CN110647749A - Second-order SQL injection attack defense method - Google Patents
Second-order SQL injection attack defense method
- Publication number: CN110647749A (application number CN201910890209.2A)
- Authority: CN (China)
- Prior art keywords: sql, data set, keyword, statement, web server
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING; G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/55—Detecting local intrusion or implementing counter-measures; G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements; G06F21/562—Static detection; G06F21/563—Static detection by source code analysis
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING; G06F16/00—Information retrieval; Database structures therefor; File system structures therefor; G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data; G06F16/24—Querying; G06F16/245—Query processing; G06F16/2452—Query translation
Abstract
The invention discloses a method for defending against second-order SQL injection attacks which analyzes SQL statements from the two aspects of storage and triggering and defends against them on both. On the one hand, the invention greatly reduces the storage of attack payloads in the database; on the other hand, the data in the database is not trusted excessively, and it is verified before it is taken out of the database and stored in memory. This blocks the triggering of SQL injection attacks, effectively defends against SQL injection attack behaviour, and greatly improves the security protection of the Web server and its background database.
Description
The technical field is as follows:
The invention belongs to the technical field of information, and particularly relates to a second-order SQL injection attack defense method.
Background art:
With the advent of the Web 2.0 era, database-backed Web applications are increasingly used in the business systems of all kinds of enterprises. However, if the developer lacks the corresponding security awareness, the application may present a great number of security risks. Many factors affect the security of Web applications, and SQL injection attacks are the most common and most easily carried out among them. In an SQL injection attack, the attacker inserts SQL commands into the query string of a domain-name input or a page request submitted through a Web form, so as to deceive the database into executing an instruction that contains the attacker's SQL.
Patent application No. CN201610972899.2 discloses an SQL injection attack defense system and method based on syntax transformation analysis. First, a transformation rule for the SQL statements of the website program is constructed, and the SQL statements in the website program on the Web server are transformed according to that rule; then the SQL access statements sent by the Web server to the database are intercepted and analyzed. If an SQL access statement contains an SQL keyword, it is judged to be an injection attack statement and intercepted; otherwise it is restored according to the transformation rule of the website program's SQL statements and sent to the database, and the transformation rule is dynamically updated.
Patent application No. CN201710507364.2 discloses an SQL injection attack defense component and method. Here, the SQL statements output by the application server are first copied to generate at least two identical SQL statements, which are spliced as sub-statements into one combined SQL statement, and all keywords in the combined statement are given pre-generated labels; the parameters input by the user are then spliced into the SQL statement processed by the SQL statement preprocessing module; finally, it is detected whether the label of each sub-statement in the spliced SQL statement is consistent with the label added by the SQL statement preprocessing module. If so, any one sub-statement is selected, all labels in it are removed and it is returned to the application server; otherwise, an instruction error message is returned.
The traditional SQL injection attack defense model mainly defends by filtering user input and by comparing the grammatical analysis of the SQL statement before and after splicing. These methods work well against first-order SQL injection, but have some deficiencies in defending against and detecting the more complex second-order SQL injection. Second-order SQL injection differs from first-order SQL injection in the source of the attack payload: in first-order injection the attack payload comes from the user's input data, while in second-order injection it comes from data in the database. The root cause of second-order SQL injection attacks is that Web applications over-trust the security of data coming from the database.
From an analysis of the SQL injection attack process, the second-order SQL injection process can be divided into two parts: first, a storage process, in which the crafted attack payload is stored in the database through a normal Web application function; second, a trigger process, in which the attack payload previously stored in the database is retrieved through a legitimate application operation and the resulting vulnerable SQL statement is sent to the database server again for execution, forming the SQL injection attack. The damage caused by second-order SQL injection is the same as that of the equivalent first-order SQL injection: information leakage, data loss and tampering, and even system control. However, second-order SQL injection is more complex, better concealed and harder to detect.
The content of the invention is as follows:
The invention discloses a method for defending against second-order SQL injection attacks which, on the one hand, greatly reduces the storage of attack payloads in the database and, on the other hand, does not trust the data in the database excessively but verifies it before it is taken out of the database and stored in memory. This blocks the triggering of SQL injection attacks, effectively defends against SQL injection attacks and greatly improves the security protection of the Web server and its background database.
In order to achieve the purpose, the invention provides the following technical scheme:
A method for defending against second-order SQL injection attacks comprises the following steps:
step one, scanning a web source program, screening out SQL statements of the INSERT type and the UPDATE type, and performing SQL keyword conversion processing, in which an additional labelling character string is appended to every standard SQL keyword in the INSERT-type and UPDATE-type SQL statements;
step two, intercepting the SQL statements sent by the WEB server to the database server and screening them: if an SQL statement is of the INSERT type or the UPDATE type, executing step three; if it is of the SELECT type, executing step four; otherwise, sending the SQL statement directly to the database server for processing and sending the response data set directly to the WEB server;
step three, detecting whether the SQL statement contains a standard SQL keyword; if not, restoring the SQL keywords that underwent conversion processing and sending the restored SQL statement to the database server; if the SQL statement does contain a standard SQL keyword, judging it to be an injection attack statement, intercepting it and returning a message to the WEB server;
step four, adding a fixed ID number to the SELECT-type SQL statement;
step five, acquiring from the database server the data set corresponding to the response ID number and judging whether it contains special characters; if so, performing escape processing on the special characters and sending the newly generated data set to the WEB server; otherwise, sending the data set directly to the WEB server.
In a further improvement, the SQL keyword transformation processing of step one is performed as follows:
(1-1) randomly generating an integer R, and XOR-encrypting it with the shared secret key K to obtain R';
(1-2) scanning the web source program and screening out the SQL statements of the INSERT type and the UPDATE type;
(1-3) for the screened SQL statements, locating each standard SQL keyword M by means of a regular expression, converting it into a character string of the form M + R', where "+" denotes string concatenation, and dynamically constructing a new SQL statement from the converted character strings.
In a further improvement, step three includes the following steps:
(3-1) judging whether the SQL statement contains a character string with the same form as a standard SQL keyword; if not, executing step (3-2); if it does contain such a character string, determining whether that string is a standard SQL keyword; if it is, judging that an SQL injection attack is in progress, intercepting the statement and returning an error message to the WEB server, and otherwise executing step (3-2);
(3-2) locating the transformed standard SQL keywords, removing R' from them, restoring the SQL statement, and sending the restored SQL statement to the database server.
In a further improvement, step five comprises the following steps:
(5-1) acquiring from the database server the data set corresponding to the response ID number;
(5-2) detecting whether the data set contains special characters; if so, adding a backslash (\) before each special character as escape processing, generating a new data set and returning it to the WEB server; otherwise, returning the data set to the WEB server unchanged.
In a further improvement, the special characters include characters that can change the syntax and semantics of the SQL statement.
In a further refinement, the special characters include '?', ',' and the apostrophe (').
The invention has the following advantages:
1. By analyzing a large number of SQL injection attack examples, the invention concludes that the SQL statement types which can cause an attack payload to be stored in the database are the INSERT type and the UPDATE type. The WEB source program is scanned, and only these two types of SQL statements are located and have their SQL keywords transformed. Compared with the prior art, in which the SQL keywords of all SQL statements in the WEB source program are transformed, the operating efficiency is improved to a certain extent.
2. The traditional SQL injection attack defense model mainly defends by filtering user input and by comparing the grammatical analysis of the SQL statement before and after splicing, and trusts the security of database data excessively. The invention does not trust the data in the database excessively: it judges whether the data in the database contains special characters that can cause a second-order SQL injection attack and processes those special characters, so that the injection attack is disabled.
3. The invention can realize second-order SQL injection attack defense simply by deploying and configuring a proxy server between the WEB server and the database server, modifying the corresponding configuration and adding the processing method of the invention; it is convenient to deploy, simple to operate and has good application prospects.
Description of the drawings:
FIG. 1 is a schematic flow chart of a method for defending against second-order SQL injection attacks according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a second-order SQL injection attack defense method according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating an example of the operation of the SQL keyword transformation process of FIG. 2;
FIG. 4 is a schematic diagram of an example of a portion of the operation of FIG. 2 when a user registers and inputs an attack payload containing an SQL keyword;
FIG. 5 is a schematic diagram of a part of the working process of FIG. 2 when a user registers and inputs an attack payload that contains no SQL keyword.
The specific implementation is as follows:
In order to make the technical problems to be solved, the technical solutions and the advantages of the present invention clearer, the following detailed description is given with reference to the accompanying drawings and specific embodiments.
Example 1
An attacker registers on a website and enters the user name test' or 1=1;-- and the password 123. The corresponding static SQL statement in the WEB source program is INSERT INTO User(userName, password) VALUES('?', '?'). The randomly generated number R and the shared key K are XORed to obtain R' = 6573, so after SQL keyword transformation the static statement becomes INSERT6573 INTO6573 User(userName, password) VALUES6573('?', '?'). The WEB server splices the static SQL statement part with the user's dynamic input, giving INSERT6573 INTO6573 User(userName, password) VALUES6573('test' or 1=1;--', '123'). The proxy server intercepts this INSERT statement and, in step three, finds that it contains the character string or, which has the same form as a standard SQL keyword and carries no R' suffix, and determines that it is indeed a standard SQL keyword. The statement is therefore judged to be an injection attack statement, it is intercepted, and an error message is returned to the WEB server, so the attack payload is never stored in the database.
Example 2
An attacker registers on a website and enters the user name admin';-- and the password 123. The corresponding static SQL statement in the WEB source program is INSERT INTO User(userName, password) VALUES('?', '?'). The randomly generated number R and the shared key K are XORed to obtain R' = 6573, and after SQL keyword transformation the static statement becomes INSERT6573 INTO6573 User(userName, password) VALUES6573('?', '?'). The WEB server splices the static SQL statement part with the user's dynamic input, giving INSERT6573 INTO6573 User(userName, password) VALUES6573('admin';--', '123'). The proxy server intercepts the statement; its keyword interception module finds no standard SQL keyword in it, so it removes the character string 6573 from the transformed keywords, restores the statement to INSERT INTO User(userName, password) VALUES('admin';--', '123') and sends it to the database server, where the attack payload admin';-- is stored. The attacker then logs in and uses the password modification function. The corresponding WEB source program first verifies the user with the following statements:

```php
<?php
// Login check on the WEB server: the user name and old password come straight
// from the form and are escaped, so this first-order query is safe on its own.
$userName    = mysql_escape_string($_POST["userName"]);
$oldPassword = mysql_escape_string($_POST["oldPassword"]);
$newPassword = mysql_escape_string($_POST["newPassword"]);
$Sql = "SELECT * FROM User WHERE userName='$userName' AND password='$oldPassword'";
```

With the proxy server processing of the scheme of the invention, the response data set of the database server contains special characters, so the response data set is escaped: the attack payload admin';-- becomes admin\';\-\- before it is returned to the WEB server and stored in memory. Next, the WEB server takes the user name from memory with $userName=$_SESSION["userName"]; and dynamically constructs the SQL statement UPDATE User SET password='$newPassword' WHERE userName='admin\';\-\-'. After the database processes this statement, the result is that the password of the user named admin';-- is modified, not the password of the user admin that the attacker intended, so the second-order SQL injection attack is effectively defended against.
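As an added illustration, not code from the patent, the following Python models the proxy server's keyword transformation, screening and restoration, and result-set escaping from steps one to five, and runs the two registration examples above through it. The shared key K, the random integer R, the keyword list and the special characters other than the apostrophe and the hyphen are assumptions.

```python
import re

# Constructed parameters for this example (not values from the patent).
SHARED_KEY_K = 4660      # shared secret key K known to the proxy
RANDOM_R = 2969          # the randomly generated integer R, fixed so the run repeats
# Subset of standard SQL keywords the proxy looks for (assumed list).
SQL_KEYWORDS = ("INSERT", "INTO", "VALUES", "UPDATE", "SET", "SELECT", "FROM",
                "WHERE", "AND", "OR", "UNION", "DELETE", "DROP")
# Characters that can change the syntax or semantics of a statement. The patent
# names the apostrophe; the hyphen follows its worked example; '"' is assumed.
SPECIAL_CHARS = frozenset("'-\"")
# A keyword with nothing glued to it; the tagged form M+R' (e.g. INSERT6573) does not match.
BARE_KEYWORD = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)

STATIC_INSERT = "INSERT INTO User(userName, password) VALUES('?', '?')"


def derive_tag(k, r):
    """Step (1-1): XOR the random integer R with the shared key K to obtain R'."""
    return str(k ^ r)


def transform_static_sql(static_sql, tag):
    """Step (1-3): rewrite each standard keyword M of a static INSERT/UPDATE
    statement in the web source as M+R' at scan time, before any user input."""
    return BARE_KEYWORD.sub(lambda m: m.group(1) + tag, static_sql)


def restore_sql(sql, tag):
    """Step (3-2): strip R' from the tagged keywords before forwarding."""
    tagged = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + ")" + re.escape(tag)
                        + r"\b", re.IGNORECASE)
    return tagged.sub(lambda m: m.group(1), sql)


def escape_value(value):
    """Step (5-2): put a backslash before each special character."""
    return "".join("\\" + ch if ch in SPECIAL_CHARS else ch for ch in value)


def proxy_outbound(sql, tag):
    """Steps two and three: screen a statement the WEB server sends to the
    database. Returns (decision, payload) with decision in
    {'blocked', 'forward', 'select'}."""
    first = sql.lstrip().split(None, 1)[0].upper()
    if first.startswith(("INSERT", "UPDATE")):
        # Only the static part was tagged, so a bare keyword came from user input.
        hit = BARE_KEYWORD.search(sql)
        if hit:
            return "blocked", "injection attack statement: keyword %r" % hit.group(1)
        return "forward", restore_sql(sql, tag)
    if first.startswith("SELECT"):
        return "select", sql   # step four: tracked by an ID so its answer gets escaped
    return "forward", sql


def proxy_inbound(rows):
    """Step five: escape the SELECT result set before the WEB server keeps it
    in memory (e.g. in the session) and reuses it in later statements."""
    return [tuple(escape_value(v) if isinstance(v, str) else v for v in row)
            for row in rows]


def splice(static_sql, *params):
    """The WEB server's own string concatenation: each '?' is replaced by raw input."""
    for p in params:
        static_sql = static_sql.replace("?", p, 1)
    return static_sql


def example_1():
    """Example 1: the payload contains the SQL keyword 'or' and is blocked at storage."""
    tag = derive_tag(SHARED_KEY_K, RANDOM_R)                       # '6573'
    spliced = splice(transform_static_sql(STATIC_INSERT, tag), "test' or 1=1;--", "123")
    return proxy_outbound(spliced, tag)


def example_2():
    """Example 2: no keyword, so the payload is stored; it is neutralised when
    the login SELECT returns it and the password-change UPDATE reuses it."""
    tag = derive_tag(SHARED_KEY_K, RANDOM_R)
    spliced = splice(transform_static_sql(STATIC_INSERT, tag), "admin';--", "123")
    decision, forwarded = proxy_outbound(spliced, tag)
    rows = proxy_inbound([("admin';--", "123")])   # constructed DB answer to the login SELECT
    session_user = rows[0][0]                      # what $_SESSION["userName"] now holds
    update = "UPDATE User SET password='new' WHERE userName='%s'" % session_user
    return decision, forwarded, session_user, update


if __name__ == "__main__":
    print(example_1())
    print(example_2())
```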
In conclusion, by deploying and configuring a proxy server that implements this SQL injection attack defense method between the WEB server and the database server, the storage of attack payloads in the database is reduced and, at the same time, the data coming from the database server is verified, so that second-order SQL injection attacks are effectively defended against and the security of the system is improved.
The foregoing is merely a specific example of the present invention; modifications and substitutions made without departing from the spirit and scope of the invention fall within the scope of the invention.
Claims (6)
1. A method for defending against second-order SQL injection attacks, characterized by comprising the following steps:
step one, scanning a web source program, screening out SQL statements of the INSERT type and the UPDATE type, and performing SQL keyword conversion processing, in which an additional labelling character string is appended to every standard SQL keyword in the INSERT-type and UPDATE-type SQL statements;
step two, intercepting the SQL statements sent by the WEB server to the database server and screening them: if an SQL statement is of the INSERT type or the UPDATE type, executing step three; if it is of the SELECT type, executing step four; otherwise, sending the SQL statement directly to the database server for processing and sending the response data set directly to the WEB server;
step three, detecting whether the SQL statement contains a standard SQL keyword; if not, restoring the SQL keywords that underwent conversion processing and sending the restored SQL statement to the database server; if the SQL statement does contain a standard SQL keyword, judging it to be an injection attack statement, intercepting it and returning a message to the WEB server;
step four, adding a fixed ID number to the SELECT-type SQL statement;
step five, acquiring from the database server the data set corresponding to the response ID number and judging whether it contains special characters; if so, performing escape processing on the special characters and sending the newly generated data set to the WEB server; otherwise, sending the data set directly to the WEB server.
2. The method for second-order SQL injection attack defense according to claim 1, wherein in step one the SQL keyword transformation processing is performed as follows:
(1-1) randomly generating an integer R, and XOR-encrypting it with the shared secret key K to obtain R';
(1-2) scanning the web source program and screening out the SQL statements of the INSERT type and the UPDATE type;
(1-3) for the screened SQL statements, locating each standard SQL keyword M by means of a regular expression, converting it into a character string of the form M + R', where '+' denotes string concatenation, and dynamically constructing a new SQL statement from the converted character strings.
3. The method for second-order SQL injection attack defense according to claim 1, wherein step three comprises the following steps:
(3-1) judging whether the SQL statement contains a character string with the same form as a standard SQL keyword; if not, executing step (3-2); if it does contain such a character string, determining whether that string is a standard SQL keyword; if it is, judging that an SQL injection attack is in progress, intercepting the statement and returning an error message to the WEB server, and otherwise executing step (3-2);
(3-2) locating the transformed standard SQL keywords, removing R' from them, restoring the SQL statement, and sending the restored SQL statement to the database server.
4. The method for second-order SQL injection attack defense according to claim 1, wherein step five comprises the following steps:
(5-1) acquiring from the database server the data set corresponding to the response ID number;
(5-2) detecting whether the data set contains special characters; if so, adding a backslash (\) before each special character as escape processing, generating a new data set and returning it to the WEB server; otherwise, returning the data set to the WEB server unchanged.
5. The method for second-order SQL injection attack defense according to claim 1, wherein the special characters include characters that can cause the syntax and semantics of the SQL statement to change.
6. The method for second-order SQL injection attack defense according to claim 1, wherein the special characters include '?', ',' and the apostrophe (').
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910890209.2A CN110647749A (en) | 2019-09-20 | 2019-09-20 | Second-order SQL injection attack defense method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110647749A true CN110647749A (en) | 2020-01-03 |
Family
ID=69010869
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110647749A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111832023A (en) * | 2020-07-10 | 2020-10-27 | 厦门靠谱云股份有限公司 | SQL injection detection method and device based on C/S architecture |
CN113139180B (en) * | 2020-01-20 | 2023-12-01 | 中国电信股份有限公司 | Injection attack detection model generation device, injection attack detection device and method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106156623A (en) * | 2016-07-29 | 2016-11-23 | 江西师范大学 | Intent-based SQLIA defense method |
CN106355094A (en) * | 2016-07-08 | 2017-01-25 | 耿童童 | SQL (structured query language) injection attack defense system and defense method based on grammar transformation |
CN107644175A (en) * | 2017-09-13 | 2018-01-30 | 南京南瑞集团公司 | A method for preventing SQL injection |
- 2019-09-20 CN CN201910890209.2A patent/CN110647749A/en active Pending
Non-Patent Citations (2)
Title |
---|
Wang Jie et al.: "Research on second-order SQL injection defense technology", Electronic Design Engineering * |
Chen Long et al.: "A second-order SQL injection attack defense method", Computer Knowledge and Technology * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200103 |