我们的一个系统(名为Bibapp https://github.com/BibApp/BibApp的开源发布数据库)进行了SQL注入尝试。它导致了这个错误报告:
A ActionView::Template::Error occurred in publications#index: Mysql::Error: Column 'authority_id' in where clause is ambiguous: SELECT `publications`.`id` AS t0_r0, `publications`.`sherpa_id` AS t0_r1, `publications`.`publisher_id` AS t0_r2, `publications`.`source_id` AS t0_r3, `publications`.`authority_id` AS t0_r4, `publications`.`name` AS t0_r5, `publications`.`url` AS t0_r6, `publications`.`code` AS t0_r7, `publications`.`issn_isbn` AS t0_r8, `publications`.`created_at` AS t0_r9, `publications`.`updated_at` AS t0_r10, `publications`.`place` AS t0_r11, `publications`.`machine_name` AS t0_r12, `publications`.`initial_publisher_id` AS t0_r13, `publishers`.`id` AS t1_r0, `publishers`.`sherpa_id` AS t1_r1, `publishers`.`publisher_source_id` AS t1_r2, `publishers`.`authority_id` AS t1_r3, `publishers`.`publisher_copy` AS t1_r4, `publishers`.`name` AS t1_r5, `publishers`.`url` AS t1_r6, `publishers`.`romeo_color` AS t1_r7, `publishers`.`copyright_notice` AS t1_r8, `publishers`.`created_at` AS t1_r9, `publishers`.`updated_at` AS t1_r10, ! `publishers`.`machine_name` AS t1_r11, `works`.`id` AS t2_r0, `works`.`type` AS t2_r1, `works`.`title_primary` AS t2_r2, `works`.`title_secondary` AS t2_r3, `works`.`title_tertiary` AS t2_r4, `works`.`affiliation` AS t2_r5, `works`.`volume` AS t2_r6, `works`.`issue` AS t2_r7, `works`.`start_page` AS t2_r8, `works`.`end_page` AS t2_r9, `works`.`abstract` AS t2_r10, `works`.`notes` AS t2_r11, `works`.`links` AS t2_r12, `works`.`work_state_id` AS t2_r13, `works`.`work_archive_state_id` AS t2_r14, `works`.`publication_id` AS t2_r15, `works`.`publisher_id` AS t2_r16, `works`.`archived_at` AS t2_r17, `works`.`created_at` AS t2_r18, `works`.`updated_at` AS t2_r19, `works`.`original_data` AS t2_r20, `works`.`batch_index` AS t2_r21, `works`.`scoring_hash` AS t2_r22, `works`.`publication_date` AS t2_r23, `works`.`language` AS t2_r24, `works`.`copyright_holder` AS t2_r25, `works`.`peer_reviewed` AS t2_r26, `works`.`machine_name` AS t2_r27, `works`.`publication_place` AS t2_r28, `works! `.`sponsor` AS t2_r29, `works`.`date_range` AS t2_r30, `works`! .`identifier` AS t2_r31, `works`.`medium` AS t2_r32, `works`.`degree_level` AS t2_r33, `works`.`discipline` AS t2_r34, `works`.`instrumentation` AS t2_r35, `works`.`admin_definable` AS t2_r36, `works`.`user_definable` AS t2_r37, `works`.`authority_publication_id` AS t2_r38, `works`.`authority_publisher_id` AS t2_r39, `works`.`initial_publication_id` AS t2_r40, `works`.`initial_publisher_id` AS t2_r41, `works`.`location` AS t2_r42, `works`.`invited` AS t2_r43, `works`.`open_access` AS t2_r44 FROM `publications` LEFT OUTER JOIN `publishers` ON `publishers`.`id` = `publications`.`publisher_id` LEFT OUTER JOIN `works` ON `works`.`publication_id` = `publications`.`id` AND work_state_id = 3 WHERE (publications.id = authority_id) AND (upper(name) like '(SELECT 1795 FROM(SELECT COUNT(*),CONCAT(0x716b6b6a71,(SELECT (ELT(1795=1795,1))),0x7178767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)%') ORDER BY upper(name) activerecord (3.0.17) lib/active_record/connection_adapters/mysql_adapter.rb:289:in `query'
我想知道这里的'Mysql :: error'是什么意思(编辑:不是与模糊列相关的实际SQL错误,请阅读下一行)。特别是我想知道这个查询是否在数据库上运行。我可以说,至少它失败了,但我不能确切地告诉我在哪里。我会假设Rails在向数据库发送查询之前有防止SQL注入的方法,但这种方法失败了吗? Bibapp运行的是旧版本的Ruby和Rails,1.8.7和3.0.17。
要获得奖金,如果数据库只记录长时间运行的查询,我如何检查数据库是否受到攻击?
答案 0 :(得分:1)
What does this Mysql::Error mean?
You are querying data from multiple tables by joining publications, publishersand works. And it is not clear to MySQL from which table you want to receive authority_id, because at least two of the three tables have a column with that name. Therefore MySQL raised this error.
Was that query ran against the database?
Yes because the error was raised by MySQL not be Rails.
Can I check I if the database was attacked if I only log slow queries?
No. If you do not log all queries then you aren't able to tell which queries have been run against the database.