CN107203718B - Detection method and system for SQL command injection - Google Patents


Info

Publication number
CN107203718B
Authority
CN
China
Prior art keywords
sql
command
template
injection
segment
Legal status (Google notes this is an assumption, not a legal conclusion)
Active
Application number
CN201710454512.9A
Other languages
Chinese (zh)
Other versions
CN107203718A (en)
Inventor
陆明友
Current Assignee (Google notes the listed assignees may be inaccurate)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Injection Moulding Of Plastics Or The Like (AREA)

Abstract

The application discloses a detection method for SQL command injection, comprising: acquiring the request data submitted to a service end; collecting the database protocol traffic flowing from the service end to the database end and extracting the injected SQL command segment from that traffic; and judging whether the injected SQL command segment can be found in the request data, in which case SQL command injection exists. Under the condition that injected SQL commands cannot be kept out of external commands altogether, the method detects them more effectively and with higher accuracy than signature-based detection, without requiring frequent updates, and so protects the data in an enterprise's back-end database. The application also discloses a detection system for SQL command injection with the same benefits.

Description

Detection method and system for SQL command injection
Technical Field
The present application relates to the field of data detection technologies, and in particular, to a detection method and system for SQL command injection.
Background
In the current internet era, more and more enterprises move their services online. Most enterprise service applications interact with users through the WEB, and the data exchanged that way enters the service system and is finally stored in the enterprise's back-end database. For an enterprise whose main business is WEB application software, the importance of the data in that database is self-evident.
Interaction through the WEB is convenient, but it carries risk. A malicious attacker who wants to escape the attention of the back-end developers can insert a string of SQL (Structured Query Language) commands into a form submitted through the WEB, into an input field such as a domain name, or into a page request, and use a vulnerability of the WEB application to splice the malicious SQL into a normal access command so that the server is tricked into executing it. In this way the attacker attacks the database server or steals data, which is a serious threat to the security of the enterprise's back-end database.
In the prior art, SQL command injection is mainly prevented in a 'vaccination' manner: a signature library is built from the characteristics of known SQL injection attacks, and every external command is checked against that library for SQL commands with matching characteristics. This approach has two weaknesses. On one hand it depends heavily on updates to the signature library, and an attack cannot be stopped when the update is late. On the other hand, a slight change or mutation of the original SQL command gives it a signature different from the stored one, so mutated SQL commands are hard to block, while normal commands may be intercepted by mistake. In short, the existing method cannot effectively prevent SQL command injection.
Therefore, a problem to be solved by those skilled in the art is how to provide a detection mechanism for SQL command injection that is more effective and more accurate, and does not need frequent updates, under the condition that injected SQL commands cannot be kept out of external commands.
Disclosure of Invention
The application aims to provide a detection method and a detection system for SQL command injection which, under the condition that injected SQL commands cannot be kept out of external commands, detect the injected SQL command in the external command more effectively and more accurately, without frequent updates, and so protect the data in the enterprise's back-end database.
In order to solve the above technical problem, the present application provides a detection method for SQL command injection, including:
acquiring request data submitted to a service end;
collecting the database protocol traffic from the service end to a database end, and extracting the injected SQL command segment from the database protocol traffic;
and judging whether the injected SQL command segment can be detected in the request data; if so, SQL command injection exists.
Optionally, extracting the injected SQL command segment from the database protocol traffic includes:
extracting SQL commands from the database protocol traffic;
performing templating processing on the SQL commands to obtain SQL templates, and comparing the SQL templates with each other pairwise to obtain a comparison result;
and extracting the injected SQL command segment from the SQL template according to the comparison result.
Optionally, performing templating processing on the SQL commands to obtain SQL templates, and comparing the SQL templates pairwise to obtain a comparison result, includes:
performing the templating processing on a first SQL command to obtain an SQL baseline template;
performing the templating processing on an SQL command other than the first SQL command to obtain a new SQL template;
splitting the SQL baseline template and the new SQL template into minimum units to obtain a first set and a second set respectively;
performing a matching operation between the minimum units in the first set and the minimum units in the second set to obtain a matching ratio;
and comparing the matching ratio with a threshold to obtain the comparison result.
Optionally, comparing the matching ratio with a threshold to obtain the comparison result includes:
judging whether the matching ratio exceeds the threshold;
and if the matching ratio exceeds the threshold, adding a suspected-SQL-injection risk mark to the new SQL template.
Optionally, extracting the injected SQL command segment from the SQL template according to the comparison result includes:
extracting the injected SQL command segment from the new SQL template that carries the mark.
The present application further provides a detection system for SQL command injection, which includes:
a request data acquisition unit, used for acquiring request data submitted to the service end;
a collection and extraction unit, used for collecting the database protocol traffic from the service end to the database end and extracting the injected SQL command segment from the database protocol traffic;
and a detection unit, used for judging whether the injected SQL command segment can be detected in the request data; if it is detected, SQL command injection exists.
Optionally, the collection and extraction unit includes:
a first extraction subunit, used for extracting SQL commands from the database protocol traffic;
a templating subunit, used for performing templating processing on the SQL commands to obtain SQL templates and comparing the SQL templates pairwise to obtain a comparison result;
and a second extraction subunit, used for extracting the injected SQL command segment from the SQL template according to the comparison result.
Optionally, the templating subunit includes:
a first template processing module, used for performing templating processing on a first SQL command to obtain an SQL baseline template;
a second template processing module, used for performing the templating processing on an SQL command other than the first SQL command to obtain a new SQL template;
a splitting module, used for splitting the SQL baseline template and the new SQL template into minimum units to obtain a first set and a second set respectively;
a matching module, used for performing a matching operation between the minimum units in the first set and the minimum units in the second set to obtain a matching ratio;
and a comparison module, used for comparing the matching ratio with a threshold to obtain the comparison result.
Optionally, the comparison module includes:
a judging submodule, used for judging whether the matching ratio exceeds the threshold;
and a marking submodule, used for adding a suspected-SQL-injection risk mark to the new SQL template if the matching ratio exceeds the threshold.
Optionally, the second extraction subunit includes:
an extraction module, used for extracting the injected SQL command segment from the new SQL template that carries the mark.
According to the detection method for SQL command injection provided by the application, request data submitted to a service end is acquired; the database protocol traffic from the service end to a database end is collected and the injected SQL command segment is extracted from it; and whether that injected SQL command segment can be detected in the request data is judged, in which case SQL command injection exists.
Clearly, the technical scheme provided by the application performs double-ended matching detection across the request data and the database protocol traffic: if the injected SQL command segment extracted from the database protocol traffic is also found in the request data, SQL command injection is determined to exist. This breaks away from the traditional detection method based on a signature library and, under the condition that the external command contains injected SQL, detects the injected SQL command more effectively and with higher accuracy without frequent updates, so the data in the enterprise's back-end database is better protected. The application also provides a detection system for SQL command injection with the same benefits, which are not repeated here.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a flowchart of a detection method for SQL command injection according to an embodiment of the present application;
fig. 2 is a flowchart of another detection method for SQL command injection according to an embodiment of the present application;
fig. 3 is a flowchart of another detection method for SQL command injection according to the embodiment of the present application;
fig. 4 is a flowchart of another detection method for SQL command injection according to an embodiment of the present application;
fig. 5 is a flowchart of a further detection method for SQL command injection according to an embodiment of the present application;
fig. 6 is a schematic diagram of double-end matching detection in the detection method for SQL command injection according to the embodiment of the present application;
fig. 7 is a structural diagram of a detection system for SQL command injection according to an embodiment of the present application.
Detailed Description
The core of the application is to provide a detection method and a detection system for SQL command injection which, under the condition that the external command contains injected SQL, detect the injected SQL command more effectively and with higher accuracy than signature-based detection, without frequent updates, so that the data in the enterprise's back-end database is better protected.
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
With reference to fig. 1, fig. 1 is a flowchart of a detection method for SQL command injection according to an embodiment of the present application.
The method specifically comprises the following steps:
S101: acquiring request data submitted to a service end;
This step collects the request data submitted to the service end so that a later step can perform matching detection on the external-command side, that is, look in the request data submitted to the service end for the injected SQL command segment extracted from the database protocol traffic that is about to reach the database end.
The request data submitted to the service end consists of commands such as form submissions, input domain names or page requests entered through the WEB. Because a WEB application developer cannot check every input in person, a malicious external attacker tries to inject malicious SQL commands into the various kinds of request data submitted at the service front end through the WEB. The injected SQL usually takes the form of a query string, and its ultimate purpose is to bypass the server's protection and trick the server into executing the injected malicious SQL command.
S102: collecting the database protocol traffic from the service end to a database end, and extracting the injected SQL command segment from the database protocol traffic;
This step extracts the injected SQL command segment from the database protocol traffic that is about to reach the database end, that is, from the traffic flowing from the service end to the database end. The injected segment is extracted from this traffic because the traffic is about to take effect at the database end, and SQL commands are generally carried in it. If the traffic really carries an injected SQL command segment, then once it enters the database end the injected segment is executed along with the other, normal request commands, and the attack operation is carried out or the corresponding sensitive data is obtained according to the will of the external attacker. For a WEB application developer, the loss of sensitive data may leak users' information and is almost destructive: the program's reputation falls and users may even move to other applications, so the consequences are serious.
Extracting the injected SQL command segment from the database protocol traffic involves both extracting the SQL commands from the traffic and extracting the injected segment from those commands; the exact method differs with the application developer, the hardware device, the way the data is stored, and other factors.
Subsequent embodiments describe in detail how the injected SQL command segment is finally extracted from the database protocol traffic.
S103: judging whether the injected SQL command segment can be detected in the request data;
On the basis of S102, the injected SQL command segment extracted in S102 is matched against the form data, input domain names, query requests and other request data submitted to the service end that were acquired in S101, in order to determine whether a command segment identical to the injected SQL command segment can be found in the request data, so that subsequent judgment and processing can be performed.
S104: SQL command injection exists.
This step follows the detection in S103: if the injected SQL command segment finally extracted in S102 is actually detected in the request data submitted as external input, SQL command injection is determined to exist.
Further, once SQL command injection is determined to exist, the database protocol traffic carrying the injected SQL command segment can be prevented from taking effect at the database end in various ways, that is, the database protocol traffic about to reach the database end is intercepted, and the back-end development manager is warned through various preset channels, for example a pop-up prompt or an alarm sound on the back-end management interface, or an e-mail or text message to the manager.
Based on the above technical scheme, the detection method for SQL command injection provided by this embodiment performs double-ended matching detection across the request data and the database protocol traffic: if the injected SQL command segment extracted from the database protocol traffic is also detected in the request data, SQL command injection is determined to exist. This breaks away from the traditional signature-library detection method and, under the condition that the external command contains injected SQL, detects the injected SQL command more effectively and with higher accuracy without frequent updates, so the data in the enterprise's back-end database is better protected.
With reference to fig. 2, fig. 2 is a flowchart of another detection method for SQL command injection according to the embodiment of the present application.
This embodiment is a specific refinement of step S102 in the previous embodiment; the other steps are substantially the same as in the previous embodiment and are not described again here.
The method specifically comprises the following steps:
S201: collecting the database protocol traffic from the service end to the database end;
S202: extracting SQL commands from the database protocol traffic;
That is, the SQL commands are extracted from the database protocol traffic; an SQL command that has been tampered with consists of the main part of the SQL command plus the injected SQL command segment.
S203: performing templating processing on the SQL commands to obtain SQL templates, and comparing the SQL templates pairwise to obtain a comparison result;
The SQL commands extracted in S202 are templated. Usually several SQL commands can be extracted from the database protocol traffic, so templating each of them yields several SQL templates, and the templates are compared two at a time to determine whether they differ and whether the difference is large. Whether the extracted SQL commands are templated serially one by one or all in parallel should be chosen according to the practical situation, and is not limited here.
Templating turns an SQL command into a template by a fixed processing rule: the variable parameters in the SQL command are removed and the fixed, unchanging part of the command is retained. For example, the SQL command
select * from username where name='u1' and password='123456'
is templated by removing the variables and keeping the fixed part: u1 is the variable value of name and 123456 the variable value of password, so both are replaced by the placeholder $, giving the template
select * from username where name='$' and password='$'
All SQL commands extracted from the database protocol traffic are templated in this way to obtain several SQL templates. The purpose of comparing the templates pairwise is to determine whether two templates differ and by how much. There are many ways to compare; the choice can take into account the scale of the application developer, the hardware in use, configuration habits and other factors, and is not limited here. It is described in detail in later embodiments.
S204: extracting the injected SQL command segment from the SQL template according to the comparison result.
When the comparison result of S203 shows that two SQL templates are very similar, the parts in which they differ are obtained at the same time: one template is substantially the same as the other and differs only in a few parts, and those differing parts are the injected SQL command segment to be extracted.
With reference to fig. 3, fig. 3 is a flowchart of another detection method for SQL command injection according to the embodiment of the present application.
This embodiment is a specific refinement of S203 in the second embodiment, on the assumption that several SQL commands can be extracted from the database protocol traffic; the other steps are substantially the same as in the previous embodiment and are not described again here.
The method specifically comprises the following steps:
S301: performing templating processing on a first SQL command to obtain an SQL baseline template;
First, one SQL command is templated (variables removed, fixed part retained) to obtain the SQL baseline template. There are many ways to select one of the several SQL commands, and various principles can be followed. For example, since SQL commands follow a fixed writing format that does not vary much, the command made up of the fewest minimum units can be chosen, because the command with the fewest units is the most likely to share its parts with the other SQL commands, so the common part is easy to find and it serves well as a baseline template. The selection can also be random, because the final goal is to compare the templates of SQL commands two at a time, and whatever the principle, only two SQL commands are compared at a time; the selection is not specifically limited.
S302: performing templating processing on the SQL commands other than the first SQL command to obtain new SQL templates;
As in S203, either serial or parallel processing can be chosen, each with its own advantage: serial processing occupies as little processing capacity and resources as possible, while parallel processing finishes templating as fast as possible and saves time. The mode can be selected and switched flexibly according to the actual situation.
S303: splitting the SQL baseline template and the new SQL template into minimum units to obtain a first set and a second set respectively;
This process is illustrated here with an actual split:
SQL baseline template: select * from username where name='$' and password='$'; new SQL template: select * from username where name='$' and password='$' or $. Splitting the two templates in their original order into the minimum units that make up the command gives the first set and the second set, which contain the following minimum units.
First set: { select * from, username, where, name='$', and, password='$' }; second set: { select * from, username, where, name='$', and, password='$', or $ }.
Of course there are many splitting methods; this embodiment describes only one that may be used in general. Any split from which the difference between the two templates can be obtained by comparison in the subsequent step will do, and the method is not specifically limited.
S304: performing a matching operation between the minimum units in the first set and the minimum units in the second set to obtain a matching ratio;
In this step the minimum units of the first set are taken one at a time, in order, and each is looked up in the second set to determine whether the same minimum unit can be matched there. That is, the first minimum unit of the first set, select * from, is taken and compared against the second set, where it is obviously found as the first minimum unit; then the next minimum unit, username, is looked up in the second set, and so on.
In the example given in this embodiment, 6 minimum units are the same and the second set has 7, so the matching ratio is 6/7, that is 85.7%.
S305: comparing the matching ratio with a threshold to obtain the comparison result.
The threshold in this step is a rough similarity range set by the application developer based on its own understanding and knowledge of SQL commands; it decides whether the new SQL template is treated as a trimmed or mutated form of the SQL baseline template or as a completely different command that becomes another SQL baseline template. The similarity range set by the threshold is not fixed: the vendors of different applications may adjust it according to the importance and scale of the application and other factors, and the specific range of the threshold is not limited here. For example, a suitable threshold may lie between 55% and 70%; if the matching ratio exceeds the threshold, the new SQL template is deemed similar to the SQL baseline template and the subsequent operations are performed on that basis.
With reference to fig. 4, fig. 4 is a flowchart of another detection method for SQL command injection according to the embodiment of the present application.
This embodiment is a specific refinement of the threshold comparison step (the last step) of the third embodiment; the other steps are substantially the same as in the previous embodiment and are not described again here.
The method specifically comprises the following steps:
s401: performing matching operation on the minimum unit in the first set and the minimum unit in the second set to obtain a matching ratio;
s402: judging whether the matching proportion exceeds a threshold value;
Assume the threshold is 60%. When the matching ratio exceeds 60%, the new SQL template is considered substantially the same as the SQL baseline template, and the remaining, unmatched part is extracted by the subsequent processing as the injected SQL command segment. When the matching ratio is below the 60% threshold, the two SQL templates are considered substantially different, and the substantially different new SQL template is used as a new SQL baseline template for subsequent matching.
S403: adding a suspected SQL injection risk mark to the new SQL template;
This step follows the judgment of S402: when the judgment shows that the matching ratio exceeds the threshold, the new SQL template can be determined to be a trimmed or mutated form of the SQL baseline template rather than a new baseline template, so a suspected-SQL-injection risk mark is added to the new SQL template for identification in the subsequent detection steps.
With reference to fig. 5, fig. 5 is a flowchart of a detection method for SQL command injection according to an embodiment of the present application.
In this embodiment, in a specific practical scenario, two SQL commands are extracted from the database protocol traffic, and an input-domain-name command is submitted to the service end through the WEB. The two SQL commands are:
select * from username where name='LHD' and password='11223344';
select * from username where name='LHD' and password='11223344' or 10=10;
s501: collecting an input domain name command submitted to a service end;
s502: collecting database protocol flow from a service end to a database end;
s503: extracting two SQL commands from the database protocol flow;
S504: templating the two SQL commands in turn to obtain an SQL baseline template and a new SQL template;
SQL baseline template obtained: select * from username where name='$' and password='$'; new SQL template: select * from username where name='$' and password='$' or $.
S505: splitting the two obtained templates according to the minimum unit to obtain a first set and a second set;
The first set obtained is: { select*from, username, where, name=$', and, password=$' }; the second set is: { select*from, username, where, name=$', and, password=$', or $ }.
S506: performing a matching operation on the minimum units in the first set and the minimum units in the second set;
S507: the matching proportion of the first set and the second set is 85.7%, and the unmatched injected SQL command segment is extracted;
Since 6 minimum units are the same and the second set contains 7 minimum units, the matching proportion is 6/7 = 85.7%, and the unmatched injected SQL command segment extracted accordingly is: or 10=10.
S508: performing matching detection of the injected SQL command segment in the input domain name command;
The extracted injected SQL command segment, or 10=10, is matched against the request data submitted via the web and collected at the service end, to see whether the injected SQL command segment appears in the request data. The matching is independent of where in the SQL command the segment was injected; fig. 6 is a schematic diagram of the specific matching method.
This step uses the double-end comparison detection of the application, which avoids the missed detections that the feature-library comparison of the traditional method is prone to: the minimum units are compared one to one directly, so wherever the SQL command segment has been inserted into the request data, it can be found and detected as long as it is present. This avoids the defect of the prior art, in which an SQL command inserted at a different position has a different feature and therefore cannot be matched by the feature library.
S509: detecting the same SQL command segment;
If the same SQL command segment is detected in the request data, it is determined that an SQL injection risk exists.
S510: reminding the application background developer through a warning pop-up window.
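As an added example (not the patent's own code, nor any Sangfor implementation), the following Python models steps S501 to S510 end to end, together with the threshold rule of S402: the first command becomes the baseline, a later command whose template matches a baseline above the threshold has its unmatched units extracted as the injected segment and looked up in the web request, and a command below the threshold becomes a new baseline. The tokenizer (whitespace-separated units), the rule that replaces quoted and numeric literals with `$`, URL-decoding of the request before matching, the 60% threshold and the sample request and SQL commands are all assumptions. Because this tokenizer counts `or` and `10=10` as two units, the matching proportion for the second command is 6/8 = 75% rather than the 85.7% in the text; it still exceeds the threshold and the extracted segment is the same.

```python
"""Double-end SQL command injection detection, modelled on steps S501-S510.

Added example, not the patent's own code. The whitespace tokenizer, the
literal-to-'$' templating rule, the 60% threshold and all sample data below
are assumptions / constructed inputs, not captured traffic.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

THRESHOLD = 0.60  # assumed: the 60% matching-proportion threshold of the embodiment

# Constructed sample inputs.
REQUEST_DATA = "name=LHD&password=11223344%27+or+10%3D10"   # web request (S501), URL-encoded
SQL_COMMANDS = [                                            # DB protocol traffic (S502/S503)
    "select*from username where name='LHD' and password='11223344';",
    "select*from username where name='LHD' and password='11223344' or 10=10",
    "select*from orders where id=7 and status='paid'",          # unrelated query -> new baseline
    "select*from username where name='bob' and password='x'",   # benign login -> same template
]

# A quoted string ('' is an escaped quote inside it) or a bare number.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")


def split_units(sql: str) -> list[str]:
    """Minimum units of a command (assumed: whitespace-separated tokens, case-folded)."""
    return sql.strip().rstrip(";").lower().split()


def templatize(sql: str) -> list[str]:
    """S504: replace every literal in every unit with the placeholder '$'."""
    return [_LITERAL.sub("$", unit) for unit in split_units(sql)]


def match_ratio(baseline: list[str], new: list[str]) -> float:
    """S506/S507: share of the new template's units that also occur in the baseline (multiset)."""
    if not new:
        return 0.0
    common = sum((Counter(baseline) & Counter(new)).values())
    return common / len(new)


def extract_segment(baseline: list[str], new_sql: str) -> str:
    """S507: raw units of the new command whose template form the baseline lacks."""
    spare = Counter(baseline)
    extra = []
    for raw, tpl in zip(split_units(new_sql), templatize(new_sql)):
        if spare[tpl] > 0:
            spare[tpl] -= 1          # matched against one baseline unit
        else:
            extra.append(raw)        # unmatched: part of the injected segment
    return " ".join(extra)


def segment_in_request(segment: str, request_data: str) -> bool:
    """S508/S509: does the injected segment appear anywhere in the web request data?

    Assumption: the request is URL-decoded and whitespace-normalised first, so
    '%27+or+10%3D10' and "' or 10=10" compare equal. Position is irrelevant.
    """
    def norm(s: str) -> str:
        return " ".join(s.lower().split())
    return bool(segment) and norm(segment) in norm(unquote_plus(request_data))


def detect(sql_commands: list[str], request_data: str, threshold: float = THRESHOLD):
    """Run templating, matching and the double-end check over commands in arrival order.

    Returns (findings, baselines). Each finding carries a 'status' of
    'baseline', 'same-as-baseline', 'suspected' (marked per S403 but the segment
    was not found in the request) or 'injected' (segment also in the request, S509).
    """
    baselines: list[list[str]] = []
    findings = []
    for sql in sql_commands:
        tpl = templatize(sql)
        if not baselines:                      # first command becomes the baseline (S504)
            baselines.append(tpl)
            findings.append({"sql": sql, "status": "baseline", "ratio": None})
            continue
        best = max(baselines, key=lambda b: match_ratio(b, tpl))
        ratio = match_ratio(best, tpl)
        if ratio <= threshold:                 # substantially different: new baseline (S402)
            baselines.append(tpl)
            findings.append({"sql": sql, "status": "baseline", "ratio": ratio})
            continue
        segment = extract_segment(best, sql)   # over threshold: trimmed/mutated baseline
        if not segment:
            status = "same-as-baseline"
        elif segment_in_request(segment, request_data):
            status = "injected"
        else:
            status = "suspected"
        findings.append({"sql": sql, "status": status, "ratio": ratio, "segment": segment})
    return findings, baselines


if __name__ == "__main__":
    for f in detect(SQL_COMMANDS, REQUEST_DATA)[0]:
        print(f"{f['status']:>16}  ratio={f['ratio']}  segment={f.get('segment', '')!r}  sql={f['sql']}")
```

Running the module prints one line per command: the first is the baseline, the second is reported as injected with segment `or 10=10`, the third becomes a second baseline, and the fourth matches the first baseline with nothing left over. One caveat worth keeping in mind: the double-end check only fires when the segment that reached the database also appears, after decoding, in the request the detector collected, so input the application transforms or stores before concatenating it into SQL would surface only as "suspected", which is why that status is reported separately here.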
Based on the above technical scheme, the detection method for SQL command injection provided by the embodiment of the application performs double-end matching detection between the request data and the database protocol traffic: if the same injected SQL command segment extracted from the database protocol traffic is detected in the request data, SQL command injection is determined to exist. This breaks from the traditional detection method based on feature-library identification, and detects SQL commands injected into external commands more effectively, with higher accuracy and without the need for frequent updates, thereby better guaranteeing the safety of data in the enterprise background database.
The above-mentioned modes are only specific examples provided from practical point of view, and other modes can be adopted to achieve the same effect, and are not limited in detail herein.
Referring to fig. 7, fig. 7 is a block diagram illustrating a structure of a detection system for SQL command injection according to an embodiment of the present disclosure.
The system may include:
a request data acquisition unit 100, configured to acquire request data submitted to a service end;
the acquisition and extraction unit 200, configured to acquire database protocol traffic from the service end to the database end and extract the injected SQL command segment from the database protocol traffic;
the detecting unit 300, configured to judge whether the injected SQL command segment can be detected in the request data; if it is detected, SQL command injection exists.
Wherein, this collection extraction unit 200 includes:
the first extraction subunit is used for extracting the SQL command from the database protocol flow;
the templating subunit is used for performing templating processing on the SQL command to obtain SQL templates, and comparing every two SQL templates to obtain a comparison result;
and the second extraction subunit is used for extracting the SQL command segment from the SQL template according to the comparison result.
Wherein, this templating subunit includes:
the first template processing module is used for performing templating processing on the first SQL command to obtain an SQL baseline template;
the second template processing module is used for performing templating processing on the SQL commands other than the first SQL command to obtain a new SQL template;
the splitting module is used for splitting the SQL baseline template and the new SQL template by the minimum unit to respectively obtain a first set and a second set;
the matching module is used for executing matching operation on the minimum unit in the first set and the minimum unit in the second set to obtain a matching proportion;
and the comparison module is used for comparing the matching proportion with a threshold value to obtain a comparison result.
Wherein, the comparison module includes:
the judgment submodule is used for judging whether the matching proportion exceeds a threshold value;
and the marking sub-module is used for adding a mark of suspected SQL injection risk to the new SQL template if the matching proportion exceeds a threshold value.
Wherein the second extraction subunit comprises:
and the extraction module is used for extracting the SQL injection command segment from the new SQL template with the additional mark.
The embodiments are described in a progressive mode in the specification, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The detection method and system for SQL command injection provided by the present application are introduced in detail above. The principles and embodiments of the present application are explained herein using specific examples, which are provided only to help understand the method and the core idea of the present application. It should be noted that, for those skilled in the art, it is possible to make several improvements and modifications to the present application without departing from the principle of the present application, and such improvements and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (4)

1. A detection method for SQL command injection is characterized by comprising the following steps:
acquiring request data submitted to a service end;
collecting database protocol traffic from the service end to a database end, and extracting an injected SQL command segment from the database protocol traffic;
judging whether the injected SQL command segment can be detected in the request data, and if the injected SQL command segment is detected, SQL command injection exists;
wherein extracting the injected SQL command segment from the database protocol traffic comprises:
extracting SQL commands from the database protocol traffic;
performing templating processing on the SQL commands to obtain SQL templates, and comparing every two SQL templates to obtain a comparison result;
extracting the differing parts of the SQL templates according to the comparison result as the injected SQL command segment;
wherein performing templating processing on the SQL commands to obtain SQL templates and comparing every two SQL templates to obtain a comparison result comprises:
performing the templating processing on the first SQL command to obtain an SQL baseline template;
performing the templating processing on the SQL commands other than the first SQL command to obtain a new SQL template;
splitting the SQL baseline template and the new SQL template by a minimum unit to respectively obtain a first set and a second set;
performing matching operation on the minimum unit in the first set and the minimum unit in the second set to obtain a matching ratio;
judging whether the matching proportion exceeds a threshold value;
and if the matching proportion exceeds the threshold, adding a suspected SQL injection risk mark to the new SQL template.
2. The method according to claim 1, wherein extracting the injected SQL command segment from the SQL template according to the comparison result comprises:
extracting the injected SQL command segment from the new SQL template to which the mark is attached.
3. A detection system for SQL command injection, comprising:
the request data acquisition unit is used for acquiring request data submitted to the service end;
the acquisition and extraction unit is used for acquiring the database protocol traffic from the service end to the database end and extracting the injected SQL command segment from the database protocol traffic;
the detection unit is used for judging whether the injected SQL command segment can be detected in the request data, and if the injected SQL command segment is detected, SQL command injection exists;
the collection and extraction unit includes:
the first extraction subunit is used for extracting the SQL command from the database protocol flow;
the templating subunit is used for performing templating processing on the SQL command to obtain SQL templates, and comparing every two SQL templates to obtain a comparison result;
the second extraction subunit is used for extracting the differing parts of the SQL templates according to the comparison result as the injected SQL command segment;
wherein the templating subunit includes:
the first template processing module is used for carrying out templating processing on the first SQL command to obtain an SQL baseline template;
the second template processing module is used for performing the templating processing on the SQL commands other than the first SQL command to obtain a new SQL template;
the splitting module is used for splitting the SQL baseline template and the new SQL template by a minimum unit to respectively obtain a first set and a second set;
the matching module is used for executing matching operation on the minimum unit in the first set and the minimum unit in the second set to obtain a matching proportion;
the comparison module is used for judging whether the matching proportion exceeds a threshold value; and if the matching proportion exceeds the threshold, adding a suspected SQL injection risk mark to the new SQL template.
4. The detection system according to claim 3, wherein the second extraction subunit comprises:
an extraction module for extracting the injected SQL command segment from the new SQL template to which the mark is attached.
Application CN201710454512.9A, Detection method and system for SQL command injection, Sangfor Technologies Co Ltd. Priority date 2017-06-15, filing date 2017-06-15. Status: Active. Family ID: 59907080 (one family application, CN107203718B, country CN).

Publications (2)

Publication Number Publication Date
CN107203718A (en) 2017-09-26
CN107203718B (en) 2021-05-04

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109067717B (en) * 2018-07-20 2021-06-11 西安四叶草信息技术有限公司 Method and device for detecting SQL injection vulnerability

Citations (6)

Publication number Priority date Publication date Assignee Title
CN101370008A (en) * 2007-08-13 2009-02-18 杭州安恒信息技术有限公司 System for real-time intrusion detection of SQL injection WEB attacks
CN101610271A (en) * 2009-07-21 2009-12-23 国网电力科学研究院 A kind of database safeguarding method based on the data flow reduction technique
CN101901219A (en) * 2009-05-27 2010-12-01 北京启明星辰信息技术股份有限公司 Detection method for injection attack of database and system
CN104484474A (en) * 2014-12-31 2015-04-01 南京盾垒网络科技有限公司 Database security auditing method
CN105046150A (en) * 2015-08-06 2015-11-11 福建天晴数码有限公司 Method and system for preventing structured query language (SQL) implantation
CN106650454A (en) * 2017-01-03 2017-05-10 郑州云海信息技术有限公司 SQL injection attack detection method and apparatus

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US20130007882A1 (en) * 2011-06-28 2013-01-03 The Go Daddy Group, Inc. Methods of detecting and removing bidirectional network traffic malware




Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant