How to Spot and Exploit MyBatis SQL Injection Vulnerabilities

This guide walks through common MyBatis SQL injection patterns—like fuzzy queries, IN clauses, and ORDER BY misuse—showing how to locate vulnerable XML, trace the call chain, and confirm exploitation with a crafted request, providing practical steps for Java security auditors.

Java High-Performance Architecture

Preface

SQL injection is one of the most common web security vulnerabilities. In Java, the adoption of prepared statements and ORM frameworks has reduced many injection issues, but beginners often feel overwhelmed by the combination of multiple frameworks in Java web applications. This article uses a misuse of the MyBatis framework that leads to SQL injection as a concrete example to give newcomers a practical audit workflow.

1. MyBatis SQL Injection

MyBatis SQL statements can be written as annotations on methods or, more commonly, in XML mapper files. When writing XML, MyBatis supports two parameter placeholders: #{} is rendered as a JDBC ? and bound as a prepared-statement parameter, while ${} splices the value verbatim into the SQL text.

<select id="queryAll" resultMap="resultMap">
  SELECT * FROM NEWS WHERE ID = #{id}
</select>

Using # triggers prepared‑statement handling, while $ performs raw concatenation and can introduce injection.

1) Fuzzy query (LIKE)

Select * from news where title like '%#{title}%'

Because MyBatis turns #{title} into a ? placeholder, writing it inside the quoted literal produces '%?%', a string containing a literal question mark rather than a bind parameter, and the query fails with a parameter-count error. Beginners then replace # with $ to make the error disappear, which opens a SQL injection path.

Correct usage:

select * from news where title like concat('%', #{title}, '%')

2) Multiple parameters after IN

Select * from news where id in (#{ids})

A single #{ids} cannot bind a Java collection as one parameter, so the query fails. The proper approach is to use a foreach element, which emits one bound parameter per element, instead of substituting # with $:

id in
<foreach collection="ids" item="item" open="(" separator="," close=")">
  #{item}
</foreach>

3) ORDER BY clause

For ORDER BY, a column name cannot be a bind parameter, so the application should map user input to a whitelist of column names or indices in the Java layer and pass only the mapped value to the statement, ensuring only allowed fields are used. Note that MyBatis‑generator emits $ in the ORDER BY clause it generates (order by ${orderByClause}), which requires special attention.
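The three patterns above written as annotation-based mappers, together with the Java-layer whitelist the ORDER BY paragraph calls for. This is an added example, not code from MCMS or MyBatis; the News class, NewsMapper, NewsOrder and the column names are assumptions.

```java
import java.util.List;
import java.util.Map;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Added example, not MCMS code: the LIKE, IN and ORDER BY patterns as MyBatis
// annotation mappers, plus the Java-layer whitelist for ORDER BY.
// The News class, NewsMapper and the column names are assumptions.
class News {
    public Integer id;
    public String title;
    public Integer hits;
}

public interface NewsMapper {

    // LIKE: the wildcards are concatenated by the database, so #{} still
    // renders as a JDBC ? and the value is bound, never spliced into the SQL.
    @Select("SELECT * FROM news WHERE title LIKE CONCAT('%', #{title}, '%')")
    List<News> searchByTitle(@Param("title") String title);

    // IN: <script> enables dynamic SQL inside annotations; foreach emits one
    // bound parameter per element instead of a user-supplied "1,2,3" string.
    @Select("<script>"
          + "SELECT * FROM news WHERE id IN "
          + "<foreach collection='ids' item='item' open='(' separator=',' close=')'>"
          + "#{item}"
          + "</foreach>"
          + "</script>")
    List<News> findByIds(@Param("ids") List<Integer> ids);

    // ORDER BY: a column name cannot be a bind parameter, so ${} is the only
    // option. The value must come from NewsOrder below, never from the request.
    @Select("SELECT * FROM news ORDER BY ${orderColumn} ${direction}")
    List<News> listOrdered(@Param("orderColumn") String orderColumn,
                           @Param("direction") String direction);
}

// Maps request values onto a fixed set of column names; anything else is rejected.
final class NewsOrder {
    private static final Map<String, String> COLUMNS = Map.of(
        "title", "TITLE",
        "hits", "HITS",
        "id", "ID");

    static String column(String requested) {
        String col = requested == null ? null : COLUMNS.get(requested.toLowerCase());
        if (col == null) {
            throw new IllegalArgumentException("unsupported sort field");
        }
        return col;
    }

    // Only the two literal keywords can ever reach the SQL text.
    static String direction(String requested) {
        return "desc".equalsIgnoreCase(requested) ? "DESC" : "ASC";
    }
}
```

A controller would call newsMapper.listOrdered(NewsOrder.column(sortParam), NewsOrder.direction(dirParam)); the raw request values never reach the ${} placeholders, which is what makes the remaining ${} acceptable.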

2. Practical Audit Steps

1) Import the project into IDEA

In IDEA, click *Get from Version Control* and enter https://gitee.com/mingSoft/MCMS.git. Wait for Maven to download dependencies.

2) Search for the $ placeholder

Press Ctrl+Shift+F, filter for *.xml, and search for $. Files whose name contains *Dao* are likely targets; open IContentDao.xml and locate occurrences of $.
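The IDE search above can be scripted for larger code bases. The following is an added audit helper, not part of MCMS: it walks a directory of mapper XML files, reports every ${...} placeholder with its file, line and enclosing statement id, and ignores #{...}. The directory argument and the embedded sample mapper are constructed assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

// Added audit helper (not part of MCMS): lists every ${...} placeholder in
// mapper XML files together with the id of the enclosing statement, so each
// hit can be traced to its DAO method. Requires Java 16+ for records.
public class DollarScan {

    // Opening tag of a statement carrying an id attribute, e.g. <select id="queryAll" ...>
    private static final Pattern STATEMENT =
        Pattern.compile("<(select|insert|update|delete|sql)\\b[^>]*\\bid=\"([^\"]+)\"");
    // ${expr} placeholders; #{expr} is deliberately not matched
    private static final Pattern DOLLAR = Pattern.compile("\\$\\{([^}]+)\\}");

    public record Finding(String file, int line, String statementId, String expression) {}

    // Scans the text of one mapper file. The statement id is tracked per line,
    // so an opening tag split across lines would be reported under the previous id.
    public static List<Finding> scan(String file, String xml) {
        List<Finding> findings = new ArrayList<>();
        String currentId = "(none)";
        String[] lines = xml.split("\\r?\\n");
        for (int i = 0; i < lines.length; i++) {
            Matcher tag = STATEMENT.matcher(lines[i]);
            while (tag.find()) {
                currentId = tag.group(2);
            }
            Matcher dollar = DOLLAR.matcher(lines[i]);
            while (dollar.find()) {
                findings.add(new Finding(file, i + 1, currentId, dollar.group(1)));
            }
        }
        return findings;
    }

    // Constructed mapper fragment for a dry run; it is not taken from any real project.
    static final String SAMPLE =
          "<mapper namespace=\"demo.NewsDao\">\n"
        + "  <select id=\"countByCategory\" resultType=\"int\">\n"
        + "    SELECT COUNT(*) FROM news WHERE category_id IN (${categoryIds})\n"
        + "  </select>\n"
        + "  <select id=\"queryAll\" resultMap=\"resultMap\">\n"
        + "    SELECT * FROM news WHERE id = #{id} ORDER BY ${orderBy}\n"
        + "  </select>\n"
        + "</mapper>\n";

    public static void main(String[] args) throws IOException {
        List<Finding> findings = new ArrayList<>();
        if (args.length == 0) {
            findings.addAll(scan("SAMPLE", SAMPLE));
        } else {
            // Walk the given directory (e.g. src/main/resources) and scan every .xml file.
            try (Stream<Path> paths = Files.walk(Paths.get(args[0]))) {
                List<Path> xmlFiles = paths
                    .filter(p -> p.toString().endsWith(".xml"))
                    .collect(Collectors.toList());
                for (Path p : xmlFiles) {
                    findings.addAll(scan(p.toString(), Files.readString(p)));
                }
            }
        }
        for (Finding f : findings) {
            System.out.printf("%s:%d [%s] ${%s}%n", f.file(), f.line(), f.statementId(), f.expression());
        }
    }
}
```

Run without arguments it reports the two ${} placeholders in the constructed sample (countByCategory and queryAll) and skips the #{id} in the same statement; run with the project's resources directory it produces the list of statement ids to trace through the DAO interface, implementation and controller as in the next step.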

3) Trace the mapping object

Search for the method ID (e.g., getSearchCount) to find the corresponding DAO interface (IContentDao.java), its implementation (IContentDaoImpl.java), and the controller (McmsAction.java).

In the controller, the parameter categoryIds is passed directly to BasicUtil.getString, which ultimately calls SpringUtil.getRequest() without any sanitization, confirming an injection point.

4) Verify the vulnerability

Run the application and craft a request such as:

http://localhost:8080/ms-mcms/mcms/search.do?categoryId=1')  or updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)#

The response reveals the MySQL version (e.g., 5.7.27), confirming the SQL injection.

3. Summary

These are the essential steps for auditing MyBatis SQL injection:

1. Focus on three risky patterns in MyBatis: LIKE, IN, and ORDER BY.
2. When SQL is written in XML, search for the $ placeholder, then analyze each occurrence, paying special attention to ORDER BY statements generated by MyBatis‑generator.
3. Annotation‑based SQL follows the same principles.
4. At the Java layer, always validate and whitelist parameters, assuming user input is malicious.

Written by

Java High-Performance Architecture

Sharing Java development articles and resources, including SSM architecture and the Spring ecosystem (Spring Boot, Spring Cloud, MyBatis, Dubbo, Docker), Zookeeper, Redis, architecture design, microservices, message queues, Git, etc.
