Skip to content

Commit ae7c8d3

Browse files
JoyChou93JoyChou93
committed
update readme
1 parent 5701288 commit ae7c8d3

File tree

2 files changed

+18
-46
lines changed

2 files changed

+18
-46
lines changed

README.md

Lines changed: 14 additions & 42 deletions
Original file line numberDiff line numberDiff line change
@@ -132,45 +132,13 @@ http://localhost:8080/xxe/DocumentBuilder_xinclude?xml=%3C%3fxml+version%3d%221.
132132

133133
### POC
134134

135-
访问
135+
访问`http://localhost:8080/sqli/jdbc?id=1' or 'a'='a`返回`joychou: 123 wilson: 456 lightless: 789`
136136

137-
```
138-
http://localhost:8080/sqli/jdbc?name=joychou' or 'a'='a
139-
```
140-
141-
返回
142-
```
143-
joychou: 123 wilson: 456 lightless: 789
144-
```
145-
146-
正常访问
147-
```
148-
http://localhost:8080/sqli/jdbc?name=joychou
149-
```
137+
正常访问`http://localhost:8080/sqli/jdbc?id=1`返回`joychou: 123`
150138

151-
返回
152-
153-
```
154-
joychou: 123
155-
```
156-
### 数据库配置
139+
### 数据库表数据SQL
157140

158141
```sql
159-
/*
160-
Navicat Premium Data Transfer
161-
162-
Source Server : localhost
163-
Source Server Type : MySQL
164-
Source Server Version : 80012
165-
Source Host : localhost:3306
166-
Source Schema : sectest
167-
168-
Target Server Type : MySQL
169-
Target Server Version : 80012
170-
File Encoding : 65001
171-
172-
Date: 22/08/2018 21:09:57
173-
*/
174142

175143
SET NAMES utf8mb4;
176144
SET FOREIGN_KEY_CHECKS = 0;
@@ -182,23 +150,27 @@ DROP TABLE IF EXISTS `users`;
182150
CREATE TABLE `users` (
183151
`name` varchar(255) NOT NULL,
184152
`password` varchar(255) NOT NULL,
185-
`isAdmin` varchar(255) NOT NULL
186-
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci;
153+
`isAdmin` varchar(255) NOT NULL,
154+
`id` int(10) NOT NULL AUTO_INCREMENT,
155+
PRIMARY KEY (`id`)
156+
) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_0900_ai_ci;
187157

188158
-- ----------------------------
189159
-- Records of users
190160
-- ----------------------------
191161
BEGIN;
192-
INSERT INTO `users` VALUES ('joychou', '123', '1');
193-
INSERT INTO `users` VALUES ('wilson', '456', '0');
194-
INSERT INTO `users` VALUES ('lightless', '789', '0');
162+
INSERT INTO `users` VALUES ('joychou', '123', '1', 1);
163+
INSERT INTO `users` VALUES ('wilson', '456', '0', 2);
164+
INSERT INTO `users` VALUES ('lightless', '789', '0', 3);
195165
COMMIT;
196166

197167
SET FOREIGN_KEY_CHECKS = 1;
198168

169+
199170
```
200171

201172
### 说明
202173

203-
SQL注入修复方式采用预处理方式,修复见代码。
204-
Mybatis的`#{}`也是预处理方式处理SQL注入。
174+
SQL注入修复方式采用预处理方式,修复见代码。Mybatis的`#{}`也是预处理方式处理SQL注入。
175+
176+
在使用了mybatis框架后,需要进行排序功能时,在mapper.xml文件中编写sql语句时,注意orderBy后的变量要使用${},而不用#{}。因为`#{}`变量是经过预编译的,${}没有经过预编译。虽然${}存在sql注入的风险,但orderBy必须使用`${}`,因为`#{}`会多出单引号`''`导致sql语句失效。为防止sql注入只能自己判断输入的值是否是否存在SQL。

src/main/java/org/joychou/controller/SQLI.java

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ public class SQLI {
2323
@ResponseBody
2424
public static String jdbc_sqli(HttpServletRequest request){
2525

26-
String name = request.getParameter("name");
26+
String id = request.getParameter("id");
2727
String driver = "com.mysql.jdbc.Driver";
2828
String url = "jdbc:mysql://localhost:3306/sectest";
2929
String user = "root";
@@ -38,14 +38,14 @@ public static String jdbc_sqli(HttpServletRequest request){
3838

3939
// sqli vuln code 漏洞代码
4040
Statement statement = con.createStatement();
41-
String sql = "select * from users where name = '" + name + "'";
41+
String sql = "select * from users where id = '" + id + "'";
4242
System.out.println(sql);
4343
ResultSet rs = statement.executeQuery(sql);
4444

4545
// fix code 用预处理修复SQL注入
46-
// String sql = "select * from users where name = ?";
46+
// String sql = "select * from users where id = ?";
4747
// PreparedStatement st = con.prepareStatement(sql);
48-
// st.setString(1, name);
48+
// st.setString(1, id);
4949
// System.out.println(st.toString()); // 预处理后的sql
5050
// ResultSet rs = st.executeQuery();
5151

0 commit comments

Comments
 (0)