Objective
I have had some free time recently. It has been almost two years since I wrote much code, so I planned to write a few lines. After a year of code auditing, reading tens of thousands of lines of code every day, I suddenly found that I could no longer write code, which is really frustrating. Getting started with code auditing was genuinely hard: there was almost no Java audit material online, and after groping around for a long time I found only a few principles. To give friends who are learning Java code auditing some entry-level material, I started writing the "Java code audit serial" series of articles. This article is aimed at beginners; experts, please skip it. If the code has other problems, please ignore them, because they are not the focus: this installment covers only SQL injection. For this installment I wrote two simple pages, a login page and a query-by-ID interface, as follows:
Enough preamble, let's start!
SQL injection principle
First, look at Baidu Encyclopedia's introduction to SQL injection:
SQL injection works by inserting SQL commands into a web form submission, or into the query string of a domain name or page request, ultimately tricking the server into executing malicious SQL commands. Specifically, it is the ability to use an existing application to inject (malicious) SQL commands into the back-end database engine for execution: by entering (malicious) SQL statements in a web form, one can obtain the database of a website that has a security vulnerability, instead of the SQL statements executing according to the designer's intent. For example, many of the earlier leaks of VIP member passwords from film and television sites happened mostly through query characters submitted in web forms; such forms are particularly vulnerable to SQL injection attacks.
How SQL injection shows up in code
That definition is formal, but for beginners it is too general, and from a code-audit point of view it is not very clear. To sum up, SQL injection comes down to the following 3 points in the code:
1. The parameters passed in are user-controllable;
What does it mean for a parameter to be user-controllable? In fact, every parameter that comes in from the front end is user-controllable, including:
In what form does the back end receive all of this data and these parameters? The code is as follows:
request.getParameter("Searchword") is one way to get a parameter from the front end (there are of course other ways, not covered here). The parameter fetched from the front end is named "Searchword", that is, the value of the id "Searchword" on the input tag in the JSP page, as follows:
So "Searchword" is the "id" value we entered at the front end.
2. The system does not filter special characters in the parameters passed to the back end, or the character filter is incomplete.
What counts as a special character for SQL injection? Special characters include (mind the case):
--, #, // (comment markers)
and
Or
Select
Update
Delete
Drop
Declare
Insert
Xp_shell
( , ) (brackets)
||, +, (space) (concatenation operators)
' Single quotation mark
| (vertical bar symbol)
& (& Symbols)
; (semicolon)
$ (dollar sign)
% (Percent sign)
@ (at sign)
' (single quote)
" (quotation marks)
\' (backslash-escaped single quote)
\" (backslash-escaped quotation mark)
<> (angle brackets)
CR (carriage return, ASCII 0x0d)
LF (line break, ASCII 0x0a)
, (comma)
\ (back slash)
3. The SQL statement is built by string concatenation and then executed. The code is as follows:
Once the SQL statement is built by concatenation, the concatenated parameter "word" is executed as part of the SQL statement, not just as a parameter value. What does that mean? Details are as follows:
If word has a value of 1, then the SQL statement becomes:
Select * FROM Test where id = 1
If word has a value of 1' and 'a'='a, then the SQL statement becomes:
Select * FROM Test where id = 1' and 'a'='a
What finally executes in the database is:
Experts will already understand this, so I will not dwell on it.
The above 3 points are the root cause of SQL injection.
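For an auditor, point 3 is the easiest of the three to search for. The following is an added example, not code from the original article: a small scanner that flags source lines where a SQL string literal is joined to a variable with +. The class name, method name and sample source lines are constructed for illustration, and the check only looks at one line at a time.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Added audit helper (not from the article): flags SQL built by string concatenation. */
public class SqlConcatAudit {
    // A string literal that starts like a SQL statement ...
    private static final Pattern SQL_LITERAL = Pattern.compile(
        "\"\\s*(select|insert|update|delete)\\b[^\"]*\"", Pattern.CASE_INSENSITIVE);
    // ... joined with '+' to something that is not another literal (either side).
    private static final Pattern CONCAT = Pattern.compile(
        "\"\\s*\\+\\s*[A-Za-z_(]|[A-Za-z_)]\\s*\\+\\s*\"");

    /** Returns the 1-based numbers of lines where a SQL literal is concatenated with a variable. */
    public static List<Integer> findConcatenatedSql(String[] sourceLines) {
        List<Integer> hits = new ArrayList<>();
        for (int i = 0; i < sourceLines.length; i++) {
            String line = sourceLines[i];
            // Limitation: a statement split across several lines is not detected.
            if (SQL_LITERAL.matcher(line).find() && CONCAT.matcher(line).find()) {
                hits.add(i + 1);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample source, modelled on the three points above.
        String[] sample = {
            "String word = request.getParameter(\"Searchword\");",
            "String sql = \"select * from Test where id = \" + word;",
            "ResultSet rs = stmt.executeQuery(sql);",
            "String safe = \"select * from Test where id = ?\";",
            "PreparedStatement ps = conn.prepareStatement(safe);"
        };
        for (int lineNo : findConcatenatedSql(sample)) {
            System.out.println("line " + lineNo + ": " + sample[lineNo - 1]);
        }
    }
}
```

Each hit still has to be traced back by hand to confirm that the concatenated variable comes from request.getParameter or another user-controllable source.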
SQL injection page demo
The page with the SQL injection vulnerability is shown below:
Search box input: 1
Execution result:
Search box input: 1'
Execution result:
Search box input: 1' and 'a'='a
Execution result:
Attempting to enumerate the database length (process omitted):
This indicates that the database length is 8.
For good measure, here is the sqlmap result:
I will not go deeper into the rest; you know it better than I do.
Fixing SQL injection
Fixing SQL injection in Java code is actually quite simple. There are two main ways:
1. Add a global filter that filters special characters, as follows:
XML:
In Sqlfilter.java:
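A sketch of what such a global filter can look like, as an added example and not the article's own Sqlfilter.java. It assumes the javax.servlet API (Servlet 3.0 or later); the class name ExampleSqlFilter and the blocked-token subset are hypothetical.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Added sketch (not the article's Sqlfilter.java): rejects requests carrying blocked tokens. */
public class ExampleSqlFilter implements Filter {
    // Subset of the special-character list above (assumption: extend to match your policy).
    private static final String[] BLOCKED = {
        "'", "\"", ";", "--", "#", " and ", " or ",
        "select", "update", "delete", "drop", "declare", "insert"
    };

    /** True if the value contains any blocked token, compared case-insensitively. */
    static boolean isSuspicious(String value) {
        String v = value.toLowerCase(Locale.ROOT); // so SeLeCt matches as well as select
        for (String token : BLOCKED) {
            if (v.contains(token)) {
                return true;
            }
        }
        return false;
    }

    @Override public void init(FilterConfig cfg) { /* no configuration needed */ }
    @Override public void destroy() { /* nothing to release */ }

    // Register with <filter> and <filter-mapping> (url-pattern /*) so every request passes here.
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        for (String[] values : req.getParameterMap().values()) {
            for (String value : values) {
                if (isSuspicious(value)) {
                    // Reject outright instead of trying to strip or rewrite the input.
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
            }
        }
        chain.doFilter(req, res);
    }
}
```

A token list like this also rejects legitimate values such as a name containing a single quote, and it only sees request parameters, not headers or cookies.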
2. Use a parameterized query for the SQL statement, with the following code:
Using parameterized queries is the most fundamental way to fix SQL injection.
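The concatenated query and its parameterized replacement side by side, as an added example rather than the article's own code. It uses the Test table and id column from the statements above; the class and method names are hypothetical, the id is assumed to be compared as a string, and main expects a JDBC URL for a database whose driver is on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/** Added example (not the article's code): the same lookup, concatenated and parameterized. */
public class QueryById {

    // BEFORE: word becomes part of the SQL text, so quotes and keywords in it are parsed as SQL.
    static int countConcatenated(Connection conn, String word) throws SQLException {
        String sql = "select * from Test where id = '" + word + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return countRows(rs);
        }
    }

    // AFTER: the statement text is fixed; word is bound as a value and never parsed as SQL.
    static int countParameterized(Connection conn, String word) throws SQLException {
        String sql = "select * from Test where id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, word); // if id is numeric, parse word and use setInt instead
            try (ResultSet rs = ps.executeQuery()) {
                return countRows(rs);
            }
        }
    }

    private static int countRows(ResultSet rs) throws SQLException {
        int n = 0;
        while (rs.next()) {
            n++;
        }
        return n;
    }

    // Usage: java QueryById <jdbc-url> <search-word>
    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(args[0])) {
            System.out.println("concatenated:  " + countConcatenated(conn, args[1]));
            System.out.println("parameterized: " + countParameterized(conn, args[1]));
        }
    }
}
```

With the search-box inputs from the demo above, the parameterized version treats the whole input, quotes included, as one id value.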
sqlmap after the fix:
Conclusion:
This article does not have much technical content; I hope it is of some use to security developers and to people learning code auditing. I will keep writing this "Java code audit serial" series and hope for your support. If there are errors or shortcomings, please point them out. Thank you!
Java code audit serial: SQL injection