1. From HTTP request to database query: how does the vulnerability arise?
Dangerous parameter concatenation: the classic Servlet mistake
Reproducing the vulnerable code:
```java
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    String category = request.getParameter("category");
    // Vulnerable: the request parameter is spliced directly into the SQL text
    String sql = "SELECT * FROM products WHERE category='" + category + "'";
    try (Connection conn = dataSource.getConnection();
         Statement stmt = conn.createStatement();
         ResultSet rs = stmt.executeQuery(sql)) {
        // process the result set
    } catch (SQLException e) {
        throw new ServletException(e);
    }
}
```
Vulnerability analysis:
- Attack entry point: the URL parameter is read straight from HttpServletRequest without any validation
- SQL concatenation: the user input is appended directly into the SQL statement
- Attack example: when `category=electronics' OR 1=1 --` is supplied, the SQL actually executed becomes `SELECT * FROM products WHERE category='electronics' OR 1=1 -- '`, where `--` comments out the trailing quote
- Impact: the query returns every product row, leaking data the caller was not meant to see
The correct way to use prepared statements
Fix code:
```java
private static final String SAFE_SQL = "SELECT * FROM products WHERE category=?";

public List<Product> getProducts(String category)
```
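To make the difference between the two query shapes above observable without a servlet container or JDBC driver, here is an added example (not part of the original article) that reproduces both the concatenated query and the `category=?` placeholder query in Python against an in-memory SQLite table. The `products` rows are constructed sample data, and the payload is the one quoted in the analysis above; the functions return row counts so the effect of the payload can be checked directly.

```python
"""Constructed demonstration: SQL built by string concatenation versus a bound parameter."""
import sqlite3

# Constructed sample data standing in for the article's products table.
SAMPLE_PRODUCTS = [
    (1, "Laptop", "electronics"),
    (2, "Phone", "electronics"),
    (3, "Novel", "books"),
    (4, "Jacket", "clothing"),
]

# The injection payload quoted in the article.
PAYLOAD = "electronics' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database populated with the sample products."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def query_concatenated(conn: sqlite3.Connection, category: str) -> list:
    """Vulnerable form, mirroring the Servlet's doGet: input spliced into the SQL text."""
    sql = "SELECT * FROM products WHERE category='" + category + "'"
    return conn.execute(sql).fetchall()


def query_parameterized(conn: sqlite3.Connection, category: str) -> list:
    """Fixed form, mirroring SAFE_SQL: the statement text is constant and the
    value is handed to the driver as a bound parameter, so quotes and comment
    markers inside it are just characters of the compared string."""
    sql = "SELECT * FROM products WHERE category=?"
    return conn.execute(sql, (category,)).fetchall()


def compare(category: str) -> dict:
    """Run both forms against a fresh database and report how many rows each returns."""
    conn = make_db()
    try:
        return {
            "concatenated": len(query_concatenated(conn, category)),
            "parameterized": len(query_parameterized(conn, category)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print("benign input:", compare("electronics"))  # both forms return the 2 electronics rows
    print("payload:", compare(PAYLOAD))              # concatenated leaks all 4 rows, parameterized returns 0
```

With a benign category both forms return the same two rows. With the payload, the concatenated query's WHERE clause collapses to `OR 1=1` and the trailing quote is commented out, so all four rows come back; the parameterized query looks for a category literally named `electronics' OR 1=1 --`, finds none, and returns nothing. The same holds for JDBC's `PreparedStatement.setString`, which is what the `SAFE_SQL` fix relies on.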