+1HdZAdaUaU1SssdlRxLlyPJQ+yZB6m/PKXWLZ6tYcMzx9379797IYNG3534cIFy7dd1NHR0eGpqqraPSQzMy02Lu6Xc+bMcVEwznw1CGyvgK0JYubMmd/55QTS2Bkr6Rg6JGtdY2OTdveBI7hwvR7dojDwAWGkaRSQiBQCBXqMjZibVIW8EYQnVMI+35cLHKxPGW7IZBK49W40fNQEnG+Gk9itVUZ0GB2OpAXzMGrWbMQmJHS0NDUdeXf79j/QBArZNch3chDaK99+++1/kB5QkB2e/9X3s93h2w6A4Gop4xMmTNQsXrz4aQrEQmKMuNPni1HZoIPObCEDowZns2NIuA4rpkugZrqD8bhY1H8dnXCJq8vuQWuLG1dPNUBSaYU8PBRcWjyyps/AuNzpKC29vtPn9ekPHzz41o4dO4pJxv7XX3AOCAjgSQuISRI7v1o1dxyAwcfjjz8+6je/efGfVRXl4Y2N9cGNrc1oaNahqbKcJtgNdYAXUr6v3+3ULh5SdQz13W4XJGoNVIEJNLhQxCfEQJue0aONiTXv3rPraZW/yvDSSy/tq66u9uAHPoTrA5gRutPJs+PVV18tOnz48CRCYOkTT1A0ho+ePXGcPJ2ZDn13D6G6gyjOJWyoGul/htRsbzEoKAhx8QnQdepOKeQyu5+/f8vW559/rlOnc14rKenAj3iwDROO7eO/9957uNOv0bNyYqDCMswWHhctWpRCfbaIJu6x223C83205Br4djhrIalMxvv7+VnpM7cTVzv7L6xkSVAolQI+/FjHlClT8H8FGADjk8Qr5h5T8wAAAABJRU5ErkJggg==" type="image/x-icon">
<link href="../static/css/index.css?ver=2" rel="stylesheet" type="text/css">
</head>
<body>
<div class="postform">
<p> SQL查询注入 </p>
<form id="user" action="http://127.0.0.1:8080/problems/SQLInjection" method="post">
名字:<input name="name" type="text"> <br>
密码:<input name="password" type="text"> <br>
<input type="submit" value="提交">
</form>
<br><br><br><br>
<p> SQL查询注入防范 </p>
<form id="user" action="http://127.0.0.1:8080/problems/SafeSQLInjection" method="post">
名字:<input name="name" type="text"> <br>
密码:<input name="password" type="text"> <br>
<input type="submit" value="提交">
</form>
</div>
<script src="/static/js/reload.min.js"></script>
</body>
</html>对了,我在index.css作了一点小修改(只是为了出来的表格布局好看点):
.description,
.postform {
text-align: center;
font-size: 16px;
margin-top: 100px; // 加了这一条
}controllers部分
在controllers 文件夹里新建一个go文件,命名为SQLController.go ,添加如下代码(把main.go里的数据库注册部分挪到这了,然后分别定义了两个控制器并重写了其Get和Post函数):
package controllers
import (
_ "github.com/go-sql-driver/mysql"
"fmt"
"github.com/astaxie/beego"
"github.com/astaxie/beego/orm"
"log"
"io/ioutil"
"errors"
"encoding/pem"
"crypto/x509"
"crypto/rsa"
"crypto/rand"
"encoding/base64"
)
// 对应数据库的表
type Students struct {
Id int `form:"id"`
Name string `form:"name"`
Password string `form:"password"`
Sex string `form:"sex"`
Age int `form:"age"`
Tel string `form:"tel"`
}
// 注册数据库
func RegisterDB() {
// 读取数据库配置
dbhost := beego.AppConfig.String("dbhost")
dbport := beego.AppConfig.String("dbport")
dbuser := beego.AppConfig.String("dbuser")
dbpassword := beego.AppConfig.String("dbpassword")
db := beego.AppConfig.String("db")
// 注册mysql Driver
orm.RegisterDriver("mysql", orm.DRMySQL)
// 如果使用orm.QuerySeter 进行高级查询的话,必须注册模型
orm.RegisterModel(new(Students))
// 构造conn连接
conn := dbuser + ":" + dbpassword + "@tcp(" + dbhost + ":" + dbport + ")/" + db + "?charset=utf8"
// 注册数据库连接
err := orm.RegisterDataBase("default", "mysql", conn)
if err != nil {
fmt.Println(err.Error())
} else {
fmt.Printf("数据库连接成功!%s\n", conn)
}
}
// 引入数据模型
func init() {
// 注册数据库
RegisterDB()
}
// Cool Jason
// 87654321
// 注入:
// aaa
// xxx' or '1'='1
// SQL注入问题
type SQLController struct {
beego.Controller
}
func (c *SQLController) Get() {
c.TplName = "SQLController.tpl"
}
// 获取传过来的SQL参数
func (c *SQLController) Post() {
orm.Debug = true;
o := orm.NewOrm()
o.Using("default") // 默认使用 default,你可以指定为其他数据库
// 新建一个user
u := &Students{}
// 将c,即SQLController,里存储的数据转化到user格式的u变量,注意必须传入地址
if err := c.ParseForm(u); err != nil {
log.Fatal("ParseForm err ", err)
}
// SliceArg := []string{u.Name, u.Password}
/** 【错误】直接拼接SQL语句 **/
sqlStr := "SELECT id, name, password, sex, age, tel FROM students WHERE name = '" + u.Name + "' AND password = '" + u.Password + "'"
var students [] Students
num, err := o.Raw(sqlStr).QueryRows(&students)
if err == nil {
fmt.Println("user nums: ", num)
fmt.Println(students)
/*var j int64
for j = 0; j < num; j++ {
fmt.Printf("第%d个:\n", j+1)
fmt.Printf("ID:%d\n", students[j].Id)
fmt.Printf("名字:%s\n", students[j].Name)
fmt.Printf("密码:%s\n", students[j].Password)
fmt.Printf("性别:%s\n", students[j].Sex)
fmt.Printf("年龄:%d\n", students[j].Age)
fmt.Printf("电话:%s\n\n", students[j].Tel)
}*/
}
c.TplName = "SQLController.tpl"
}
// SQL注入防范
type SafeSQLController struct {
beego.Controller
}
func (c *SafeSQLController) Get() {
c.TplName = "SQLController.tpl"
}
func (c *SafeSQLController) Post() {
orm.Debug = true;
o := orm.NewOrm()
o.Using("default") // 默认使用 default,你可以指定为其他数据库
// 新建一个user
u := &Students{}
// 将c,即SQLController,里存储的数据转化到user格式的u变量,注意必须传入地址
if err := c.ParseForm(u); err != nil {
log.Fatal("ParseForm err ", err)
}
// SliceArg := []string{u.Name, u.Password}
/** 使用预编译参数化查询 **/
sqlStr := "SELECT id, name, password, sex, age, tel FROM students WHERE name = ? AND password = ?"
var students [] Students
// 对SQL语句传入参数
num, err := o.Raw(sqlStr, u.Name, u.Password).QueryRows(&students)
if err == nil {
fmt.Println("user nums: ", num)
fmt.Println(students)
/*var j int64
for j = 0; j < num; j++ {
fmt.Printf("第%d个:\n", j+1)
fmt.Printf("ID:%d\n", students[j].Id)
fmt.Printf("名字:%s\n", students[j].Name)
fmt.Printf("密码:%s\n", students[j].Password)
fmt.Printf("性别:%s\n", students[j].Sex)
fmt.Printf("年龄:%d\n", students[j].Age)
fmt.Printf("电话:%s\n\n", students[j].Tel)
}*/
}
c.TplName = "SQLController.tpl"
}
MYSQL部分
由于我在Students结构体中新增了Password的字段,因此数据库部分也应该相应地添加上:
routers部分
对 routers/router.go 文件添加如下代码(即为上述两个控制器注册路由):
// SQL注入问题
beego.Router("/problems/SQLInjection", &controllers.SQLController{})
beego.Router("/problems/SafeSQLInjection", &controllers.SafeSQLController{})这样,无论url是访问/problems/SQLInjection 还是/problems/SafeSQLInjection,两种Get请求都能正确渲染SQLController.tpl这个页面,然后当从表单发送Post请求时,一个表单会发送至SQLController的Post函数响应并处理,而另一个表单会发送至SafeSQLController的Post函数响应并处理。
上下两个表单的安排实现了SQL注入与SQL注入防范的对照实验作用。
进行实验
现在main.go长这样,运行:
在浏览器输入http://127.0.0.1:8080/problems/SQLInjection :
对了现在的数据库存储的数据如下:
正常情况
在“SQL查询注入”的表单里填如下信息并提交:
后台显示如下:
SQL注入
在“SQL查询注入”的表单里填如下信息并提交:
后台显示如下:
可以看到,这样输入名字和密码能把数据库里全部用户的全部数据查出
SQL注入防范
在“SQL查询注入防范”的表单里填如下信息并提交:
后台显示如下:
在这个表单中,上述的注入不成功,查出的数据为空。
原因分析
表单的本意设计是输入用户和密码,能在对应数据库中查找到对应的数据信息。然而在SQLController的Post函数中,错误地直接拿用户的输入来拼接SQL语句,给攻击者提供SQL注入途径。
/** 【错误】直接拼接SQL语句 **/
sqlStr := "SELECT id, name, password, sex, age, tel FROM students WHERE name = '" + u.Name + "' AND password = '" + u.Password + "'"在这里,用户的输入对开发者来说就是危险的,不可信的。当攻击者输入”aaa“, “xxx' or '1'='1“,SQL注入便发生了。注入后的SQL语句为:
SELECT id, name, password, sex, age, tel FROM students WHERE name = 'aaa' AND password = 'xxx' or '1'='1'由于 '1'='1'为TRUE,因此name = 'aaa' AND password = 'xxx' or '1'='1'恒为TRUE,在SQL语法中,where后面的条件语句若为TRUE则表示该数据符合该查询,因此恒为TRUE则代表所有行记录都符合该查询,该注入也就把数据库的数据全泄露了。
而这里防范的做法,预编译参数化查询:
/** 使用预编译参数化查询 **/
sqlStr := "SELECT id, name, password, sex, age, tel FROM students WHERE name = ? AND password = ?"
var students [] Students
// 对SQL语句传入参数
num, err := o.Raw(sqlStr, u.Name, u.Password).QueryRows(&students)使用参数化查询,通过占位符(上面代码的问号)表示需在运行时确定的参数值,这使得SQL查询的语义逻辑被预先定义,而实际的查询参数值则等到程序运行时再确定(在o.Raw函数中再传入参数)。参数化查询使得数据库能够区分SQL语句中语义逻辑和数据参数,以确保用户输入无法改变预期的SQL查询语义逻辑。
敏感信息加解密
- 介绍
敏感数据传输过程中要防止窃取和恶意篡改。使用安全的加密算法加密传输对象可以保护数据,防止对象被非法篡改,保持其完整性。 - 场景
在以下场景中,需要对对象密封和数字签名来保证数据安全:
1) 序列化或者传输敏感数据
2) 没有使用类似SSL传输通道
3) 敏感数据需要长久保存,比如在硬盘驱动器上
下载OpenSSL并生成秘钥公钥
下载地址:传送门
下载后直接安装即可。
在
static目录下新建一个key文件夹:
生成秘钥和公钥文件:
修改代码
views部分
在views/SQLController.tpl 的标签内添加如下代码(即在第二个表单后再添加一个表单,负责向数据库添加数据):
<br><br><br><br>
<p> SQL添加加密信息 </p>
<form id="user" action="http://127.0.0.1:8080/problems/EncryptionDecrypt" method="post">
ID: <input name="id" type="text"> <br>
名字:<input name="name" type="text"> <br>
密码:<input name="password" type="text"> <br>
性别:<input name="sex" type="text"> <br>
年龄:<input name="age" type="text"> <br>
电话:<input name="tel" type="text"> <br>
<input type="submit" value="提交">
</form>controllers部分
在controllers/SQLController.go 中添加如下代码(声明一个控制器并重写Get和Post函数):
// SQL添加加密信息
type EncryptionDecryptController struct {
beego.Controller
}
func (c *EncryptionDecryptController) Get() {
c.TplName = "SQLController.tpl"
}
// 加密
func RsaEncrypt(origData []byte) ([]byte, error) {
// 读取公钥文件
publicKey, err := ioutil.ReadFile("static\\key\\public.pem")
if err != nil {
return nil, errors.New("Read public key content error.")
}
// 解码
block, _ := pem.Decode(publicKey)
if block == nil {
return nil, errors.New("public key error")
}
pubInterface, err := x509.ParsePKIXPublicKey(block.Bytes)
if err != nil {
return nil, err
}
pub := pubInterface.(*rsa.PublicKey)
res, err := rsa.EncryptPKCS1v15(rand.Reader, pub, origData)
if err != nil {
return nil, err
}
return res, err
}
// 解密
func RsaDecrypt(ciphertext []byte) ([]byte, error) {
// 读取私钥文件
privateKey, err := ioutil.ReadFile("static\\key\\private.pem")
if err != nil {
return nil, errors.New("Read private key content error.")
}
// 解码
block, _ := pem.Decode(privateKey)
if block == nil {
return nil, errors.New("private key error!")
}
priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
if err != nil {
return nil, err
}
return rsa.DecryptPKCS1v15(rand.Reader, priv, ciphertext)
}
func (c *EncryptionDecryptController) Post() {
orm.Debug = true;
o := orm.NewOrm()
o.Using("default") // 默认使用 default,你可以指定为其他数据库
// 新建一个user
u := Students{}
// 将c,即MainController,里存储的数据转化到user格式的u变量,注意必须传入地址
if err := c.ParseForm(&u); err != nil {
log.Fatal("ParseForm err ", err)
}
// 一、MD5加密
w := md5.New()
// 将str写入到w中
io.WriteString(w, u.Password)
// w.Sum(nil)将w的hash转成[]byte格式
md5res := fmt.Sprintf("%x", w.Sum(nil))
fmt.Println(md5res)
// 二、RSA加密
signature, err := RsaEncrypt([]byte(u.Password))
if err != nil {
fmt.Println("sign sensitive data error.", err)
return
}
// 进行base64编码
encodeString := base64.StdEncoding.EncodeToString(signature)
fmt.Println(encodeString)
// 保存到u中,再把u保存到数据库中
u.Password = encodeString
_, error := o.Insert(&u)
if error == nil {
fmt.Println("Successful")
} else {
fmt.Println("Fail")
}
/**
以下代码为查看数据库密码的操作,先进行base64解码,再进行RSA解密。
*/
// 进行base64解码
decodeBytes, err := base64.StdEncoding.DecodeString(encodeString)
if err != nil {
log.Fatalln(err)
}
// RSA解密看看密码是否相等
origData, err := RsaDecrypt(decodeBytes)
if err != nil {
panic(err)
}
// 输出原密码
fmt.Println(string(origData))
c.TplName = "SQLController.tpl"
}routers部分
在routers/router.go 中添加如下代码(为加解密的路由器添加路由):
// SQL添加加密信息
beego.Router("/problems/EncryptionDecrypt", &controllers.EncryptionDecryptController{})运行
在“SQL添加加密信息”的表单里填如下信息并提交
后台显示如下:
可以看到:
1) 第一个红框为密码进行MD5加密后的密文
2) 第二个红框为用之前生成的公钥对密码进行RSA加密后生成的密文
3) 第三个红框为用之前生成的私钥对RSA密文进行解密后生成的原密码
数据库显示如下:
提交用户数据并保存数据库成功,比如后续若有验证用户身份的系统只需要将用户提交的密码用公钥进行RSA加密然后再进行base64编码与数据库里保存的密码密文进行比对即可。