简要描述: android平台使用sqlite做为数据库,对于数据库查询,如果开发者采用字符串连接方式构造SQL语句,就会产生sql注入。 详细说明: android自身实现了一个sqlite操作类SQLiteOpenHelper,我们继承此类,然后重载onCreate,onUpgrade等方法 DatabaseHelper.java如下: package com.xiaod.sqlinj; import android.content.Context; import android.database.sqlite.SQLiteDatabase; import android.database.sqlite.SQLiteDatabase.CursorFactory; import android.database.sqlite.SQLiteOpenHelper; public class DatabaseHelper extends SQLiteOpenHelper { public static final String TB_NAME="usertable"; public static final String ID="_id"; public static final String USERNAME="username"; public static final String PASSWORD="password"; DatabaseHelper(Context context, String name, CursorFactory cursorFactory, int version) { super(context, name, cursorFactory, version); } @Override public void onCreate(SQLiteDatabase db) { db.execSQL("CREATE TABLE IF NOT EXISTS "+ TB_NAME+" ("+ID+" INTEGER PRIMARY KEY,"+ USERNAME+" VARCHAR,"+PASSWORD+" VARCHAR )"); db.execSQL("INSERT INTO "+TB_NAME+"("+USERNAME+","+PASSWORD+") VALUES"+"('admin','admin888')"); db.execSQL("INSERT INTO "+TB_NAME+"("+USERNAME+","+PASSWORD+") VALUES"+"('root','root123')"); db.execSQL("INSERT INTO "+TB_NAME+"("+USERNAME+","+PASSWORD+") VALUES"+"('xiaod','xiaodwin')"); } @Override public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) { } @Override public void onOpen(SQLiteDatabase db) { super.onOpen(db); } } 界面上添加一个查询框,查询按钮,在textview显示查询结果 SqlinjActivity.java如下: package com.xiaod.sqlinj; import android.app.Activity; import android.database.Cursor; import android.database.sqlite.SQLiteDatabase; import android.os.Bundle; import android.view.View; import android.view.View.OnClickListener; import android.widget.Button; import android.widget.EditText; import android.widget.TextView; public class SqlinjActivity extends Activity { public static final String DB_NAME = "sqlinj.db"; public static final int VERSION = 1; private String result = ""; private TextView m_tv; private EditText m_et; DatabaseHelper m_dbhelper; SQLiteDatabase m_db; Button m_btnselect; /** Called when the activity is first created. */ @Override public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.main); m_tv = (TextView)findViewById(R.id.tv_view); m_btnselect = (Button)findViewById(R.id.btn_select); m_et = (EditText)findViewById(R.id.et_id); m_btnselect.setOnClickListener(new OnClickListener(){ @Override public void onClick(View arg0) { // TODO Auto-generated method stub String m_id = m_et.getText().toString(); m_tv.setText(ShowData(m_id)); } }); m_dbhelper = new DatabaseHelper(this, DB_NAME, null, VERSION); m_db = m_dbhelper.getWritableDatabase(); } private String ShowData(String m_id) { result = ""; Cursor m_cursor; String m_argv[] = {m_id}; m_cursor = m_db.rawQuery("SELECT * FROM usertable WHERE _id = '" + m_id +"'", null); m_cursor.moveToFirst(); while(!m_cursor.isAfterLast()){ result += "id: " + m_cursor.getInt(0) + "\n" + "user: " + m_cursor.getString(1) + "\n" + "pass: " + m_cursor.getString(2) + "\n\n"; m_cursor.moveToNext(); } m_cursor.close(); return result; } } 漏洞 证明: 在ShowData函数中,通过传递id号,来查询记录,而54行语句SELECT * FROM usertable WHERE _id= 使用字符串连接方式,构造SQL语句。我们运行程序,测试下是否能注入。 运行后,提交1,返回正常 提交2′and ’1′=’1返回正常 提交2′and ’1′=’2查询不到数据 输入2′or _id <> ‘ 返回所有数据 修复方案: sql injection防护方式和常规思路一致,使用参数化查询 增加一个数组存储查询参数 作者:冷森@乌云
查看更多关于android系统sqlite数据库注入漏洞及修复方案 - 网站的详细内容...