How to Detect and Exploit MyBatis SQL Injection Vulnerabilities – A Practical Guide
This article walks through the three most common MyBatis SQL injection patterns (LIKE, IN, and ORDER BY), explains why they occur, and gives a step-by-step, hands-on methodology for locating, reproducing, and confirming the flaws in a real Java CMS project.
Preface
SQL injection remains one of the most common web security flaws; although prepared statements and ORM frameworks reduce its prevalence in Java, misusing MyBatis can still introduce serious risks. This guide uses a real‑world MyBatis misuse case to illustrate how beginners can start auditing Java web applications.
1. MyBatis SQL Injection Basics
MyBatis allows SQL statements to be written either as annotations on mapper methods or, more commonly, in XML mapper files. Two parameter placeholders exist: #{} for prepared-statement parameters and ${} for direct substitution of the raw value into the SQL text.
<select id="queryAll" resultMap="resultMap">
SELECT * FROM NEWS WHERE ID = #{id}
</select>

#{} binds the value as a prepared-statement parameter (safe); ${} concatenates the raw input into the SQL string (dangerous).
Typical injection scenarios in MyBatis fall into three categories:
1) Fuzzy (LIKE) Queries
select * from news where title like '%#{title}%'

Written this way the placeholder ends up inside the string literal, so the driver sees a '?' that is not a real parameter and the query fails with a parameter-count error (the MySQL driver reports "Parameter index out of range"). Beginners often "fix" the error by replacing # with $, which concatenates the raw value and opens a SQL injection vector. The correct fix keeps the bound parameter and builds the pattern in SQL:

select * from news where title like concat('%', #{title}, '%')

2) IN Clause with Multiple Parameters

select * from news where id in (#{ids})

A comma-separated string bound with #{ids} arrives as a single string literal, so the statement does not behave like a real IN list; again the tempting shortcut is to swap # for $. The correct approach is <foreach>, which emits one bound placeholder per element:

id in
<foreach collection="ids" item="item" open="(" separator="," close=")">
#{item}
</foreach>

3) ORDER BY Clause

A bound parameter cannot name a column (order by #{col} sorts by a constant string), so ORDER BY is normally written with ${}. Map user-supplied column names to a whitelist of allowed values in the Java layer before they reach the mapper; without that check, any ${} in ORDER BY, including the order by ${orderByClause} that MyBatis Generator emits in its Example mappers, is an injection point.
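To make the difference between the two placeholders concrete, here is an added example (not code from the article, from MCMS, or from MyBatis itself). It models #{} as a bound JDBC parameter and ${} as plain text substitution, then runs the LIKE, IN and ORDER BY patterns from this section against a constructed SQLite table. The table contents, the payloads and the helper names are assumptions made for the demo; because SQLite has no concat(), the safe LIKE form uses || where the MySQL mapper would use concat('%', #{title}, '%').

```python
import re
import sqlite3

# Constructed sample table for the demo; not data from MCMS or any real project.
SCHEMA = """
CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, secret TEXT);
INSERT INTO news VALUES (1, 'hello world',  'flag-1');
INSERT INTO news VALUES (2, 'mybatis tips', 'flag-2');
INSERT INTO news VALUES (3, 'world news',   'flag-3');
"""

PLACEHOLDER = re.compile(r"([#$])\{(\w+)\}")

def render(template, params):
    """Simplified model of the two MyBatis placeholders:
    #{name} becomes a JDBC '?' with the value bound separately,
    ${name} is pasted into the SQL text exactly as supplied."""
    binds = []
    def sub(m):
        kind, name = m.groups()
        if kind == "#":
            binds.append(params[name])
            return "?"
        return str(params[name])
    return PLACEHOLDER.sub(sub, template), binds

def query(template, params):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    sql, binds = render(template, params)
    try:
        return conn.execute(sql, binds).fetchall()
    finally:
        conn.close()

# Closes the quoted LIKE pattern and appends a UNION that pulls the secret column.
LIKE_PAYLOAD = "x%' UNION SELECT id, secret FROM news WHERE '%'='"

def like_naive(title):
    # '%#{title}%' leaves the '?' inside a string literal: the driver sees zero
    # parameters but one bound value and fails. This error is what tempts
    # people to swap # for $.
    try:
        return query("SELECT id, title FROM news WHERE title LIKE '%#{title}%'", {"title": title})
    except sqlite3.ProgrammingError as e:
        return f"ERROR: {e}"

def like_vulnerable(title):
    # ${title} is string-concatenated, so the payload rewrites the statement.
    return query("SELECT id, title FROM news WHERE title LIKE '%${title}%'", {"title": title})

def like_safe(title):
    # Build the wildcard pattern in SQL around a bound value. SQLite uses ||;
    # the MySQL form from the article is CONCAT('%', #{title}, '%').
    return query("SELECT id, title FROM news WHERE title LIKE '%' || #{title} || '%'",
                 {"title": title})

def in_vulnerable(ids_csv):
    # IN (${ids}) with a comma-separated string "works", which is why it gets
    # written, but anything after a closing parenthesis is executed too.
    return query("SELECT id, title FROM news WHERE id IN (${ids})", {"ids": ids_csv})

def in_safe(ids):
    # What <foreach ... open="(" separator="," close=")">#{item}</foreach> produces:
    # one #{} placeholder per element, so every id is bound and none is pasted.
    names = [f"i{n}" for n in range(len(ids))]
    holes = ", ".join(f"#{{{n}}}" for n in names)
    return query(f"SELECT id, title FROM news WHERE id IN ({holes})", dict(zip(names, ids)))

ALLOWED_ORDER_COLUMNS = {"id", "title"}  # assumed whitelist for the demo

def order_by_safe(column):
    # A bound parameter cannot name a column (ORDER BY ? sorts by a constant),
    # so ${} is unavoidable here; the defence is a whitelist in application code.
    if column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"rejected ORDER BY column: {column!r}")
    return query("SELECT id, title FROM news ORDER BY ${col}", {"col": column})

if __name__ == "__main__":
    print("naive      :", like_naive("world"))
    print("vulnerable :", like_vulnerable(LIKE_PAYLOAD))
    print("safe       :", like_safe(LIKE_PAYLOAD))
    print("IN vuln    :", in_vulnerable("1) OR 1=1 --"))
    print("IN safe    :", in_safe([1, 3]))
    print("ORDER BY   :", order_by_safe("title"))
```

Run it and compare like_vulnerable(LIKE_PAYLOAD), which returns the secret column of every row, with like_safe(LIKE_PAYLOAD), which returns nothing because the whole payload is matched as a literal pattern; in_safe shows what <foreach> expands to, and order_by_safe shows the whitelist check that has to sit in front of any ${} in ORDER BY.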
2. Practical Auditing Steps
We used an open‑source CMS (MCMS) to demonstrate the workflow:
Import the project into IntelliJ IDEA: use "Get from Version Control" with the repository https://gitee.com/mingSoft/MCMS.git and let Maven resolve the dependencies.
Search for the ${ token: press Ctrl+Shift+F, limit the scope to .xml files, and look for occurrences of ${. Focus on mapper files ending in Dao.xml, e.g., IContentDao.xml.
Identify suspicious statements: examine the XML snippets found; many use ${} in LIKE, IN, or ORDER BY contexts.
Trace the mapping objects: search for the corresponding Java method (e.g., getSearchCount) to locate the DAO interface, its implementation, and the controller that handles the request.
Confirm the injection point: follow the call chain up to the controller (e.g., McmsAction) and observe that the parameter is read straight from SpringUtil.getRequest() with BasicUtil.getString and passed down to the mapper without any sanitization.
Validate the vulnerability: run the application and send a request such as
http://localhost:8080/ms-mcms/mcms/search.do?categoryId=1') or updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)#
When sending it from a browser, URL-encode the trailing # as %23; otherwise the browser treats it as a fragment and never transmits it. updatexml() fails with an XPath syntax error that echoes its argument, so the error text in the response reveals the MySQL version (e.g., 5.7.27), confirming the injection.
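Steps two to four above are mechanical enough to script. The following is an added example, not a tool from the article or from the MCMS project: it parses mapper XML with the Python standard library, flattens each statement (including text inside <if>, <where> and <foreach>) to one line, and reports every ${...} together with the clause that precedes it, which is exactly the LIKE/IN/ORDER BY triage described above. The sample mapper embedded in it is constructed to mirror this section's patterns; its statement ids and columns are invented, and the default glob *Dao.xml in scan_tree is an assumption taken from the naming convention mentioned in step two.

```python
import re
from pathlib import Path
from xml.etree import ElementTree as ET

# Constructed mapper file for the demo, modelled on the article's three patterns.
# It is not a file from MCMS; the statement ids and columns are invented.
SAMPLE_MAPPER = """
<mapper namespace="example.INewsDao">
  <select id="queryAll" resultMap="resultMap">
    SELECT * FROM NEWS WHERE ID = #{id}
  </select>
  <select id="getSearchList" resultMap="resultMap">
    SELECT * FROM NEWS WHERE TITLE LIKE '%${title}%'
  </select>
  <select id="getByIds" resultMap="resultMap">
    SELECT * FROM NEWS WHERE ID IN (${ids})
  </select>
  <select id="list" resultMap="resultMap">
    SELECT * FROM NEWS
    <if test="orderBy != null">ORDER BY ${orderBy}</if>
  </select>
  <select id="getByIdsSafe" resultMap="resultMap">
    SELECT * FROM NEWS WHERE ID IN
    <foreach collection="ids" item="item" open="(" separator="," close=")">#{item}</foreach>
  </select>
</mapper>
"""

# <sql> fragments are included because ${} inside them is pulled in via <include>.
STATEMENT_TAGS = {"select", "insert", "update", "delete", "sql"}
DOLLAR = re.compile(r"\$\{([^}]+)\}")

# Heuristic: which SQL clause sits immediately before the ${...}.
CONTEXTS = [
    ("ORDER BY", re.compile(r"\bORDER\s+BY\b.{0,30}$", re.I)),
    ("IN", re.compile(r"\bIN\s*\(.{0,10}$", re.I)),
    ("LIKE", re.compile(r"\bLIKE\b.{0,30}$", re.I)),
]

def classify(prefix):
    for label, pat in CONTEXTS:
        if pat.search(prefix[-80:]):
            return label
    return "other"

def scan_mapper(xml_text, source="<string>"):
    """Return one finding per ${...} in a mapper: statement id, parameter, clause."""
    findings = []
    for stmt in ET.fromstring(xml_text):
        if stmt.tag not in STATEMENT_TAGS:
            continue
        # Flatten the statement, including text nested in <if>/<where>/<foreach>.
        sql = " ".join("".join(stmt.itertext()).split())
        for m in DOLLAR.finditer(sql):
            findings.append({
                "file": source,
                "id": stmt.get("id"),
                "param": m.group(1).strip(),
                "context": classify(sql[: m.start()]),
            })
    return findings

def scan_tree(root, pattern="*Dao.xml"):
    """Walk a checkout (e.g. the MCMS source) and scan every mapper matching pattern."""
    findings = []
    for path in sorted(Path(root).rglob(pattern)):
        findings.extend(scan_mapper(path.read_bytes(), str(path)))
    return findings

if __name__ == "__main__":
    for f in scan_mapper(SAMPLE_MAPPER):
        print(f"{f['id']:<14} ${{{f['param']}}}  in {f['context']} clause")
```

Each hit is a lead, not a confirmed bug: ${} is sometimes legitimate (a table name chosen from a fixed set, for instance), so every finding still needs the trace to the controller described in steps four and five. Pointing scan_tree at a checkout of the project replaces the manual Ctrl+Shift+F pass and leaves a list you can work through statement by statement.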
3. Summary
The essential steps for auditing MyBatis-based SQL injection are:
1. Focus on LIKE, IN, and ORDER BY constructs.
2. When SQL is written in XML, search for ${ and analyze each occurrence, especially those generated by MyBatis Generator.
3. The same principles apply to annotation-based SQL.
4. Perform rigorous parameter validation in Java, assuming all user input could be malicious.