Hacking Book | Free Online Hacking Learning



Posted by patinella at 2020-03-08


I've had some free time recently. I've barely written any code for nearly two years; I've spent the last year doing code audit, reading tens of thousands of lines of code every day, and I suddenly found that I can't write code any more, which is really annoying. It is also hard to find any material on Java code audit online; after a long search I only found a few articles that talk about principles. So, to give friends who want to learn Java code audit some basic material, I'm starting a series of articles on Java code audit. This one is for beginners; experts, please pass by after leaving a footprint. If you find other problems with the demo code, please ignore them, because they are not the point: this piece deals only with SQL injection. For it I wrote two simple pages, a login page and a query-by-ID page, shown below:

No more bullshit, let's go!

SQL injection principle

First, the Baidu Encyclopedia definition of SQL injection:

So-called SQL injection means inserting SQL commands into a web form submission, or into the query string of a domain name or page request, so that the server is ultimately tricked into executing malicious SQL. Specifically, it is the ability to use an existing application to inject (malicious) SQL commands into the back-end database engine for execution: by entering (malicious) SQL statements into a web form, an attacker can get at the database of a website with a security vulnerability, instead of the statements running as the designer intended. For example, many of the earlier leaks of VIP member passwords from video websites came from submitting query strings through web forms, which are particularly vulnerable to SQL injection attacks.

How SQL injection shows up in code

The definition sounds very formal, but for a beginner it is too general, and it does not say what to look for during a code audit. In code, SQL injection comes down to the following three points:

1. The parameters passed in are controllable by the user.

What does "user controllable" mean? In practice, every parameter that arrives from the front end is user controllable, including form fields, URL query strings, cookies and request headers:

How are these values received once they reach the back end? The code is as follows:

request.getParameter("searchword") is one way of reading a parameter sent from the front end (there are others, not covered here). The parameter name "searchword" matches the name attribute of the input element on the JSP page (it is the name attribute, not the id, that the browser submits), as follows:

So "searchword" carries the ID value entered on the front end.

2. The system does no special-character filtering on the parameters passed to the back end, or the filtering is incomplete.

What counts as a special character? For SQL injection the usual list is:

--, #, /* */ (comment markers)

( ) brackets

||, +, space (concatenation and connectors)

' single quote

" double quote

\' and \ (backslash escapes)

| vertical bar

&& double ampersand

; semicolon

$ dollar sign

% percent sign

@ at sign

< > angle brackets

CR (carriage return, ASCII 0x0D)

LF (line feed, ASCII 0x0A)

, comma

Which of these matter depends on where the value lands in the statement: inside a quoted string the single quote is what breaks out, in a numeric context no quote is needed at all, and the comment markers are what let an attacker discard the rest of the original query. That is why a blacklist of characters is never a complete defence on its own.

3. The SQL statement is built by string concatenation ("splicing") and executed directly. The code is as follows:

Once the statement is executed this way, the spliced-in parameter word is no longer just a value: whatever it contains becomes part of the SQL text. Concretely:

If word is 1, the statement becomes:

select * from test where id = '1'

If word is 1' and 'a'='a, the statement becomes:

select * from test where id = '1' and 'a'='a'

The closing quote appended by the code now terminates the attacker's 'a, so what the database finally executes is a well-formed statement with an extra condition that is always true. It still returns the row with id 1, exactly as the input 1 does, whereas the input 1' on its own leaves a quote unbalanced and produces a syntax error. That difference is what tells an attacker the parameter is being interpreted as SQL.

Experienced readers understand this already, so I won't go into more detail.

These three points together are the root cause of SQL injection.

SQL injection page demonstration

The following is the page with the SQL injection vulnerability:

Search box input: 1

Execution result:

Search box input: 1'

Execution result:

Search box input: 1' and 'a'='a

Execution result:

Next, find the length of the database name by further injection (steps omitted):

The result shows that the database name is 8 characters long.

And a sqlmap screenshot for good measure:

I won't go any deeper here; you know the rest better than I do.

Fixing SQL injection

Fixing SQL injection in Java code is also straightforward. There are two main approaches:

1. Add a global filter that screens the special characters listed above. The configuration is as follows:

In sqlfilter.java:

A filter like this is a blacklist, so treat it as defence in depth rather than the fix: it only catches the characters someone thought to list, it rejects legitimate input that happens to contain them (a surname such as O'Brien), and a filter that targets quotes does nothing for a numeric parameter spliced in without quotes.

2. Write the SQL statement as a parameterized query. The code is as follows:

Parameterized queries are the fundamental fix for SQL injection: the SQL text is fixed before the user's value is bound, so the value can never change the structure of the statement.
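As an added example (not the article's own sqlfilter.java, which is not reproduced on this page), here is what a global blacklist filter of the kind described in approach 1 looks like as a servlet Filter. It assumes the javax.servlet 3.x API; the class name, the URL pattern and the choice to answer with HTTP 400 rather than strip the characters are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not the article's sqlfilter.java: a servlet Filter that
 * rejects any request whose parameters contain the SQL metacharacters listed
 * in the article. Assumes the javax.servlet 3.x API; the URL pattern and the
 * 400 response are choices made here for illustration.
 */
@WebFilter(urlPatterns = "/*")
public class SqlFilter implements Filter {

    // Characters from the list in the article. Space is deliberately left out:
    // blocking it would break every multi-word search.
    private static final Pattern SQL_META =
            Pattern.compile("--|#|/\\*|\\*/|[()'\"\\\\|&;$%@<>,+\\r\\n]");

    /** Returns true when a value contains one of the blacklisted sequences. */
    static boolean containsSqlMeta(String value) {
        return value != null && SQL_META.matcher(value).find();
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // getParameterMap covers the query string and the form body; headers
        // and cookies are not checked here and would need the same treatment
        // if the application ever splices them into SQL.
        for (Map.Entry<String, String[]> entry : request.getParameterMap().entrySet()) {
            for (String value : entry.getValue()) {
                if (containsSqlMeta(value)) {
                    ((HttpServletResponse) response).sendError(
                            HttpServletResponse.SC_BAD_REQUEST,
                            "illegal character in parameter " + entry.getKey());
                    return;
                }
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

Because the pattern leaves out the space, an input such as 1 or 1=1 passes straight through, which is exactly the payload that works when a numeric id is spliced in without quotes; at the same time an honest search for O'Brien is rejected. Both are reasons the article's second approach is the real fix.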
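The following added example (not code from the original post) puts the spliced query from point 3 of the previous section next to its parameterized replacement from approach 2 above, and runs both against an H2 in-memory database. It assumes the H2 driver (com.h2database:h2) is on the classpath; the JDBC URL, the class and method names and the rows in the test table are constructed for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not from the original post: the spliced query from the
 * article next to its PreparedStatement replacement, run against an H2
 * in-memory database. Assumes the H2 driver is on the classpath; the JDBC
 * URL and the rows in the test table are constructed for the demonstration.
 */
public class SqliDemo {

    // DB_CLOSE_DELAY=-1 keeps the in-memory database alive between connections.
    private static final String URL = "jdbc:h2:mem:audit;DB_CLOSE_DELAY=-1";

    // Constructed test data standing in for the article's "test" table.
    static void setUp() throws SQLException {
        try (Connection c = DriverManager.getConnection(URL);
             Statement s = c.createStatement()) {
            s.execute("CREATE TABLE IF NOT EXISTS test(id VARCHAR(10), name VARCHAR(50))");
            s.execute("DELETE FROM test");
            s.execute("INSERT INTO test VALUES ('1','alice'),('2','bob'),('3','carol')");
        }
    }

    // VULNERABLE: the parameter is spliced into the SQL text, so quotes and
    // keywords inside it are parsed as part of the WHERE clause.
    static List<String> vulnerableQuery(String word) throws SQLException {
        String sql = "select * from test where id = '" + word + "'";
        List<String> names = new ArrayList<>();
        try (Connection c = DriverManager.getConnection(URL);
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery(sql)) {
            while (rs.next()) {
                names.add(rs.getString("name"));
            }
        }
        return names;
    }

    // FIXED: the parameter is bound with setString, so the driver sends it as
    // a value; the statement text never changes whatever the value contains.
    static List<String> safeQuery(String word) throws SQLException {
        String sql = "select * from test where id = ?";
        List<String> names = new ArrayList<>();
        try (Connection c = DriverManager.getConnection(URL);
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, word);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        setUp();
        // Plain value: matches the single row with id 1.
        System.out.println(vulnerableQuery("1"));
        // Always-true AND: same row as the plain value, the boolean "true" case.
        System.out.println(vulnerableQuery("1' and 'a'='a"));
        // Always-true OR: the WHERE clause now matches every row in the table.
        System.out.println(vulnerableQuery("1' or 'a'='a"));
        try {
            // Unbalanced quote: the statement is malformed and the driver throws.
            vulnerableQuery("1'");
        } catch (SQLException e) {
            System.out.println("1' -> " + e.getMessage());
        }
        // Same OR payload bound as a value: no id equals that literal string.
        System.out.println(safeQuery("1' or 'a'='a"));
    }
}
```

With the payload 1' or 'a'='a, vulnerableQuery builds select * from test where id = '1' or 'a'='a' and returns every row, while the input 1' leaves a quote unbalanced and throws an SQLException. safeQuery binds the same payload as one string value, so the statement still reads where id = ? and matches nothing. That is the audit rule in one line: executeQuery on a Statement built from concatenated strings is the finding; a PreparedStatement with ? placeholders and setXxx calls is the fix.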

sqlmap screenshot after the fix:


This article does not have much technical depth; I hope it is of some small use to security developers and to those learning code audit. The Java code audit series will continue, and I hope you will support it. If there are any mistakes or omissions, please point them out. Thank you!