SQL injection of Java audit
0x00 Preface
As an introduction to Java web auditing, this is also my first audit article. Later I plan to write a small series to record my progress in learning code audit.
0x01 JDBC injection analysis
There are only a few common ways to connect to a database in Java: JDBC, MyBatis, and Hibernate.
Injection common scenario analysis
JDBC is the most primitive and most cumbersome connection method. Let's look at the most basic JDBC connection code.
Get injection:
    import java.io.IOException;
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;
    import javax.servlet.ServletException;
    import javax.servlet.annotation.WebServlet;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    @WebServlet("/demo")
    public class domain extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
            System.out.println("get访问");
            String id = req.getParameter("id");   // user-controlled value, read straight from the request
            Connection conn = null;
            try {
                Class.forName("com.mysql.jdbc.Driver");
                conn = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/demo", "root", "root");
                // id is spliced directly into the SQL text: this is the injection point
                String sql = "select * from users where id = '" + id + "' ";
                Statement statement = conn.createStatement();
                ResultSet resultSet = statement.executeQuery(sql);
            } catch (ClassNotFoundException | SQLException e) {
                e.printStackTrace();
            }
        }

        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
            this.doGet(req, resp);
        }
    }
Here a servlet is written that reads the GET parameter, connects to the database through JDBC, and splices the value directly into the SQL statement. If such code is reached without any filtering of the input, SQL injection results.
In practice, when JDBC is used without a framework, a tool class is usually written to take care of this cumbersome setup, but the actual work is still done by these same calls; the tool class is just a thin wrapper.
During a code audit, if you see that the connection is made through JDBC, trace the code to check whether a self-defined filtering method is called on the input. If not, there is SQL injection. This of course assumes that precompiling (prepared statements) is not used.
Much of what follows is repetitive and roughly the same, so I will only post the main code for analysis.
Post injection:
String sql = "select * from users where username = '"+username+"' and password = '"+password+"' ";
GET injection is almost the same as POST injection; only the place the value is read from differs.
Like injection:
    String name = req.getParameter("name");
    // the % wildcards and the value are all spliced into the SQL text
    String sql = "select * from users where name like '%" + name + "%'";
Header injection:
    String referer = req.getHeader("referer");
    String sql = "update user set referer = '" + referer + "'";
The methods listed above are all SQL injection through JDBC string splicing.
JDBC precompiling
Precompiling means first using question marks as placeholders and passing the specific values in afterwards. When the values are passed later, the driver treats the parameters as string-typed data and does not splice them into the SQL statement, so they cannot change the meaning of the query.
    Connection conn = JDBCUtils.getConnection();   // JDBCUtils: the project's own JDBC tool class
    String sql = "select * from users where username = ? and password = ?";
    PreparedStatement pstmt = conn.prepareStatement(sql); // pass the SQL in for precompilation
    pstmt.setString(1, username); // set the first parameter to username
    pstmt.setString(2, password); // set the second parameter to password
    ResultSet rs = pstmt.executeQuery();
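As an added example (not code from the original post), the GET/POST, LIKE and header cases from above rewritten with PreparedStatement. The Connection is assumed to come from a tool class like the JDBCUtils mentioned, the table and column names are taken from the snippets above, and the where clause on the update is an assumption for the example.

```java
import java.sql.*;

// Added example: every user-controlled value is bound as a parameter
// instead of being spliced into the SQL text.
public class SafeQueries {

    // Login check (the GET/POST case): both values are bound, never concatenated.
    public static boolean userExists(Connection conn, String username, String password) throws SQLException {
        String sql = "select 1 from users where username = ? and password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // LIKE case: the wildcards go into the bound value, not the SQL text,
    // so a value such as "' or '1'='1" stays a literal search term.
    // Note that % and _ inside name still act as LIKE wildcards; escape them
    // if that matters for the application.
    public static int countByNameLike(Connection conn, String name) throws SQLException {
        String sql = "select count(*) from users where name like ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, "%" + name + "%");
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // Header case: a request header is attacker-controlled input like any
    // other parameter, so the referer is bound too (where clause assumed).
    public static int updateReferer(Connection conn, int userId, String referer) throws SQLException {
        String sql = "update user set referer = ? where id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, referer);
            ps.setInt(2, userId);
            return ps.executeUpdate();
        }
    }
}
```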
0x02 MyBatis injection analysis
MyBatis has two ways of taking a value: ${} and #{}.
#{}: parsed into a placeholder question mark; uses precompilation, so it prevents SQL injection.
${}: takes the value directly and substitutes it into the SQL text.
MyBatis generally uses #{} to take values, but there are special cases.
Like injection:
Let's demonstrate with code:
    <select id="findlike" resultType="com.test.domain.User" parameterType="string">
        select * from user where name like '%#{name}%'
    </select>
When this is run, the code throws an exception right away: the placeholder ends up inside the quoted literal as '%?%', so the bound parameter has no position to go to.
Correct code:
    <select id="findlike" resultType="com.test.domain.User" parameterType="string">
        select * from user where name like '%${name}%'
    </select>
Here ${} has to be used to take the value.
Or:
    <select id="findlike" resultType="com.test.domain.User" parameterType="string">
        select * from user where name like #{name}
    </select>
Test class:
    @Test
    public void findlike() {
        // the caller supplies the wildcards, so the whole pattern is bound as one parameter
        List<User> ming = userDao.findlike("%xiao%");
        for (User user1 : ming) {
            System.out.println(user1);
        }
    }
There is another way to write it:
    <select id="findlike" resultType="com.test.domain.User" parameterType="string">
        select * from user where name like concat('%', #{name}, '%')
    </select>
Here the two % are added in the SQL with concat() and the value is passed in through #{}. This way does not report an error, whereas splicing % directly around #{} does.
LIKE cannot be precompiled directly in the spliced form. If the parameter is passed to ${} without processing, SQL injection is produced here as well.
In injection
    select * from news where id in (#{id})
This is also splicing; using the precompiled form with a list of ids reports an error as well.
Correct writing:
    select * from news where id in (${id})
Order by injection
    select * from news where title = #{titlename} order by #{time} asc
An error is reported during execution.
Correct writing:
    select * from news where title = #{titlename} order by ${time} asc
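The three MyBatis cases above (LIKE, IN, ORDER BY) written so that no user value reaches ${}, as an added example that is not from the original post. It uses MyBatis annotation mappers; User and News are assumed result classes, the column names are assumed, and the allowlist helper is a hypothetical name.

```java
import java.util.*;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Added example: LIKE and IN are handled entirely with #{} placeholders;
// ORDER BY is the one case that needs ${}, so its value is allowlisted first.
public interface NewsMapper {

    // LIKE: build the pattern in SQL with concat(), keep #{} for the value.
    @Select("select * from user where name like concat('%', #{name}, '%')")
    List<User> findLike(@Param("name") String name);

    // IN: <foreach> expands the list into (?, ?, ?) with one bound parameter
    // per element, so no ${id} substitution is needed.
    @Select("<script>"
          + "select * from news where id in "
          + "<foreach collection='ids' item='id' open='(' separator=',' close=')'>#{id}</foreach>"
          + "</script>")
    List<News> findByIds(@Param("ids") List<Integer> ids);

    // ORDER BY: a column name cannot be a bound parameter, so ${} is
    // unavoidable here; callers must only pass a value that passed checkedOrderColumn().
    @Select("select * from news where title = #{title} order by ${orderCol} asc")
    List<News> findByTitleOrdered(@Param("title") String title, @Param("orderCol") String orderCol);

    // Allowlist of sortable columns (assumed names); run in the service layer
    // before calling findByTitleOrdered, which is where the audit above looks for filtering.
    Set<String> ORDERABLE = new HashSet<>(Arrays.asList("time", "id", "title"));

    static String checkedOrderColumn(String requested) {
        if (!ORDERABLE.contains(requested)) {
            throw new IllegalArgumentException("order column not allowed: " + requested);
        }
        return requested;
    }
}
```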
0x03 CMS audit
Testing environment
IDEA: 2020.1.2 x64
MySQL: 5.7.26
Tomcat: 8.0
JDK: 1.8
Build environment
Download the source code:
http://down.admin5.com/jsp/132874.html
Import the project in IDEA and add the pom.xml; it is a Maven project. If the Spring annotations report errors, the Spring dependencies have not been pulled down yet, so refresh the pom.xml.
The project is configured on port 82, with the deployment directory left at its default.
Tomcat is also configured to use port 82.
Note that the application path must be the root path; otherwise some CSS resources fail to load because of path problems.
This completes the configuration, but some get and set methods are flagged as errors.
The solution is given in the project's documentation: just install the Lombok plug-in and restart. This is because some classes do not actually write get and set methods but rely on the plug-in to provide them.
After that, import the SQL file provided with the project and start the application.
These are the pits I stepped on. After a flurry of operations the startup completes, but some errors are still reported: several statements fail while importing the SQL file, so a few tables are not created, and an error is reported whenever one of those tables is accessed.
Make do with it!
The first step is to look at web.xml to see which frameworks are used.
Indeed, the CMS uses the SSM framework, that is, Spring + Spring MVC + MyBatis.
(Hahaha, actually I already knew that from the documentation.)
Audit SQL injection
The files are divided very clearly, so the structure is easy to see. Open any file under the Dao directory to check whether MyBatis is used with annotations or with configuration files.
If no MyBatis annotations are found after opening it, XML configuration must have been used.
The mapper file is in the same directory as the Dao interface.
Search directly for the $ symbol to find which statements take their value through ${} without filtering.
It turns out that deletearticlebyids uses ${} for its value.
Find the Dao interface corresponding to the mapper file.
Select deletearticlebyids in the Dao interface and Ctrl + click it to see which classes call the method.
Here I jump to an implementation class in the service layer.
The focus is the service layer code, because any filtering would be implemented there.
No filtering code was found.
Next, find the controller corresponding to the service. Use IDEA's Ctrl + Alt + H shortcut to show the call hierarchy and locate the controller.
Once the controller file is found, look at its request path first:
/admin/article
Then search for where deletearticlebyids is called to get the specific vulnerable location.
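An added audit helper, not code from the CMS or the original post, that automates the "search for the $ symbol" step above: it lists every mapper statement that substitutes a value with ${}, so each hit can then be traced Dao → service → controller as described. It assumes mapper XML files live below the directory given on the command line; with no argument it scans a constructed sample modelled on the finding above.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
import java.util.regex.*;
import java.util.stream.*;

// Added example: finds ${} usages inside MyBatis mapper statements.
public class DollarFinder {
    // One mapper statement: <select|insert|update|delete id="...">...</same tag>
    private static final Pattern STMT = Pattern.compile(
        "<(select|insert|update|delete)\\b[^>]*\\bid=\"([^\"]+)\"[^>]*>(.*?)</\\1>", Pattern.DOTALL);
    private static final Pattern DOLLAR = Pattern.compile("\\$\\{\\s*([^}]+?)\\s*\\}");

    // Returns one line per ${} occurrence: "file: kind id=... uses ${var}".
    public static List<String> findDollarUsages(String mapperXml, String fileName) {
        List<String> hits = new ArrayList<>();
        Matcher stmt = STMT.matcher(mapperXml);
        while (stmt.find()) {
            Matcher dollar = DOLLAR.matcher(stmt.group(3));
            while (dollar.find()) {
                hits.add(fileName + ": " + stmt.group(1) + " id=" + stmt.group(2)
                         + " uses ${" + dollar.group(1) + "}");
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        if (args.length == 0) {
            // Constructed sample modelled on the finding above; not the CMS's real mapper.
            String sample = "<mapper namespace=\"demo.ArticleDao\">"
                + "<delete id=\"deletearticlebyids\">delete from article where id in (${ids})</delete>"
                + "<select id=\"findById\">select * from article where id = #{id}</select>"
                + "</mapper>";
            findDollarUsages(sample, "sample.xml").forEach(System.out::println);
            return;
        }
        Path root = Paths.get(args[0]);
        try (Stream<Path> files = Files.walk(root)) {
            for (Path p : files.filter(f -> f.toString().endsWith(".xml")).collect(Collectors.toList())) {
                String xml = new String(Files.readAllBytes(p), StandardCharsets.UTF_8);
                findDollarUsages(xml, root.relativize(p).toString()).forEach(System.out::println);
            }
        }
    }
}
```

For the sample it prints a single hit for deletearticlebyids and nothing for the #{} statement; statements without an explicit id attribute or built from nested `<if>`/`<foreach>` tags still match, since only the text between the statement tags is searched.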
Vulnerability location:
http://127.0.0.1:82/admin/article/delete
Visit the vulnerable page.
Click Delete and capture the request.
Send the captured request to sqlmap and run it.
Reference articles
https://mp.weixin.qq.com/s?__biz=MjM5OTk2MTMxOQ==&mid=2727827368&idx=1&sn=765d0835f0069b5145523c31e8229850&mpshare=1&scene=1&srcid=0926a6QC3pGbQ3Pznszb4n2q
https://xz.aliyun.com/t/2646#toc-1
0x04 end
Setting up the environment at the beginning took a long time and ate up most of the effort.