How to Detect and Exploit MyBatis SQL Injection Vulnerabilities in Java Applications

This guide explains common MyBatis‑related SQL injection patterns such as fuzzy LIKE queries, improper IN clause handling, and unsafe ORDER BY usage, and walks through a practical step‑by‑step analysis of a real Java CMS project to locate and confirm the vulnerabilities.

Programmer DD

Introduction

SQL injection remains one of the most common web security issues; although Java’s prepared statements and ORM frameworks have reduced its prevalence, misuse of MyBatis can still introduce serious injection risks.

Newcomers to code auditing often feel intimidated by the many Java web frameworks. Using MyBatis as an example, this article demonstrates how improper usage can lead to SQL injection.

1. MyBatis SQL Injection

MyBatis allows SQL statements to be written either via annotations on methods or in XML mapper files.

Two parameter placeholders are supported in XML: #{} (safe: the value is bound as a prepared-statement parameter) and ${} (unsafe: the raw input is concatenated into the SQL text).

<select id="queryAll" resultMap="resultMap">SELECT * FROM NEWS WHERE ID = #{id}</select>

Using ${} leads to direct string concatenation and therefore to potential injection.

1) Fuzzy query (LIKE)

select * from news where title like '%#{title}%'

Because the placeholder sits inside a quoted string literal, this query does not work as intended; novice developers may then replace # with $ to make the error go away, creating an injection point.

Correct approach:

select * from news where title like concat('%', #{title}, '%')

2) Multiple parameters after IN

select * from news where id in (#{ids})

The proper solution is to use <foreach> instead of replacing # with $:

id in <foreach collection="ids" item="item" open="(" separator="," close=")">#{item}</foreach>

3) ORDER BY clause

When the ORDER BY field is supplied by the user, map the input to a whitelist of allowed column names in Java code, since a column name cannot be bound as a prepared-statement parameter. Note that MyBatis-generator may emit ${} for ORDER BY, which can be vulnerable.
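As an added example (not code from the article or from the MCMS project it audits), here are the three patterns written as an annotation-based mapper, which the article says needs the same vigilance as XML, together with the Java-side whitelist it recommends for ORDER BY; the NewsMapper and NewsQueryService names, the news table and its column names are assumptions.

```java
import java.util.List;
import java.util.Map;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Hypothetical annotation-based MyBatis mapper (not from the article's CMS).
// Every user-controlled value goes through #{} so it is bound as a JDBC parameter.
public interface NewsMapper {

    // LIKE: the wildcards are added in SQL with concat(), so #{} still works.
    // The vulnerable form the article warns about would be: like '%${title}%'
    @Select("SELECT id, title FROM news WHERE title LIKE concat('%', #{title}, '%')")
    List<Map<String, Object>> searchByTitle(@Param("title") String title);

    // IN: <foreach> expands to (?, ?, ?) and binds each id, instead of in (${ids}).
    @Select("<script>"
          + "SELECT id, title FROM news WHERE id IN "
          + "<foreach collection='ids' item='item' open='(' separator=',' close=')'>#{item}</foreach>"
          + "</script>")
    List<Map<String, Object>> findByIds(@Param("ids") List<Long> ids);

    // ORDER BY: a column name cannot be a bound parameter, so ${} is unavoidable here.
    // The caller must only pass a value that came out of the whitelist below.
    @Select("SELECT id, title FROM news ORDER BY ${orderBy} ${direction}")
    List<Map<String, Object>> listOrdered(@Param("orderBy") String orderBy,
                                          @Param("direction") String direction);
}

class NewsQueryService {
    // Map user-facing sort keys to fixed column names (assumed schema); anything else is rejected.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "date", "publish_date",
            "title", "title",
            "hits", "hit_count");

    private final NewsMapper mapper;
    NewsQueryService(NewsMapper mapper) { this.mapper = mapper; }

    List<Map<String, Object>> list(String sortKey, boolean descending) {
        String column = SORT_COLUMNS.get(sortKey);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort key: " + sortKey);
        }
        // Both fragments come from constants, never from the request string itself.
        return mapper.listOrdered(column, descending ? "DESC" : "ASC");
    }
}
```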

2. Practical Analysis Steps

We use an open-source CMS to demonstrate the audit process; it is a suitable target for practising the tracing of Java SQL injection issues from mapper to controller.

Import the project in IDEA via Get from Version Control using the repository https://gitee.com/mingSoft/MCMS.git and let Maven resolve dependencies.

Search for the $ symbol in XML files (Ctrl+Shift+F, filtered to .xml files).

Identify mapper files ending with Dao.xml, e.g., IContentDao.xml, and locate suspicious SQL statements.

Trace the corresponding select IDs to the Java DAO interfaces (IContentDao.java) and their implementations (IContentDaoImpl.java), then follow the call chain to the controller (McmsAction.java).

Observe that the controller receives raw parameters via BasicUtil.getString without validation, leading to an injection point.

Run the application and craft a malicious request such as:

http://localhost:8080/ms-mcms/mcms/search.do?categoryId=1') or updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)#

The response returns the MySQL version 5.7.27, confirming the vulnerability.

3. Summary

Key takeaways for auditing MyBatis SQL injection:

1. Focus on the three risky patterns: LIKE, IN, and ORDER BY.
2. When SQL is written in XML, search for the $ symbol and examine each occurrence, especially those generated by MyBatis-generator.
3. Annotation-based SQL requires the same vigilance.
4. Always validate and whitelist parameters at the Java layer, assuming user input is malicious.
Written by Programmer DD, a tinkering programmer and author of "Spring Cloud Microservices in Action".