2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
What are the three ways a SQL injection attack can arise under the MyBatis framework? This article walks through the analysis and the fix for each one, in the hope of giving readers who face the same problem a simple and practical method.
I. SQL injection in MyBatis
MyBatis SQL statements can be written as annotations on interface methods, but more often they are written in XML mapper files.
The SQL is either written by hand or generated automatically with mybatis-generator. In the XML files, MyBatis supports two parameter placeholders, #{} and ${}. For example:
SELECT * FROM NEWS WHERE ID = #{id}
SELECT * FROM NEWS WHERE ID = ${id}
#{} binds the value as a prepared-statement parameter (precompiled), whereas ${} splices the raw value directly into the SQL string.
There are three main situations prone to SQL injection vulnerabilities under the MyBatis framework:
1. Fuzzy query (like)
SELECT * FROM news WHERE title LIKE '%#{title}%'
Written this way with #, the statement fails with an error at runtime, so a novice programmer changes the # to $. If the user input is then not checked at the Java code level, the result is a SQL injection vulnerability.
The correct way to write it:
SELECT * FROM news WHERE title LIKE CONCAT('%', #{title}, '%')
2. Multiple parameters after in
Using # with multiple ids after in also causes an error:
SELECT * FROM news WHERE id IN (#{ids})
The correct approach is to use foreach, not to replace # with $:
id in
<foreach collection="ids" item="item" open="(" separator="," close=")">
    #{item}
</foreach>
3. After order by
A column or table name cannot be a bound parameter, so this case must be handled at the Java level: keep an array of allowed field/table names and let the user pass in only an index into that array. This guarantees that the field or table name reaching the SQL is in the whitelist. Note that in the SQL generated automatically by mybatis-generator, order by also uses $, while like and in are fine.
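The three cases above written safely in one place, as an added example that is not code from the article or from the MCMS project. It uses the MyBatis annotation API (@Select, @Param, and the <script>/<foreach> dynamic-SQL tags, which are real MyBatis features) over an assumed news(id, title, create_time) table; the NewsQueryService class and its whitelist array are assumptions made for the illustration.

```java
import java.util.List;
import java.util.Map;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Added example (not code from the article or the MCMS project): the three
// cases above written safely as a MyBatis annotation mapper over an assumed
// news(id, title, create_time) table, plus the Java-side whitelist for ORDER BY.
public interface NewsMapper {

    // 1. Fuzzy query: keep #{} and build the wildcard pattern in SQL with CONCAT,
    //    so the user text is bound as a prepared-statement parameter.
    @Select("SELECT * FROM news WHERE title LIKE CONCAT('%', #{title}, '%')")
    List<Map<String, Object>> searchByTitle(@Param("title") String title);

    // 2. IN list: <foreach> expands to one #{} placeholder per element.
    //    <script> is what lets dynamic-SQL tags be used inside an annotation.
    @Select("<script>"
          + "SELECT * FROM news WHERE id IN "
          + "<foreach collection='ids' item='id' open='(' separator=',' close=')'>#{id}</foreach>"
          + "</script>")
    List<Map<String, Object>> findByIds(@Param("ids") List<Integer> ids);

    // 3. ORDER BY: a column name cannot be a bound parameter, so ${} is
    //    unavoidable here. The values must come from NewsQueryService's
    //    whitelist below, never straight from the request.
    @Select("SELECT * FROM news ORDER BY ${orderColumn} ${orderDir}")
    List<Map<String, Object>> listOrdered(@Param("orderColumn") String orderColumn,
                                          @Param("orderDir") String orderDir);
}

// Service layer that turns an index from the request into a whitelisted column name.
class NewsQueryService {

    // Only these columns may be sorted on; the request carries an index into this array.
    private static final String[] SORT_COLUMNS = {"id", "title", "create_time"};

    private final NewsMapper mapper;

    NewsQueryService(NewsMapper mapper) {
        this.mapper = mapper;
    }

    static String resolveSortColumn(int index) {
        if (index < 0 || index >= SORT_COLUMNS.length) {
            throw new IllegalArgumentException("unknown sort field index: " + index);
        }
        return SORT_COLUMNS[index];
    }

    static String resolveSortDir(boolean descending) {
        return descending ? "DESC" : "ASC";
    }

    // sortIndex comes from e.g. ?sort=2&desc=true; the raw request string never reaches SQL.
    List<Map<String, Object>> list(int sortIndex, boolean descending) {
        return mapper.listOrdered(resolveSortColumn(sortIndex), resolveSortDir(descending));
    }
}
```

The point of the service class is that the only ${} left in the mapper receives a string chosen from a constant array, so a malicious request can at worst produce an IllegalArgumentException, never a changed query.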
II. Practical analysis
We use an open-source CMS to analyze the Java SQL injection problem. Tracing backwards works well here: first search the XML files for possible injection points, then trace back to the DAO interface, then to its implementation class, and finally follow the call chain to the front-end URL to find the exploitable entry point.
1. Import the project into IDEA
On the IDEA start page click Get from Version Control and enter https://gitee.com/mingSoft/MCMS.git
When the download finishes, wait for Maven to resolve the project's dependencies.
2. Search for the keyword $
Ctrl+Shift+F opens Find in Path; filter by the xml suffix and search for the $ keyword.
Judging by file names, the XML files containing Dao are the ones we need. Take IContentDao.xml as an example: double-click to open it and press Ctrl+F to search for $. There are 16 matches; the first three are used for database selection, so skip them.
Continuing, there is a suspected order by splice; set it aside for now.
Further down there are several plain splices, which are easier to exploit. Let's take this one as an example and find where ids is passed in from the front end.
3. Search for the mapped objects
The select id in MyBatis corresponds to the name of the mapped method. Using getSearchCount as the keyword, search for the mapped object.
IContentDao.java, IContentDaoImpl.java and McmsAction.java are found, corresponding to the mapper interface, its implementation class and the front-end controller respectively. Jump directly to the controller class.
Only categoryIds resembles the target parameter ids; this needs further confirmation. Return to IContentDao.java and continue tracing back along the standard flow.
ids is the last parameter of getSearchCount; press Alt+F7 to view the call chain.
Switch to ContentBizImpl and confirm that the front-end parameter is categoryIds.
Return to McmsAction: the parameter is received through BasicUtil.getString.
Follow BasicUtil.getString.
It goes on to SpringUtil.getRequest(); the parameter is not sanitized anywhere along the way, so the SQL injection is confirmed.
4. Vulnerability confirmation
With the project running, request http://localhost:8080/ms-mcms/mcms/search.do?categoryId=1%27)%20%20or+updatexml(1,concat(0x7e,(SELECT+%40%40version),0x7e),1)%23 and the MySQL version 5.7.27 is returned, verifying that the injection exists.
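Step 2 above (filter the mapper XML for $ and classify each hit as like, in, order by or other) can be automated as a first pass before the manual trace. The following is an added example, not part of the article or of MCMS: it scans mapper XML text for ${...} placeholders and labels each one by the SQL keyword that precedes it on the same line. The sample mapper fragment embedded at the bottom is constructed for the demonstration; the heuristic only looks at the current line, so multi-line statements still need the manual review described above.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not part of the article or of MCMS. Scans MyBatis mapper XML
// text for ${...} placeholders (string splicing) and reports each with a rough
// classification, to focus a manual audit like the one described above.
public class DollarPlaceholderAudit {

    // Matches ${param} and ${param, jdbcType=...} style placeholders.
    private static final Pattern DOLLAR =
            Pattern.compile("\\$\\{\\s*([A-Za-z_][\\w.]*)[^}]*}");
    private static final Pattern ORDER_BY = Pattern.compile("(?i)order\\s+by");
    private static final Pattern LIKE = Pattern.compile("(?i)\\blike\\b");
    private static final Pattern IN = Pattern.compile("(?i)\\bin\\s*\\(");

    public static final class Finding {
        public final int line;
        public final String param;
        public final String kind;
        public final String text;

        Finding(int line, String param, String kind, String text) {
            this.line = line;
            this.param = param;
            this.kind = kind;
            this.text = text;
        }

        @Override
        public String toString() {
            return "line " + line + ": ${" + param + "} [" + kind + "] " + text.trim();
        }
    }

    // Classifies each ${} by the keyword that precedes it on the same line (heuristic).
    public static List<Finding> scan(String xml) {
        List<Finding> out = new ArrayList<>();
        String[] lines = xml.split("\n", -1);
        for (int i = 0; i < lines.length; i++) {
            Matcher m = DOLLAR.matcher(lines[i]);
            while (m.find()) {
                String before = lines[i].substring(0, m.start());
                String kind;
                if (ORDER_BY.matcher(before).find()) {
                    kind = "order-by (needs a Java-side whitelist)";
                } else if (LIKE.matcher(before).find()) {
                    kind = "like (use CONCAT with #{})";
                } else if (IN.matcher(before).find()) {
                    kind = "in (use <foreach> with #{})";
                } else {
                    kind = "other splice (review manually)";
                }
                out.add(new Finding(i + 1, m.group(1), kind, lines[i]));
            }
        }
        return out;
    }

    // Constructed sample mapper fragment; not taken from IContentDao.xml.
    static final String SAMPLE = String.join("\n",
            "<select id=\"getSearchCount\" resultType=\"int\">",
            "  select count(*) from news",
            "  where title like '%${title}%'",
            "  and id in (${ids})",
            "  order by ${orderBy}",
            "  limit #{limit}",
            "</select>");

    public static void main(String[] args) {
        for (Finding f : scan(SAMPLE)) {
            System.out.println(f);
        }
    }
}
```

Run against a real project, read each mapper file into a string and call scan on it; the #{limit} line produces no finding, which is the point: only ${} splices need a human to trace the parameter back to the controller as in steps 3 and 4.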
When we encounter similar problems again, we can consider the following:
1. When auditing SQL injection under the MyBatis framework, focus on the three areas like, in and order by.
2. When SQL is written in XML, first filter the XML files and search for $, analyze each hit one by one, and pay special attention to the order by splices produced by mybatis-generator.
3. The same applies when SQL is written in MyBatis annotations.
4. Parameters should be checked at the Java level, on the assumption that user input is malicious, so as to guard against potential attacks.
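As an added example of point 4 (not code from MCMS or the article), the following validates a request parameter of the shape categoryIds=1,2,3 at the Java layer so that only a List<Integer> ever reaches the mapper, where it can be bound with foreach. The class name, the MAX_IDS bound and the sample inputs in main are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

// Added example, not code from MCMS or the article. Strictly validates a
// request parameter such as categoryIds=1,2,3 at the Java layer so that only
// a List<Integer> ever reaches the mapper, which binds it with <foreach>.
public final class IdListParam {

    // Only digits and commas; at most 9 digits per id keeps every value inside int range.
    private static final Pattern ID_LIST = Pattern.compile("\\d{1,9}(,\\d{1,9})*");
    private static final int MAX_IDS = 200;   // assumed upper bound; tune per endpoint

    private IdListParam() {}

    /** Returns the parsed ids, or throws for anything that is not a plain integer list. */
    public static List<Integer> parse(String raw) {
        if (raw == null || !ID_LIST.matcher(raw).matches()) {
            throw new IllegalArgumentException(
                    "categoryIds must be a comma-separated list of integers");
        }
        String[] parts = raw.split(",");
        if (parts.length > MAX_IDS) {
            throw new IllegalArgumentException("too many ids: " + parts.length);
        }
        List<Integer> ids = new ArrayList<>(parts.length);
        for (String p : parts) {
            ids.add(Integer.parseInt(p));
        }
        return Collections.unmodifiableList(ids);
    }

    /** Lenient variant for optional parameters: missing or empty means "no filter". */
    public static List<Integer> parseOptional(String raw) {
        return (raw == null || raw.isEmpty()) ? Collections.emptyList() : parse(raw);
    }

    public static void main(String[] args) {
        // Constructed inputs: the first is what a legitimate request sends; the
        // others are the kind of strings that previously reached ${ids} unchanged.
        String[] samples = {"1,2,3", "1,2,", "1,abc", "1')", ""};
        for (String s : samples) {
            try {
                System.out.println("\"" + s + "\" -> " + parse(s));
            } catch (IllegalArgumentException e) {
                System.out.println("\"" + s + "\" rejected: " + e.getMessage());
            }
        }
    }
}
```

Because the controller now hands the DAO a typed list instead of the raw string, the mapper no longer has any reason to use ${ids}: foreach over the list with #{} is the natural way to write the in clause.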
That concludes the discussion of the three ways SQL injection attacks arise under the MyBatis framework. I hope the above content is of some help to you. If you still have questions, follow the industry information channel for more related knowledge.