CN108521392B - Bidirectional flow SQL injection attack detection method - Google Patents

Info

Publication number
CN108521392B
Authority
CN
China
Prior art keywords
sql injection
injection attack
regular expression
sql
attack
Prior art date
Legal status
Active
Application number
CN201810072117.9A
Other languages
Chinese (zh)
Other versions
CN108521392A (en)
Inventor
陈铭松
顾海峰
王红祥
胡铭
段文雪
Current Assignee
East China Normal University
Original Assignee
East China Normal University
Priority date
2018-01-25
Filing date
2018-01-25
Publication date
2020-10-16
Application filed by East China Normal University
Priority to CN201810072117.9A
Publication of CN108521392A
Application granted
Publication of CN108521392B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a bidirectional flow SQL injection attack detection method comprising the following steps. Step one: match and capture network traffic that may contain SQL injection attacks using a first-level regular expression. Step two: perform behavior judgment analysis on the captured traffic using a second-level regular expression. Step three: extract data from the confirmed SQL injection attack traffic using a third-level regular expression. Through bidirectional flow behavior judgment analysis, the multistage regular expressions filter out the SQL injection attacks that actually succeeded, and the third-level regular expression extracts the user information data leaked by each successful attack, so that both the harmfulness of the SQL injection attack and the effectiveness of the detection method are reflected.

Description

Bidirectional flow SQL injection attack detection method
Technical Field
The invention belongs to the field of computer technology. It relates to regular expression technology, the HTTP (Hypertext Transfer Protocol) protocol and SQL (Structured Query Language) injection attack techniques, and in particular to behavior judgment and analysis of SQL injection attacks: the traffic of attacks judged to be successful is further analyzed to extract the leaked data, so that both the harmfulness of the SQL injection attack and the effectiveness of the detection method can be shown.
Background
A regular expression is an expression that matches strings conforming to a specified rule, and is also commonly referred to as a pattern. Regular expressions have many application scenarios, for example retrieving or replacing text that conforms to a given rule or pattern, or verifying whether a string has a specified feature. A regular expression describes a whole family of strings conforming to a certain syntax rule with a single string, so a string-matching rule can be defined by a regular expression.
HTTP is a stateless application-layer web protocol based on a request/response model. When a browser sends a request to a web server, the server processes it, generates the corresponding response and sends it back to the browser, which parses the HTML in the response to display a web page to the user. An HTTP request has three parts: the request line, the request headers and the request body. The methods in the request line include GET, POST, HEAD, PUT, DELETE, TRACE, CONNECT and OPTIONS, of which GET and POST are the most common. An HTTP response likewise has three parts: the status line, the response headers and the response body.
SQL injection attacks can basically be divided into five types: Boolean-based blind injection, Time-based blind injection, Error-based (error echo) SQL injection, Union-query-based SQL injection and Stack-query-based SQL injection. Boolean-based blind injection inserts or appends a logical expression to a normal SQL statement; its features are Boolean operators such as AND, OR and NOT and database built-in functions such as MAKE_SET, ELT and IIF. Time-based blind injection (delayed injection) inserts or appends database time functions into the SQL statement so that its execution is delayed; its features are time functions such as SLEEP, BENCHMARK, GENERATE_SERIES, WAITFOR and REGEXP_SUBSTRING. Error-based SQL injection inserts or appends special database operations into the SQL statement so that a runtime error occurs when the statement is executed and the error message is returned to the client; functions commonly used to provoke such errors include EXP, JSON_KEYS, EXTRACTVALUE, UPDATEXML, ROW, CONVERT, XMLTYPE, DUTL_INADDR and FLOOR. Union-query-based SQL injection appends a UNION joint query to a normal statement in order to illegally obtain important data from the database of the attacked application; its defining characteristic is therefore the presence of a UNION query statement.
Stack-query-based SQL injection inserts or appends a further SQL query statement beginning with a semicolon (';') to a normal statement; the appended query overrides the result of the preceding query so that the output of the last statement is returned, which is how the SQL injection vulnerability is used to illegally steal data. The defining characteristic of Stack-query-based SQL injection is therefore the presence of a SQL query statement starting with ';'.
Disclosure of Invention
The invention aims to provide a bidirectional flow SQL injection attack detection method that uses multi-level regular expressions to capture network traffic that may contain SQL injection attacks and performs behavior judgment analysis on the captured traffic, thereby determining whether each SQL injection attack succeeded and extracting the data leaked by the successful attacks.
The specific technical scheme for realizing this purpose is as follows:
A bidirectional flow SQL injection attack detection method, characterized in that it comprises the following steps:
Step 1: match and capture network traffic containing suspected SQL injection attacks using a first-level regular expression;
Step 2: perform behavior judgment analysis on the captured traffic containing suspected SQL injection attacks using a second-level regular expression, and confirm the SQL injection attack traffic;
Step 3: extract the leaked data information contained in the confirmed SQL injection attack traffic using a third-level regular expression.
The first-level regular expressions comprise: a regular expression for Boolean-based SQL injection attacks, one for Time-based attacks, one for Error-based attacks, one for Union-based attacks and one for Stack-based attacks, wherein:
the regular expression for Boolean-based SQL injection attacks matches and captures the traffic of SQL injection attacks in Boolean mode;
the regular expression for Time-based SQL injection attacks matches and captures the traffic of attacks using the time-delay injection mode;
the regular expression for Error-based SQL injection attacks matches and captures the traffic of attacks using the error-echo injection mode;
the regular expression for Union-based SQL injection attacks matches and captures the traffic of attacks that add a UNION joint query to a normal SQL statement;
the regular expression for Stack-based SQL injection attacks matches and captures the traffic of attacks that insert or append a SQL query statement starting with a semicolon to a normal SQL statement.
The second-level regular expressions include: general regular expressions for SQL injection attacks, and regular expressions for Boolean-based, Time-based and Error-based SQL injection attacks.
The behavior judgment analysis determines which SQL injection attacks in the traffic were successfully executed against the attacked application, i.e. caused it to leak data. The process is: first, the request data of a session in the traffic is analyzed and the strings matching a second-level regular expression are extracted from it; then the response data of the same session is searched for those same strings. If the response contains them, the SQL injection attack is judged successful, otherwise it is judged failed. Analyzing the traffic bidirectionally (i.e. the request and response data of a session together) effectively improves the accuracy of SQL injection attack detection.
The third-level regular expression takes the attack identifier (characteristic string) of the SQL injection attack as its matching object.
The bidirectional flow SQL injection attack detection method provided by the invention thus captures traffic that may contain SQL injection attacks with the first-level regular expressions, and then performs bidirectional behavior judgment analysis on the request and response data of that traffic with the second-level regular expressions to confirm whether each SQL injection attack succeeded.
The beneficial effects of the invention are: the method efficiently captures suspicious SQL injection attack traffic present in the network, performs bidirectional behavior judgment analysis on the request and response data of the sessions in the captured traffic to confirm whether the attacks succeeded, and extracts the leaked data of the successful attacks. SQL injection attacks are thus detected more accurately, and the extracted leaked data reflects both the harmfulness of the attacks and the effectiveness of the detection method.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a sample diagram of a SQL injection attack captured in the present invention;
Detailed Description
The present invention will be described in further detail with reference to the following detailed description and accompanying drawings.
The invention discloses a bidirectional flow SQL injection attack detection method comprising the following steps:
Step 1: match and capture network traffic that may contain SQL injection attacks using a first-level regular expression;
Step 2: perform behavior judgment analysis on the captured traffic using a second-level regular expression, and confirm the SQL injection attack traffic;
Step 3: extract data from the confirmed SQL injection attack traffic using a third-level regular expression.
The first-level regular expressions for Boolean-based SQL injection attacks in the invention are:
Boolean_based_model=\
[
"^(POST|GET).*?(OR|AND)\s+\d+=\d+",
"^(POST|GET).*?OR\s+NOT\s+\d+=\d+",
"^(POST|GET).*?(OR|AND){0,1}\s+MAKE_SET\(\d+=\d+,\d+\)",
"^(POST|GET).*?(OR|AND){0,1}\s+ELT\(\d+=\d+,\d+\)",
"^(POST|GET).*?(OR|AND)\s+(\d+=\d+)\*\d+",
"^(POST|GET).*?IIF\(\d+=\d+,\d+,\d+/\d+\)",
]
The first-level regular expressions for Time-based SQL injection attacks are:
Time_based_model=\
[
"^(POST|GET).*?SLEEP\(\d+\)",
"^(POST|GET).*?WAITFOR\s+DELAY\s+'[\d:]+'",
"^(POST|GET).*?BENCHMARK\(",
"^(POST|GET).*?GENERATE_SERIES\(\d+",
"^(POST|GET).*?(SYSUSERS\s+AS\s+SYS\d+,?){3,}",
"^(POST|GET).*?DBMS_PIPE\.RECEIVE_MESSAGE\(",
"^(POST|GET).*?(ALL_USERS\s+T\d+,?){3,}",
"^(POST|GET).*?(SYSIBM\.SYSTABLES\s+AS\s+T\d+(,){0,1}){3,}",
"^(POST|GET).*?UPPER\(HEX\(RANDOMBLOB",
"^(POST|GET).*?(RDB\$[\w]+\s+AS\s+T\d+,?){3,}",
"^(POST|GET).*?(DOMAIN\.[\w]+\s+AS\s+T\d+,?){3,}",
"^(POST|GET).*?REGEXP_SUBSTRING\(REPEAT",
]
The first-level regular expressions for Error-based SQL injection attacks are:
Error_based_model=\
[
"^(POST|GET).*?EXP\(~\(SELECT\s+?\*\s+?FROM",
"^(POST|GET).*?JSON_KEYS\(\(SELECT\sCONVERT",
"^(POST|GET).*?EXTRACTVALUE\(\d+",
"^(POST|GET).*?(OR|AND)\s+UPDATEXML\([\d]+",
"^(POST|GET).*?ROW\(\d+,\d+\)\>",
"^(POST|GET).*?END\)\)::text",
"^(POST|GET).*?CONVERT\(INT",
"^(POST|GET).*?(OR|AND)\s+XMLTYPE\(CHR\(\d+\)\s+",
"^(POST|GET).*?(OR|AND)\s+DUTL_INADDR\.GET_HOST_ADDRESS\(",
"^(POST|GET).*?(OR|AND)\s+CTXSYS\.DRITHSX\.SN\(\d+",
"^(POST|GET).*?DBMS_UTILITY\.SQLID_TO_SQLHASH\(",
"^(POST|GET).*?FLOOR\(.+?\(\d+?\)\*\d+?\)",
]
The first-level regular expression for Union-based SQL injection attacks is:
Union_query_model=\
[
"^(POST|GET).*?UNION(\s+ALL){0,1}\s+SELECT",
]
The first-level regular expressions for Stack-based SQL injection attacks are:
Stack_query_model=\
[
"^(POST|GET).*?;SELECT",
"^(POST|GET).*?;UPDATE",
"^(POST|GET).*?;INSERT",
"^(POST|GET).*?;DELETE",
"^(POST|GET).*?;DROP",
"^(POST|GET).*?;WAITFOR\sDELAY",
"^(POST|GET).*?;CALL",
"^(POST|GET).*?;BEGIN",
]
Using these regular expressions, traffic is captured with a DPDK architecture as the underlying driver and Hyperscan as the regex matching engine: the traffic data of the network is received and the traffic that may contain SQL injection attacks is matched and captured. The captured traffic information comprises the client IP and server IP, the port information client_port and server_port, the session information seq, the matched regular expression, and so on; behavior judgment analysis is then carried out on the captured traffic data.
The web service ports monitored during traffic capture include:
"port":
[
{"type":"TCP","port":"79"},
{"type":"TCP","port":"80"},
{"type":"TCP","port":"81"},
{"type":"TCP","port":"1234"},
{"type":"TCP","port":"5000"},
{"type":"TCP","port":"7001"},
{"type":"TCP","port":"8000"},
{"type":"TCP","port":"8002"},
{"type":"TCP","port":"8008"},
{"type":"TCP","port":"8080"},
{"type":"TCP","port":"8081"},
{"type":"TCP","port":"8888"},
{"type":"TCP","port":"8899"},
{"type":"TCP","port":"8082"},
{"type":"TCP","port":"8088"},
{"type":"TCP","port":"9090"},
{"type":"TCP","port":"9080"},
]
For large volumes of SQL injection attack traffic data, the behavior judgment analysis runs in a multi-process concurrent mode to analyze the attack behavior state of the traffic. The analysis performed by each process is divided into two parts: a session behavior parallel analysis stage and a session state reduction stage. In the parallel analysis stage, the data in the session file is segmented and each segment is mapped to a single Map function operation object; the SQL injection attack traffic behavior is judged and analyzed within these Map functions, and the session object of each Map function yields a judgment result. In the session state reduction stage, the results of the Map functions are reduced, and all the results of the Filter function are combined into three kinds of session state information (normal, success and failure). Because successful SQL injection attack traffic can steal the data of the attacked application and even take over the attacked system, the analysis focuses on the session data of successful SQL injection attack traffic.
In the behavior judgment analysis of SQL injection attacks, the regular expressions for Boolean-based and Time-based SQL injection attack detection are:
BOOL_TIME_MODEL=\
[
"SLEEP\(\d+\)",
"BENCHMARK\(",
"GENERATE_SERIES\([\d]+",
"DBMS_PIPE\.RECEIVE_MESSAGE\(",
"(ALL_USERS\s+T[\d]+,?){3,}",
"UPPER\(HEX\(RANDOMBLOB",
"REGEXP_SUBSTRING\(REPEAT",
"WAITFOR\s+DELAY\s+'[\d:]+'",
"(SYSUSERS\s+AS\s+SYS[\d]+,?){3,}",
"(DOMAIN\.[\w]+\s+AS\s+T[\d]+,?){3,}",
"(RDB\$[\w]+\s+AS\s+T[\d]+,?){3,}",
"(SYSIBM\.SYSTABLES\s+AS\s+T[\d]+,?){3,}",
"(OR\s+NOT|OR|AND)\s+[\d]+=[\d]+",
"(OR|AND){0,1}\s+MAKE_SET\([\d]+=[\d]+,[\d]\)",
"(OR|AND){0,1}\s+ELT\([\d]+=[\d]+,[\d]\)",
"(OR|AND){0,1}\s+\([\d]+=[\d]+\)\*[\d]+",
"CASE\s+WHEN\s+[\(]?[\d]+=[\d]+[\)]?\s+THEN\s+[\d]+",
"IIF\([\d]+=[\d]+,\d+,\d+/\d+\)",
"IF\(\d+=\d+\)",
]
According to the principles of the three injection types Boolean blind injection, Time delay injection and Stack query, the behavior analysis system does not need to perform behavior judgment on traffic containing only one of these three types: a Boolean-based blind injection can only be determined to be successful after the attack traffic has been injected many times; a single Time-delay-based SQL injection can only be judged successful or not from the session delay between client and server; and the success of a Stack-query-based SQL injection is determined by the other four injection modes. Therefore, for traffic containing only these three simple injection types, only attack behavior detection and SQL injection statement feature extraction are performed, and no attack behavior judgment analysis is carried out.
In the behavior judgment analysis of SQL injection attacks, in addition to the regular expressions for Boolean-based and Time-based detection, a group of general SQL injection attack behavior judgment regular expressions is:
INJECTMODEL=\
[
"(CONCAT\(md5\(([\w']+)\)\))",
"((\s?CHAR\(\d+\)\s?){3,})",
"(\s?(CHR\(\d+\)\s?){3,})",
"(CHAR\(\d+,[\d\s,]+\))",
"SHA1\(0x([\w]+)\)",
"0x([\w]+)",
"md5\(([\w'\.]+)\)",
"((0x[\w]{2,10},){2,})",
"((char\(\d+\)[,]?){3,})",
"((chr\(\d+\)[,]?){3,})",
"SHA1\([\'\"]?([\w]+)[\"\']?\)",
"MD5\(CHAR\(([\w]+)\)\)",
"MD5\(CHAR\(((\d+,){1,}\d+)\)\)",
"SYS\.(FN_VARBINTOHEXSTR|FN_SQLVARBASETOSTR)\(HASHBYTES\('(SHA1|MD5)',\s?'(\w+)'\)\)",
]
This group of regular expressions is suitable for behavior state judgment analysis of all types of SQL injection attack traffic; it was obtained by comprehensively considering factors such as the SQL statement operation characteristics of the mainstream databases and SQL injection attack techniques. First, the request data of a session is analyzed and the regex-matched string is obtained from the request of the SQL injection attack session. Second, the string is processed to obtain the form it takes after the corresponding data processing (e.g. the value a hex literal or hash function in it evaluates to). Finally, combined with the response data, the system searches the response for that same content, and so judges the behavior of the SQL injection attack. If the response contains the string matched in the session's request, the SQL injection attack is judged to have been successfully executed against the database of the attacked application. Otherwise, the SQL injection attack is judged not to have taken effect on the application.
In addition, the set of regular expressions for Error-based SQL injection attack detection is:
BASED_ERRROR_INJECT_MODEL=\
[
"DUPLICATE\sENTRY\s'\S+'\sFOR\sKEY\s",
"DOUBLE\sVALUE\sIS\sOUT\sOF\srange\sIn\s'EXP",
"1050\s\-\sTABLE\s'\S+'\sALREADY\sEXISTS",
"1103\s\-\sINCORRECT\sTABLE\sNAME\s'\S+'",
"1112\s\-\sTABLE\s'\S+'\sUSES\sAN\sextension\sthat\sdoesn't\sexist\sin\sthis\sMySQL",
"1146\s\-\sTABLE\s'\S+'\sdoesn't\sexist",
"1061\s\-\sDUPLICATE\skey\sname\s'\S+'",
"1859\s\-\sDUPLICATE\sentry\sfor\skey\s'\S+'",
"ORA-13797:\sINVALID\sSQL\sID\sspecified,",
"ORA\-13828:\sgenerated\ssql\sprofile\sname\s\S+\salready\sexists",
"ORA\-22306:\stype\s\"\S+\"\salready\sexists",
"ORA\-22309:\sattribute\swith\sname\s\"\S+\"\salready\sexists",
"ORA\-26730:\s%s\s\"\S+\"\salready\sexists",
"ORA\-24146:\srule\s\S+\salready\sexists",
"ORA\-25018:\sconflicting\strigger\s\S+\salready\sexists",
"ORA\-01277:\sfile\s\"\S+\"\salready\sexists",
"ORA\-01543:\stablespace\s\"\S+\"\salready\sexists",
"ORA\-01920:\suser\sname\s\"\S+\"\sconflicts\swith\sanother\suser\sor\srole\sname",
"ORA\-02379:\sprofile\sstring\salready\sexists",
"\[SQL\sSERVER\]SYNTAX\sERROR\sCONVERTING\sTHE\s\S+\sVALUE\s\S+\sTO\sA\sCOLUMN\sOF\sDATA\sTYPE\sINT",
"\[SQL\sSERVER\](the\s){0,1}DATABASE\s'\S+'\salready\sexists",
"\[SQL\sSERVER\]the\sdata\stype\s\S+\salready\sexists",
"\[SQL\sSERVER\]there\salready\sexists\sa\s'\S+'\strigger",
"\[SQL\sSERVER\]\S+\s\S+\salready\sexists\sin\sthe\sdatabase",
"ERROR:\s+(column|relation)\s\"\S+\"\sdoes\snot\sexist",
"ERROR:\s+duplicate\skey\svalue\sviolates\sunique\sconstraint",
"ERROR:\s+INVALID\sINPUT\sSYNTAX\sFOR\sTYPE\sNUMERIC:",
]
Among the SQL injection attack types, Error-based injection is a more specific method. Its principle: when the SQL statement is executed in the database a runtime error occurs and the database returns the error message to the client, so a carefully constructed SQL injection attack can steal data through the error echo. By constructing malicious SQL injection statements that raise errors at runtime, the attacker obtains data from the content of the echoed error message. Therefore, in the behavior judgment analysis of error-echo injection traffic, not only can the attack behavior be judged by combining request and response data, but whether the SQL injection attack was successfully executed can also be determined by analyzing the response data specifically.
Finally, for the SQL injection attack traffic determined to be successful in the behavior analysis stage, it must be further analyzed whether the attack stole data of the attacked application. In order to extract the leaked data contained in successful SQL injection attack traffic, and taking into account the characteristics of penetration testing with the various SQL injection modes and tools as well as the characteristics of the database used by the attacked application, the invention proposes extracting and analyzing the stolen data by taking the attack identifier (characteristic string) used in the SQL injection attack as the regex matching object.
The regular expressions for data extraction are:
DATA_CAPUTRE_MODEL=\
[
"MD5\(CHAR\(((\d+,){1,}\d+)\)\)",
"((char\(\d+\)[,]?){3,})",
"((chr\(\d+\)[,]?){3,})",
"(CHAR\(\d+,[\d\s,]+\))",
"((\s?CHAR\(\d+\)\s?){3,})",
"(\s?(CHR\(\d+\)\s?){3,})",
"SHA1\(0x([\w]+)\)",
"MD5\(CHAR\(([\w]+)\)\)",
"((0x[\w]{2,10},){2,})",
"0x([\w]+)",
]
This group of regular expressions determines which data of the attacked application was stolen in successful SQL injection attack traffic. The core idea of the data extraction is: first, the identification string of the data is obtained from the data extraction regular expression and the SQL injection statement; this identification string marks the position of the stolen data in the SQL injection attack traffic. Second, the leaked data is obtained from the response data of the SQL injection attack traffic using the identification string. Fig. 2 shows a successful SQL injection attack.
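An added example, not part of the patent, implementing the second-level behavior judgment described earlier together with the third-level data extraction described just above (both stages need the same identifier-decoding helpers, so one block serves both passages). The patterns are taken from the page's INJECTMODEL, BASED_ERRROR_INJECT_MODEL and DATA_CAPUTRE_MODEL lists; the decodings paired with them (hex literal to text, CHAR(...) to text, md5/SHA1 to digest) are my reading of the "corresponding data processing" step, and every request/response pair is constructed. It assumes the sessions have already passed the first-level filter.

```python
import hashlib
import re


# --- identifier decoding: what the database renders each request literal as ---
def _hex_to_text(h: str) -> str:
    # 0x5b5b is rendered by the database as the string "[["
    return bytes.fromhex(h).decode("latin-1")


def _chars_to_text(csv: str) -> str:
    # CHAR(112,114,111,98,101) is rendered as "probe"
    return "".join(chr(int(n)) for n in re.split(r"[\s,]+", csv.strip()) if n)


def _md5_text(arg: str) -> str:
    # md5('probe') is rendered as the 32-character hex digest of "probe"
    return hashlib.md5(arg.strip("'\"").encode()).hexdigest()


def _sha1_hex(h: str) -> str:
    return hashlib.sha1(bytes.fromhex(h)).hexdigest()


# Second-level patterns (from the page's lists) paired with the decoding the
# database applies. Specific rules come first so the generic 0x rule does not
# also fire inside SHA1(0x...).
MARKER_RULES = [
    (re.compile(r"SHA1\(0x([\w]+)\)", re.I), _sha1_hex),
    (re.compile(r"MD5\(CHAR\(((?:\d+,)+\d+)\)\)", re.I),
     lambda csv: _md5_text(_chars_to_text(csv))),
    (re.compile(r"CHAR\((\d+,[\d\s,]+)\)", re.I), _chars_to_text),
    (re.compile(r"md5\(([\w'\.]+)\)", re.I), _md5_text),
    (re.compile(r"0x([\w]+)", re.I), _hex_to_text),
]

# Response-side patterns for error-echo injection (from BASED_ERRROR_INJECT_MODEL);
# IGNORECASE because the page mixes upper and lower case within one expression.
ERROR_ECHO = [re.compile(p, re.I) for p in (
    r"DUPLICATE\sENTRY\s'\S+'\sFOR\sKEY\s",
    r"ERROR:\s+(column|relation)\s\"\S+\"\sdoes\snot\sexist",
    r"ERROR:\s+duplicate\skey\svalue\sviolates\sunique\sconstraint",
)]


def extract_markers(request: str) -> list[str]:
    """Strings that a successful attack would echo back, derived from the
    literals in the request and returned in request order."""
    found: list[tuple[int, str]] = []
    taken: list[tuple[int, int]] = []
    for rx, decode in MARKER_RULES:
        for m in rx.finditer(request):
            if any(m.start() < e and m.end() > s for s, e in taken):
                continue  # already consumed by a more specific rule
            try:
                found.append((m.start(), decode(m.group(1))))
            except ValueError:
                continue  # e.g. 0xZZ: not valid hex, so not a usable marker
            taken.append((m.start(), m.end()))
    return [text for _, text in sorted(found)]


def judge_session(request: str, response: str) -> str:
    """Stage 2: 'success' if the response echoes a request marker or carries a
    database error message, 'failure' if markers were sent but never came
    back, 'normal' if the request carries no second-level marker at all."""
    if any(rx.search(response) for rx in ERROR_ECHO):
        return "success"
    markers = extract_markers(request)
    if not markers:
        return "normal"
    return "success" if any(m in response for m in markers) else "failure"


def extract_leaked_data(request: str, response: str) -> list[str]:
    """Stage 3: echoed markers locate the leaked data; return the text found
    between each pair of consecutive echoed markers."""
    echoed = [m for m in extract_markers(request) if m in response]
    leaked = []
    for left, right in zip(echoed, echoed[1:]):
        start = response.find(left) + len(left)
        end = response.find(right, start)
        if end > start:
            leaked.append(response[start:end])
    return leaked


_PROBE_MD5 = hashlib.md5(b"probe").hexdigest()
# Constructed request/response pairs, not captured traffic.
SESSIONS = {
    "union_success": ("GET /item?id=-1 UNION ALL SELECT CONCAT(0x5b5b,user(),0x5d5d),2,3 HTTP/1.1",
                      "<html><td>[[webapp@localhost]]</td></html>"),
    "union_failure": ("GET /item?id=-1 UNION ALL SELECT CONCAT(0x5b5b,user(),0x5d5d),2,3 HTTP/1.1",
                      "<html><td>No such item</td></html>"),
    "hash_probe": ("GET /item?id=1 UNION SELECT md5('probe'),CHAR(112,114,111,98,101) HTTP/1.1",
                   "<td>%s</td><td>probe</td>" % _PROBE_MD5),
    "error_echo": ("GET /item?id=1' HTTP/1.1", 'ERROR: column "x" does not exist'),
    "bad_hex": ("GET /item?id=0xZZ HTTP/1.1", "<td>nothing</td>"),
    "normal": ("GET /item?id=42 HTTP/1.1", "<td>Widget</td>"),
}

if __name__ == "__main__":
    for name, (req, resp) in SESSIONS.items():
        print(f"{name:14s} {judge_session(req, resp):8s} leaked={extract_leaked_data(req, resp)}")
```

The overlap check in `extract_markers` matters in practice: without it, `SHA1(0x41)` would yield both the SHA-1 digest and the decoded byte, and the second marker would produce spurious "success" verdicts whenever the raw character happens to occur anywhere in the response.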

Claims (1)

1. A bidirectional flow SQL injection attack detection method is characterized by comprising the following steps:
Step 1: match and capture network traffic containing suspected SQL injection attacks using a first-level regular expression;
Step 2: perform behavior judgment analysis on the captured network traffic containing suspected SQL injection attacks using a second-level regular expression, and confirm the SQL injection attack traffic;
Step 3: extract the leaked data information contained in the confirmed SQL injection attack traffic using a third-level regular expression; wherein:
the first-level regular expression comprises: the regular expression aiming at SQL injection attack based on Boolean, the regular expression aiming at SQL injection attack based on Time, the regular expression aiming at SQL injection attack based on Error, the regular expression aiming at SQL injection attack based on Union and the regular expression aiming at SQL injection attack based on Stack;
the regular expression aiming at the Boolean-based SQL injection attack matches and captures the flow of the SQL injection attack in a Boolean mode;
the regular expression aiming at the SQL injection attack based on the Time is matched and the flow of the SQL injection attack adopting a Time delay injection mode is captured;
the regular expression aiming at the SQL injection attack based on the Error is matched and the flow of the SQL injection attack adopting the Error echo injection mode is captured;
the regular expression aiming at the Union-based SQL injection attack is matched and the flow of the SQL injection attack of adding a Union joint query statement in a normal SQL statement in a Union mode is captured;
the regular expression for Stack-based SQL injection attacks matches and captures the traffic of attacks that insert or append a SQL query statement starting with a semicolon to a normal SQL statement;
the second-level regular expressions include: a general regular expression for SQL injection attacks, a regular expression for Boolean-based SQL injection attacks, a regular expression for Time-based SQL injection attacks and a regular expression for Error-based SQL injection attacks;
the behavioral decision analysis includes: firstly, analyzing request data of a session in flow, matching character strings which accord with a secondary regular expression from the request data, then searching whether response data information contains the same character strings of the expression or not by combining response data information of the session in flow, if the response data information contains the same character strings, judging the SQL injection attack as a successful attack, otherwise, judging the SQL injection attack as a failed attack; wherein, the same character string contained in the response data information is called as an attack identification or a characteristic character string of the SQL injection attack;
the third-level regular expression is a regular expression taking an attack identifier of SQL injection attack, namely a characteristic character string, as a regular matching object.
CN201810072117.9A 2018-01-25 2018-01-25 Bidirectional flow SQL injection attack detection method Active CN108521392B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810072117.9A CN108521392B (en) 2018-01-25 2018-01-25 Bidirectional flow SQL injection attack detection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810072117.9A CN108521392B (en) 2018-01-25 2018-01-25 Bidirectional flow SQL injection attack detection method

Publications (2)

Publication Number Publication Date
CN108521392A CN108521392A (en) 2018-09-11
CN108521392B true CN108521392B (en) 2020-10-16

Family

ID=63432714

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810072117.9A Active CN108521392B (en) 2018-01-25 2018-01-25 Bidirectional flow SQL injection attack detection method

Country Status (1)

Country Link
CN (1) CN108521392B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109246113B (en) * 2018-09-21 2021-08-10 郑州云海信息技术有限公司 REST API SQL injection vulnerability detection method and device
CN110602030A (en) * 2019-05-16 2019-12-20 上海云盾信息技术有限公司 Network intrusion blocking method, server and computer readable medium
CN110535973A (en) * 2019-09-18 2019-12-03 北京明朝万达科技股份有限公司 SQL injection threat detection method and device
CN110868403B (en) * 2019-10-29 2021-08-27 泰康保险集团股份有限公司 Method and equipment for identifying advanced persistent Attack (APT)
CN113055399A (en) * 2021-03-31 2021-06-29 深信服科技股份有限公司 Attack success detection method, system and related device for injection attack
CN117527354B (en) * 2023-11-08 2024-06-21 北京微步在线科技有限公司 Attack detection method and device, electronic equipment and storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101526947A (en) * 2009-04-23 2009-09-09 山东中创软件商用中间件股份有限公司 Anti-SQL-injection technique using regular expressions
CN102682047A (en) * 2011-10-18 2012-09-19 国网电力科学研究院 Mixed structured query language (SQL) injection protection method
CN102567546B (en) * 2012-01-18 2014-03-12 北京神州绿盟信息安全科技股份有限公司 Structured query language (SQL) injection detection method and SQL injection detection device
CN102831345B (en) * 2012-07-30 2015-01-28 西北工业大学 Injection point extracting method in SQL (Structured Query Language) injection vulnerability detection
CN106940778B (en) * 2017-03-10 2020-10-16 华东师范大学 Method for cracking encrypted data in support library based on GPU parallel dictionary

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
OSGi-based anti-SQL-injection system; 周黄江 (Zhou Huangjiang); China Master's Theses Full-text Database; 2011-02-15; full text *

Also Published As

Publication number Publication date
CN108521392A (en) 2018-09-11

Similar Documents

Publication Publication Date Title
CN108521392B (en) Bidirectional flow SQL injection attack detection method
CN110266669B (en) Method and system for universal detection and positioning of Java Web framework vulnerability attack
CN107273751B (en) Multi-mode matching-based security vulnerability online discovery method
Gupta et al. PHP-sensor: a prototype method to discover workflow violation and XSS vulnerabilities in PHP web applications
CN101035111B (en) Intelligent protocol parsing method and device
CN100461132C (en) Software safety code analyzer based on static analysis of source code and testing method therefor
US8225402B1 (en) Anomaly-based detection of SQL injection attacks
Rekhis et al. A system for formal digital forensic investigation aware of anti-forensic attacks
CN100483434C (en) Method and device for recognizing virus
CN105491053A (en) Web malicious code detection method and system
CN103428196A (en) URL white list-based WEB application intrusion detecting method and apparatus
CN103780614B (en) SQL injection vulnerability mining method based on simulated-attack extension
CN105160252A (en) Method and apparatus for detecting structured query language injection attack
CN111104579A (en) Identification method and device for public network assets and storage medium
CN109768992A (en) Malicious web page scan handling method and device, terminal device, and readable storage medium
CN110096433B (en) Method for acquiring encrypted data on iOS platform
CN113055399A (en) Attack success detection method, system and related device for injection attack
CN110875928A (en) Attack tracing method, device, medium and equipment
CN111611590B (en) Method and device for data security related to application program
KR101696694B1 (en) Method And Apparatus For Analysing Source Code Vulnerability By Using TraceBack
US9600644B2 (en) Method, a computer program and apparatus for analyzing symbols in a computer
CN107704377B (en) Method for detecting second-order taint propagation vulnerabilities
Salas et al. Model-based security vulnerability testing
Benjamin et al. Some modeling challenges when testing rich internet applications for security
CN101719906B (en) Worm propagation behavior-based worm detection method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant