CN106407811A - SQL injection loophole positioning detection system - Google Patents

Publication number: CN106407811A
Authority: CN (China)
Prior art keywords: program, variable, sql injection, module, sql
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CN201610885677.7A
Other languages: Chinese (zh)
Inventor: 曹卫星
Current Assignee: Hefei Red Coral Software Service Co Ltd (the listed assignees may be inaccurate)
Original Assignee: Hefei Red Coral Software Service Co Ltd
Application filed by Hefei Red Coral Software Service Co Ltd
Priority to CN201610885677.7A
Publication of CN106407811A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Abstract

The invention discloses an SQL injection vulnerability locating and detection system. The system uses penetration testing, by means of simulated attack, to detect whether SQL injection vulnerabilities exist in web programs; it uses program analysis to analyze the source code, and uses data flow tracking and code instrumentation to trace the propagation of tainted variables, so that the propagation paths of the tainted variables in the program are given and maintainers can repair the vulnerability more easily. The system proposes a method that combines penetration testing with program analysis, which overcomes the drawbacks that penetration testing cannot analyze the source program and that pure program analysis is time-consuming, and offers a new approach to locating and detecting SQL injection vulnerabilities.

Description

An SQL injection vulnerability locating and detection system
Technical field
The invention belongs to the field of computer technology, in particular to the field of information security, and more particularly relates to an SQL injection vulnerability locating and detection system.
Background
With the rapid development of the Internet, more and more web applications adopt a three-tier structure: database server, application server and client. The user enters data at the client, the application server builds an SQL statement from that input and passes the statement to the database for execution, and the result is finally returned to the user. Because databases store large amounts of sensitive information, they are attacked frequently, and the most serious of these attacks is SQL injection. In an SQL injection attack, the attacker inserts SQL keywords or operators into a legitimate SQL statement, changing the semantics and syntactic structure of the statement; these malicious SQL statements are submitted to the database to obtain sensitive information such as user names and passwords, and in turn to gain control of the host. Among the ten major web application security vulnerabilities published by OWASP in 2013, SQL injection attacks ranked first.
The present invention proposes locating SQL injection vulnerabilities by combining penetration testing with program analysis. In the penetration testing stage, a website address is input and the user input points that cause SQL injection are determined through simulated attack. In the program analysis stage, based on the results of the penetration testing stage, data flow tracking is used to analyze how the vulnerability arises in the source code of the web application system.
Summary of the invention
The object of the invention is to provide an SQL injection vulnerability locating and detection system that locates and detects SQL injection vulnerabilities.
The object of the invention can be achieved through the following technical solution:
An SQL injection vulnerability locating and detection system, comprising a penetration testing unit and a program analysis unit;
The penetration testing unit comprises an information acquisition module, an attack string library and a simulated attack module;
The information acquisition module checks the accessibility of the URL and obtains the web page source code; possible injection points, such as user login, are found in the web page, attack strings are called in turn from the attack string library to carry out a simulated attack on the website, and whether the attack succeeded is judged from the page returned by the server. If it succeeded, an SQL injection vulnerability exists, and the website location and the possible injection points are saved for use in the program analysis stage;
The program analysis unit comprises a source code loader, a marking module, a data flow tracking module, a code instrumenter and a dynamic test module;
The source code loader loads, according to the result of the penetration test, the source code of the pages in which an SQL injection vulnerability exists, in preparation for the later vulnerability locating;
The marking module marks tainted variables, and data flow tracking is used to follow the propagation of the tainted variables in the program; if a variable that finally makes up the SQL query statement contains data from user input, that variable is determined to be an SQL injection point, and the position of the variable's input point and its propagation path are given;
The code instrumenter inserts information into the program to monitor the program's dynamic execution and obtain the propagation path of the tainted variables.
Beneficial effects of the invention: the SQL injection vulnerability locating and detection system proposed here first uses penetration testing, by means of simulated attack, to detect whether an SQL injection vulnerability exists in the web program; it then applies program analysis to the source code, using data flow tracking and instrumentation to track the propagation of tainted variables, and finally gives the propagation path of the tainted variables in the program, which makes it easier for development and maintenance staff to repair the vulnerability. The invention proposes a method that combines penetration testing with program analysis, which overcomes the drawbacks that penetration testing cannot analyze the source program and that pure program analysis is time-consuming, and offers a new approach to locating and detecting SQL injection vulnerabilities.
Brief description of the drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. The drawings described below are merely embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the system of the present invention.
Fig. 2 is a flow chart of the method of the present invention.
Detailed description of the embodiments
The object of the invention is to provide an SQL injection vulnerability locating and detection system that locates and detects SQL injection vulnerabilities.
To help those skilled in the art better understand the solution of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
As shown in Fig. 1, the invention provides an SQL injection vulnerability locating and detection system comprising a penetration testing unit D110 and a program analysis unit D120.
The penetration testing unit D110 comprises an information acquisition module M211, an attack string library DB1 and a simulated attack module M212. The information acquisition module M211 checks the accessibility of the URL and obtains the web page source code; possible injection points, such as user login, are found in the web page, attack strings are called in turn from the attack string library DB1 to carry out a simulated attack on the website, and whether the attack succeeded is judged from the page returned by the server. If it succeeded, an SQL injection vulnerability exists, and the website location and the possible injection points are saved for use in the program analysis stage.
The program analysis unit D120 comprises a source code loader P1, a marking module M213, a data flow tracking module M214, a code instrumenter P2 and a dynamic test module M215. The source code loader P1 loads, according to the result of the penetration test, the source code of the pages in which an SQL injection vulnerability exists, in preparation for the later vulnerability locating. The marking module M213 marks tainted variables, and data flow tracking is used to follow the propagation of the tainted variables in the program; if a variable that finally makes up the SQL query statement contains data from user input, that variable is determined to be an SQL injection point, and the position of the variable's input point and its propagation path are given. The code instrumenter P2 inserts information into the program to monitor the program's dynamic execution; in the present invention the instrumentation is used to obtain the propagation path of the tainted variables.
As shown in Fig. 2, an SQL injection vulnerability locating and detection method comprises the following steps:
Step S1: the information acquisition module M211 checks the accessibility of the website address U1, obtains the web page source code and passes it to the simulated attack module M212;
Step S2: the simulated attack module M212 finds possible injection points in the web page, such as user login, calls attack strings in turn from the attack string library DB1 to carry out a simulated attack on the website, and judges from the page returned by the server whether the attack succeeded. If it succeeded, an SQL injection vulnerability exists, and the website location and the possible injection points are saved for use in the program analysis stage;
Step S3: the source code loader P1 loads, according to the penetration test result of the simulated attack module M212, the source code of the pages in which an SQL injection vulnerability exists, in preparation for the later vulnerability locating;
Step S4: the marking module M213 marks tainted variables in preparation for data flow tracking;
Step S5: the data flow tracking module M214 uses data flow tracking to follow the propagation of the tainted variables in the program; if a variable that finally makes up the SQL query statement contains data from user input, that variable is determined to be an SQL injection point, and the position of the variable's input point and its propagation path are given;
Step S6: the code instrumenter P2 inserts information into the program to monitor its dynamic execution. To collect the program's runtime characteristics, a piece of detection code (a probe) is inserted at specific parts of the program under test without breaking the logical integrity of the original program, producing a program P3 that contains probes. In the present invention the inserted probes record the propagation path of variables; when a variable is detected to be the injection point that causes an SQL injection vulnerability, the position where it first accepted input and its propagation path in the program are output, which facilitates later repair of the vulnerability;
Step S7: the dynamic test module M215 inputs test data, finally gives the propagation path of the tainted variables in the program, and generates the SQL injection point report.
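An added illustration of steps S4 to S7, not code from the patent: the `Tracer` class, its probe labels and the two sample login functions are hypothetical, and the test input is constructed and benign. It shows probes recording the propagation path of a tainted variable, and the report staying empty once the same page uses a bound parameter.

```python
class Tainted(str):
    """A str that remembers where user input entered and which statements it passed."""

    def __new__(cls, value, origin, path):
        obj = super().__new__(cls, value)
        obj.origin = origin      # position where the input was first accepted
        obj.path = tuple(path)   # propagation path recorded by the probes
        return obj


class Tracer:
    """Hypothetical stand-in for the marking module, the probes and the report."""

    def __init__(self):
        self.findings = []

    def source(self, name, value):
        # Step S4: mark data coming from user input as tainted.
        return Tainted(value, name, [name])

    def probe(self, label, result, *operands):
        # Steps S5/S6: probe inserted after an assignment. Plain str operations
        # drop the Tainted subclass, so the probe re-attaches the taint of the
        # first tainted operand and appends this statement to the path.
        for op in operands:
            if isinstance(op, Tainted):
                return Tainted(result, op.origin, op.path + (label,))
        return result

    def sink(self, label, sql_text):
        # Probe in front of the database call: tainted SQL text means user
        # input became part of the query, so record origin and full path.
        if isinstance(sql_text, Tainted):
            self.findings.append({"sink": label, "origin": sql_text.origin,
                                  "path": list(sql_text.path) + [label]})


def login_concatenated(t, form):
    # Constructed page code with probes inserted; the query is concatenated.
    user = t.source("form['user']", form["user"])
    name = t.probe("name = user.strip()", user.strip(), user)
    sql = t.probe("sql = 'SELECT ...' + name",
                  "SELECT id FROM users WHERE name = '" + name + "'", name)
    t.sink("execute(sql)", sql)
    return sql


def login_parameterized(t, form):
    # Same page after repair: constant SQL text, input passed as bound parameter.
    user = t.source("form['user']", form["user"])
    name = t.probe("name = user.strip()", user.strip(), user)
    sql = "SELECT id FROM users WHERE name = ?"
    t.sink("execute(sql, (name,))", sql)
    return sql, (name,)


def run_dynamic_test():
    # Step S7: feed test data through the instrumented code, collect the report.
    t = Tracer()
    form = {"user": "  alice  "}   # constructed, benign test input
    login_concatenated(t, form)
    login_parameterized(t, form)
    return t.findings


if __name__ == "__main__":
    for f in run_dynamic_test():
        print(f["origin"], "->", " -> ".join(f["path"][1:]))
```

Taint here tracks provenance rather than content, so ordinary test data is enough to expose the path from the input point to the query.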
The SQL injection vulnerability locating and detection system proposed by the invention first uses penetration testing, by means of simulated attack, to detect whether an SQL injection vulnerability exists in the web program; it then applies program analysis to the source code, using data flow tracking and instrumentation to track the propagation of tainted variables, and finally gives the propagation path of the tainted variables in the program, which makes it easier for development and maintenance staff to repair the vulnerability. The invention proposes a method that combines penetration testing with program analysis, which overcomes the drawbacks that penetration testing cannot analyze the source program and that pure program analysis is time-consuming, and offers a new approach to locating and detecting SQL injection vulnerabilities.
For convenience of description, the above apparatus is described in terms of units and modules divided by function. Of course, when implementing the present application, the functions of the units and modules may be implemented in one or more pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the present application can be implemented by software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments of the present application or in certain parts of the embodiments.
The apparatus embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
The present application can be used in numerous general-purpose or special-purpose computing system environments or configurations, for example: personal computers, server computers, handheld or portable devices, laptop devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, and distributed computing environments that include any of the above systems or devices.
The present application may be described in the general context of computer-executable instructions, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments, where tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
In the description of this specification, reference to the terms "embodiment", "example", "specific example" and the like means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
The above content is only an example and explanation of the structure of the present invention. Various modifications or supplements to the described specific embodiments, or substitutions in a similar manner, made by those skilled in the art shall fall within the protection scope of the present invention as long as they do not depart from the structure of the invention or go beyond the scope defined by the claims.

Claims (1)

1. An SQL injection vulnerability locating and detection system, characterized in that it comprises a penetration testing unit and a program analysis unit;
The penetration testing unit comprises an information acquisition module, an attack string library and a simulated attack module;
The information acquisition module checks the accessibility of the URL and obtains the web page source code; possible injection points, such as user login, are found in the web page, attack strings are called in turn from the attack string library to carry out a simulated attack on the website, and whether the attack succeeded is judged from the page returned by the server; if it succeeded, an SQL injection vulnerability exists, and the website location and the possible injection points are saved for use in the program analysis stage;
The program analysis unit comprises a source code loader, a marking module, a data flow tracking module, a code instrumenter and a dynamic test module;
The source code loader loads, according to the result of the penetration test, the source code of the pages in which an SQL injection vulnerability exists, in preparation for the later vulnerability locating;
The marking module marks tainted variables, and data flow tracking is used to follow the propagation of the tainted variables in the program; if a variable that finally makes up the SQL query statement contains data from user input, that variable is determined to be an SQL injection point, and the position of the variable's input point and its propagation path are given;
The code instrumenter inserts information into the program to monitor the program's dynamic execution and obtain the propagation path of the tainted variables.

Priority Applications (1)

Application Number: CN201610885677.7A
Priority Date: 2016-10-10
Filing Date: 2016-10-10
Title: SQL injection loophole positioning detection system

Publications (1)

Publication Number: CN106407811A
Publication Date: 2017-02-15

Family

ID=59228921

Country Status (1)

CN: CN106407811A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170215