[20160919]sql注入例子.txt
--许多开发喜欢拚接sql语句,而不是使用绑定变量,而这样带来一个问题就是给注入攻击提供了可能,从别人的网站炒一个例子:
1.环境:
SCOTT@book> @ &r/ver1
PORT_STRING VERSION BANNER
------------------------------ -------------- --------------------------------------------------------------------------------
x86_64/Linux 2.4.xx 11.2.0.4.0 Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
create table tx (fname varchar2(20),lname varchar2(20), id number);
insert into tx values ('aa','aaa',100);
insert into tx values ('bb','bbb',101);
commit;
create or replace procedure get_code (p_fname varchar2 default null)
is
type c is ref cursor;
cv c;
vcode tx.id%type;
v_stmt varchar2(300);
begin
v_stmt := 'select id from tx where fname='''||p_fname||'''';
dbms_output.put_line('sql query : '||v_stmt);
open cv for v_stmt;
loop
fetch cv into vcode;
exit when cv%notfound;
dbms_output.put_line('code is '||vcode);
end loop;
close cv;
exception when others then
dbms_output.put_line(sqlerrm);
dbms_output.put_line('sql query '||v_stmt);
end;
/
2.测试:
SCOTT@book> set serveroutput on
SCOTT@book> exec get_code('aa');
sql query : select id from tx where fname='aa'
code is 100
PL/SQL procedure successfully completed.
SCOTT@book> exec get_code('x'' union select id from tx where ''x''=''x');
sql query : select id from tx where fname='x' union select id from tx where 'x'='x'
code is 100
code is 101
PL/SQL procedure successfully completed.
--这就是拼接可能导致的问题。
3.我个人一直认为开发oltp系统大量的不使用绑定变量(当然前提是合理),是一个不成熟的团队,可惜国内的大部分开发团队从这点讲基本
都做不到,更可怕的是你跟他们讲依旧重复这个错误,从这点看国内开发团队大部分都长不大,都是豆腐渣团队.悲哀啊
