CN106407811A - SQL injection loophole positioning detection system - Google Patents
- Publication number: CN106407811A
- Application number: CN201610885677.7A
- Authority: CN (China)
- Prior art keywords: program, variable, sql injection, module, sql
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
Abstract
The invention discloses a system for detecting and locating SQL injection vulnerabilities. The system uses penetration testing, in the form of simulated attacks, to detect whether a web program contains an SQL injection vulnerability. It then applies program analysis to the source code and uses data-flow tracking and instrumentation to trace the propagation of tainted variables, reporting the propagation path of each tainted variable through the program so that maintainers can repair the vulnerability. By combining penetration testing with program analysis, the invention addresses two shortcomings: penetration testing cannot analyze the source program, and pure program analysis is time-consuming. It offers a new approach to locating and detecting SQL injection vulnerabilities.
Description
Technical field
The invention belongs to the field of computer technology, in particular to the field of information security, and more specifically relates to a system for detecting and locating SQL injection vulnerabilities.
Background
With the rapid development of the Internet, more and more web applications adopt a three-tier architecture: database server, application server and client. The user enters data at the client; the application server builds an SQL statement from that input and passes it to the database for execution, and the result is finally returned to the user. Because databases store large amounts of sensitive information, they are attacked frequently, and the most serious of these attacks is SQL injection. In an SQL injection attack, the attacker inserts SQL keywords or operators into a legitimate SQL statement, changing its semantics and syntactic structure, and submits the malicious statement to the database to obtain sensitive information such as user names and passwords, and from there control of the host. In the top ten web application security vulnerabilities published by OWASP in 2013, SQL injection attacks rank first.
The present invention proposes locating SQL injection vulnerabilities by combining penetration testing with program analysis. The penetration testing phase takes a website address as input and uses simulated attacks to determine the user input points that cause SQL injection. The program analysis phase, guided by the results of the penetration testing phase, applies data-flow tracking to the web application's source code to analyze how the vulnerability arises.
Summary of the invention
The object of the invention is to provide a system for detecting and locating SQL injection vulnerabilities.
The object of the invention can be achieved through the following technical solution:
A system for detecting and locating SQL injection vulnerabilities, comprising a penetration testing unit and a program analysis unit.
The penetration testing unit comprises an information acquisition module, an attack string library and a simulated attack module.
The information acquisition module checks whether the URL is accessible and obtains the web page source code, looks for possible injection points in the page such as the user login, and takes attack strings in turn from the attack string library to carry out simulated attacks on the website. Whether an attack succeeded is judged from the page returned by the server. If it succeeded, an SQL injection vulnerability exists, and the website location and the possible injection point are saved for use in the program analysis phase.
The program analysis unit comprises a source code loader, a marking module, a data-flow tracking module, a code instrumenter and a dynamic test module.
The source code loader loads, according to the penetration testing results, the source code of the pages that have an SQL injection vulnerability, in preparation for locating the vulnerability.
The marking module marks tainted variables, and data-flow tracking follows the propagation of the tainted variables through the program. If a variable that ends up composing the SQL query statement contains data from user input, that variable is determined to be an SQL injection point, and the position of its input point and its propagation path are reported.
The code instrumenter inserts information into the program to monitor its dynamic execution and obtain the propagation path of the tainted variables.
Beneficial effects of the invention: the proposed system first uses penetration testing, in the form of simulated attacks, to detect whether a web program contains an SQL injection vulnerability. It then applies program analysis to the source code and uses data-flow tracking and instrumentation to trace the propagation of tainted variables, finally reporting the propagation path of each tainted variable in the program so that developers and maintainers can repair the vulnerability. By combining penetration testing with program analysis, the invention addresses the shortcomings that penetration testing cannot analyze the source program and that pure program analysis is time-consuming, and offers a new approach to locating and detecting SQL injection vulnerabilities.
Brief description of the drawings
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the system of the invention.
Fig. 2 is a flow chart of the method of the invention.
Detailed description
The object of the invention is to provide a system for detecting and locating SQL injection vulnerabilities.
To help those skilled in the art better understand the solution of the invention, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the protection scope of the invention.
As shown in Fig. 1, the invention provides a system for detecting and locating SQL injection vulnerabilities, comprising a penetration testing unit D110 and a program analysis unit D120.
The penetration testing unit D110 comprises an information acquisition module M211, an attack string library DB1 and a simulated attack module M212. The information acquisition module M211 checks whether the URL is accessible and obtains the web page source code, looks for possible injection points in the page such as the user login, and takes attack strings in turn from the attack string library DB1 to carry out simulated attacks on the website. Whether an attack succeeded is judged from the page returned by the server. If it succeeded, an SQL injection vulnerability exists, and the website location and the possible injection point are saved for use in the program analysis phase.
The program analysis unit D120 comprises a source code loader P1, a marking module M213, a data-flow tracking module M214, a code instrumenter P2 and a dynamic test module M215. The source code loader P1 loads, according to the penetration testing results, the source code of the pages that have an SQL injection vulnerability, in preparation for locating the vulnerability. The marking module M213 marks tainted variables, and data-flow tracking follows the propagation of the tainted variables through the program. If a variable that ends up composing the SQL query statement contains data from user input, that variable is determined to be an SQL injection point, and the position of its input point and its propagation path are reported. The code instrumenter P2 inserts information into the program to monitor its dynamic execution; in the invention, instrumentation is used to obtain the propagation path of the tainted variables.
As shown in Fig. 2, a method for detecting and locating SQL injection vulnerabilities comprises the following steps:
Step S1: the information acquisition module M211 checks whether the website address U1 is accessible, obtains the web page source code, and passes it to the simulated attack module M212.
Step S2: the simulated attack module M212 looks for possible injection points in the page such as the user login, and takes attack strings in turn from the attack string library DB1 to carry out simulated attacks on the website. Whether an attack succeeded is judged from the page returned by the server. If it succeeded, an SQL injection vulnerability exists, and the website location and the possible injection point are saved for use in the program analysis phase.
Step S3: the source code loader P1 loads, according to the penetration testing results of the simulated attack module M212, the source code of the pages that have an SQL injection vulnerability, in preparation for locating the vulnerability.
Step S4: the marking module M213 marks tainted variables, in preparation for data-flow tracking.
Step S5: the data-flow tracking module M214 uses data-flow tracking to follow the propagation of the tainted variables through the program. If a variable that ends up composing the SQL query statement contains data from user input, that variable is determined to be an SQL injection point, and the position of its input point and its propagation path are reported.
Step S6: the code instrumenter P2 inserts information into the program to monitor its dynamic execution. To collect the program's runtime characteristics, a piece of detection code (a probe) is inserted at specific points of the program under test without destroying the original logical integrity of that program, producing a program P3 that contains probes. In the invention, the inserted probes record the propagation path of variables. When a variable is detected to be the injection point that causes an SQL injection vulnerability, the position where it first received input and its propagation path in the program are output, to make later repair of the vulnerability easier.
Step S7: the dynamic test module M215 feeds in test data, finally outputs the propagation path of the tainted variable in the program, and generates the SQL injection point report.
The proposed system first uses penetration testing, in the form of simulated attacks, to detect whether a web program contains an SQL injection vulnerability. It then applies program analysis to the source code and uses data-flow tracking and instrumentation to trace the propagation of tainted variables, finally reporting the propagation path of each tainted variable in the program so that developers and maintainers can repair the vulnerability. By combining penetration testing with program analysis, the invention addresses the shortcomings that penetration testing cannot analyze the source program and that pure program analysis is time-consuming, and offers a new approach to locating and detecting SQL injection vulnerabilities.
For convenience of description, the above apparatus is described as divided by function into various units and modules. Of course, when implementing the application, the functions of the units and modules may be realized in one or more pieces of software and/or hardware.
As can be seen from the above description of the embodiments, those skilled in the art can clearly understand that the application can be implemented by software plus a necessary general-purpose hardware platform. Based on this understanding, the essence of the technical solution of the application, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the embodiments of the application or in certain parts of the embodiments.
The apparatus embodiments described above are only illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The application can be used in numerous general-purpose or special-purpose computing system environments or configurations, for example: personal computers, server computers, handheld or portable devices, laptop devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, and distributed computing environments that include any of the above systems or devices.
The application can be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The application can also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
In this specification, a reference to the terms "one embodiment", "example", "specific example" and the like means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. Schematic uses of these terms in this specification do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
The above content is only an example and explanation of the structure of the invention. Those skilled in the art may make various modifications or additions to the specific embodiments described, or substitute them in a similar manner; as long as these do not depart from the structure of the invention or go beyond the scope defined by the claims, they all fall within the protection scope of the invention.
Claims (1)
1. A system for detecting and locating SQL injection vulnerabilities, characterized in that it comprises a penetration testing unit and a program analysis unit;
the penetration testing unit comprises an information acquisition module, an attack string library and a simulated attack module;
the information acquisition module checks whether the URL is accessible and obtains the web page source code, looks for possible injection points in the page such as the user login, and takes attack strings in turn from the attack string library to carry out simulated attacks on the website; whether an attack succeeded is judged from the page returned by the server; if it succeeded, an SQL injection vulnerability exists, and the website location and the possible injection point are saved for use in the program analysis phase;
the program analysis unit comprises a source code loader, a marking module, a data-flow tracking module, a code instrumenter and a dynamic test module;
the source code loader loads, according to the penetration testing results, the source code of the pages that have an SQL injection vulnerability, in preparation for locating the vulnerability;
the marking module marks tainted variables, and data-flow tracking follows the propagation of the tainted variables through the program; if a variable that ends up composing the SQL query statement contains data from user input, that variable is determined to be an SQL injection point, and the position of its input point and its propagation path are reported;
the code instrumenter inserts information into the program to monitor its dynamic execution and obtain the propagation path of the tainted variables.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610885677.7A CN106407811A (en) | 2016-10-10 | 2016-10-10 | SQL injection loophole positioning detection system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106407811A true CN106407811A (en) | 2017-02-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication | | Application publication date: 20170215 |