SQL注入
所谓SQL注入,就是通过把SQL命令插入到Web表单提交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的SQL命令。
发现
在NEUMathe的登陆表单内输入了‘,没有正常的显示登陆失败,而是弹出以下界面:
### Error querying database. Cause: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near at line 2 ### The error may exist in ssm/mapper/StudentMapperCustom.xml ### The error may involve ssm.mapper.StudentMapperCustom.checkStudentExits-Inline ### The error occurred while setting parameters ### SQL: SELECT * FROM Student WHERE Code = and Pwd = |
很明显,这是数据库错误的提示信息,注意到这一行,SELECT * FROM Student WHERE Code = and Pwd =
服务器把单引号传入sql语句中导致这句查询执行错误,于是,找到注入点,输入2016xxxx' or '1'='1
,此时,原来正常的语句由select * from student where code = '2016xxxx' and pwd = 'xxxx'
变
成了select * from student where code = '2016xxxx' or '1'='1' and pwd = 'xxxx'
,点击登陆,居然能成功登陆,pwd密码项被or后面一个恒等式架空了,于是这个语句恒为真,即可以登陆任何人的>账号。