ORACLE HINT 的一些BUG

原创

mb61bc2c8929091 2022-01-04 13:41:30 博主文章分类：ORACLE ©著作权

文章标签 sql oracle java 文章分类 Java 后端开发

©著作权归作者所有：来自51CTO博客作者mb61bc2c8929091的原创作品，请联系作者获取转载授权，否则将追究法律责任

AUTHOR ： KJ0231320

TEAM ： I.S.T.O

以下是对ORACLE HINT FUZZ的时候发现的！

select /*+ NO_PUSH_PRED(* dual --)*/ * from dual

以还有好些HINT都会出现如此语法错误或者会使当前Connection会话中断

研究了好久都没发现什么细节原因，跟踪不下去了。搁着快有半年了扔出来，后来者可以走少些弯路

顺便给出FUZZ的代码

package cn.isto.fuzz.oracle;
import java.sql.*;
import java.util.List;
public class SQLHintFuzzer {
private Object[] fuzzData=new Object[38];
private String[] hints = new String[182];
private Connection conn;
Statement stmt = null;
private String url;
private String user;
private String pass;
private String sql1;
private String loopCreateString(String initStr,int count){
StringBuilder tempsb = new StringBuilder();
for(int i=0;i<count;i++){
tempsb.append(initStr);
}
return tempsb.toString();
}
public SQLHintFuzzer(){
fuzzData[0]=-1;
fuzzData[1]=-2;
fuzzData[2]=0;
fuzzData[3]=1;
fuzzData[4]=2;
fuzzData[5]=2147483647;
fuzzData[6]=-2147483647;
fuzzData[7]=2147483648l;
fuzzData[8]=-2147483648;
fuzzData[9]=Long.MAX_VALUE;
fuzzData[10]=Long.MIN_VALUE;
fuzzData[11]=loopCreateString("'')",1);
fuzzData[12]=loopCreateString("/"",1);
fuzzData[13]=loopCreateString("--",1);
fuzzData[14]=loopCreateString("/*",1);
fuzzData[15]=loopCreateString("%s%s%s%s%s%s%s",1);
fuzzData[16]=loopCreateString("%x%x%x%x%x%x",1);
fuzzData[17]=loopCreateString("%d%d%d%d%d%d",1);
fuzzData[18]=loopCreateString("A",30);
fuzzData[19]=loopCreateString("A",100);
fuzzData[20]=loopCreateString("A",128);
fuzzData[21]=loopCreateString("A",256);
fuzzData[22]=loopCreateString("A",512);
fuzzData[23]=loopCreateString("A",1024);
fuzzData[24]=loopCreateString("A",2048);
fuzzData[25]=loopCreateString("A",3000);
fuzzData[26]=loopCreateString("A",4000);
fuzzData[27]=loopCreateString("A",5000);
fuzzData[28]=loopCreateString("A",6000);
fuzzData[29]=loopCreateString("A",8000);
fuzzData[30]=loopCreateString("A",10000);
fuzzData[31]=loopCreateString("A",15000);
fuzzData[32]=loopCreateString("A",20000);
fuzzData[33]=loopCreateString("A",25000);
fuzzData[34]=loopCreateString("A",30000);
fuzzData[35]=loopCreateString("A",32767);
fuzzData[36]=loopCreateString("SYS",1);
fuzzData[37]=loopCreateString("ROWID",1);
hints[0]="ALL_ROWS";
hints[1]="AND_EQUAL";
hints[2]="ANTIJOIN";
hints[3]="APPEND";
hints[4]="BITMAP";
hints[5]="BUFFER";
hints[6]="BYPASS_RECURSIVE_CHECK";
hints[7]="BYPASS_UJVC";
hints[8]="CACHE";
hints[9]="CACHE_CB";
hints[10]="CACHE_TEMP_TABLE";
hints[11]="CARDINALITY";
hints[12]="CHOOSE";
hints[13]="CIV_GB";
hints[14]="COLLECTIONS_GET_REFS";
hints[15]="CPU_COSTING";
hints[16]="CUBE_GB";
hints[17]="CURSOR_SHARING_EXACT";
hints[18]="DEREF_NO_REWRITE";
hints[19]="DML_UPDATE";
hints[20]="DOMAIN_INDEX_NO_SORT";
hints[21]="DOMAIN_INDEX_SORT";
hints[22]="DRIVING_SITE";
hints[23]="DYNAMIC_SAMPLING";
hints[24]="DYNAMIC_SAMPLING_EST_CDN";
hints[25]="EXPAND_GSET_TO_UNION";
hints[26]="FACT";
hints[27]="FIRST_ROWS";
hints[28]="FORCE_SAMPLE_BLOCK";
hints[29]="FULL";
hints[30]="GBY_CONC_ROLLUP";
hints[31]="GLOBAL_TABLE_HINTS";
hints[32]="HASH";
hints[33]="HASH_AJ";
hints[34]="HASH_SJ";
hints[35]="HWM_BROKERED";
hints[36]="IGNORE_ON_CLAUSE";
hints[37]="IGNORE_WHERE_CLAUSE";
hints[38]="INDEX_ASC";
hints[39]="INDEX_COMBINE";
hints[40]="INDEX_DESC";
hints[41]="INDEX_FFS";
hints[42]="INDEX_JOIN";
hints[43]="INDEX_RRS";
hints[44]="INDEX_SS";
hints[45]="INDEX_SS_ASC";
hints[46]="INDEX_SS_DESC";
hints[47]="INLINE";
hints[48]="LEADING";
hints[49]="LIKE_EXPAND";
hints[50]="LOCAL_INDEXES";
hints[51]="MATERIALIZE";
hints[52]="MERGE";
hints[53]="MERGE_AJ";
hints[54]="MERGE_SJ";
hints[55]="MV_MERGE";
hints[56]="NESTED_TABLE_GET_REFS";
hints[57]="NESTED_TABLE_SET_REFS";
hints[58]="NESTED_TABLE_SET_SETID";
hints[59]="NL_AJ";
hints[60]="NL_SJ";
hints[61]="NO_ACCESS";
hints[62]="NO_BUFFER";
hints[63]="NO_EXPAND";
hints[64]="NO_EXPAND_GSET_TO_UNION";
hints[65]="NO_FACT";
hints[66]="NO_FILTERING";
hints[67]="NO_INDEX";
hints[68]="NO_MERGE";
hints[69]="NO_MONITORING";
hints[70]="NO_ORDER_ROLLUPS";
hints[71]="NO_PRUNE_GSETS";
hints[72]="NO_PUSH_PRED";
hints[73]="NO_PUSH_SUBQ";
hints[74]="NO_QKN_BUFF";
hints[75]="NO_SEMIJOIN";
hints[76]="NO_STATS_GSETS";
hints[77]="NO_UNNEST";
hints[78]="NOAPPEND";
hints[79]="NOCACHE";
hints[80]="NOCPU_COSTING";
hints[81]="NOPARALLEL";
hints[82]="NOPARALLEL_INDEX";
hints[83]="NOREWRITE";
hints[84]="OR_EXPAND";
hints[85]="ORDERED";
hints[86]="ORDERED_PREDICATES";
hints[87]="OVERFLOW_NOMOVE";
hints[88]="PARALLEL";
hints[89]="PARALLEL_INDEX";
hints[90]="PIV_GB";
hints[91]="PIV_SSF";
hints[92]="PQ_DISTRIBUTE";
hints[93]="PQ_MAP";
hints[94]="PQ_NOMAP";
hints[95]="PUSH_PRED";
hints[96]="PUSH_SUBQ";
hints[97]="REMOTE_MAPPED";
hints[98]="RESTORE_AS_INTERVALS";
hints[99]="REWRITE";
hints[100]="RULE";
hints[101]="SAVE_AS_INTERVALS";
hints[102]="SCN_ASCENDING";
hints[103]="SELECTIVITY";
hints[104]="SEMIJOIN";
hints[105]="SEMIJOIN_DRIVER";
hints[106]="SKIP_EXT_OPTIMIZER";
hints[107]="SQLLDR";
hints[108]="STAR";
hints[109]="STAR_TRANSFORMATION";
hints[110]="SWAP_JOIN_INPUTS";
hints[111]="SYS_DL_CURSOR";
hints[112]="SYS_PARALLEL_TXN";
hints[113]="SYS_RID_ORDER";
hints[114]="TIV_GB";
hints[115]="TIV_SSF";
hints[116]="UNNEST";
hints[117]="USE_ANTI";
hints[118]="USE_CONCAT";
hints[119]="USE_HASH";
hints[120]="USE_MERGE";
hints[121]="USE_NL";
hints[122]="USE_SEMI";
hints[123]="USE_TTT_FOR_GSETS";
hints[124]="BYPASS_RECURSIVE_CHECK";
hints[125]="BYPASS_UJVC";
hints[126]="CACHE_CB";
hints[127]="CACHE_TEMP_TABLE";
hints[128]="CIV_GB";
hints[129]="COLLECTIONS_GET_REFS";
hints[130]="CUBE_GB";
hints[131]="CURSOR_SHARING_EXACT";
hints[132]="DEREF_NO_REWRITE";
hints[133]="DML_UPDATE";
hints[134]="DOMAIN_INDEX_NO_SORT";
hints[135]="DOMAIN_INDEX_SORT";
hints[136]="DYNAMIC_SAMPLING";
hints[137]="DYNAMIC_SAMPLING_EST_CDN";
hints[138]="EXPAND_GSET_TO_UNION";
hints[139]="FORCE_SAMPLE_BLOCK";
hints[140]="GBY_CONC_ROLLUP";
hints[141]="GLOBAL_TABLE_HINTS";
hints[142]="HWM_BROKERED";
hints[143]="IGNORE_ON_CLAUSE";
hints[144]="IGNORE_WHERE_CLAUSE";
hints[145]="INDEX_RRS";
hints[146]="INDEX_SS";
hints[147]="INDEX_SS_ASC";
hints[148]="INDEX_SS_DESC";
hints[149]="LIKE_EXPAND";
hints[150]="LOCAL_INDEXES";
hints[151]="MV_MERGE";
hints[152]="NESTED_TABLE_GET_REFS";
hints[153]="NESTED_TABLE_SET_REFS";
hints[154]="NESTED_TABLE_SET_SETID";
hints[155]="NO_EXPAND_GSET_TO_UNION";
hints[156]="NO_FACT";
hints[157]="NO_FILTERING";
hints[158]="NO_ORDER_ROLLUPS";
hints[159]="NO_PRUNE_GSETS";
hints[160]="NO_STATS_GSETS";
hints[161]="NO_UNNEST";
hints[162]="NOCPU_COSTING";
hints[163]="OVERFLOW_NOMOVE";
hints[164]="PIV_GB";
hints[165]="PIV_SSF";
hints[166]="PQ_MAP";
hints[167]="PQ_NOMAP";
hints[168]="REMOTE_MAPPED";
hints[169]="RESTORE_AS_INTERVALS";
hints[170]="SAVE_AS_INTERVALS";
hints[171]="SCN_ASCENDING";
hints[172]="SKIP_EXT_OPTIMIZER";
hints[173]="SQLLDR";
hints[174]="SYS_DL_CURSOR";
hints[175]="SYS_PARALLEL_TXN";
hints[176]="SYS_RID_ORDER";
hints[177]="TIV_GB";
hints[178]="TIV_SSF";
hints[179]="UNNEST";
hints[180]="USE_TTT_FOR_GSETS";
//sql1 = "select /*+" + orahint + "("+ +") */ * from dual";
//fuzzData[38]=null;
/*
numberFuzzData[0]=-1;
numberFuzzData[1]=-2;
numberFuzzData[2]=0;
numberFuzzData[3]=1;
numberFuzzData[4]=2;
numberFuzzData[5]=2147483647;
numberFuzzData[6]=-2147483647;
numberFuzzData[7]=2147483648l;
numberFuzzData[8]=-2147483648;
numberFuzzData[9]=Long.MAX_VALUE;
numberFuzzData[10]=Long.MIN_VALUE;
fuzzData[0]=loopCreateString("''",1);
strFuzzData[1]=loopCreateString("/"",1);
strFuzzData[2]=loopCreateString("%s%s%s%s%s%s%s",1);
strFuzzData[3]=loopCreateString("%x%x%x%x%x%x",1);
strFuzzData[4]=loopCreateString("%d%d%d%d%d%d",1);
strFuzzData[5]=loopCreateString("A",30);
strFuzzData[6]=loopCreateString("A",100);
strFuzzData[7]=loopCreateString("A",128);
strFuzzData[8]=loopCreateString("A",256);
strFuzzData[9]=loopCreateString("A",512);
strFuzzData[10]=loopCreateString("A",1024);
strFuzzData[11]=loopCreateString("A",2048);
strFuzzData[12]=loopCreateString("A",3000);
strFuzzData[13]=loopCreateString("A",4000);
strFuzzData[14]=loopCreateString("A",5000);
strFuzzData[15]=loopCreateString("A",6000);
strFuzzData[16]=loopCreateString("A",8000);
strFuzzData[17]=loopCreateString("A",10000);
strFuzzData[18]=loopCreateString("A",15000);
strFuzzData[19]=loopCreateString("A",20000);
strFuzzData[20]=loopCreateString("A",25000);
strFuzzData[21]=loopCreateString("A",30000);
strFuzzData[22]=loopCreateString("A",32767);
strFuzzData[23]=null;
strFuzzData[24]=loopCreateString("SYS",1);
strFuzzData[25]=loopCreateString("ROWID",1);
*/
}
public void login(String host,int port,String user,String pass,String sid) throws SQLException, ClassNotFoundException{
Class.forName("oracle.jdbc.driver.OracleDriver");
String url="jdbc:oracle:thin:@"+host+":"+port+":"+sid;
this.url=url;
this.user = user;
this.pass = pass;
connection();
}
private void connection() throws SQLException{
conn = DriverManager.getConnection(url,user,pass);
}
public void logout(){
closeAll(conn,null,null);
}
private void closeAll(Connection con,Statement stmt,ResultSet rs){
if(rs!=null){try{rs.close();}catch (Exception e) {}}
if(stmt!=null){try{stmt.close();}catch (Exception e) {}}
if(con!=null){try{con.close();}catch (Exception e) {}}
}
public void fuzz(){
try {
stmt = conn.createStatement();
} catch (SQLException e) {
e.printStackTrace();
}
for(int hintsc = 40 ; hintsc<hints.length; hintsc++){
System.out.println("FUZZ : "+hints[hintsc]);
for(int fuzzDc = 0; fuzzDc< fuzzData.length;fuzzDc++){
startFuzz(stmt,hints[hintsc]+"( "+ fuzzData[fuzzDc] +" )");
}
}
}
private void startFuzz(Statement fuzzstmt,String run){
try {
sql1 = "select /*+ "+run+"*/ * from dual";
fuzzstmt.execute(sql1);
Thread.sleep(1000);
} catch (Exception e) {
System.out.println(e.getMessage());
if(e.getMessage().indexOf("socket")>-1){
try {
connection();
stmt = conn.createStatement();
} catch (SQLException e1) {
System.out.println("error crash");
}
}
catch0day(e.getMessage(),sql1);
}
}
private void catch0day(String e,String run){
System.out.println(e+"---"+run);
}
public static void main(String[] args) throws SQLException, ClassNotFoundException{
SQLHintFuzzer shf = new SQLHintFuzzer();
shf.login("kj021320PC", 1521, "kj021320", "kj021320", "ORCL");
shf.fuzz();
shf.logout();
}
}