1. From HTTP request to database query: how does the vulnerability arise?
Dangerous parameter concatenation: a classic Servlet mistake
Reproducing the vulnerable code:
// dataSource is a javax.sql.DataSource field initialised elsewhere in the servlet
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // Attack entry point: the URL parameter is read without any validation
    String category = request.getParameter("category");
    // Vulnerable: user input is concatenated straight into the SQL text
    String sql = "SELECT * FROM products WHERE category='" + category + "'";
    try (Connection conn = dataSource.getConnection();
         Statement stmt = conn.createStatement();
         ResultSet rs = stmt.executeQuery(sql)) {
        // process the result set
    } catch (SQLException e) {
        throw new ServletException(e);
    }
}
Vulnerability analysis:
- Attack entry point: the URL parameter is taken directly from HttpServletRequest without any filtering
- SQL concatenation: the user input is spliced directly into the SQL statement
- Attack example: when category=electronics' OR 1=1 -- is passed in, the SQL that actually executes becomes: SELECT * FROM products WHERE category='electronics' OR 1=1 -- '
- Impact: every product row is returned, causing information disclosure
Using prepared statements correctly
Fixed code:
private static final String SAFE_SQL = "SELECT * FROM products WHERE category=?";

public List<Product> getProducts(String category) throws SQLException {
    List<Product> products = new ArrayList<>();
    try (Connection conn = dataSource.getConnection();
         PreparedStatement stmt = conn.prepareStatement(SAFE_SQL)) {
        // The SQL text is fixed when the statement is prepared; the input is
        // bound as a value, so a quote or "--" inside it cannot alter the query
        stmt.setString(1, category);
        try (ResultSet rs = stmt.executeQuery()) {
            while (rs.next()) {
                products.add(mapRow(rs)); // mapRow: row-to-Product mapper, assumed to exist elsewhere
            }
        }
    }
    return products;
}