{"id":3709,"date":"2012-11-27T22:00:10","date_gmt":"2012-11-27T20:00:10","guid":{"rendered":"http:\/\/www.javacodegeeks.com\/?p=3709"},"modified":"2012-11-27T23:18:55","modified_gmt":"2012-11-27T21:18:55","slug":"sql-injection-in-java-application","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/2012\/11\/sql-injection-in-java-application.html","title":{"rendered":"SQL Injection in Java Application"},"content":{"rendered":"

In this post we will discuss what is an SQL Injection<\/a> attack. and how its may affect\u00a0any web application its use the back end database. Here i concentrate on java web application. Open Web Application Security Project(OWAP)<\/a> listed that SQL Injection is the top vulnerability attack for web application. Hacker’s Inject the SQL code in web request to the web application and take the control of back end database, even that back end database is not directly connected to Internet. And we will see how to solve and prevent the SQL Injection in java Web Application.<\/p>\n

For this purpose we need 1 tools. these tool are completely open source.\u00a0SQL Map – SqlMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL Injection. we can get it from here<\/a>.<\/p>\n

SQLInjection<\/span><\/p>\n

SQL injection is the technique to extract the database information through web application.
\nScenario:<\/p>\n

We have one database server [MySQL] and web application server [Tomcat]. consider that database server is not connected to internet. but its connected with application server. Now we will see using web application how to extract the information using sql-injection method.<\/em><\/p>\n

Before see the sql-injection, we create small web application. It contain single jsp page like this<\/p>\n

<form action='userCheck'>\r\n\r\n<input type='text' name='user' value=''\/>\r\n\r\n<input type='submit' value='Submit'\/>\r\n\r\n<\/form>\r\n<\/pre>\n
In userCheck Servlet receives the user input field and connect to databse server and fire the sql query based on user input and receive the ResultSet and iterate it print into the web page.
\nuserCheck servlet<\/span><\/p>\n
protected void processRequest(HttpServletRequest request, HttpServletResponse response)throws ServletException, IOException {\r\n        response.setContentType('text\/html;charset=UTF-8');\r\n        PrintWriter out = response.getWriter();\r\n        try {\r\n\r\n            String user = request.getParameter('user');\r\n            Connection conn = null;\r\n            String url = 'jdbc:mysql:\/\/192.168.2.128:3306\/';\r\n            String dbName = 'anvayaV2';\r\n            String driver = 'com.mysql.jdbc.Driver';\r\n            String userName = 'root';\r\n            String password = '';\r\n            try {\r\n                Class.forName(driver).newInstance();\r\n                conn = DriverManager.getConnection(url + dbName, userName, password);\r\n\r\n                Statement st = conn.createStatement();\r\n                String query = 'SELECT * FROM  User where userId='' + user + ''';\r\n                out.println('Query : ' + query);\r\n                System.out.printf(query);\r\n                ResultSet res = st.executeQuery(query);\r\n\r\n                out.println('Results');\r\n                while (res.next()) {\r\n                    String s = res.getString('username');\r\n                    out.println('\\t\\t' + s);\r\n                }\r\n                conn.close();\r\n\r\n            } catch (Exception e) {\r\n                e.printStackTrace();\r\n            }\r\n        } finally {\r\n            out.close();\r\n        }<\/pre>\n
When we execute the above code. In normal input execution look like follows
 
<\/div> <\/div><\/p>\n
\"\"<\/a><\/p>\n
When we give the normal value like ‘ramki’ then click the submit button then output like this<\/p>\n
\"\"<\/a><\/p>\n
Its perfectly correct in normal behaviour. What happens when I put some special character or some sql statement in input box like this<\/p>\n
\"\"<\/a><\/p>\n
when we click the submit button then it show all rows in my table like this<\/p>\n
\"\"<\/a><\/p>\n
It is a big security breach in my application. what happened… is one kind of sql injection.<\/p>\n
Let’s see what happened.<\/p>\n
When I enter normal value in input box my servlet receives and substitute in the sql query and execute it.<\/p>\n
SELECT * FROM User where userId='ramki'<\/pre>\n
it’s correct and we got correct output.<\/p>\n
What happens when I put sdfssd’ or ‘1’=’1<\/p>\n
SELECT * FROM User where userId =’sdfssd’ or ‘1’=’1<\/span>‘<\/p>\n
its means<\/p>\n
SELECT * FROM User where userId ='sdfssd' or '1'='1'<\/pre>\n
like this. So our query is altered. now new query have 2 condition. 2nd condition always true. 1st condition may be or may not be true. but these 2 condition are connected with or logic. So where clause always true for all rows. the result is they bring all rows from our tables.<\/p>\n
This is called blind sql injection. If u want more details of sql injection the check here<\/p>\n