Reputation: 11
I edit a simple Jetty web application using Maven. I try to inject the following rule scripts into java.sql.Statement.executeQuery(String).
RULE trace java.sql.Statement.executeQuery enter
INTERFACE ^java.sql.Statement
METHOD executeQuery(String)
AT ENTRY
IF debug("trace executeQuery(String)")
DO traceln("enter executeQuery...")
ENDRULE
RULE trace java.sql.Statement.executeUpdate enter
INTERFACE ^java.sql.Statement
METHOD executeUpdate(String)
AT ENTRY
IF TRUE
DO traceln("entering executeUpdate")
ENDRULE
I install these scripts. This is as follows:
C:\Users\ln13277429609\Desktop\gitcode\git-study\byteman-aop-version2\security_taint_webapp>bmsubmit -l src/main/resources/traceExecuteQuery.btm
install rule trace java.sql.Statement.executeQuery enter
install rule trace java.sql.Statement.executeUpdate enter
I use mvn jetty:run-forked to start this web application. Its jvmArgs are as follows:
<jvmArgs>-javaagent:C:\Users\ln13277429609\.m2\repository\org\jboss\byteman\byteman\4.0.16\byteman-4.0.16.jar=listener:true,boot:C:\Users\ln13277429609\.m2\repository\org\jboss\byteman\byteman\4.0.16\byteman-4.0.16.jar -Dorg.jboss.byteman.transform.all -Dorg.jboss.byteman.verbose -Dorg.jboss.byteman.debug</jvmArgs>
When I post a request, a bug happened in the console. These log messages are as follows.
[STDOUT] AccessManager:init Initialising default AccessManager
[STDOUT] TransformListener() : accepting requests on localhost:9091
[STDERR] 2021-08-15 20:49:48.802:INFO::main: Logging initialized @388ms to org.eclipse.jetty.util.log.StdErrLog
[STDERR] 2021-08-15 20:49:48.990:INFO:oejmp.Starter:main: Started Jetty Server
[STDERR] 2021-08-15 20:49:48.990:INFO:oejs.Server:main: jetty-9.4.3.v20170317
[STDERR] 2021-08-15 20:49:49.554:INFO:oejs.session:main: DefaultSessionIdManager workerName=node0
[STDERR] 2021-08-15 20:49:49.554:INFO:oejs.session:main: No SessionScavenger set, using defaults
[STDERR] 2021-08-15 20:49:49.554:INFO:oejs.session:main: Scavenging every 660000ms
[STDERR] 2021-08-15 20:49:50.364:INFO:oejsh.ContextHandler:main: Started o.e.j.m.p.JettyWebAppContext@5ba23b66{/taintwebapp,[file:///C:/Users/ln13277429609/Desktop/gitcode/git-study/byteman-aop-version2/security_taint_webapp/src/main/webapp/],AVAILABLE}
[STDERR] 2021-08-15 20:49:50.396:INFO:oejs.AbstractConnector:main: Started ServerConnector@50a638b5{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
[STDOUT] -FQOF8GQQXS5U
[STDERR] 2021-08-15 20:49:50.396:INFO:oejs.Server:main: Started @1978ms
[STDOUT] com.mysql.jdbc.JDBC4Connection@6d234c29
[STDOUT] select * from user where loginname='admin' and password='123' and pin='456'
[STDOUT] TransformListener() : handling connection on port 9091
[STDOUT] retransforming com.mysql.jdbc.PreparedStatement
[STDOUT] retransforming com.mysql.jdbc.StatementImpl
[STDOUT] org.jboss.byteman.agent.Transformer : possible trigger for rule trace java.sql.Statement.executeUpdate enter in class com.mysql.jdbc.StatementImpl
[STDOUT] RuleTriggerMethodAdapter.injectTriggerPoint : inserting trigger into com.mysql.jdbc.StatementImpl.executeUpdate(java.lang.String) int for rule trace java.sql.Statement.executeUpdate enter
[STDOUT] org.jboss.byteman.agent.Transformer : inserted trigger for trace java.sql.Statement.executeUpdate enter in class com.mysql.jdbc.StatementImpl
[STDOUT] org.jboss.byteman.agent.Transformer : possible trigger for rule trace java.sql.Statement.executeQuery enter in class com.mysql.jdbc.StatementImpl
[STDOUT] RuleTriggerMethodAdapter.injectTriggerPoint : inserting trigger into com.mysql.jdbc.StatementImpl.executeQuery(java.lang.String) java.sql.ResultSet for rule trace java.sql.Statement.executeQuery enter
[STDOUT] exits unaccounted for in block B30
[STDOUT] org.jboss.byteman.agent.Transformer : unexpected error injecting trigger for rule trace java.sql.Statement.executeQuery enter into class com.mysql.jdbc.StatementImpl
[STDOUT] java.lang.NullPointerException
[STDOUT] java.lang.NullPointerException
[STDOUT] at org.jboss.byteman.agent.adapter.cfg.CFG.computeContainment(CFG.java:1206)
[STDOUT] at org.jboss.byteman.agent.adapter.cfg.CFG.carryForward(CFG.java:1042)
[STDOUT] at org.jboss.byteman.agent.adapter.cfg.CFG.split(CFG.java:1320)
[STDOUT] at org.jboss.byteman.agent.adapter.RuleTriggerMethodAdapter.visitInsn(RuleTriggerMethodAdapter.java:688)
[STDOUT] at org.jboss.byteman.agent.adapter.EntryTriggerAdapter$EntryTriggerMethodAdapter.visitInsn(EntryTriggerAdapter.java:133)
[STDOUT] at org.jboss.byteman.objectweb.asm.tree.InsnNode.accept(InsnNode.java:65)
[STDOUT] at org.jboss.byteman.objectweb.asm.tree.InsnList.accept(InsnList.java:144)
[STDOUT] at org.jboss.byteman.objectweb.asm.tree.MethodNode.accept(MethodNode.java:751)
[STDOUT] at org.jboss.byteman.objectweb.asm.commons.JSRInlinerAdapter.visitEnd(JSRInlinerAdapter.java:158)
[STDOUT] at org.jboss.byteman.objectweb.asm.ClassReader.readMethod(ClassReader.java:1495)
[STDOUT] at org.jboss.byteman.objectweb.asm.ClassReader.accept(ClassReader.java:721)
[STDOUT] at org.jboss.byteman.objectweb.asm.ClassReader.accept(ClassReader.java:401)
[STDOUT] at org.jboss.byteman.agent.TransformContext.transform(TransformContext.java:152)
[STDOUT] at org.jboss.byteman.agent.Transformer.transform(Transformer.java:757)
[STDOUT] at org.jboss.byteman.agent.Transformer.tryTransform(Transformer.java:824)
[STDOUT] at org.jboss.byteman.agent.Transformer.tryTransform(Transformer.java:796)
[STDOUT] at org.jboss.byteman.agent.Transformer.transform(Transformer.java:302)
[STDOUT] at sun.instrument.TransformerManager.transform(TransformerManager.java:188)
[STDOUT] at sun.instrument.InstrumentationImpl.transform(InstrumentationImpl.java:428)
[STDOUT] at sun.instrument.InstrumentationImpl.retransformClasses0(Native Method)
[STDOUT] at sun.instrument.InstrumentationImpl.retransformClasses(InstrumentationImpl.java:144)
[STDOUT] at org.jboss.byteman.agent.Retransformer.installScript(Retransformer.java:151)
[STDOUT] at org.jboss.byteman.agent.TransformListener.handleScripts(TransformListener.java:351)
[STDOUT] at org.jboss.byteman.agent.TransformListener.loadScripts(TransformListener.java:274)
[STDOUT] at org.jboss.byteman.agent.TransformListener.handleConnection(TransformListener.java:226)
[STDOUT] at org.jboss.byteman.agent.TransformListener.run(TransformListener.java:156)
[STDOUT] com.mysql.jdbc.JDBC4Connection@51fd5918
[STDOUT] select * from user where loginname='admin' and password='123' and pin='456'
I find some scripts succeeding in being injected into java.sql.Statement.executeUpdate, but not for executeQuery. So, how do I solve the problem?
Upvotes: 1
Views: 160
Reputation: 11
mysql-connector-java-8.0.26.jar, Tomcat 7.0.99, jdk1.8.0_241, byteman 4.0.13: this is my test environment. I edit a simple Java web application. I'm happy to solve the problem. I only convert mysql-connector-java-5.0.38.jar to mysql-connector-java-8.0.26.jar to solve the bug. I submit the following rule script:
RULE trace java.sql.Statement.executeQuery enter
INTERFACE ^java.sql.Statement
METHOD executeQuery(String)
AT ENTRY
IF debug("trace executeQuery(String)")
DO traceln("enter executeQuery..."+$1)
ENDRULE
The following log indicates that the side effect is injected into the executeQuery method.
TransformListener() : handling connection on port 9091
org.jboss.byteman.agent.Transformer : possible trigger for rule trace java.sql.Statement.executeQuery enter in class com.mysql.cj.jdbc.StatementImpl
RuleTriggerMethodAdapter.injectTriggerPoint : inserting trigger into com.mysql.cj.jdbc.StatementImpl.executeQuery(java.lang.String) java.sql.ResultSet for rule trace java.sql.Statement.executeQuery enter
org.jboss.byteman.agent.Transformer : inserted trigger for trace java.sql.Statement.executeQuery enter in class com.mysql.cj.jdbc.StatementImpl
com.mysql.cj.jdbc.ConnectionImpl@7e00f47b
select * from user where loginname='admin' and password='123' and pin='456'
Rule.execute called for trace java.sql.Statement.executeQuery enter_0:0
HelperManager.install for helper class org.jboss.byteman.rule.helper.Helper
calling activated() for helper class org.jboss.byteman.rule.helper.Helper
Default helper activated
calling installed(trace java.sql.Statement.executeQuery enter) for helper classorg.jboss.byteman.rule.helper.Helper
Installed rule using default helper : trace java.sql.Statement.executeQuery enter
trace java.sql.Statement.executeQuery enter execute
rule.debug{trace java.sql.Statement.executeQuery enter_0:0} : trace executeQuery(String)
enter executeQuery...select * from user where loginname='admin' and password='123' and pin='456'
Although the bug is solved, I think the environment setting is difficult. Of course, I don't deeply know the reason why the bug happens there.
Upvotes: 0
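As an added example (not part of either post, and not Byteman's own code): when rules like these are used to watch SQL sinks, a rule that fails to inject leaves that sink unobserved with no other sign than the verbose log. The Python check below reads agent output in the format quoted above and reports expected rules that never reached the "inserted trigger" state. The sample log is constructed from lines in the question, and the function names are hypothetical.

```python
import re

# Message formats as they appear in the Byteman verbose output quoted above.
POSSIBLE = re.compile(
    r"Transformer : possible trigger for rule (?P<rule>.+) in class (?P<cls>\S+)$")
INSERTED = re.compile(
    r"Transformer : inserted trigger for (?P<rule>.+) in class (?P<cls>\S+)$")
FAILED = re.compile(
    r"Transformer : unexpected error injecting trigger for rule (?P<rule>.+)"
    r" into class (?P<cls>\S+)$")
PREFIX = re.compile(r"^\[(?:STDOUT|STDERR)\]\s*")  # added by jetty:run-forked

# Constructed sample: lines taken from the question's log, wraps joined.
SAMPLE_LOG = """\
[STDOUT] org.jboss.byteman.agent.Transformer : possible trigger for rule trace java.sql.Statement.executeUpdate enter in class com.mysql.jdbc.StatementImpl
[STDOUT] org.jboss.byteman.agent.Transformer : inserted trigger for trace java.sql.Statement.executeUpdate enter in class com.mysql.jdbc.StatementImpl
[STDOUT] org.jboss.byteman.agent.Transformer : possible trigger for rule trace java.sql.Statement.executeQuery enter in class com.mysql.jdbc.StatementImpl
[STDOUT] exits unaccounted for in block B30
[STDOUT] org.jboss.byteman.agent.Transformer : unexpected error injecting trigger for rule trace java.sql.Statement.executeQuery enter into class com.mysql.jdbc.StatementImpl
[STDOUT] java.lang.NullPointerException
"""

EXPECTED_RULES = [
    "trace java.sql.Statement.executeQuery enter",
    "trace java.sql.Statement.executeUpdate enter",
]


def injection_status(log_text):
    """Map (rule, class) -> 'pending' | 'inserted' | 'failed'."""
    status = {}
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw.strip())
        for pattern, state in ((POSSIBLE, "pending"),
                               (INSERTED, "inserted"),
                               (FAILED, "failed")):
            match = pattern.search(line)
            if not match:
                continue
            key = (match.group("rule"), match.group("cls"))
            # A later 'possible trigger' line never overrides a final state.
            if state != "pending" or key not in status:
                status[key] = state
    return status


def unhooked(log_text, expected_rules):
    """Expected rules with no 'inserted' record in any class."""
    live = {rule for (rule, _), state in injection_status(log_text).items()
            if state == "inserted"}
    return sorted(set(expected_rules) - live)
```

Calling `unhooked(SAMPLE_LOG, EXPECTED_RULES)` on the question's output flags the executeQuery rule, while the same check on the answer's log would return an empty list.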