java SQL流入分析程序

在每次查询后 把记录数输出 大家就全明白了

ls图片 好不河蟹啊

哟  漏点了  我要报告管理员才行   绝对不能让这么不河蟹的图片出现在JE上!

<div class="quote_title">liu0107613 写道</div>
<div class="quote_div">
<p>DROP TABLE IF EXISTS `user`;<br>CREATE TABLE `user` (<br>? `id` int(10) unsigned NOT NULL auto_increment,<br>? `name` varchar(45) NOT NULL,<br>? `passwd` varchar(45) NOT NULL,<br>? PRIMARY KEY? (`id`)<br>) ENGINE=InnoDB DEFAULT CHARSET=gb2312;</p>
<p>?</p>
<p>?</p>
<p>?</p>
<p>?</p>
<p>package com.liuxt;</p>
<p>import java.sql.Connection;<br>import java.sql.DriverManager;<br>import java.sql.PreparedStatement;<br>import java.sql.ResultSet;<br>import java.sql.SQLException;<br>import java.sql.Statement;</p>
<p>public class SqlInjection {<br>?Connection conn=null;<br>?<br>?private void initDB(){<br>??<br>??try{<br>???Class.forName("com.mysql.jdbc.Driver");<br>???conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" + <br>????????????????????????????????????? "<a href="mailto:user=root&amp;[email protected]">user=root&amp;[email protected]</a>");</p>
<p>??}catch(Exception e){<br>??? e.printStackTrace();?<br>??}<br>??<br>??<br>?}</p>
<p>?private boolean queryPreUser(String name, String passwd) {<br>??PreparedStatement statement=null;<br>??try {<br>???String sql=this.ceatePreSql(name,passwd);<br>???statement=this.conn.prepareStatement(sql);<br>???System.out.println("sql....."+sql);<br>???statement.setString(1,name);<br>???statement.setString(2,passwd);<br>???ResultSet res=statement.executeQuery();<br>???int count=0;<br>???while(res.next()){<br>????count=res.getInt(1);<br>????<br>???}<br>???<br>???if(count==1) return true;<br>???else return false;<br>???<br>??} catch (SQLException e) {<br>???e.printStackTrace();<br>??}<br>??finally{<br>???try {<br>????statement.close();<br>???} catch (SQLException e) {<br>????e.printStackTrace();<br>???}<br>???<br>??}<br>??return false;<br>?}<br>?<br>?<br>?</p>
<p>?<br>?private String ceatePreSql(String name, String passwd) {<br>??StringBuilder sb=new StringBuilder();<br>??sb.append("select count(*) as cc from user ");<br>??sb.append("where name=? ");<br>??sb.append("and passwd=? ");<br>??return sb.toString();<br>?}</p>
<p><br>?private boolean queryUser(String name, String passwd) {<br>??Statement statement=null;<br>??try {<br>???statement=this.conn.createStatement();<br>???String sql=this.creatSql(name,passwd);<br>???System.out.println("sql ....."+sql);<br>???ResultSet res=statement.executeQuery(sql);<br>???int count=0;<br>???while(res.next()){<br>????count=res.getInt(1);<br>????<br>???}<br>???<br>???if(count==1) return true;<br>???else return false;<br>???<br>??} catch (SQLException e) {<br>???e.printStackTrace();<br>??}<br>??finally{<br>???try {<br>????statement.close();<br>???} catch (SQLException e) {<br>????e.printStackTrace();<br>???}<br>???<br>??}<br>??return false;<br>?}<br>?<br>?<br>?private String creatSql(String name, String passwd) {<br>??<br>??StringBuilder sb=new StringBuilder();<br>??sb.append("select count(*) as cc from user ");<br>??sb.append("where name='"+name+"' ");<br>??sb.append("and passwd='"+passwd+"'");<br>??//sb.toString();<br>??return sb.toString();<br>?}</p>
<p>?public static void main(String[] args) {<br>??<br>??SqlInjection dbTest=new SqlInjection();<br>??dbTest.initDB();<br>??boolean result;<br>??result=dbTest.queryUser("test","111");<br>??System.out.println("query result(in Statement) is ===="+result);<br>??result=dbTest.queryUser("", "' or 1=1 --'");<br>??System.out.println("query result(in Statement) is ===="+result);<br>??result=dbTest.queryUser("' or 1=1 --'", "x");<br>??System.out.println("query result(in Statement) is ===="+result);<br>??<br>??result=dbTest.queryPreUser("test","111");<br>??System.out.println("query result(in PreparedStatement) is ===="+result);<br>??result=dbTest.queryPreUser("", "' or 1=1 --'");<br>??System.out.println("query result(in PreparedStatement) is ===="+result);<br>??result=dbTest.queryPreUser("' or 1=1 --'", "x");<br>??System.out.println("query result(in PreparedStatement) is ===="+result);<br>?}</p>
<p>}</p>
<p>?</p>
<p>运行结果：</p>
<p>?</p>
<p><span style="color: #ff6600;">sql .....select count(*) as cc from user where name='test' and passwd='111'<br>query result(in Statement) is ====true<br>sql .....select count(*) as cc from user where name='' and passwd='' or 1=1 --''<br>query result(in Statement) is ====true<br>sql .....select count(*) as cc from user where name='' or 1=1 --'' and passwd='x'<br>query result(in Statement) is ====false<br>sql.....select count(*) as cc from user where name=? and passwd=? <br>query result(in PreparedStatement) is ====true<br>sql.....select count(*) as cc from user where name=? and passwd=? <br>query result(in PreparedStatement) is ====false<br>sql.....select count(*) as cc from user where name=? and passwd=? <br>query result(in PreparedStatement) is ====false<br></span></p>
<p>?</p>
<p>?</p>
</div>
<p>?</p>

SQL注入无处不在
有数据输入查询数据库而不加以限制就很容易产生注入
我在C# 的界面程序也试过SQL注入成功