Shandong University Software College Project Training-Innovative Training-Shandong University Software Institute Network Attack and Defense Shooting Range Experimental Platform (7)


Foreword:

The numeric SQL injection vulnerability was completed in the previous part. SQL injection actually has many other types, such as character injection and wide-byte injection, and each has its own bypass techniques. The task this time is to write a character SQL injection vulnerability.

1. Introduction

The principle of character SQL injection is similar to that of numeric SQL injection. The difference is that in numeric injection the user submits a numeric value from the front end and the server splices it directly into a predetermined SQL statement, which is what makes injection possible. For character injection you also have to consider how the backend splices the user input: is it wrapped in single quotes, double quotes, parentheses? If so, the closure of those quotation marks or parentheses has to be taken into account.

Since the basic content such as the vulnerability principle and exploitation method is similar to numeric SQL injection, and was already covered in the previous article, it is not repeated here.


2. Project configuration

pom.xml import related dependencies

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.4</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>sqli</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>sqli</name>
    <description>sqli</description>
    <properties>
        <java.version>1.8</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>

    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

application.properties also needs to be configured: the database connection and the template path.

spring.datasource.url = jdbc:mysql://127.0.0.1:3306/pikachu?useUnicode=true&characterEncoding=utf-8&serverTimezone=GMT%2B8
spring.datasource.username = root
spring.datasource.password = root
spring.datasource.driverClassName = com.mysql.jdbc.Driver

spring.thymeleaf.prefix = classpath:/templates/


3. Code writing

First create a Spring Boot project; the creation process and related settings are the same as for the numeric one.

Implement the controller layer, indexController, which maps front-end requests to the specified HTML pages.

indexController.java

package com.example.sqli.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class indexController {

    @RequestMapping(value = {"/", "/index.html"})
    public String index() {
        return "index";
    }

    @RequestMapping(value = {"sqli_char"})
    public String sqli_char_index() {
        return "sqli_char";
    }
}

Then implement the back-end core code of character SQL injection to build the vulnerable environment.

sqli_char.java

package com.example.sqli.controller;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
@RequestMapping("/sqli")   // the front-end form submits to /sqli/char
public class sqli_char {

    @Autowired
    private DataSource dataSource;

    // Character SQL injection vulnerability (test payload: ' or 1=1 #)
    @RequestMapping("char")
    public String sqli_char(@RequestParam(value = "id", required = false) String id, Model model) throws SQLException {
        Connection connection = dataSource.getConnection();
        Statement stmt = connection.createStatement();
        // user input is spliced directly between single quotes: deliberately vulnerable
        String sql = "select * from users where id = '" + id + "'";
        System.out.println(sql);
        ResultSet rs = stmt.executeQuery(sql);
        // the result set also exposes the table structure: column names, column count, column types
        while (rs.next()) {
            Object value = rs.getObject("username"); // fetch the value of the username column
            System.out.println(value);
            model.addAttribute("id", value);
        }
        rs.close();
        stmt.close();
        connection.close();
        System.out.println("model:" + model);
        return "sqli_char";
    }
}
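For comparison, here is a hardened counterpart to the handler above, covering the point made in the introduction about quote closure: when the id is bound as a parameter instead of being spliced between single quotes, a closing quote in the input can no longer end the string literal. This is an added example, not code from the original project; the class name sqliCharFixed, the route char_fixed, and the DataSource field are assumptions.

```java
package com.example.sqli.controller;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

// Hypothetical hardened version of sqli_char: same model attribute and view,
// but the id value is bound as a parameter rather than spliced into the SQL text.
@Controller
@RequestMapping("/sqli")
public class sqliCharFixed {

    @Autowired
    private DataSource dataSource;   // assumed to be the same DataSource bean as in sqli_char

    @RequestMapping("char_fixed")
    public String sqliCharFixed(@RequestParam(value = "id", required = false) String id,
                                Model model) throws SQLException {
        // The query text is a constant; the '?' placeholder is the only place user data goes,
        // so the statement structure is fixed before the value is ever seen.
        String sql = "select * from users where id = ?";
        // try-with-resources closes connection, statement and result set even on exceptions
        try (Connection connection = dataSource.getConnection();
             PreparedStatement ps = connection.prepareStatement(sql)) {
            // The driver transmits the value as data: an input such as ' or 1=1 #
            // is compared against the id column as one string, never parsed as SQL.
            ps.setString(1, id == null ? "" : id);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    model.addAttribute("id", rs.getObject("username"));
                }
            }
        }
        return "sqli_char";
    }
}
```

Pointing the sqli_char.html form at /sqli/char_fixed and submitting the same payload returns no extra rows, which is the quickest check that the splicing was the only problem.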

Then write simple front-end test code

index.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>SQL注入</title>
</head>
<body>
<input type="button" value="字符型有回显注入"
       onclick="window.location.href='http://localhost:8080/sqli_char'" />
    
</body>
</html>

Character SQL injection front-end test code

sqli_char.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>字符型SQL注入</title>
</head>
<body>

<form action="http://localhost:8080/sqli/char" method="get">
    请输入学号ID: <input type="text" name="id" />
    <input type="submit" value="查找" />
</form>

</body>
</html>

4. Run the test

Character SQL injection front-end test interface


payload:' or 1=1 #

echo the result:


All usernames are echoed back.

The remaining test payloads follow the same idea as the numeric case, so they are not tested here; after all, this is not a writeup.




Origin blog.csdn.net/m0_47470899/article/details/123561251