Does the $ SQL generated by MyBatis Generator carry an injection risk? A detailed look

Contents
  • Investigating the dealer system's SQL injection issue
  • Preparing the test demo
    • entity
      • Product.java
      • ProductExample.java
    • Controller layer: ProductController.java
    • Service layer
      • ProductService.java
      • ProductServiceImpl.java
    • mapper
      • ProductController.java
      • ProductController.xml
  • Tests
    • Test 1: normal logic test
    • Test 2: a non-existent table column
    • Test 3: like injection test 1
    • Test 3: like injection test 2
  • Conclusion
  • Appendix

Investigating the dealer system's SQL injection issue

After a full review, the only place in the dealer system's SQL layer that uses '$' to read a value from an object is the following pattern:

<sql id="Example_Where_Clause">
   <!-- WARNING - @mbggenerated This element is automatically generated by
      MyBatis Generator, do not modify. -->
  <where>
      <foreach collection="oredCriteria" item="criteria" separator="or">
         <if test="criteria.valid">
            <trim prefix="(" suffix=")" prefixOverrides="and">
               <foreach collection="criteria.criteria" item="criterion">
                  <choose>
                     <when test="criterion.noValue">
                        and ${criterion.condition}
                     </when>
                     <when test="criterion.singleValue">
                        and ${criterion.condition} #{criterion.value}
                     </when>
                     <when test="criterion.betweenValue">
                        and ${criterion.condition} #{criterion.value} and
                        #{criterion.secondValue}
                     </when>
                     <when test="criterion.listValue">
                        and ${criterion.condition}
                        <foreach collection="criterion.value" item="listItem"
  open="(" close=")" separator=",">
                           #{listItem}
                        </foreach>
                     </when>
                  </choose>
               </foreach>
            </trim>
         </if>
      </foreach>
   </where>
</sql>

Next, we reproduce the situation in a test demo:

Preparing the test demo

entity

Product.java

A plain entity class corresponding to the product table in the database; see the appendix for the table structure:

package com.zhrb.springcloud.entity;

import lombok.Data;
import lombok.ToString;

/**
 * @ClassName Product
 * @Description TODO
 * @Author Administrator
 * @Date 2019/9/3 14:26
 * @Version
 */
@Data
@ToString
public class Product {
    // primary key
    private Long pid;
    // product name
    private String productName;
    // which database the row comes from: in a microservice architecture each service can own
    // its own database, so the same record may be stored in different databases
    private String dbSource;
}

ProductExample.java

A dynamic-condition class identical to the one in the dealer environment:

package com.zhrb.springcloud.entity;

import java.util.ArrayList;
import java.util.List;

/**
 * @ClassName ProductExample
 * @Description TODO
 * @Author Administrator
 * @Date 2019/9/20 9:07
 * @Version
 */
public class ProductExample {
    /**
     * This field was generated by MyBatis Generator.
     * This field corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    protected String orderByClause;

    /**
     * This field was generated by MyBatis Generator.
     * This field corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    protected boolean distinct;

    /**
     * This field was generated by MyBatis Generator.
     * This field corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    protected List<Criteria> oredCriteria;

    /**
     * This method was generated by MyBatis Generator.
     * This method corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    public ProductExample() {
        oredCriteria = new ArrayList<Criteria>();
    }

    /**
     * This method was generated by MyBatis Generator.
     * This method corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    public void setOrderByClause(String orderByClause) {
        this.orderByClause = orderByClause;
    }

    /**
     * This method was generated by MyBatis Generator.
     * This method corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    public String getOrderByClause() {
        return orderByClause;
    }

    /**
     * This method was generated by MyBatis Generator.
     * This method corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    public void setDistinct(boolean distinct) {
        this.distinct = distinct;
    }

    /**
     * This method was generated by MyBatis Generator.
     * This method corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    public boolean isDistinct() {
        return distinct;
    }

    /**
     * This method was generated by MyBatis Generator.
     * This method corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    public List<Criteria> getOredCriteria() {
        return oredCriteria;
    }

    /**
     * This method was generated by MyBatis Generator.
     * This method corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    public void or(Criteria criteria) {
        oredCriteria.add(criteria);
    }

    /**
     * This method was generated by MyBatis Generator.
     * This method corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    public Criteria or() {
        Criteria criteria = createCriteriaInternal();
        oredCriteria.add(criteria);
        return criteria;
    }

    /**
     * This method was generated by MyBatis Generator.
     * This method corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    public Criteria createCriteria() {
        Criteria criteria = createCriteriaInternal();
        if (oredCriteria.size() == 0) {
            oredCriteria.add(criteria);
        }
        return criteria;
    }

    /**
     * This method was generated by MyBatis Generator.
     * This method corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    protected Criteria createCriteriaInternal() {
        Criteria criteria = new Criteria();
        return criteria;
    }

    /**
     * This method was generated by MyBatis Generator.
     * This method corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    public void clear() {
        oredCriteria.clear();
        orderByClause = null;
        distinct = false;
    }

    /**
     * This class was generated by MyBatis Generator.
     * This class corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    protected abstract static class GeneratedCriteria {
        protected List<Criterion> criteria;

        protected GeneratedCriteria() {
            super();
            criteria = new ArrayList<Criterion>();
        }

        public boolean isValid() {
            return criteria.size() > 0;
        }

        public List<Criterion> getAllCriteria() {
            return criteria;
        }

        public List<Criterion> getCriteria() {
            return criteria;
        }

        protected void addCriterion(String condition) {
            if (condition == null) {
                throw new RuntimeException("Value for condition cannot be null");
            }
            criteria.add(new Criterion(condition));
        }

        protected void addCriterion(String condition, Object value, String property) {
            if (value == null) {
                throw new RuntimeException("Value for " + property + " cannot be null");
            }
            criteria.add(new Criterion(condition, value));
        }

        protected void addCriterion(String condition, Object value1, Object value2, String property) {
            if (value1 == null || value2 == null) {
                throw new RuntimeException("Between values for " + property + " cannot be null");
            }
            criteria.add(new Criterion(condition, value1, value2));
        }

        public Criteria andIdIsNull() {
            addCriterion("PID is null");
            return (Criteria) this;
        }

        public Criteria andIdIsNotNull() {
            addCriterion("PID is not null");
            return (Criteria) this;
        }

        public Criteria andIdEqualTo(String value) {
            addCriterion("PID =", value, "pid");
            return (Criteria) this;
        }

        public Criteria andIdNotEqualTo(String value) {
            addCriterion("PID <>", value, "pid");
            return (Criteria) this;
        }

        public Criteria andIdGreaterThan(String value) {
            addCriterion("PID >", value, "pid");
            return (Criteria) this;
        }

        public Criteria andIdGreaterThanOrEqualTo(String value) {
            addCriterion("PID >=", value, "pid");
            return (Criteria) this;
        }

        public Criteria andIdLessThan(String value) {
            addCriterion("PID <", value, "pid");
            return (Criteria) this;
        }

        public Criteria andIdLessThanOrEqualTo(String value) {
            addCriterion("PID <=", value, "pid");
            return (Criteria) this;
        }

        public Criteria andIdLike(String value) {
            addCriterion("PID like", value, "pid");
            return (Criteria) this;
        }

        public Criteria andIdNotLike(String value) {
            addCriterion("PID not like", value, "pid");
            return (Criteria) this;
        }

        public Criteria andIdIn(List<String> values) {
            addCriterion("PID in", values, "pid");
            return (Criteria) this;
        }

        public Criteria andIdNotIn(List<String> values) {
            addCriterion("PID not in", values, "pid");
            return (Criteria) this;
        }

        public Criteria andIdBetween(String value1, String value2) {
            addCriterion("PID between", value1, value2, "pid");
            return (Criteria) this;
        }

        public Criteria andIdNotBetween(String value1, String value2) {
            addCriterion("PID not between", value1, value2, "pid");
            return (Criteria) this;
        }
    }

    /**
     * This class was generated by MyBatis Generator.
     * This class corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated do_not_delete_during_merge
     */
    public static class Criteria extends GeneratedCriteria {
        protected Criteria() {
            super();
        }
    }

    /**
     * This class was generated by MyBatis Generator.
     * This class corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    public static class Criterion {
        private String condition;
        private Object value;
        private Object secondValue;
        private boolean noValue;
        private boolean singleValue;
        private boolean betweenValue;
        private boolean listValue;
        private String typeHandler;

        public String getCondition() {
            return condition;
        }

        public Object getValue() {
            return value;
        }

        public Object getSecondValue() {
            return secondValue;
        }

        public boolean isNoValue() {
            return noValue;
        }

        public boolean isSingleValue() {
            return singleValue;
        }

        public boolean isBetweenValue() {
            return betweenValue;
        }

        public boolean isListValue() {
            return listValue;
        }

        public String getTypeHandler() {
            return typeHandler;
        }

        protected Criterion(String condition) {
            super();
            this.condition = condition;
            this.typeHandler = null;
            this.noValue = true;
        }

        protected Criterion(String condition, Object value, String typeHandler) {
            super();
            this.condition = condition;
            this.value = value;
            this.typeHandler = typeHandler;
            if (value instanceof List<?>) {
                this.listValue = true;
            } else {
                this.singleValue = true;
            }
        }

        protected Criterion(String condition, Object value) {
            this(condition, value, null);
        }

        protected Criterion(String condition, Object value, Object secondValue, String typeHandler) {
            super();
            this.condition = condition;
            this.value = value;
            this.secondValue = secondValue;
            this.typeHandler = typeHandler;
            this.betweenValue = true;
        }

        protected Criterion(String condition, Object value, Object secondValue) {
            this(condition, value, secondValue, null);
        }
    }
}

Controller layer: ProductController.java

package com.zhrb.springcloud.controller;

import com.zhrb.springcloud.entity.Product;
import com.zhrb.springcloud.entity.ProductExample;
import com.zhrb.springcloud.service.ProductService;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import org.mybatis.spring.annotation.MapperScan;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;
import java.util.List;

/**
 * @ClassName ProductController
 * @Description TODO
 * @Author zhrb
 * @Date 2019/9/3 15:18
 * @Version
 */
@RestController
@RequestMapping("/product")
@MapperScan("com.zhrb.springcloud.mapper")
@Api(value = "/product", description = "商品管理 程序员小圈圈", position = 1)
public class ProductController {
    @Autowired
    private ProductService productService;

    @ApiOperation(value = "测试是否预编译", notes = "测试是否预编译")
    @GetMapping(value = "/testList")
    public List<Product> testList() {
        ProductExample example = new ProductExample();
        // the string under test is passed as the value of the like condition
        example.createCriteria().andIdLike("1' or '1=1");
        List<Product> productList = productService.list(example);
        for (Product p : productList) {
            p.setProductName(p.getProductName() + "本条数据来自8001");
        }
        return productList;
    }
}

Service layer

ProductService.java

package com.zhrb.springcloud.service;

import com.zhrb.springcloud.entity.Product;
import com.zhrb.springcloud.entity.ProductExample;
import java.util.List;

/**
 * @ClassName ProductService
 * @Description TODO
 * @Author Administrator
 * @Date 2019/9/3 15:15
 * @Version
 */
public interface ProductService {
    List<Product> list(ProductExample example);
}

ProductServiceImpl.java

package com.zhrb.springcloud.service.impl;

import com.zhrb.springcloud.entity.Product;
import com.zhrb.springcloud.entity.ProductExample;
import com.zhrb.springcloud.mapper.ProductMapper;
import com.zhrb.springcloud.service.ProductService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import java.util.List;

/**
 * @ClassName ProductServiceImpl
 * @Description TODO
 * @Author Administrator
 * @Date 2019/9/3 15:16
 * @Version
 */
@Service
public class ProductServiceImpl implements ProductService {
    @Autowired
    private ProductMapper productMapper;

    @Override
    public List<Product> list(ProductExample example) {
        return productMapper.testList(example);
    }
}

mapper

ProductController.java

package com.zhrb.springcloud.mapper;

import com.zhrb.springcloud.entity.Product;
import com.zhrb.springcloud.entity.ProductExample;
import org.apache.ibatis.annotations.Mapper;
import java.util.List;

/**
 * @ClassName ProductMapper
 * @Description TODO
 * @Author Administrator
 * @Date 2019/9/3 14:55
 * @Version
 */
@Mapper
public interface ProductMapper {

    List<Product> testList(ProductExample example);
}

ProductController.xml

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.zhrb.springcloud.mapper.ProductMapper">

    <select id="testList" parameterType="com.zhrb.springcloud.entity.ProductExample" resultType="com.zhrb.springcloud.entity.Product">
        select
        pid, product_name, db_source
        from product
        <if test="_parameter != null" >
            <include refid="Example_Where_Clause" />
        </if>
        <if test="orderByClause != null" >
            order by ${orderByClause}
        </if>
    </select>
    <sql id="Example_Where_Clause" >
        <!--
          WARNING - @mbggenerated This element is automatically generated by MyBatis Generator, do not modify.
        -->
        <where >
            <foreach collection="oredCriteria" item="criteria" separator="or" >
                <if test="criteria.valid" >
                    <trim prefix="(" suffix=")" prefixOverrides="and" >
                        <foreach collection="criteria.criteria" item="criterion" >
                            <choose >
                                <when test="criterion.noValue" >
                                    and ${criterion.condition}
                                </when>
                                <when test="criterion.singleValue" >
                                    and ${criterion.condition} #{criterion.value}
                                </when>
                                <when test="criterion.betweenValue" >
                                    and ${criterion.condition} #{criterion.value} and #{criterion.secondValue}
                                </when>
                                <when test="criterion.listValue" >
                                    and ${criterion.condition}
                                    <foreach collection="criterion.value" item="listItem" open="(" close=")" separator="," >
                                        #{listItem}
                                    </foreach>
                                </when>
                            </choose>
                        </foreach>
                    </trim>
                </if>
            </foreach>
        </where>
    </sql>
</mapper>

Tests

Test 1: normal logic test

First, exercise the normal code path to verify that the code works; the test result screenshot is as follows:

The call succeeds, which shows the code logic is fine. Next come the abnormal tests:

Test 2: a non-existent table column

Modify ProductExample.java as follows (the database column is pid and there is no id column, so change pid to id first to observe how a non-existent column behaves during precompilation):

package com.zhrb.springcloud.entity;

import java.util.ArrayList;
import java.util.List;

/**
 * @ClassName ProductExample
 * @Description TODO
 * @Author Administrator
 * @Date 2019/9/20 9:07
 * @Version
 */
public class ProductExample {

    // The fields orderByClause, distinct and oredCriteria, the constructor, the
    // getters/setters, or(), createCriteria(), createCriteriaInternal(), clear()
    // and the inner classes Criteria and Criterion are identical to the
    // ProductExample.java listing above and are not repeated here. The only
    // change is inside GeneratedCriteria, where every "PID" becomes "id":

    /**
     * This class was generated by MyBatis Generator.
     * This class corresponds to the database table CPT_DLS_CONFIG
     *
     * @mbggenerated
     */
    protected abstract static class GeneratedCriteria {
        protected List<Criterion> criteria;

        protected GeneratedCriteria() {
            super();
            criteria = new ArrayList<Criterion>();
        }

        public boolean isValid() {
            return criteria.size() > 0;
        }

        public List<Criterion> getAllCriteria() {
            return criteria;
        }

        public List<Criterion> getCriteria() {
            return criteria;
        }

        protected void addCriterion(String condition) {
            if (condition == null) {
                throw new RuntimeException("Value for condition cannot be null");
            }
            criteria.add(new Criterion(condition));
        }

        protected void addCriterion(String condition, Object value, String property) {
            if (value == null) {
                throw new RuntimeException("Value for " + property + " cannot be null");
            }
            criteria.add(new Criterion(condition, value));
        }

        protected void addCriterion(String condition, Object value1, Object value2, String property) {
            if (value1 == null || value2 == null) {
                throw new RuntimeException("Between values for " + property + " cannot be null");
            }
            criteria.add(new Criterion(condition, value1, value2));
        }

        public Criteria andIdIsNull() {
            addCriterion("id is null");
            return (Criteria) this;
        }

        public Criteria andIdIsNotNull() {
            addCriterion("id is not null");
            return (Criteria) this;
        }

        public Criteria andIdEqualTo(String value) {
            addCriterion("id =", value, "id");
            return (Criteria) this;
        }

        public Criteria andIdNotEqualTo(String value) {
            addCriterion("id <>", value, "id");
            return (Criteria) this;
        }

        public Criteria andIdGreaterThan(String value) {
            addCriterion("id >", value, "id");
            return (Criteria) this;
        }

        public Criteria andIdGreaterThanOrEqualTo(String value) {
            addCriterion("id >=", value, "id");
            return (Criteria) this;
        }

        public Criteria andIdLessThan(String value) {
            addCriterion("id <", value, "id");
            return (Criteria) this;
        }

        public Criteria andIdLessThanOrEqualTo(String value) {
            addCriterion("id <=", value, "id");
            return (Criteria) this;
        }

        public Criteria andIdLike(String value) {
            addCriterion("id like", value, "id");
            return (Criteria) this;
        }

        public Criteria andIdNotLike(String value) {
            addCriterion("id not like", value, "id");
            return (Criteria) this;
        }

        public Criteria andIdIn(List<String> values) {
            addCriterion("id in", values, "id");
            return (Criteria) this;
        }

        public Criteria andIdNotIn(List<String> values) {
            addCriterion("id not in", values, "id");
            return (Criteria) this;
        }

        public Criteria andIdBetween(String value1, String value2) {
            addCriterion("id between", value1, value2, "id");
            return (Criteria) this;
        }

        public Criteria andIdNotBetween(String value1, String value2) {
            addCriterion("id not between", value1, value2, "id");
            return (Criteria) this;
        }
    }
}

The test result is as follows:

As the screenshot shows, a compilation error is reported, which proves that even though the value is read with $, the statement still goes through precompilation. Continue below.

Test 3: like injection test 1

The code and result screenshots are as follows:

From the screenshots above we can see:

With this kind of injection, the passed-in parameter is treated as a single object when the Criteria is built and is passed down as a whole. In this test (figure 1 above) two breakpoints were set, but execution was interrupted before reaching the second one and the backend log reported an error, which proves that the injected SQL is malformed and cannot execute.

Test 3: like injection test 2

The code and result screenshots are as follows:

In like injection test 1 the debugger showed that the parameter seemed to be concatenated incorrectly, so this test uses the regular injection form and inspects the parameter in the debugger. If the

andIdLike value is set to: '1' or '1=1'

then in theory the SQL executed on the database is:

SELECT * from product WHERE pid LIKE '1' or '1=1';

Running this SQL directly in the database gives the following result:

But the demo query returns an empty result and the console reports an error, which proves that this injection cannot succeed either.

Conclusion

From the demo tests above, this way of reading values with $ is not affected by SQL injection: the conventional SQL injection attempts fail.
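To make the mechanism the tests rely on visible without a database, here is an added Python model (my own code, not the post's project or MyBatis itself) of how MyBatis renders the generated Example_Where_Clause and the testList select: ${criterion.condition} is pasted into the statement text, while #{criterion.value} becomes a ? placeholder whose value is handed to the PreparedStatement, so the whole string "1' or '1=1" arrives as one parameter. The model also covers the mapper's order by ${orderByClause}, which the post does not exercise and which takes the verbatim-text path; the names render_where, render_select and like_test_from_post are mine.

```python
from typing import Any, List, Optional, Tuple


class Criterion:
    """One condition, as built by GeneratedCriteria.addCriterion in the post."""

    def __init__(self, condition: str, value: Any = None, second_value: Any = None) -> None:
        self.condition = condition         # fixed text chosen by a generated and*() method
        self.value = value                 # caller-supplied value(s), bound as parameters
        self.second_value = second_value
        self.no_value = value is None
        self.list_value = isinstance(value, list)
        self.between_value = second_value is not None
        self.single_value = not (self.no_value or self.list_value or self.between_value)


class Criteria:
    """Mirrors GeneratedCriteria: the caller picks a method, never the condition text."""

    def __init__(self) -> None:
        self.criteria: List[Criterion] = []

    @property
    def valid(self) -> bool:               # <if test="criteria.valid">
        return len(self.criteria) > 0

    def and_id_is_null(self) -> "Criteria":
        self.criteria.append(Criterion("PID is null"))
        return self

    def and_id_like(self, value: str) -> "Criteria":
        self.criteria.append(Criterion("PID like", value))
        return self

    def and_id_in(self, values: List[str]) -> "Criteria":
        self.criteria.append(Criterion("PID in", values))
        return self

    def and_id_between(self, value1: str, value2: str) -> "Criteria":
        self.criteria.append(Criterion("PID between", value1, value2))
        return self


class ProductExample:
    def __init__(self) -> None:
        self.ored_criteria: List[Criteria] = []
        self.order_by_clause: Optional[str] = None   # setOrderByClause() in the post

    def create_criteria(self) -> Criteria:
        criteria = Criteria()
        if not self.ored_criteria:
            self.ored_criteria.append(criteria)
        return criteria


def render_where(example: ProductExample) -> Tuple[str, List[Any]]:
    """Walk oredCriteria like the <foreach>/<choose> in Example_Where_Clause.
    ${criterion.condition} is pasted as text; every #{...} becomes a '?' whose
    value is appended to params (what the JDBC PreparedStatement receives)."""
    params: List[Any] = []
    groups: List[str] = []
    for criteria in example.ored_criteria:
        if not criteria.valid:
            continue
        parts: List[str] = []
        for c in criteria.criteria:
            if c.no_value:                  # and ${criterion.condition}
                parts.append(c.condition)
            elif c.single_value:            # and ${criterion.condition} #{criterion.value}
                parts.append(f"{c.condition} ?")
                params.append(c.value)
            elif c.between_value:           # ... #{criterion.value} and #{criterion.secondValue}
                parts.append(f"{c.condition} ? and ?")
                params.extend([c.value, c.second_value])
            elif c.list_value:              # <foreach open="(" close=")" separator=",">#{listItem}
                parts.append(f"{c.condition} ({', '.join('?' for _ in c.value)})")
                params.extend(c.value)
        groups.append("(" + " and ".join(parts) + ")")   # <trim prefix="(" suffix=")" prefixOverrides="and">
    return ("where " + " or ".join(groups)) if groups else "", params   # <where> + separator="or"


def render_select(example: ProductExample) -> Tuple[str, List[Any]]:
    """The testList <select>: parameters for the where clause, but orderByClause
    is ${...} in the mapper and so lands in the statement text unchanged."""
    sql = "select pid, product_name, db_source from product"
    where, params = render_where(example)
    if where:
        sql += " " + where
    if example.order_by_clause is not None:
        sql += " order by " + example.order_by_clause
    return sql, params


def like_test_from_post() -> Tuple[str, List[Any]]:
    """The post's testList(): example.createCriteria().andIdLike("1' or '1=1")."""
    example = ProductExample()
    example.create_criteria().and_id_like("1' or '1=1")
    return render_select(example)
```

The practical check this gives a reviewer: everything that reaches the SQL string in this model comes from the generated methods or from setOrderByClause, never from a criterion value, so the value passed to andIdLike is the one place the post's conclusion covers.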

Appendix

Database table structure:

/*
Navicat MySQL Data Transfer
Source Server         : BWG-104.225.147.76
Source Server Version : 50644
Source Host           : 104.225.147.76:3306
Source Database       : springcloud_db01
Target Server Type    : MYSQL
Target Server Version : 50644
File Encoding         : 65001
Date: 2019-09-20 10:23:41
*/
SET FOREIGN_KEY_CHECKS=0;
-- ----------------------------
-- Table structure for product
-- ----------------------------
DROP TABLE IF EXISTS `product`;
CREATE TABLE `product` (
  `pid` bigint(20) NOT NULL AUTO_INCREMENT,
  `product_name` varchar(50) DEFAULT NULL,
  `db_source` varchar(50) DEFAULT NULL,
  PRIMARY KEY (`pid`)
) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=utf8;
-- ----------------------------
-- Records of product
-- ----------------------------
INSERT INTO `product` VALUES ('1', '手机', 'springcloud_db01');
INSERT INTO `product` VALUES ('2', '冰箱', 'springcloud_db01');
INSERT INTO `product` VALUES ('3', '电脑', 'springcloud_db01');
INSERT INTO `product` VALUES ('4', '洗衣机', 'springcloud_db01');
INSERT INTO `product` VALUES ('5', '电视', 'springcloud_db01');
INSERT INTO `product` VALUES ('6', '音响', 'springcloud_db01');

The above is my personal experience; I hope it can serve as a reference for everyone.

