SQLGrammarException:error executing work ORA-01722: invalid number in SQL | Is SQL injection possible?
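I am a web application tester, and while testing one of the requests I found some SQL errors when breaking the line. It was suggested to me that SQL injection is possible, but I am not sure. Can anyone advise on the risk of SQL injection in this case?
#SQL Error#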
SQLGrammarException:error executing work:ORA-01722: invalid number\n in SQL: select q.* from (SELECT dailyLogTable.studentsDcid,dailyLogTable.studentId,dailyLogTable.schoolID,dailyLogTable.studentLastFirst,\n dailyLogTable.enrollStatus, dailyLogTable.activityId, dailyLogTable.notes,\n dailyLogTable.activityDate, dailyLogTable.activityTime, dailyLogTable.activityType, dailyLogTable.activityCategory, dailyLogTable.medicationDoseId, dailyLogTable.doseUnit\n FROM(\n SELECT\n hc.studentsdcid,\n st.id AS studentId,\n st.SCHOOLID AS schoolID,\n st.LASTFIRST AS studentLastFirst,\n st.ENROLL_STATUS AS enrollStatus,\n hc.id AS activityID,\n CAST(hc.COMMENTS AS VARCHAR(512)) AS notes,\n hc.contactdate AS activityDate,\n hc.timein AS activityTime,\n 'contact_log' AS activityType,\n NULL AS activityCategory,\n NULL AS medicationDoseId,\n NULL AS doseUnit\n FROM HEALTHCONTACTLOG hc\n INNER JOIN STUDENTS st on hc.studentsdcid = st.dcid\n WHERE\n hc.contactdate BETWEEN :startDate AND :endDate\n AND\n st.ENROLL_STATUS = :enrollStatus\n UNION ALL\n SELECT\n hc.studentsdcid,\n st.id AS studentId,\n st.SCHOOLID AS schoolID,\n st.LASTFIRST AS studentLastFirst,\n st.ENROLL_STATUS AS enrollStatus,\n hc.id AS activityID,\n CAST(hc.COMMENTS AS VARCHAR(512)) AS notes,\n hc.PHYSICALDATE AS activityDate,\n '' AS activityTime,'physical_visit' AS activityType,\n NULL AS activityCategory,\n NULL AS medicationDoseId,\n NULL AS doseUnit\n FROM HEALTHPHYSICAL hc\n INNER JOIN STUDENTS st on hc.studentsdcid = st.dcid\n WHERE\n hc.PHYSICALDATE BETWEEN :startDate AND :endDate\n AND\n st.ENROLL_STATUS = :enrollStatus\n UNION ALL\n SELECT\n hsm.studentsdcid,\n st.id AS studentId,\n st.SCHOOLID AS schoolID,\n st.LASTFIRST AS studentLastFirst,\n st.ENROLL_STATUS AS enrollStatus,\n hsm.HEALTHSTUDMONITORID AS activityID,\n hsm.NOTES AS notes,\n hsm.MONITORINGDATE AS activityDate,\n (to_char(hsm.MONITORINGTIME, 'HH24') || ':' || to_char(hsm.MONITORINGTIME, 'MI') || ':' || to_char(hsm.MONITORINGTIME, 'SS')) AS 
activityTime,\n 'monitoring' AS activityType,\n cds.displayvalue AS activityCategory,\n NULL AS medicationDoseId,\n NULL AS doseUnit\n FROM\n HEALTHSTUDMONITOR hsm\n inner join STUDENTS st on hsm.studentsdcid = st.dcid\n inner join codeset cds on cds.codesetid = hsm.monitoringtype\n WHERE\n hsm.MONITORINGDATE BETWEEN :startDate AND :endDate\n AND\n st.ENROLL_STATUS = :enrollStatus\n UNION ALL\n SELECT\n st.dcid AS studentsdcid,\n st.id AS studentId,\n st.SCHOOLID AS schoolID,\n st.LASTFIRST studentLastFirst,\n st.ENROLL_STATUS AS enrollStatus,\n hc.HEALTHOFFICEVISITID AS activityID,\n hc.VISITREASONDESC AS notes,\n hc.visitdate AS activityDate,\n TO_CHAR(hc.VisitTimeIn,'HH24' || CHR(58) || 'MI') AS activityTime,\n 'office_visits' AS activityType,\n NULL AS activityCategory,\n NULL AS medicationDoseId,\n NULL AS doseUnit\n from HEALTHOFFICEVISIT hc\n inner join HealthMainStudRec hms ON hc.HEALTHMAINSTUDRECID = hms.HEALTHMAINSTUDRECID\n inner join STUDENTS st on hms.STUDENTID = st.id\n WHERE\n hc.visitdate BETWEEN :startDate AND :endDate\n AND\n st.ENROLL_STATUS = :enrollStatus\n UNION ALL\n SELECT\n st.dcid AS studentsdcid,\n st.id AS studentId,\n mainrec.SCHOOLNUMBER AS schoolID,\n st.LASTFIRST AS studentLastFirst,\n st.ENROLL_STATUS AS enrollStatus,\n hearing.healthstudhearingid AS activityID,\n hearing.screencomment AS notes,hearing.screendate AS activityDate,\n '' AS activityTime,\n 'screening_view' AS activityType,\n 'hearing_screening' AS activityCategory,\n NULL AS medicationDoseId,\n NULL AS doseUnit\n FROM healthmainstudrec mainrec\n INNER JOIN students st ON mainrec.studentid = st.id\n INNER JOIN healthstudhearing hearing ON hearing.healthmainstudrecid = mainrec.healthmainstudrecid\n WHERE\n hearing.screendate BETWEEN :startDate AND :endDate\n AND\n st.ENROLL_STATUS = :enrollStatus\n UNION ALL\n SELECT\n st.dcid AS studentsdcid,\n st.id AS studentId,\n mainrec.SCHOOLNUMBER AS schoolID,\n st.LASTFIRST AS studentLastFirst,\n st.ENROLL_STATUS AS 
enrollStatus,\n lead.healthstudleadid AS activityID,\n lead.screencomment AS notes,lead.screendate AS activityDate,\n '' AS activityTime,\n 'screening_view' AS activityType,\n 'lead_screening' AS activityCategory,\n NULL AS medicationDoseId,\n NULL AS doseUnit\n FROM healthmainstudrec mainrec\n INNER JOIN students st ON mainrec.studentid = st.id\n INNER JOIN healthstudlead lead ON lead.healthmainstudrecid = mainrec.healthmainstudrecid\n WHERE\n lead.screendate BETWEEN :startDate AND :endDate\n AND\n st.ENROLL_STATUS = :enrollStatus\n UNION ALL\n SELECT\n st.dcid AS studentsdcid,\n st.id AS studentId,\n mainrec.SCHOOLNUMBER AS schoolID,\n st.LASTFIRST studentLastFirst,\n st.ENROLL_STATUS AS enrollStatus,\n oral.healthstudoralid AS activityID,\n oral.screencomment AS notes,oral.screendate AS activityDate,\n '' AS activityTime,\n 'screening_view' AS activityType,\n 'oral_screening' AS activityCategory,\n NULL AS medicationDoseId,\n NULL AS doseUnit\n FROM healthmainstudrec mainrec\n INNER JOIN students st ON mainrec.studentid =st.id\n INNER JOIN HEALTHSTUDORAL oral ON oral.healthmainstudrecid = mainrec.healthmainstudrecid\n WHERE\n oral.screendate BETWEEN :startDate AND :endDate\n AND\n st.ENROLL_STATUS = :enrollStatus\n UNION ALL\n SELECT\n st.dcid AS studentsdcid,\n st.id AS studentId,\n mainrec.SCHOOLNUMBER AS schoolID,\n st.LASTFIRST studentLastFirst,\n st.ENROLL_STATUS AS enrollStatus,\n scolio.healthstudscolioid AS activityID,\n scolio.screencomment AS notes,scolio.screendate AS activityDate,\n '' AS activityTime,\n 'screening_view' AS activityType,\n 'scoliosis_screening' AS activityCategory,\n NULL AS medicationDoseId,\n NULL AS doseUnit\n FROM healthmainstudrec mainrec\n INNER JOIN students st ON mainrec.studentid =st.id\n INNER JOIN HEALTHSTUDSCOLIO scolio ON scolio.healthmainstudrecid = mainrec.healthmainstudrecid\n WHERE\n scolio.screendate BETWEEN :startDate AND :endDate\n AND\n st.ENROLL_STATUS = :enrollStatus\n UNION ALL\n SELECT\n st.dcid AS 
studentsdcid,\n st.id AS studentId,\n mainrec.SCHOOLNUMBER AS schoolID,\n st.LASTFIRST studentLastFirst,\n st.ENROLL_STATUS AS enrollStatus,\n tb.healthstudtbid AS activityID,\n tb.screencomment AS notes,tb.screendate AS activityDate,\n '' AS activityTime,\n 'screening_view' AS activityType,\n 'tuberculosis_screening' AS activityCategory,\n NULL AS medicationDoseId,\n NULL AS doseUnit\n FROM healthmainstudrec mainrec\n INNER JOIN students st ON mainrec.studentid =st.id\n INNER JOIN HEALTHSTUDTB tb ON tb.healthmainstudrecid = mainrec.healthmainstudrecid\n WHERE\n tb.screendate BETWEEN :startDate AND :endDate\n AND\n st.ENROLL_STATUS = :enrollStatus\n UNION ALL\n SELECT\n st.dcid AS studentsdcid,\n st.id AS studentId,\n mainrec.SCHOOLNUMBER AS schoolID,\n st.LASTFIRST studentLastFirst,\n st.ENROLL_STATUS AS enrollStatus,\n vision.healthstudvisionid AS activityID,\n vision.screencomment AS notes,vision.screendate AS activityDate,\n '' AS activityTime,\n 'screening_view' AS activityType,\n 'vision_screening' AS activityCategory,\n NULL AS medicationDoseId,\n NULL AS doseUnit\n FROM healthmainstudrec mainrec\n INNER JOIN students st ON mainrec.studentid =st.id\n INNER JOIN HEALTHSTUDVISION vision ON vision.healthmainstudrecid = mainrec.healthmainstudrecid\n WHERE\n vision.screendate BETWEEN :startDate AND :endDate\n AND\n st.ENROLL_STATUS = :enrollStatus\n UNION ALL\n SELECT\n st.dcid AS studentsdcid,\n st.id AS studentId,\n mainrec.SCHOOLNUMBER AS schoolID,\n st.LASTFIRST studentLastFirst,\n st.ENROLL_STATUS AS enrollStatus,\n vitalsigns.healthvitalsignsid AS activityID,\n vitalsigns.screencomment AS notes,vitalsigns.screendate AS activityDate,\n '' AS activityTime,\n 'screening_view' AS activityType,\n 'vitals_screening' AS activityCategory,\n NULL AS medicationDoseId,\n NULL AS doseUnit\n FROM healthmainstudrec mainrec\n INNER JOIN students st ON mainrec.studentid =st.id\n INNER JOIN HEALTHVITALSIGNS vitalsigns ON vitalsigns.healthmainstudrecid = 
mainrec.healthmainstudrecid\n WHERE\n vitalsigns.screendate BETWEEN :startDate AND :endDate\n AND\n st.ENROLL_STATUS = :enrollStatus\n UNION ALL\n select dcid as studentsdcid, studentId, schoolID, lastfirst as studentLastFirst, enrollStatus,\n activityID, notes, dateGiven as activityDate, timegiven as activityTime, 'medication' as activityType, displayvalue as activityCategory, medicationDoseId, doseUnit\n from (select st.dcid, st.id as studentId, st.schoolid as schoolID, dose.dategiven, dose.timegiven,st.lastfirst, cs.displayvalue, dose.note as notes, dose.id as medicationDoseId, dose.medicationrecordid as activityID, st.enroll_status as enrollStatus, med.unit as doseUnit\n from healthmedadmin dose\n inner join healthmedication med on med.id = dose.medicationrecordid\n inner join codeset cs on med.medicationname = cs.codesetid\n inner join students st on st.dcid = dose.studentsdcid\n where\n dose.dategiven between :startDate and :endDate\n union all\n select s.dcid, s.id as studentId, s.schoolid as schoolID, cd.date_value as dategiven, med.timegiven as timegiven,s.lastfirst, csmed.displayvalue, med.notes, null as medicationDoseId, med.id as activityID, s.enroll_status as enrollStatus, med.unit as doseUnit\n from students s\n inner join healthmedication med on med.studentsdcid = s.dcid\n inner join codeset csmed on csmed.codesetid = med.medicationname\n inner join calendar_day cd on cd.schoolid = s.schoolid\n where\n case\n when med.enddate is null and med.startdate < cd.date_value then 1\n when cd.date_value between med.startdate and med.enddate then 1\n end = 1\n and cd.date_value between :startDate and :endDate\n and cd.insession = 1\n and med.timegiven is not null\n and not exists (select 1 from healthmedadmin md1 where md1.medicationrecordid = med.id and cd.date_value = md1.dategiven))doses\n \n \n WHERE\n enrollStatus = :enrollStatus\n )dailyLogTable) q /*PerfCaptureIdentifier=NQ-health_nurse_daily_log.health.core.mysite.*/"
Bad request
REQUEST IMAGE
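I'm not sure what "upon breaking the line" means here. There doesn't appear to be a SQL injection attack here. It looks like the JSON passed in the request had an enrollStatus of "2000 and select sleep(10)))); --" rather than, presumably, "2000". The query reported in the error message is using bind variables, so this is just Oracle saying "hey, I'm comparing this thing you passed to a numeric value, and I can't seem to convert it to a number". The actual value you passed does not appear in the query, so it is not a SQL injection attack.
Now, from a security standpoint, the error message is leaking a ton of information about the underlying schema that I wouldn't be comfortable giving to an attacker. Knowing that information might help an attacker carry out a SQL injection attack elsewhere in the system or access data they don't have access to.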
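The answer's reasoning can be applied mechanically to an error message during triage. The following is an added example, not part of the original post or of the application it describes: the function names, the shortened sample error text, and the list of Oracle parser error codes are assumptions made for the illustration.

```python
import re
import uuid

# Constructed, shortened stand-in for the error text quoted in the question.
SAMPLE_ERROR = (
    "SQLGrammarException:error executing work:ORA-01722: invalid number\n"
    " in SQL: select q.* from (SELECT hc.studentsdcid, st.id AS studentId"
    " FROM HEALTHCONTACTLOG hc INNER JOIN STUDENTS st on hc.studentsdcid = st.dcid"
    " WHERE hc.contactdate BETWEEN :startDate AND :endDate"
    " AND st.ENROLL_STATUS = :enrollStatus) q"
)
SUBMITTED = "2000 and select sleep(10)))); --"  # enrollStatus value from the answer

# Oracle codes raised by the SQL parser; one of these in response to crafted
# input suggests the input became part of the statement text.
PARSER_ERRORS = {"ORA-00907", "ORA-00933", "ORA-00936", "ORA-01756"}
# Codes raised while converting a value that was already bound.
CONVERSION_ERRORS = {"ORA-01722"}


def triage(error_text, submitted_value):
    """Classify one error message using the checks the answer describes."""
    match = re.search(r"ORA-\d{5}", error_text)
    code = match.group(0) if match else None
    sql = error_text.split("in SQL:", 1)[-1]
    # Named bind placeholders such as :enrollStatus in the reported statement.
    binds = sorted(set(re.findall(r"(?<![:\w]):([A-Za-z_]\w*)", sql)))
    # Does the submitted value appear verbatim in the statement text?
    echoed = submitted_value.lower() in sql.lower()
    if echoed or code in PARSER_ERRORS:
        verdict = "input reached the SQL text: investigate as injection"
    elif binds and code in CONVERSION_ERRORS:
        verdict = "value was bound and failed type conversion: not injection"
    else:
        verdict = "inconclusive: review how the statement is built"
    return {"ora_code": code, "binds": binds, "echoed": echoed, "verdict": verdict}


def leaked_tables(error_text):
    """Table names an outside reader learns from the verbose error."""
    found = re.findall(r"\b(?:FROM|JOIN)\s+([A-Za-z_]\w*)", error_text, re.I)
    return sorted({name.upper() for name in found})


def client_response(error_text, server_log):
    """Keep the detail server-side; the client gets only a reference id."""
    incident = uuid.uuid4().hex[:12]
    server_log.append((incident, error_text))
    return {"status": 400, "error": "Invalid request parameter", "incident": incident}


if __name__ == "__main__":
    print(triage(SAMPLE_ERROR, SUBMITTED))
    print(leaked_tables(SAMPLE_ERROR))
    print(client_response(SAMPLE_ERROR, []))
```

A "not injection" verdict covers only the statement in that one error message; other statements in the same application still need their own review.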