
Examining the Oracle Database from a Hacker's Perspective

2008-09-08 12:51:22 Source: WEB开发网

Note the trailing 'q'='q'. It is used so that we can deal with the second part of the query that ASP appends to the end of the statement; this condition evaluates to true.

3 Example JSP page

  package myseverlets;

  <….>

  // Vulnerable by design: the request parameters are concatenated straight
  // into the SQL text, so a single quote in the input changes the statement.
  String sql = new String("SELECT * FROM WebUsers WHERE Username='" +
      request.getParameter("username") + "' AND Password='" +
      request.getParameter("password") + "'");

  // prepareStatement() gives no protection here: nothing is bound as a parameter.
  stmt = Conn.prepareStatement(sql);
  Rs = stmt.executeQuery();
  
Exploiting the problem is much simpler if you can access the source of the web page. You should not be able to see this data; however, there are many bugs that allow you to view the source, and I'm sure there are still lots that have not yet been discovered.

The problem with our ASP code is that we are concatenating our SQL statement together without parsing out any single quotes. Parsing out single quotes is a good first step, but it's recommended that you actually use parameterized SQL statements instead.
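The parameterized form recommended above, as an added example that is not from the original article. The JSP snippet calls prepareStatement but still builds the SQL text from user input, so nothing is bound; the fix is a constant statement with ? placeholders and the values supplied as bind variables. The Connection argument and the WebUsers table are assumed from the snippet.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class LoginCheck {

    // Same defect as the page's snippet: the SQL text is assembled from the
    // raw parameters, so quotes in the input become part of the statement.
    // prepareStatement() does not help because no bind variables are used.
    static boolean loginUnsafe(Connection conn, String user, String pass)
            throws SQLException {
        String sql = "SELECT 1 FROM WebUsers WHERE Username='" + user
                   + "' AND Password='" + pass + "'";
        try (PreparedStatement stmt = conn.prepareStatement(sql);
             ResultSet rs = stmt.executeQuery()) {
            return rs.next();
        }
    }

    // Fixed: the statement text is fixed at compile time and the values are
    // sent separately as bind variables, so a quote in the input is data,
    // never SQL syntax. This is the parameterized form the text recommends.
    static boolean loginSafe(Connection conn, String user, String pass)
            throws SQLException {
        String sql = "SELECT 1 FROM WebUsers WHERE Username = ? AND Password = ?";
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, user);
            stmt.setString(2, pass);
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

With the bound form, an input containing the trailing 'q'='q' trick is matched literally against the Username column and the login fails.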

4 Valid input

If the username and password are set to:

– Username: Bob
