java SQL流入分析程序

2012-10-28

java SQL注入分析程序DROP TABLE IF EXISTS `user`CREATE TABLE `user` (? `id` int(10) unsigned NOT NU

java SQL注入分析程序

DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
? `id` int(10) unsigned NOT NULL auto_increment,
? `name` varchar(45) NOT NULL,
? `passwd` varchar(45) NOT NULL,
? PRIMARY KEY? (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=gb2312;

package com.liuxt;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SqlInjection {
?Connection conn=null;
?
?private void initDB(){
??
??try{
???Class.forName("com.mysql.jdbc.Driver");
???conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" +
????????????????????????????????????? "user=root&password=G@111111");

??}catch(Exception e){
??? e.printStackTrace();?
??}
??
??
?}

?private boolean queryPreUser(String name, String passwd) {
??PreparedStatement statement=null;
??try {
???String sql=this.ceatePreSql(name,passwd);
???statement=this.conn.prepareStatement(sql);
???System.out.println("sql....."+sql);
???statement.setString(1,name);
???statement.setString(2,passwd);
???ResultSet res=statement.executeQuery();
???int count=0;
???while(res.next()){
????count=res.getInt(1);
????
???}
???
???if(count==1) return true;
???else return false;
???
??} catch (SQLException e) {
???e.printStackTrace();
??}
??finally{
???try {
????statement.close();
???} catch (SQLException e) {
????e.printStackTrace();
???}
???
??}
??return false;
?}
?
?
?

?
?private String ceatePreSql(String name, String passwd) {
??StringBuilder sb=new StringBuilder();
??sb.append("select count(*) as cc from user ");
??sb.append("where name=? ");
??sb.append("and passwd=? ");
??return sb.toString();
?}

?private boolean queryUser(String name, String passwd) {
??Statement statement=null;
??try {
???statement=this.conn.createStatement();
???String sql=this.creatSql(name,passwd);
???System.out.println("sql ....."+sql);
???ResultSet res=statement.executeQuery(sql);
???int count=0;
???while(res.next()){
????count=res.getInt(1);
????
???}
???
???if(count==1) return true;
???else return false;
???
??} catch (SQLException e) {
???e.printStackTrace();
??}
??finally{
???try {
????statement.close();
???} catch (SQLException e) {
????e.printStackTrace();
???}
???
??}
??return false;
?}
?
?
?private String creatSql(String name, String passwd) {
??
??StringBuilder sb=new StringBuilder();
??sb.append("select count(*) as cc from user ");
??sb.append("where name='"+name+"' ");
??sb.append("and passwd='"+passwd+"'");
??//sb.toString();
??return sb.toString();
?}

?public static void main(String[] args) {
??
??SqlInjection dbTest=new SqlInjection();
??dbTest.initDB();
??boolean result;
??result=dbTest.queryUser("test","111");
??System.out.println("query result(in Statement) is ===="+result);
??result=dbTest.queryUser("", "' or 1=1 --'");
??System.out.println("query result(in Statement) is ===="+result);
??result=dbTest.queryUser("' or 1=1 --'", "x");
??System.out.println("query result(in Statement) is ===="+result);
??
??result=dbTest.queryPreUser("test","111");
??System.out.println("query result(in PreparedStatement) is ===="+result);
??result=dbTest.queryPreUser("", "' or 1=1 --'");
??System.out.println("query result(in PreparedStatement) is ===="+result);
??result=dbTest.queryPreUser("' or 1=1 --'", "x");
??System.out.println("query result(in PreparedStatement) is ===="+result);
?}

}

运行结果：

sql .....select count(*) as cc from user where name='test' and passwd='111'
query result(in Statement) is ====true
sql .....select count(*) as cc from user where name='' and passwd='' or 1=1 --''
query result(in Statement) is ====true
sql .....select count(*) as cc from user where name='' or 1=1 --'' and passwd='x'
query result(in Statement) is ====false
sql.....select count(*) as cc from user where name=? and passwd=?
query result(in PreparedStatement) is ====true
sql.....select count(*) as cc from user where name=? and passwd=?
query result(in PreparedStatement) is ====false
sql.....select count(*) as cc from user where name=? and passwd=?
query result(in PreparedStatement) is ====false

??}catch(Exception e){ ??? e.printStackTrace();? ??} ?? ?? ?}
?private boolean queryPreUser(String name, String passwd) { ??PreparedStatement statement=null; ??try { ???String sql=this.ceatePreSql(name,passwd); ???statement=this.conn.prepareStatement(sql); ???System.out.println("sql....."+sql); ???statement.setString(1,name); ???statement.setString(2,passwd); ???ResultSet res=statement.executeQuery(); ???int count=0; ???while(res.next()){ ????count=res.getInt(1); ???? ???} ??? ???if(count==1) return true; ???else return false; ??? ??} catch (SQLException e) { ???e.printStackTrace(); ??} ??finally{ ???try { ????statement.close(); ???} catch (SQLException e) { ????e.printStackTrace(); ???} ??? ??} ??return false; ?} ? ? ?
? ?private String ceatePreSql(String name, String passwd) { ??StringBuilder sb=new StringBuilder(); ??sb.append("select count(*) as cc from user "); ??sb.append("where name=? "); ??sb.append("and passwd=? "); ??return sb.toString(); ?}
 ?private boolean queryUser(String name, String passwd) { ??Statement statement=null; ??try { ???statement=this.conn.createStatement(); ???String sql=this.creatSql(name,passwd); ???System.out.println("sql ....."+sql); ???ResultSet res=statement.executeQuery(sql); ???int count=0; ???while(res.next()){ ????count=res.getInt(1); ???? ???} ??? ???if(count==1) return true; ???else return false; ??? ??} catch (SQLException e) { ???e.printStackTrace(); ??} ??finally{ ???try { ????statement.close(); ???} catch (SQLException e) { ????e.printStackTrace(); ???} ??? ??} ??return false; ?} ? ? ?private String creatSql(String name, String passwd) { ?? ??StringBuilder sb=new StringBuilder(); ??sb.append("select count(*) as cc from user "); ??sb.append("where name='"+name+"' "); ??sb.append("and passwd='"+passwd+"'"); ??//sb.toString(); ??return sb.toString(); ?}
?public static void main(String[] args) { ?? ??SqlInjection dbTest=new SqlInjection(); ??dbTest.initDB(); ??boolean result; ??result=dbTest.queryUser("test","111"); ??System.out.println("query result(in Statement) is ===="+result); ??result=dbTest.queryUser("", "' or 1=1 --'"); ??System.out.println("query result(in Statement) is ===="+result); ??result=dbTest.queryUser("' or 1=1 --'", "x"); ??System.out.println("query result(in Statement) is ===="+result); ?? ??result=dbTest.queryPreUser("test","111"); ??System.out.println("query result(in PreparedStatement) is ===="+result); ??result=dbTest.queryPreUser("", "' or 1=1 --'"); ??System.out.println("query result(in PreparedStatement) is ===="+result); ??result=dbTest.queryPreUser("' or 1=1 --'", "x"); ??System.out.println("query result(in PreparedStatement) is ===="+result); ?}
}
?
运行结果：
?
sql .....select count(*) as cc from user where name='test' and passwd='111' query result(in Statement) is ====true sql .....select count(*) as cc from user where name='' and passwd='' or 1=1 --'' query result(in Statement) is ====true sql .....select count(*) as cc from user where name='' or 1=1 --'' and passwd='x' query result(in Statement) is ====false sql.....select count(*) as cc from user where name=? and passwd=? query result(in PreparedStatement) is ====true sql.....select count(*) as cc from user where name=? and passwd=? query result(in PreparedStatement) is ====false sql.....select count(*) as cc from user where name=? and passwd=? query result(in PreparedStatement) is ====false 
?
?
</div>
? 5 楼 liomao 2009-07-15 SQL注入无处不在
有数据输入查询数据库而不加以限制就很容易产生注入
我在C# 的界面程序也试过SQL注入成功

热点排行

SQL Server

java SQL流入分析程序