jdbc

JDBC - Statement Injection

Introduction#

SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

In this section we will talk about that and its relation with JDBC Statement.

Statement & SQL Injection evil

Note in this example we will use PostgreSQL DBMS, but you can use any DBMS

We will use a database bd_test witch contain a Schema: sch_test and two tables users and test :

CREATE TABLE sch_test.users
(
  id serial NOT NULL,
  username character varying,
  password character varying,
  CONSTRAINT utilisateur_pkey PRIMARY KEY (id)
) 

CREATE TABLE sch_test.test
(
  id serial NOT NULL,
  "column" character varying
)

Simple login using Statement

static String DRIVER = "org.postgresql.Driver";
static String DB_USERNAME = "postgres";
static String DB_PASSWOR = "admin";
static String DB_URL = "jdbc:postgresql://localhost:5432/bd_test";

public static void sqlInjection() {
    try {
        Class.forName(DRIVER);
        Connection connection = DriverManager.getConnection(DB_URL, DB_USERNAME, DB_PASSWOR);
        Statement statement = connection.createStatement();
        String username = "admin";
        String password = "admin";
        String query = "SELECT * FROM sch_test.users where username = '" 
                + username + "' and password = '" + password + "'";

        ResultSet result = statement.executeQuery(query);

        if (result.next()) {
            System.out.println("id = " + result.getInt("id") + " | username = "
                    + result.getString("username") + " | password = " + result.getString("password"));
        }else{
           System.out.println("Login not correct");
        }

    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}

Until now every thing is normal and secure.

Login with fake username and password

The hacker or the tester can simply login or list all your users using this :

String username = " ' or ''='";
String password = " ' or ''='";

INSERT a new user

You can insert data in your table using :

String username = "'; INSERT INTO sch_test.utilisateur(id, username, password) 
                        VALUES (2, 'hack1', 'hack2');--";
String password = "any";

DELETE All users

consider the hacker know the schema of your database so he can delete all your user

String username = "'; DELETE FROM sch_test.utilisateur WHERE id>0;--";
String password = "any"; 

DROP Table users

The hacker can also delete your table

String username = "'; drop table sch_test.table2;--";
String password = "any";

DROP DATABASE

The worst is to drop the database

String username = "'; DROP DATABASE bd_test;--";
String password = "any";

and there are many others.

Why all this?

All this because Statement is not secure enough it execute the query like is it, for that it is recommend to use PreparedStatement instead, it is more secure that Statement.

You can find here more details https://stackoverflow.com/documentation/jdbc/2939/preparedstatement#t=201702251258180739518


This modified text is an extract of the original Stack Overflow Documentation created by the contributors and released under CC BY-SA 3.0 This website is not affiliated with Stack Overflow