Description
测试发现,对于以下的sql注入漏洞,是无法检测的:
// Both values are read straight from the HTTP request, so both are caller-controlled.
String username = request.getParameter("username");
String order = request.getParameter("order");
// `username` is bound through the `?` placeholder below, but `order` is concatenated
// into the statement text. A PreparedStatement only protects bound parameters, and an
// ORDER BY target cannot be bound, so this concatenation is the injection point.
// The usual mitigation is to map `order` onto a fixed allow-list of column names first.
String sql= "select host,user from user where user=? order by host "+order;
//System.out.println(sql);
// The text passed here is what a prepareStatement hook would have to inspect.
PreparedStatement preState = conn.prepareStatement(sql);
preState.setString(1, username);
ResultSet rs = preState.executeQuery();
其根源在于未hook预编译相关的方法。
对于mysql来说可以通过以下方式来解决:
添加SQLConnectionHook类(这里只覆盖了mysql,其他的请官方补充吧)
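/**
 * Instruments JDBC {@code Connection.prepareStatement(...)} so that the statement text is
 * handed to {@code HookHandler.checkSQL(String, String)} before it reaches the driver.
 * Only the MySQL Connector/J connection classes are matched; the other driver sections
 * are placeholders.
 */
public class SQLConnectionHook extends AbstractClassHook {

    /** Descriptor prefix shared by every prepareStatement overload whose first argument is the SQL text. */
    private static final String SQL_FIRST_ARG_PREFIX = "(Ljava/lang/String;";
    /** Descriptor suffix shared by the prepareStatement overloads (all return a PreparedStatement). */
    private static final String PREPARED_STATEMENT_SUFFIX = ")Ljava/sql/PreparedStatement;";

    /** Dialect name passed to checkSQL; assigned when isClassMatched() accepts a class. */
    private String type;
    /** Declared exceptions a target method must carry; used as an overload filter in hookMethod(). */
    private String[] exceptions;

    /**
     * (none-javadoc)
     *
     * @see com.fuxi.javaagent.hook.AbstractClassHook#getType()
     */
    @Override
    public String getType() {
        return "sql";
    }

    /**
     * Decides whether {@code className} (internal, '/'-separated form) is a driver connection
     * class to instrument. Matching has a side effect: it records the dialect and the expected
     * declared exceptions that hookMethod() later relies on.
     *
     * @param className internal class name as seen by the class transformer
     * @return true for the MySQL Connector/J 5.x and 8.x ConnectionImpl classes, false otherwise
     */
    @Override
    public boolean isClassMatched(String className) {
        /* MySQL */
        if ("com/mysql/jdbc/ConnectionImpl".equals(className)
                || "com/mysql/cj/jdbc/ConnectionImpl".equals(className)) {
            this.type = "mysql";
            this.exceptions = new String[]{"java/sql/SQLException"};
            return true;
        }
        /* SQLite */
        /* Oracle */
        /* SQL Server */
        /* PostgreSQL */
        return false;
    }

    /**
     * Returns true when the method is a prepareStatement overload that takes the SQL text as its
     * first parameter. java.sql.Connection declares prepareStatement(String), (String,int),
     * (String,int,int), (String,int,int,int), (String,int[]) and (String,String[]); matching only
     * the single-String descriptor would let statement text reach the driver unchecked through any
     * of the other overloads, so all of them are matched on the descriptor prefix/suffix instead.
     * The declared-exceptions filter from the original single-overload match is kept.
     *
     * @param name               method name from the class file
     * @param desc               JVM method descriptor
     * @param declaredExceptions internal names of the method's declared exceptions (may be null)
     */
    private boolean isPrepareStatement(String name, String desc, String[] declaredExceptions) {
        return "prepareStatement".equals(name)
                && Arrays.equals(declaredExceptions, this.exceptions)
                && desc != null
                && desc.startsWith(SQL_FIRST_ARG_PREFIX)
                && desc.endsWith(PREPARED_STATEMENT_SUFFIX);
    }

    /**
     * Wraps every matching prepareStatement overload with advice that passes the dialect and the
     * first argument (the SQL text) to HookHandler.checkSQL on method entry.
     * NOTE(review): a driver may implement one overload by delegating to another; when both are
     * hooked, checkSQL runs once per hooked frame. That is a repeated check, not a missed one.
     *
     * @return an advice-wrapped visitor for matching methods, otherwise {@code mv} unchanged
     */
    @Override
    protected MethodVisitor hookMethod(int access, String name, String desc, String signature,
                                       String[] exceptions, MethodVisitor mv) {
        if (!isPrepareStatement(name, desc, exceptions)) {
            return mv;
        }
        return new AdviceAdapter(Opcodes.ASM5, mv, access, name, desc) {
            @Override
            protected void onMethodEnter() {
                // checkSQL(String dialect, String sql); argument 0 is the SQL text in every overload.
                push(type);
                loadArg(0);
                invokeStatic(Type.getType(HookHandler.class),
                        new Method("checkSQL", "(Ljava/lang/String;Ljava/lang/String;)V"));
            }
        };
    }
}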