JSP SQL注入
Login.JSP
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%> <% String path = request.getContextPath(); String basePath = request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + path + "/"; %> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <base href="<%=basePath%>"> <title>Login</title> <meta http-equiv="pragma" content="no-cache"> <meta http-equiv="cache-control" content="no-cache"> <meta http-equiv="expires" content="0"> <meta http-equiv="keywords" content="keyword1,keyword2,keyword3"> <meta http-equiv="description" content="This is my page"> </head> <body> <form method="POST" action="servlet/Login"> 用户名: <input type="text" name="UserName" value=""> <BR> 密 码: <input type="password" name="Pwd"> <BR> <input type="submit"> </form> </body> </html>
Servlet:
package servlet; import java.io.*; import javax.servlet.*; import javax.servlet.http.*; import dao.*; public class Login extends HttpServlet { public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { response.setContentType("text/html"); String strUserName = request.getParameter("UserName"); String strPwd = request.getParameter("Pwd"); String strLoginSuccess = ""; if (LoginDao.CheckUser(strUserName, strPwd)) { strLoginSuccess = "登录成功"; } else { strLoginSuccess = "登录失败"; } // 使结果显示输出中文 response.setCharacterEncoding("UTF-8"); PrintWriter out = response.getWriter(); out.println("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">"); out.println("<HTML>"); out.println(" <meta charset='UTF-8'>"); out.println(" <HEAD><TITLE>登录结果</TITLE></HEAD>"); out.println(" <BODY>"); out.print("[" + strLoginSuccess + "]"); out.println(" </BODY>"); out.println("</HTML>"); out.flush(); out.close(); } }
DAO:
package dao; import java.sql.Connection; import java.sql.DriverManager; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; public class LoginDao { static String url = "jdbc:sqlserver://127.0.0.1:1433;DataBaseName=HUAWEI"; static Connection con = null; static Statement sta = null; public static boolean CheckUser(String strUserName, String strPwd) { boolean bRet = false; try { // 连接 Connc(); bRet = doLogin(strUserName, strPwd); // 关闭 Close(); } catch (ClassNotFoundException e) { e.printStackTrace(); } catch (SQLException e) { e.printStackTrace(); } return bRet; } static void Connc() throws ClassNotFoundException, SQLException { Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver"); con = DriverManager.getConnection(url, "sa", "sa"); } static void Close() throws SQLException { if (con != null) { con.close(); con = null; } } static boolean doLogin(String myName, String pwd) { String strPwdFromDb = ""; boolean bRet = false; try { sta = con.createStatement();
ResultSet ret = sta.executeQuery("SELECT Pwd FROM [USER] WHERE UserName = '"+ myName + "' AND Pwd = '" + pwd + "'");
if (ret.next()) { bRet = true; } if (sta != null) { sta.close(); sta = null; } return bRet; } catch (SQLException e) { e.printStackTrace(); } return bRet; } }
数据库:"USER表"
| UserName | Pwd |
| Apple | 123 |
| Boy | 456 |
| Cat | 789 |
| Dog | ABC |
| NULL | NULL |
混乱SQL文:
1.Apple' or 1=1--
2.Apple' or 1=1; Update [USER] SET Pwd = '123';--
