上周六单位被扫描出SQL注入漏洞 经过检查,发现ibatis框架都可能出现这个问题.
如果有需求,让你实现页面grid所有字段都能排序,你会怎么做呢? 最简单的做法就是从页面把字段名,排序类型传回来,然后拼接在SQL里面.(在使用EasyUI前端框架的时候,这样做非常容易) 然后修改ibatis框架,将order by #排序字段# #排序类型#改为 order by $排序字段$ $排序类型$ 实现所谓的动态查询,就像下面的链接所写的 http://blog.sina.com.cn/s/blog_4dacfb0101016y6b.html
实验模拟这个过程, create table t (id int primary key ,name varchar(20),grade int); insert into t values(1,'edmond',1); insert into t values(2,'edmond',2); insert into t values(3,'edmond',1); insert into t values(4,'edmond',3); insert into t values(5,'edmond',1); insert into t values(6,'edmond',5);
- public class Test {
- private static String URL = "jdbc:mysql://127.0.0.1:3306/mvbox";
- private static String USERNAME = "xx";
- private static String PWD = "xx";
- public static void main(String[] args) throws Exception {
- //模拟从页面传输过来的参数
- String name = "edmond";
- String sort = "grade";
- String order = "desc";
- dao(name, sort, order);
- }
- private static void dao(String name, String sort, String order) throws Exception {
- Class.forName("com.mysql.jdbc.Driver");
- Connection con = DriverManager.getConnection(URL, USERNAME, PWD);
- PreparedStatement ps = con.prepareStatement("select id,name,grade from t where name=? order by " + sort + " " + order);
- ps.setString(1, name);
- ResultSet rs = ps.executeQuery();
- while (rs.next()) {
- System.out.println(rs.getInt(1) + " " + rs.getString(2) + " " + rs.getInt(3));
- }
- con.close();
- }
- }
上面的代码模拟了ibatis使用$符号实现动态排序查询的场景.运行结果如下 可以看到上述代码存在注入漏洞 如果对参数order注入如下内容,即可以作为暴力攻破帐号密码的方式,又可以使用sleep挂起数据库. String order = "desc,(select if(substring(user(),1,2)='xx',sleep(4),-1))";
攻击方式参考: http://www.jxcm.net/shujuku/64.html
如何避免注入攻击,并且用ibatis实现动态排序查询呢? 我感觉可以使用受控注入的方式.(自己想的一个名词) 在监听器中获取数据库所有的列名称,然后使用AOP拦截DAO层的方法, 将前台传入的参数,对比监听器中获取的数据库列名称,如果没有任何匹配,则直接报错,或者给一个默认的排序 ibatis的SQL还是使用$符号的方式.
模拟代码如下
- import java.sql.Connection;
- import java.sql.DriverManager;
- import java.sql.PreparedStatement;
- import java.sql.ResultSet;
- import java.sql.SQLException;
- import java.util.ArrayList;
- import java.util.List;
- public class Test {
- private static String URL = "jdbc:mysql://127.0.0.1:3306/mvbox";
- private static String USERNAME = "xx";
- private static String PWD = "xx";
- private static List<String> fieldList = new ArrayList<String>();
- private static void getAllField() throws Exception {
- Class.forName("com.mysql.jdbc.Driver");
- Connection con = DriverManager.getConnection(URL, USERNAME, PWD);
- PreparedStatement ps = con
- .prepareStatement("select column_name from information_schema.columns where table_schema not in ('information_schema','test','mysql','information_schema')");
- ResultSet rs = ps.executeQuery();
- while (rs.next()) {
- fieldList.add(rs.getString(1));
- }
- rs.close();
- ps.close();
- con.close();
- }
- public static void main(String[] args) throws Exception {
- // 模拟监听器启动
- getAllField();
- // 模拟从页面传输过来的参数
- String name = "edmond";
- String sort = "grade";
- String order ="desc,(select if(substring(user(),1,2)='xx',sleep(4),-1))";
- daoProxy(name, sort, order);
- }
- private static void daoProxy(String name, String sort, String order)
- throws Exception {
- if (fieldList.contains(sort)
- && (order.toLowerCase().equals("desc") || order.toLowerCase()
- .equals("asc"))) {
- dao(name, sort, order);
- } else {
- // 记录日志,进行错误处理
- System.out.println("黑客,你妈妈喊你回家吃饭");
- }
- }
- private static void dao(String name, String sort, String order)
- throws Exception {
- Class.forName("com.mysql.jdbc.Driver");
- Connection con = DriverManager.getConnection(URL, USERNAME, PWD);
- PreparedStatement ps = con
- .prepareStatement("select id,name,grade from t where name=? order by "
- + sort + " " + order);
- ps.setString(1, name);
- ResultSet rs = ps.executeQuery();
- while (rs.next()) {
- System.out.println(rs.getInt(1) + " " + rs.getString(2) + " "
- + rs.getInt(3));
- }
- con.close();
- }
- }
可以看到,在DAO层拦截之后,在daoProxy中已经过滤了注入攻击. 这样即可以保证安全,又可以让代码优雅.