网页sql注入大全(sql注入简单例子)

2种SQL注入演示，不知道密码也可以登录

-- 正常登录
select * from login1 where username ='zhangsan'and password = '123'
-- 用户名任意，密码输入: ' or '1'='1
select * FROM login1 where username = 'xyz' and password = '' or '1'='1'
-- 用户名zhangsan已知的情况下，用户名输入: zhangsan' -- (zhangsan' 空格--空格) 密码输入: 任意
select * from login1 where username ='zhangsan' -- ' and password = 'xxx'

登陆成功

或者


登陆成功

只修改dao层实现就可以,try代码有问题的话会不执行，直接catch了，数据库url错误之类的。

IUserDao2.java

package com.heima.dao;

import com.heima.pojo.Client;

import java.util.List;

public interface IUserDao2 {
    List findClient(String userName, String password);
}

UserDaoImpl2.java

package com.heima.dao.impl;

import com.heima.dao.IUserDao2;
import com.heima.pojo.Client;

import java.sql.*;
import java.util.ArrayList;
import java.util.List;

public class UserDaoImpl2 implements IUserDao2 {
    @Override
    public List findClient(String userName, String password1) {
        //用占位符防止sql注入的写法
        // String sql = "select * from login1 where userName = ? and password = ?";
        // List clientList = jdbcTemplate.query(sql, new BeanPropertyRowMapper<>(Client.class), userName, password);
        // return clientList;
        List clientList = new ArrayList<>();
        //错误写法，add()的空指针异常，无法添加list，直接catch了
        //List clientList = null;
        Connection con = null;
        Statement st = null;
        ResultSet rs = null;
        try {
            Class.forName("com.mysql.jdbc.Driver");
            con = DriverManager.getConnection("jdbc:mysql://localhost:3306/user_manager","root","root");
            st = con.createStatement();
            String sql = "select * from login1 where username ='" + userName + "'and password = '" + password1 + "'";
            System.out.println("sql = " + sql);
            rs = st.executeQuery(sql);
            while (rs.next()) {
                String username = rs.getString("username");
                String password = rs.getString("password");
                Client client = new Client();
                client.setUserName(username);
                client.setPassword(password);
                clientList.add(client);
                System.out.println("client = " + client);
            }

        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            try {
                if (rs != null) {
                    rs.close();
                }
            } catch (SQLException e) {
                e.printStackTrace();
            }
            try {
                if (st != null) {
                    st.close();
                }
            } catch (SQLException e) {
                e.printStackTrace();
            }
            try {
                if (con != null) {
                    con.close();
                }
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }
        return clientList;
    }
}

Client.java

package com.heima.pojo;

public class Client {
    private int id;
    private String userName;
    private String password;


    public int getId() {
        return id;
    }

    public void setId(int id) {
        this.id = id;
    }

    public String getUserName() {
        return userName;
    }

    public void setUserName(String userName) {
        this.userName = userName;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }
}

LoginServlet.java

package com.heima.web;

import com.heima.pojo.Client;
import com.heima.service.IUserService;
import com.heima.service.impl.UserServiceImpl;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;

@WebServlet(urlPatterns = "/loginServlet")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        doPost(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        //0.处理post请求数据乱码
        request.setCharacterEncoding("UTF-8");
        String userName = request.getParameter("userName");
        String password = request.getParameter("password");
        IUserService userService = new UserServiceImpl();
        List clientList = userService.findClient(userName, password);
        //3.给浏览器生成响应信息
        //如果能查到数据
        if (clientList!=null&&clientList.size()>0){
            //跳转到success.html
            request.getRequestDispatcher("/success.jsp").forward(request,response);
        }else{
            //没有查到数据    跳转到error.jsp
            request.getRequestDispatcher("/error.jsp").forward(request,response);
        }
    }
}

login.html

    
    
    
    

    
    
    
    



    

        

            
登录页面
            
            
            登录
        
    

注入删表命令，没成功，有语法错误

select * from login1 where username = 'x' and password = 'y';delete from login1 where '1'='1'

rs = st.executeQuery(sql);
可能是java执行sql时候语句出错
在navicat中是可以执行的