AUTHOR : KJ0231320
TEAM : I.S.T.O
以下是对ORACLE HINT FUZZ的时候发现的!
select /*+ NO_PUSH_PRED(* dual --)*/ * from dual
还有好些HINT都会出现如此语法错误，或者会使当前Connection会话中断
研究了好久都没发现什么细节原因,跟踪不下去了。搁着快有半年了扔出来,后来者可以走少些弯路
顺便给出FUZZ的代码
- package cn.isto.fuzz.oracle;
- import java.sql.*;
- import java.util.List;
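/**
 * Fuzzer for Oracle optimizer hints.
 *
 * <p>For every hint name in {@link #hints} and every value in {@link #fuzzData} it executes
 * a {@code select ... from dual} statement whose hint comment is {@code HINT( value )}, pauses
 * for {@link #PAUSE_MILLIS}, prints any error the driver returns, and reconnects when the error
 * text mentions the socket (the server side dropped the session). Every error is also echoed
 * together with the statement that produced it, which is what the author used to spot the
 * parser failures described above the listing.
 *
 * <p>Not thread-safe: one instance owns one JDBC connection and one statement.
 */
public class SQLHintFuzzer {

    /** Pause between statements so that a session drop surfaces before the next one is sent. */
    private static final long PAUSE_MILLIS = 1000L;

    /**
     * Index of the first hint fuzzed by {@link #fuzz()}. The original run was resumed from
     * position 40 and that starting point is preserved; use {@link #fuzz(int)} for a full run.
     */
    private static final int DEFAULT_START_HINT = 40;

    /**
     * Values substituted as the hint argument: signed boundary integers, SQL metacharacters,
     * printf-style specifiers, long identifiers up to 32767 chars, and two reserved words.
     */
    private final Object[] fuzzData = {
        -1, -2, 0, 1, 2,
        2147483647, -2147483647,
        2147483648L, -2147483648,
        Long.MAX_VALUE, Long.MIN_VALUE,
        "'')",
        // The original listing reads "/"" here, which does not compile; a lone double quote
        // (a mangled "\"" escape) is the presumed intent.
        "\"",
        "--",
        "/*",
        "%s%s%s%s%s%s%s",
        "%x%x%x%x%x%x",
        "%d%d%d%d%d%d",
        loopCreateString("A", 30),
        loopCreateString("A", 100),
        loopCreateString("A", 128),
        loopCreateString("A", 256),
        loopCreateString("A", 512),
        loopCreateString("A", 1024),
        loopCreateString("A", 2048),
        loopCreateString("A", 3000),
        loopCreateString("A", 4000),
        loopCreateString("A", 5000),
        loopCreateString("A", 6000),
        loopCreateString("A", 8000),
        loopCreateString("A", 10000),
        loopCreateString("A", 15000),
        loopCreateString("A", 20000),
        loopCreateString("A", 25000),
        loopCreateString("A", 30000),
        loopCreateString("A", 32767),
        "SYS",
        "ROWID",
    };

    /**
     * Hint names to fuzz, in the author's order. The original sized this array at 182 but
     * filled 181 slots, so the last iteration fuzzed the literal text {@code null}; an array
     * initializer removes that trailing entry. Entries from BYPASS_RECURSIVE_CHECK onwards
     * (the second occurrence) repeat earlier names and are kept exactly as authored.
     */
    private final String[] hints = {
        "ALL_ROWS", "AND_EQUAL", "ANTIJOIN", "APPEND", "BITMAP", "BUFFER",
        "BYPASS_RECURSIVE_CHECK", "BYPASS_UJVC", "CACHE", "CACHE_CB", "CACHE_TEMP_TABLE",
        "CARDINALITY", "CHOOSE", "CIV_GB", "COLLECTIONS_GET_REFS", "CPU_COSTING", "CUBE_GB",
        "CURSOR_SHARING_EXACT", "DEREF_NO_REWRITE", "DML_UPDATE", "DOMAIN_INDEX_NO_SORT",
        "DOMAIN_INDEX_SORT", "DRIVING_SITE", "DYNAMIC_SAMPLING", "DYNAMIC_SAMPLING_EST_CDN",
        "EXPAND_GSET_TO_UNION", "FACT", "FIRST_ROWS", "FORCE_SAMPLE_BLOCK", "FULL",
        "GBY_CONC_ROLLUP", "GLOBAL_TABLE_HINTS", "HASH", "HASH_AJ", "HASH_SJ", "HWM_BROKERED",
        "IGNORE_ON_CLAUSE", "IGNORE_WHERE_CLAUSE", "INDEX_ASC", "INDEX_COMBINE", "INDEX_DESC",
        "INDEX_FFS", "INDEX_JOIN", "INDEX_RRS", "INDEX_SS", "INDEX_SS_ASC", "INDEX_SS_DESC",
        "INLINE", "LEADING", "LIKE_EXPAND", "LOCAL_INDEXES", "MATERIALIZE", "MERGE", "MERGE_AJ",
        "MERGE_SJ", "MV_MERGE", "NESTED_TABLE_GET_REFS", "NESTED_TABLE_SET_REFS",
        "NESTED_TABLE_SET_SETID", "NL_AJ", "NL_SJ", "NO_ACCESS", "NO_BUFFER", "NO_EXPAND",
        "NO_EXPAND_GSET_TO_UNION", "NO_FACT", "NO_FILTERING", "NO_INDEX", "NO_MERGE",
        "NO_MONITORING", "NO_ORDER_ROLLUPS", "NO_PRUNE_GSETS", "NO_PUSH_PRED", "NO_PUSH_SUBQ",
        "NO_QKN_BUFF", "NO_SEMIJOIN", "NO_STATS_GSETS", "NO_UNNEST", "NOAPPEND", "NOCACHE",
        "NOCPU_COSTING", "NOPARALLEL", "NOPARALLEL_INDEX", "NOREWRITE", "OR_EXPAND", "ORDERED",
        "ORDERED_PREDICATES", "OVERFLOW_NOMOVE", "PARALLEL", "PARALLEL_INDEX", "PIV_GB",
        "PIV_SSF", "PQ_DISTRIBUTE", "PQ_MAP", "PQ_NOMAP", "PUSH_PRED", "PUSH_SUBQ",
        "REMOTE_MAPPED", "RESTORE_AS_INTERVALS", "REWRITE", "RULE", "SAVE_AS_INTERVALS",
        "SCN_ASCENDING", "SELECTIVITY", "SEMIJOIN", "SEMIJOIN_DRIVER", "SKIP_EXT_OPTIMIZER",
        "SQLLDR", "STAR", "STAR_TRANSFORMATION", "SWAP_JOIN_INPUTS", "SYS_DL_CURSOR",
        "SYS_PARALLEL_TXN", "SYS_RID_ORDER", "TIV_GB", "TIV_SSF", "UNNEST", "USE_ANTI",
        "USE_CONCAT", "USE_HASH", "USE_MERGE", "USE_NL", "USE_SEMI", "USE_TTT_FOR_GSETS",
        // second pass, as in the original
        "BYPASS_RECURSIVE_CHECK", "BYPASS_UJVC", "CACHE_CB", "CACHE_TEMP_TABLE", "CIV_GB",
        "COLLECTIONS_GET_REFS", "CUBE_GB", "CURSOR_SHARING_EXACT", "DEREF_NO_REWRITE",
        "DML_UPDATE", "DOMAIN_INDEX_NO_SORT", "DOMAIN_INDEX_SORT", "DYNAMIC_SAMPLING",
        "DYNAMIC_SAMPLING_EST_CDN", "EXPAND_GSET_TO_UNION", "FORCE_SAMPLE_BLOCK",
        "GBY_CONC_ROLLUP", "GLOBAL_TABLE_HINTS", "HWM_BROKERED", "IGNORE_ON_CLAUSE",
        "IGNORE_WHERE_CLAUSE", "INDEX_RRS", "INDEX_SS", "INDEX_SS_ASC", "INDEX_SS_DESC",
        "LIKE_EXPAND", "LOCAL_INDEXES", "MV_MERGE", "NESTED_TABLE_GET_REFS",
        "NESTED_TABLE_SET_REFS", "NESTED_TABLE_SET_SETID", "NO_EXPAND_GSET_TO_UNION",
        "NO_FACT", "NO_FILTERING", "NO_ORDER_ROLLUPS", "NO_PRUNE_GSETS", "NO_STATS_GSETS",
        "NO_UNNEST", "NOCPU_COSTING", "OVERFLOW_NOMOVE", "PIV_GB", "PIV_SSF", "PQ_MAP",
        "PQ_NOMAP", "REMOTE_MAPPED", "RESTORE_AS_INTERVALS", "SAVE_AS_INTERVALS",
        "SCN_ASCENDING", "SKIP_EXT_OPTIMIZER", "SQLLDR", "SYS_DL_CURSOR", "SYS_PARALLEL_TXN",
        "SYS_RID_ORDER", "TIV_GB", "TIV_SSF", "UNNEST", "USE_TTT_FOR_GSETS",
    };

    /** Open JDBC connection, or {@code null} before {@link #login} / after {@link #logout}. */
    private Connection conn;
    /** Statement used for every fuzz query; recreated together with {@link #conn} on reconnect. */
    private Statement stmt;
    private String url;
    private String user;
    private String pass;

    /** Creates a fuzzer with the built-in hint and value tables; does not connect. */
    public SQLHintFuzzer() {
    }

    /**
     * Returns {@code initStr} repeated {@code count} times (empty string for {@code count <= 0}).
     */
    private static String loopCreateString(String initStr, int count) {
        StringBuilder sb = new StringBuilder(Math.max(0, count) * initStr.length());
        for (int i = 0; i < count; i++) {
            sb.append(initStr);
        }
        return sb.toString();
    }

    /** Number of hint names that will be fuzzed. */
    int hintCount() {
        return hints.length;
    }

    /** Number of argument values tried per hint. */
    int fuzzValueCount() {
        return fuzzData.length;
    }

    /**
     * Formats one hint invocation as it appears inside the hint comment: {@code HINT( value )}.
     *
     * @param hint  hint name
     * @param value argument, rendered with {@link String#valueOf(Object)}
     */
    static String formatHintCall(String hint, Object value) {
        return hint + "( " + value + " )";
    }

    /**
     * Wraps a hint invocation into the query that is sent to the server.
     *
     * @param hintCall text produced by {@link #formatHintCall}
     * @return the full {@code select} statement against {@code dual}
     */
    static String buildFuzzSql(String hintCall) {
        return "select /*+ " + hintCall + "*/ * from dual";
    }

    /**
     * Loads the Oracle thin driver and opens the connection used by {@link #fuzz()}.
     *
     * @throws SQLException           if the connection cannot be established
     * @throws ClassNotFoundException if the Oracle JDBC driver is not on the classpath
     */
    public void login(String host, int port, String user, String pass, String sid)
            throws SQLException, ClassNotFoundException {
        Class.forName("oracle.jdbc.driver.OracleDriver");
        this.url = "jdbc:oracle:thin:@" + host + ":" + port + ":" + sid;
        this.user = user;
        this.pass = pass;
        connection();
    }

    /** (Re)opens {@link #conn} from the stored URL and credentials. */
    private void connection() throws SQLException {
        conn = DriverManager.getConnection(url, user, pass);
    }

    /**
     * Closes the statement and the connection. The original closed only the connection and
     * left the statement to the driver.
     */
    public void logout() {
        closeAll(conn, stmt, null);
        stmt = null;
        conn = null;
    }

    /** Closes the given resources in reverse acquisition order; each may be {@code null}. */
    private static void closeAll(Connection con, Statement st, ResultSet rs) {
        closeQuietly(rs);
        closeQuietly(st);
        closeQuietly(con);
    }

    /** Best-effort close for teardown paths; failures here carry no information for the run. */
    private static void closeQuietly(AutoCloseable resource) {
        if (resource == null) {
            return;
        }
        try {
            resource.close();
        } catch (Exception ignored) {
            // teardown only
        }
    }

    /** Runs the fuzz loop from {@link #DEFAULT_START_HINT}; see {@link #fuzz(int)}. */
    public void fuzz() {
        fuzz(DEFAULT_START_HINT);
    }

    /**
     * Executes every hint from {@code startHint} onwards with every fuzz value.
     *
     * <p>Requires a prior {@link #login}; without a connection, or if the statement cannot be
     * created, a message is printed and the method returns. The original fell through to a
     * {@code null} statement and crashed with an NPE whose message was again {@code null}.
     * The loop also stops when the thread is interrupted during the per-statement pause.
     *
     * @param startHint index into the hint table; negative values start at 0
     */
    public void fuzz(int startHint) {
        if (conn == null) {
            System.out.println("not connected: call login() first");
            return;
        }
        try {
            stmt = conn.createStatement();
        } catch (SQLException e) {
            System.out.println("cannot create statement: " + e.getMessage());
            return;
        }
        for (int h = Math.max(0, startHint); h < hints.length; h++) {
            System.out.println("FUZZ : " + hints[h]);
            for (Object value : fuzzData) {
                if (Thread.currentThread().isInterrupted()) {
                    return;
                }
                startFuzz(formatHintCall(hints[h], value));
            }
        }
    }

    /**
     * Sends one statement, pauses, and reports any failure. A message containing "socket"
     * is taken as a dropped session and triggers {@link #reconnect()}.
     */
    private void startFuzz(String hintCall) {
        String sql = buildFuzzSql(hintCall);
        try {
            stmt.execute(sql);
            Thread.sleep(PAUSE_MILLIS);
        } catch (InterruptedException e) {
            // Preserve the interrupt so the caller's loop can observe it and stop.
            Thread.currentThread().interrupt();
        } catch (Exception e) {
            // getMessage() may be null (e.g. an NPE from a closed/absent statement); the
            // original dereferenced it directly and died on the second failure.
            String message = String.valueOf(e.getMessage());
            System.out.println(message);
            if (message.contains("socket")) {
                reconnect();
            }
            catch0day(message, sql);
        }
    }

    /** Drops the dead connection/statement and opens fresh ones; prints on failure. */
    private void reconnect() {
        closeAll(conn, stmt, null);
        try {
            connection();
            stmt = conn.createStatement();
        } catch (SQLException e) {
            System.out.println("error crash: " + e.getMessage());
        }
    }

    /** Records a suspicious result: the server's error text and the statement that caused it. */
    private void catch0day(String message, String sql) {
        System.out.println(message + "---" + sql);
    }

    /**
     * Entry point. Connection parameters may be given as {@code host port user pass sid};
     * anything not supplied falls back to the values hard-coded in the original listing.
     * Hard-coding credentials in source is what the original did; passing them on the
     * command line keeps them out of the file.
     */
    public static void main(String[] args) throws SQLException, ClassNotFoundException {
        String host = args.length > 0 ? args[0] : "kj021320PC";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 1521;
        String user = args.length > 2 ? args[2] : "kj021320";
        String pass = args.length > 3 ? args[3] : "kj021320";
        String sid = args.length > 4 ? args[4] : "ORCL";
        SQLHintFuzzer shf = new SQLHintFuzzer();
        shf.login(host, port, user, pass, sid);
        try {
            shf.fuzz();
        } finally {
            // The original skipped logout when fuzz() threw.
            shf.logout();
        }
    }
}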