1. Tools to prepare: SQL Server, Visual Studio
2. The database script and the .NET code (C#)
3. SQL Server Profiler
SQL script:
USE master
GO
-- Check whether the SQLTMP database exists
IF EXISTS(SELECT * FROM SYSDATABASES WHERE name = 'SQLTMP')
    -- Drop the SQLTMP database
    DROP DATABASE SQLTMP
GO
-- Create the database
CREATE DATABASE SQLTMP
GO
-- Switch to the SQLTMP database
USE SQLTMP
GO
------------- Create a table used to demonstrate the SQL injection flaw -------------
-- Check whether the table exists
IF EXISTS(SELECT * FROM SYSOBJECTS WHERE name = 'admin')
    -- Drop the table
    DROP TABLE admin
GO
-- Create the table
CREATE TABLE admin(
    id INT PRIMARY KEY IDENTITY(1,1), -- primary key
    name VARCHAR(20) NOT NULL,        -- user name
    pass VARCHAR(20) NOT NULL         -- password
)
------------- Insert one row of test data -------------
INSERT INTO admin VALUES('admin','admin')
-- Query the inserted data
SELECT * FROM admin
Below is a piece of C# code that checks the user name and password:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Data;
using System.Data.SqlClient;

namespace SQLTmp
{
    class Program
    {
        // Database connection string
        public static String strCon = "Data Source=.;Initial Catalog=SQLTMP;Integrated Security=True";
        // Create the database connection object
        static SqlConnection SqlCon = new SqlConnection(strCon);

        static void Main(string[] args)
        {
            Console.WriteLine("请输入用户名:"); // "Enter the user name:"
            String name = Console.ReadLine();
            Console.WriteLine("请输入密码:");   // "Enter the password:"
            String pass = Console.ReadLine();
            Program p = new Program();
            try
            {
                // Open the database connection
                p.Open();
                // The query text is built by concatenating the user's input (the injectable statement)
                string sql = "SELECT COUNT(*) FROM admin WHERE name = '" + name + "' AND pass = '" + pass + "'";
                SqlCommand sqlcom = new SqlCommand(sql, SqlCon);
                int i = (int)sqlcom.ExecuteScalar();
                if (i > 0)
                {
                    Console.WriteLine("登录成功!"); // "Login succeeded!"
                }
                else
                {
                    Console.WriteLine("登录失败!"); // "Login failed!"
                }
                Console.ReadLine();
            }
            catch (Exception)
            {
                throw;
            }
            finally
            {
                // Close the database connection
                p.Close();
            }
        }

        // Open the database connection
        public void Open()
        {
            // Open the connection if it is closed
            if (SqlCon.State == ConnectionState.Closed)
            {
                SqlCon.Open();
            }
            // Reopen the connection if it is broken
            if (SqlCon.State == ConnectionState.Broken)
            {
                // Close it first
                SqlCon.Close();
                SqlCon.Open();
            }
        }

        // Close the database connection
        public void Close()
        {
            if (SqlCon.State == ConnectionState.Open || SqlCon.State == ConnectionState.Broken)
            {
                SqlCon.Close();
            }
        }
    }
}
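Let's test it.
Enter the correct account and password:
admin admin
Login succeeded
Enter a wrong account and password:
test test
Login failed
For the user name we enter: ' or 1=1--
Password: 123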
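What that last input does to the concatenated statement, next to the same check written with parameters. This is an added example, not code from the original page; the names SQLTmpSafe, SafeLogin, BuildConcatenated and CheckLogin are assumptions, and it expects the SQLTMP database created by the script above.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

namespace SQLTmpSafe // hypothetical namespace for this added example
{
    class SafeLogin
    {
        // Same connection string as the page's program.
        const string StrCon = "Data Source=.;Initial Catalog=SQLTMP;Integrated Security=True";

        // The text the page's concatenating code sends to the server (shown for comparison only).
        public static string BuildConcatenated(string name, string pass)
        {
            return "SELECT COUNT(*) FROM admin WHERE name = '" + name + "' AND pass = '" + pass + "'";
        }

        // Parameterized check: name and pass travel as typed values, never as SQL text.
        public static bool CheckLogin(string name, string pass)
        {
            // A parameter declared with size 20 silently truncates longer input, so reject it first.
            if (name == null || pass == null || name.Length > 20 || pass.Length > 20) return false;

            const string sql = "SELECT COUNT(*) FROM admin WHERE name = @name AND pass = @pass";
            using (var con = new SqlConnection(StrCon))
            using (var cmd = new SqlCommand(sql, con))
            {
                // Types and sizes match the admin table: VARCHAR(20).
                cmd.Parameters.Add("@name", SqlDbType.VarChar, 20).Value = name;
                cmd.Parameters.Add("@pass", SqlDbType.VarChar, 20).Value = pass;
                con.Open();
                return (int)cmd.ExecuteScalar() > 0;
            }
        }

        static void Main()
        {
            // Constructed inputs: the three cases tested on the page.
            string[][] cases = {
                new[] { "admin", "admin" },
                new[] { "test", "test" },
                new[] { "' or 1=1--", "123" }
            };
            foreach (var c in cases)
            {
                // Third case: the concatenated text ends in "name = '' or 1=1--...", so the
                // password test is commented out and COUNT(*) counts every row.
                Console.WriteLine("concatenated : " + BuildConcatenated(c[0], c[1]));
                Console.WriteLine("parameterized: " + CheckLogin(c[0], c[1]));
            }
        }
    }
}
```

In SQL Server Profiler the parameterized call appears as an sp_executesql RPC with @name and @pass passed as values, while the concatenated version shows the typed-in text inside the statement itself.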