How to Spot MyBatis SQL Injection Vulnerabilities: A Practical Guide

This article walks through the typical ways MyBatis can introduce SQL injection—through misuse of # and $ in LIKE, IN, and ORDER BY clauses—provides correct code examples, and demonstrates a step‑by‑step reverse‑engineering workflow on an open‑source CMS to locate and confirm the vulnerability.

Code Ape Tech Column

Introduction

SQL injection remains one of the most common web security flaws. Although Java’s use of prepared statements and ORM frameworks reduces the risk, improper use of MyBatis can still introduce injection vulnerabilities.

1. MyBatis SQL Injection Patterns

MyBatis allows SQL to be defined either with annotations or in XML files. Two parameter placeholders exist: # for safe prepared‑statement parameters and $ for direct string substitution. Using $ can lead to injection.

1) Fuzzy query (LIKE)

Incorrect usage:

select * from news where title like '%#{title}%'

Written this way, the #{title} placeholder sits inside a string literal, so MyBatis cannot bind it as a prepared-statement parameter and the query does not work as intended. Developers then replace # with $ to make it run, and at that point the value is spliced straight into the SQL and the query becomes vulnerable.

Correct usage:

select * from news where title like concat('%', #{title}, '%')

2) IN clause with multiple parameters

Incorrect usage:

select * from news where id in (#{ids})

Replacing # with $ causes injection.

Correct usage with foreach:

id in <foreach collection="ids" item="item" open="(" separator="," close=")">#{item}</foreach>

3) ORDER BY clause

Dynamic ORDER BY should be whitelisted on the Java side. MyBatis‑generator may generate $ for ORDER BY, which can be exploited if not validated.
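The three safe patterns above, collected in one annotation-based mapper as an added example (this is not the article's code nor MCMS's; the News entity, NewsMapper and NewsSort names are assumed). The LIKE and IN cases bind every user value with #{}; the ORDER BY case still needs ${}, so the fragment is built only from a Java-side whitelist.

```java
import java.util.List;
import java.util.Set;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

// Hypothetical entity mirroring the article's "news" table.
class News {
    Long id;
    String title;
}

@Mapper
public interface NewsMapper {

    // LIKE: build the pattern in SQL with CONCAT so #{title} travels as a JDBC parameter.
    @Select("SELECT * FROM news WHERE title LIKE CONCAT('%', #{title}, '%')")
    List<News> searchByTitle(@Param("title") String title);

    // IN: <foreach> expands the list into one #{} placeholder per element.
    @Select("<script>"
          + "SELECT * FROM news WHERE id IN "
          + "<foreach collection='ids' item='id' open='(' separator=',' close=')'>#{id}</foreach>"
          + "</script>")
    List<News> findByIds(@Param("ids") List<Long> ids);

    // ORDER BY: a column name cannot be a bind parameter, so ${} is unavoidable here.
    // Callers must pass only what NewsSort.fragment() returns, never the raw request value.
    @Select("SELECT * FROM news ORDER BY ${orderBy}")
    List<News> listOrdered(@Param("orderBy") String orderBy);
}

// Hypothetical whitelist: maps request parameters onto a fixed set of ORDER BY fragments.
final class NewsSort {
    private static final Set<String> COLUMNS = Set.of("id", "title", "publish_date");
    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");

    static String fragment(String field, String direction) {
        if (field == null || !COLUMNS.contains(field)) {
            throw new IllegalArgumentException("unsupported sort field");
        }
        String dir = direction == null ? "ASC" : direction.toUpperCase();
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("unsupported sort direction");
        }
        return field + " " + dir;   // e.g. "publish_date DESC", assembled only from constants
    }
}
```

Anything that reaches ${orderBy} other than a NewsSort.fragment() result is the audit finding to look for; the same rule applies to XML mappers, where the equivalent search is for ${ in the ORDER BY clause.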

2. Practical Auditing Workflow

Import the target project into IntelliJ IDEA using Get from Version Control with the repository URL https://gitee.com/mingSoft/MCMS.git.

Search for the $ symbol in XML files (Ctrl+Shift+F, filter by *.xml). Identify files containing potential injection points, e.g., IContentDao.xml.

Locate the corresponding Java mapper interfaces and implementation classes (e.g., IContentDao.java, IContentDaoImpl.java) and trace the call chain to the controller (McmsAction.java).

Verify the vulnerability by running a crafted request such as

http://localhost:8080/ms-mcms/mcms/search.do?categoryId=1') or updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)#

which returns the MySQL version, confirming injection.

3. Summary

When auditing MyBatis applications, focus on three typical injection vectors: LIKE, IN, and ORDER BY. Search XML files for the $ placeholder, pay special attention to code generated by MyBatis‑generator, and always validate or whitelist dynamic parameters on the Java side.

1. In MyBatis, audit SQL injection by concentrating on LIKE, IN, and ORDER BY.
2. When SQL is written in XML, search for $ and review each occurrence, especially those generated by MyBatis‑generator.
3. Annotation‑based SQL requires the same careful analysis.
4. Perform strict parameter validation in Java, assuming all user input may be malicious.

Written by

Code Ape Tech Column

Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn
