
Auditing MyBatis SQL Injection Vulnerabilities: Common Pitfalls and Practical Steps

This article explains how to identify and exploit MyBatis‑based SQL injection vulnerabilities by examining XML and annotation mappings, covering common pitfalls such as fuzzy queries, IN clauses, and ORDER BY, and provides a step‑by‑step practical analysis using a real open‑source CMS project.

Top Architect

MyBatis allows SQL statements to be written either in annotations or in XML mapper files. Two parameter placeholders exist: #{} produces a bind parameter of a prepared statement (safe), while ${} splices the value into the SQL text as a string before it ever reaches the JDBC driver (unsafe). The audit question is therefore always the same: where does ${} appear, and who controls the value that lands in it?

Common injection scenarios:

1. Fuzzy query (LIKE)

The baseline form is safe: #{id} becomes a bind parameter of a prepared statement, and the value never touches the SQL text.

<select id="queryAll" resultMap="resultMap">
  SELECT * FROM NEWS WHERE ID = #{id}
</select>

For a fuzzy search the natural first attempt puts the placeholder inside the LIKE pattern:

select * from news where title like '%#{title}%'

This fails, because the placeholder now sits inside a string literal: the driver receives the literal '%?%' and no parameter at all, and the statement errors out with a parameter-index mismatch. Developers then replace # with $ "to make it work", and from that point the user's input is concatenated straight into the SQL:

select * from news where title like '%${title}%'

The correct, safe version keeps the #{} placeholder and builds the pattern in SQL with concat:

select * from news where title like concat('%', #{title}, '%')

The value is still a bound parameter. Note that % and _ inside the input remain LIKE wildcards; that is a matching quirk rather than injection, and can be escaped if it matters for the application.

2. IN clause with multiple parameters

select * from news where id in (#{ids})

Using #{} here also fails, for the opposite reason: the whole comma-separated string "1,2,3" is bound as a single value, so the database compares id with the text '1,2,3' and matches nothing. Switching to ${ids} makes the query work and makes it injectable. The proper solution is to pass a collection (List or array) and let the <foreach> tag emit one #{} bind per element:

id in
<foreach collection="ids" item="item" open="(" separator="," close=")">
  #{item}
</foreach>

3. ORDER BY clause

Here #{} fails silently rather than with an error: ORDER BY #{column} binds a string constant, so every row gets the same sort key and the ordering has no effect at all. Column names cannot be parameterised, which is why ${column} is so common in ORDER BY, and whatever reaches it is executed as SQL. For dynamic ordering, keep the allowed column names on the Java side and let the client choose only an index (or key) into that map, so the name that reaches the SQL is always one of the whitelisted values. MyBatis Generator is a frequent source of this pattern: its generated selectByExample statements carry order by ${orderByClause}, so every caller that populates orderByClause must be reviewed.
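The three failure modes above, and the injection each one invites, as an added example that is not code from the original article or from MyBatis. It models the two placeholders in Python over an in-memory SQLite table: #{} becomes a '?' bind parameter, ${} is spliced into the SQL text. The NEWS table and its three rows are constructed sample data; SQLite is used in place of MySQL, so the safe LIKE uses '||' where MySQL uses concat(), and the bind-count error surfaces as sqlite3.ProgrammingError where a JDBC driver would report a parameter-index error.

```python
"""Model of MyBatis #{} versus ${} over an in-memory SQLite table.

Added example; not code from the original article or from MyBatis.
  #{name} -> a '?' bind parameter, as a JDBC PreparedStatement sends it
  ${name} -> raw text spliced into the SQL before the driver sees it
NEWS and its rows are constructed sample data. SQLite writes '||' where MySQL
writes concat() and raises ProgrammingError where JDBC reports a bad index.
"""
import re
import sqlite3

Q = "SELECT ID FROM NEWS"
# ORDER BY allow-list: the client may only send an index into this map.
ORDER_COLUMNS = {0: "ID", 1: "TITLE"}

def render(sql, params):
    # ${x}: interpolated verbatim (unsafe); #{x}: '?' plus a bind value (safe).
    text = re.sub(r"\$\{(\w+)\}", lambda m: str(params[m.group(1)]), sql)
    binds = []
    def bind(m):
        binds.append(params[m.group(1)])
        return "?"
    return re.sub(r"#\{(\w+)\}", bind, text), binds

def query_ids(conn, sql, params):
    text, binds = render(sql, params)
    return [row[0] for row in conn.execute(text, binds)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE NEWS (ID INTEGER PRIMARY KEY, TITLE TEXT, SECRET TEXT)")
    conn.executemany("INSERT INTO NEWS VALUES (?, ?, ?)",
                     [(1, "gamma", "s1"), (2, "alpha", "s2"), (3, "beta", "s3")])
    return conn

# 1. LIKE: '%#{title}%' leaves the '?' inside a string literal, so the driver
#    sees zero parameters and rejects the bind (the error that pushes people
#    to ${title}); concat('%', #{title}, '%') keeps the value bound.
def like_hash_in_literal(conn, title):
    try:
        return query_ids(conn, Q + " WHERE TITLE LIKE '%#{title}%'", {"title": title})
    except sqlite3.ProgrammingError:
        return "bind error"
def like_dollar(conn, title):
    return query_ids(conn, Q + " WHERE TITLE LIKE '%${title}%'", {"title": title})
def like_concat(conn, title):
    return query_ids(conn, Q + " WHERE TITLE LIKE '%' || #{title} || '%'", {"title": title})

# 2. IN: (#{ids}) binds the whole string "1,2" as one value, so ID is compared
#    with the text '1,2' and nothing matches; (${ids}) works and is injectable;
#    <foreach> expands to one '?' per element, each bound separately.
def in_hash_single(conn, ids):
    return query_ids(conn, Q + " WHERE ID IN (#{ids})", {"ids": ids})
def in_dollar(conn, ids):
    return query_ids(conn, Q + " WHERE ID IN (${ids})", {"ids": ids})
def in_foreach(conn, ids):
    marks = ",".join("?" for _ in ids)
    return [row[0] for row in conn.execute(Q + f" WHERE ID IN ({marks})", ids)]

# 3. ORDER BY: #{column} binds a string constant, so every row gets the same
#    sort key and the order is untouched; ${column} lets a CASE expression leak
#    a boolean about other rows through the result order; the fix maps a
#    client-supplied index to a whitelisted name before it reaches the SQL.
def order_dollar(conn, column):
    return query_ids(conn, Q + " ORDER BY ${column}", {"column": column})
def order_allowlisted(conn, index):
    try:
        column = ORDER_COLUMNS[int(index)]
    except (KeyError, ValueError, TypeError):
        raise ValueError("unknown sort column") from None
    return query_ids(conn, Q + " ORDER BY ${column}", {"column": column})
def allowlist_rejects(conn, index):
    try:
        order_allowlisted(conn, index)
        return False
    except ValueError:
        return True

def demo():
    """Run every case against fresh sample data; keys name the pattern."""
    conn = make_db()
    payload = "%' OR 1=1 --"
    probe = "(CASE WHEN (SELECT SECRET FROM NEWS WHERE ID=1)='s1' THEN ID ELSE TITLE END)"
    return {
        "like_hash": like_hash_in_literal(conn, "beta"),
        "like_dollar": sorted(like_dollar(conn, payload)),
        "like_concat_payload": like_concat(conn, payload),
        "like_concat_plain": like_concat(conn, "bet"),
        "in_hash": in_hash_single(conn, "1,2"),
        "in_dollar": sorted(in_dollar(conn, "1) OR 1=1 --")),
        "in_foreach": in_foreach(conn, [1, "2) OR 1=1 --"]),
        "order_hash": render(Q + " ORDER BY #{column}", {"column": "TITLE"}),
        "order_probe_true": order_dollar(conn, probe),
        "order_probe_false": order_dollar(conn, probe.replace("'s1'", "'zz'")),
        "order_allowlisted": order_allowlisted(conn, "1"),
        "order_rejects_name": allowlist_rejects(conn, "TITLE"),
    }
```

demo() returns the result of every case in one dict: the LIKE payload returns all three rows through ${} and nothing through concat, the IN payload returns all rows through ${} and only the legitimate id through the foreach expansion, and the ORDER BY probe returns [1, 2, 3] when the guessed SECRET is right and [2, 3, 1] when it is wrong, which is exactly the oracle a blind attacker reads from a sortable listing.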

Practical analysis steps:

1. Import the target open-source CMS project (e.g., https://gitee.com/mingSoft/MCMS.git ) into IDEA and let Maven resolve dependencies.

2. Use Find in Files (Ctrl+Shift+F) with the file mask *.xml and search for ${ rather than a bare $ : this lists every interpolation placeholder and skips the many other uses of the character.

3. Identify the DAO mapper files (e.g., IContentDao.xml ) and examine each SQL statement containing ${ , noting which clause the placeholder sits in (LIKE, IN, ORDER BY, or something else).

4. Trace the corresponding Java interfaces and implementation classes (e.g., IContentDao.java , IContentDaoImpl.java ) back to the controller that receives the front-end parameter, and check whether anything between the request and the mapper validates or whitelists the value.

5. Confirm the vulnerability by sending a crafted request such as http://localhost:8080/ms-mcms/mcms/search.do?categoryId=1') or updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)# . The payload closes the quoted value and the parenthesis the parameter sits in, updatexml() then raises an error whose message carries the result of SELECT @@version between the 0x7e (~) markers, and # comments out the rest of the statement; the MySQL version in the response proves injection. Send the payload URL-encoded: a literal # typed into a browser address bar starts the fragment and is never sent to the server, so it must go as %23 (and spaces as %20 or +).

Images illustrating the IDE steps and search results are included in the original article.
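Steps 2 and 3 above, the search for ${ and the per-statement triage, as an added scanner that is not code from the original article or from the MCMS project. It parses each mapper XML, joins the SQL text of every statement (including text nested in dynamic tags such as <if> and <foreach>, which a plain text search shows but does not attribute to a statement), and reports each ${name} with its statement id and the clause it sits in, so LIKE, IN and ORDER BY hits are reviewed first. MAPPER_XML is constructed sample input, its namespace example.dao.IContentDao is hypothetical, and the clause labelling in CLAUSES is a keyword heuristic, not a SQL parser.

```python
"""Scanner for ${} placeholders in MyBatis mapper XML.

Added example; not code from the original article or from MCMS. MAPPER_XML is
constructed sample input with a hypothetical namespace. Clause labels come from
the nearest preceding keyword, which is enough for triage but is not a parser.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

STATEMENT_TAGS = {"select", "insert", "update", "delete", "sql"}
DOLLAR = re.compile(r"\$\{\s*([^}]+?)\s*\}")
# Clause keyword nearest before the placeholder decides its label.
CLAUSES = (("order by", "ORDER BY"), (" in ", "IN"), (" like ", "LIKE"), (" limit ", "LIMIT"))

MAPPER_XML = """<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
  "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="example.dao.IContentDao">
  <select id="queryAll" resultMap="resultMap">
    SELECT * FROM NEWS WHERE ID = #{id}
  </select>
  <select id="queryByTitle" resultMap="resultMap">
    SELECT * FROM NEWS WHERE TITLE LIKE '%${title}%'
  </select>
  <select id="queryByIds" resultMap="resultMap">
    SELECT * FROM NEWS WHERE ID IN (${ids})
  </select>
  <select id="queryByIdsSafe" resultMap="resultMap">
    SELECT * FROM NEWS WHERE ID IN
    <foreach collection="ids" item="item" open="(" separator="," close=")">#{item}</foreach>
  </select>
  <select id="selectByExample" resultMap="resultMap">
    SELECT * FROM NEWS
    <if test="orderByClause != null">ORDER BY ${orderByClause}</if>
  </select>
</mapper>
"""


def classify(sql_before):
    """Label a placeholder by the last clause keyword preceding it."""
    s = sql_before.lower()
    label, best = "OTHER", -1
    for needle, name in CLAUSES:
        pos = s.rfind(needle)
        if pos > best:
            label, best = name, pos
    return label


def scan_mapper(xml_text, path="<string>"):
    """Return one finding per ${} in the mapper's statements."""
    root = ET.fromstring(xml_text)
    findings = []
    for stmt in root:
        if stmt.tag not in STATEMENT_TAGS:
            continue
        # itertext() includes text nested in <if>, <foreach>, <where>, ...
        sql = " ".join("".join(stmt.itertext()).split())
        for m in DOLLAR.finditer(sql):
            findings.append({
                "file": path,
                "namespace": root.get("namespace", ""),
                "statement": stmt.get("id"),
                "param": m.group(1),
                "clause": classify(sql[:m.start()]),
                "snippet": sql[max(0, m.start() - 30):m.end()],
            })
    return findings


def scan_directory(root_dir):
    """Walk a checked-out project and scan every mapper XML under it."""
    findings = []
    for path in Path(root_dir).rglob("*.xml"):
        text = path.read_text(encoding="utf-8", errors="replace")
        if "<mapper" not in text or "${" not in text:
            continue  # not a mapper, or nothing to report
        try:
            findings.extend(scan_mapper(text, str(path)))
        except ET.ParseError as err:
            print(f"{path}: unparsable, review by hand ({err})")
    return findings


if __name__ == "__main__":
    import sys
    hits = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_mapper(MAPPER_XML)
    for h in hits:
        print(f"{h['file']}:{h['statement']}  ${{{h['param']}}}  [{h['clause']}]  ...{h['snippet']}")
```

Run it with the project root as the argument to scan a real checkout, or without arguments to scan the embedded sample, which yields three findings (queryByTitle/LIKE, queryByIds/IN, selectByExample/ORDER BY) and correctly skips the #{} in queryAll and the foreach in queryByIdsSafe. Each finding's statement id is the name to grep for in the DAO interface and implementation in step 4.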

Conclusion:

1. When auditing MyBatis, focus on the three risky patterns: LIKE, IN, and ORDER BY.
2. For XML-based SQL, filter files by the $ symbol and review each occurrence, especially those generated by MyBatis Generator.
3. Annotation-based SQL follows the same principles: ${} inside an @Select or @Update string is exactly as dangerous as in XML.
4. On the Java side, always validate and sanitize user inputs, assuming they may be malicious.
Tags: Java, MyBatis, security, SQL injection, vulnerability assessment
Written by Top Architect

Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large-scale distributed, and high-availability architectures, plus architecture adjustments using internet technologies. We welcome idea-driven, sharing-oriented architects to exchange and learn together.