CN101267357B - A SQL injection attack detection method and system - Google Patents


Info

Publication number
CN101267357B
Authority
CN
China
Prior art keywords
sql
injection attacks
sql injection
value
data
Prior art date
Legal status
Expired - Fee Related
Application number
CN2007101453988A
Other languages
Chinese (zh)
Other versions
CN101267357A (en)
Inventor
叶润国
骆拥政
李博
朱钱杭
鲁文忠
王洋
周涛
Current Assignee
Beijing Venus Information Technology Co Ltd
Original Assignee
Beijing Venus Information Technology Co Ltd
Priority date
Filing date
Publication date

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A SQL injection attack detection method and system are provided, comprising a SQL injection attack detection knowledge base construction phase and a real-time SQL injection attack detection phase. Construction of the knowledge base comprises collecting SQL injection attack samples from various scenarios, classifying the SQL injection techniques, and building SQL injection attack detection grammar rules for each SQL injection technique; the real-time detection phase comprises extracting and decoding the user input data in the HTTP request message and matching it against the SQL injection attack detection grammar rules. The invention defines the SQL injection attack detection grammar rules in terms of the SQL grammar itself instead of defining them from traditional attack signatures. This overcomes the shortcomings that the attack signatures of SQL injection attack events are difficult to extract and easy to evade, and significantly reduces the false positive rate and the false negative rate of an intrusion detection system when detecting SQL injection attacks.

Description

A SQL injection attack detection method and system
Technical field
The present invention relates to the field of network security detection technology, and in particular to a SQL injection attack detection method and system that can be used in intrusion detection and defence products.
Background technology
SQL (Structured Query Language) is the conventional database-oriented data processing language standard for querying, inserting, updating and deleting data; creating, modifying and deleting database objects; providing database security mechanisms; and controlling database integrity and data protection. A SQL injection attack means that an attacker exploits the defect that an existing application does not strictly check and filter user input data, injects malicious SQL commands into the back-end database engine for execution, and thereby steals data or even takes control of the database server. The root cause of SQL injection vulnerabilities is that the application uses user input data to construct dynamic SQL statements without performing any security check or filtering on that data. A SQL injection vulnerability can exist in any application that uses a back-end database; the most common are web applications such as ASP/JSP/Perl. A web application is an application model in which client and server communicate using HTTP (Hypertext Transfer Protocol). The present invention focuses on the detection of SQL injection attacks against web applications.
By exploiting a SQL injection vulnerability, an attacker can bypass the application's authentication process, steal and tamper with sensitive back-end application data, add administrator accounts, upload and download illegal files and install trojans and bots, and even take control of the entire database server. SQL injection attacks have become the most serious category of security attack at present. According to statistics, 60% of the security incidents that occur today are SQL injection attack incidents. In 2006, the international vulnerability organisation CVE announced 1078 SQL injection vulnerability incidents, more than 50% of the total number of vulnerabilities it announced. Even more seriously, the announced SQL injection vulnerability incidents come only from statistics on the SQL injection vulnerabilities of general-purpose applications; the large number of SQL injection vulnerabilities present in special-purpose web applications (including banking and government networks) cannot be counted at all.
The generality and seriousness of the SQL injection vulnerability problem have attracted the attention of customers and the network security community, and some network intrusion detection/prevention vendors have studied the detection of SQL injection attacks and proposed some SQL injection detection methods. However, these SQL injection attack detection methods are all based on the attack signature detection technology of traditional intrusion detection systems: for example, finding the keyword 'SELECT' in a user input data field is taken to indicate a possible SQL injection attack attempt. Such SQL injection attack detection methods, which continue to use the attack signatures of traditional intrusion detection systems, have the following problems: SQL injection attack signatures are difficult to extract accurately, causing a very high false positive rate; and SQL injection attack signatures are easily evaded, causing a very high false negative rate.
Summary of the invention
The present invention aims to overcome the shortcomings of existing SQL injection attack detection methods, namely that attack signatures are extracted inaccurately and are easily evaded, by providing a SQL injection attack detection method and system based on SQL injection attack detection grammar rules. The basis of SQL injection attack detection in the present invention is that, although SQL injection attack techniques are changeable, they cannot escape one constraint: the injected part must, in whole or in part, conform to the SQL grammar.
The object of the invention is achieved through the following technical solutions:
A SQL injection attack detection method comprises two stages, a SQL injection attack detection knowledge base construction stage and a real-time SQL injection attack detection stage, wherein
A) the SQL injection attack detection knowledge base construction stage comprises the following steps:
101. collecting SQL injection attack samples from various scenarios;
102. classifying these samples by the pair {dynamic SQL template type, SQL injection point position}, each class representing one SQL injection attack technique;
103. establishing, for each class of SQL injection attack technique, SQL injection attack detection rules that conform to the SQL grammar;
104. collating all the SQL injection attack detection rules that conform to the SQL grammar to form the SQL injection attack detection knowledge base;
B) the real-time SQL injection attack detection stage comprises the following steps:
201. extracting from the HTTP request the user input data that may contain a SQL injection attack, including URL parameters, COOKIE data and FORM data;
202. splitting the user input data, according to its data type, into a plurality of {name, value} pairs, denoted {NAME, VALUE};
203. for each {NAME, VALUE} pair, decoding the VALUE string by the HTTP decoding method to restore the original format of the user data;
204. for each decoded VALUE string, checking whether it matches any top-level SQL injection attack detection grammar rule in the previously constructed SQL injection attack detection knowledge base: if it matches, a corresponding SQL injection attack attempt has been detected and execution jumps to step 205; otherwise, return;
205. generating a corresponding SQL injection attack alert event.
A SQL injection attack detection system, wherein the system comprises three modules:
a user data acquisition module, which intercepts the HTTP requests submitted by web users and extracts from each HTTP request the user input data that may contain a SQL injection attack, including URL parameters, form data and COOKIE data;
a SQL injection attack detection module, which first splits the user input data extracted by the user data acquisition module into {NAME, VALUE} pairs according to its type; then decodes each VALUE string by the HTTP decoding rules; and finally, for each decoded VALUE string, performs lexical analysis and grammar recognition with a SQL lexical analyser and a SQL syntax analyser under both the numeric-field usage mode and the text-field usage mode, and produces a SQL injection alarm signal if the decoded VALUE string matches any top-level SQL injection detection grammar rule;
a SQL injection alarm module, which receives the SQL injection alarm signal produced by the SQL injection attack detection module and extracts the key data of the SQL injection attack event, where the key data may comprise any combination of the host, the URL, the raw data submitted by the user and the decoded user data; the reported SQL injection alert event may be displayed on a local alarm console or sent to a remote alarm console for inspection by the network administrator.
Preferably, in the SQL injection attack detection method of the present invention, during the knowledge base construction stage, when SQL injection detection rules are established for each type of SQL injection technique, the rules established are SQL injection detection grammar rules conforming to the SQL grammar, and these rules cover all SQL injection commands supported by that type of SQL injection technique.
Preferably, in the SQL injection attack detection method of the present invention, during the knowledge base construction stage, after SQL injection detection rules conforming to the SQL grammar have been established for all types of SQL injection technique, a corresponding SQL lexical analyser and SQL syntax analyser can be created on the basis of all the SQL injection attack detection grammar rules.
Preferably, in the real-time SQL injection attack detection stage of the method, when the user input data is split according to its data type: URL-parameter type user input data is split into a plurality of {NAME, VALUE} pairs by the "&" and "=" characters; COOKIE type user input data is split into a plurality of {NAME, VALUE} pairs by the ";" and "=" characters; and FORM type user input data is first decoded according to the form data encoding format specified in the HTTP protocol header and then split into a plurality of {NAME, VALUE} pairs.
Preferably, in the real-time SQL injection attack detection stage of the method, the process of matching a decoded VALUE string against the SQL injection attack detection grammar rules comprises the following steps:
501. assuming that the decoded VALUE string under examination will appear in some type of dynamic SQL template in numeric-field mode, perform lexical analysis on it with the SQL lexical analyser to obtain a SQL token sequence;
502. perform SQL injection attack grammar recognition on the SQL token sequence output by step 501 with the SQL syntax analyser; if the token sequence is found to match some SQL injection attack detection grammar rule, a SQL injection attack event has been detected in this VALUE string and execution jumps to step 505; otherwise execute step 503;
503. assuming that the decoded VALUE string will appear in some type of dynamic SQL template in text-field mode, first add a single quote character on each side of the VALUE string, then analyse it with the SQL lexical analyser to obtain a SQL token sequence;
504. perform SQL injection attack grammar recognition on the SQL token sequence output by step 503 with the SQL syntax analyser; if the token sequence is found to match some SQL injection attack detection grammar rule, a SQL injection attack event has been detected in this VALUE string and execution jumps to step 505; otherwise finish;
505. produce a corresponding SQL injection alarm signal.
Preferably, in the SQL injection grammar matching process of the real-time detection stage, when the decoded VALUE string is checked against the SQL injection attack detection grammar rules, the text-field mode may be used for a first round of SQL injection attack detection and the numeric-field mode for a second round.
The beneficial effects of the SQL injection attack detection method and system of the present invention are as follows. The invention uses the SQL grammar to define the SQL injection attack detection rules for each class of SQL injection attack technique, rather than defining them from the attack signatures of traditional intrusion detection systems; this effectively overcomes the shortcomings that the attack signatures of SQL injection attack events are difficult to extract and easy to evade, and can greatly reduce the false positive rate and false negative rate when an intrusion detection system detects SQL injection attacks. The method does not need to build a model of normal behaviour, and so avoids the learning problem of traditional anomaly detection methods. Although the SQL commands a hacker injects when launching a SQL injection attack are highly flexible, the injected part must conform to the SQL grammar; therefore the SQL injection attack detection rules defined in conformance with the SQL grammar for the various SQL injection attack techniques are generic, and can detect medium- and high-level SQL injection attack events. In addition, the SQL grammar of each relational database is very stable and is generally only extended when a new database version appears, so SQL injection attack detection rules defined on the SQL grammar are equally stable and need not be updated frequently. The method and system can be widely applied in all network security products that need to detect or filter SQL injection attacks, such as intrusion detection systems and intrusion prevention systems.
Description of drawings
Fig. 1 is a flow chart of the SQL injection attack detection knowledge base construction stage of the SQL injection detection method;
Fig. 2 is a workflow diagram of the real-time SQL injection detection stage of the SQL injection detection method;
Fig. 3 shows the SQL injection attack detection grammar rule matching process of the real-time SQL injection detection stage of the method;
Fig. 4 is a module diagram of the SQL injection attack detection system of the present invention.
Embodiment
The present invention is further described below with reference to the drawings and embodiments.
The SQL injection attack detection method of the present invention comprises two working stages: the SQL injection attack detection knowledge base construction stage and the real-time SQL injection attack detection stage.
As shown in Figure 1, the SQL injection attack detection knowledge base construction stage comprises the following steps:
101) collecting SQL injection attack samples from various scenarios;
SQL injection vulnerabilities originate in the use, during web database program development, of the dynamic SQL feature supported by each relational database. All popular relational databases, including MS SQL Server, ORACLE, DB2, Informix, MySQL and PostgreSQL, support the use of dynamic SQL in web database program development. The dynamic SQL templates that may be used in general web database program development include SELECT, INSERT, DELETE, UPDATE and subqueries. When these dynamic SQL templates are used, a SQL injection vulnerability may be introduced wherever user input data is not strictly checked and filtered. For example, for the SELECT type dynamic SQL template, user input data is generally introduced in the WHERE clause. In the ASP (Active Server Pages) script shown in Table 1, which uses an MS SQL SERVER database on the back end, the SELECT type dynamic SQL template directly uses the name field data submitted by the user without strict checking or filtering, and therefore introduces a SQL injection vulnerability: an attacker can enter "ann'; Delete from authors where '1'<'2" in the name field, so that the SQL statement submitted for execution on the back end becomes "select * from authors where au_lname='ann'; Delete from authors where '1'<'2'", and if permissions allow, the hacker may thereby succeed in deleting the Authors table through this SQL injection attack!
Table 1: ASP script containing a SQL injection vulnerability

```vbscript
Set conn = Server.CreateObject("ADODB.Connection")
conn.open "testpubs", "userl", "123456"
Set SQLStmt = Server.CreateObject("ADODB.Command")
Set RS = Server.CreateObject("ADODB.Recordset")
name = Request.Form("name")
' The user-supplied name is concatenated straight into the dynamic SQL statement
CommandString = "select * from authors where au_fname='" + name + "'"
SQLStmt.CommandText = CommandString
Set SQLStmt.ActiveConnection = Conn
RS.Open SQLStmt
```
As with the SELECT type dynamic SQL template, for the other types of dynamic SQL template a SQL injection vulnerability is introduced whenever the data submitted by the user is applied directly in the dynamic SQL template without strict checking and filtering.
102) classifying the collected SQL injection attack samples;
For each of the dynamic SQL templates described above, a given class of template may have several SQL injection point positions. For example, for the UPDATE type dynamic SQL template, the SQL injection point may lie in the WHERE clause of the template or in its SET clause. For each class of dynamic SQL template, the different SQL injection points determine the hacker's SQL injection technique, and thus determine the grammar rules of the SQL commands the hacker can inject into that dynamic SQL template. For example, in the UPDATE type dynamic SQL template shown in Table 2, the SQL command grammar usable at the Salary injection point is completely different from that usable at the User injection point. The SALARY injection point lies in the SET clause of the UPDATE template; injecting "123 Where USER='xiaoye'--" in the SALARY field turns the SQL statement submitted to the back end into "UPDATE Employees SET SALARY=123 WHERE USER='xiaoye'--WHERE USER=xiaoming", so this SQL injection attack changes the salary of the employee named xiaoye to 123. The User injection point lies in the WHERE clause of the template; injecting "xiaoming' or '1'='1" in the User field turns the SQL statement submitted to the back end into "UPDATE Employees SET SALARY=123 WHERE USER='xiaoming' or '1'='1'", so this SQL injection attack changes every employee's salary to 123. Here the SQL injection command grammars of the Salary field and of the User field are completely different and cannot be interchanged; doing so would cause the SQL injection to fail.
Table 2: UPDATE type dynamic SQL template with two SQL injection points

```vbscript
Salary = Request.Form("Salary")
User = Request.Cookies("User")
' Salary is used unquoted (numeric field), User is wrapped in single quotes (text field)
CmdStr = "UPDATE Employees SET SALARY=" + Salary + " WHERE USER='" + User + "'"
Conn.execute CmdStr
```
It can be seen that a dynamic SQL template of one type may have several SQL injection points, and the SQL command grammar that each injection point allows to be injected is different. Therefore, when classifying SQL injection attack samples, the present invention partitions them by the pair {dynamic SQL template type, SQL injection point}; for example, {UPDATE template, SET clause injection point} forms one class and {UPDATE template, WHERE clause injection point} forms another. Each class of SQL injection attack sample obtained in this way corresponds to one SQL injection attack technique, and each such technique is easily described by one or a few SQL injection attack detection grammar rules.
103) establishing SQL injection attack detection grammar recognition rules for each class of SQL injection attack technique;
For each class of SQL injection attack technique classified as above, the grammar rules of the SQL injection commands it supports are few and can be enumerated, thereby yielding the corresponding top-level SQL injection attack detection grammar rules. Table 3 lists the top-level SQL injection attack detection grammar rules established by the present invention for each class of SQL injection technique.
Table 3: SQL injection attack detection grammar rules established for each SQL injection technique (technique class, followed by the detection grammar rules for that class)

{ SELECT, WHERE clause }
1.1) scalar_exp {AND|OR} search_condition [sql-statement-list]
1.2) scalar_exp [{AND|OR} search_condition] [GROUP-Clause] [Having-Clause] [Order-clause] [compute-clause] [sql-statement-list]
1.3) scalar_exp [{AND|OR} search_condition] UNION select_statement [sql-statement-list]
1.4) scalar_exp [;] sql-statement-list

{ DELETE, WHERE clause }
2.1) scalar_exp {AND/OR search_condition} [sql-statement-list]
2.2) scalar_exp [;] sql-statement-list

{ UPDATE, WHERE clause }
3.1) scalar_exp {AND|OR} search_condition [sql-statement-list]
3.2) scalar_exp [{AND|OR} search_condition] [GROUP-Clause] [Having-Clause] [Order-clause] [compute-clause] [sql-statement-list]
3.3) scalar_exp [{AND|OR} search_condition] UNION select_statement [sql-statement-list]
3.4) scalar_exp [;] sql-statement-list

{ UPDATE, SET clause }
4.1) scalar_exp [;] sql-statement-list
4.2) scalar_exp ',' field_assign_list [where-clause] [sql-statement-list]

{ INSERT, VALUES clause }
5.1) scalar_exp ',' insert_atom_list ')' [;] [sql-statement-list]
5.2) scalar_exp ')' [;] sql-statement-list

{ SubQuery, WHERE clause }
6.1) scalar_exp [{AND/OR search_condition}] ')' UNION select-statement [;] [sql-statement-list]
6.2) scalar_exp {AND/OR search_condition} ')' [;] sql-statement-list
6.3) scalar_exp ')' [;] sql-statement-list
Finally, with reference to the SQL99 grammar specification of the international standards organisation ANSI, the grammar rules of each clause appearing in the top-level SQL injection attack detection grammar rules of Table 3 are defined for each relational database. The top-level rules defined in Table 3, together with the SQL99-conforming grammar rules defined for each relevant clause, jointly constitute the SQL injection attack detection grammar rule base that the method uses to recognise all types of SQL injection technique.
To enable those of ordinary skill in the art to grasp the top-level SQL injection attack detection grammar rules in Table 3, and to design the corresponding SQL lexical analyser and SQL syntax analyser accordingly, each top-level detection grammar rule established in Table 3 for the various types of SQL injection technique is described below in natural language.
[1] SQL command grammar structure of the { SELECT, WHERE clause } class of SQL injection attack technique
【1.1】scalar_exp {AND|OR} search_condition [sql-statement-list]
Detection grammar rule 1.1 expresses: assuming the current dynamic SQL template is the SELECT template and the SQL injection point lies in the WHERE clause, if the data format detected in a user input field is: first a scalar expression, then a SQL search condition joined by AND or OR, and finally possibly one or more SQL statements, then the user input data in that field is a SQL injection attack attempt against the WHERE clause of the dynamic SQL SELECT template.
【1.2】scalar_exp [{AND|OR} search_condition] [GROUP-Clause] [Having-Clause] [Order-clause] [compute-clause] [sql-statement-list]
Detection grammar rule 1.2 expresses: assuming the current dynamic SQL template is the SELECT template and the SQL injection point lies in the WHERE clause, if the data format detected in a user input field is: first a scalar expression; then possibly a SQL search condition joined by AND or OR; then possibly any combination of a GROUP clause, HAVING clause, ORDER clause and COMPUTE clause; and finally possibly one or more SQL statements, then the user input data in that field is a SQL injection attack attempt against the WHERE clause of the dynamic SQL SELECT template.
【1.3】scalar_exp [{AND|OR} search_condition] UNION select_statement [sql-statement-list]
Detection grammar rule 1.3 expresses: assuming the current dynamic SQL template is the SELECT template and the SQL injection point lies in the WHERE clause, if the data format detected in a user input field is: first a scalar expression, then possibly a SQL search condition joined by AND or OR, then a SELECT statement joined by the UNION keyword, and finally possibly one or more SQL statements, then the user input data in that field is a SQL injection attack attempt against the WHERE clause of the dynamic SQL SELECT template.
【1.4】scalar_exp [;] sql-statement-list
Detection grammar rule 1.4 expresses: assuming the current dynamic SQL template is the SELECT template and the SQL injection point lies in the WHERE clause, if the data format detected in a user input field is: first a scalar expression, then possibly a semicolon, followed by one or more SQL statements, then the user input data in that field is a SQL injection attack attempt against the WHERE clause of the dynamic SQL SELECT template.
[2] SQL command grammar structure of the { DELETE, WHERE clause } class of SQL injection attack technique
【2.1】scalar_exp {AND/OR search_condition} [sql-statement-list]
Detection grammar rule 2.1 expresses: assuming the current dynamic SQL template is the DELETE template and the SQL injection point lies in the WHERE clause, if the data format detected in a user input field is: first a scalar expression; then possibly a SQL search condition joined by AND or OR; and finally possibly one or more SQL statements, then the user input data in that field is a SQL injection attack attempt against the WHERE clause of the dynamic SQL DELETE template.
【2.2】scalar_exp [;] sql-statement-list
Detection grammar rule 2.2 expresses: assuming the current dynamic SQL template is the DELETE template and the SQL injection point lies in the WHERE clause, if the data format detected in a user input field is: first a scalar expression, then possibly a semicolon, followed by one or more SQL statements, then the user input data in that field is a SQL injection attack attempt against the WHERE clause of the dynamic SQL DELETE template.
[3] SQL command grammar structure of the { UPDATE, WHERE clause } class of SQL injection attack technique
【3.1】scalar_exp {AND|OR} search_condition [sql-statement-list]
Detection grammar rule 3.1 expresses: assuming the current dynamic SQL template is the UPDATE template and the SQL injection point lies in the WHERE clause, if the data format detected in a user input field is: first a scalar expression, then a SQL search condition joined by AND or OR, and finally possibly one or more SQL statements, then the user input data in that field is a SQL injection attack attempt against the WHERE clause of the dynamic SQL UPDATE template.
【3.2】scalar_exp [{AND|OR} search_condition] [GROUP-Clause] [Having-Clause] [Order-clause] [compute-clause] [sql-statement-list]
Detection grammar rule 3.2 expresses: assuming the current dynamic SQL template is the UPDATE template and the SQL injection point lies in the WHERE clause, if the data format detected in a user input field is: first a scalar expression; then possibly a SQL search condition joined by AND or OR; then possibly any combination of a GROUP clause, HAVING clause, ORDER clause and COMPUTE clause; and finally possibly one or more SQL statements, then the user input data in that field is a SQL injection attack attempt against the WHERE clause of the dynamic SQL UPDATE template.
【3.3】scalar_exp [{AND|OR} search_condition] UNION select_statement [sql-statement-list]
Detection grammar rule 3.3 expresses: assuming the current dynamic SQL template is the UPDATE template and the SQL injection point lies in the WHERE clause, if the data format detected in a user input field is: first a scalar expression, then possibly a SQL search condition joined by AND or OR, then a SELECT statement joined by the UNION keyword, and finally possibly one or more SQL statements, then the user input data in that field is a SQL injection attack attempt against the WHERE clause of the dynamic SQL UPDATE template.
【3.4】scalar_exp [;] sql-statement-list
Detection grammar rule 3.4 expresses: assuming the current dynamic SQL template is the UPDATE template and the SQL injection point lies in the WHERE clause, if the data format detected in a user input field is: first a scalar expression, then possibly a semicolon, followed by one or more SQL statements, then the user input data in that field is a SQL injection attack attempt against the WHERE clause of the dynamic SQL UPDATE template.
[four] SQL command syntactic structures of the {UPDATE, SET clause} class of SQL injection technique
【4.1】scalar_exp [;] sql-statement-list
Detection grammar rule 4.1 states: assume the current dynamic SQL template is an UPDATE template and the SQL injection point lies in its SET clause. If the data in a user input field has the following format: first a scalar expression; then, optionally, a semicolon; then one or more SQL statements, then the user input data in that field is a SQL injection attempt against the SET clause of a dynamic UPDATE template.
【4.2】scalar_exp ',' field_assign_list [where-clause] [sql-statement-list]
Detection grammar rule 4.2 states: assume the current dynamic SQL template is an UPDATE template and the SQL injection point lies in its SET clause. If the data in a user input field has the following format: first a scalar expression; then, optionally, a comma; then a series of field assignment clauses; then, optionally, a WHERE clause; and finally, optionally, one or more SQL statements, then the user input data in that field is a SQL injection attempt against the SET clause of a dynamic UPDATE template.
[five] SQL command syntactic structures of the {INSERT, VALUES clause} class of SQL injection technique
【5.1】scalar_exp ',' insert_atom_list ')' [;] [sql-statement-list]
Detection grammar rule 5.1 states: assume the current dynamic SQL template is an INSERT template and the SQL injection point lies in its VALUES clause. If the data in a user input field has the following format: first a scalar expression; then a comma; then a series of field-value expression clauses; then, optionally, a semicolon; and finally, optionally, one or more SQL statements, then the user input data in that field is a SQL injection attempt against the VALUES clause of a dynamic INSERT template.
【5.2】scalar_exp ')' [;] sql-statement-list
Detection grammar rule 5.2 states: assume the current dynamic SQL template is an INSERT template and the SQL injection point lies in its VALUES clause. If the data in a user input field has the following format: first a scalar expression; then a closing parenthesis; and finally, optionally, one or more SQL statements, then the user input data in that field is a SQL injection attempt against the VALUES clause of a dynamic INSERT template.
[six] SQL command syntactic structures of the {SubQuery, WHERE clause} class of SQL injection technique
【6.1】scalar_exp [{AND|OR} search_condition] ')' UNION select-statement [;] [sql-statement-list]
Detection grammar rule 6.1 states: assume the current dynamic SQL template is a SELECT subquery template and the SQL injection point lies in its WHERE clause. If the data in a user input field has the following format: first a scalar expression; then, optionally, a query expression joined by the AND or OR keyword; then a closing parenthesis; then a SELECT statement joined by the UNION keyword; then, optionally, a semicolon; and finally, optionally, one or more SQL statements, then the user input data in that field is a SQL injection attempt against the WHERE clause of a dynamic SELECT subquery template.
【6.2】scalar_exp {AND|OR} search_condition ')' [;] sql-statement-list
Detection grammar rule 6.2 states: assume the current dynamic SQL template is a SELECT subquery template and the SQL injection point lies in its WHERE clause. If the data in a user input field has the following format: first a scalar expression; then a query expression joined by the AND or OR keyword; then a closing parenthesis; then, optionally, a semicolon; and finally, optionally, one or more SQL statements, then the user input data in that field is a SQL injection attempt against the WHERE clause of a dynamic SELECT subquery template.
【6.3】scalar_exp ')' [;] sql-statement-list
Detection grammar rule 6.3 states: assume the current dynamic SQL template is a SELECT subquery template and the SQL injection point lies in its WHERE clause. If the data in a user input field has the following format: first a scalar expression; then a closing parenthesis; then, optionally, a semicolon; and finally one or more SQL statements, then the user input data in that field is a SQL injection attempt against the WHERE clause of a dynamic SELECT subquery template.
104) Build the SQL lexical analyzer and SQL parser from the SQL injection attack detection grammar rule base;
First, a SQL lexical analyzer conforming to the ANSI SQL-99 standard is built. It performs lexical analysis on the decoded {VALUE} string under test and identifies a sequence of SQL tokens: SQL reserved words, operators, constants of various kinds, and so on. Then a SQL parser is built from the set of detection grammar rules established above; it parses the token stream output by the lexical analyzer to determine whether that stream matches the detection grammar rule of one of the SQL injection techniques listed above.
The SQL lexical analyzer of the invention can be written by hand or generated with a lexical analyzer generator such as FLEX (a popular open-source lexical analyzer generator). Likewise, the SQL parser of the invention can be written by hand or generated with a parser generator such as BISON (a popular open-source parser generator).
The steps of the real-time SQL injection attack detection phase of the invention are shown in Figure 2. So that those of ordinary skill in the art can understand the invention, the execution details of each step of this phase are described below.
201) Extract from the HTTP request the user input data that may contain a SQL injection attack, namely the URL parameters, the COOKIE and the FORM data;
In a Web database application, the user enters the data to be processed through a Web browser and submits a processing request over the HTTP protocol; the processing result is returned to the user over the same channel. The Web application server receives the request as an HTTP message, obtains the user's input data from it, and processes that data according to its business logic. During this processing the server may need to access the back-end database, which it does by constructing dynamic SQL statements and submitting them to the database for execution. When constructing such statements the server generally uses the input data obtained from the Web user and places it directly into the dynamic SQL statement; if that input is not carefully checked and filtered, a SQL injection vulnerability may be introduced. In a Web application the input data obtained from the user comes mainly from three sources: URL (Uniform Resource Locator) parameters, COOKIEs (a mechanism by which a Web application obtains input data from the client) and FORM data. These three data sources are therefore the focus of SQL injection attack detection.
The input data submitted by the Web user can be obtained in any of the following ways: 1) intercept, in bypass, bridge or routing mode, all HTTP messages sent from Web clients to the Web application server, reassemble the HTTP stream, parse the HTTP protocol, and extract the URL parameters, COOKIE and FORM data from the HTTP message; 2) intercept the user's data processing request in HTTP proxy mode and extract the URL parameters, COOKIE and FORM data directly from the HTTP message; 3) intercept the request to be processed by the Web application server as a component embedded in that server and extract the URL parameters, COOKIE and FORM data directly from the HTTP message.
202) According to the type of user data, split the submitted data into a number of {name, value} pairs, denoted {NAME, VALUE};
In a Web application the three data sources, URL parameters, COOKIE and form data, carry the input data submitted by the Web user; they are the places where a SQL injection vulnerability may be introduced and are the monitoring focus of the SQL injection attack detection method of the invention. Table 4 gives format examples of the three types of user input data supported by the invention.
Table 4: Format examples of the three types of user input data supported by the invention
URL parameters: /cgi-bin/getinfo?tid=123&tname=xiaoye
COOKIE: Sid=12345-234;Channel=movie
Form data: name=xiaoming&title=hello+how+are+you%3F
According to the HTTP standard, the URL parameters sit at the tail of the URL string, separated from it by the '?' character, and consist of a number of {NAME, VALUE} pairs of the form NAME=VALUE separated by the '&' character; a COOKIE consists of a number of {NAME, VALUE} pairs of the form NAME=VALUE separated by the ';' character; and form data in the basic encoding format consists of a number of {NAME, VALUE} pairs of the form NAME=VALUE separated by the '&' character. When splitting user input data into {NAME, VALUE} pairs, the {NAME, VALUE} separator for that type of input data must therefore first be determined from the type of the data; only then can the data be split correctly using the determined separator. For example, the URL parameter example in Table 4 splits into two {NAME, VALUE} pairs, {tid, 123} and {tname, xiaoye}.
203) Decode the {VALUE} string of each {NAME, VALUE} pair according to the HTTP encoding and decoding rules, restoring the original format of the user data;
According to the HTTP standard, a Web browser encodes a {VALUE} string as follows: a character that has no special meaning and is printable is left unchanged after encoding, as with the {VALUE} string "123" of the pair {tid, 123} in the URL parameter example of Table 4; a character that has a special meaning or is not printable is encoded in %XX hexadecimal form, as in the form data example of Table 4, where in the {VALUE} string "hello+how+are+you%3F" of the pair {title, hello+how+are+you%3F} the space character is encoded as the '+' character and the '?' character as %3F. Decoding a {VALUE} string therefore only requires applying the encoding rules of the HTTP protocol in reverse to recover the original data entered by the user; the {VALUE} string "hello+how+are+you%3F" of Table 4, for instance, decodes to "hello how are you?".
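As an added example (not code from the patent), the following Python script carries out steps 201 to 203 on a constructed copy of the Table 5 request: it parses the raw HTTP message, takes the URL parameters, the Cookie header and any form body, splits each source into {NAME, VALUE} pairs with that source's separator, and decodes every VALUE. The request text, the POST variant and the field names are constructed for the example.

```python
"""Added example (not part of the patent): steps 201-203 of the real-time phase,
run on a constructed copy of the Table 5 request. The raw request is parsed, the
three monitored sources (URL parameters, COOKIE, FORM data) are split into
{NAME, VALUE} pairs with the separator proper to each source, and every VALUE is
decoded by the HTTP rules ('+' is a space, %XX a hex-encoded byte)."""
from urllib.parse import unquote_plus

# Constructed sample modelled on Table 5. Assumption: the space the page prints
# inside "from users" is written '+'-encoded here so that the request line parses.
SAMPLE_GET_REQUEST = (
    "GET /cgi-bin/getinfo.exe?uid=12345+union+select+*+from+users&uname=xiaoye HTTP/1.1\r\n"
    "ACCEPT: image/gif, image/jpeg\r\n"
    "ACCEPT-Language: zh-cn\r\n"
    "User-Agent: mozilla/4.0\r\n"
    "Host: www.testhost.com\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: SID=123456-23455;Channel=movie%27+or+%271%27%3D%271\r\n"
    "\r\n"
)

# Constructed sample: the Table 4 form data submitted as a POST body.
SAMPLE_POST_REQUEST = (
    "POST /cgi-bin/post.exe HTTP/1.1\r\n"
    "Host: www.testhost.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 40\r\n"
    "\r\n"
    "name=xiaoming&title=hello+how+are+you%3F"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def split_pairs(data, separator):
    """Cut 'NAME=VALUE<sep>NAME=VALUE...' into (NAME, VALUE) tuples; VALUE is still encoded."""
    pairs = []
    for item in data.split(separator):
        item = item.strip()
        if item:
            name, _, value = item.partition("=")
            pairs.append((name.strip(), value))
    return pairs


def extract_user_data(raw):
    """Steps 201-202: the three sources, each split with its own separator."""
    _method, target, headers, body = parse_request(raw)
    query = target.partition("?")[2]          # URL parameters follow the '?'
    content_type = headers.get("content-type", "")
    form = body if content_type.startswith("application/x-www-form-urlencoded") else ""
    return {
        "url": split_pairs(query, "&"),
        "cookie": split_pairs(headers.get("cookie", ""), ";"),
        "form": split_pairs(form, "&"),
    }


def decode_value(value):
    """Step 203: '+' becomes a space and %XX a byte; other characters stay as they are."""
    return unquote_plus(value)


def decoded_user_data(raw):
    """{NAME, VALUE} pairs of every source with VALUE restored to the user's original data."""
    return {source: [(name, decode_value(value)) for name, value in pairs]
            for source, pairs in extract_user_data(raw).items()}


if __name__ == "__main__":
    for source, pairs in decoded_user_data(SAMPLE_GET_REQUEST).items():
        print(source, pairs)
```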
204) Using the previously built SQL injection attack detection grammar rules, perform grammar matching on each decoded {VALUE} string to detect whether it contains a SQL injection attempt;
If a decoded {VALUE} string is used by the Web application to construct a dynamic SQL statement of some type, it is used in one of two ways:
Text-field usage mode: the user input data is treated as text data, and when the dynamic SQL statement is constructed a single quote is added on each side of it. For example, the USER field of the UPDATE dynamic SQL template in Table 2 treats the user-submitted USER value as text; if the value obtained from the user for USER is xiaoye, the template adds a single quote on each side of it, giving 'xiaoye'.
Numeric-field usage mode: the user input data is treated as numeric data, and when the dynamic SQL statement is constructed it is not wrapped in two single quotes. For example, if the value obtained from the user for the SALARY field of the UPDATE dynamic SQL template in Table 2 is 123, it is used in the template as 123.
User input data used in text-field mode has a single quote added on each side when it is used, whereas user input data used in numeric-field mode does not. The SQL lexical analysis result is therefore completely different under the two modes, and the lexical analysis result directly determines the subsequent SQL parsing result.
The method of the invention is a SQL injection attack detection method that is independent of any particular Web application. When it checks user input data for SQL injection attacks it therefore generally cannot predict whether the Web application will use that data in numeric-field or text-field mode. Consequently, when checking a decoded {VALUE} string, the method performs a detection scan under each of the two assumed usage modes: it first assumes the decoded {VALUE} string is used in the dynamic SQL template in numeric-field mode and checks, in that mode, whether it contains a SQL injection attack; if no attack is detected, it then assumes the decoded {VALUE} string is used in text-field mode and checks, in that mode, whether it contains a SQL injection attack.
The SQL injection attack detection grammar rule matching process that the method of the invention applies to a decoded {VALUE} string is described below with reference to Figure 3:
501. Assume the decoded {VALUE} string is used in the dynamic SQL template in numeric-field mode; feed the decoded {VALUE} string directly into the SQL lexical analyzer for lexical analysis, obtaining the SQL token sequence for numeric-field mode;
502. The SQL parser matches the token sequence output by step 501 against the SQL injection attack detection grammar rules. If the token sequence matches one of the detection grammar rules above, a SQL injection attack has been detected; jump to step 505. Otherwise continue with step 503;
503. Assume the decoded {VALUE} string is used in the dynamic SQL template in text-field mode; first add a single quote on each side of the decoded {VALUE} string, then feed it into the SQL lexical analyzer for lexical analysis, obtaining the SQL token sequence;
504. The SQL parser matches the token sequence output by step 503 against the SQL injection attack detection grammar rules. If the token sequence matches one of the detection grammar rules above, a SQL injection attack has been detected; jump to step 505. Otherwise no SQL injection attempt has been detected in the decoded {VALUE} string, and the process returns.
In the matching process described above, the order of the two detection scans of the decoded {VALUE} string may be reversed: one may first assume the decoded {VALUE} string is used in the dynamic SQL template in text-field mode and check, in that mode, whether it contains a SQL injection attack, and, if no attack is detected, then assume the decoded {VALUE} string is used in numeric-field mode and check, in that mode, whether it contains a SQL injection attack.
As shown in Figure 4, the SQL injection attack detection system of the invention comprises three modules:
User data acquisition module: intercepts the HTTP requests submitted by Web users and extracts from them the user input data that may contain a SQL injection attack, namely URL parameters, form data and COOKIE data;
SQL injection attack detection module: first splits the data extracted by the user data acquisition module into {NAME, VALUE} pairs according to the user data type; then decodes each {VALUE} according to the HTTP decoding rules; finally, for each decoded {VALUE} string, performs lexical analysis and grammar-rule matching with the SQL lexical analyzer and SQL parser under both the numeric-field and the text-field usage mode, so as to find possible SQL injection attempts.
SQL injection alarm module: receives the SQL injection alarm signal produced by the SQL injection attack detection module and extracts the key data of the SQL injection attack event; the key data may include any combination of the host, the URL, the raw data submitted by the user and the decoded user data. The reported SQL injection alert event can be shown on a local alarm console or sent to a remote alarm console for the network administrator to review.
The user data acquisition module is connected to, and passes data to, the SQL injection attack detection module; the SQL injection attack detection module is connected to, and passes data to, the SQL injection alarm module.
So that those of ordinary skill in the art fully understand each implementation step of the invention, a specific embodiment is given below. Suppose the HTTP request shown in Table 5 has been intercepted.
First, the user input data that may contain a SQL injection attack is obtained from the HTTP request message for the three fields URL parameters, COOKIE and FORM data. Here:
the URL parameters are "uid=12345+union+select+*+from users&uname=xiaoye";
the COOKIE is "SID=123456-23455;Channel=movie%27+or+%271%27%3D%271";
the FORM data is empty.
Table 5: An HTTP request example containing a SQL injection attack
GET /cgi-bin/getinfo.exe?uid=12345+union+select+*+from users&uname=xiaoye HTTP/1.1\r\n
ACCEPT: image/gif, image/jpeg\r\n
ACCEPT-Language: zh-cn\r\n
ACCEPT-Encoding: gzip, deflate\r\n
User-Agent: mozilla/4.0\r\n
Host: www.testhost.com\r\n
Connection: Keep-Alive\r\n
Cookie: SID=123456-23455;Channel=movie%27+or+%271%27%3D%271\r\n
\r\n
Next, the user input data above is split into {NAME, VALUE} pairs according to data type, giving:
URL parameters: {uid, 12345+union+select+*+from users}, {uname, xiaoye}
COOKIE: {SID, 123456-23455}, {Channel, movie%27+or+%271%27%3D%271}
Then the {VALUE} string of each {NAME, VALUE} pair is decoded according to the HTTP decoding standard, giving the decoded {VALUE} strings:
decoded {VALUE} strings of the URL parameters: {12345 union select * from users}, {xiaoye}
decoded {VALUE} strings of the COOKIE: {123456-23455}, {movie' or '1'='1}
Finally, the SQL injection attack detection grammar rule matching process is applied to each decoded {VALUE} string:
For the decoded {VALUE} string {12345 union select * from users}: first assume it is used in the dynamic SQL template in numeric-field mode; the SQL lexical analyzer yields the token sequence (12345, union, select, *, from, users). The SQL parser then matches this token sequence against the grammar rules and finds that it matches the detection grammar rule of Table 2 (scalar_exp [{AND|OR} search_condition] UNION select_statement [sql-statement-list]). A SQL injection attempt has thus been detected in the uid field of the URL parameters; a SQL injection attack alarm is raised and detection for the uid field ends;
For the decoded {VALUE} string {xiaoye}: first assume it is used in the dynamic SQL template in numeric-field mode; lexical analysis with the SQL lexical analyzer yields the token sequence (xiaoye), and the SQL parser finds that it matches none of the detection grammar rules of Table 2. Then assume the decoded {VALUE} string {xiaoye} is used in text-field mode: add a single quote on each side, giving {'xiaoye'}; lexical analysis yields the token sequence ('xiaoye'), and the parser again finds no match with any detection grammar rule of Table 2. No SQL injection attempt is therefore detected in the uname field of the URL parameters;
For the decoded {VALUE} string {123456-23455}: first assume it is used in the dynamic SQL template in numeric-field mode; lexical analysis yields the token sequence (123456, -, 23455); the parser finds that, although this token sequence is a SQL expression, it matches none of the detection grammar rules of Table 2. Then assume the decoded {VALUE} string {123456-23455} is used in text-field mode: add a single quote on each side, giving {'123456-23455'}; lexical analysis yields the token sequence ('123456-23455'), which again matches none of the detection grammar rules of Table 2. No SQL injection attempt is therefore detected in the SID field of the COOKIE;
For the decoded {VALUE} string {movie' or '1'='1}: first assume it is used in the dynamic SQL template in numeric-field mode; lexical analysis yields the token sequence (movie, ' or ', 1, '=', 1), which the parser finds matches none of the detection grammar rules of Table 2. Then assume the decoded {VALUE} string {movie' or '1'='1} is used in text-field mode: add a single quote on each side, giving {'movie' or '1'='1'}; lexical analysis yields the token sequence ('movie', or, '1', =, '1'), which matches the detection grammar rule of Table 2 (scalar_exp {AND|OR} search_condition [sql-statement-list]). A SQL injection attempt has therefore been detected in the Channel field of the COOKIE, and a SQL injection attack alarm is raised.
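The following Python code is an added example (not the patent's FLEX/BISON analyzers) of the matching process of steps 501 to 504 and of the embodiment above, run on the decoded {VALUE} strings of Table 5: a small SQL lexer and three of the detection grammar rules, tried first in numeric-field mode and then in text-field mode. The recognizers for scalar_exp, search_condition, select_statement and sql-statement-list are simplified approximations of the SQL-99 grammar and are an assumption of the example.

```python
"""Added example (not part of the patent): a small SQL lexer plus three of the page's
detection grammar rules, tried in the two-round order of steps 501-504. Assumption: the
SQL-99 nonterminals are approximated by simplified recognizers that take (tokens, i) and
return the index just past the construct, or None; a rule must account for every token."""
import re
KEYWORDS = {"AND", "OR", "UNION", "ALL", "SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "EXEC"}
STATEMENT_START = {"SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "EXEC"}
COMPARE = {"=", "<>", "!=", "<", ">", "<=", ">="}
ARITH = {"+", "-", "*", "/"}
_TOKEN = re.compile(r"""(?P<ws>\s+) | (?P<comment>--[^\n]*|/\*.*?\*/) | (?P<string>'(?:[^']|'')*')
    | (?P<number>\d+(?:\.\d+)?) | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
    | (?P<op><>|!=|<=|>=|[=<>+\-*/]) | (?P<punct>[(),;]) | (?P<bad>.)""", re.VERBOSE | re.DOTALL)

def lex(sql):
    """(kind, text) tokens; whitespace and comments dropped, keywords upper-cased, junk is 'bad'."""
    tokens = []
    for m in _TOKEN.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "word":
            kind, text = ("kw", text.upper()) if text.upper() in KEYWORDS else ("ident", text)
        if kind not in ("ws", "comment"):
            tokens.append((kind, text))
    return tokens

def _is(tokens, i, kind, text=None):
    return i < len(tokens) and tokens[i][0] == kind and text in (None, tokens[i][1])
def _kw_in(tokens, i, words):
    return _is(tokens, i, "kw") and tokens[i][1] in words

def _atom(tokens, i):
    return i + 1 if any(_is(tokens, i, k) for k in ("number", "string", "ident")) else None

def scalar_exp(tokens, i):
    """atom (arith-op atom)*"""
    i = _atom(tokens, i)
    while i is not None and _is(tokens, i, "op") and tokens[i][1] in ARITH and _atom(tokens, i + 1):
        i += 2
    return i

def _predicate(tokens, i):
    """scalar_exp comparison-op scalar_exp"""
    j = scalar_exp(tokens, i)
    if j is not None and _is(tokens, j, "op") and tokens[j][1] in COMPARE:
        return scalar_exp(tokens, j + 1)
    return None

def search_condition(tokens, i):
    """predicate ({AND|OR} predicate)*"""
    i = _predicate(tokens, i)
    while i is not None and _kw_in(tokens, i, ("AND", "OR")) and _predicate(tokens, i + 1) is not None:
        i = _predicate(tokens, i + 1)
    return i

def sql_statement_list(tokens, i):
    """Simplified: statements of the form <statement keyword> ... ';', a ';' only before another statement or the end."""
    if not _kw_in(tokens, i, STATEMENT_START):
        return None
    while i < len(tokens):
        if _is(tokens, i, "punct", ";") and i + 1 < len(tokens) and not _kw_in(tokens, i + 1, STATEMENT_START):
            return None
        i += 1
    return i

def _tail(tokens, i):
    """The optional [;] [sql-statement-list] that closes a rule; every token must be used."""
    if i is not None and _is(tokens, i, "punct", ";"):
        i += 1
    return i is not None and (i == len(tokens) or sql_statement_list(tokens, i) == len(tokens))

RULE_AND_OR = "scalar_exp {AND|OR} search_condition [sql-statement-list]"
RULE_UNION = "scalar_exp [{AND|OR} search_condition] UNION select_statement [sql-statement-list]"
RULE_STACKED = "scalar_exp [;] sql-statement-list"

def match_and_or(tokens):
    i = scalar_exp(tokens, 0)
    if i is None or not _kw_in(tokens, i, ("AND", "OR")):
        return False
    return _tail(tokens, search_condition(tokens, i + 1))

def match_union(tokens):
    i = scalar_exp(tokens, 0)
    if i is not None and _kw_in(tokens, i, ("AND", "OR")):
        i = search_condition(tokens, i + 1)
    if i is None or not _is(tokens, i, "kw", "UNION"):
        return False
    i += 2 if _is(tokens, i + 1, "kw", "ALL") else 1           # UNION [ALL] select_statement ...
    return _is(tokens, i, "kw", "SELECT") and sql_statement_list(tokens, i) == len(tokens)

def match_stacked(tokens):
    i = scalar_exp(tokens, 0)
    if i is not None and _is(tokens, i, "punct", ";"):
        i += 1
    return i is not None and sql_statement_list(tokens, i) == len(tokens)

def detect(value):
    """Steps 501-504 on one decoded VALUE string: (mode, rule) of the first match, else None."""
    for mode, candidate in (("numeric", value), ("text", "'" + value + "'")):
        for rule, matcher in ((RULE_AND_OR, match_and_or), (RULE_UNION, match_union), (RULE_STACKED, match_stacked)):
            if matcher(lex(candidate)):
                return mode, rule
    return None
```

Calling detect() on the four decoded strings of Table 5 reports the uid value in numeric-field mode against the UNION rule and the Channel value in text-field mode against the AND/OR rule, while xiaoye and 123456-23455 match nothing in either mode.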

Claims (7)

1. A SQL injection attack detection method comprising two phases, building a SQL injection attack detection knowledge base and real-time SQL injection attack detection, characterized in that:
A) the SQL injection attack detection knowledge base building phase comprises the following steps:
101. collect SQL injection attack samples from various scenarios;
102. classify the samples by the pair {dynamic SQL template type, SQL injection point position}, each class of samples representing one SQL injection technique;
103. for each class of SQL injection technique, establish SQL injection attack detection grammar rules that conform to SQL grammar;
104. collate all the SQL injection attack detection grammar rules conforming to SQL grammar to form the SQL injection attack detection knowledge base;
B) the real-time SQL injection attack detection phase comprises the following steps:
201. extract from the HTTP request the user input data that may contain a SQL injection attack, namely URL parameters, COOKIE and FORM data;
202. according to the user data type, split the user input data into a number of {name, value} pairs, denoted {NAME, VALUE};
203. decode the {VALUE} string of each {NAME, VALUE} pair according to the HTTP decoding standard, restoring the original format of the user data;
204. for each decoded {VALUE} string, detect whether it matches one of the SQL injection attack detection grammar rules above in the SQL injection attack detection knowledge base: if it does not match, finish; otherwise the corresponding SQL injection attack has been detected, and step 205 is executed;
205. generate a SQL injection attempt alert event.
2. The SQL injection attack detection method of claim 1, characterized in that in step 103 of the SQL injection attack detection knowledge base building phase, the SQL injection attack detection grammar rules established for each class of SQL injection technique are the grammar rules, conforming to SQL grammar, of the SQL injection commands, and these detection grammar rules cover all the SQL injection commands supported by that SQL injection technique.
3. The SQL injection attack detection method of claim 1, characterized in that in step 104 of the SQL injection attack detection knowledge base building phase, a corresponding SQL lexical analyzer and SQL parser are created on the basis of all the SQL injection attack detection grammar rules.
4. The SQL injection attack detection method of claim 1, characterized in that in step 202 of the real-time SQL injection attack detection phase: user data of the URL parameter type is split into a number of {NAME, VALUE} pairs by the '&' and '=' characters; user data of the COOKIE type is split into a number of {NAME, VALUE} pairs by the ';' and '=' characters; user data of the FORM type is first decoded according to the form data encoding format specified in the HTTP header and then split into a number of {NAME, VALUE} pairs.
5. The SQL injection attack detection method of claim 3, characterized in that, for each decoded {VALUE} string under test, the SQL injection attack detection grammar rule matching process of the real-time SQL injection attack detection phase comprises the following steps:
501. assume the decoded {VALUE} string under test will appear in a dynamic SQL template of some type in numeric-field mode; analyze it with the SQL lexical analyzer, obtaining a SQL token sequence;
502. match the SQL token sequence output by step 501 against the SQL injection attack detection grammar rules with the SQL parser; if the token sequence matches one of the SQL injection attack detection grammar rules above, a SQL injection attack event has been detected in this {VALUE} string, and execution jumps to step 505; otherwise execute step 503;
503. assume the decoded {VALUE} string under test will appear in a dynamic SQL template of some type in text-field mode; first add a single quote on each side of the {VALUE} string, then analyze it with the SQL lexical analyzer, obtaining a SQL token sequence;
504. match the SQL token sequence output by step 503 against the SQL injection attack detection grammar rules with the SQL parser; if the token sequence matches one of the SQL injection attack detection grammar rules above, a SQL injection attack event has been detected in this {VALUE} string, and execution jumps to step 505; otherwise the SQL injection attack detection process for this {VALUE} string ends;
505. generate a SQL injection alarm signal.
6. The SQL injection attack detection method of claim 5, characterized in that, in the SQL injection attack detection grammar rule matching process of the real-time SQL injection attack detection phase, when a decoded {VALUE} string is checked for SQL injection attacks by matching against the detection grammar rules, the first round of SQL injection attack detection may be performed in text-field mode and the second round in numeric-field mode.
7. SQL injection attack detection system is characterized in that comprising three modules:
The user data acquisition module is intercepted and captured the HTTP request that Web user submits to, extracts the user input data that may comprise the SQL injection attacks from the HTTP request, comprises URL parameter, FORM form data and COOKIE data;
SQL injection attacks detection module, the user input data that the user data acquisition module is extracted by the user data type carry out NAME, VALUE} preface idol is cut apart; Then, { VALUE} presses the decoding of HTTP decoding standard to each; At last, for { the VALUE} word string after each decoded reduction, under numeric field occupation mode and textview field occupation mode, adopt SQL lexical analyzer and SQL syntax analyzer to carry out morphological analysis and syntactic analysis respectively, if detect the syntax rule coupling with a certain top SQL injection attacks, then produce SQL and inject alarm signal;
SQL injects alarm module, reception is injected alarm signal from the SQL that SQL injection attacks detection module produces, extract the critical data of this SQL injection attacks incident, described critical data can comprise main frame, URL, the initial data of user's submission and the combination in any of decoded user data; The SQL that reports injects alert event and can be presented on the local warning screen, also can be sent on the remote alarms screen, checks for the network manager;
The user data acquisition module connects and Data transmission is given SQL injection attacks detection module, and SQL injection attacks detection module connects and Data transmission is injected alarm module to SQL.
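An added Python example (not the patent's own implementation; the token grammar and the injection grammar rules below are constructed for illustration) of the pipeline claims 5 to 7 describe: split decoded URL parameters into {NAME, VALUE} pairs, then run a small SQL lexer and grammar matcher over each value in text-field mode first and numeric-field mode second. All sample inputs are constructed; a value such as O'Brien shows why a stray quote on its own does not raise an alarm.

```python
import re
from urllib.parse import parse_qsl

STATEMENTS = {"SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "EXEC"}
KEYWORDS = STATEMENTS | {"OR", "AND", "UNION"}
# Constructed token grammar: 'string' (with '' escape), number, comment opener, operator, word.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+|--|/\*|#|<>|[=;()]|[A-Za-z_]\w*")

def lex(sql):
    """SQL lexical analysis: returns a list of (kind, text) tokens."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:  # whitespace and any unrecognised character are skipped
            pos += 1
            continue
        t = m.group()
        kind = ("str" if t[0] == "'" else "num" if t.isdigit() else "cmt" if t in ("--", "/*", "#")
                else "op" if t in ("=", "<>", ";", "(", ")") else "kw" if t.upper() in KEYWORDS else "ident")
        tokens.append((kind, t.upper() if kind in ("kw", "ident") else t))
        pos = m.end()
    return tokens

def match_rules(tokens):
    """SQL syntactic analysis: name of the first constructed injection grammar rule matched, else None."""
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1:i + 4]  # up to three following tokens
        if (tok == ("kw", "OR") and len(nxt) == 3 and nxt[1] == ("op", "=")
                and nxt[0][0] in ("num", "str", "ident") and nxt[0] == nxt[2]):
            return "tautology"           # OR x = x
        if tok == ("op", ";") and nxt and nxt[0][0] == "kw" and nxt[0][1] in STATEMENTS:
            return "stacked_query"       # ; DROP ... (a second statement appended)
        if tok == ("kw", "UNION") and nxt and nxt[0] == ("kw", "SELECT"):
            return "union_select"
        if tok[0] == "cmt" and i > 0:
            return "comment_truncation"  # remainder of the real query commented out
    return None

def detect_value(value):
    """Claim 6 order: text-field mode (value sits inside quotes) first, then numeric-field mode."""
    for mode, embedded in (("text", "'" + value + "'"), ("numeric", value)):
        if (rule := match_rules(lex(embedded))):
            return mode, rule
    return None

def scan_query_string(qs):
    """Split URL parameters into {NAME, VALUE} pairs (parse_qsl does the HTTP decoding); one alarm per hit."""
    hits = [(name, detect_value(value)) for name, value in parse_qsl(qs, keep_blank_values=True)]
    return [(name,) + hit for name, hit in hits if hit]
```

The same value can match in only one of the two modes, which is why claim 6 runs both rounds before declaring a value clean.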
CN2007101453988A 2007-03-13 2007-09-17 A SQL injection attack detection method and system Expired - Fee Related CN101267357B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007101453988A CN101267357B (en) 2007-03-13 2007-09-17 A SQL injection attack detection method and system

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN200710064356.1 2007-03-13
CN200710064356 2007-03-13
CN2007101453988A CN101267357B (en) 2007-03-13 2007-09-17 A SQL injection attack detection method and system

Publications (2)

Publication Number Publication Date
CN101267357A CN101267357A (en) 2008-09-17
CN101267357B true CN101267357B (en) 2010-11-17

Family

ID=39989504

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101453988A Expired - Fee Related CN101267357B (en) 2007-03-13 2007-09-17 A SQL injection attack detection method and system

Country Status (1)

Country Link
CN (1) CN101267357B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102833270A (en) * 2012-09-18 2012-12-19 山石网科通信技术(北京)有限公司 Method and device for detecting SQL (structured query language) injection attacks and firewall with device
CN103678118A (en) * 2013-10-18 2014-03-26 北京奇虎测腾科技有限公司 Method and device for compliance detection of Java source code
CN104123497A (en) * 2014-07-04 2014-10-29 北京神州绿盟信息安全科技股份有限公司 SQL injection prevention method, device and system

Families Citing this family (46)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101448007B (en) * 2008-12-31 2012-11-21 中国电力科学研究院 Attack prevention system based on structured query language (SQL)
CN101895517B (en) * 2009-05-19 2013-05-15 北京启明星辰信息技术股份有限公司 Method and device for extracting script semantics
CN101901222B (en) * 2009-05-27 2012-07-18 北京启明星辰信息技术股份有限公司 Method and system for analyzing and matching SQLs (Structured Query Languages)
CN102045319B (en) * 2009-10-21 2013-06-12 ***通信集团山东有限公司 Method and device for detecting SQL (Structured Query Language) injection attack
CN102073640B (en) * 2009-11-19 2013-12-18 阿里巴巴集团控股有限公司 Method, system and server for testing structured query language (SQL) statements
CN101977180B (en) * 2010-06-08 2013-06-19 南京大学 Security protocol authentication method based on flaw attack
CN101902470B (en) * 2010-07-14 2013-08-21 南京大学 Form feature-based Web security vulnerability dynamic testing method
CN102136051B (en) * 2011-05-06 2013-02-20 南开大学 Method for driving web application penetration testing by applying SGM-SQL (sage grant management-structured query language) injection model
CN102185930B (en) * 2011-06-09 2013-04-03 北京理工大学 Method for detecting SQL (structured query language) injection vulnerability
CN102682047A (en) * 2011-10-18 2012-09-19 国网电力科学研究院 Mixed structured query language (SQL) injection protection method
CN102413127A (en) * 2011-11-09 2012-04-11 中国电力科学研究院 Database generalization safety protection method
CN102841990B (en) * 2011-11-14 2015-07-22 哈尔滨安天科技股份有限公司 Method and system for detecting malicious codes based on uniform resource locator
CN103902606B (en) * 2012-12-28 2018-07-06 腾讯科技(深圳)有限公司 The data processing method and system of a kind of database
CN104348795B (en) * 2013-07-30 2019-09-20 深圳市腾讯计算机***有限公司 The method and device of CGI(Common gateway interface) business intrusion prevention
CN103559444B (en) * 2013-11-05 2017-08-04 星云融创(北京)科技有限公司 A kind of sql injects detection method and device
CN103607391B (en) * 2013-11-19 2017-02-01 北京航空航天大学 SQL injection attack detection method based on K-means
CN103744802B (en) * 2013-12-20 2017-05-24 北京奇安信科技有限公司 Method and device for identifying SQL injection attacks
CN104050151A (en) * 2014-06-05 2014-09-17 北京江南天安科技有限公司 Security incident feature analysis method and system based on predicate deduction
CN104036186B (en) * 2014-07-02 2017-02-15 郑州云海信息技术有限公司 Anti-attack engine implementation method
CN105553917B (en) * 2014-10-28 2020-05-12 腾讯科技(深圳)有限公司 Method and system for detecting webpage bugs
CN104715018B (en) * 2015-02-04 2018-04-20 同程网络科技股份有限公司 The anti-SQL injection method of intelligence based on semantic analysis
CN106209488B (en) * 2015-04-28 2021-01-29 北京瀚思安信科技有限公司 Method and device for detecting website attack
CN105046150B (en) * 2015-08-06 2017-10-17 福建天晴数码有限公司 Prevent the method and system of SQL injection
CN107291761A (en) * 2016-04-05 2017-10-24 北京优朋普乐科技有限公司 The matching process and device of a kind of regular expression
CN106548071A (en) * 2016-08-09 2017-03-29 北京安天电子设备有限公司 A kind of method and system of dynamic detection SQL decanting point
CN106407803B (en) * 2016-08-30 2019-06-14 北京奇虎科技有限公司 The detection method and device of SQL injection loophole
CN107784228A (en) * 2016-08-31 2018-03-09 百度在线网络技术(北京)有限公司 SQL injection attack detection and device
CN106845237A (en) * 2017-01-23 2017-06-13 北京安华金和科技有限公司 A kind of SQL injection methods of risk assessment based on SQL statement
CN107026851A (en) * 2017-03-22 2017-08-08 西安电子科技大学 A kind of real-time system guard method based on stream data processing
CN107590387A (en) * 2017-09-04 2018-01-16 杭州安恒信息技术有限公司 EL expression formula injection loopholes detection method, device and electronic equipment
CN107832618B (en) * 2017-09-20 2019-12-24 武汉虹旭信息技术有限责任公司 SQL injection detection system and method based on fine-grained authority control
CN107566392B (en) * 2017-09-22 2020-02-11 北京知道创宇信息技术股份有限公司 Detection method for error reporting type SQL injection, proxy server and storage medium
CN107483510B (en) * 2017-10-09 2020-11-24 杭州安恒信息技术股份有限公司 Method and device for improving attack detection accuracy of Web application layer
CN108549814A (en) * 2018-03-24 2018-09-18 西安电子科技大学 A kind of SQL injection detection method based on machine learning, database security system
CN109309666A (en) * 2018-08-22 2019-02-05 中国平安财产保险股份有限公司 Interface security control method and terminal device in a kind of network security
CN109660499B (en) * 2018-09-13 2021-07-27 创新先进技术有限公司 Attack interception method and device, computing equipment and storage medium
CN109194677A (en) * 2018-09-21 2019-01-11 郑州云海信息技术有限公司 A kind of SQL injection attack detection, device and equipment
CN109165130B (en) * 2018-09-30 2022-01-25 福建星瑞格软件有限公司 Test method and device for verifying decoding database package
CN110535973A (en) * 2019-09-18 2019-12-03 北京明朝万达科技股份有限公司 A kind of detection method and device that sql injection threatens
CN113141332B (en) * 2020-01-17 2023-03-21 深信服科技股份有限公司 Command injection identification method, system, equipment and computer storage medium
CN111488585B (en) * 2020-04-17 2023-06-27 北京墨云科技有限公司 Deep learning-based attack vector generation method for vulnerability detection
CN114666078B (en) * 2020-12-08 2022-12-20 北京中科网威信息技术有限公司 Method and system for detecting SQL injection attack, electronic equipment and storage medium
CN113407885B (en) * 2021-06-23 2024-04-12 中移(杭州)信息技术有限公司 XPath data tampering alarm method, device, equipment and readable storage medium
CN113992447B (en) * 2021-12-28 2022-03-15 北京未来智安科技有限公司 SQL injection alarm processing method and device
CN114884686B (en) * 2022-03-17 2024-03-08 新华三信息安全技术有限公司 PHP threat identification method and device
CN117271376A (en) * 2023-11-22 2023-12-22 天津华来科技股份有限公司 SQLMap-based interface SQL injection detection optimization method

Also Published As

Publication number Publication date
CN101267357A (en) 2008-09-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20101117

Termination date: 20160917