
An example Analysis of background injection vulnerabilities in Java Code Audit

2025-01-16 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

This article walks through a "Java code audit: background injection vulnerability analysis" example. The content is simple and clear and easy to follow; please work through the editor's reasoning step by step and study the "Java code audit background injection vulnerability example analysis" together.

Deployment introduction

1. Download the code package. It can be debugged locally or uploaded to your own server and run there.

2. Install the running program:

(1) Copy the opencarrun installation package from the extracted folder into tomcat -> webapps ->

(2) Import the SQL file into MySQL

(3) Start Tomcat

(4) After startup, the front-end access address is: http://localhost:8080/opencarrun/

3. Import the development package

Open MyEclipse -> File -> Import -> select Existing Projects into Workspace -> Next -> Select root directory and choose the opencar folder from the package you just extracted -> Finish

SQL audit process

Vulnerability location:

WebRoot\WEB-INF\lib\car-weishang-1.0.jar!\com\weishang\my\admin\DeleteAunt.class

Function module: delete external employees

public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    response.setContentType("text/html;charset=UTF-8");
    PrintWriter out = response.getWriter();
    ShopService ss = new ShopService();
    HttpSession session = request.getSession(true);
    Object user = session.getAttribute("user");
    Locale loc = new Locale("zh", "CN");
    ResourceBundle rb = ResourceBundle.getBundle("messages", loc);
    String adminTip = rb.getString("adminTip");
    String json = "";
    if (user == null) {
        // Not logged in: forward to the login page
        RequestDispatcher rd = request.getRequestDispatcher("/WEB-INF/jsp/login.jsp");
        request.setAttribute("tip", adminTip);
        rd.forward(request, response);
    } else {
        // Source: every aunt_id value from the request, fully user-controlled
        String[] auntIds = request.getParameterValues("aunt_id");
        String ids = "";
        for (int i = 0; i < auntIds.length; ++i) {
            ids = ids + auntIds[i] + ",";
        }
        ids = ids.substring(0, ids.length() - 1); // drop the trailing comma
        // The comma-joined string is handed to the service layer unchanged
        String flag = ss.deleteAunt(ids);
        if (flag.equals("ok")) {
            json = "{\"tip\":\"" + rb.getString("delete") + rb.getString("success") + "\"}";
        } else {
            json = "{\"tip\":\"" + rb.getString("delete") + rb.getString("failure") + "\"}";
        }
        out.print(json);
    }
}

request.getParameterValues("aunt_id") reads the user-supplied values into the string-array variable auntIds. After processing they are handed to the ids variable, and ids is passed into the deleteAunt method. Whether the execution succeeded is judged only through the flag variable, so at most a blind injection is possible here. Following it in:

The deleteAunt method is located at /WebRoot/WEB-INF/lib/car-weishang-1.0.jar!/com/weishang/my/service/ShopService.class

public String deleteAunt(String ids) {
    // Sink: ids is concatenated straight into the statement, with no parameter binding and no validation
    String sql = "delete from aunt where aunt_id in (" + ids + ")";
    int flag = this.jdbc.executeUpdate(sql);
    this.jdbc.close();
    return flag > 0 ? "ok" : "bad";
}

Looking at this method, a delete operation is performed, and the variable ids, that is, our problem parameter, is concatenated directly into the SQL statement without precompilation or filtering, which results in an injection vulnerability.

Repair suggestion

Apply global input filtering, or use parameter binding (prepared statements).
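The following is an added example, not code from the audited project, showing what the parameter-binding fix looks like for deleteAunt: the request values are validated as integers first, then bound one placeholder at a time into the IN list. It assumes a caller-supplied java.sql.Connection and an integer aunt_id column (the unquoted IN list in the original statement suggests one); the table and column names are those from the audited statement.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the audited project: a hardened replacement for
// ShopService.deleteAunt. Assumes a caller-supplied java.sql.Connection and an
// integer aunt_id column; table and column names come from the audited statement.
public class AuntRepository {
    private final Connection conn;
    public AuntRepository(Connection conn) {
        this.conn = conn;
    }
    // Validate the raw request values first: each id must parse as an integer,
    // so anything that is not a bare number is rejected before it reaches SQL.
    static List<Integer> parseIds(String[] rawIds) {
        List<Integer> ids = new ArrayList<>();
        if (rawIds == null) {
            return ids;
        }
        for (String raw : rawIds) {
            try {
                ids.add(Integer.parseInt(raw.trim()));
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("aunt_id must be numeric: " + raw);
            }
        }
        return ids;
    }
    // Build "delete from aunt where aunt_id in (?, ?, ?)" with one placeholder per id
    // and bind each value, so the ids travel as parameters rather than as SQL text.
    public int deleteAunt(List<Integer> ids) throws SQLException {
        if (ids.isEmpty()) {
            return 0;
        }
        StringBuilder sql = new StringBuilder("delete from aunt where aunt_id in (");
        for (int i = 0; i < ids.size(); i++) {
            sql.append(i == 0 ? "?" : ", ?");
        }
        sql.append(")");
        try (PreparedStatement ps = conn.prepareStatement(sql.toString())) {
            for (int i = 0; i < ids.size(); i++) {
                ps.setInt(i + 1, ids.get(i));
            }
            return ps.executeUpdate();
        }
    }
}
```

In the servlet, the call becomes deleteAunt(parseIds(request.getParameterValues("aunt_id"))), and the returned row count replaces the "ok"/"bad" flag.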

Thank you for reading. The above is the content of "Java code audit background injection vulnerability example analysis". After studying this article, I believe you have a deeper understanding of the Java code audit background injection vulnerability analysis problem; the specific use still needs to be verified in practice. The editor will keep pushing more articles on related knowledge points for you, so you are welcome to follow!
