I have a query that fetches data from the database with multiple search filters. I am using a prepared statement to construct the where condition and set the values in the query.
Code:
```java
// Query text with two placeholders; the number of values bound below must
// equal the number of '?' markers (the original had a stray comma before FROM).
String sql = "SELECT coalesce(parent_id,siteid) as siteid, address, "
    + "state, status, plan, remarks FROM archive LEFT OUTER JOIN site_mappings ON "
    + "site_dn = mrbts AND siteid = child_site_id where UPPER(mrbts) like UPPER(?) "
    + "and ((UPPER(technology) like UPPER(?)))";
PreparedStatement preparedStatement = connection.prepareStatement(sql);
int positionIndex = 1;
Iterator<Integer> iterator = filterMap.keySet().iterator();
while (iterator.hasNext()) {
    Integer key = iterator.next();
    if (key == 6) {
        // Filter 6 may hold several space-separated patterns; bind each one
        String value = filterMap.get(key);
        String[] filterPatterns = value.trim().split(" ");
        for (int i = 0; i < filterPatterns.length; i++) {
            preparedStatement.setString(positionIndex++, "%" + filterPatterns[i] + "%");
        }
    } else {
        // Every other filter is bound as a single contains-pattern
        preparedStatement.setString(positionIndex++, "%" + filterMap.get(key) + "%");
    }
}
ResultSet rs = preparedStatement.executeQuery();
```
Sample SQL query:
```sql
SELECT coalesce(parent_id,siteid) as siteid, address, state, status, plan,
remarks FROM archive LEFT OUTER JOIN site_mappings ON site_dn = mrbts AND
siteid = child_site_id where UPPER(mrbts) like UPPER('%4105%') and
((UPPER(technology) like UPPER('%LTE%')))
```
During the security scan it reports a vulnerability for the following input in the search. Sample request:
```
https://1.1.1.1/sample_servlet/DataServlet?TYPE=getListDataURL" -p sSortDir_0 --suffix='' --level=3 --method=POST --data="sEcho=1&iColumns=11&sColumns=&iDisplayStart=0&iDisplayLength=10&mDataProp_0=action&mDataProp_1=drilldown&mDataProp_2=modifiedtime&mDataProp_3=siteid&sSearch=&bRegex=false&sSearch_0=&bRegex_0=false&bSearchable_0=true&sSearch_1=&bRegex_1=false&bSearchable_1=true&sSearch_2=&bRegex_2=false&bSearchable_2=true&sSearch_3='%2B(select*from(select(sleep(20)))a)%2B'&bRegex_3=false&bSearchable_3=true&iSortCol_0=2&sSortDir_0=desc&iSortingCols=1&bSortable_0=false&bSortable_1=false&bSortable_2=true&bSortable_3=true&REQUESTTYPE=getListData" -a
```
Request 1: `sSearch_3='%2b(select*from(select(sleep(20)))a)%2b'`
I guess the SQL query will be formed as follows:
```sql
SELECT coalesce(parent_id,siteid) as siteid, address, state, status, plan,
remarks FROM archive LEFT OUTER JOIN site_mappings ON site_dn = mrbts AND
siteid = child_site_id where UPPER(mrbts) like UPPER('%4105%') and
((UPPER(technology) like UPPER('%2b(select*from(select(sleep(20)))a)%2b'')))
```
Response: `{"iTotalRecords":3,"aaData":[],"count":{"planning":3},"iTotalDisplayRecords":0,"sEcho":1,"isTableFiltered":true}`
Request 2: `sSearch_3='`
Response: `{"iTotalRecords":0,"aaData":[],"iTotalDisplayRecords":0,"sError":"Db error while fetching data","sEcho":1}`
Request 3: `sSearch_3="`
Response: `{"iTotalRecords":0,"aaData":[],"iTotalDisplayRecords":0,"sEcho":1,"isTableFiltered":true}`
In the above requests it does not fetch any database content. Is it still exploitable? How do I get rid of this small issue?
The Burp tool reports SQL injection:
The parameter appears to be vulnerable to SQL injection attacks. The payload `'+(select*from(select(sleep(20)))a)+'` was submitted in the sSearch_3 parameter. The application took 20012 milliseconds to respond to the request, compared with 10 milliseconds for the original request, indicating that the injected SQL command caused a time delay.
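The post's filter pattern (placeholders in the SQL text, `%` added around the value at bind time) can be exercised end to end on an in-memory SQLite database. The example below is added here and is not the poster's code; it uses a constructed two-column `archive` table rather than the real schema, and SQLite rather than the poster's database, so `sleep()` is simply an unknown function there. It contrasts the bound-parameter query with a deliberately concatenated one: the bound version treats the scanner's payload as an ordinary string that matches nothing, while the concatenated version hands it to the SQL parser, which is where the error and any timing effect would come from. It also shows the one thing binding does not cover for `LIKE`: a user-supplied `%` or `_` still acts as a wildcard unless escaped, which `escape_like` and the `ESCAPE` clause handle.

```python
import sqlite3

# Constructed sample rows standing in for the post's `archive` table
# (reduced to the two columns that the LIKE filters touch).
ROWS = [
    ("4105_A", "LTE"),
    ("4105_B", "GSM"),
    ("4200_C", "LTE"),
]

# The payload the scanner submitted in sSearch_3, copied from the post.
PAYLOAD = "'+(select*from(select(sleep(20)))a)+'"


def make_db():
    """In-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE archive (mrbts TEXT, technology TEXT)")
    conn.executemany("INSERT INTO archive VALUES (?, ?)", ROWS)
    return conn


def search_bound(conn, mrbts_filter, tech_filter):
    """Same pattern as the post's JDBC code: '?' placeholders in the SQL text,
    wildcards prepended/appended to the value at bind time."""
    sql = ("SELECT mrbts, technology FROM archive "
           "WHERE UPPER(mrbts) LIKE UPPER(?) AND ((UPPER(technology) LIKE UPPER(?)))")
    params = ("%" + mrbts_filter + "%", "%" + tech_filter + "%")
    return conn.execute(sql, params).fetchall()


def search_concat(conn, mrbts_filter, tech_filter):
    """Unsafe contrast: the filter values are spliced into the SQL string.
    Returns (rows, None) on success, or (None, error_message) when the
    database rejects the statement because the value was parsed as SQL."""
    sql = ("SELECT mrbts, technology FROM archive "
           f"WHERE UPPER(mrbts) LIKE UPPER('%{mrbts_filter}%') "
           f"AND ((UPPER(technology) LIKE UPPER('%{tech_filter}%')))")
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.OperationalError as exc:
        return None, str(exc)


def escape_like(value, esc="\\"):
    """Make a user string match literally inside a LIKE pattern: '%' and '_'
    are wildcards in LIKE even when the value arrives as a bound parameter."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_bound_literal(conn, mrbts_filter, tech_filter):
    """Bound parameters plus an ESCAPE clause, so the filter text is matched
    literally and only the surrounding '%' added here act as wildcards."""
    sql = ("SELECT mrbts, technology FROM archive "
           "WHERE UPPER(mrbts) LIKE UPPER(?) ESCAPE '\\' "
           "AND ((UPPER(technology) LIKE UPPER(?) ESCAPE '\\'))")
    params = ("%" + escape_like(mrbts_filter) + "%",
              "%" + escape_like(tech_filter) + "%")
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("bound, normal filter :", search_bound(db, "4105", "lte"))
    print("bound, payload       :", search_bound(db, "4105", PAYLOAD))
    print("concat, payload      :", search_concat(db, "4105", PAYLOAD))
    print("concat, lone quote   :", search_concat(db, "4105", "'"))
    print("bound, '%' filter    :", search_bound(db, "%", ""))
    print("literal, '%' filter  :", search_bound_literal(db, "%", ""))
```

With the payload bound, `search_bound` returns no rows and raises no error, which is the behaviour a prepared statement is supposed to give. `search_concat` with the same payload fails at statement preparation (SQLite reports the unknown `sleep` function; a database that does have `sleep()` would instead pause), and a lone `'` fails with a syntax error. `search_bound("%", ...)` returns every row because the bare `%` is a wildcard, whereas `search_bound_literal` returns none, which is the fix for filters that must match the user's text verbatim.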