SQL注入绕过：执行顺序问题分析与防御<\/h1>

0x00 背景与漏洞概述<\/h2>
本案例展示了一个由于执行顺序问题导致的SQL注入绕过场景。目标应用使用MyBatis进行SQL交互，部分业务接口通过`order by ${_parameter} desc<\/code>实现排序功能，这种动态SQL拼接方式存在SQL注入风险。<\/p>`

关键漏洞代码<\/h3>
order by ${<\/span>_parameter}<\/span> desc  \/\/ 直接拼接用户输入，存在SQL注入风险
<\/span><\/span><\/span><\/code><\/pre>0x01 现有防御措施分析<\/h2>
应用通过过滤器(Filter)对用户参数进行SQL注入检查：<\/p>
过滤器实现<\/h3>
@Override<\/span>
<\/span><\/span>public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest servletRequest,<\/span> ServletResponse servletResponse,<\/span> FilterChain chain)<\/span> 
<\/span><\/span>    throws<\/span> IOException,<\/span> ServletException {<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取请求参数
<\/span><\/span><\/span><\/span>    Map<<\/span>String,<\/span> Object><\/span> paramsMaps =<\/span> new<\/span> TreeMap<>();<\/span>
<\/span><\/span>    if<\/span> (<\/span>"POST"<\/span>.<\/span>equals<\/span>(<\/span>req.<\/span>getMethod<\/span>().<\/span>toUpperCase<\/span>()))<\/span> {<\/span>
<\/span><\/span>        String body =<\/span> requestWrapper.<\/span>getBody<\/span>();<\/span>
<\/span><\/span>        paramsMaps =<\/span> JSONObject.<\/span>parseObject<\/span>(<\/span>body,<\/span> TreeMap.<\/span>class<\/span>);<\/span>
<\/span><\/span>    }<\/span> else<\/span> {<\/span>
<\/span><\/span>        \/\/ GET请求处理
<\/span><\/span><\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    \/\/ 校验SQL注入
<\/span><\/span><\/span><\/span>    for<\/span> (<\/span>Object o :<\/span> paramsMaps.<\/span>entrySet<\/span>())<\/span> {<\/span>
<\/span><\/span>        Map.<\/span>Entry<\/span> entry =<\/span> (<\/span>Map.<\/span>Entry<\/span>)<\/span> o;<\/span>
<\/span><\/span>        Object value =<\/span> entry.<\/span>getValue<\/span>();<\/span>
<\/span><\/span>        if<\/span> (<\/span>value !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            boolean<\/span> isValid =<\/span> checkSqlInject(<\/span>value.<\/span>toString<\/span>(),<\/span> servletResponse);<\/span>
<\/span><\/span>            if<\/span> (!<\/span>isValid)<\/span> return<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    chain.<\/span>doFilter<\/span>(<\/span>requestWrapper,<\/span> servletResponse);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>SQL注入检查方法<\/h3>
private<\/span> static<\/span> final<\/span> String SQL_REGX =<\/span> ".*(\\b(select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|drop|execute)\\b).*"<\/span>;<\/span>
<\/span><\/span>
<\/span><\/span>private<\/span> boolean<\/span> checkSqlInject<\/span>(<\/span>String value,<\/span> ServletResponse servletResponse)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    if<\/span> (<\/span>null<\/span> !=<\/span> value &&<\/span> value.<\/span>matches<\/span>(<\/span>SQL_REGX))<\/span> {<\/span>
<\/span><\/span>        \/\/ 拦截并返回错误
<\/span><\/span><\/span><\/span>        return<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> true<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x02 拦截器实现分析<\/h2>
应用还存在一个拦截器(Interceptor)，在其preHandle方法中使用Jsoup对所有用户输入进行HTML净化：<\/p>
拦截器实现<\/h3>
@Override<\/span>
<\/span><\/span>public<\/span> boolean<\/span> preHandle<\/span>(<\/span>HttpServletRequest request,<\/span> HttpServletResponse response,<\/span> Object handler)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    \/\/ 对请求参数进行HTML净化
<\/span><\/span><\/span><\/span>    for<\/span> (<\/span>String key :<\/span> request.<\/span>getParameterMap<\/span>().<\/span>keySet<\/span>())<\/span> {<\/span>
<\/span><\/span>        String value =<\/span> request.<\/span>getParameter<\/span>(<\/span>key);<\/span>
<\/span><\/span>        value =<\/span> sanitizeInput(<\/span>value);<\/span> 
<\/span><\/span>        request.<\/span>getParameterMap<\/span>().<\/span>replace<\/span>(<\/span>key,<\/span> value);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> true<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> static<\/span> String sanitizeInput<\/span>(<\/span>String strHtml)<\/span> {<\/span>
<\/span><\/span>    String cleaned =<\/span> ""<\/span>;<\/span>
<\/span><\/span>    if<\/span> (<\/span>StringUtil.<\/span>isNotBlank<\/span>(<\/span>strHtml)){<\/span>
<\/span><\/span>        cleaned =<\/span> Jsoup.<\/span>clean<\/span>(<\/span>strHtml,<\/span> whitelist);<\/span>
<\/span><\/span>        return<\/span> cleaned;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> cleaned;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x03 执行顺序分析<\/h2>
Java Web请求处理流程<\/h3>

过滤器(Filter)<\/strong>：Servlet容器级别，最先执行<\/li>
拦截器(Interceptor)<\/strong>：在DispatcherServlet中处理，Controller之前执行<\/li>
Controller<\/strong>：业务逻辑处理<\/li>
Service<\/strong>：业务服务层<\/li>
<\/ol>
具体调用链<\/h3>

Tomcat的StandardWrapperValve#invoke()<\/code>创建FilterChain<\/li>
ApplicationFilterFactory.createFilterChain<\/code>创建并执行过滤器链<\/li>
所有过滤器执行完毕后，调用servlet.service(request, response)<\/code><\/li>
Spring MVC的DispatcherServlet<\/code>处理请求<\/li>
在getHandlerExecutionChain<\/code>中添加并执行拦截器<\/li>
执行Controller方法<\/li>
<\/ol>
0x04 绕过原理<\/h2>
由于过滤器先于拦截器执行，攻击者可构造特殊输入绕过SQL注入检查：<\/p>

输入：selec<\/script>t<\/code><\/li>
过滤器检查：不匹配SQL_REGX<\/code>正则（因为被<\/script><\/code>分隔）<\/li>
拦截器处理：Jsoup清理HTML标签后变为select<\/code><\/li>
最终SQL执行：order by select desc<\/code>，成功注入<\/li>
<\/ol>
示例代码<\/h3>
public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    String value =<\/span> "selec<\/script>t"<\/span>;<\/span>
<\/span><\/span>    System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"用户输入:"<\/span>+<\/span>value);<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 过滤器检查
<\/span><\/span><\/span><\/span>    if<\/span> (<\/span>null<\/span> !=<\/span> value &&<\/span> value.<\/span>matches<\/span>(<\/span>SQL_REGX))<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> Exception(<\/span>"SQL注入拦截"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 拦截器处理
<\/span><\/span><\/span><\/span>    String cleaned =<\/span> Jsoup.<\/span>clean<\/span>(<\/span>value,<\/span> whitelist);<\/span>
<\/span><\/span>    System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"处理后:"<\/span>+<\/span>cleaned);<\/span>  \/\/ 输出: select
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x05 防御建议<\/h2>


参数化查询<\/strong>：避免直接拼接SQL，使用预编译语句<\/p>
order by #<\/span>{<\/span>parameter}<\/span> desc  \/\/ 使用#{}而非${}
<\/span><\/span><\/span><\/code><\/pre><\/li>

防御措施执行顺序<\/strong>：确保净化操作在检查之前执行<\/p>
<\/li>

完善正则检测<\/strong>：<\/p>

添加对HTML标签的检测<\/li>
使用更严格的关键字匹配模式<\/li>
<\/ul>
<\/li>

统一防御层<\/strong>：将安全措施集中到同一层（如全部放在过滤器或拦截器）<\/p>
<\/li>

白名单校验<\/strong>：对于order by字段，只允许特定字段名<\/p>
<\/li>

日志监控<\/strong>：记录所有拦截的请求，便于分析攻击尝试<\/p>
<\/li>
<\/ol>
0x06 其他潜在问题<\/h2>

JSON请求处理<\/strong>：过滤器与Controller的JSON解析可能存在差异<\/li>
请求方法转换<\/strong>：GET请求在特定注解下可转为POST请求<\/li>
多阶段处理<\/strong>：参数在不同处理阶段可能被多次编码\/解码<\/li>
<\/ol>
0x07 总结<\/h2>
本案例展示了由于安全措施执行顺序不当导致的SQL注入绕过。关键在于：<\/p>

理解Filter和Interceptor的执行顺序差异<\/li>
净化操作应在检查之前执行<\/li>
防御措施需要全面考虑各种输入变形<\/li>
优先使用参数化查询等根本解决方案<\/li>
<\/ul>
通过全面分析执行流程和安全措施的交互，可以有效预防此类安全问题。<\/p>

SQL注入绕过：执行顺序问题分析与防御<\/h1>

0x00 背景与漏洞概述<\/h2> 本案例展示了一个由于执行顺序问题导致的SQL注入绕过场景。目标应用使用MyBatis进行SQL交互，部分业务接口通过order by ${_parameter} desc<\/code>实现排序功能，这种动态SQL拼接方式存在SQL注入风险。<\/p>

0x01 现有防御措施分析<\/h2> 应用通过过滤器(Filter)对用户参数进行SQL注入检查：<\/p>

0x02 拦截器实现分析<\/h2> 应用还存在一个拦截器(Interceptor)，在其preHandle方法中使用Jsoup对所有用户输入进行HTML净化：<\/p>

0x03 执行顺序分析<\/h2>

0x00 背景与漏洞概述<\/h2>
本案例展示了一个由于执行顺序问题导致的SQL注入绕过场景。目标应用使用MyBatis进行SQL交互，部分业务接口通过`order by ${_parameter} desc<\/code>实现排序功能，这种动态SQL拼接方式存在SQL注入风险。<\/p>`

0x01 现有防御措施分析<\/h2>
应用通过过滤器(Filter)对用户参数进行SQL注入检查：<\/p>

0x02 拦截器实现分析<\/h2>
应用还存在一个拦截器(Interceptor)，在其preHandle方法中使用Jsoup对所有用户输入进行HTML净化：<\/p>