SQL注入攻击模拟无法正常工作

SQL injection attack simulation does not work properly

提问人:aforz 提问时间:3/23/2022 更新时间:3/23/2022 访问量:53

问:

我在教程中看到,为了在JDBC中模拟SQL注入攻击实例,它会用双引号在SQLite中编写以下语句,然后加载记录。但是当我用单引号在预言机中写相同的短语时,它会出现错误。为什么?

//in main
System.out.println("Enter a title:");
DB.querySongArtistView(scanner.nextLine());

//in database class
private static final String QUERY_SONG_ARTIST_VIEW = "SELECT ARTIST , ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='";


public Optional<List<SongArtist>> querySongArtistView(String title) {
    List<SongArtist> songArtistListView = null;
try (Statement statement = connection.createStatement();
         ResultSet resultSet = statement.executeQuery(QUERY_SONG_ARTIST_VIEW + title + "'")) {
        songArtistListView = new ArrayList<>();

        while (resultSet.next())
            songArtistListView.add(new SongArtist(resultSet.getString(1),
                    resultSet.getString(2), resultSet.getInt(3)));
    } catch (SQLException e) {
        displayExceptionMessage(e);
    }
    return Optional.ofNullable(songArtistListView);
}

本教程输入的内容:

Go Your Own Way" or 1=1 or ";

我在 Oracle 中的查询:

Go Your Own Way' or 1=1 or ';

错误:

[42000][920] ORA-00920: invalid relational operator Position: 62

我希望有效的查询,但它没有:

SELECT ARTIST, ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='Go Your Own Way' or 1=1 or '';
Oracle SQL注入

评论

答:

1赞 Alex Poole 3/23/2022 #1

它抱怨这部分 - 需要将空字符串与某些东西进行比较(这有点棘手,因为 oracle 将其视为 null)。or ''

它应该适用于以下内容:

Go Your Own Way' or 'X' = 'X

这将产生

SELECT ARTIST, ALBUM , TRACK FROM SONG_ARTIST WHERE TITLE ='Go Your Own Way' or 'X' = 'X';

至少这是有效的

上一个:如何阻止SQL注入漏洞?

下一个:javax.persistence.EntityManager SQL 注入