Practical Guide to Auditing MyBatis SQL Injection Vulnerabilities

Introduction

SQL injection remains one of the most frequent web security issues. Although modern Java frameworks and prepared statements have reduced its prevalence, misusing MyBatis can still introduce serious injection risks, especially for beginners performing code audits.

1. MyBatis SQL Injection Patterns

MyBatis allows SQL statements to be defined either via annotations or XML files. When writing XML, two parameter placeholders are available: #{} (prepared‑statement style) and ${} (string concatenation). Improper use of ${} leads to injection.

1.1 Fuzzy Query

Developers sometimes replace #{} with ${} to avoid errors, producing a vulnerable statement like:

Select * from news where title like ‘%${title}%’

The safe version uses #{} together with concat :

select * from news where title like concat('%', #{title}, '%')

1.2 IN Clause with Multiple Parameters

Using ${} for an IN list also creates a risk:

Select * from news where id in (${ids})

The correct approach is to keep #{} and let MyBatis expand the list via <foreach> :

id in <foreach collection="ids" item="item" open="(" separator="," close=")">${item}</foreach>

1.3 ORDER BY Clause

Dynamic ordering should be whitelisted on the Java side; otherwise, ${} can inject arbitrary column names. MyBatis‑generator sometimes generates ${} for ORDER BY, which must be reviewed.

2. Practical Auditing Workflow

Using an open‑source CMS (MCMS) as a case study, the following steps were taken:

Import the project into IntelliJ IDEA via Get from Version Control using the repository https://gitee.com/mingSoft/MCMS.git .

Search all XML files for the $ character (Ctrl+Shift+F). Identify files ending with Dao.xml , e.g., IContentDao.xml , and locate suspicious statements.

Trace the mapped Java methods (e.g., getSearchCount ) from the XML to the DAO interface, its implementation, and finally to the controller ( McmsAction ).

Inspect how request parameters are obtained (e.g., BasicUtil.getString ) and verify that no sanitization occurs before they reach the SQL.

Deploy the application and craft a payload such as http://localhost:8080/ms-mcms/mcms/search.do?categoryId=1') or updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)# to confirm that the database version is disclosed, proving the injection.

3. Summary

The key take‑aways for auditing MyBatis‑based applications are:

1. Focus on LIKE , IN , and ORDER BY constructs where ${} is used. 2. When SQL is written in XML, search for the $ placeholder and review each occurrence, especially those generated by MyBatis‑generator. 3. For annotation‑based SQL, the same principles apply; avoid concatenating raw input. 4. Perform strict parameter validation in Java code, assuming all user input may be malicious.