2025-01-19 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
How is SQL injection handled in Java secure coding? For this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more readers who want to solve this problem find a simpler and easier way.
With the development of the Internet, the Java language is widely used in financial services, e-commerce, big data technology and so on, and a Java secure coding specification has long been an indispensable part of the SDL. This article takes Hibernate and MyBatis, the two frameworks most widely used in Java projects, as examples to introduce several coding methods for avoiding SQL injection, including an in-depth analysis of precompilation and an explanation of several "misunderstandings" about how precompilation works.
At present, Hibernate and MyBatis are the two frameworks most widely used in Java projects. Because of its ease of use, Hibernate was widely adopted in earlier projects, but later, because of its intrusive nature, it was gradually replaced by MyBatis. Next, we build vulnerable environments for Hibernate and MyBatis on top of SpringBoot.
2. Configuration description
SpringBoot version 2.3.1.RELEASE, MySQL version 5.7.20. The database has a table user_tbl; its data are as follows:
3. Hibernate
Hibernate is an open source object-relational mapping framework. It wraps JDBC in very lightweight objects and is a fully automatic ORM framework: Hibernate generates the SQL statements and executes them for you.
(1) Environment building
The structure is as follows: ctl is the control layer, service is the service layer, and dao is the persistence layer. For simplicity we do not follow the standard interface design and only focus on the vulnerable part.
Under beans, User.java corresponds to the user_tbl table structure.
We use the /inject interface, with p accepting the external parameter, to query the list of User objects, and use fastjson to format the output.
Let's go back to the dao layer.
1) SQL injection
For SQL injection, we use string concatenation:
Visit http://localhost:8080/inject?p=m and run SQLMap directly against it:
It's easy to inject data.
2) HQL injection
HQL (Hibernate Query Language) is the query language Hibernate uses to retrieve data. It differs from SQL in that HQL follows an object-oriented way of thinking: the table name corresponds to the entity configured above. Exploiting HQL injection is harder than exploiting SQL injection. For example, programmers do not map the system tables, so it is almost impossible to obtain attributes through them, and because HQL has poor support for complex statements, it takes attackers more time to construct a usable payload. More detailed syntax can be found at:
https://docs.huihoo.com/Hibernate/reference-v3_zh-cn/queryhql.html
3) Precompilation
Here we use setParameter, which is what we know as precompilation:
Query query = (Query) this.entityManager.createQuery("from User u where u.userName like :userName", User.class);
query.setParameter("userName", "%" + username + "%");
Normal results are obtained after visiting http://localhost:8080/inject?p=m.
Execute the injection statement:
Visiting http://localhost:8080/inject?p=m'or'1' like'1 returns an empty result.
Let's take a look at what setParameter does to our SQL statement. We set a breakpoint at bindPreparedStatement in Loader.class and find that after precompilation the SQL has become:
Select user0_.id as id1_0_, user0_.password as password2_0_, user0_.username as username3_0_ from user_tbl user0_ where user0_.username like'%'or''1% 'like''1%'
and is then handed to Hikari to execute. Our single quotation marks have been changed into two single quotes, that is, the incoming data has been turned into a string.
Set a breakpoint at ClientPreparedQueryBindings.setString in mysql-connector-java (the JDBC driver package). This is where the parameters are set.
Take a look at the algorithm:
String parameterAsString = x;
boolean needsQuoted = true;
if (this.isLoadDataQuery || this.isEscapeNeededForString(x, stringLength)) {
    needsQuoted = false;
    StringBuilder buf = new StringBuilder((int) ((double) x.length() * 1.1D));
    buf.append('\'');
    for (int i = 0; i < stringLength; ++i) {
        char c = x.charAt(i);
        switch (c) {
            case '\u0000':
                buf.append('\\');
                buf.append('0');
                break;
            case '\n':
                buf.append('\\');
                buf.append('n');
                break;
            case '\r':
                buf.append('\\');
                buf.append('r');
                break;
            case '\u001a':
                buf.append('\\');
                buf.append('Z');
                break;
            case '"':
                if (this.session.getServerSession().useAnsiQuotedIdentifiers()) {
                    buf.append('\\');
                }
                buf.append('"');
                break;
            case '\'':
                buf.append('\'');
                buf.append('\'');
                break;
            case '\\':
                buf.append('\\');
                buf.append('\\');
                break;
            case '¥':
            case '₩':
                if (this.charsetEncoder != null) {
                    CharBuffer cbuf = CharBuffer.allocate(1);
                    ByteBuffer bbuf = ByteBuffer.allocate(1);
                    cbuf.put(c);
                    cbuf.position(0);
                    this.charsetEncoder.encode(cbuf, bbuf, true);
                    if (bbuf.get(0) == 92) {
                        buf.append('\\');
                    }
                }
                buf.append(c);
                break;
            default:
                buf.append(c);
        }
    }
    buf.append('\'');
    // ... remainder of setString omitted
}
We can see that mysql-connector-java mainly turns our ' into '' and the escape character \ into \\. For example, for this SQL:
SELECT user0_.id AS id1_0_, user0_.PASSWORD AS password2_0_, user0_.username AS username3_0_ FROM user_tbl user0_ WHERE user0_.username LIKE '%\' or username = 0x6d #%'
it also becomes:
SELECT user0_.id AS id1_0_, user0_.PASSWORD AS password2_0_, user0_.username AS username3_0_ FROM user_tbl user0_ WHERE user0_.username LIKE '%\\'' or username = 0x6d #%'
Some may ask: if we use a statement like select * from user_tbl where id = 1 and user() = 0x726f6f74406c6f63616c686f7374, which contains none of the characters JDBC treats as dangerous, can we bypass it? A very clever point in mysql-connector-java is that it decides by the type of the value you pass in: an int goes through setInt, a String goes through setString. So this statement still becomes select * from user_tbl where id = '1 and user() = 0x726f6f74406c6f63616c686f7374'.
We see that the SQL precompilation algorithm is also very simple.
4. MyBatis
MyBatis is a first-class persistence framework that supports custom SQL, stored procedures and advanced mapping. MyBatis can be configured with simple XML or annotations. At present most companies in China use the MyBatis framework.
(1) Environment building
The following is our project directory structure:
(2) Using #{}
#{} is what we know as the precompiled way.
Visiting http://localhost:8080/getList?p=m returns the normal result. Using http://localhost:8080/getList?p=m' or'1' like'1, the result returned is empty. There is no injection.
We set a breakpoint on the invoke method of PreparedStatementLogger, which is actually a proxy method. Here we see the complete SQL statement.
Similarly, setting a breakpoint at ClientPreparedQueryBindings.setString shows that it is entered here as well.
The pre-compilation mechanism of Hibernate and MyBatis is the same.
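To make the Hibernate part concrete, here is an added example (not code from the article's project) that puts the article's concatenated query next to the setParameter version. It assumes the article's User entity with a userName property and an injected EntityManager; the escapeLike helper is an addition the article does not show, covering the LIKE wildcards that binding alone does not neutralise.

```java
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;

// Added example: User and EntityManager are assumed to be wired as in the article's project.
public class UserDao {

    private final EntityManager entityManager;

    public UserDao(EntityManager entityManager) {
        this.entityManager = entityManager;
    }

    // Vulnerable form from the article: the parameter is spliced into the HQL text,
    // so a value such as  m' or '1' like '1  changes the structure of the query.
    public List<User> findByNameConcat(String username) {
        String hql = "from User u where u.userName like '%" + username + "%'";
        return entityManager.createQuery(hql, User.class).getResultList();
    }

    // Safe form: the value is bound with setParameter, so the JDBC driver quotes it
    // and doubles every single quote, exactly as the setString algorithm above shows.
    public List<User> findByName(String username) {
        TypedQuery<User> q = entityManager.createQuery(
            "from User u where u.userName like :pattern escape '!'", User.class);
        q.setParameter("pattern", "%" + escapeLike(username) + "%");
        return q.getResultList();
    }

    // Binding stops injection, but % and _ remain LIKE metacharacters inside the bound
    // string. Escape them (and the escape character itself) so a request for "m%"
    // matches a literal "m%" rather than every name starting with m.
    static String escapeLike(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c == '!' || c == '%' || c == '_') {
                out.append('!');
            }
            out.append(c);
        }
        return out.toString();
    }
}
```

'!' is used as the escape character rather than backslash, because Hibernate passes the literal through unchanged and MySQL would read '\' in the ESCAPE clause as an escaped quote.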
(3) Using ${}
${} is MyBatis's string concatenation.
Using SQLMap, the data can easily be dumped:
(4) About ORDER BY
It has been said before that the clause after ORDER BY does not participate in precompilation. That statement is wrong: ORDER BY also participates in precompilation. As we can see from JDBC's setString algorithm above, setString adds '' around the parameter and turns it into a string, so ORDER BY loses its original meaning. It can only be said that precompilation is not applicable to ORDER BY. So the suggestion for defending ORDER BY is to write the sort column directly in the code. For ORDER BY injection, data can be obtained from the different orders in which rows are returned.
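One way to apply the "write it in the code" advice for ORDER BY in MyBatis, as an added example that is not part of the article's project (the UserMapper and UserService names are assumed): the filter value still goes through #{} and is bound, while the sort column, which cannot be bound, reaches ${} only after being mapped onto a fixed allowlist.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Added example: mapper and service names are assumed, table user_tbl is from the article.
@Mapper
interface UserMapper {
    // #{pattern} is a bound parameter; ${orderBy} / ${direction} are spliced as text,
    // so the service below must guarantee they only ever hold allowlisted identifiers.
    @Select("select id, username from user_tbl where username like #{pattern} "
          + "order by ${orderBy} ${direction}")
    List<Map<String, Object>> listUsers(@Param("pattern") String pattern,
                                        @Param("orderBy") String orderBy,
                                        @Param("direction") String direction);
}

public class UserService {
    // Column names that exist in user_tbl and that callers are allowed to sort by.
    private static final Set<String> SORTABLE = Collections.unmodifiableSet(
        new HashSet<>(Arrays.asList("id", "username")));

    private final UserMapper mapper;

    public UserService(UserMapper mapper) {
        this.mapper = mapper;
    }

    // p, orderBy and desc come from the request; none of them reaches SQL unchanged.
    public List<Map<String, Object>> list(String p, String orderBy, boolean desc) {
        return mapper.listUsers("%" + p + "%", sortColumn(orderBy), desc ? "desc" : "asc");
    }

    // Map the request value onto an allowlisted identifier. Anything else is rejected,
    // so attacker-controlled text is never spliced into the ORDER BY clause.
    static String sortColumn(String requested) {
        if (requested == null || requested.isEmpty()) {
            return "id";
        }
        String col = requested.toLowerCase();
        if (!SORTABLE.contains(col)) {
            throw new IllegalArgumentException("unsupported sort column: " + requested);
        }
        return col;
    }
}
```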
(5) About useServerPrepStmts
In fact, only when JDBC turns on useServerPrepStmts=true is the statement really precompiled on the server. But if the SQL is built by string concatenation, precompilation has no effect. You can see this from MySQL's query log: the Prepare statement is there, and so is the SQL injection.
Using placeholders instead:
There is no SQL injection in the above statement.
I think that's why useServerPrepStmts=true isn't turned on in JDBC by default.
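The two cases just described, side by side, as an added example (not code from the article; the connection URL and credentials are placeholders): with useServerPrepStmts=true the driver prepares both statements on the server, but only the one whose value travels through a ? placeholder keeps the value out of the parsed SQL.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example: host, database and credentials are placeholders; user_tbl is from the article.
public class ServerPrepDemo {

    // useServerPrepStmts=true makes the driver send COM_STMT_PREPARE / COM_STMT_EXECUTE
    // instead of escaping on the client; cachePrepStmts reuses the prepared handle.
    static final String URL = "jdbc:mysql://localhost:3306/test"
        + "?useServerPrepStmts=true&cachePrepStmts=true&useSSL=false";

    // Vulnerable: the value is already part of the SQL text when prepare() runs, so the
    // server parses user input as SQL. The Prepare line still shows up in the query log,
    // which is exactly why its presence proves nothing about injection safety.
    static int countConcat(Connection conn, String p) throws SQLException {
        String sql = "select count(*) from user_tbl where username like '%" + p + "%'";
        try (PreparedStatement ps = conn.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            return rs.next() ? rs.getInt(1) : 0;
        }
    }

    // Safe: the SQL text is fixed at prepare time; the value is sent separately in the
    // execute packet and cannot change the statement the server has already parsed.
    static int countPlaceholder(Connection conn, String p) throws SQLException {
        String sql = "select count(*) from user_tbl where username like ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, "%" + p + "%");
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // The article's probe value: differs between the two paths only when the
        // concatenated statement is parsed as SQL.
        String p = args.length > 0 ? args[0] : "m' or '1' like '1";
        try (Connection conn = DriverManager.getConnection(URL, "user", "password")) {
            System.out.println("concatenated : " + countConcat(conn, p));
            System.out.println("placeholder  : " + countPlaceholder(conn, p));
        }
    }
}
```

Run it with the MySQL general log enabled to see a Prepare entry for both statements, with the injected condition visible in the first one only.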
This concludes the analysis of SQL injection in Java secure coding. I hope the above content is of some help to you. If you still have doubts, you can follow the industry information channel for more related knowledge.