add mybatis sql

Author: JoyChou93

java-sec-code.iml

@@ -171,5 +171,14 @@
     <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-security:2.1.5.RELEASE" level="project" />
     <orderEntry type="library" name="Maven: commons-net:commons-net:3.6" level="project" />
     <orderEntry type="library" name="Maven: commons-httpclient:commons-httpclient:3.1" level="project" />
+    <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-starter:1.3.2" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework.boot:spring-boot-starter-jdbc:1.5.1.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-jdbc:8.5.11" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-juli:8.5.11" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework:spring-jdbc:4.3.6.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.springframework:spring-tx:4.3.6.RELEASE" level="project" />
+    <orderEntry type="library" name="Maven: org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:1.3.2" level="project" />
+    <orderEntry type="library" name="Maven: org.mybatis:mybatis:3.4.6" level="project" />
+    <orderEntry type="library" name="Maven: org.mybatis:mybatis-spring:1.3.2" level="project" />
   </component>
 </module>

pom.xml

@@ -169,6 +169,14 @@
             <version>3.1</version>
         </dependency>
 
+
+        <!-- mybatis -->
+        <dependency>
+            <groupId>org.mybatis.spring.boot</groupId>
+            <artifactId>mybatis-spring-boot-starter</artifactId>
+            <version>1.3.2</version>
+        </dependency>
+
     </dependencies>
 
     <dependencyManagement>

src/main/java/org/joychou/controller/SQLI.java

@@ -1,9 +1,10 @@
 package org.joychou.controller;
 
 
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.joychou.mapper.UserMapper;
+import org.joychou.dao.User;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.*;
 
 import javax.servlet.http.HttpServletRequest;
 import java.sql.*;
@@ -15,44 +16,46 @@
  * @desc    SQL Injection
  */
 
-@Controller
+@RestController
 @RequestMapping("/sqli")
 public class SQLI {
 
-    @RequestMapping("/jdbc")
-    @ResponseBody
-    public static String jdbc_sqli(HttpServletRequest request){
+    private static String driver = "com.mysql.jdbc.Driver";
+    private static String url = "jdbc:mysql://localhost:3306/java_sec_code";
+    private static String user = "root";
+    private static String password = "woshishujukumima";
 
-        String name = request.getParameter("name");
-        String driver = "com.mysql.jdbc.Driver";
-        String url = "jdbc:mysql://localhost:3306/sectest";
-        String user = "root";
-        String password = "woshishujukumima";
+    @Autowired
+    private UserMapper userMapper;
+
+
+    /**
+     * Vul Code.
+     * http://localhost:8080/sqli/jdbc/vul?username=joychou
+     *
+     * @param username username
+     */
+    @RequestMapping("/jdbc/vul")
+    public static String jdbc_sqli_vul(@RequestParam("username") String username){
         String result = "";
         try {
             Class.forName(driver);
-            Connection con = DriverManager.getConnection(url,user,password);
+            Connection con = DriverManager.getConnection(url, user, password);
 
             if(!con.isClosed())
                 System.out.println("Connecting to Database successfully.");
 
             // sqli vuln code 漏洞代码
              Statement statement = con.createStatement();
-             String sql = "select * from users where name = '" + name + "'";
+             String sql = "select * from users where username = '" + username + "'";
              System.out.println(sql);
              ResultSet rs = statement.executeQuery(sql);
 
-            // fix code 用预处理修复SQL注入
-//            String sql = "select * from users where name = ?";
-//            PreparedStatement st = con.prepareStatement(sql);
-//            st.setString(1, name);
-//            System.out.println(st.toString());  // 预处理后的sql
-//            ResultSet rs = st.executeQuery();
 
             System.out.println("-----------------");
 
             while(rs.next()){
-                String res_name = rs.getString("name");
+                String res_name = rs.getString("username");
                 String res_pwd = rs.getString("password");
                 result +=  res_name + ": " + res_pwd + "\n";
                 System.out.println(res_name + ": " + res_pwd);
@@ -77,4 +80,94 @@ public static String jdbc_sqli(HttpServletRequest request){
         return result;
     }
 
+
+    /**
+     * Security Code.
+     * http://localhost:8080/sqli/jdbc/sec?username=joychou
+     *
+     * @param username username
+     */
+    @RequestMapping("/jdbc/sec")
+    public static String jdbc_sqli_sec(@RequestParam("username") String username){
+
+        String result = "";
+        try {
+            Class.forName(driver);
+            Connection con = DriverManager.getConnection(url, user, password);
+
+            if(!con.isClosed())
+                System.out.println("Connecting to Database successfully.");
+
+
+            // fix code
+            String sql = "select * from users where username = ?";
+            PreparedStatement st = con.prepareStatement(sql);
+            st.setString(1, username);
+            System.out.println(st.toString());  // sql after prepare statement
+            ResultSet rs = st.executeQuery();
+
+            System.out.println("-----------------");
+
+            while(rs.next()){
+                String res_name = rs.getString("username");
+                String res_pwd = rs.getString("password");
+                result +=  res_name + ": " + res_pwd + "\n";
+                System.out.println(res_name + ": " + res_pwd);
+
+            }
+            rs.close();
+            con.close();
+
+
+        }catch (ClassNotFoundException e) {
+            System.out.println("Sorry,can`t find the Driver!");
+            e.printStackTrace();
+        }catch (SQLException e) {
+            e.printStackTrace();
+        }catch (Exception e) {
+            e.printStackTrace();
+
+        }finally{
+            System.out.println("-----------------");
+            System.out.println("Connect database done.");
+        }
+        return result;
+    }
+
+
+    /**
+     * security code
+     * http://localhost:8080/sqli/mybatis/sec01?username=joychou
+     *
+     * @param username username
+     */
+    @GetMapping("/mybatis/sec01")
+    public User mybatis_vul1(@RequestParam("username") String username) {
+        return userMapper.findByUserName(username);
+    }
+
+
+
+    /**
+     * security code
+     * http://localhost:8080/sqli/mybatis/sec02?id=1
+     *
+     * @param id id
+     */
+    @GetMapping("/mybatis/sec02")
+    public User mybatis_v(@RequestParam("id") Integer id) {
+        return userMapper.findById(id);
+    }
+
+
+    /**
+     * security code
+     * http://localhost:8080/sqli/mybatis/sec03
+     **/
+    @GetMapping("/mybatis/sec03")
+    public User mybatis_vul2() {
+        return userMapper.OrderByUsername();
+    }
+
+
 }

src/main/java/org/joychou/controller/jsonp/JSONP.java

@@ -57,7 +57,7 @@ private static String emptyReferer(HttpServletRequest request, HttpServletRespon
     /**
      * Adding callback or cback on parameter can automatically return jsonp data.
      * http://localhost:8080/jsonp/advice?callback=test
-     * http://localhost:8080/jsonp/advice?cback=test
+     * http://localhost:8080/jsonp/advice?_callback=test
      *
      * @return Only return object, AbstractJsonpResponseBodyAdvice can be used successfully.
      *         Such as JSONOjbect or JavaBean. String type cannot be used.

src/main/java/org/joychou/dao/User.java

@@ -0,0 +1,34 @@
+package org.joychou.dao;
+
+import java.io.Serializable;
+
+public class User implements Serializable {
+    private static final long serialVersionUID = 1L;
+    private Integer id;
+    private String username;
+    private String password;
+
+    public Integer getId() {
+        return id;
+    }
+    public void setId(Integer id) {
+        this.id = id;
+    }
+
+
+    public String getUsername() {
+        return username;
+    }
+    public void setUsername(String username) {
+        this.username = username;
+    }
+
+
+    public String getPassword() {
+        return password;
+    }
+    public void setPassword(String password) {
+        this.password = password;
+    }
+
+}

src/main/java/org/joychou/mapper/UserMapper.java

@@ -0,0 +1,18 @@
+package org.joychou.mapper;
+
+import org.apache.ibatis.annotations.Mapper;
+import org.apache.ibatis.annotations.Param;
+import org.apache.ibatis.annotations.Select;
+import org.joychou.dao.User;
+
+@Mapper
+public interface UserMapper {
+
+    // If using simple sql, we can use annotation.
+    @Select("select * from users where username = #{username}")
+    User findByUserName(@Param("username") String username);
+
+    User findById(Integer id);
+
+    User OrderByUsername();
+}

src/main/resources/application.properties

@@ -1,4 +1,11 @@
 
+spring.datasource.url=jdbc:mysql://127.0.0.1:3306/java_sec_code?useUnicode=true&characterEncoding=utf8&useSSL=false&serverTimezone=GMT%2B8
+spring.datasource.username=root
+spring.datasource.password=woshishujukumima
+spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
+mybatis.mapper-locations=classpath:mapper/*.xml
+
+
 # Spring Boot Actuator Vulnerable Config
 management.security.enabled=false
 # logging.config=classpath:logback-online.xml

src/main/resources/mapper/UserMapper.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
+
+<mapper namespace="org.joychou.mapper.UserMapper">
+
+    <resultMap type="org.joychou.dao.User" id="User">
+        <id column="id" property="id" javaType="java.lang.Integer" jdbcType="NUMERIC"/>
+        <id column="username" property="username" javaType="java.lang.String" jdbcType="VARCHAR"/>
+        <id column="password" property="password" javaType="java.lang.String" jdbcType="VARCHAR"/>
+    </resultMap>
+
+    <!--<select id="findByUserName" resultMap="User">-->
+	    <!--select * from users where username = #{username}-->
+    <!--</select>-->
+
+    <select id="findById" resultMap="User">
+        select * from users where id = #{id}
+    </select>
+
+    <select id="OrderByUsername" resultMap="User">
+        select * from users order by id asc limit 1
+    </select>
+</mapper>