CN106250768A - A kind of behavioral value method of database object script security breaches - Google Patents

Publication number
CN106250768A
Authority
CN
China
Prior art keywords
test
database
data
storehouse
security breaches
Prior art date
Legal status
Granted
Application number
CN201610585405.5A
Other languages
Chinese (zh)
Other versions
CN106250768B (en)
Inventor
刘海卫
范渊
Current Assignee
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date
Filing date
Publication date
Application filed by DBAPPSecurity Co Ltd
Priority to CN201610585405.5A
Publication of CN106250768A
Application granted
Publication of CN106250768B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The present invention relates to information security technology and provides a behavior detection method for security vulnerabilities in database object scripts. The method comprises the following steps: copy the objects, table structures and part of the table data of the database under test to a test database; obtain all user-written objects in the test database; take the strings of a penetration parameter library as input parameters and attempt to execute every object in the test database that has parameters; after each attempted call, check whether test data has been inserted into the test table, and if so the object has a security vulnerability; list the names of the vulnerable objects, their parameter names and the corresponding penetration strings, and output them as a scan report. Without affecting the database under test, the invention can use penetration testing and behavior analysis to find high-risk vulnerabilities such as SQL injection in database objects.

Description

A kind of behavioral value method of database object script security breaches
Technical field
The present invention relates to the field of information security technology, and in particular to a behavior detection method for security vulnerabilities in database object scripts.
Background technology
With the development of information technology, databases have become a core asset of many enterprises, particularly in industries such as finance and the Internet; a database failure immediately paralyses the whole business, so database security receives ever more attention. Database systems are increasingly advanced and powerful, and developers can create various objects on the database for applications to call, such as stored procedures, views and triggers. This simplifies application development, but also brings security problems. These objects run on the database server and operate on the database directly, so if an object developer makes a mistake, whether unintentionally or deliberately, a back door may be left on the database or data may be lost, either of which has a severe impact on the database. Security auditing of these object scripts is therefore very important, but auditors often lack experience or are careless, so not all security risks in these object scripts are found; frequently there is no auditor at all and the scripts are written directly into the database. A method is therefore needed to find the security risks in scripts more comprehensively and to reduce the difficulty of script security auditing.
Common database security scanning software mainly detects configuration risks of the database system and vulnerabilities in the database software itself; what it analyses is information about the database system, and it has no function for analysing database object scripts.
Summary of the invention
The main purpose of the present invention is to overcome the deficiencies of the prior art by providing a method that can find security vulnerabilities in database object scripts. To solve the above technical problem, the solution of the present invention is as follows:
A behavior detection method for security vulnerabilities in database object scripts is provided, for detecting security vulnerabilities in the object scripts of a database under test. The method comprises the following steps:
(1) Copy the objects, table structures and part of the table data of the database under test to a test database (part of the table data means, for example, the first 100 rows of each table; copying all of the data would be too much, while an empty table might prevent some objects from executing normally);
The test database is an empty database of the same type and version number as the database under test, and a test table is created in the test database;
(2) Obtain all user-written objects in the test database; specifically comprising the following sub-steps:
Step D: in the test database, obtain the list of objects from the database system views with a SELECT statement;
Step E: from the objects obtained in step D, filter out those without call parameters;
(3) Take the strings in the penetration parameter library as input parameters and attempt to execute every object in the test database that has parameters; specifically comprising the following sub-steps:
Step F: take an object returned by step E;
Step G: take a string from the penetration parameter library as the call parameter and attempt to execute the object obtained;
The penetration parameter library is a set of penetration strings (built from experience of common vulnerability penetration) used to penetration-test parameters;
(4) After the attempted call, check whether test data has been inserted into the test table; if so, the object has a security vulnerability; specifically comprising the following sub-steps:
Step H: after the object executes, check whether test data has been inserted into the test table:
If the test table contains data, the object has a security vulnerability; record the object name, parameter name and penetration string, and delete the test data;
If the test table contains no data, repeat steps G and H until penetration testing with every string in the penetration parameter library is complete;
Step I: repeat steps F, G and H until the execution-result behavior check has been completed for all objects returned by step E;
(5) List the names, parameter names and corresponding penetration strings of the vulnerable objects, i.e. the object names, parameter names and penetration strings recorded in step H, and output them as a scan report.
In the present invention, step (1) specifically comprises the following sub-steps:
Step A: prepare an empty database of the same type and version number as the database under test (for example Oracle 10.2.0.1.0) as the test database, and create a test table;
Step B: connect to the database under test and the test database with an administrator account;
Step C: obtain the object scripts and table structures of the database under test with SELECT statements, then re-create the objects and tables in the test database with CREATE statements (obtain part of the data of each table in the database under test with a SELECT statement, for example 100 rows, and insert it into the test database with INSERT statements).
Compared with the prior art, the beneficial effects of the invention are as follows:
The invention generates a test database from the database to be detected and then penetration-tests the database scripts on the test database, so it can find high-risk vulnerabilities such as SQL injection in objects by penetration testing and behavior analysis without affecting the database under test.
Because the penetration is performed on the test database, damage to the database being scanned is avoided; the user can also quickly locate the script objects that have security vulnerabilities, and the false-positive rate of vulnerability reports is effectively reduced.
Brief description of the drawings
Fig. 1 is the workflow diagram of the present invention.
Detailed description of the invention
It should first be noted that the present invention relates to database technology and is an application of computer technology in the field of information security technology. Implementing the invention may involve a number of software function modules. The applicant believes that, after reading the application documents and accurately understanding the principle and purpose of the invention, a person skilled in the art can use their software programming skills to implement the invention in combination with existing known technology, for everything mentioned in the application documents; the applicant will not enumerate these cases.
The present invention is described in further detail below with reference to the drawings and a specific embodiment:
As shown in Fig. 1, assume that behavior detection of object script security vulnerabilities is to be performed on an Oracle 10g database; the specific steps are as follows:
Step A: first determine the type and version number of the database to be detected, for example Oracle 10.2.0.1.0, then install a database of the identical version on another computer, which we call the test database, and create a table named TestTable with a string-type field strTest;
Step B: connect to the database to be detected and the test database with an administrator account;
Step C: obtain the object scripts and table structures of the database under test with SELECT statements, then re-create the objects and tables in the test database with CREATE statements. Obtain part of the data of each table in the database under test with a SELECT statement, for example 100 rows, and insert it into the test database with INSERT statements, so that the test database matches the database under test as closely as possible;
Step D: in the test database, obtain the object names and input parameter lists from the database system view ALL_SOURCE with a SELECT statement, for example:
object name test, with one input parameter of type VARCHAR2;
Step E: filter out the objects without input parameters;
Step F: take an object returned by step E, for example test(VARCHAR2);
Step G: take a string from the penetration parameter library as the call parameter and attempt to execute the object obtained, for example:
First create a function F1 that inserts test data (an autonomous transaction, so the insert is committed independently of the statement that invoked it):
CREATE OR REPLACE FUNCTION F1 RETURN NUMBER AUTHID CURRENT_USER AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'insert into TestTable values(''test'')';
  COMMIT;
  RETURN 0;
END;
Then call the object under penetration test:
begin test('.''||F1()||'''')--','a'); end;
Step H: after the object executes, check whether test data has been inserted into the test table with the statement select * from TestTable; if the table contains test data, the object has a security vulnerability: record the object name test, the parameter name param1 and the penetration string '.''||F1()||'''')--','a', then delete the test data with delete from TestTable;
Step I: if the test table contains no data, repeat steps G and H until penetration testing with every string in the penetration parameter library is complete;
Step J: repeat steps F, G, H and I until the execution-result behavior check has been completed for all objects returned by step E;
Step K: list the object names, parameter names and penetration strings of the vulnerable objects recorded in step H and produce a scan report for the user; see Table 1 below.
Table 1 scan report
Object name | Parameter name | Penetration string
test | param1 | '.''||F1()||'''')--','a'
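The procedure of steps A to K, carried through end to end as an added example in Python over SQLite. This is not the patent's code: SQLite has no stored procedures, so Python functions that run SQL stand in for the database objects, and a second connection stands in for F1's autonomous transaction; the sample table, the three objects and the permeation strings are constructed for the example. The scanner copies schema and a slice of rows into a throw-away test database, drops parameterless objects, calls each remaining object with every string in the library, and treats a row in TestTable as the evidence of injection, exactly as step H does. A hardened (bound-parameter) object is included so the report also shows the negative case.

```python
"""Behavior-based scan of database objects for SQL injection, modelled on the
copy-to-test-database method described above (constructed example; not the
patent's own code)."""
import sqlite3
from typing import Callable, List, Tuple

# Penetration parameter library (constructed): a benign control string, a
# minimal concatenation payload, and the page's payload shape, which assumes
# the object wraps the value in parentheses.
PERMEATION_LIBRARY = ["a", "'||F1()||'", ".'||F1()||'')--"]


def build_database_under_test() -> sqlite3.Connection:
    """Constructed stand-in for the production database (input to steps A-C)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO customers (name) VALUES (?)",
                   [("alice",), ("bob",), ("carol",)])
    db.commit()
    return db


def build_test_database(src: sqlite3.Connection, row_limit: int = 100) -> sqlite3.Connection:
    """Steps A and C: same schema plus a slice of rows so the objects can run,
    while the database under test is never touched by the scan."""
    test_db = sqlite3.connect(":memory:")
    for (ddl,) in src.execute("SELECT sql FROM sqlite_master WHERE type = 'table'"):
        test_db.execute(ddl)
    rows = src.execute("SELECT name FROM customers LIMIT ?", (row_limit,)).fetchall()
    test_db.executemany("INSERT INTO customers (name) VALUES (?)", rows)
    test_db.commit()
    return test_db


class Canary:
    """Stand-in for the page's F1: a function whose only job is to insert a
    marker into TestTable. PL/SQL uses PRAGMA AUTONOMOUS_TRANSACTION for the
    independent commit; a separate connection gives the same effect here
    (assumption of this example)."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE TestTable (strTest TEXT)")
        self.db.commit()

    def f1(self) -> int:
        self.db.execute("INSERT INTO TestTable (strTest) VALUES ('test')")
        self.db.commit()
        return 0

    def fired(self) -> bool:  # step H: any row in TestTable is a finding
        return self.db.execute("SELECT COUNT(*) FROM TestTable").fetchone()[0] > 0

    def reset(self) -> None:  # "delete the test data" before the next attempt
        self.db.execute("DELETE FROM TestTable")
        self.db.commit()


# Objects under test (constructed). Each entry is (name, parameter names, body).
def find_customer_unsafe(db: sqlite3.Connection, name: str) -> None:
    # Deliberately vulnerable: the parameter is spliced into the SQL text.
    db.execute("SELECT id FROM customers WHERE name = '" + name + "'").fetchall()

def lookup_in_list_unsafe(db: sqlite3.Connection, name: str) -> None:
    # Deliberately vulnerable and parenthesised, the shape the ')--' payload targets.
    db.execute("SELECT id FROM customers WHERE name IN ('" + name + "')").fetchall()

def find_customer_safe(db: sqlite3.Connection, name: str) -> None:
    # Hardened form: a bound parameter can never become part of the SQL text.
    db.execute("SELECT id FROM customers WHERE name = ?", (name,)).fetchall()

def count_customers(db: sqlite3.Connection) -> None:
    db.execute("SELECT COUNT(*) FROM customers").fetchall()

OBJECTS: List[Tuple[str, List[str], Callable[..., None]]] = [
    ("find_customer_unsafe", ["param1"], find_customer_unsafe),
    ("lookup_in_list_unsafe", ["param1"], lookup_in_list_unsafe),
    ("find_customer_safe", ["param1"], find_customer_safe),
    ("count_customers", [], count_customers),  # no parameters: dropped in step E
]


def scan(objects=OBJECTS, library=PERMEATION_LIBRARY) -> List[Tuple[str, str, str]]:
    """Steps D-K: returns (object name, parameter name, penetration string) for
    every call that made F1 run, i.e. the rows of the page's Table 1."""
    test_db = build_test_database(build_database_under_test())
    canary = Canary()
    test_db.create_function("F1", 0, canary.f1)  # F1() becomes callable from SQL
    report: List[Tuple[str, str, str]] = []
    for name, params, body in objects:
        if not params:                               # step E
            continue
        for s in library:                            # steps G-I
            canary.reset()
            try:
                body(test_db, *([s] * len(params)))
            except sqlite3.Error:
                pass  # a statement that fails to parse is not a finding
            if canary.fired():                       # step H
                report.append((name, ",".join(params), s))
    return report


if __name__ == "__main__":
    print("Object name | Parameter name | Penetration string")
    for row in scan():
        print(" | ".join(row))
```

Note that the page-shaped payload only fires against the object that parenthesises its input: against the plain concatenation it produces a syntax error, which the scanner correctly does not count. That is why the method depends on a library of several string shapes rather than one payload, and why a finding is defined by the canary row rather than by whether the call raised an error.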
Finally, it should be noted that the above is only a specific embodiment of the present invention. Clearly, the invention is not limited to the above embodiment and may have many variations. All variations that a person of ordinary skill in the art can derive or infer directly from the disclosure are considered to fall within the scope of protection of the present invention.

Claims (2)

1. A behavior detection method for security vulnerabilities in database object scripts, for detecting security vulnerabilities in the object scripts of a database under test, characterised in that the behavior detection method for security vulnerabilities in database object scripts comprises the following steps:
(1) copy the objects, table structures and part of the table data of the database under test to a test database;
the test database being an empty database of the same type and version number as the database under test, and a test table being created in the test database;
(2) obtain all user-written objects in the test database; specifically comprising the following sub-steps:
Step D: in the test database, obtain the list of objects from the database system views with a SELECT statement;
Step E: from the objects obtained in step D, filter out those without call parameters;
(3) take the strings in the penetration parameter library as input parameters and attempt to execute every object in the test database that has parameters; specifically comprising the following sub-steps:
Step F: take an object returned by step E;
Step G: take a string from the penetration parameter library as the call parameter and attempt to execute the object obtained;
the penetration parameter library being a set of penetration strings used to penetration-test parameters;
(4) after the attempted call, check whether test data has been inserted into the test table, and if so the object has a security vulnerability; specifically comprising the following sub-steps:
Step H: after the object executes, check whether test data has been inserted into the test table:
if the test table contains data, the object has a security vulnerability; record the object name, parameter name and penetration string, and delete the test data;
if the test table contains no data, repeat steps G and H until penetration testing with every string in the penetration parameter library is complete;
Step I: repeat steps F, G and H until the execution-result behavior check has been completed for all objects returned by step E;
(5) list the names, parameter names and corresponding penetration strings of the vulnerable objects, i.e. the object names, parameter names and penetration strings recorded in step H, and output them as a scan report.
2. The behavior detection method for security vulnerabilities in database object scripts according to claim 1, characterised in that step (1) specifically comprises the following sub-steps:
Step A: prepare an empty database of the same type and version number as the database under test as the test database, and create a test table;
Step B: connect to the database under test and the test database with an administrator account;
Step C: obtain the object scripts and table structures of the database under test with SELECT statements, then re-create the objects and tables in the test database with CREATE statements.
CN201610585405.5A 2016-07-21 2016-07-21 A kind of behavioral value method of database object script security breaches Active CN106250768B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610585405.5A CN106250768B (en) 2016-07-21 2016-07-21 A kind of behavioral value method of database object script security breaches

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610585405.5A CN106250768B (en) 2016-07-21 2016-07-21 A kind of behavioral value method of database object script security breaches

Publications (2)

Publication Number Publication Date
CN106250768A true CN106250768A (en) 2016-12-21
CN106250768B CN106250768B (en) 2019-02-22

Family

ID=57603368

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610585405.5A Active CN106250768B (en) 2016-07-21 2016-07-21 A kind of behavioral value method of database object script security breaches

Country Status (1)

Country Link
CN (1) CN106250768B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107229681A (en) * 2017-05-09 2017-10-03 北京潘达互娱科技有限公司 A kind of database operation method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101676908A (en) * 2008-09-17 2010-03-24 中兴通讯股份有限公司 Method and device for detecting integrity of database objects
EP2244418A1 (en) * 2008-07-28 2010-10-27 Chengdu Huawei Symantec Technologies Co., Ltd. Database security monitoring method, device and system
CN102541729A (en) * 2010-12-31 2012-07-04 航空工业信息中心 Detection device and method for security vulnerability of software
CN102760096A (en) * 2011-04-27 2012-10-31 阿里巴巴集团控股有限公司 Test data generation method, unit testing method and unit testing system
CN103095681A (en) * 2012-12-03 2013-05-08 微梦创科网络科技(中国)有限公司 Loophole detection method and device
CN103473381A (en) * 2013-10-13 2013-12-25 陈志德 Database security assessment method
CN105160252A (en) * 2015-08-10 2015-12-16 北京神州绿盟信息安全科技股份有限公司 Method and apparatus for detecting structured query language injection attack
CN105512017A (en) * 2014-09-22 2016-04-20 阿里巴巴集团控股有限公司 Database compatibility detection method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
隋亮: ""基于渗透测试的SQL注入漏洞检测与防范"", 《中国优秀硕士学位论文全文数据库信息科技辑》 *

Also Published As

Publication number Publication date
CN106250768B (en) 2019-02-22

Similar Documents

Publication Publication Date Title
US11057424B2 (en) Database query injection detection and prevention
US10198580B2 (en) Behavior specification, finding main, and call graph visualizations
CN100504904C (en) Windows concealed malevolence software detection method
US8245194B2 (en) Automatically generating unit test cases which can reproduce runtime problems
CN110266669A (en) A kind of Java Web frame loophole attacks the method and system of general detection and positioning
CN106055980B (en) A kind of rule-based JavaScript safety detecting method
US8151247B2 (en) Test data management
CN106022135A (en) Automatic detection system capable of dynamically determining XSS vulnerability
CN104995630A (en) Security scan based on dynamic taint
KR101579493B1 (en) Staging control method for source code, Computer program for the same, Recording medium storing computer program for the same
Ghabi et al. Code patterns for automatically validating requirements-to-code traces
CN106295338A (en) A kind of SQL leak detection method based on artificial neural network
CN106294162B (en) A kind of third party's component method for testing security based on data mining
CN107491691A (en) A kind of long-range forensic tools Safety Analysis System based on machine learning
US6694290B1 (en) Analyzing an extended finite state machine system model
CN115827610A (en) Method and device for detecting effective load
US10789159B2 (en) Non-regressive injection of deception decoys
US6853963B1 (en) Analyzing an extended finite state machine system model
CN106250768A (en) A kind of behavioral value method of database object script security breaches
CN106227812B (en) A kind of auditing method of database object script security risk
CN107844703B (en) Client security detection method and device based on Android platform Unity3D game
CN107957954B (en) Method and system for improving test data security in Linux system
CN106156348B (en) A kind of auditing method of database object script risky operation
CN103441985B (en) A kind of SQL injection loophole detection method for COOKIE mode
Shegokar et al. A survey on SQL injection attack, detection and prevention techniques

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 310051 15-storey Zhongcai Building, Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Applicant after: Hangzhou Annan information technology Limited by Share Ltd

Address before: 310051 15-storey Zhongcai Building, Tonghe Road, Binjiang District, Hangzhou City, Zhejiang Province

Applicant before: Dbappsecurity Co.,ltd.

GR01 Patent grant