带有dbms_random 会报sql注入

  • zb1
  • 2018-11-28 10:19

Sql: select * from user_export  order by dbms_random.value 

2018-11-28 10:15:01,624 ERROR[com.tzsw.bj.core.web.interceptor.ExceptionInterceptor:61]- com.jfinal.plugin.activerecord.ActiveRecordException: java.sql.SQLException: sql injection violation, deny object : dbms_random : select * from user_export  order by dbms_random.value 

at com.jfinal.plugin.activerecord.Model.find(Model.java:586)

at com.tzsw.bj.api.manage.model.UserExpert.extract1(UserExpert.java:73)

at com.tzsw.bj.api.manage.controller.UserExpertController.extract(UserExpertController.java:122)

at sun.reflect.GeneratedMethodAccessor77.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:606)

at com.jfinal.aop.Invocation.invoke(Invocation.java:73)

at com.jfinal.ext.interceptor.SessionInViewInterceptor.intercept(SessionInViewInterceptor.java:44)

at com.jfinal.aop.Invocation.invoke(Invocation.java:67)

at com.tzsw.bj.core.web.interceptor.ExceptionInterceptor.intercept(ExceptionInterceptor.java:37)

at com.jfinal.aop.Invocation.invoke(Invocation.java:67)

at com.jfinal.core.ActionHandler.handle(ActionHandler.java:87)

at com.jfinal.ext.handler.UrlSkipHandler.handle(UrlSkipHandler.java:46)

at com.jfinal.ext.handler.ContextPathHandler.handle(ContextPathHandler.java:48)

at com.jfinal.core.JFinalFilter.doFilter(JFinalFilter.java:73)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)

at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)

at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)

at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)

at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)

at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)

at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)

at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)

at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)

at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)

at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)

at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

at org.springframework.session.web.http.SessionRepositoryFilter.doFilterInternal(SessionRepositoryFilter.java:167)

at org.springframework.session.web.http.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:80)

at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)

at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)

at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)

at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)

at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)

at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)

at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

at java.lang.Thread.run(Thread.java:745)


要怎么解决


项目:JFinal

评论区

earthsomeday

2019-04-01 11:05

请问你这问题怎么处理的
 回复

dasda

2019-05-10 15:45

druid 设置wallconfig false 打完收工
 回复

潘多拉贡

2020-01-19 11:38

@dasda 请问大佬,具体是如何设置,我这边没找到wallconfig设置为false的地方
 回复

JFinal

2020-01-20 16:24

这个问题显然是 jfinal 无法干预的,是底层 JDBC 或者数据库认定你的 sql 是 sql 注入,改改 sql 或者数据库配置试试
 回复
我要反馈

热门反馈

扫码入社