[BUG] On Dameng, a parse error for LISTAGG(name,',') WITHIN GROUP (order by sort) causes a SQL injection report #6310

Open
VanityOfWall opened this issue Dec 28, 2024 · 0 comments

VanityOfWall commented Dec 28, 2024

Database Type

Dameng (达梦)

Database Version

8

Druid Version

1.1.21 and 1.2.23

JDK Version

8

Error SQL

LISTAGG(name,',') WITHIN GROUP (order by sort)

Testcase Code

No response

Stacktrace Info

No response

Error Info

Caused by: java.sql.SQLException: sql injection violation, syntax error: syntax error, error in :'THIN GROUP (order by sort) as "name', expect BY, actual LPAREN pos 39, line 1, column 39, token LPAREN : select LISTAGG(name,',') WITHIN GROUP (order by sort) as "name" from sys_org group by pid
at com.alibaba.druid.wall.WallFilter.checkInternal(WallFilter.java:793)
at com.alibaba.druid.wall.WallFilter.connection_prepareStatement(WallFilter.java:210)
at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:568)
at com.alibaba.druid.filter.FilterAdapter.connection_prepareStatement(FilterAdapter.java:930)
at com.alibaba.druid.filter.FilterEventAdapter.connection_prepareStatement(FilterEventAdapter.java:122)
at com.alibaba.druid.filter.FilterChainImpl.connection_prepareStatement(FilterChainImpl.java:568)
at com.alibaba.druid.proxy.jdbc.ConnectionProxyImpl.prepareStatement(ConnectionProxyImpl.java:341)
at com.alibaba.druid.pool.DruidPooledConnection.prepareStatement(DruidPooledConnection.java:350)
at org.apache.ibatis.executor.statement.PreparedStatementHandler.instantiateStatement(PreparedStatementHandler.java:86)
at org.apache.ibatis.executor.statement.BaseStatementHandler.prepare(BaseStatementHandler.java:88)
at org.apache.ibatis.executor.statement.RoutingStatementHandler.prepare(RoutingStatementHandler.java:59)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.ibatis.plugin.Invocation.proceed(Invocation.java:49)
at com.baomidou.mybatisplus.extension.plugins.PaginationInterceptor.intercept(PaginationInterceptor.java:188)
at org.apache.ibatis.plugin.Plugin.invoke(Plugin.java:61)
at com.sun.proxy.$Proxy134.prepare(Unknown Source)
at com.baomidou.mybatisplus.core.executor.MybatisSimpleExecutor.prepareStatement(MybatisSimpleExecutor.java:92)
at com.baomidou.mybatisplus.core.executor.MybatisSimpleExecutor.doQuery(MybatisSimpleExecutor.java:66)
at org.apache.ibatis.executor.BaseExecutor.queryFromDatabase(BaseExecutor.java:325)
at org.apache.ibatis.executor.BaseExecutor.query(BaseExecutor.java:156)
at com.baomidou.mybatisplus.core.executor.MybatisCachingExecutor.query(MybatisCachingExecutor.java:163)
at com.baomidou.mybatisplus.core.executor.MybatisCachingExecutor.query(MybatisCachingExecutor.java:90)
at org.apache.ibatis.session.defaults.DefaultSqlSession.selectList(DefaultSqlSession.java:147)
at org.apache.ibatis.session.defaults.DefaultSqlSession.selectList(DefaultSqlSession.java:140)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.mybatis.spring.SqlSessionTemplate$SqlSessionInterceptor.invoke(SqlSessionTemplate.java:426)
... 45 more
Caused by: com.alibaba.druid.sql.parser.ParserException: syntax error, error in :'THIN GROUP (order by sort) as "name', expect BY, actual LPAREN pos 39, line 1, column 39, token LPAREN
at com.alibaba.druid.sql.parser.SQLParser.printError(SQLParser.java:344)
at com.alibaba.druid.sql.parser.SQLParser.accept(SQLParser.java:352)
at com.alibaba.druid.sql.parser.SQLSelectParser.parseGroupBy(SQLSelectParser.java:777)
at com.alibaba.druid.sql.dialect.db2.parser.DB2SelectParser.query(DB2SelectParser.java:99)
at com.alibaba.druid.sql.parser.SQLSelectParser.query(SQLSelectParser.java:362)
at com.alibaba.druid.sql.parser.SQLSelectParser.select(SQLSelectParser.java:61)
at com.alibaba.druid.sql.parser.SQLStatementParser.parseSelect(SQLStatementParser.java:2562)
at com.alibaba.druid.sql.parser.SQLStatementParser.parseStatementList(SQLStatementParser.java:248)
at com.alibaba.druid.sql.parser.SQLStatementParser.parseStatementList(SQLStatementParser.java:182)
at com.alibaba.druid.wall.WallProvider.checkInternal(WallProvider.java:624)
at com.alibaba.druid.wall.WallProvider.check(WallProvider.java:578)
at com.alibaba.druid.wall.WallFilter.checkInternal(WallFilter.java:782)
... 76 more

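This occurs with both Druid 1.1.21 and 1.2.23. listagg() within group seems to be parsed as "thin group", which causes the SQL injection error. Unless the firewall feature is turned off, the error is always reported.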

VanityOfWall changed the title from "[BUG] On Dameng, LISTAGG(name,',') WITHIN GROUP (order by sort) detection error" to "[BUG] On Dameng, a parse error for LISTAGG(name,',') WITHIN GROUP (order by sort) causes a SQL injection report" on Dec 28, 2024
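
The issue has no test case, so here is a standalone reproduction, added as an example and not taken from the issue or from the Druid project. It runs the reported statement through Druid's wall check under the DB2 dialect (the parser class in the stack trace is DB2SelectParser), under the Oracle dialect for comparison, and again with `strictSyntaxCheck` disabled. The class name `ListaggWallRepro` is hypothetical, and the Druid jar is assumed to be on the classpath.

```java
import com.alibaba.druid.wall.Violation;
import com.alibaba.druid.wall.WallCheckResult;
import com.alibaba.druid.wall.WallProvider;
import com.alibaba.druid.wall.spi.DB2WallProvider;
import com.alibaba.druid.wall.spi.OracleWallProvider;

// Hypothetical class name; added example, not Druid project code.
public class ListaggWallRepro {
    // Statement copied from the "Error Info" section of the issue.
    static final String SQL =
        "select LISTAGG(name,',') WITHIN GROUP (order by sort) as \"name\" "
        + "from sys_org group by pid";

    // Run the wall check and print every violation it records.
    static void report(String label, WallProvider provider) {
        WallCheckResult result = provider.check(SQL);
        System.out.println(label + ": violations=" + result.getViolations().size());
        for (Violation v : result.getViolations()) {
            System.out.println("  " + v.getMessage());
        }
    }

    public static void main(String[] args) {
        // DB2 dialect, default config: the dialect the stack trace shows in use.
        report("db2, default config", new DB2WallProvider());

        // Oracle dialect, for comparison of how the same statement is parsed.
        report("oracle, default config", new OracleWallProvider());

        // strictSyntaxCheck is the WallConfig option that controls whether a
        // parser failure is recorded as a violation. Turning it off is narrower
        // than disabling the wall filter, but any statement the parser cannot
        // read then passes without being inspected.
        WallProvider lenient = new DB2WallProvider();
        lenient.getConfig().setStrictSyntaxCheck(false);
        report("db2, strictSyntaxCheck=false", lenient);
    }
}
```

Run it against each Druid version in question (1.1.21 and 1.2.23 in this report) to see which dialect and setting combination produces the syntax-error violation.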