ORACLE HINT 的一些BUG


AUTHOR : KJ0231320
TEAM : I.S.T.O

以下是对ORACLE HINT FUZZ的时候发现的!

-- Author's repro: the hint's argument list contains "--" right before the comment close.
-- The note further down reports this as a syntax error, and says other hints built the
-- same way drop the current connection; the underlying cause is not established here.
select
  /*+ NO_PUSH_PRED(* dual  --)*/    * from   dual


还有好些 HINT 都会出现这样的语法错误,或者会使当前 Connection 会话中断。
研究了好久都没发现具体原因,跟踪不下去了。搁置快有半年了,现在拿出来,后来者可以少走些弯路。
顺便给出FUZZ的代码
  1. package cn.isto.fuzz.oracle;
  2. import java.sql.*;
  3. import java.util.List;
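  /**
   * Sends one probe statement per (hint name, boundary value) pair to an
   * Oracle instance and prints every probe that raised an error, so hints
   * that reject their argument with a parse error, or that drop the session,
   * can be spotted. Each probe is a "select" against DUAL whose hint comment
   * wraps HINT( value ).
   *
   * The SQL text is assembled by string concatenation on purpose: the hint
   * name and its argument are the thing under test, never user input. When
   * the driver reports a socket failure the harness reconnects (the page's
   * author notes that some hints terminate the session) and continues with
   * the next probe.
   *
   * Fixes relative to the listing on the page: the hint table was sized 182
   * for 181 names, so the last pass probed "null( ... )"; a failed
   * createStatement() fell through into a null dereference; a null exception
   * message crashed the socket check; logout() never closed the Statement;
   * and main() was missing the commas between its arguments.
   */
  public class SQLHintFuzzer {
      /** Hint index the run starts from; the page loops from 40, not 0 (a resume point). */
      private static final int RESUME_FROM_HINT = 40;
      /** Pause after each probe, in milliseconds (the page sleeps 1000). */
      private static final long PAUSE_MS = 1000L;

      /** Values substituted as the hint argument, in probe order. */
      private final Object[] fuzzData;
      /** Hint names probed, in order. */
      private final String[] hints;

      private Connection conn;
      Statement stmt = null;
      private String url;
      private String user;
      private String pass;
      /** Text of the most recent probe; reported together with the error when it fails. */
      private String sql1;

      /**
       * Returns {@code initStr} repeated {@code count} times ("" when count is 0 or negative).
       * Static and package-visible so the padding values can be checked without a database.
       */
      static String loopCreateString(String initStr, int count) {
          StringBuilder out = new StringBuilder();
          for (int i = 0; i < count; i++) {
              out.append(initStr);
          }
          return out.toString();
      }

      /** Builds the fixed argument-value and hint-name tables; opens no connection. */
      public SQLHintFuzzer() {
          fuzzData = new Object[] {
              // signed 32-bit and 64-bit boundaries
              -1, -2, 0, 1, 2,
              2147483647, -2147483647, 2147483648L, -2147483648,
              Long.MAX_VALUE, Long.MIN_VALUE,
              // tokens that close a literal, a hint or the statement early
              "'')",
              "\"",   // page shows "/"" (not valid Java); a lone double quote is the likely intent - TODO confirm
              "--",
              "/*",
              // printf-style specifiers
              "%s%s%s%s%s%s%s",
              "%x%x%x%x%x%x",
              "%d%d%d%d%d%d",
              // padding runs, up to the 32767-character value the author chose
              loopCreateString("A", 30),
              loopCreateString("A", 100),
              loopCreateString("A", 128),
              loopCreateString("A", 256),
              loopCreateString("A", 512),
              loopCreateString("A", 1024),
              loopCreateString("A", 2048),
              loopCreateString("A", 3000),
              loopCreateString("A", 4000),
              loopCreateString("A", 5000),
              loopCreateString("A", 6000),
              loopCreateString("A", 8000),
              loopCreateString("A", 10000),
              loopCreateString("A", 15000),
              loopCreateString("A", 20000),
              loopCreateString("A", 25000),
              loopCreateString("A", 30000),
              loopCreateString("A", 32767),
              // identifiers
              "SYS",
              "ROWID",
          };

          // An array literal cannot be over-sized, which is what produced the stray null hint on the page.
          hints = new String[] {
              /*   0 */ "ALL_ROWS", "AND_EQUAL", "ANTIJOIN", "APPEND", "BITMAP",
              /*   5 */ "BUFFER", "BYPASS_RECURSIVE_CHECK", "BYPASS_UJVC", "CACHE", "CACHE_CB",
              /*  10 */ "CACHE_TEMP_TABLE", "CARDINALITY", "CHOOSE", "CIV_GB", "COLLECTIONS_GET_REFS",
              /*  15 */ "CPU_COSTING", "CUBE_GB", "CURSOR_SHARING_EXACT", "DEREF_NO_REWRITE", "DML_UPDATE",
              /*  20 */ "DOMAIN_INDEX_NO_SORT", "DOMAIN_INDEX_SORT", "DRIVING_SITE", "DYNAMIC_SAMPLING", "DYNAMIC_SAMPLING_EST_CDN",
              /*  25 */ "EXPAND_GSET_TO_UNION", "FACT", "FIRST_ROWS", "FORCE_SAMPLE_BLOCK", "FULL",
              /*  30 */ "GBY_CONC_ROLLUP", "GLOBAL_TABLE_HINTS", "HASH", "HASH_AJ", "HASH_SJ",
              /*  35 */ "HWM_BROKERED", "IGNORE_ON_CLAUSE", "IGNORE_WHERE_CLAUSE", "INDEX_ASC", "INDEX_COMBINE",
              /*  40 */ "INDEX_DESC", "INDEX_FFS", "INDEX_JOIN", "INDEX_RRS", "INDEX_SS",
              /*  45 */ "INDEX_SS_ASC", "INDEX_SS_DESC", "INLINE", "LEADING", "LIKE_EXPAND",
              /*  50 */ "LOCAL_INDEXES", "MATERIALIZE", "MERGE", "MERGE_AJ", "MERGE_SJ",
              /*  55 */ "MV_MERGE", "NESTED_TABLE_GET_REFS", "NESTED_TABLE_SET_REFS", "NESTED_TABLE_SET_SETID", "NL_AJ",
              /*  60 */ "NL_SJ", "NO_ACCESS", "NO_BUFFER", "NO_EXPAND", "NO_EXPAND_GSET_TO_UNION",
              /*  65 */ "NO_FACT", "NO_FILTERING", "NO_INDEX", "NO_MERGE", "NO_MONITORING",
              /*  70 */ "NO_ORDER_ROLLUPS", "NO_PRUNE_GSETS", "NO_PUSH_PRED", "NO_PUSH_SUBQ", "NO_QKN_BUFF",
              /*  75 */ "NO_SEMIJOIN", "NO_STATS_GSETS", "NO_UNNEST", "NOAPPEND", "NOCACHE",
              /*  80 */ "NOCPU_COSTING", "NOPARALLEL", "NOPARALLEL_INDEX", "NOREWRITE", "OR_EXPAND",
              /*  85 */ "ORDERED", "ORDERED_PREDICATES", "OVERFLOW_NOMOVE", "PARALLEL", "PARALLEL_INDEX",
              /*  90 */ "PIV_GB", "PIV_SSF", "PQ_DISTRIBUTE", "PQ_MAP", "PQ_NOMAP",
              /*  95 */ "PUSH_PRED", "PUSH_SUBQ", "REMOTE_MAPPED", "RESTORE_AS_INTERVALS", "REWRITE",
              /* 100 */ "RULE", "SAVE_AS_INTERVALS", "SCN_ASCENDING", "SELECTIVITY", "SEMIJOIN",
              /* 105 */ "SEMIJOIN_DRIVER", "SKIP_EXT_OPTIMIZER", "SQLLDR", "STAR", "STAR_TRANSFORMATION",
              /* 110 */ "SWAP_JOIN_INPUTS", "SYS_DL_CURSOR", "SYS_PARALLEL_TXN", "SYS_RID_ORDER", "TIV_GB",
              /* 115 */ "TIV_SSF", "UNNEST", "USE_ANTI", "USE_CONCAT", "USE_HASH",
              /* 120 */ "USE_MERGE", "USE_NL", "USE_SEMI", "USE_TTT_FOR_GSETS",
              // 124-180 repeat names already listed above; kept so the probe order matches the page.
              /* 124 */ "BYPASS_RECURSIVE_CHECK", "BYPASS_UJVC", "CACHE_CB", "CACHE_TEMP_TABLE", "CIV_GB",
              /* 129 */ "COLLECTIONS_GET_REFS", "CUBE_GB", "CURSOR_SHARING_EXACT", "DEREF_NO_REWRITE", "DML_UPDATE",
              /* 134 */ "DOMAIN_INDEX_NO_SORT", "DOMAIN_INDEX_SORT", "DYNAMIC_SAMPLING", "DYNAMIC_SAMPLING_EST_CDN", "EXPAND_GSET_TO_UNION",
              /* 139 */ "FORCE_SAMPLE_BLOCK", "GBY_CONC_ROLLUP", "GLOBAL_TABLE_HINTS", "HWM_BROKERED", "IGNORE_ON_CLAUSE",
              /* 144 */ "IGNORE_WHERE_CLAUSE", "INDEX_RRS", "INDEX_SS", "INDEX_SS_ASC", "INDEX_SS_DESC",
              /* 149 */ "LIKE_EXPAND", "LOCAL_INDEXES", "MV_MERGE", "NESTED_TABLE_GET_REFS", "NESTED_TABLE_SET_REFS",
              /* 154 */ "NESTED_TABLE_SET_SETID", "NO_EXPAND_GSET_TO_UNION", "NO_FACT", "NO_FILTERING", "NO_ORDER_ROLLUPS",
              /* 159 */ "NO_PRUNE_GSETS", "NO_STATS_GSETS", "NO_UNNEST", "NOCPU_COSTING", "OVERFLOW_NOMOVE",
              /* 164 */ "PIV_GB", "PIV_SSF", "PQ_MAP", "PQ_NOMAP", "REMOTE_MAPPED",
              /* 169 */ "RESTORE_AS_INTERVALS", "SAVE_AS_INTERVALS", "SCN_ASCENDING", "SKIP_EXT_OPTIMIZER", "SQLLDR",
              /* 174 */ "SYS_DL_CURSOR", "SYS_PARALLEL_TXN", "SYS_RID_ORDER", "TIV_GB", "TIV_SSF",
              /* 179 */ "UNNEST", "USE_TTT_FOR_GSETS",
          };
      }

      /**
       * Loads the Oracle thin driver, remembers the connection parameters and opens the connection.
       *
       * @throws SQLException           if the connection cannot be opened
       * @throws ClassNotFoundException if the Oracle JDBC driver is not on the classpath
       */
      public void login(String host, int port, String user, String pass, String sid) throws SQLException, ClassNotFoundException {
          Class.forName("oracle.jdbc.driver.OracleDriver");
          this.url = "jdbc:oracle:thin:@" + host + ":" + port + ":" + sid;
          this.user = user;
          this.pass = pass;
          connection();
      }

      /** (Re)opens {@code conn} with the parameters stored by {@link #login}. */
      private void connection() throws SQLException {
          conn = DriverManager.getConnection(url, user, pass);
      }

      /** Closes the Statement and the Connection; the page's version passed null for the Statement and leaked it. */
      public void logout() {
          closeAll(conn, stmt, null);
          stmt = null;
          conn = null;
      }

      /** Best-effort close of each non-null handle, result set first; close failures are deliberately ignored. */
      private static void closeAll(Connection con, Statement st, ResultSet rs) {
          if (rs != null) {
              try { rs.close(); } catch (Exception ignored) { /* best-effort */ }
          }
          if (st != null) {
              try { st.close(); } catch (Exception ignored) { /* best-effort */ }
          }
          if (con != null) {
              try { con.close(); } catch (Exception ignored) { /* best-effort */ }
          }
      }

      /**
       * Runs every value in {@code fuzzData} against every hint from {@code RESUME_FROM_HINT}
       * onwards. Requires {@link #login} to have succeeded first.
       *
       * @throws IllegalStateException if no connection is open
       */
      public void fuzz() {
          if (conn == null) {
              throw new IllegalStateException("login() must succeed before fuzz()");
          }
          try {
              stmt = conn.createStatement();
          } catch (SQLException e) {
              e.printStackTrace();
              return;   // the page's version fell through and dereferenced a null stmt
          }
          for (int hintIdx = RESUME_FROM_HINT; hintIdx < hints.length; hintIdx++) {
              System.out.println("FUZZ : " + hints[hintIdx]);
              for (Object value : fuzzData) {
                  // stmt is re-read on every call because startFuzz replaces it after a reconnect
                  startFuzz(stmt, hints[hintIdx] + "( " + value + " )");
              }
          }
      }

      /**
       * Executes one probe built from {@code run} (already "HINT( value )"), pauses, and on any
       * failure prints the message, reconnects if the driver reported a socket problem, and
       * hands the failing statement to {@link #catch0day}.
       */
      private void startFuzz(Statement fuzzstmt, String run) {
          try {
              sql1 = "select /*+ " + run + "*/ * from dual";
              fuzzstmt.execute(sql1);
              Thread.sleep(PAUSE_MS);
          } catch (Exception e) {
              System.out.println(e.getMessage());
              // getMessage() can be null; the page's indexOf call then threw a NullPointerException
              String msg = e.getMessage() == null ? "" : e.getMessage();
              if (msg.indexOf("socket") > -1) {
                  try {
                      connection();
                      stmt = conn.createStatement();
                  } catch (SQLException e1) {
                      System.out.println("error crash");
                  }
              }
              catch0day(e.getMessage(), sql1);
          }
      }

      /** Reports a failing probe as "message---statement" on standard output. */
      private void catch0day(String e, String run) {
          System.out.println(e + "---" + run);
      }

      /**
       * Entry point. Connection parameters are taken from the arguments
       * (host port user pass sid) and fall back to the values hard-coded on
       * the page; keeping credentials in source is not recommended, so pass
       * them on the command line instead. The page's call was missing the
       * commas between its arguments and did not compile.
       */
      public static void main(String[] args) throws SQLException, ClassNotFoundException {
          String host = args.length > 0 ? args[0] : "kj021320PC";
          int port = args.length > 1 ? Integer.parseInt(args[1]) : 1521;
          String user = args.length > 2 ? args[2] : "kj021320";
          String pass = args.length > 3 ? args[3] : "kj021320";
          String sid = args.length > 4 ? args[4] : "ORCL";

          SQLHintFuzzer shf = new SQLHintFuzzer();
          shf.login(host, port, user, pass, sid);
          try {
              shf.fuzz();
          } finally {
              shf.logout();   // release the handles even if a probe escapes as an unchecked exception
          }
      }
  }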
