2020-02-08Jsp挖掘(2)-sql注入及防护

作者: thelostworldSec | 来源:发表于2020-02-08 11:24 被阅读0次

sql注入及防护

一、常见获取变量

request.getParameter()

request.getCookies()

防护1:

如何防止sql注入数字型： Integer.parseInt(s) 字符型： String.replace("'","''"); //oracle、 mssql String.replace("'","\\'");//mysql

防护2:正则表达式过滤

防护3:使用参数化查询执行sql语句（预编译的方式）

使用参数化查询执行sql语句（预编译的方式） String selectStatement = "SELECT * FROM User WHERE userId = ? "; PreparedStatement prepStmt = con.prepareStatement(selectStatement); prepStmt.setString(1, userId); ResultSet rs = prepStmt.executeQuery();

二、实战演练

测试路径http://127.0.0.1:8080/wavsep/index-sql.jsp

1、返回值500报错的注入漏洞：

(1)、登陆字符绕过（Case1-InjectionInLogin-String-LoginBypass-WithErrors.jsp）

Injection into string values in the scope of a query within a login page with erroneous responses. Barriers: None SQL Statement Context: SELECT (WHERE Clause) Sample Exploit Structures: 'or'[value]'='[value] 'or [value]=[value][comment][space] Examples of Login Bypass Exploits: Exploit (both input fields): 'or'7'='7 Independent Exploit 1: ' or 7=7--%20 Independent Exploit 2: ' or 7=7#%20 Independent Exploit 3: ' or 7=7/*%20

进入测试一：

访问显示 login failed登陆失败，用户名密码不正确，发现登陆是通过get在url里面提交参数 username&password

测试利用exp both来尝试：

?username='or'7'='7&password='or'7'='7

绕过登陆获取user1的回显。

进行分析源码的漏洞存在原因：

数据库登陆查询的语句：存在字符串拼接

String username = request.getParameter("username"); String password = request.getParameter("password"); ... String SqlString = "SELECT username, password " + "FROM users " + "WHERE username='" + username + "'" + " AND password='" + password + "'"; ...

用户登陆插入：?username='or'7'='7&password='or'7'='7 SQL语句发生变化如下：

原SQL查询语句 String SqlString = "SELECT username, password " + "FROM users " + "WHERE username='" + username + "'" + " AND password='" + password + "'"; ----------------------------------------------------------- 插入?username='or'7'='7&password='or'7'='7 String SqlString = "SELECT username, password " + "FROM users " + "WHERE username='" + 'or'7'='7 + "'" + " AND password='" + 'or'7'='7 + "'"; 转换一下实际的数据库的查询的SQL语句： select username,password from users where username='' or 7'='7'And password='' or 7'='7';

通过username='' or 7'='7'And password='' or 7'='7' ，表述传参数查询额度数据是空或者是为真数据库返回回来的值是true，查询成功，最后用户登陆成功。

exp1是第一个两个条件username password需要两个参数都需要为真（true）。

Independent Exploit 1: ' or 7=7--%20 Independent Exploit 2: ' or 7=7#%20 Independent Exploit 3: ' or 7=7/*%20

上面的三个是通过--%20、#%20、/*%20三个将数据后面的参数注释了，后面的参数将不参与数据的参数查询。

怎么进行防护

如何防止sql注入数字型： Integer.parseInt(s) 字符型： String.replace("'","''"); //oracle、 mssql String.replace("'","\\'");//mysql

本次测试使用的是mysql数据看

防护的代码：replace("'","\\'")

Connection conn = null; try { String username = request.getParameter("username").replace("'","\\'"); #使用replace函数过滤单引号 String password = request.getParameter("password").replace("'","\\'"); #使用replace函数过滤单引号 conn = ConnectionPoolManager.getConnection(); System.out.print("Connection Opened Successfully\n"); String SqlString = "SELECT username, password " + "FROM users " + "WHERE username='" + username + "'" + " AND password='" + password + "'"; Statement stmt = conn.createStatement(); ResultSet rs = stmt.executeQuery(SqlString); if(rs.next()) { out.println("hello " + rs.getString(1)); } else { out.println("login failed"); }

再次提交参数：不能绕过登陆

还有另外一种方式可以通过预编译方式：

使用参数化查询执行sql语句（预编译的方式）

预编译方式： "select * from users where username=? and password=?" 使用参数化查询执行sql语句（预编译的方式） String selectStatement = "SELECT * FROM User WHERE userId = ? "; PreparedStatement prepStmt = con.prepareStatement(selectStatement); prepStmt.setString(1, userId); ResultSet rs = prepStmt.executeQuery();

实际代码修改：

原始代码： Connection conn = null; try { String username = request.getParameter("username"); String password = request.getParameter("password"); conn = ConnectionPoolManager.getConnection(); System.out.print("Connection Opened Successfully\n"); String SqlString = "SELECT username, password " + "FROM users " + "WHERE username='" + username + "'" + " AND password='" + password + "'"; Statement stmt = conn.createStatement(); ResultSet rs = stmt.executeQuery(SqlString); if(rs.next()) { out.println("hello " + rs.getString(1)); } else { out.println("login failed"); } 修改的代码： ------------------------------------------------------------------------------ Connection conn = null; try { String username = request.getParameter("username"); String password = request.getParameter("password"); conn = ConnectionPoolManager.getConnection(); System.out.print("Connection Opened Successfully\n"); String SqlString = "SELECT username, password " + "FROM users " + "WHERE username=?" + #修改将username改为？采用预编译的方式 " AND password=?"; #修改将password改为？采用预编译的方式 PreparedStatement prepStmt = conn.prepareStatement(SqlString); #修改的连接方式查询 prepStmt.setString(1, username); #添加对应参数的查询 prepStmt.setString(2, password); ResultSet rs = prepStmt.executeQuery(); if(rs.next()) { out.println("hello " + rs.getString(1)); } else { out.println("login failed"); }

修改后的访问结果：可以防止SQl注入

(2)、Union查询注入（Case2-InjectionInSearch-String-UnionExploit-WithErrors.jsp）

Injection into string values in the scope of a query within a search page with erroneous responses. Barriers: None SQL Statement Context: SELECT (WHERE Clause) Sample Exploit Structures: ' UNION SELECT [int], [string], [string] FROM [table] [comment mark][space] Examples of Union Exploits: Exploit: 'or'7'='7 MSSQL Exploit: ' UNION SELECT id, name, 'jfks' FROM sysobjects--%20 MySQL Exploit: ' UNION SELECT 1, table_name, 'jfks' FROM information_schema.tables--%20 MySQL Exploit (No Comments): ' UNION SELECT 1, table_name, 'jfks' FROM information_schema.tables WHERE table_name like'%25

通过union联合查询返回获取数据库的表名：' UNION SELECT 1, table_name, 'jfks' FROM information_schema.tables--%20

查看对应的代码：

主要是代码模糊查询。还有就是SQL语句拼接查询，没有进行参数预编译和参数替换。

String msg = request.getParameter("msg"); //获取参数-前台参数传递获取 conn = ConnectionPoolManager.getConnection(); System.out.print("Connection Opened Successfully\n"); //SQL查询语句 String SqlString = "SELECT msgid, title, message " + "FROM messages " + "WHERE message like'" + msg + "%'"; //sql语句模糊查询 Statement stmt = conn.createStatement(); ResultSet rs = stmt.executeQuery(SqlString);

(2)、order查询（Case5-InjectionInSearchOrderBy-String-BinaryDeliberateRuntimeError-With200Errors.jsp）

存在问题代码：

特殊的情况的是sql防止注入：（下面的情况不是数字型也不是字符型）

String order = request.getParameter("orderby"); ... String SqlString = "SELECT msgid, title, message " + "FROM messages " + "ORDER BY " + order; Statement stmt = conn.createStatement(); ResultSet rs = stmt.executeQuery(SqlString); 问题分析：还是存在字符串拼接的问题下面的order通过表里面的字段，这个字段应该有自己相应的长度，所以限制order传入字段的长度通过限制sql查询的传入参数的长度，来限制sql注入。 ------------------------------------------------------------------------------ String order = request.getParameter("orderby"); if (order.length() > 10){ //添加的长度的判断，限制查询的传入长度 return; } ... String SqlString = "SELECT msgid, title, message " + "FROM messages " + "ORDER BY " + order; Statement stmt = conn.createStatement(); ResultSet rs = stmt.executeQuery(SqlString); 尝试预编译方式： String order = request.getParameter("orderby"); ... String SqlString = "SELECT msgid, title, message " + "FROM messages " + "ORDER BY ?";//预编译方式 PreparedStatement prepStmt = conn.prepareStatement(SqlString); prepStmt.setString(1, order); ResultSet rs = prepStmt.executeQuery();

修改限制访问数据长度对于的防护代码：if (order.length() > 10) return；

不再有相关的sql异常的报错回显

不能获取数据

采用预编译方式：还是能够正常的获取数据

获取数据

三、防护总结：

获取前段的传递的参数。

request.getParameter() request.getCookies()

防护1:

如何防止sql注入数字型： Integer.parseInt(s) 字符型： String.replace("'","''"); //oracle、 mssql String.replace("'","\\'");//mysql

防护2:正则表达式过滤

防护3:使用参数化查询执行sql语句（预编译的方式）

使用参数化查询执行sql语句（预编译的方式） String selectStatement = "SELECT * FROM User WHERE userId = ? "; PreparedStatement prepStmt = con.prepareStatement(selectStatement); prepStmt.setString(1, userId); ResultSet rs = prepStmt.executeQuery();

防护4:一些特殊的更具查询的具体需要，可以限制查询传入的参数的长度（orderby的情况）

四、课后了解（需要科学上网）

https://www.owasp.org/index.php/Preventing_SQL_Injection_in_Java