Even more laughable: they do not even defend against the most basic "SQL injection". Fine, you use Hibernate, but then instead of using its object methods you concatenate SQL statements directly; how much of a rookie do you have to be to do that? Only workshop-style testing, framework and specification design could produce this. Even my own development team would not make this mistake.
Hibernate is convenient to develop with, but it has serious efficiency problems. Everybody knows that Hibernate is not suited to large-data development.
http://www.wooyun.org/bugs/wooyun-2010-012758
Defect ID: WooYun-2012-12758
Vulnerability title: A bundle of 12306 vulnerabilities
Related vendor: 中国铁道科学研究院 (China Academy of Railway Sciences)
Vulnerability author: qiaoy
Submitted: 2012-09-27
Vulnerability type: SQL injection
Severity: High
Vulnerability status: Confirmed by the vendor
Vulnerability source: http://www.wooyun.org
Tags: none
org.springframework.dao.DataIntegrityViolationException: could not execute query; SQL [select * from tb_info_clcs where flag = 'Y' and czdm ='G' and ziz like '%1'%' order by cxdm ]; nested exception is org.hibernate.exception.DataException: could not execute query
    at org.springframework.orm.hibernate3.SessionFactoryUtils.convertHibernateAccessException(SessionFactoryUtils.java:642)
    at org.springframework.orm.hibernate3.HibernateAccessor.convertHibernateAccessException(HibernateAccessor.java:412)
    at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:411)
    at org.springframework.orm.hibernate3.HibernateTemplate.executeFind(HibernateTemplate.java:343)
    at com.dzsw.dao.impl.CommonDaoImpl.getListBySql(CommonDaoImpl.java:621)
    at com.dzsw.service.self.information.impl.FwcszsService.query1(FwcszsService.java:27)
    at sun.reflect.GeneratedMethodAccessor132.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
    at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
    at $Proxy138.query1(Unknown Source)
    at com.dzsw.web.action.information.ClcscxAction.clcscx(ClcscxAction.java:91)
    at sun.reflect.GeneratedMethodAccessor155.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:452)
    at com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:291)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:254)
    at com.dzsw.web.interceptor.SecuritySignatureInterceptor.intercept(SecuritySignatureInterceptor.java:69)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at com.opensymphony.xwork2.interceptor.DefaultWorkflowInterceptor.doIntercept(DefaultWorkflowInterceptor.java:176)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at com.opensymphony.xwork2.validator.ValidationInterceptor.doIntercept(ValidationInterceptor.java:263)
    at org.apache.struts2.interceptor.validation.AnnotationValidationInterceptor.doIntercept(AnnotationValidationInterceptor.java:68)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor.intercept(ConversionErrorInterceptor.java:133)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:207)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:207)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:190)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:75)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:94)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:243)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:100)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:141)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at org.apache.struts2.interceptor.debugging.DebuggingInterceptor.intercept(DebuggingInterceptor.java:270)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:145)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:171)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:176)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:164)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:190)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:187)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:248)
    at org.apache.struts2.impl.StrutsActionProxy.execute(StrutsActionProxy.java:52)
    at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:498)
    at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:77)
    at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:91)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
    at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: org.hibernate.exception.DataException: could not execute query
    at org.hibernate.exception.SQLStateConverter.convert(SQLStateConverter.java:102)
    at org.hibernate.exception.JDBCExceptionHelper.convert(JDBCExceptionHelper.java:66)
    at org.hibernate.loader.Loader.doList(Loader.java:2536)
    at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2276)
    at org.hibernate.loader.Loader.list(Loader.java:2271)
    at org.hibernate.loader.custom.CustomLoader.list(CustomLoader.java:316)
    at org.hibernate.impl.SessionImpl.listCustomQuery(SessionImpl.java:1842)
    at org.hibernate.impl.AbstractSessionImpl.list(AbstractSessionImpl.java:165)
    at org.hibernate.impl.SQLQueryImpl.list(SQLQueryImpl.java:157)
    at com.dzsw.dao.impl.CommonDaoImpl$12.doInHibernate(CommonDaoImpl.java:623)
    at com.dzsw.dao.impl.CommonDaoImpl$12.doInHibernate(CommonDaoImpl.java:1)
    at org.springframework.orm.hibernate3.HibernateTemplate.doExecute(HibernateTemplate.java:406)
    ... 85 more
Caused by: java.sql.SQLSyntaxErrorException: ORA-00911: invalid character
    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:445)
    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:396)
    at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:879)
    at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:450)
    at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:192)
    at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:531)
    at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:207)
    at oracle.jdbc.driver.T4CPreparedStatement.executeForDescribe(T4CPreparedStatement.java:884)
    at oracle.jdbc.driver.OracleStatement.executeMaybeDescribe(OracleStatement.java:1167)
    at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1289)
    at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:3593)
    at oracle.jdbc.driver.OraclePreparedStatement.executeQuery(OraclePreparedStatement.java:3637)
    at oracle.jdbc.driver.OraclePreparedStatementWrapper.executeQuery(OraclePreparedStatementWrapper.java:1495)
    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeQuery(NewProxyPreparedStatement.java:76)
    at org.hibernate.jdbc.AbstractBatcher.getResultSet(AbstractBatcher.java:208)
    at org.hibernate.loader.Loader.getResultSet(Loader.java:1953)
    at org.hibernate.loader.Loader.doQuery(Loader.java:802)
    at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:274)
    at org.hibernate.loader.Loader.doList(Loader.java:2533)
    ... 94 more
Look at this query statement:
select * from tb_info_clcs where flag = 'Y' and czdm ='G' and ziz like '%1'%' order by cxdm
No protection against SQL injection.
Look at the technology stack in use: struts2+hibernate3+spring+weblogic
[screenshot]
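The stack trace above is the whole story in one line: the user-supplied value `1'` was pasted into the text of a native SQL query, the stray quote closed the `like '%...%'` literal early, and Oracle rejected the result with ORA-00911. The example below is added here and is not code from the WooYun report or from 12306; it rebuilds the report's query against an in-memory SQLite table standing in for the Oracle table `tb_info_clcs` (table and column names are the ones in the report, the rows are constructed sample data), shows the same `1'` input breaking the concatenated form and a `' or 1=1 --` payload leaking rows past the `flag = 'Y'` filter, then runs the parameterised form that the commenter is asking for. The `build_vulnerable_sql`, `vulnerable_query`, `safe_query` and `escape_like` names are this example's own. In the page's own stack the equivalent fix is to bind the value with `setParameter` on the `SQLQuery` returned by `createSQLQuery`, or to use HQL/Criteria, instead of concatenating the string handed to `getListBySql`.

```python
"""Added example, not from the WooYun report or 12306's code: the report's
concatenated LIKE query beside a parameterised version, run against an
in-memory SQLite table standing in for the Oracle table tb_info_clcs.
Table and column names come from the query in the report; the rows below
are constructed sample data."""
import sqlite3

# Constructed sample rows: (flag, czdm, ziz, cxdm). Only the first two
# should ever be visible to a caller asking for flag='Y' and czdm='G'.
SAMPLE_ROWS = [
    ("Y", "G", "G1", 1),
    ("Y", "G", "G2", 2),
    ("N", "G", "G3", 3),   # flag='N': must never be returned
    ("Y", "D", "D1", 4),   # czdm='D': must never be returned
]


def connect():
    """Fresh in-memory database holding the table named in the report's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tb_info_clcs(flag text, czdm text, ziz text, cxdm integer)")
    conn.executemany("insert into tb_info_clcs values (?,?,?,?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_sql(ziz):
    """The pattern behind the stack trace: user input spliced into the SQL text.
    With ziz = "1'" this returns exactly the statement quoted in the report."""
    return ("select * from tb_info_clcs where flag = 'Y' and czdm ='G' "
            "and ziz like '%" + ziz + "%' order by cxdm")


def vulnerable_query(ziz):
    """Runs the concatenated query. Returns ("ok", rows) or ("error", message).
    Oracle answered the report's input with ORA-00911; SQLite answers with its
    own syntax error. The mechanism is identical: the quote ends the literal."""
    conn = connect()
    try:
        return "ok", conn.execute(build_vulnerable_sql(ziz)).fetchall()
    except sqlite3.Error as exc:
        return "error", str(exc)
    finally:
        conn.close()


def escape_like(value, esc="\\"):
    """Neutralise LIKE metacharacters so the user's text is matched literally.
    Binding stops injection; it does not stop % and _ acting as wildcards."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


# Parameterised form: the value travels separately from the statement text.
SAFE_SQL = ("select * from tb_info_clcs where flag = 'Y' and czdm ='G' "
            "and ziz like ? escape '\\' order by cxdm")


def safe_query(ziz):
    """Bound parameter plus LIKE escaping: quotes in ziz can never change the
    query structure, and wildcards in ziz are treated as ordinary characters."""
    conn = connect()
    try:
        return conn.execute(SAFE_SQL, ("%" + escape_like(ziz) + "%",)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print(build_vulnerable_sql("1'"))        # the exact SQL from the report
    print(vulnerable_query("1'"))            # ('error', ...) like ORA-00911
    print(vulnerable_query("x' or 1=1 --"))  # ('ok', all four rows): filter bypassed
    print(safe_query("x' or 1=1 --"))        # []
    print(safe_query("1"))                   # [('Y', 'G', 'G1', 1)]
    print(safe_query("_"))                   # [] : underscore no longer a wildcard
```

The `' or 1=1 --` case is the one that matters operationally: the report only shows the syntax error, but the same concatenation lets a caller rewrite the WHERE clause and read rows the `flag = 'Y'` condition was meant to hide. Note also that the application returned the full SQL text and stack trace to the client; that disclosure is what made the flaw visible from outside, so production error handling should log the trace server-side and return a generic page.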