Java SQL Inject
JDBC SQL Inject
JDBC 原生查询如果没有经过预编译,而是直接进行 SQL 语句的拼接,这时过滤不严格则会产生 SQL 注入问题,比如下面代码就是一个带有 SQL 注入漏洞的 Demo
Class.forName("com.mysql.cj.jdbc.Driver");
Connection conn = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/security?characterEncoding=utf8&useSSL=false&serverTimezone=UTC", "root", "123456");
String sql = "select * from users where id = '"+id+"'";
resp.getWriter().write("The SQL statement:" + sql + "\n");
Statement statement = conn.createStatement();
ResultSet resultSet = statement.executeQuery(sql);
预编译修复
Class.forName("com.mysql.cj.jdbc.Driver");
Connection conn = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/security?characterEncoding=utf8&useSSL=false&serverTimezone=UTC", "root", "123456");
String sql = "select * from users where id = ?";
PreparedStatement preparedStatement = conn.prepareStatement(sql);
preparedStatement.setString(1,id);
ResultSet resultSet = preparedStatement.executeQuery();
Mybatis SQL Inject
Mybatis 执行SQL语句也有预编译和直接拼接两种方法,如果直接拼接SQL语句且过滤不严格则会产生SQL注入问题,比如下面一个查询语句,使用了 ${} 直接拼接值
<select id="selectUserByName" resultType="com.mybatis.pojo.User">
SELECT * FROM Users WHERE username = '${username}'
</select>
使用 #{} 进行预编译则可以有效防御 SQL 注入问题
<select id="selectUserByName" resultType="com.mybatis.pojo.User">
SELECT * FROM Users WHERE username = '#{username}'
</select>
LIKE Query
对于 Like 查询,直接预编译则程序会抛出异常
<select id="selectUserByLikeName" resultType="com.mybatis.pojo.User">
SELECT * FROM Users WHERE username like '%#{username}#'
</select>
如果开发人员为了防止报错而改为直接取值且没有足够过滤则产生SQL注入问题
<select id="selectUserByLikeName" resultType="com.mybatis.pojo.User">
SELECT * FROM Users WHERE username like '%${username}%'
</select>
直接预编译会报错,那么就使用 concat 连接预编译,既不会抛出异常也防御了SQL注入
<select id="selectUserByLikeNameRepair" resultType="com.mybatis.pojo.User">
SELECT * FROM Users WHERE username like concat('%',#{username},'%')
</select>
IN/ORDER BY Query
同理,IN/ORDER BY 查询直接预编译也会使得程序抛出异常,如果开发人员改为直接拼接的方式构造SQL语句且没有足够过滤则会产生SQL注入
JavaWeb Inject Demo :https://github.com/ky0103/JavaSecurityDemo/tree/main/SQLInject
需要把 Myabtis/JDBC 依赖加入到 WEB-INF/lib 目录下
Java XSS
在 Java 中 XSS 的产生一般是在 Servlet 中获取到参数值,然后设置到 request 属性中,在 jsp 文件中就可以直接引用 request 中的值了,而如果没有对参数值进行过滤,那么就可能产生 XXS 问题。如下代码就没有进行过滤就设置属性值了
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String username = req.getParameter("username");
req.setAttribute("username",username);
req.getRequestDispatcher("/index.jsp").forward(req,resp);
}
XSS 防御可以利用 ESAPI
ESAPI(Enterprise Security API)是一个免费开源的Web应用程序API,目的帮助开发者开发出更加安全的代码,并且它本身就很方便调用。
依赖
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.2.1.1</version>
</dependency>
在存储值到 request 中前用 ESAPI 进行过滤操作
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String username = req.getParameter("username");
ESAPI.encoder().encodeForJavaScript(username);
req.setAttribute("username",username);
req.getRequestDispatcher("/index.jsp").forward(req,resp);
}
JavaWeb Inject Demo :https://github.com/ky0103/JavaSecurityDemo/tree/main/XSS
需要把 ESAPI 依赖加入到 WEB-INF/lib 目录下
Java SSRF
HttpURLConnection 类的 SSRF 只支持 HTTP/HTTPS 协议,不支持 file 等协议
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String url = req.getParameter("url");
if (url != null){
URL url1 = new URL(url);
String htmlContent;
URLConnection urlConnection = url1.openConnection();
HttpURLConnection httpURLConnection = (HttpURLConnection)urlConnection;
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(httpURLConnection.getInputStream()));
StringBuffer html = new StringBuffer();
while ((htmlContent = bufferedReader.readLine()) != null){
html.append(htmlContent);
}
bufferedReader.close();
resp.getWriter().println(html);
}else {
resp.getWriter().write("?url");
}
}
URLConnection 支持 HTTP/HTTPS/file 等协议
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String url = req.getParameter("url");
if (url != null){
URL url1 = new URL(url);
String htmlContent;
URLConnection urlConnection = url1.openConnection();
BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));
StringBuffer html = new StringBuffer();
while ((htmlContent = bufferedReader.readLine()) != null){
html.append(htmlContent);
}
bufferedReader.close();
resp.getWriter().println(html);
}else {
resp.getWriter().write("?url");
}
}
SSRF 下的文件下载,其实就是把响应头修改一下而已
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String fileName = "secret.txt";
resp.setHeader("content-disposition","attachment;fileName="+fileName);
String url = req.getParameter("url");
int length;
URL u = new URL(url);
InputStream inputStream = u.openStream();
byte[] bytes = new byte[1024];
while ((length = (inputStream.read(bytes))) > 0){
resp.getOutputStream().write(bytes,0,length);
}
}
SSRF 下对文件的读取,无法读取非图片类文件,但是可以探测文件是否存在
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String url = req.getParameter("url");
URL u = new URL(url);
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
InputStream inputStream1 = u.openStream();
ImageInputStream imageInputStream = ImageIO.createImageInputStream(inputStream1);
BufferedImage read = ImageIO.read(imageInputStream);
ImageIO.write(read,"png",byteArrayOutputStream);
InputStream inputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
int length;
byte[] bytes = new byte[1024];
while ((length = (inputStream.read(bytes))) > 0){
resp.getOutputStream().write(bytes,0,length);
}
}
JavaWeb SSRF Demo :https://github.com/ky0103/JavaSecurityDemo/tree/main/XSS