sql注入hook不全的问题 #8

feng3 · 2017-09-14T01:44:50Z

测试发现，对于以下的sql注入漏洞，是无法检测的：

	String username = request.getParameter("username");
	String order = request.getParameter("order");
	String sql= "select host,user from user where user=? order by host "+order;
	//System.out.println(sql);
	PreparedStatement preState = conn.prepareStatement(sql);
	preState.setString(1, username);
	ResultSet rs = preState.executeQuery();

其根源在于未hook预编译相关的方法。
对于mysql来说可以通过以下方式来解决：
添加SQLConnectionHook类（这里只覆盖了mysql，其他的请官方补充吧）

public class SQLConnectionHook extends AbstractClassHook {
    private String type;
    private String[] exceptions;
    /**
     * (none-javadoc)
     *
     * @see com.fuxi.javaagent.hook.AbstractClassHook#getType()
     */
    @Override
    public String getType() {
        return "sql";
    }
    @Override
    public boolean isClassMatched(String className) {
        /* MySQL */
        if ("com/mysql/jdbc/ConnectionImpl".equals(className)
                || "com/mysql/cj/jdbc/ConnectionImpl".equals(className)) {
            this.type = "mysql";
            this.exceptions = new String[]{"java/sql/SQLException"};
            return true;
        }
        /* SQLite */
 
        /* Oracle */
 
        /* SQL Server */
 
        /* PostgreSQL */
 
        return false;
    }
    @Override
    protected MethodVisitor hookMethod(int access, String name, String desc, String signature, String[] exceptions, MethodVisitor mv) {
        boolean hook = false;
        if (name.equals("prepareStatement") && Arrays.equals(exceptions, this.exceptions)) {
            if (desc.equals("(Ljava/lang/String;)Ljava/sql/PreparedStatement;")
                    ) {
                hook = true;
            }
        } 
        return hook ? new AdviceAdapter(Opcodes.ASM5, mv, access, name, desc) {
            @Override
            protected void onMethodEnter() {
                push(type);
                loadArg(0);
                invokeStatic(Type.getType(HookHandler.class),
                        new Method("checkSQL", "(Ljava/lang/String;Ljava/lang/String;)V"));
            }
        } : mv;
    }
}

The text was updated successfully, but these errors were encountered:

CaledoniaProject · 2017-09-29T05:42:11Z

如QQ群里讨论，预计在0.30版本增加（下个版本0.20）

CaledoniaProject · 2018-04-25T02:56:39Z

放 v0.31 了，测试下没有性能的话，问题我们就加上

CaledoniaProject · 2018-05-09T09:21:42Z

由 @feng 反馈，建议把spring data jpa、hibernate等主流持久层框架都测一遍

CaledoniaProject · 2018-07-26T02:58:48Z

已经正式支持 prepared statement，关闭这个 ISSUE

CaledoniaProject added the enhancement label Sep 29, 2017

CaledoniaProject added this to the 0.30 milestone Sep 29, 2017

CaledoniaProject modified the milestones: 0.30, 0.29 Nov 10, 2017

CaledoniaProject modified the milestones: 0.29, 0.23 Dec 11, 2017

soulfy mentioned this issue Mar 9, 2018

关于sql Hook问题 #104

Closed

CaledoniaProject closed this as completed Jul 26, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

sql注入hook不全的问题 #8

sql注入hook不全的问题 #8

feng3 commented Sep 14, 2017 •

edited by CaledoniaProject

Loading

CaledoniaProject commented Sep 29, 2017

CaledoniaProject commented Apr 25, 2018

CaledoniaProject commented May 9, 2018

CaledoniaProject commented Jul 26, 2018

sql注入hook不全的问题 #8

sql注入hook不全的问题 #8

Comments

feng3 commented Sep 14, 2017 • edited by CaledoniaProject Loading

CaledoniaProject commented Sep 29, 2017

CaledoniaProject commented Apr 25, 2018

CaledoniaProject commented May 9, 2018

CaledoniaProject commented Jul 26, 2018

feng3 commented Sep 14, 2017 •

edited by CaledoniaProject

Loading