标题: MySQL for Java的SQL注入测试 [打印本页] 作者: 测试积点老人 时间: 2018-12-21 15:27 标题: MySQL for Java的SQL注入测试 只要你学JDBC,基本上所有的人都会和你说,Statement不能防止SQL注入, PreparedStatement能够防止SQL注入. 基本上参加工作了一段时间之后还是这么认为的, 没错, 这句是没有问题的, 但到底如何进行SQL注入?怎么直观的去了解SQL注入?这还是需要花一定的时间去实验的. 前提:以下的测试都是在一种理想环境下 首先准备好数据库环境, 以下是数据库的schema:
Sql代码
create database java_mysql;
use java_mysql;
drop table if exists pstest;
create table pstest(
id int(10) not null primary key auto_increment,
name varchar(32),
age int(3)
);
insert into pstest (name, age) values ('Tom', 23);
insert into pstest (name, age) values ('Tom1', 23);
insert into pstest (name, age) values ('Tom2', 23);
insert into pstest (name, age) values ('Tom3', 23);
insert into pstest (name, age) values ('Tom4', 23);
insert into pstest (name, age) values ('Tom5', 23);
以上就是建立了pstest表, 并插入了一些测试数据.
1. 测试Statement
Java代码
public class StatementTest {
public static void main(String[] args) throws SQLException {
Connection con = null;
Statement stmt = null;
// name很强大, 传入了这么多东西
String name = "Tom';delete from pstest;select * from pstest where name='Tom";
String sql = createSql(name); // SQL
System.out.println(sql);
try {
con = DBConn.getConnection();
stmt = con.createStatement();
其实上面的意图很简单:
Tom';delete from pstest;select * from pstest where name='Tom
就是想先执行一条SQL查询语句,然后把表的数据删除。
这只是理想环境. 实际上要想传入这么复杂的数据, 真的很难想象
这里将URL单独拎出来是有作用的, 继续看下面
Run一下StatementTest. 会发现报异常了:
Java代码
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'delete from pstest;select * from pstest where name='Tom'' at line 1
select id, name, age from pstest where name ='Tom';delete from pstest;select * from pstest where name='Tom';
这时候可以看到MySQL客户端
Sql代码
mysql> select id, name, age from pstest where name ='Tom';delete from pstest;select * from pstest where name='Tom';
+----+------+------+
| id | name | age |
+----+------+------+
| 1 | Tom | 23 |
+----+------+------+
1 row in set (0.00 sec) -- 执行第一条查询SQL
120719 15:54:25 23 Connect root@localhost on java_mysql
23 Query /* mysql-connector-java-5.1.20-SNAPSHOT ( Revision: ${bzr.revision-id} ) ...
23 Query SHOW WARNINGS
23 Query /* mysql-connector-java-5.1.20-SNAPSHOT ( Revision: ${bzr.revision-id} ) */SELECT @@session.auto_increment_increment
23 Query SHOW COLLATION
23 Query SET character_set_results = NULL
23 Query SET autocommit=1
23 Query select id, name, age from pstest where name = 'Tom';delete from pstest;select * from pstest where name='Tom'
23 Quit
重点是最后一条SQL.
因为数据库中的数据都还在,我们就直接执行这条SQL
Sql代码
select id, name, age from pstest where name = 'Tom';delete from pstest;select * from pstest where name='Tom'
查看MySQL的客户端
Sql代码
mysql> select id, name, age from pstest where name = 'Tom';delete from pstest;select * from pstest where name='Tom';
Empty set (0.00 sec) -- 就执行了这一条查询的SQL语句
可以看到什么的字符串已经被转义了.
让我们来看一下转义字符:
Sql代码
public class ResultSetRegressionTest extends BaseTestCase {
public void testBug33678() throws Exception {
if (!versionMeetsMinimum(4, 1)) {
return;
}
createTable("testBug33678", "(field1 INT)");
// allowMultiQueries=true设置
Connection multiConn = getConnectionWithProps("allowMultiQueries=true");
Statement multiStmt = multiConn.createStatement();
try {
multiStmt.setFetchSize(Integer.MIN_VALUE);
// 一次性执行多条SQL语句
multiStmt
.execute("SELECT 1 UNION SELECT 2; INSERT INTO testBug33678 VALUES (1); UPDATE testBug33678 set field1=2; INSERT INTO testBug33678 VALUES(3); UPDATE testBug33678 set field1=2 WHERE field1=3; UPDATE testBug33678 set field1=2; SELECT 1");