
selectByIds function sql injection #862

Open
@hldfight

Description

Write the following test demo:
1. UserController.java:
@Controller
public class UserController {

    @Autowired
    UserService userService;

    // ids arrives as a comma-separated string taken directly from the request
    @RequestMapping("gets")
    @ResponseBody
    public List<User> getUser(String ids) {
        List<String> idList = Arrays.asList(ids.split(","));
        return userService.gets(idList);
    }

}
2. UserService.java:
@Service
public interface UserService {

    List<User> gets(Collection<String> ids);

}
3. UserServiceImpl.java:
@Service
public class UserServiceImpl implements UserService {

    @Autowired
    UserMapper userMapper;

    @Override
    public List<User> gets(Collection<String> ids) {
        if (ids == null || ids.isEmpty())
            return new ArrayList<>();
        // joins the raw ids into a single quoted, comma-separated string
        // that selectByIds splices into the SQL IN (...) clause
        String concatIds = StringUtils.concat(ids, "'", ",");
        return (List<User>) userMapper.selectByIds(concatIds);
    }

}
4. UserMapper.java:
@org.apache.ibatis.annotations.Mapper
public interface UserMapper extends Mapper, MySqlMapper, IdsMapper {

}
5. Access the /gets route in the above demo to perform a SQL injection attack:
(1) Under normal circumstances, when the ids parameter is passed as 1,2, the rows with id 1 and 2 are returned.
(2) But when the ids parameter value is 1') or 1=1-- -, you get all the data in the database.
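A hardened version of the service and mapper from the demo above, added here as an example and not code from the report or from the Mapper project. It assumes a numeric primary key and a table named user, and replaces the concatenated-string call with a strict id whitelist plus a MyBatis foreach that binds every id as a JDBC parameter; the selectByIdList method and SafeUserServiceImpl class are hypothetical names.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.regex.Pattern;

import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Hypothetical mapper: each id is bound with #{id}, never spliced into the SQL text.
// Assumes the entity table is called "user" and the primary key column is "id".
interface SafeUserMapper extends tk.mybatis.mapper.common.Mapper<User> {
    @Select("<script>SELECT * FROM user WHERE id IN "
          + "<foreach collection='ids' item='id' open='(' separator=',' close=')'>#{id}</foreach>"
          + "</script>")
    List<User> selectByIdList(@Param("ids") List<Long> ids);
}

// Hardened counterpart of the demo's UserServiceImpl.gets().
public class SafeUserServiceImpl {

    // Only canonical non-negative integers of at most 18 digits are accepted, so
    // quotes, parentheses, comments and "or 1=1" can never reach the query.
    private static final Pattern ID = Pattern.compile("^(0|[1-9][0-9]{0,17})$");

    private final SafeUserMapper userMapper;

    public SafeUserServiceImpl(SafeUserMapper userMapper) {
        this.userMapper = userMapper;
    }

    /** Validates every id, then passes a typed list (not a string) to MyBatis. */
    public List<User> gets(Collection<String> ids) {
        if (ids == null || ids.isEmpty()) {
            return new ArrayList<>();
        }
        List<Long> safeIds = new ArrayList<>(ids.size());
        for (String raw : ids) {
            String id = raw == null ? "" : raw.trim();
            if (!ID.matcher(id).matches()) {
                // Reject the whole request rather than silently dropping the bad value.
                throw new IllegalArgumentException("invalid id: " + id);
            }
            safeIds.add(Long.parseLong(id));
        }
        return userMapper.selectByIdList(safeIds);
    }
}
```

With this service, the request ids=1') or 1=1-- - from step (2) fails validation before any SQL is built, while ids=1,2 still returns the two expected rows.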
