hunt.database.Statement存在识别参数错误和SQL注入风险 #48
Comments
|
We will do more tests about this. Thanks. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
问题方法:private string sql(SqlConnection conn)
重现代码:
auto db = new Database("mysql://root:root@localhost:3306/asp?charset=utf8mb4");
auto conn = db.getConnection();
Statement stmt = db.prepare(conn, "SELECT * FROM sys_user where Name = :username ");
//下面一行会发生错误:username后缺少空格会导致参数无法被替换导致SQL错误
//Statement stmt = db.prepare(conn, "SELECT * FROM sys_user where Name = :username");
// 这里可以直接注入成功,说明字符串是直接拼接的
stmt.setParameter("username", "' OR ''='");
RowSet rs = stmt.query();
foreach (row; rs)
{
writeln(row["Name"]);
}
conn.close();
db.close();
readln();
结果:输出了所有数据
The text was updated successfully, but these errors were encountered: