Preface

SQL injection is one of the most common vulnerabilities in web security. With the use of precompiled (prepared) statements and the various ORM frameworks in Java, injection problems are becoming rarer. Novice code auditors are often intimidated by the combination of multiple frameworks in a Java web application and do not know where to start. This article takes the SQL injection problems caused by improper use of the MyBatis framework as an example, to give novice code auditors some ideas.

MyBatis SQL statements can be written on class methods via annotations, but more often they are written in XML mapper files. SQL statements in MyBatis are either written by hand or generated automatically with MyBatis Generator. When writing XML files, MyBatis supports two parameter placeholders: one is #{} and the other is ${}. For example:

```xml
<select id="queryAll" resultMap="resultMap">
  SELECT * FROM NEWS WHERE ID = #{id}
</select>
```

#{} uses precompilation (the value is bound as a prepared-statement parameter); ${} splices the value directly into the SQL string.

SQL injection vulnerabilities under the MyBatis framework mainly fall into the following three types:

1. Fuzzy query (LIKE)

```sql
SELECT * FROM news WHERE title LIKE '%#{title}%'
```

In this case, using # makes the program report an error (the placeholder sits inside a quoted string literal and is not bound as a parameter), so the novice programmer changes the # sign to $, which creates an SQL injection vulnerability if the Java code layer does not handle the user's input.

Correct writing:

```sql
SELECT * FROM news WHERE title LIKE concat('%', #{title}, '%')
```

2. Multiple parameters after IN


```sql
SELECT * FROM news WHERE id IN (#{ids})
```

The correct usage is to use foreach instead of replacing # with $:

```xml
id IN
<foreach collection="ids" item="item" open="(" separator="," close=")">
  #{item}
</foreach>
```

3. ORDER BY

This scenario should be handled by a mapping at the Java level: set up an array of field/table names and only allow the user to pass in an index value. This ensures that the field or table name passed in is on the whitelist. Note that in the SQL statements automatically generated by MyBatis Generator, ORDER BY also uses ${}, while LIKE and IN have no problems.
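As an added example (not code from the article or from any project it mentions), the following Java class shows the whitelist mapping described above: the request supplies only an index and a direction, and the mapper receives column names taken from a fixed list, so the value reaching an `ORDER BY ${orderBy}` placeholder is never raw user text. The column list, the `NEWS` table and the parameter names `orderBy`/`dir` are assumptions made for the illustration.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example, not part of the original article or any project it describes:
 * resolve a user-supplied sort choice to a column name through a whitelist so the
 * text that reaches an ORDER BY ${orderBy} placeholder is never attacker-controlled.
 */
public final class OrderByWhitelist {

    // Hypothetical sortable columns of the NEWS table used in the article's examples.
    private static final List<String> SORTABLE_COLUMNS =
            List.of("ID", "TITLE", "CREATE_DATE");

    private OrderByWhitelist() {}

    /**
     * Map an index taken from the request (e.g. "?sort=1") to a column name.
     * Anything that is not a valid index is rejected instead of being passed on.
     */
    public static String columnForIndex(String rawIndex) {
        int index;
        try {
            index = Integer.parseInt(rawIndex == null ? "" : rawIndex.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("sort index is not a number");
        }
        if (index < 0 || index >= SORTABLE_COLUMNS.size()) {
            throw new IllegalArgumentException("sort index out of range");
        }
        return SORTABLE_COLUMNS.get(index);
    }

    /** Only the two literal keywords are ever emitted for the sort direction. */
    public static String direction(String rawDirection) {
        return "DESC".equalsIgnoreCase(rawDirection) ? "DESC" : "ASC";
    }

    /**
     * Build the parameter map handed to a mapper such as
     *   <select id="list" ...>SELECT * FROM NEWS ORDER BY ${orderBy} ${dir}</select>
     * Both values are whitelist outputs, never raw request strings.
     */
    public static Map<String, Object> mapperParams(String rawIndex, String rawDirection) {
        Map<String, Object> params = new HashMap<>();
        params.put("orderBy", columnForIndex(rawIndex));
        params.put("dir", direction(rawDirection));
        return params;
    }

    public static void main(String[] args) {
        // A well-formed request: index 1 resolves to the TITLE column.
        System.out.println(mapperParams("1", "desc"));
        // A column name sent instead of an index is rejected before reaching the mapper.
        try {
            columnForIndex("TITLE");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same approach also covers the ORDER BY clauses produced by MyBatis Generator: keep the generated `${}` placeholder, but make sure the only code path that fills it goes through a resolver like `columnForIndex`.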

Second, practical approach

We use an open source CMS for the analysis. Java SQL injection auditing suits a backward-tracing approach: first search the XML mappers for possible injection points -> go back to the DAO -> then to the implementation class -> then follow the call chain to the front-end URL and find the exploitation point. Let's start.

1. Import the project into IDEA

On the IDEA start page, click Get from Version Control and enter https://gitee.com/mingSoft/MCMS.git

After the download completes, wait for Maven to download the project dependencies.

2. Search for the $ keyword

Ctrl+Shift+F opens Find in Path; filter by the .xml suffix and search for the $ keyword.

Judging by file name, the XML files with DAO in the name are the ones we need. Take IContentDao.xml as an example: double-click to open it and press Ctrl+F to search for $. There are 16 hits; the first three select the database, so skip them.

The suspected ORDER BY is put on hold for now.

Let's take this one as an example and just look at where ids comes in from the front end.
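The Find in Path step above can be automated for triage. The following Java scanner is an added example (not code from the article or from MCMS): it finds every `${...}` placeholder in a mapper file, records its line number and the SQL keyword that precedes it on that line, so LIKE, IN and ORDER BY hits can be reviewed first. The mapper fragment it scans is constructed for the illustration and mirrors the three patterns described in the first section; it is not taken from IContentDao.xml. Java 16 or newer is assumed because of the record type.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not from the article or the MCMS project: list ${...} placeholders
 * in a MyBatis mapper together with the nearest preceding SQL keyword, to prioritise
 * the LIKE / IN / ORDER BY cases during an audit.
 */
public final class DollarPlaceholderScanner {

    /** One ${...} occurrence: 1-based line, placeholder body, preceding keyword. */
    public record Hit(int line, String placeholder, String context) {
        @Override
        public String toString() {
            return "line " + line + ": ${" + placeholder + "} after " + context;
        }
    }

    // ${ ... } with optional whitespace inside the braces.
    private static final Pattern DOLLAR = Pattern.compile("\\$\\{\\s*([^}]*?)\\s*\\}");
    // Keywords that tell us which of the article's three cases a hit belongs to.
    private static final Pattern KEYWORD =
            Pattern.compile("(?i)\\b(order\\s+by|like|in|where|from|select)\\b");

    private DollarPlaceholderScanner() {}

    /** Scan the text of one mapper XML file and return every ${...} hit. */
    public static List<Hit> scan(String mapperXml) {
        List<Hit> hits = new ArrayList<>();
        String[] lines = mapperXml.split("\n", -1);
        for (int i = 0; i < lines.length; i++) {
            Matcher m = DOLLAR.matcher(lines[i]);
            while (m.find()) {
                String before = lines[i].substring(0, m.start());
                hits.add(new Hit(i + 1, m.group(1), lastKeyword(before)));
            }
        }
        return hits;
    }

    /** The last SQL keyword on the line before the placeholder, or "(none)". */
    private static String lastKeyword(String text) {
        Matcher k = KEYWORD.matcher(text);
        String last = "(none)";
        while (k.find()) {
            last = k.group(1).toUpperCase().replaceAll("\\s+", " ");
        }
        return last;
    }

    public static void main(String[] args) {
        // Constructed mapper fragment (not from MCMS) showing the three risky patterns
        // plus one safe #{} usage that the scanner must ignore.
        String sample = String.join("\n",
                "<select id=\"search\" resultMap=\"resultMap\">",
                "  SELECT * FROM NEWS WHERE TITLE LIKE '%${title}%'",
                "    AND ID IN (${ids})",
                "  ORDER BY ${orderBy}",
                "</select>",
                "<select id=\"byId\" resultMap=\"resultMap\">",
                "  SELECT * FROM NEWS WHERE ID = #{id}",
                "</select>");
        for (Hit hit : scan(sample)) {
            System.out.println(hit);
        }
    }
}
```

Run it over the real mapper files by reading each `*.xml` under the DAO directory into a string and passing it to `scan`; hits reported after LIKE or IN should be fixed with `concat`/`foreach`, and hits after ORDER BY should be traced back to check that a whitelist sits in front of them.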

3. Search for mapped objects

The MyBatis select id corresponds to the name of the mapped method, so we use getSearchCount as the keyword to search for the mapped object.

The search hits IContentDao.java, IContentDaoImpl.java and McmsAction.java: the mapped interface, its implementation class and the front-end controller. Jump straight to the controller class.

Only categoryIds looks similar to the target parameter ids, which needs further confirmation. Return to IContentDao.java and continue tracing back along the standard flow.

Find the getSearchCount whose last parameter is ids, and press Alt+F7 to view the call chain.

Go to ContentBizImpl and confirm that the front-end parameter is categoryIds.

Back in McmsAction, the argument is obtained via BasicUtil.getString.

Follow BasicUtil.getString.

It goes on to SpringUtil.getRequest(); the front end does no processing of the value, so the SQL injection is confirmed.

4. Vulnerability confirmation

Run the project and construct the request:

`http://localhost:8080/ms-mcms/mcms/search.do?CategoryId=1%27)%20%20OR+updateXML(1,concat(0x7e,(SELECT+%40%40version),0x7e),1)%23`

Third, summary

The above is the basic method for auditing SQL injection under MyBatis. The several points we did not analyze also have problems; newcomers can try analyzing the different injection points as practice, and I believe there will be more to gain. When we meet similar problems again, we can consider:

1. When auditing SQL injection under the MyBatis framework, focus on three aspects: LIKE, IN and ORDER BY.

2. When SQL is written in XML, first filter to the XML files, search for $ and analyze the hits one by one. Pay special attention to the ORDER BY injection in code produced by MyBatis Generator.

3. SQL written with MyBatis annotations is audited in the same way.

4. The Java layer should do proper parameter checking: assume that user input is malicious and guard against potential attacks.