CN108616527A - A method and device for SQL injection vulnerability discovery - Google Patents

Info

Publication number: CN108616527A
Application number: CN201810340129.5A
Authority: CN (China)
Prior art keywords: attack, delay, sql, vector, matrix
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 黄娜娜, 钱亚东, 丁红卫
Current Assignee: Guizhou University
Original Assignee: Guizhou University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and device for SQL injection vulnerability discovery, intended to improve the detection accuracy for vulnerabilities and to reduce the operating load on a Web application vulnerability scanning system during detection. The method judges whether a vulnerability exists from the similarity computed between the actual response times and the desired delay times in the attack vectors. Because response times measured at nearby moments are affected by the network in almost the same way, similar amplitudes of variation do not decisively influence the computed similarity between the desired delay times and the actual response times, so the accuracy of the vulnerability judgment is not affected. The program can therefore detect time-based SQL injection vulnerabilities quickly and accurately under different network conditions and different target environments, while also effectively reducing the operating load that judging SQL injection vulnerabilities places on the Web application vulnerability scanning system.

Description

A method and device for SQL injection vulnerability discovery
Technical Field
The present invention relates to network security technology, and in particular to a method and device for SQL injection vulnerability discovery.
Background
Structured Query Language (SQL) injection is a common vulnerability in Web application security. In a Web application with an SQL injection vulnerability, an attacker exploits a code defect in the application by inserting SQL commands into any application parameter value that can influence a database query, tricking the server into executing the inserted malicious SQL commands and thereby obtaining the application's sensitive information or even taking control of the entire server hosting it. An effective SQL injection detection method is therefore needed to detect SQL injection vulnerabilities and so prevent SQL injection attacks.
In practice, an SQL injection detection method is also an SQL injection attack method: the target server is attacked using a configured SQL injection attack method, and whether an SQL injection vulnerability exists is judged from the target server's feedback.
Blind SQL injection is generally divided into three classes: Boolean-based, time-based and error-based.
In short, current time-based SQL injection vulnerability detection has the following problems:
1) Within a limited detection time, a large amount of data cannot be obtained to assess the current network condition;
2) Even if time cost is disregarded, obtaining a large amount of data requires sending a large number of requests, which puts heavy pressure on the target server's site during highly concurrent scanning and also increases resource consumption;
3) Because the network is unstable during scanning, a reasonable and effective algorithm for estimating the response time interval cannot be designed;
4) To ensure the accuracy of the scan result, the delay function is used several times for the judgment, and each single delay is long, so the whole scan takes a very long time;
5) When an attack vector containing a delay function such as sleep() or delay() is executed against the database, the delay may be executed for an integer multiple of the time specified in the attack vector, in which case the traditional judgment method based on time intervals produces false negatives;
6) When time-based SQL injection vulnerability detection uses an attack vector that repeatedly executes a feature expression, such as one containing benchmark(), the time a single execution of the feature expression takes is not fixed across target environments, so the traditional judgment method based on time intervals easily produces false positives.
It can be seen that existing time-based SQL injection vulnerability detection methods cannot detect time-based SQL injection vulnerabilities quickly and accurately. Moreover, existing detection methods often produce false negatives and false positives, which seriously affects the overall detection performance of a Web application vulnerability scanning system.
Summary of the Invention
Embodiments of the present invention provide a method and device for SQL injection vulnerability discovery, to improve the detection accuracy for time-based SQL injection vulnerabilities and to reduce the operating load on a Web application vulnerability scanning system during detection.
The specific technical solutions provided by the embodiments of the present invention are as follows:
A method for SQL injection vulnerability discovery, comprising:
Determining a target under test, and generating a first SQL attack vector and a second SQL attack vector according to, respectively, a first delay indication and a second delay indication contained in a selected delay matrix;
Sending the first SQL attack vector and the second SQL attack vector in sequence to the target under test and recording a response matrix, the response matrix recording a first response time corresponding to the first SQL attack vector and a second response time corresponding to the second SQL attack vector;
Calculating the similarity between the delay matrix and the response matrix and, when the similarity is determined to reach a set threshold, judging that a time-based SQL injection vulnerability exists.
In this way, whether a vulnerability exists can be judged from the similarity computed between the actual response times and the desired delay times in the attack vectors. For attack vectors that use a delay function, there is no need to repeatedly use long delay times, nor to consider whether the actual delay time matches the desired delay time; for attack vectors that repeatedly execute a feature expression, there is no need to consider how the time of a single execution differs between targets. Moreover, because response times measured at nearby moments are affected by the network in almost the same way, similar amplitudes of variation do not decisively influence the computed similarity between the desired delay times and the actual response times, so the accuracy of the vulnerability judgment is not affected. It can therefore be ensured that the program detects time-based SQL injection vulnerabilities quickly and accurately under different network conditions and different target environments, while also effectively reducing the operating load that judging SQL injection vulnerabilities places on the Web application vulnerability scanning system.
Preferably, the first delay indication and the second delay indication either directly record the delay duration to be executed, or record an impact factor indicating the number of times a feature expression is repeatedly executed, thereby indicating the delay duration indirectly.
Preferably, sending the first SQL attack vector and the second SQL attack vector in sequence to the target under test comprises:
Generating a first attack request and a second attack request, respectively, based on the target link and the object to be tested that the target under test represents, and on the first SQL attack vector and the second SQL attack vector;
Sending the first attack request and the second attack request to the target under test in sequence, wherein the second attack request is sent once the response to the first attack request has been received.
Preferably, after recording the response matrix and before calculating the similarity between the delay matrix and the response matrix, the method further comprises:
Comparing the second response time with the delay duration represented by the second delay indication and, if the second response time is determined to be an integer multiple of the delay duration represented by the second delay indication, determining that the similarity judgment can be performed; wherein the delay duration corresponding to the second delay indication is greater than the delay duration corresponding to the first delay indication.
Preferably, the method further comprises:
If the second response time is determined not to be an integer multiple of the delay duration represented by the second delay indication, judging that no time-based SQL injection vulnerability exists.
Preferably, calculating the similarity between the delay matrix and the response matrix comprises:
Calculating the similarity between the delay matrix and the response matrix using the following formula:
where t0 denotes the first delay indication, t1 denotes the second delay indication, r0 denotes the first response time recorded for the first SQL attack vector, and r1 denotes the second response time recorded for the second SQL attack vector.
A device for SQL injection vulnerability discovery, comprising:
A generation unit, configured to determine a target under test, and to generate a first SQL attack vector and a second SQL attack vector according to, respectively, a first delay indication and a second delay indication contained in a selected delay matrix;
A communication unit, configured to send the first SQL attack vector and the second SQL attack vector in sequence to the target under test and to record a response matrix, the response matrix recording a first response time corresponding to the first SQL attack vector and a second response time corresponding to the second SQL attack vector;
A judging unit, configured to calculate the similarity between the delay matrix and the response matrix and, when the similarity is determined to reach a threshold, to judge that a time-based SQL injection vulnerability exists.
In this way, whether a vulnerability exists can be judged from the similarity computed between the actual response times and the desired delay times in the attack vectors. For attack vectors that use a delay function, there is no need to repeatedly use long delay times, nor to consider whether the actual delay time matches the desired delay time; for attack vectors that repeatedly execute a feature expression, there is no need to consider how the time of a single execution differs between targets. Moreover, because response times measured at nearby moments are affected by the network in almost the same way, similar amplitudes of variation do not decisively influence the computed similarity between the desired delay times and the actual response times, so the accuracy of the vulnerability judgment is not affected. It can therefore be ensured that the program detects time-based SQL injection vulnerabilities quickly and accurately under different network conditions and different target environments, while at the same time effectively reducing the operating load that judging SQL injection vulnerabilities places on the Web application vulnerability scanning system.
Preferably, the first delay indication and the second delay indication selected by the generation unit either directly record the delay duration to be executed, or record an impact factor indicating the number of times a feature expression is repeatedly executed, thereby indicating the delay duration indirectly.
Preferably, when sending the first SQL attack vector and the second SQL attack vector in sequence to the target under test, the communication unit is configured to:
Generate a first attack request and a second attack request, respectively, based on the target link and the object to be tested that the target under test represents, and on the first SQL attack vector and the second SQL attack vector;
Send the first attack request and the second attack request to the target under test in sequence, wherein the second attack request is sent once the response to the first attack request has been received.
Preferably, after recording the response matrix and before calculating the similarity between the delay matrix and the response matrix, the judging unit is further configured to:
Preferably, the judging unit is further configured to:
If the second response time is determined not to be an integer multiple of the delay duration represented by the second delay indication, judge that no time-based SQL injection vulnerability exists.
Preferably, when calculating the similarity between the delay matrix and the response matrix, the judging unit is configured to:
Calculate the similarity between the delay matrix and the response matrix using the following formula:
where t0 denotes the first delay indication, t1 denotes the second delay indication, r0 denotes the first response time recorded for the first SQL attack vector, and r1 denotes the second response time recorded for the second SQL attack vector.
Brief Description of the Drawings
Fig. 1 is a schematic flow diagram of detecting a time-based SQL injection vulnerability in an embodiment of the present application;
Fig. 2 is a detailed flowchart of detecting a time-based SQL injection vulnerability in an embodiment of the present application;
Fig. 3 is a schematic diagram of the functional structure of the detection device in an embodiment of the present application.
Detailed Description
To solve the above problems, so that time-based SQL injection can be detected automatically, quickly and accurately by a program, the present invention proposes an environment-adaptive SQL time injection detection method. The method is: send two SQL attack vectors carrying delay indications in succession and record the corresponding response times; then calculate the similarity between the delay matrix formed from the two SQL attack vectors and the response matrix formed from the two response times; once the similarity is determined to reach a threshold, judge that a time-based SQL injection vulnerability exists.
The preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings.
In the embodiments of the present invention, an environment-adaptive SQL time injection detection method is designed to adapt to different network conditions and different target environments. As shown in Fig. 1, the steps are as follows:
Step 100: Determine a target under test, and generate a first SQL attack vector and a second SQL attack vector according to, respectively, a first delay indication and a second delay indication contained in a selected delay matrix.
Specifically, in the embodiments of the present application, web crawler technology may be used to obtain the target link to be tested and the parameter to be tested. The parameter to be tested may be a parameter in the target link to be tested, a parameter in the HTTP request headers, a parameter in the POST data of a POST-type HTTP request, and so on. To ensure that no SQL injection exists at any parameter to be tested, this embodiment tests each parameter to be tested; the target under test in step 100 therefore refers to one target link and one parameter to be tested.
Then a delay matrix is selected, denoted T = [t0, t1]^T, and the general attack vector for SQL time injection detection (i.e., the SQL attack vector), time_inj_F(T), is constructed. Specifically, the attack vector matrix is as follows:
time_inj_F(T) = [time_inj_F(t0), time_inj_F(t1)]^T
where time_inj_F() denotes the function selected for detecting SQL time injection and ti denotes a delay indication; for example, t0 denotes the first delay indication used by the first SQL attack vector and t1 denotes the second delay indication used by the second SQL attack vector. A delay indication may be realized in two ways:
The first realization is: the delay indication records the delay duration to be executed (the value of the delay duration is recorded directly);
The second realization is: the delay indication records an impact factor indicating the number of times a feature expression is repeatedly executed (the value of the delay duration is indicated indirectly).
Under the second realization, a specified feature expression is set inside the program. When an SQL attack is carried out, only the impact factor for the repetition count needs to be set (for example, 2); a multiplier coefficient for the impact factor can then be set inside the program to obtain the repetition count, for example 2 × 10000 = 20000 times. When the target server executes the database query statement, the database executes the specified feature expression that number of times, so that the target server's response is delayed.
Clearly, whichever realization is used, a delay indication represents a set delay duration (either directly or indirectly).
For example, when time_inj_F() is chosen to be a delay function such as sleep() or delay(), ti is the duration for which the database is expected to delay, in seconds; when it is chosen to be a function such as benchmark(), ti is the impact factor for the number of times the feature expression is expected to be repeatedly executed; i = 0, 1.
Normally t0 and t1 are different. Preferably, ti ∈ {1, 2}, in seconds, i.e., t0 = 1 second and t1 = 2 seconds.
Step 110: Send the first SQL attack vector and the second SQL attack vector in sequence to the target under test and record a response matrix, the response matrix recording a first response time corresponding to the first SQL attack vector and a second response time corresponding to the second SQL attack vector.
Preferably, when step 110 is executed, a first attack request and a second attack request may be generated, respectively, based on the target link and the object to be tested that the target under test represents, and on the first SQL attack vector and the second SQL attack vector. The first attack request and the second attack request are then sent to the target under test in sequence; optionally, the second attack request is sent once the response to the first attack request has been received.
Specifically, when step 110 is executed, the attack requests Q(T) containing the attack vectors time_inj_F(T) may be constructed from the current target link to be tested and the object to be tested. Specifically, the attack request matrix is as follows:
Q(T) = [Q(t0), Q(t1)]^T
where Q(ti) corresponds one-to-one with time_inj_F(ti), i = 0, 1; that is, Q(t0) is the attack request corresponding to time_inj_F(t0) and Q(t1) is the attack request corresponding to time_inj_F(t1). Specifically, when the attack requests Q(T) are sent, they are sent in the order i = 0, 1.
Further, the first response time and the second response time are recorded for the corresponding attack requests sent. Specifically, the response matrix is denoted R: R = [r0, r1]^T, which can also be written R = D(T) + ΔT, where r0 denotes the first response time recorded for the first SQL attack vector, r1 denotes the second response time recorded for the second SQL attack vector, and D(T) represents the time taken to execute the attack vector time_inj_F(T), D(T) = [D(t0), D(t1)]^T. ΔT consists of two parts, the response time of the original request and the fluctuation time caused by the environment, ΔT = [Δt0, Δt1]^T. Therefore, we obtain:
Step 120: Calculate the similarity between the above delay matrix and response matrix and, when the similarity is determined to reach a set threshold, judge that a time-based SQL injection vulnerability exists.
Preferably, before the similarity is calculated, the second response time may first be rounded, and it is checked whether the second response time is an integer multiple of the delay duration represented by the second delay indication. If so, it is determined that the subsequent similarity calculation is to be carried out; otherwise, it is judged that no time-based SQL injection vulnerability exists.
For example, r1 is rounded, denoted round(r1), and it is judged whether round(r1) is an integer multiple of t1. If so, the subsequent similarity calculation continues; otherwise, it is considered that no SQL time injection exists.
Specifically, the similarity between the delay matrix and the response matrix is denoted S. Preferably, S may be calculated as follows:
In this example, because the interval between sending the first SQL attack vector and the second SQL attack vector is very short, the two requests are affected by changes in the network environment in almost the same way within that short time. In other words, the fluctuations that normal environmental influence produces in the first response time and the second response time do not decisively affect the similarity calculation. ΔT therefore has very little effect on the computed similarity S, and we have:
On the other hand, once the response time really is affected by an abnormal environment and fluctuates, ΔT has a large effect on the computed similarity S, and S ≈ 1 no longer holds. Therefore, allowing for the fluctuations that the environment causes under normal circumstances, this embodiment preferably sets the similarity threshold for judging whether SQL time injection exists to 0.999; that is, if the similarity S > 0.999, an SQL injection vulnerability is considered to exist. Of course, the similarity formula and the corresponding threshold used in this embodiment are only examples; the formula, the threshold setting and the indicative feature values can be adjusted flexibly to suit different application environments, which is not described further here.
As shown in Fig. 2, the complete application flow of the above embodiment is as follows:
Step 200: Obtain the target link to be tested and the corresponding parameter to be tested.
In this embodiment, one parameter to be tested is taken as the example.
Step 201: Construct the general attack vectors for SQL time injection, time_inj_F(ti), i = 0, 1.
Step 202: Construct the requests Q(ti) containing the attack vectors, and denote the response time as ri.
Step 203: Send the requests Q(ti) in the order i = 0, 1, and denote the response time as ri.
Step 204: Round the response time r1, denoted round(r1).
Step 205: Judge whether round(r1) is an integer multiple of t1. If so, execute step 207; otherwise, execute step 206.
Step 206: Judge that no SQL time injection exists, i.e., no time-based SQL injection vulnerability exists; the flow ends.
Step 207: Calculate the similarity S between [t0, t1]^T and [r0, r1]^T.
Step 208: Judge whether the value of S is greater than 0.999. If so, execute step 209; otherwise, execute step 206.
Step 209: Judge that SQL time injection exists, i.e., a time-based SQL injection vulnerability exists; the flow ends.
It follows that, in the embodiments of the present invention, two SQL attack vectors carrying different delay indications are sent in succession within a short time, and the delay indications they carry can be regarded as the desired delay times. The response times of the two sends are then recorded, and the similarity between the delay matrix formed from the two SQL attack vectors and the response matrix formed from the two response times is calculated. Because fluctuations in the network environment affect the responses to the two requests in essentially the same way within a short time, if the desired delay times are similar to the actual response times, the target link has SQL time injection, because the target server executed the delay indications and delayed for the corresponding durations.
This embodiment is applicable under different network conditions and different target environments; whichever function the attack vector contains, such as sleep(), delay() or benchmark(), time-based SQL injection vulnerabilities can be detected quickly and accurately.
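The decision stage of steps 204 to 209, as an added example that is not code from the patent. The similarity formula is missing from this page, so cosine similarity between the two matrices is assumed; the function names, the rejection of a zero multiple in step 205 and the sample timings are likewise assumptions constructed for illustration.

```python
import math

THRESHOLD = 0.999  # similarity threshold stated in the description


def cosine_similarity(t, r):
    """ASSUMED metric: cosine of the angle between the delay matrix t and
    the response matrix r (the page's own formula did not survive)."""
    dot = sum(a * b for a, b in zip(t, r))
    norm = math.hypot(*t) * math.hypot(*r)
    return dot / norm if norm else 0.0


def is_integer_multiple(r1, t1):
    """Step 205: is round(r1) an integer multiple of t1?

    round(r1) == 0 is rejected. That guard is an addition: the page does not
    say how a zero result is treated, and 0 % t1 == 0 would let it through.
    """
    rounded = round(r1)
    return rounded >= t1 and rounded % t1 == 0


def judge(t, r, threshold=THRESHOLD):
    """Return (vulnerable, similarity) for delay matrix t and response matrix r.

    similarity is None when the flow stops at step 206 before step 207.
    """
    t0, t1 = t
    _r0, r1 = r
    # The description requires the second delay to be longer than the first.
    if not (isinstance(t0, int) and isinstance(t1, int) and 0 < t0 < t1):
        raise ValueError("expected integer delays in seconds with 0 < t0 < t1")
    if not is_integer_multiple(r1, t1):      # steps 204-206
        return False, None
    s = cosine_similarity(t, r)              # step 207
    return s > threshold, s                  # steps 208-209


# Constructed response times in seconds for T = [1, 2]; not measured data.
SAMPLES = {
    "delay executed once": (1.08, 2.11),
    "delay executed twice per probe": (2.10, 4.10),
    "fast response, no delay": (0.09, 0.12),
    "jitter proportional to T, no delay": (0.21, 0.42),
    "uniformly slow server, no delay": (2.05, 2.10),
    # Under the assumed metric a constant 0.3 s baseline already scores
    # below 0.999 even though both delays ran.
    "delay executed, 0.3 s baseline": (1.30, 2.30),
}

if __name__ == "__main__":
    T = (1, 2)
    for label, R in SAMPLES.items():
        vulnerable, s = judge(T, R)
        shown = "n/a" if s is None else f"{s:.6f}"
        print(f"{label:36s} R={R} S={shown} vulnerable={vulnerable}")
```

The proportional-jitter sample has a similarity of 1.0 and is rejected only by the multiple check, so that check has to run before the similarity test and must not accept zero.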
As shown in Fig. 3, in the embodiments of the present invention the detection device comprises a generation unit 30, a communication unit 31 and a judging unit 32, wherein:
The generation unit 30 is configured to determine a target under test, and to generate a first SQL attack vector and a second SQL attack vector according to, respectively, a first delay indication and a second delay indication contained in a selected delay matrix.
The communication unit 31 is configured to send the first SQL attack vector and the second SQL attack vector in sequence to the target under test and to record a response matrix, the response matrix recording a first response time corresponding to the first SQL attack vector and a second response time corresponding to the second SQL attack vector;
The judging unit 32 is configured to calculate the similarity between the delay matrix and the response matrix and, when the similarity is determined to reach a set threshold, to judge that a time-based SQL injection vulnerability exists.
Preferably, the first delay indication and the second delay indication selected by the generation unit 30 either directly record the delay duration to be executed, or record an impact factor indicating the number of times a feature expression is repeatedly executed, thereby indicating the delay duration indirectly.
Preferably, when sending the first SQL attack vector and the second SQL attack vector in sequence to the target under test, the communication unit 31 is configured to:
Generate a first attack request and a second attack request, respectively, based on the target link and the object to be tested that the target under test represents, and on the first SQL attack vector and the second SQL attack vector;
Send the first attack request and the second attack request to the target under test in sequence, wherein the second attack request is sent once the response to the first attack request has been received.
Preferably, after recording the response matrix and before calculating the similarity between the delay matrix and the response matrix, the judging unit 32 is further configured to:
Compare the second response time with the delay duration represented by the second delay indication and, if the second response time is determined to be an integer multiple of the delay duration represented by the second delay indication, determine that the similarity judgment can be performed; wherein the delay duration corresponding to the second delay indication is greater than the delay duration corresponding to the first delay indication.
Preferably, the judging unit 32 is further configured to:
If the second response time is determined not to be an integer multiple of the delay duration represented by the second delay indication, judge that no time-based SQL injection vulnerability exists.
Preferably, when calculating the similarity between the delay matrix and the response matrix, the judging unit 32 is configured to:
Calculate the similarity between the delay matrix and the response matrix using the following formula:
where t0 denotes the first delay indication, t1 denotes the second delay indication, r0 denotes the first response time recorded for the first SQL attack vector, and r1 denotes the second response time recorded for the second SQL attack vector.
In conclusion in the embodiment of the present invention, no longer go to estimate the response in the presence of assuming loophole by a large amount of data Time interval, but carried out according to the calculated similarity of desired delay time institute in actual response time and vector of attack The judgement of loophole presence or absence.For using the vector of attack of delay function, longer delay time need not be reused, also not It needs to consider whether actual delay time is consistent with desired delay time;Attacking for feature expression is repeated for using The amount of hitting to, the time difference executed without the concern for different target single.Moreover, because the response time is subject within the close moment Network influence is almost the same, when calculating desired delay time and the similarity of actual response time, similar variation width Degree will not cause conclusive influence to the result of calculation of similarity, so not interfering with the accuracy that loophole has judgement.Cause This, it is ensured that under different network conditions and different target environments, when program can fast and accurately detect to be based on Between SQL injection loophole, meanwhile, also effectively reduce the fortune brought to Web application vulnerability scanning systems of judgement SQL injection loophole Row load.
In addition, the scheme provided by the embodiments of the present invention has the following advantages:
1) No large volume of data has to be collected to assess current network conditions, which simplifies the operating steps.
2) No large volume of requests has to be sent to collect data, so under high concurrency the target server site is not put under heavy pressure and excessive resource consumption is avoided.
3) No valid response-time interval has to be designed, which avoids misjudgements or missed judgements caused by an unreasonably set response-time interval.
4) The delay function does not have to be used multiple times for the judgement, which greatly reduces the overall time taken by the judgement flow.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system), and computer program product according to the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means, the instruction means implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they learn of the basic inventive concept. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various modifications and variations to the embodiments of the present invention without departing from the spirit and scope of the embodiments. If these modifications and variations fall within the scope of the claims of the present invention and their technical equivalents, the present invention is also intended to include them.

Claims (6)

1. A method for detecting an SQL injection vulnerability, characterized in that the method comprises the following steps:
(1) determining a target under test, and generating a first SQL attack vector and a second SQL attack vector according to, respectively, a first delay indication and a second delay indication contained in a selected delay matrix;
(2) for the target under test, sending the first SQL attack vector and the second SQL attack vector in turn, and recording a response matrix, the response matrix recording a first response time corresponding to the first SQL attack vector and a second response time corresponding to the second SQL attack vector;
(3) computing the similarity of the delay matrix and the response matrix, and judging that a time-based SQL injection vulnerability exists when the similarity is determined to reach a set threshold.
2. The method of claim 1, characterized in that the first delay indication and the second delay indication either directly record the delay duration to be executed, or record an impact factor indicating how a feature expression is repeated, so as to indicate the delay duration indirectly.
3. The method of claim 1, characterized in that sending the first SQL attack vector and the second SQL attack vector in turn for the target under test comprises:
generating a first attack request and a second attack request, respectively, based on the target link and the object to be detected represented by the target under test, and on the first SQL attack vector and the second SQL attack vector;
sending the first attack request and the second attack request to the target under test in turn, wherein the second attack request is sent only after the response to the first attack request is received.
4. The method of claim 1, 2 or 3, characterized in that, after recording the response matrix and before computing the similarity of the delay matrix and the response matrix, the method further comprises:
comparing the second response time with the delay duration represented by the second delay indication, and, if the second response time is determined to be an integer multiple of the delay duration represented by the second delay indication, judging that the similarity judgement can be carried out; wherein the delay duration corresponding to the second delay indication is greater than the delay duration corresponding to the first delay indication.
5. The method of claim 4, characterized in that the method further comprises: if the second response time is determined not to be an integer multiple of the delay duration represented by the second delay indication, judging that no time-based SQL injection vulnerability exists.
6. The method of claim 1, 2 or 3, characterized in that computing the similarity of the delay matrix and the response matrix comprises: computing the similarity of the delay matrix and the response matrix using the following formula:
where t0 denotes the first delay indication, t1 denotes the second delay indication, r0 denotes the first response time recorded for the first SQL attack vector, and r1 denotes the second response time recorded for the second SQL attack vector.
CN201810340129.5A 2018-04-16 2018-04-16 One kind is towards SQL injection bug excavation method and device Pending CN108616527A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810340129.5A CN108616527A (en) 2018-04-16 2018-04-16 One kind is towards SQL injection bug excavation method and device

Publications (1)

Publication Number Publication Date
CN108616527A true CN108616527A (en) 2018-10-02

Family

ID=63660365

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105072095A (en) * 2015-07-20 2015-11-18 北京神州绿盟信息安全科技股份有限公司 Method of detecting SQL (Structured Query Language) injection vulnerability and device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109657472A (en) * 2018-10-11 2019-04-19 平安科技(深圳)有限公司 SQL injection leak detection method, device, equipment and readable storage medium storing program for executing
CN109657472B (en) * 2018-10-11 2023-09-22 平安科技(深圳)有限公司 SQL injection vulnerability detection method, device, equipment and readable storage medium
CN111258892A (en) * 2020-01-12 2020-06-09 大连理工大学 SQL injection test case generation method based on combined variation
CN111258892B (en) * 2020-01-12 2022-11-18 大连理工大学 SQL injection test case generation method based on combined variation

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20181002