JDBC - Statement Injection

Other topics

Statement & SQL Injection evil

Note in this example we will use PostgreSQL DBMS, but you can use any DBMS

We will use a database bd_test witch contain a Schema: sch_test and two tables users and test :

CREATE TABLE sch_test.users
(
  id serial NOT NULL,
  username character varying,
  password character varying,
  CONSTRAINT utilisateur_pkey PRIMARY KEY (id)
) 

CREATE TABLE sch_test.test
(
  id serial NOT NULL,
  "column" character varying
)

Simple login using Statement

static String DRIVER = "org.postgresql.Driver";
static String DB_USERNAME = "postgres";
static String DB_PASSWOR = "admin";
static String DB_URL = "jdbc:postgresql://localhost:5432/bd_test";

public static void sqlInjection() {
    try {
        Class.forName(DRIVER);
        Connection connection = DriverManager.getConnection(DB_URL, DB_USERNAME, DB_PASSWOR);
        Statement statement = connection.createStatement();
        String username = "admin";
        String password = "admin";
        String query = "SELECT * FROM sch_test.users where username = '" 
                + username + "' and password = '" + password + "'";

        ResultSet result = statement.executeQuery(query);

        if (result.next()) {
            System.out.println("id = " + result.getInt("id") + " | username = "
                    + result.getString("username") + " | password = " + result.getString("password"));
        }else{
           System.out.println("Login not correct");
        }

    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}

Until now every thing is normal and secure.

Login with fake username and password

The hacker or the tester can simply login or list all your users using this :

String username = " ' or ''='";
String password = " ' or ''='";

INSERT a new user

You can insert data in your table using :

String username = "'; INSERT INTO sch_test.utilisateur(id, username, password) 
                        VALUES (2, 'hack1', 'hack2');--";
String password = "any";

DELETE All users

consider the hacker know the schema of your database so he can delete all your user

String username = "'; DELETE FROM sch_test.utilisateur WHERE id>0;--";
String password = "any";

DROP Table users

The hacker can also delete your table

String username = "'; drop table sch_test.table2;--";
String password = "any";

DROP DATABASE

The worst is to drop the database

String username = "'; DROP DATABASE bd_test;--";
String password = "any";

and there are many others.

Why all this?

All this because Statement is not secure enough it execute the query like is it, for that it is recommend to use PreparedStatement instead, it is more secure that Statement.

You can find here more details PreparedStatement

Contributors

Topic Id: 9238

Example Ids: 28671

This site is not affiliated with any of the contributors.

Content on the page is taken from Stack Overflow Documentation

This site is NOT affiliated with Stack Overflow or any of the contributors. | Privacy Policy | Terms of Service