数据库注入漏洞

package com.tsinghua;

import java.io.*;
import javax.servlet.http.*;

public class Login extends HttpServlet{
public void doPost(HttpServletRequest req,HttpServletResponse res){
this.doGet(req,res);
}
public void doGet(HttpServletRequest req,HttpServletResponse res){

try
{
res.setContentType("text/html;charset=gbk");//中文防止乱码

PrintWriter pw = res.getWriter();
pw.println("<html>");//html文件体
pw.println("<body>");//body体
pw.println("<hr />");//分割线
pw.println("<h1>登陆界面<h1>");
pw.println("<form action = logincl method=post>");//该段组件体和logincl体进行关联
pw.println("用户名：<input type = text name = username><br />");//用户名组件体
pw.println("密码：<input type = password name = passwd><br />");//密码组件体
pw.println("<input type = submit value = loging><br />");
pw.println("<hr />");
pw.println("<form>");
pw.println("</body>");//body体
pw.println("</html>");//html文件体
}
catch(Exception ex)
{
ex.printStackTrace();
}
}
}

package com.tsinghua;

import javax.servlet.http.*;
import java.io.*;
import java.sql.*;

public class LoginCl extends HttpServlet{
public void doGet(HttpServletRequest req,HttpServletResponse res){
this.doPost(req,res);
}
public void doPost(HttpServletRequest req,HttpServletResponse res){

Connection ct = null;
ResultSet rs = null;
Statement sm = null;

try{
//服务器接收login页面发来的用户名和密码，要用到req。
String u = req.getParameter("username");//此处填写组件名
String p = req.getParameter("passwd");//此处填写组件名

//连接到数据库

Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");

//得到链接

ct = DriverManager.getConnection("jdbc:sqlserver://localhost:1433;DatabaseName=spdb","sa","tiger");

//创建Statrment
sm=ct.createStatement();
rs=sm.executeQuery("select top 1 passwd from users where username ='"+u+"'");

if(rs.next())//帐号密码符合要求
{

//说明用户名存在
String dbPasswd=rs.getString(1);
//注入漏洞，
if(dbPasswd.equals(p)){
HttpSession hs = req.getSession(true);
hs.setMaxInactiveInterval(20);
hs.setAttribute("pass","ok");
//连接登录后的欢迎界面
//sendRedirect的作用是跳转界面
res.sendRedirect("wel?username="+u+"&passwd="+p);//该处填写域名

}

}
else
{//返回登录页面
res.sendRedirect("login");//该处填写域名
}
}
catch(Exception ex){
ex.printStackTrace();
}
finally
{
try
{
if(rs!=null)
{
rs.close();
}
if(sm!=null)
{
sm.close();
}
if(ct!=null)
{
ct.close();
}

}
catch (Exception ex)
{
ex.printStackTrace();
}
}
}

}

//欢迎界面

//登录界面
package com.tsinghua;
import javax.servlet.http.*;
import java.io.*;

public class Wel extends HttpServlet{
public void doGet(HttpServletRequest req,HttpServletResponse res){
this.doPost(req,res);
}
public void doPost(HttpServletRequest req,HttpServletResponse res){

try{
//得到session
HttpSession hs = req.getSession(true);
String valu = (String)hs.getAttribute("pass");

String u = req.getParameter("username");
String p = req.getParameter("passwd");

if(valu == null)
{
res.sendRedirect("login");

}
else
{
PrintWriter pw = res.getWriter();
pw.println("wellcome!  "+u+" your password="+p);

}

}
catch(Exception ex){
ex.printStackTrace();
}

}
}

//欢迎界面

//登录界面
package com.tsinghua;
import javax.servlet.http.*;
import java.io.*;

public class Wel extends HttpServlet{
public void doGet(HttpServletRequest req,HttpServletResponse res){
this.doPost(req,res);
}
public void doPost(HttpServletRequest req,HttpServletResponse res){

try{
//得到session
HttpSession hs = req.getSession(true);
String myname = (String)hs.getAttribute("pass");

String u = req.getParameter("username");
String p = req.getParameter("passwd");

if(myname == null)
{
res.sendRedirect("login");

}
else
{
res.setContentType("text/html;charset=gbk");//中文防止乱码
PrintWriter pw = res.getWriter();
pw.println("<img src=imgs/1.GIF ><br>");
pw.println("wellcome!  "+u+" your password="+p);
pw.println("你的用户名是："+u);

//做个超链接
pw.println("<br><a href=login>返回重新登陆</a>");

}

}
catch(Exception ex){
ex.printStackTrace();
}

}
}