12306's SQL injection vulnerability has been exposed; here is my attempt at publishing a fix
2012-09-29 14:57
In a project I used the iBatis LIKE syntax without looking into it properly, and the resulting SQL statement was vulnerable to SQL injection. I'm writing it up here so I remember next time!
The SQL statement:
select *
from ( select 1 from poll
  <dynamic prepend=" where ">
    <isNotEmpty prepend=" and " property="title">
      title like '%$title$%'
    </isNotEmpty>
    <isNotEmpty property="used">
      <isEqual compareValue="true" prepend=" and " property="used">
        <![CDATA[status & 2 > 0 and status & 1 <= 0 and status & 8 <= 0 ]]>
      </isEqual>
    </isNotEmpty>
    <isNotEmpty prepend=" and " property="startTimeBegin">
      <![CDATA[ gmt_create >= #startTimeBegin# ]]>
    </isNotEmpty>
    <isNotEmpty prepend=" and " property="startTimeEnd">
      <![CDATA[ gmt_create <= #startTimeEnd# ]]>
    </isNotEmpty>
  </dynamic>
  limit 10000
) as t
Pay attention to this construct:
title like '%$title$%'
It is vulnerable to SQL injection.
Below is a unit test:
Java code:
PollQuery query = new PollQuery();
query.setCurrentPage(1);
query.setPageSize(50);
query.setTitle("1231%' or '1%' = '1"); // a very simple input :(
List<SnsPollDO> l = pollDAO.findPollList(query);
System.out.println(l.size());
Test result (the SQL statement as printed):
select * from poll where title like '%1231%' or '1%' = '1%'
Even though the title doesn't match, the clause after the "or" is always true. Sigh!
So it seems this form simply splices the value into the statement as plain text:
title like '%$title$%'
How to fix it:
On Oracle, change it to: title like '%'||#title#||'%'. That definitely works.
But on MySQL that form does not work; it still has the problem described above:
select * from poll where title like '%'||?||'%' order by gmt_create desc limit ?, ?
It still returns results! Sigh!
You have to use: title like CONCAT('%',#title#,'%')
select * from poll where title like CONCAT('%',?,'%') order by gmt_create desc limit ?, ?
Heh, repeated tests found no further problems!
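As an added example (not code from the original post): the vulnerable `$title$` splice and the parameterized fix rebuilt in Python over an in-memory SQLite table, so the mechanism can be run without iBatis or MySQL. SQLite concatenates with `||` as Oracle does; the sample `poll` rows, the payload variable and the `escape_like` helper are constructed here.

```python
import sqlite3

# Constructed sample rows standing in for the post's `poll` table (not real data).
ROWS = ["Train schedule survey", "Holiday poll 1231", "Discount 100%", "50 off"]
PAYLOAD = "1231%' or '1%' = '1"   # the post's unit-test input


def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE poll (title TEXT)")
    conn.executemany("INSERT INTO poll (title) VALUES (?)", [(t,) for t in ROWS])
    return conn


def find_vulnerable(conn, title):
    """Mirrors iBatis `title like '%$title$%'`: $...$ splices raw text into the SQL,
    so a quote in the input ends the string literal and the rest becomes SQL."""
    sql = f"SELECT title FROM poll WHERE title LIKE '%{title}%' ORDER BY rowid"
    return [r[0] for r in conn.execute(sql)]


def escape_like(s):
    """Escape LIKE metacharacters so the bound value is matched as a literal substring."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def find_parameterized(conn, title, escape_wildcards=False):
    """Mirrors the post's fix, `title like CONCAT('%', #title#, '%')`: the value is a
    bound parameter, so quotes in it can never close the literal. SQLite (like Oracle)
    concatenates with ||; MySQL treats || as logical OR unless PIPES_AS_CONCAT is set,
    which is why the post has to use CONCAT() there."""
    sql = "SELECT title FROM poll WHERE title LIKE '%' || ? || '%'"
    if escape_wildcards:
        # Hardening beyond the post: a bound parameter stops injection, but % and _
        # in the input still act as LIKE wildcards; escape them for a literal search.
        title = escape_like(title)
        sql += " ESCAPE '\\'"
    return [r[0] for r in conn.execute(sql + " ORDER BY rowid", (title,))]


if __name__ == "__main__":
    c = setup()
    print(find_vulnerable(c, PAYLOAD))      # every row: the injected OR is always true
    print(find_parameterized(c, PAYLOAD))   # []: the payload is just a non-matching substring
```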
This article is from the "无证程序猿" blog; please keep this attribution: http://yjflinchong.blog.51cto.com/6851233/1165028