HttpServlet - help me to make 'SQL injection' - buggy code inside [message #612031] Fri, 11 April 2014 03:02
rc3d
Messages: 171
Registered: September 2013
Location: Baden-Württemberg
Senior Member
Hi

I coded a small Servlet in Java. According to my understanding an SQL injection is possible. The backend is Oracle 10g. What input do I need to give on the web site to make an SQL injection?

package com.ldap;

import java.io.*;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import java.sql.*;

@SuppressWarnings("serial")
public class ldapCheckRole extends HttpServlet {

	public ldapCheckRole() {
	}

	public void init(ServletConfig config) throws ServletException {
		super.init(config);
	}

	public void doGet(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {
		String user_id = "";
		String firstname = "";
		String lastname = "";
		String department = "";
		String mailbox_id = "";
		String description = "";

		response.setContentType("text/html");
		PrintWriter out = response.getWriter();

		// Request parameter exactly as typed by the user. A missing parameter
		// is treated as empty instead of throwing a NullPointerException in
		// toUpperCase().
		System.out.println("GetRequest------------------------>");
		user_id = request.getParameter("user_id");
		if (user_id == null) {
			user_id = "";
		}
		user_id = user_id.toUpperCase();
		System.out.println("GetRequest xxxx------------------------>" + user_id);

		// JDBC resources are locals, not fields: one servlet instance serves
		// many requests at the same time, so shared fields would be
		// overwritten by concurrent requests.
		Connection conn = null;
		Statement Abfrage = null;
		Statement Abfrage2 = null;
		ResultSet Ergebnis = null;
		ResultSet Ergebnis2 = null;

		try {
			String driver = "oracle.jdbc.OracleDriver";
			System.out.println("Connect DB------------------------>");
			Class.forName(driver);

			String url = "jdbc:oracle:thin:@" + "ompora.local.net:1521:IIQ5";
			conn = DriverManager.getConnection(url, "identityiq", "qm8lbGmOOBQYZUzILhyi");

			Abfrage = conn.createStatement();
			System.out.println("Connect DB USER_JC------------------------>" + user_id);

			// user_id is concatenated straight into the SQL text. This is the
			// injection point the thread is about; a PreparedStatement with a
			// bind variable would make the input plain data instead of SQL.
			String SQLString = "SELECT ROLLEN.user_id, ROLLEN.jc_name, PROFILES.description FROM user_jc ROLLEN INNER JOIN job_code PROFILES ON ROLLEN.JC_NAME = PROFILES.JC_NAME WHERE ROLLEN.jc_name LIKE '%ldap%' AND ROLLEN.user_id ='"
					+ user_id + "'";
			Ergebnis = Abfrage.executeQuery(SQLString);

			Abfrage2 = conn.createStatement();
			System.out.println("Connect DB ENT_USER------------------------>" + user_id);
			// Same pattern, second injection point.
			String SQLString2 = "SELECT user_id,firstname, lastname, department, mailbox_id from uam_ent_user where user_id='"
					+ user_id + "'";
			Ergebnis2 = Abfrage2.executeQuery(SQLString2);

			out.println("<html><head><title>Servlet1</title></head><body style=\"font-family:Arial;color:black\">");
			out.println("<table border=0 frame=void>");
			out.println("<tr bgcolor=#BDBDBD><td>USER_ID</td><td>Rollenname</td><td>Beschreibung</td></tr>");

			while (Ergebnis.next()) {
				user_id = Ergebnis.getString("user_id");
				String jc_name = Ergebnis.getString("jc_name");
				description = Ergebnis.getString("description");

				// Each row is closed with </td></tr>; the original left a
				// dangling <td> at the end of every row.
				out.println("<tr><td>" + user_id + "</td><td>" + jc_name
						+ "</td><td>" + description + "</td></tr>");
			}

			out.println("</table>");

			while (Ergebnis2.next()) {
				user_id = Ergebnis2.getString("user_id");
				firstname = Ergebnis2.getString("firstname");
				lastname = Ergebnis2.getString("lastname");
				department = Ergebnis2.getString("department");
				mailbox_id = Ergebnis2.getString("mailbox_id");

				out.println("<div style=\"color:#000000\"><p><i>Username: "
						+ user_id + ", Vorname: " + firstname + ", Nachname: "
						+ lastname + ", eMail: " + mailbox_id + ", Abteilung: "
						+ department + "</i></p></div>");
			}

			out.println("</body></html>");

		} catch (Exception ne) {
			System.out.println("error code:" + ne.toString());
			out.println("<hr />");
			out.println("<p style=\"background-color:#FF0000\">Request Webserver not ok </p>");
			// Echoes the raw driver error message to the browser; that
			// detail belongs in the server log only.
			out.println("<p style=\"background-color:#FF0000\">" + ne.toString() + "</p>");
			out.println("<hr />");
			System.out.println("ended NOT OK !!");
		} finally {
			// Release everything in reverse order. The original never closed
			// the statements or the connection, leaking one of each per request.
			try { if (Ergebnis2 != null) Ergebnis2.close(); } catch (SQLException ignored) { }
			try { if (Ergebnis != null) Ergebnis.close(); } catch (SQLException ignored) { }
			try { if (Abfrage2 != null) Abfrage2.close(); } catch (SQLException ignored) { }
			try { if (Abfrage != null) Abfrage.close(); } catch (SQLException ignored) { }
			try { if (conn != null) conn.close(); } catch (SQLException ignored) { }
		}
	}
}


TL;DR, only the SQL part:

			String SQLString = "SELECT ROLLEN.user_id, ROLLEN.jc_name, PROFILES.description FROM user_jc ROLLEN INNER JOIN job_code PROFILES ON ROLLEN.JC_NAME = PROFILES.JC_NAME WHERE ROLLEN.jc_name LIKE '%ldap%' AND ROLLEN.user_id ='"
					+ user_id + "'";
			Ergebnis = Abfrage.executeQuery(SQLString);


Input is User_ID on web front end.

[Updated on: Fri, 11 April 2014 03:07]


Re: HttpServlet - help me to make 'SQL injection' - buggy code inside [message #612032 is a reply to message #612031] Fri, 11 April 2014 03:17
Michel Cadot
Messages: 58545
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

Yes, it is possible to SQL-inject your code. I will not put an example although it is quite simple.
You know it, so why don't you use bind variables instead?
And bind variables will also greatly improve the performance of your instance.

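The bind-variable version of the two lookups, as an added example (not rc3d's servlet and not code posted in this thread): the same SQL text as the original, with user_id as a `?` parameter set through `PreparedStatement.setString`, plus an allow-list check on the parameter before it reaches the database. The pattern for valid user IDs, the class and method names are assumptions; table and column names are the ones from the post.

```java
package com.ldap;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public final class RoleLookup {

	// Assumption: user IDs are short alphanumeric tokens. Anything else is
	// rejected before a query is even built.
	private static final Pattern USER_ID = Pattern.compile("[A-Z0-9._-]{1,32}");

	// Same statements as SQLString / SQLString2 in the servlet, but user_id
	// is a bind variable (?) instead of being concatenated into the SQL text.
	public static final String ROLE_SQL =
			"SELECT ROLLEN.user_id, ROLLEN.jc_name, PROFILES.description "
			+ "FROM user_jc ROLLEN INNER JOIN job_code PROFILES "
			+ "ON ROLLEN.JC_NAME = PROFILES.JC_NAME "
			+ "WHERE ROLLEN.jc_name LIKE '%ldap%' AND ROLLEN.user_id = ?";

	public static final String USER_SQL =
			"SELECT user_id, firstname, lastname, department, mailbox_id "
			+ "FROM uam_ent_user WHERE user_id = ?";

	/** Normalises the raw request parameter; returns null if it is rejected. */
	public static String normaliseUserId(String raw) {
		if (raw == null) return null;
		String id = raw.trim().toUpperCase();
		return USER_ID.matcher(id).matches() ? id : null;
	}

	/** Runs one of the statements above with user_id as its single bind variable. */
	public static List<String[]> lookup(Connection conn, String sql, String userId)
			throws SQLException {
		List<String[]> rows = new ArrayList<String[]>();
		try (PreparedStatement ps = conn.prepareStatement(sql)) {
			ps.setString(1, userId); // quotes or keywords in userId stay literal data
			try (ResultSet rs = ps.executeQuery()) {
				int cols = rs.getMetaData().getColumnCount();
				while (rs.next()) {
					String[] row = new String[cols];
					for (int i = 0; i < cols; i++) row[i] = rs.getString(i + 1);
					rows.add(row);
				}
			}
		}
		return rows;
	}
}
```

In doGet, call normaliseUserId on the request parameter, answer with HTTP 400 when it returns null, and otherwise pass the result to lookup once with ROLE_SQL and once with USER_SQL; the prepared text is also what lets Oracle reuse the cursor across requests, which is the performance gain Michel mentions.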
Re: HttpServlet - help me to make 'SQL injection' - buggy code inside [message #612033 is a reply to message #612032] Fri, 11 April 2014 03:42
rc3d
Messages: 171
Registered: September 2013
Location: Baden-Württemberg
Senior Member
Please help me with an example. The database user has only 'SELECT' privileges. I wish to learn; I tried so many injections and was never successful. It's 100% my code and behind a firewall.

Why don't I use bind variables? I am still learning; a few weeks ago I attended the Oracle 'Java Fundamentals' training. Version 0.0002 will be with bind variables.
Re: HttpServlet - help me to make 'SQL injection' - buggy code inside [message #612034 is a reply to message #612033] Fri, 11 April 2014 03:48
Michel Cadot
Messages: 58545
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator

Post what you have tried.
Just write your query and try to replace user_id by anything to change the query behaviour. Hint: you can have the whole table rows.
Note that bind variables are for any programming language.

Re: HttpServlet - help me to make 'SQL injection' - buggy code inside [message #612822 is a reply to message #612034] Fri, 25 April 2014 07:06
rc3d
Messages: 171
Registered: September 2013
Location: Baden-Württemberg
Senior Member
Please post working code. I tried months ago and don't remember what I did, so I will learn. Thank you.