HttpServlet - help me to make 'SQL injection' - buggy code inside [message #612031] Fri, 11 April 2014 03:02
rc3d
Messages: 213
Registered: September 2013
Location: Baden-Württemberg
Senior Member
Hi

I coded a small Servlet in Java. According to my understanding an SQL injection is possible. The backend is Oracle 10g. What input do I need to give on the web site to make an SQL injection?

package com.ldap;

import java.io.*;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import java.sql.*;

@SuppressWarnings("serial")
public class ldapCheckRole extends HttpServlet {
	Connection Quelle;
	Statement Abfrage;
	Statement Abfrage2;
	ResultSet Ergebnis;
	ResultSet Ergebnis2;

	public ldapCheckRole() {
	}

	public void init(ServletConfig config) throws ServletException {
		super.init(config);

	}

	public void doGet(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {
		String user_id = "";
		String firstname = "";
		String lastname = "";
		String department = "";
		String mailbox_id = "";
		String description = "";

		response.setContentType("text/html");
		PrintWriter out = response.getWriter();

		try {
			// user_id comes straight from the query string and is only upper-cased, never validated
			System.out.println("GetRequest------------------------>");
			user_id = request.getParameter("user_id");
			user_id = user_id.toUpperCase();
			System.out.println("GetRequest xxxx------------------------>"
					+ user_id);
		} catch (Exception e) {
			e.printStackTrace();
		}

		try {

			Connection conn = null;
			String driver = "oracle.jdbc.OracleDriver";

			System.out.println("Connect DB------------------------>");

			Class.forName(driver);

			String url = "jdbc:oracle:thin:@" + "ompora.local.net:1521:IIQ5";

			conn = DriverManager.getConnection(url, "identityiq", "qm8lbGmOOBQYZUzILhyi");

			Abfrage = conn.createStatement();
			System.out.println("Connect DB USER_JC------------------------>"
					+ user_id);

			// user_id is concatenated into the SQL text: this is the injectable statement
			String SQLString = "SELECT ROLLEN.user_id, ROLLEN.jc_name, PROFILES.description FROM user_jc ROLLEN INNER JOIN job_code PROFILES ON ROLLEN.JC_NAME = PROFILES.JC_NAME WHERE ROLLEN.jc_name LIKE '%ldap%' AND ROLLEN.user_id ='"
					+ user_id + "'";
			Ergebnis = Abfrage.executeQuery(SQLString);

			Abfrage2 = conn.createStatement();
			System.out.println("Connect DB ENT_USER------------------------>"
					+ user_id);
			// second statement built the same way from the same unvalidated parameter
			String SQLString2 = "SELECT user_id,firstname, lastname, department, mailbox_id from uam_ent_user where user_id='"
					+ user_id + "'";
			Ergebnis2 = Abfrage2.executeQuery(SQLString2);

			out.println("<html><head><title>Servlet1</title></head><body><font face=Arial color=black>");
			out.println("<TABLE border=0 frame=void>");
			out.println("<tr bgcolor=#BDBDBD><td>USER_ID</td><td>Rollenname</td><td>Beschreibung</td></tr>");

			while (Ergebnis.next()) {

				user_id = Ergebnis.getString("user_id");
				String jc_name = Ergebnis.getString("jc_name");
				description = Ergebnis.getString("description");

				out.println("<tr><td>" + user_id + "</td><td>" + jc_name
						+ "</td><td>" + description + "</td></tr>");

			}

			out.println("</table>");
			Ergebnis.close();

			while (Ergebnis2.next()) {
				user_id = Ergebnis2.getString("user_id");
				firstname = Ergebnis2.getString("firstname");
				lastname = Ergebnis2.getString("lastname");
				department = Ergebnis2.getString("department");
				mailbox_id = Ergebnis2.getString("mailbox_id");

				out.println(" ");
				out.println("<div style=\"color:#000000\"><p><i>Username: "
						+ user_id + ", Vorname: " + firstname + ", Nachname: "
						+ lastname + ", eMail: " + mailbox_id + ", Abteilung: "
						+ department + "</i></p></div>");

			}

			Ergebnis2.close();

			out.println("</font></body></html>");

		} catch (Exception ne) {
			// the exception text (including Oracle error messages) is written into the HTTP response
			System.out.println((new StringBuilder("error code:")).append(
					ne.toString()).toString());
			out.println("<hr />");
			out.println("<p style=\"background-color:#FF0000\">Request Webserver not ok </p>");
			out.println((new StringBuilder(
					"<p style=\"background-color:#FF0000\">"))
					.append(ne.toString()).append("</p>").toString());
			out.println("<hr />");
			System.out.println("ended NOT OK !!");
		}
	}
}


Tl;dr only SQL part:

			String SQLString = "SELECT ROLLEN.user_id, ROLLEN.jc_name, PROFILES.description FROM user_jc ROLLEN INNER JOIN job_code PROFILES ON ROLLEN.JC_NAME = PROFILES.JC_NAME WHERE ROLLEN.jc_name LIKE '%ldap%' AND ROLLEN.user_id ='"
					+ user_id + "'";
			Ergebnis = Abfrage.executeQuery(SQLString);


The input is the User_ID on the web front end.

[Updated on: Fri, 11 April 2014 03:07]
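The hardened counterpart of the posted role query, as an added example that is not part of the original post or the poster's project: the same SELECT with the user_id passed as a JDBC bind parameter instead of being concatenated into the SQL text, preceded by an allow-list check. The class name, the `USER_ID` pattern and the `lookupRoles` signature are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example (hypothetical class), not the poster's servlet.
public final class LdapRoleLookup {

    // Assumption: user IDs are short upper-case alphanumerics; adjust to the real ID format.
    private static final Pattern USER_ID = Pattern.compile("[A-Z0-9._-]{1,32}");

    // Same query as the posted SQLString; the literal '...' around user_id is replaced by a bind marker.
    private static final String ROLE_SQL =
        "SELECT ROLLEN.user_id, ROLLEN.jc_name, PROFILES.description "
      + "FROM user_jc ROLLEN INNER JOIN job_code PROFILES ON ROLLEN.JC_NAME = PROFILES.JC_NAME "
      + "WHERE ROLLEN.jc_name LIKE '%ldap%' AND ROLLEN.user_id = ?";

    // Reject anything that does not look like a user ID before the database is touched.
    public static boolean isValidUserId(String raw) {
        return raw != null && USER_ID.matcher(raw.toUpperCase()).matches();
    }

    // Returns each matching row as "user_id|jc_name|description".
    public static List<String> lookupRoles(Connection conn, String rawUserId) throws SQLException {
        if (!isValidUserId(rawUserId)) {
            throw new IllegalArgumentException("user_id rejected by allow-list");
        }
        String userId = rawUserId.toUpperCase();
        List<String> rows = new ArrayList<>();
        // The driver transmits userId as a bound value, never as SQL text, so quote
        // characters in the parameter cannot change the structure of the statement.
        try (PreparedStatement ps = conn.prepareStatement(ROLE_SQL)) {
            ps.setString(1, userId);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getString("user_id") + "|"
                           + rs.getString("jc_name") + "|"
                           + rs.getString("description"));
                }
            }
        }
        return rows;
    }
}
```

The second statement (`SQLString2` on `uam_ent_user`) takes the same fix with its own `?` marker; the servlet's catch block should also log `ne.toString()` server-side only rather than writing it into the response, so Oracle error text does not reach the browser.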
