CN110647749A - Second-order SQL injection attack defense method - Google Patents


Info

Publication number: CN110647749A
Authority: CN (China)
Prior art keywords: sql, data set, keyword, statement, web server
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201910890209.2A
Other languages: Chinese (zh)
Inventors: 刘敏, 曾华光
Current assignee: Hunan University (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Hunan University
Priority date: 2019-09-20 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2019-09-20
Publication date: 2020-01-03
Application filed by Hunan University; priority to CN201910890209.2A; publication of CN110647749A; legal status pending

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24Querying
    • G06F16/245Query processing
    • G06F16/2452Query translation

Abstract

The invention discloses a method for defending against second-order SQL injection attacks. It analyzes SQL statements from two aspects, storage and triggering, and defends at both points. On the one hand, it greatly reduces the chance that an attack payload is stored in the database; on the other hand, it does not blindly trust the data held in the database, but verifies that data before it is retrieved and kept in memory. This blocks the triggering of the SQL injection attack, effectively defends against SQL injection attack behaviour, and greatly strengthens the security protection of the Web server and its backend database.

Description

Second-order SQL injection attack defense method
The technical field is as follows:
The invention belongs to the technical field of information technology and particularly relates to a second-order SQL injection attack defense method.
Background art:
With the arrival of the WEB 2.0 era, database-backed WEB applications are used more and more widely in the business systems of all kinds of enterprises. If developers lack the corresponding security awareness, however, the application may carry a great many security risks. Many factors affect the security of web applications; among them, SQL injection attacks are the most common and the easiest to carry out. An SQL injection attack means that an attacker inserts SQL commands into the query string of an input field or page request submitted through a Web form, so as to trick the database into executing an instruction that contains the attacker's SQL.
Patent application No. CN201610972899.2 discloses an SQL injection attack defense system and method based on syntax transformation analysis. First, a transformation rule for the SQL statements of the website program is constructed, and the SQL statements in the website program on the Web server are transformed according to that rule. Then the SQL access statements sent by the Web server to the database are intercepted and analyzed: if an access statement contains an SQL keyword, it is judged to be an injection attack statement and intercepted; otherwise it is restored according to the transformation rule of the website program and sent to the database, and the transformation rule is updated dynamically.
Patent application No. CN201710507364.2 discloses an SQL injection attack defense component and method. There, the SQL statement output by the application server is first copied to produce at least two identical SQL statements, which are spliced as sub-statements into one combined SQL statement, and every keyword in the combined statement is given a pre-generated label. The parameters entered by the user are then spliced into the SQL statement processed by the SQL statement preprocessing module. The component checks whether the label of each sub-statement in the spliced statement is consistent with the label added by the preprocessing module; if so, any one sub-statement is selected, all labels are removed from it, and it is returned to the application server; otherwise an instruction error message is returned.
Traditional SQL injection attack defense models mainly work by filtering user input and by comparing the syntactic analysis of an SQL statement before and after splicing. These methods work well against first-order SQL injection, but have weaknesses in defending against and detecting the more complex second-order SQL injection. Second-order SQL injection differs from first-order injection in where the attack payload comes from: in first-order injection the payload comes from the user's input data, whereas in second-order injection it comes from data already in the database. Web applications that over-trust the safety of data coming from the database are the root cause of second-order SQL injection attacks.
Analysis of the SQL injection attack process shows that a second-order SQL injection can be divided into two parts: first, a storage phase, in which the crafted attack payload is stored in the database through a normal function of the Web application; second, a triggering phase, in which the attack payload previously stored in the database is retrieved through a legitimate application operation and the resulting flawed SQL statement is sent to the database server again for execution, which completes the SQL injection attack. The damage caused by a second-order SQL injection is the same as that of the equivalent first-order injection: information leakage, data loss and tampering, and even control of the system. Second-order SQL injection, however, is more complex, better concealed and harder to detect.
The content of the invention is as follows:
The invention discloses a method for defending against second-order SQL injection attacks. On the one hand it greatly reduces the storage of attack payloads in the database; on the other hand it does not blindly trust the data in the database, but verifies that data before it is retrieved from the database and kept in memory. This blocks the triggering of SQL injection attacks, effectively defends against them, and greatly strengthens the security protection of the Web server and its backend database.
In order to achieve this purpose, the invention provides the following technical scheme:
A method for defending against second-order SQL injection attacks comprises the following steps:
step one, scanning the web source program, selecting the SQL statements of INSERT type and UPDATE type, and performing SQL keyword transformation processing, which appends a label string to every standard SQL keyword in those INSERT-type and UPDATE-type SQL statements;
step two, intercepting the SQL statements sent by the WEB server to the database server and classifying them: if the SQL statement is of INSERT or UPDATE type, executing step three; if it is of SELECT type, executing step four; otherwise sending the SQL statement directly to the database server for processing and returning the response data set directly to the WEB server;
step three, detecting whether the SQL statement contains a standard SQL keyword; if not, restoring the transformed SQL keywords and finally sending the restored SQL statement to the database server; if the SQL statement does contain a standard SQL keyword, judging it to be an injection attack statement, intercepting it and returning a message to the WEB server;
step four, adding a fixed ID number to the SQL statement of SELECT type;
step five, obtaining from the database server the data set corresponding to that ID number and judging whether the data set contains special characters; if so, escaping the special characters and sending the newly generated data set to the WEB server; otherwise sending the data set directly to the WEB server.
In a further improvement, in step one, the SQL keyword transformation processing is performed as follows:
(1-1) randomly generating an integer R, then XOR-encrypting R with the shared secret key K to obtain R';
(1-2) scanning the web source program and selecting the SQL statements of INSERT type and UPDATE type;
(1-3) for the selected SQL statements, locating each standard SQL keyword M in the statement by regular expression, converting it into a character string of the form M + R', where "+" denotes string concatenation, and dynamically constructing the new SQL statement from the converted strings.
In a further improvement, step three comprises the following steps:
(3-1) judging whether the SQL statement contains a character string of the same form as a standard SQL keyword; if not, executing step (3-2); if such strings are present, determining whether they are standard SQL keywords: if they are, judging that an SQL injection attack is taking place, intercepting the statement and returning error information to the WEB server, otherwise executing step (3-2);
(3-2) locating the transformed standard SQL keywords, removing R' to restore the SQL statement, and sending the restored SQL statement to the database server.
In a further improvement, step five comprises the following steps:
(5-1) obtaining from the database server the data set corresponding to the ID number;
(5-2) detecting whether the data set contains the special characters; if so, escaping each special character by prefixing it with a backslash (\), generating a new data set and returning it to the WEB server; otherwise returning the data set to the WEB server unchanged.
In a further improvement, the special characters include characters which can cause changes in syntax and semantics of the SQL statement.
In a further refinement, the special characters include '?', ',' and 'prime'.
The invention has the following advantages:
1. By analyzing a large number of SQL injection attack examples, the invention identifies the INSERT and UPDATE types as the SQL statement types that can cause an attack payload to be stored in the database. When scanning the WEB source program, only these two types of SQL statements are located and only the SQL keywords they contain are transformed. Compared with the prior art, which transforms the SQL keywords of all SQL statements in the WEB source program, this improves operating efficiency to a certain extent.
2. Traditional SQL injection attack defense models mainly defend by filtering user input and by comparing the syntactic analysis of SQL statements before and after splicing, and they over-trust the security of database data. The invention does not trust the data in the database blindly: it judges whether that data contains special characters that can lead to a second-order SQL injection attack and processes those characters, so that the injection attack is rendered ineffective.
3. The invention achieves second-order SQL injection attack defense merely by deploying and configuring a proxy server between the WEB server and the database server, adjusting the corresponding configuration and adding the processing method of the invention. It is convenient to deploy, simple to operate and has good application prospects.
Description of the drawings:
FIG. 1 is a schematic flow chart of a method for defending against second-order SQL injection attacks according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of the second-order SQL injection attack defense method according to an embodiment of the present invention;
FIG. 3 illustrates an example of the operation of the SQL keyword transformation process of FIG. 2;
FIG. 4 is a schematic diagram of part of the operation of FIG. 2 when a user registers and enters an attack payload containing an SQL keyword;
FIG. 5 is a schematic diagram of part of the operation of FIG. 2 when a user registers and enters an attack payload that does not contain an SQL keyword.
The specific implementation mode is as follows:
In order to make the technical problems to be solved, the technical solutions and the advantages of the present invention clearer, a detailed description is given below with reference to the accompanying drawings and specific embodiments.
Example 1
An attacker registers on a website and enters the user name test' or 1'='1;-- and the password 123. The corresponding static SQL statement in the WEB source program is INSERT INTO User(userName, password) VALUES('?', '?'). The randomly generated number R is XORed with the shared key K to obtain R' = 6573, and after SQL keyword transformation the static SQL statement becomes INSERT6573 INTO6573 User(userName, password) VALUES6573('?', '?'). The WEB server splices the static SQL statement part with the user's dynamic input and sends the spliced statement to the database server. The proxy server intercepts it as an INSERT-type statement and finds that it contains the string "or", which has the same form as a standard SQL keyword and does not carry the label 6573; it is therefore a standard SQL keyword that originated in the user input rather than in the WEB source program. The proxy judges the statement to be an injection attack statement, intercepts it and returns error information to the WEB server, so the attack payload is never stored in the database.
Example 2
An attacker registers on a website and enters the user name admin';-- and the password 123. The corresponding static SQL statement in the WEB source program is INSERT INTO User(userName, password) VALUES('?', '?'). The randomly generated number R is XORed with the shared key K to obtain R' = 6573, and after SQL keyword transformation the static SQL statement becomes INSERT6573 INTO6573 User(userName, password) VALUES6573('?', '?'). The WEB server splices the static SQL statement part with the user's dynamic input and sends the spliced statement to the database server. The proxy server intercepts it as an INSERT-type statement; since the payload contains no SQL keyword, no standard SQL keyword is found, so the proxy removes the label 6573 to restore the SQL statement and forwards it to the database server, and the user name admin';-- is stored in the database. The attacker then uses the password-change function of the website, whose source code in the WEB program is as follows:
// Password-change function of the WEB program (PHP): the inputs are escaped and spliced into the query
$userName = mysql_escape_string($_POST["userName"]);
$oldPassword = mysql_escape_string($_POST["oldPassword"]);
$newPassword = mysql_escape_string($_POST["newPassword"]);
$Sql = "SELECT * FROM User WHERE userName='$userName'
        AND password='$oldPassword'";
With the proxy server processing of the present scheme in place, the response data set returned by the database server for this SELECT contains special characters, so the proxy escapes it: the attack payload admin';-- becomes admin\';-- before it is returned to the WEB server and stored in memory. The WEB server then reads the user name from memory with $userName = $_SESSION["userName"]; and dynamically constructs the SQL statement UPDATE User SET password='$newPassword' WHERE userName='admin\';--'. After the database processes this statement, the result is that the password of the user named admin';-- is modified, not the password of the user admin as the attacker intended, so the second-order SQL injection attack is effectively defended against.
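The proxy logic of steps one, three and five, run through Examples 1 and 2 above, as an added Python model that is not part of the patent: the keyword list, the special-character set, the values R = 12345 and K = 10644 (chosen so that R XOR K = 6573) and the use of an in-memory sqlite3 database, which needs quote doubling instead of the patent's backslash escaping, are assumptions of this example.

```python
import re
import sqlite3

# Constructed keyword list: the patent does not enumerate its "standard SQL keywords".
SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "INTO", "VALUES", "SET",
                "FROM", "WHERE", "AND", "OR", "UNION", "DROP")
_ALT = "|".join(SQL_KEYWORDS)
KEYWORD_RE = re.compile(r"\b(" + _ALT + r")\b", re.IGNORECASE)
# Assumed special-character set (claim 5 only says: characters that can change the
# syntax or semantics of an SQL statement).
SPECIAL_CHARS = ("'", '"', "\\")


def derive_tag(r: int, k: int) -> str:
    """Step (1-1): XOR the random integer R with the shared key K to obtain R'."""
    return str(r ^ k)


def transform_template(sql: str, tag: str) -> str:
    """Step (1-3): append R' to every standard keyword of an INSERT/UPDATE template;
    other statement types are left untouched, as step one selects only those two."""
    if not re.match(r"\s*(INSERT|UPDATE)\b", sql, re.IGNORECASE):
        return sql
    return KEYWORD_RE.sub(lambda m: m.group(1) + tag, sql)


def inspect_write(sql: str, tag: str):
    """Step three at the proxy: a bare (untagged) standard keyword can only have come
    from spliced data, so the statement is blocked; otherwise the tags are stripped
    and the restored statement is returned. The check is purely lexical, so a harmless
    value such as "cats or dogs" is rejected too (a false positive of the scheme)."""
    if KEYWORD_RE.search(sql):
        return "blocked", None
    tagged = re.compile(r"\b(" + _ALT + r")" + re.escape(tag) + r"\b", re.IGNORECASE)
    return "forwarded", tagged.sub(lambda m: m.group(1), sql)


def escape_rows(rows, style="backslash"):
    """Step five at the proxy: escape special characters in a SELECT result set before
    it reaches the web server. "backslash" is the patent's MySQL-style prefix; "double"
    doubles single quotes, which is what the sqlite3 database in demo() accepts."""
    def esc(v):
        if not isinstance(v, str):
            return v
        if style == "double":
            return v.replace("'", "''")
        return "".join("\\" + c if c in SPECIAL_CHARS else c for c in v)
    return [tuple(esc(v) for v in row) for row in rows]


def demo():
    """Examples 1 and 2 of the description with an in-memory sqlite3 database as the
    database server. Returns (verdict1, verdict2, admin_password, session_user)."""
    tag = derive_tag(r=12345, k=10644)  # 12345 ^ 10644 == 6573, as in the examples
    template = transform_template(
        "INSERT INTO User(userName, password) VALUES('{u}', '{p}')", tag)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE User(userName TEXT, password TEXT)")
    db.execute("INSERT INTO User VALUES('admin', 'secret')")

    def q(s):  # first-order escaping done by the web application itself
        return s.replace("'", "''")

    # Example 1: the payload carries the keyword OR, so the proxy blocks the INSERT.
    verdict1, _ = inspect_write(template.format(u=q("test' or 1'='1;--"), p="123"), tag)

    # Example 2: admin';-- carries no keyword; the proxy restores the tags and forwards.
    verdict2, restored = inspect_write(template.format(u=q("admin';--"), p="123"), tag)
    db.execute(restored)

    # Password change: the proxy escapes the SELECT result before the web server caches
    # it in the session and splices it into the UPDATE (the second-order trigger point).
    name = q("admin';--")
    rows = db.execute(f"SELECT userName FROM User WHERE userName='{name}' "
                      f"AND password='123'").fetchall()
    session_user = escape_rows(rows, style="double")[0][0]
    db.execute(f"UPDATE User SET password='new-pass' WHERE userName='{session_user}'")
    admin_pw = db.execute("SELECT password FROM User WHERE userName='admin'").fetchone()[0]
    return verdict1, verdict2, admin_pw, session_user


if __name__ == "__main__":
    print(demo())
```

The admin row keeps its original password because the escaped session value only matches the row that holds the payload itself.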
In conclusion, a proxy server implementing the SQL injection attack defense method is deployed and configured between the WEB server and the database server. This reduces the storage of attack payloads in the database and, at the same time, verifies the data coming from the database server, so that second-order SQL injection attacks are effectively defended against and the security of the system is improved.
The foregoing is merely a specific example of the present invention; modifications and substitutions that do not depart from the spirit and scope of the invention fall within its scope.

Claims (6)

1. A method for defending against second-order SQL injection attacks, characterized by comprising the following steps:
step one, scanning the web source program, selecting the SQL statements of INSERT type and UPDATE type, and performing SQL keyword transformation processing, which appends a label string to every standard SQL keyword in those INSERT-type and UPDATE-type SQL statements;
step two, intercepting the SQL statements sent by the WEB server to the database server and classifying them: if the SQL statement is of INSERT or UPDATE type, executing step three; if it is of SELECT type, executing step four; otherwise sending the SQL statement directly to the database server for processing and returning the response data set directly to the WEB server;
step three, detecting whether the SQL statement contains a standard SQL keyword; if not, restoring the transformed SQL keywords and finally sending the restored SQL statement to the database server; if the SQL statement does contain a standard SQL keyword, judging it to be an injection attack statement, intercepting it and returning a message to the WEB server;
step four, adding a fixed ID number to the SQL statement of SELECT type;
step five, obtaining from the database server the data set corresponding to that ID number and judging whether the data set contains special characters; if so, escaping the special characters and sending the newly generated data set to the WEB server; otherwise sending the data set directly to the WEB server.
2. The method of second-order SQL injection attack defense according to claim 1, wherein in step one the SQL keyword transformation processing is performed as follows:
(1-1) randomly generating an integer R, then XOR-encrypting R with the shared secret key K to obtain R';
(1-2) scanning the web source program and selecting the SQL statements of INSERT type and UPDATE type;
(1-3) for the selected SQL statements, locating each standard SQL keyword M in the statement by regular expression, converting it into a character string of the form M + R', where '+' denotes string concatenation, and dynamically constructing the new SQL statement from the converted strings.
3. The method of second-order SQL injection attack defense of claim 1, wherein step three comprises the following steps:
(3-1) judging whether the SQL statement contains a character string of the same form as a standard SQL keyword; if not, executing step (3-2); if such strings are present, determining whether they are standard SQL keywords: if they are, judging that an SQL injection attack is taking place, intercepting the statement and returning error information to the WEB server, otherwise executing step (3-2);
(3-2) locating the transformed standard SQL keywords, removing R' to restore the SQL statement, and sending the restored SQL statement to the database server.
4. The method of second-order SQL injection attack defense of claim 1, wherein step five comprises the following steps:
(5-1) obtaining from the database server the data set corresponding to the ID number;
(5-2) detecting whether the data set contains the special characters; if so, escaping each special character by prefixing it with a backslash (\), generating a new data set and returning it to the WEB server; otherwise returning the data set to the WEB server unchanged.
5. The method of second-order SQL injection attack defense of claim 1, wherein the special characters include characters that can change the syntax and semantics of an SQL statement.
6. The method of second-order SQL injection attack defense of claim 1, wherein the special characters include '?', ''' and '"'.
Application CN201910890209.2A, priority date 2019-09-20, filing date 2019-09-20, title: Second-order SQL injection attack defense method, status: Pending; published as CN110647749A (en) on 2020-01-03.

Family

ID=69010869

Country Status (1)

Country Link
CN (1) CN110647749A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number, priority date, publication date, assignee, title:
CN111832023A (*), 2020-07-10, 2020-10-27, 厦门靠谱云股份有限公司: SQL injection detection method and device based on C/S architecture
CN113139180B (*), 2020-01-20, 2023-12-01, 中国电信股份有限公司: Injection attack detection model generation device, injection attack detection device and method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number, priority date, publication date, assignee, title:
CN106156623A (*), 2016-07-29, 2016-11-23, 江西师范大学: Intent-based SQLIA defense method
CN106355094A (*), 2016-07-08, 2017-01-25, 耿童童: SQL (structured query language) injection attack defensive system and defensive method based on grammar transformation
CN107644175A (*), 2017-09-13, 2018-01-30, 南京南瑞集团公司: A method for preventing SQL injection


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王杰 et al.: "Research on second-order SQL injection defense technology", 《电子设计工程》 *
陈龙 et al.: "A second-order SQL injection attack defense method", 《电脑知识与技术》 *



Legal Events

Code Title Description
PB01 Publication; application publication date: 20200103
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication