HttpServlet - help me to make 'SQL injection' - buggy code inside [message #612031] |
Fri, 11 April 2014 03:02 |
|
rc3d
Messages: 213 Registered: September 2013 Location: Baden-Württemberg
|
Senior Member |
|
|
Hi
I coded a small Servlet in Java. According to my understanding an SQL injection is possible. Backend is Oracle 10g. What input on web site I need to give, to make SQL injection?
package com.ldap;
import java.io.*;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import java.sql.*;
@SuppressWarnings("serial")
public class ldapCheckRole extends HttpServlet {
Connection Quelle;
Statement Abfrage;
Statement Abfrage2;
ResultSet Ergebnis;
ResultSet Ergebnis2;
public ldapCheckRole() {
}
public void init(ServletConfig config) throws ServletException {
super.init(config);
}
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String user_id = "";
String firstname = "";
String lastname = "";
String department = "";
String mailbox_id = "";
String description = "";
response.setContentType("text/html");
PrintWriter out = response.getWriter();
try {
System.out.println("GetRequest------------------------>");
user_id = request.getParameter("user_id");
user_id = user_id.toUpperCase();
System.out.println("GetRequest xxxx------------------------>"
+ user_id);
} catch (Exception e) {
e.printStackTrace();
}
try {
Connection conn = null;
String driver = "oracle.jdbc.OracleDriver";
System.out.println("Connect DB------------------------>");
Class.forName(driver);
String url = "jdbc:oracle:thin:@" + "ompora.local.net:1521:IIQ5";
conn = DriverManager.getConnection(url, "identityiq", "qm8lbGmOOBQYZUzILhyi");
Abfrage = conn.createStatement();
System.out.println("Connect DB USER_JC------------------------>"
+ user_id);
String SQLString = "SELECT ROLLEN.user_id, ROLLEN.jc_name, PROFILES.description FROM user_jc ROLLEN INNER JOIN job_code PROFILES ON ROLLEN.JC_NAME = PROFILES.JC_NAME WHERE ROLLEN.jc_name LIKE '%ldap%' AND ROLLEN.user_id ='"
+ user_id + "'";
Ergebnis = Abfrage.executeQuery(SQLString);
Abfrage2 = conn.createStatement();
System.out.println("Connect DB ENT_USER------------------------>"
+ user_id);
String SQLString2 = "SELECT user_id,firstname, lastname, department, mailbox_id from uam_ent_user where user_id='"
+ user_id + "'";
Ergebnis2 = Abfrage2.executeQuery(SQLString2);
out.println("<html><head><title>Servlet1</title></head><font face=Arial color=black</font><body>");
out.println("<TABLE border=0 frame=void>");
out.println("<tr bgcolor=#BDBDBD><td>USER_ID</td><td>Rollenname</td><td>Beschreibung</td></tr>");
while (Ergebnis.next()) {
user_id = Ergebnis.getString("user_id");
String jc_name = Ergebnis.getString("jc_name");
jc_name = Ergebnis.getString("jc_name");
description = Ergebnis.getString("description");
out.println("<tr><td>" + user_id + "</td><td>" + jc_name
+ "</td><td>" + description + "</td><td>");
}
out.println("</table>");
Ergebnis.close();
while (Ergebnis2.next()) {
user_id = Ergebnis2.getString("user_id");
firstname = Ergebnis2.getString("firstname");
lastname = Ergebnis2.getString("lastname");
department = Ergebnis2.getString("department");
mailbox_id = Ergebnis2.getString("mailbox_id");
out.println(" ");
out.println("<div style=\"color:#000000\"><p><i>Username: "
+ user_id + ", Vorname: " + firstname + ", Nachname: "
+ lastname + ", eMail: " + mailbox_id + ", Abteilung: "
+ department + "</i></p></div>");
}
Ergebnis2.close();
out.println("</body></html>");
} catch (Exception ne) {
System.out.println((new StringBuilder("error code:")).append(
ne.toString()).toString());
out.println("<hr />");
out.println("<p style=\"background-color:#FF0000\">Request Webserver not ok </p>");
out.println((new StringBuilder(
"<p style=\"background-color:#FF0000\">"))
.append(ne.toString()).append("</p>").toString());
out.println("<hr />");
System.out.println("ended NOT OK !!");
}
}
}
Tl;dr only SQL part:
String SQLString = "SELECT ROLLEN.user_id, ROLLEN.jc_name, PROFILES.description FROM user_jc ROLLEN INNER JOIN job_code PROFILES ON ROLLEN.JC_NAME = PROFILES.JC_NAME WHERE ROLLEN.jc_name LIKE '%ldap%' AND ROLLEN.user_id ='"
+ user_id + "'";
Ergebnis = Abfrage.executeQuery(SQLString);
Input is User_ID on web front end.
[Updated on: Fri, 11 April 2014 03:07] Report message to a moderator
|
|
|
|
|
|
|