CN111767577A - SQL injection risk detection method and device, electronic device and storage medium - Google Patents
Publication number: CN111767577A (application CN202010644001.5A)
Authority: CN (China)
Prior art keywords: request, SQL injection, SQL, injection request, risk
Legal status: Withdrawn (the legal status shown by Google Patents is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/60—Software deployment
- G06F8/65—Updates
Abstract
The application relates to a method and a device for detecting SQL injection risk, an electronic device and a storage medium. The method for detecting SQL injection risk comprises the following steps: acquiring an SQL injection request; sending the SQL injection request to a simulation protection system; judging, according to the SQL injection request, whether an event corresponding to the SQL injection request occurs in the simulation protection system; and, in the event that such an event occurs in the simulation protection system, marking the SQL injection request as a risk request. The method and device address the problem in the related art that, because the risk of an SQL injection request cannot be judged, the protection system must intercept every SQL injection request one by one, which increases its load; the technical effect achieved is a reduced load on the database protection system.
Description
Technical Field
The embodiment of the application relates to the technical field of databases, in particular to a method and a device for detecting SQL injection risks, an electronic device and a storage medium.
Background
A database system (DBS) is a data processing system developed to meet data processing needs: a software system that stores and maintains data and serves it to the application systems that actually operate on it, comprising storage media, the processed objects and a management system. With the rapid development of the internet and the mobile internet, more and more application services are exposed on the network, and most network services are built on database systems holding massive amounts of user data; once such data is leaked, users suffer large economic and emotional losses. Security protection of database systems is therefore a focus of attention in the internet field today.
An SQL (Structured Query Language) injection attack is an attack in which a request is crafted so that a program executes malicious SQL code, with the aim of reading or controlling data in a database. How to detect and prevent SQL injection attacks has therefore become key to improving the security protection capability of database systems.
At present, detection technology for SQL injection attacks in the related art usually only exposes the attacker's attack behavior, not the risk that the behavior may cause: for example, each SQL statement is checked for injection, and the statement is intercepted whenever it is found to be an SQL injection request. This approach has the following technical drawback: the SQL injection attacks that really carry risk may be hidden among a large number of invalid SQL injection requests, and since the risk of an SQL injection request cannot be judged, the protection system must intercept every SQL injection request one by one, which increases the load on the protection system and lowers the processing efficiency of the database protection system.
No effective solution has yet been proposed in the related art for the problem that, because the risk of an SQL injection request cannot be judged, the protection system must intercept every SQL injection request one by one, increasing its load.
Disclosure of Invention
The embodiment of the application provides a method and a device for detecting SQL injection risks, an electronic device and a storage medium, and aims to at least solve the problem that in the related art, the risk of SQL injection requests cannot be judged, so that a protection system needs to intercept each SQL injection request one by one, and the load of the protection system is increased.
In a first aspect, an embodiment of the present application provides a method for detecting an SQL injection risk, which is applied to protect an SQL injection risk of a database system, and the method includes: acquiring an SQL injection request; sending the SQL injection request to a simulation protection system; judging whether an event corresponding to the SQL injection request occurs in the simulation protection system or not according to the SQL injection request; marking the SQL injection request as a risk request in case of occurrence of an event corresponding to the SQL injection request in the simulation protection system.
In some embodiments, before the SQL injection request is sent to the simulation protection system, the method further comprises: removing redundant characters, line feeds and comments from the SQL injection request according to a preset SQL statement template, and replacing the placeholders of constants and variables in the SQL injection request with a uniform symbol, to obtain a standardized SQL injection request.
In some embodiments, obtaining the SQL injection request comprises: acquiring an SQL request; performing SQL injection detection on the SQL request; and recording any SQL request found to contain an injection request, thereby obtaining the SQL injection request.
In some embodiments, performing SQL injection detection on the SQL request and recording the SQL request containing an injection request comprises: performing SQL injection detection on the SQL request; sending the SQL request on to the database system when no injection request is detected in it; and, when an injection request is detected in it, recording the SQL request to obtain the SQL injection request.
In some embodiments, after obtaining the SQL injection request, the method further comprises obtaining a protection configuration of the database system, where the protection configuration comprises at least one of: an anti-dragging library protection table (a table protected against bulk dumping of the database, "dragging the library") and an anti-collision library SQL template (a template guarding against credential stuffing, "colliding the library"), both configured in the database system. Access by the SQL injection request is intercepted when the number of queries the SQL injection request makes against the anti-dragging library protection table exceeds a preset threshold; or the standardized SQL injection request is matched against the anti-collision library SQL template, and the SQL injection request is intercepted when it fails to match.
In some embodiments, the simulation protection system comprises at least one of: a stand-alone protection system able to accept the simulated SQL injection request, and a protection module embedded in the database system and able to accept the simulated SQL injection request.
In some embodiments, after marking the SQL injection request as a risk request, the method further comprises: matching the information of the SQL injection request in a preset reinforcement scheme library, sending the reinforcement scheme in that library which matches the SQL injection request to the database system, and performing security reinforcement on the database system according to the reinforcement scheme.
In a second aspect, an embodiment of the present application provides an apparatus for detecting an SQL injection risk, where the apparatus includes: the acquisition module is used for acquiring the SQL injection request; the sending module is used for sending the SQL injection request to a simulation protection system; the judging module is used for judging whether an event corresponding to the SQL injection request occurs in the simulation protection system or not according to the SQL injection request; the matching module is used for marking the SQL injection request as a risk request under the condition that an event corresponding to the SQL injection request occurs in the simulation protection system.
In a third aspect, an embodiment of the present application provides an electronic apparatus, including a memory and a processor, where the memory stores a computer program, and the processor is configured to execute the computer program to perform the SQL injection risk detection method according to the first aspect.
In a fourth aspect, an embodiment of the present application provides a storage medium, where a computer program is stored in the storage medium, where the computer program is configured to execute the SQL injection risk detection method according to the first aspect when running.
Compared with the related art, the method, the device, the electronic device and the storage medium for detecting the SQL injection risk solve the problem that in the related art, the risk of the SQL injection request cannot be judged, so that the protection system needs to intercept each SQL injection request one by one, and further the load of the protection system is increased, and the technical effect of reducing the load of the database protection system is achieved.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of other features, objects, and advantages of the embodiments of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the embodiments of the application and are not intended to limit the embodiments of the application in any way. In the drawings:
fig. 1 is a flow chart of a method for SQL injection risk detection according to an embodiment of the present application;
FIG. 2 is a flow chart of a method for SQL injection risk detection according to the preferred embodiment of the present application;
fig. 3 is a schematic structural diagram of an SQL injection risk detection apparatus according to an embodiment of the present application;
fig. 4 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means greater than or equal to two. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
The present embodiment provides a method for detecting an SQL injection risk, and fig. 1 is a flowchart of the method for detecting an SQL injection risk according to the embodiment of the present application, and as shown in fig. 1, the flowchart includes the following steps:
step S101, obtaining SQL injection request.
When the embodiment of the present application is applied to an NGINX server, the SQL injection request may be recorded and acquired through the logging function of the NGINX server; in other embodiments, the SQL injection request may also be acquired through IIS (Internet Information Services) on a WINDOWS system.
In one embodiment, obtaining the SQL injection request comprises: acquiring an SQL request; performing SQL injection detection on the SQL request; and recording any SQL request containing an injection request, to obtain the SQL injection request.
In this embodiment, whether the SQL request contains an injection request can be detected using known SQL injection syntax. For example, based on the syntax of Boolean-based blind SQL injection, error-based SQL injection, UNION query SQL injection, stacked queries SQL injection and time-based blind SQL injection, it is detected whether the SQL request contains SQL statements matching one of these injection syntaxes; when it does, the SQL request is judged to contain an injection request, and the SQL injection request is thereby obtained.
In other embodiments, SQL injection detection may be performed on the SQL request through keyword detection; for example, when a keyword such as union, sleep or load_file is present in the SQL request, the SQL request may be judged to contain an injection request.
In one embodiment, performing SQL injection detection on the SQL request and recording the SQL request containing an injection request comprises: performing SQL injection detection on the SQL request; sending the SQL request on to the database system when no injection request is detected in it; and, when an injection request is detected in it, recording the SQL request to obtain the SQL injection request.
In this embodiment, when no injection request is detected in the SQL request, the SQL request is sent on to the database system, so that safe SQL requests sent by users or administrators are not intercepted.
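As an added illustration of step S101 (example code written for this page, not the patent's own implementation), the following Python sketch checks each SQL request against the five injection syntaxes and the keywords named above and then routes it: a clean request goes on to the database, and a request containing an injection request is recorded and becomes the "SQL injection request". The signature patterns, the function names and the SAMPLE_REQUESTS are assumptions constructed for the example.

```python
import re
from typing import List, NamedTuple, Tuple

# Illustrative signatures for the five injection syntaxes named in the text plus
# the keyword check (union / sleep / load_file). These are example patterns
# constructed for this sketch, not the patent's own rules, and are deliberately narrow.
SIGNATURES = {
    "boolean_blind": re.compile(
        r"(?i)\b(?:and|or)\s+(?:'[^']*'|\d+)\s*=\s*(?:'[^']*'|\d+)"),
    "error_based": re.compile(r"(?i)\b(?:extractvalue|updatexml)\s*\("),
    "union_query": re.compile(r"(?i)\bunion\b\s+(?:all\s+)?select\b"),
    "stacked_queries": re.compile(
        r"(?i);\s*(?:select|insert|update|delete|drop|create|exec)\b"),
    "time_based_blind": re.compile(
        r"(?i)\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b"),
    "keyword": re.compile(r"(?i)\b(?:union|sleep|load_file)\b"),
}


class Routed(NamedTuple):
    destination: str          # "database" or "injection_log"
    sql: str
    matched: Tuple[str, ...]  # names of the signatures that fired


def detect_injection(sql: str) -> List[str]:
    """Return the names of every signature that matches the SQL request."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(sql)]


def route_request(sql: str, injection_log: list) -> Routed:
    """Step S101: clean requests go to the database; requests that contain an
    injection request are recorded and become the 'SQL injection request'."""
    matched = detect_injection(sql)
    if not matched:
        return Routed("database", sql, ())
    injection_log.append(sql)
    return Routed("injection_log", sql, tuple(matched))


# Constructed sample requests (not from the patent).
SAMPLE_REQUESTS = [
    "SELECT id, name FROM user_memo WHERE id = 42",
    "SELECT id FROM user_memo WHERE id = 1 OR 1=1",
    "SELECT id FROM user_memo WHERE id = 1 UNION SELECT 1, 2",
    "SELECT id FROM user_memo WHERE id = 1; DROP TABLE user_memo",
    "SELECT id FROM user_memo WHERE id = 1 AND (SELECT * FROM (SELECT(SLEEP(5)))VCVe)",
]


def process_batch(requests):
    """Route a batch and return (routing decisions, recorded injection requests)."""
    log: list = []
    return [route_request(r, log) for r in requests], log


if __name__ == "__main__":
    decisions, log = process_batch(SAMPLE_REQUESTS)
    for d in decisions:
        print(f"{d.destination:14} {d.matched or '-'}  {d.sql}")
    print(f"{len(log)} request(s) recorded as SQL injection requests")
```

The keyword check is the coarsest rule: it fires on the UNION and SLEEP samples alongside the syntax rules, which is why both lists are returned rather than a single verdict.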
Step S102, sending the SQL injection request to the simulation protection system.
In one embodiment, the simulation protection system comprises at least one of: a stand-alone protection system able to accept the simulated SQL injection request, and a protection module embedded in the database system and able to accept the simulated SQL injection request.
In this embodiment, the simulation protection system may be a stand-alone protection system that accepts the simulated SQL injection request, or a protection module embedded in the database system that accepts it. The protection capability of the simulation protection system against SQL injection attacks is less than or equal to that of the protected database system; for example, the anti-dragging library protection table configured in the simulation protection system has fewer rows than the one configured in the protected database system.
Step S103, judging whether an event corresponding to the SQL injection request occurs in the simulation protection system according to the SQL injection request.
In this embodiment, the simulation protection system is set up so that its protection capability against SQL injection attacks is less than or equal to that of the protected database system. Consequently, if sending the SQL injection request directly to the database system would cause the database system to produce an event corresponding to the request, then sending the same request to the simulation protection system also causes the simulation protection system to produce the corresponding event. This ensures that the response capability of the simulation protection system to the SQL injection request is greater than or equal to that of the database system, which improves the database system's security protection capability against SQL injection attacks.
Step S104, marking the SQL injection request as a risk request when an event corresponding to the SQL injection request occurs in the simulation protection system.
In this embodiment, the risk operations of an SQL injection request include at least one of: dragging the library (bulk dumping of the database) and colliding the library (credential stuffing).
In this embodiment, after the SQL injection request has been sent to the simulation protection system, whether the SQL injection request is risky may be determined by judging whether an event corresponding to the SQL injection request occurs in the simulation protection system.
Taking time-delay-based injection as an example: when the request http://hello.com/view?q=abc' AND (SELECT * FROM (SELECT(SLEEP(5)))VCVe) OR 1= is sent to the simulation protection system, the SQL injection request causes the query in the simulation protection system to sleep for 5 seconds; if the simulation protection system's query is observed to sleep for 5 seconds, the SQL injection request is judged to be risky.
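The observation described above, as an added Python example that is not the patent's own implementation: the simulation protection system is modelled as an in-memory SQLite replica of the protected table with fewer rows than production (as the description requires), which records events rather than serving data. Three kinds of event are recorded: a requested delay (a SLEEP stand-in registers the requested seconds instead of actually sleeping, so the time-based probe is observed without stalling), a query error (an error-based probe), and more rows returned than the simulation's return threshold (a dump). The class and function names, the thresholds, the sample rows and the probes are assumptions constructed for the example.

```python
import sqlite3
from typing import List, Tuple

# Thresholds for the simulation (assumed values). The simulation must be at least as
# sensitive as the protected database: its copy of the protected table is smaller,
# so its return threshold is correspondingly lower than a production value of 5.
SIM_DELAY_THRESHOLD_S = 1.0   # a requested SLEEP of at least this many seconds is a delay event
SIM_RETURN_THRESHOLD = 2      # more rows than this from the protected table is a dump event

# Constructed rows for the simulation's (deliberately small) copy of the protected table.
SIM_ROWS = [("abc", "alice"), ("def", "bob"), ("ghi", "carol")]


class SimulationProtectionSystem:
    """Hypothetical stand-in for the simulation protection system of steps S102-S104."""

    def __init__(self, rows):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE user_memo (id TEXT, name TEXT)")
        self.conn.executemany("INSERT INTO user_memo VALUES (?, ?)", rows)
        self.events: List[Tuple] = []
        # SQLite has no SLEEP(); register a MySQL-style one that records the requested
        # delay instead of sleeping, so the probe is observed without a real 5 s stall.
        self.conn.create_function("SLEEP", 1, self._sleep)

    def _sleep(self, seconds):
        if seconds >= SIM_DELAY_THRESHOLD_S:
            self.events.append(("delay", seconds))
        return 0   # MySQL's SLEEP() returns 0 on normal completion

    def run(self, sql: str) -> List[Tuple]:
        """Execute one SQL injection request and return the events it caused."""
        self.events = []
        try:
            rows = self.conn.execute(sql).fetchall()
        except sqlite3.Error as exc:
            # A probe that breaks the statement (error-based injection) is itself an event.
            self.events.append(("error", type(exc).__name__))
            return list(self.events)
        if len(rows) > SIM_RETURN_THRESHOLD:
            self.events.append(("dump", len(rows)))
        return list(self.events)


def mark_request(sim: SimulationProtectionSystem, sql: str) -> str:
    """Step S104: a request that causes any event in the simulation is a risk request."""
    return "risk" if sim.run(sql) else "no_event"


# Constructed probes, written as the complete statements the simulation would receive.
BENIGN = "SELECT name FROM user_memo WHERE id = 'abc'"
TIME_PROBE = "SELECT name FROM user_memo WHERE id = 'abc' AND (SELECT * FROM (SELECT SLEEP(5)) VCVe)"
DUMP_PROBE = "SELECT id FROM user_memo WHERE id = 'abc' OR 1=1"
ERROR_PROBE = "SELECT name FROM user_memo WHERE id = 'abc''"

if __name__ == "__main__":
    sim = SimulationProtectionSystem(SIM_ROWS)
    for label, sql in [("benign", BENIGN), ("time", TIME_PROBE),
                       ("dump", DUMP_PROBE), ("error", ERROR_PROBE)]:
        verdict = mark_request(sim, sql)
        print(f"{label:7} -> {verdict:9} {sim.events}")
```

Recording the requested delay instead of paying it is the design point: the simulation can still report "this request would have stalled the database for 5 seconds" while answering immediately, which keeps the risk check itself cheap.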
The SQL injection detection technology in the related art usually performs injection judgment and check on each SQL statement, and intercepts the SQL statement if an SQL injection request is sent. Such technical precautions present the following technical drawbacks: the really risky SQL injection attack may be hidden in a large number of invalid SQL injection requests, and since the risk of the SQL injection requests cannot be judged, the protection system needs to intercept each SQL injection request one by one, which increases the load of the protection system and causes the low processing efficiency of the database protection system.
Through the steps S101 to S104, in this embodiment, the SQL injection request is sent to the simulation protection system, and whether the SQL injection request has a risk is determined based on whether an event corresponding to the SQL injection request occurs in the simulation protection system, so that a problem that in the related art, the risk of the SQL injection request cannot be determined, so that the protection system needs to intercept each SQL injection request one by one, thereby increasing the load of the protection system is solved, and a technical effect of reducing the load of the database protection system is achieved.
The embodiments of the present application are described and illustrated below by means of preferred embodiments.
Fig. 2 is a flowchart of a SQL injection risk detection method according to a preferred embodiment of the present application, and as shown in fig. 2, the flowchart includes the following steps:
step S201, an SQL injection request is acquired.
Step S202, according to a preset SQL statement template, removing redundant characters, line feeds and comments in the SQL injection request, and replacing placeholders of constants and variables in the SQL injection request with uniform symbols to obtain a standardized SQL injection request.
In this embodiment, the SQL injection request may be normalized by removing line feeds and comments from it; for example, when more than one consecutive whitespace character appears, one is retained and the others, referred to as extra whitespace characters, are removed. The SQL injection request may also be standardized by replacing the placeholders of constants and variables in it with a uniform symbol, for example by using "?" in place of every constant and variable placeholder in the SQL injection request.
In other embodiments, all characters in the SQL injection request may also be unified to upper case or to lower case.
For example, the SQL injection request SELECT /*test*/ ID FROM USER_MEMO where ID = #xxx# LIMIT #offset#, #rownum# (with a line feed before FROM) is normalized to SELECT ID FROM USER_MEMO WHERE ID = ? LIMIT ?, ?.
By standardizing SQL injection requests, different SQL injection requests of the same type are converted into the same standardized SQL injection request. Moreover, the events a non-standardized SQL injection request may trigger in the simulation protection system can be unpredictable, whereas the events a standardized SQL injection request triggers are predictable, so the system can respond in time when an event corresponding to the SQL injection request occurs in the simulation protection system.
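The standardization of step S202, as an added Python example (not the patent's own code): #name# placeholders and literal constants become the uniform symbol "?", comments and extra whitespace are removed, and case is unified, so that several variants of one request type collapse to a single standardized request. The function names and the VARIANTS are assumptions constructed for the example; the first variant follows the example given in the text.

```python
import re

UNIFORM_SYMBOL = "?"


def normalize_sql(sql: str) -> str:
    """Standardize an SQL injection request (step S202, assumed implementation)."""
    # 1. Template placeholders of the form #name# first: '#' would otherwise be
    #    read as the start of a MySQL line comment.
    s = re.sub(r"#\w+#", UNIFORM_SYMBOL, sql)
    # 2. Comments: /* ... */ blocks (possibly spanning lines) and -- line comments.
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"--[^\n]*", " ", s)
    # 3. Constants: quoted strings (with '' as an escaped quote), then bare numbers.
    s = re.sub(r"'(?:[^']|'')*'", UNIFORM_SYMBOL, s)
    s = re.sub(r"\b\d+(?:\.\d+)?\b", UNIFORM_SYMBOL, s)
    # 4. Line feeds and runs of whitespace collapse to one space; unify case.
    s = re.sub(r"\s+", " ", s).strip()
    return s.upper()


def same_template(requests) -> bool:
    """True when every request normalizes to the same standardized request."""
    return len({normalize_sql(r) for r in requests}) == 1


# Constructed variants of one request type (the first follows the example in the text).
VARIANTS = [
    "SELECT /*test*/ ID\nFROM USER_MEMO where ID = #xxx# LIMIT #offset#, #rownum#",
    "select id from user_memo where id = 'yyy'   limit 10, 20 -- page 2",
    "SELECT ID FROM USER_MEMO WHERE ID = 'zz''z' LIMIT 0,\n 50",
]

if __name__ == "__main__":
    for v in VARIANTS:
        print(repr(v), "->", normalize_sql(v))
    print("same template:", same_template(VARIANTS))
```

The order of the passes matters: placeholders are replaced before comment stripping because of the shared "#" character, and string literals are replaced before numbers so that digits inside a quoted value are not turned into a second "?".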
Step S203, obtaining a protection configuration of the database system, where the protection configuration comprises at least one of: an anti-dragging library protection table and an anti-collision library SQL template, both configured in the database system. Access by the SQL injection request is intercepted when the number of queries the SQL injection request makes against the anti-dragging library protection table exceeds a preset threshold; or the standardized SQL injection request is matched against the anti-collision library SQL template, and the SQL injection request is intercepted when it fails to match.
In this embodiment, the preset threshold may be set to 5: when the number of queries the SQL injection request makes against the anti-dragging library protection table exceeds 5, the SQL injection request is marked as a risk request and its access is intercepted.
In this embodiment, the standardized SQL injection request is matched against the anti-collision library SQL template; because standardization converts different SQL injection requests of the same type into the same standardized SQL injection request, matching against the anti-collision library SQL template is made easier.
In other embodiments, a return threshold may also be set for the anti-dragging library protection table: when the same IP queries the anti-dragging library protection table more times than the preset threshold and the number of rows returned from the anti-dragging library protection table exceeds the return threshold (for example, more than 5 rows), the SQL injection request is marked as a risk request and its access is intercepted.
Step S204, sending the SQL injection request to the simulation protection system.
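The protection configuration of step S203, as an added Python example (not the patent's own code): a standardized request is first matched against the anti-collision library SQL templates, and queries against each anti-dragging library protection table are counted per source IP, with the optional return-row threshold of the variant described above. The class and function names, the thresholds' defaults, the TEMPLATES and the SAMPLE_EVENTS are assumptions constructed for the example; the requests are assumed to be already standardized.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


class ProtectionConfig:
    """Assumed implementation of the protection configuration of step S203.

    protected_tables  -- the anti-dragging library protection tables
    allowed_templates -- the anti-collision library SQL templates, as standardized SQL
    query_threshold   -- queries per source IP against a protected table before interception (text: 5)
    return_threshold  -- optional: rows a query must return before it counts as a dump (text: 5)
    """

    def __init__(self, protected_tables, allowed_templates, query_threshold: int = 5,
                 return_threshold: Optional[int] = None):
        self.protected_tables = list(protected_tables)
        self.allowed_templates = set(allowed_templates)
        self.query_threshold = query_threshold
        self.return_threshold = return_threshold
        self.query_counts: Dict[Tuple[str, str], int] = defaultdict(int)

    def check(self, ip: str, standardized_sql: str, rows_returned: int = 0) -> List[str]:
        """Return the reasons to intercept this standardized request; an empty list means allow."""
        reasons: List[str] = []
        # Anti-collision library: a standardized request must match a known template.
        if standardized_sql not in self.allowed_templates:
            reasons.append("template_mismatch")
        # Anti-dragging library: count queries per IP against each protected table.
        for table in self.protected_tables:
            if not re.search(rf"\b{re.escape(table)}\b", standardized_sql, re.I):
                continue
            self.query_counts[(ip, table)] += 1
            over_count = self.query_counts[(ip, table)] > self.query_threshold
            over_rows = (self.return_threshold is None
                         or rows_returned > self.return_threshold)
            if over_count and over_rows:
                reasons.append(f"dump_threshold:{table}")
        return reasons


def replay(config: ProtectionConfig, events) -> List[Tuple[str, List[str]]]:
    """Run a sequence of (ip, standardized_sql, rows_returned) and collect the decisions."""
    return [(ip, config.check(ip, sql, rows)) for ip, sql, rows in events]


# Constructed sample: one template is allowed; one IP re-queries the protected table
# six times, each time receiving 10 rows; another IP sends a request outside the templates.
TEMPLATES = ["SELECT ID FROM USER_MEMO WHERE ID = ? LIMIT ?, ?"]
SAMPLE_EVENTS = (
    [("10.0.0.5", "SELECT ID FROM USER_MEMO WHERE ID = ? LIMIT ?, ?", 10)] * 6
    + [("10.0.0.9", "SELECT NAME FROM ACCOUNTS WHERE EMAIL = ? AND PASSWORD = ?", 1)]
)

if __name__ == "__main__":
    cfg = ProtectionConfig(["USER_MEMO"], TEMPLATES, query_threshold=5, return_threshold=5)
    for ip, reasons in replay(cfg, SAMPLE_EVENTS):
        print(ip, "intercept" if reasons else "pass", reasons)
```

With the return threshold set, a source that repeatedly queries the protected table but receives only a row or two never trips the dump rule; the count alone is not enough, which is the point of the variant.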
Step S205, according to the SQL injection request, determine whether an event corresponding to the SQL injection request occurs in the simulation protection system.
Step S206, under the condition that the event corresponding to the SQL injection request occurs in the simulation protection system, the SQL injection request is marked as a risk request.
Step S207, matching the information of the SQL injection request in a preset reinforcement scheme library, sending the reinforcement scheme in that library which matches the SQL injection request to the database system, and performing security reinforcement on the database system according to the reinforcement scheme.
In this embodiment, to protect the security of the database system itself, security reinforcement and defensive work may be performed on the database system. On one hand, traffic can be intercepted at the network level by tools such as a firewall, so that the SQL injection request never reaches the database system; on the other hand, security operations such as permission hardening and patch upgrades can be carried out on the database system's Web service and related components. These security operations may include hardening the database system's operating system, network devices, servers and databases, ensuring correct access control permissions and secure service configurations, upgrading related components to the latest version, and applying vulnerability patches in time to protect against known historical vulnerabilities.
Through the steps S201 to S207, it is ensured that the system can respond in time when an event corresponding to the SQL injection request occurs in the simulation protection system by standardizing the SQL injection request, and the security protection capability of the database system is further improved by obtaining the reinforcement scheme to perform security reinforcement on the database system.
The present embodiment further provides a device for detecting SQL injection risk. The device is used to implement the foregoing embodiments and preferred embodiments, and what has already been described is omitted here for brevity. As used hereinafter, the terms "module," "unit," "subunit," and the like may denote a combination of software and/or hardware implementing a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 3 is a schematic structural diagram of an SQL injection risk detection apparatus according to an embodiment of the present application, and as shown in fig. 3, the SQL injection risk detection apparatus includes: an obtaining module 30, configured to obtain an SQL injection request; a sending module 31 coupled to the obtaining module 30, configured to send the SQL injection request to the simulation protection system; a judging module 32 coupled to the sending module 31, configured to judge whether an event corresponding to the SQL injection request occurs in the simulation protection system according to the SQL injection request; and the matching module 33 is coupled to the judging module 32 and is used for marking the SQL injection request as a risk request in the case that an event corresponding to the SQL injection request occurs in the simulation protection system.
In some embodiments, the apparatus for detecting SQL injection risk further includes a normalization module coupled to the obtaining module 30, configured to remove unnecessary characters, line feeds, and comments in the SQL injection request according to a preset SQL statement template, and replace placeholders of constants and variables in the SQL injection request with uniform symbols, so as to obtain a normalized SQL injection request.
In some embodiments, the obtaining module 30 includes an obtaining subunit and a detecting subunit coupled to the obtaining subunit, where the obtaining subunit is configured to obtain the SQL request, and the detecting subunit is configured to perform SQL injection detection on the SQL request and record the SQL request found to contain an injection request, thereby obtaining the SQL injection request.
In some embodiments, the detection subunit is further configured to perform SQL injection detection on the SQL request, send the SQL request to the database system when no injection request is detected in the SQL request, and, when the SQL request is detected to contain an injection request, record the SQL request containing the injection request to obtain the SQL injection request.
In some embodiments, the apparatus for detecting SQL injection risk further includes an intercepting module coupled to the obtaining module 30, configured to obtain a protection configuration of the database system, where the protection configuration includes at least one of: an anti-dragging library protection table and an anti-collision library SQL template configured in the database system. The intercepting module intercepts the access of the SQL injection request when the number of queries of the SQL injection request on the anti-dragging library protection table exceeds a preset threshold; or it matches the standardized SQL injection request against the anti-collision library SQL template and intercepts the SQL injection request when no match is found.
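The normalization module and the intercepting module described above can be illustrated together, since the template match operates on the normalized statement. The following is an added example written for this page, not code from the patent: it strips comments and line feeds, replaces string and numeric constants with the uniform symbol `?`, and then applies the two interception rules. The table names, per-table thresholds, template whitelist, source identifiers and sample statements are constructed assumptions; I read "anti-dragging library" as protection against bulk dumping of a sensitive table and "anti-collision library" as protection against credential-stuffing style login queries, which is why the whitelist holds a login statement.

```python
import re
from collections import defaultdict

# One-pass tokenizer: string literals and numbers become the uniform symbol "?",
# comments are dropped. Scanning left to right means a "--" inside a string
# literal is not mistaken for a comment, and a quote inside a comment is not
# mistaken for the start of a string.
_TOKEN_RE = re.compile(r"""
    (?P<str>'(?:[^']|'')*'|"(?:[^"]|"")*")   # quoted string literal
  | (?P<cmt>/\*.*?\*/|--[^\n]*|\#[^\n]*)     # block, "--" and "#" comments
  | (?P<num>\b\d+(?:\.\d+)?\b)               # numeric constant
""", re.S | re.X)
_TABLE_RE = re.compile(r"\b(?:from|join|into|update)\s+([a-z_]\w*)")


def normalize_sql(sql: str) -> str:
    """Return the standardized form of an SQL statement (its template shape only)."""
    def repl(m):
        return " " if m.group("cmt") else "?"
    s = _TOKEN_RE.sub(repl, sql)
    s = re.sub(r"\s+", " ", s).strip()           # collapse line feeds and runs of blanks
    s = re.sub(r"\s*([=<>,()])\s*", r"\1", s)    # drop blanks around operators
    return s.lower()


def referenced_tables(normalized_sql: str) -> set:
    """Tables a normalized statement reads or writes (simple keyword scan)."""
    return set(_TABLE_RE.findall(normalized_sql))


class Interceptor:
    """Protection configuration: per-table query thresholds plus a template whitelist."""

    def __init__(self, protected_tables: dict, sql_templates):
        self.protected_tables = dict(protected_tables)  # table -> max queries per source
        self.sql_templates = set(sql_templates)         # normalized, allowed statement shapes
        self.query_counts = defaultdict(int)            # (source, table) -> queries seen

    def check(self, sql: str, source: str):
        """Return ("allow", normalized_sql) or ("intercept", reason)."""
        norm = normalize_sql(sql)
        # Rule 1: too many queries from one source against a protected table.
        for table in referenced_tables(norm):
            limit = self.protected_tables.get(table)
            if limit is None:
                continue
            self.query_counts[(source, table)] += 1
            if self.query_counts[(source, table)] > limit:
                return "intercept", f"query threshold exceeded on protected table {table}"
        # Rule 2: the standardized statement must match a known template.
        if norm not in self.sql_templates:
            return "intercept", "no matching SQL template"
        return "allow", norm


if __name__ == "__main__":
    # Constructed configuration and sample statements (assumed, not from the patent).
    ic = Interceptor({"users": 3}, ["select id from users where name=? and password=?"])
    login = "SELECT id FROM users WHERE name = 'alice' AND password = 'pw-a'"
    for _ in range(4):
        print(ic.check(login, "10.0.0.5"))       # 4th call exceeds the threshold of 3
    print(ic.check("SELECT id FROM users WHERE name = 'x' OR 1=1 --'", "10.0.0.6"))
```

The tokenizer is deliberately a single alternation rather than separate comment and string passes: applying a comment regex first would corrupt a string literal containing `--`, and applying a string regex first would let a quote inside a comment swallow the rest of the statement. Both are exactly the shapes a normalization step has to survive.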
In some of these embodiments, the simulation protection system comprises at least one of: a protection system capable of accepting the simulated SQL injection request, and a protection module embedded in the database system and capable of accepting the simulated SQL injection request.
In some embodiments, the apparatus for detecting SQL injection risk further includes a reinforcement module coupled to the matching module 33, configured to match the information of the SQL injection request in a preset reinforcement scheme library, send the reinforcement scheme in the preset reinforcement scheme library that matches the SQL injection request to the database system, and carry out security reinforcement on the database system according to the reinforcement scheme.
The above modules may be functional modules or program modules, and may be implemented in software or hardware. For modules implemented in hardware, the modules may be located in the same processor, or may be located in different processors in any combination.
The present embodiment further provides an electronic device. Fig. 4 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application. As shown in fig. 4, the electronic device includes a memory 404 and a processor 402; the memory 404 stores a computer program, and the processor 402 is configured to execute the computer program to perform the steps in any of the method embodiments.
Specifically, the processor 402 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits that implement the embodiments of the present application.
The processor 402 reads and executes the computer program instructions stored in the memory 404 to implement any one of the methods for detecting SQL injection risk in the above embodiments.
Optionally, the electronic device may further include a transmission device 406 and an input/output device 408, where the transmission device 406 is connected to the processor 402, and the input/output device 408 is connected to the processor 402.
Optionally, in this embodiment, the processor 402 may be configured to execute the following steps by a computer program:
S1, acquiring the SQL injection request.
S2, sending the SQL injection request to the simulation protection system.
S3, judging whether an event corresponding to the SQL injection request occurs in the simulation protection system according to the SQL injection request.
S4, in case an event corresponding to the SQL injection request occurs in the simulation protection system, marking the SQL injection request as a risk request.
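Steps S1 to S4, the simulation protection system of the embodiments above, and the reinforcement scheme library can be shown end to end. The following is an added example written for this page, not the patent's own implementation: the simulation protection system is modelled as a decoy SQLite database with a canary table, the "event" is anything observed while the request runs there (a read of a table outside the request's declared scope, a write or DDL action, or more rows returned than the statement template should yield), and a request that the decoy rejects with an error causes no event and is therefore not a risk request. The decoy schema, the sample data, the event kinds, the reinforcement scheme texts and the sample statements are all constructed assumptions.

```python
import sqlite3

# Decoy schema for the simulation protection system. Constructed sample data,
# not from the patent: an application table plus a canary table that no
# legitimate request is expected to touch.
def build_simulation_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'alice', 'pw-a'), (2, 'bob', 'pw-b');
        CREATE TABLE canary_secrets (id INTEGER, token TEXT);
        INSERT INTO canary_secrets VALUES (1, 'CANARY-TOKEN');
    """)
    return conn

WRITE_ACTIONS = {
    sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_CREATE_TABLE, sqlite3.SQLITE_ALTER_TABLE,
}

# Hypothetical reinforcement scheme library keyed by event kind (assumed content).
REINFORCEMENT_LIBRARY = {
    "row_count": "parameterize the statement and cap the rows the account may return",
    "unexpected_read": "revoke SELECT on tables outside the application's declared scope",
    "write": "revoke DML/DDL privileges from the application account",
}


class SimulationProtectionSystem:
    """Runs an SQL injection request against the decoy and records the events it causes."""

    def __init__(self):
        self.conn = build_simulation_db()
        self.expected_tables = set()
        self.events = []
        self.last_error = None
        # SQLite calls the authorizer for every table/column read and every
        # write or DDL action while a statement is being prepared.
        self.conn.set_authorizer(self._observe)

    def _observe(self, action, arg1, arg2, db_name, trigger_name):
        if action == sqlite3.SQLITE_READ and arg1 not in self.expected_tables:
            self.events.append(("unexpected_read", arg1))
        elif action in WRITE_ACTIONS:
            self.events.append(("write", arg1))
        return sqlite3.SQLITE_OK  # observe only; the decoy never blocks

    def judge(self, sql: str, expected_tables, max_rows: int = 1) -> list:
        """S2/S3: execute the request in the decoy and return the events it caused."""
        self.expected_tables = set(expected_tables)
        self.events = []
        self.last_error = None
        try:
            rows = self.conn.execute(sql).fetchall()
        except sqlite3.Error as exc:
            # A request the decoy rejects does nothing, so it produces no event.
            self.last_error = str(exc)
            rows = []
        if len(rows) > max_rows:
            self.events.append(("row_count", len(rows)))
        return list(self.events)


def is_risk_request(events) -> bool:
    """S4: the injection request is a risk request only if it caused an event."""
    return bool(events)


def match_reinforcement(events) -> list:
    """Look up the reinforcement schemes for the kinds of events observed."""
    return sorted({REINFORCEMENT_LIBRARY[kind] for kind, _ in events
                   if kind in REINFORCEMENT_LIBRARY})


if __name__ == "__main__":
    sim = SimulationProtectionSystem()
    # Constructed sample requests: a legitimate login, a tautology, a UNION that
    # reaches the canary table, and a malformed UNION the decoy rejects.
    for sql in [
        "SELECT id FROM users WHERE name = 'alice' AND password = 'pw-a'",
        "SELECT id FROM users WHERE name = 'x' OR 1=1 --' AND password = 'y'",
        "SELECT id FROM users WHERE name = 'x' UNION SELECT token FROM canary_secrets --'",
        "SELECT id FROM users WHERE name = 'x' UNION SELECT 1, 2 --'",
    ]:
        events = sim.judge(sql, {"users"})
        print(is_risk_request(events), events, match_reinforcement(events), sim.last_error)
```

The point of the decoy is the one the patent argues: only requests that actually do something when executed get marked, so a flood of syntactically broken probes does not have to be intercepted one by one. The authorizer hook is what makes the event observable without parsing the statement; a production simulation system would of course run with the same schema as the protected database rather than a hand-written one.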
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In addition, in combination with the SQL injection risk detection method in the foregoing embodiments, the embodiments of the present application may provide a storage medium on which a computer program is stored; when executed by a processor, the computer program implements any one of the methods for detecting SQL injection risk in the above embodiments.
The SQL injection detection technology in the related art usually performs injection judgment and checking on every SQL statement, and intercepts the SQL statement if an SQL injection request is found. Such precautions have the following drawbacks: the truly risky SQL injection attack may be hidden among a large number of invalid SQL injection requests, and since the risk of an SQL injection request cannot be judged, the protection system has to intercept every SQL injection request one by one, which increases the load of the protection system and lowers the processing efficiency of the database protection system.
Compared with the related art, the embodiment of the application has the following advantages:
(1) According to the method and device, the SQL injection request is sent to the simulation protection system, and whether the SQL injection request is risky is judged based on whether the event corresponding to the SQL injection request occurs in the simulation protection system. This solves the problem in the related art that the risk of an SQL injection request cannot be judged, so that the protection system has to intercept every SQL injection request one by one and its load increases, and achieves the technical effect of reducing the load on the database protection system.
(2) According to the embodiments of the application, standardizing the SQL injection request allows the system to respond in time when the event corresponding to the SQL injection request occurs in the simulation protection system, and obtaining the reinforcement scheme and reinforcing the database system further improves the security protection capability of the database system.
It should be understood by those skilled in the art that various features of the above embodiments can be combined arbitrarily, and for the sake of brevity, all possible combinations of the features in the above embodiments are not described, but should be considered as within the scope of the present disclosure as long as there is no contradiction between the combinations of the features.
The above examples merely illustrate several embodiments of the present application; the description is relatively specific and detailed, but this is not to be construed as limiting the scope of the present application. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.
Claims (10)
1. A method for detecting SQL injection risk, applied to protecting a database system against SQL injection risk, characterized by comprising the following steps:
acquiring an SQL injection request;
sending the SQL injection request to a simulation protection system;
judging whether an event corresponding to the SQL injection request occurs in the simulation protection system or not according to the SQL injection request;
marking the SQL injection request as a risk request in case of occurrence of an event corresponding to the SQL injection request in the simulation protection system.
2. The method for risk detection of SQL injection according to claim 1, wherein before sending the SQL injection request to a simulation protection system, the method further comprises:
removing redundant characters, line feeds and comments in the SQL injection request according to a preset SQL statement template, and replacing the placeholders of constants and variables in the SQL injection request with uniform symbols to obtain a standardized SQL injection request.
3. The method for risk detection of SQL injection according to claim 1, wherein obtaining an SQL injection request comprises:
acquiring an SQL request;
carrying out SQL injection detection on the SQL request, and recording the SQL request with the injection request to obtain the SQL injection request.
4. The method for detecting SQL injection risk according to claim 3, wherein carrying out SQL injection detection on the SQL request and recording the SQL request with the injection request to obtain the SQL injection request comprises:
carrying out SQL injection detection on the SQL request, and sending the SQL request to the database system under the condition that the SQL request is detected to have no injection request;
under the condition that the SQL request is detected to have the injection request, recording the SQL request with the injection request to obtain the SQL injection request.
5. The SQL injection risk detection method according to claim 2, wherein after acquiring the SQL injection request, the method further comprises:
obtaining a protection configuration of the database system, wherein the protection configuration comprises at least one of: the anti-dragging library protection table and the anti-collision library SQL template are configured in the database system;
intercepting the access of the SQL injection request under the condition that the query times of the SQL injection request on the anti-dragging library protection table exceed a preset threshold; or
matching the standardized SQL injection request against the SQL template of the anti-collision library, and intercepting the SQL injection request under the condition that the matching fails.
6. The SQL injection risk detection method of claim 1, wherein the simulation protection system comprises at least one of: the system comprises a protection system capable of accepting the simulation SQL injection request and a protection module embedded in the database system and capable of accepting the simulation SQL injection request.
7. The SQL injection risk detection method according to claim 1, wherein after marking the SQL injection request as a risk request, the method further comprises:
matching the information of the SQL injection request in a preset reinforcement scheme library, and sending a reinforcement scheme matched with the SQL injection request in the preset reinforcement scheme library to the database system;
according to the reinforcement scheme, carrying out security reinforcement on the database system.
8. An apparatus for risk detection of SQL injection, the apparatus comprising:
the acquisition module is used for acquiring the SQL injection request;
the sending module is used for sending the SQL injection request to a simulation protection system;
the judging module is used for judging whether an event corresponding to the SQL injection request occurs in the simulation protection system or not according to the SQL injection request;
the matching module is used for marking the SQL injection request as a risk request under the condition that an event corresponding to the SQL injection request occurs in the simulation protection system.
9. An electronic device comprising a memory, a processor, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the SQL injection risk detection method according to any of claims 1 to 7.
10. A storage medium having stored thereon a computer program, wherein the computer program is configured to execute the SQL injection risk detection method according to any of claims 1 to 7 when running.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010644001.5A CN111767577A (en) | 2020-07-07 | 2020-07-07 | SQL injection risk detection method and device, electronic device and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010644001.5A CN111767577A (en) | 2020-07-07 | 2020-07-07 | SQL injection risk detection method and device, electronic device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111767577A true CN111767577A (en) | 2020-10-13 |
Family
ID=72723919
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010644001.5A Withdrawn CN111767577A (en) | 2020-07-07 | 2020-07-07 | SQL injection risk detection method and device, electronic device and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111767577A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113190839A (en) * | 2021-03-29 | 2021-07-30 | 贵州电网有限责任公司 | Web attack protection method and system based on SQL injection |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102567546A (en) * | 2012-01-18 | 2012-07-11 | 北京神州绿盟信息安全科技股份有限公司 | Structured query language (SQL) injection detection method and SQL injection detection device |
CN105046150A (en) * | 2015-08-06 | 2015-11-11 | 福建天晴数码有限公司 | Method and system for preventing structured query language (SQL) implantation |
CN110245195A (en) * | 2019-04-29 | 2019-09-17 | 北京邮电大学 | Structured query language based on honey pot system injects detection method and device |
- 2020-07-07 CN CN202010644001.5A patent/CN111767577A/en not_active Withdrawn
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2021109669A1 (en) | Method and device for detecting malicious domain name access, and computer readable storage medium | |
Deswarte et al. | Remote integrity checking: How to trust files stored on untrusted servers | |
US10430586B1 (en) | Methods of identifying heap spray attacks using memory anomaly detection | |
US7818781B2 (en) | Behavior blocking access control | |
US11086983B2 (en) | System and method for authenticating safe software | |
Stokes et al. | WebCop: Locating Neighborhoods of Malware on the Web. | |
RU2723665C1 (en) | Dynamic reputation indicator for optimization of computer security operations | |
WO2014071867A1 (en) | Program processing method and system, and client and server for program processing | |
CN110086827B (en) | SQL injection verification method, server and system | |
CN112291258B (en) | Gateway risk control method and device | |
US20180026986A1 (en) | Data loss prevention system and data loss prevention method | |
US11652818B2 (en) | Method and apparatus for accessing service system | |
US20230222226A1 (en) | Memory scan-based process monitoring | |
US10339307B2 (en) | Intrusion detection system in a device comprising a first operating system and a second operating system | |
US11520886B2 (en) | Advanced ransomware detection | |
US9219728B1 (en) | Systems and methods for protecting services | |
CN107623693B (en) | Domain name resolution protection method, device, system, computing equipment and storage medium | |
US20220201016A1 (en) | Detecting malicious threats via autostart execution point analysis | |
CN111767577A (en) | SQL injection risk detection method and device, electronic device and storage medium | |
CN110990844B (en) | Cloud data protection method based on kernel, cloud server and system | |
US10757118B2 (en) | Method of aiding the detection of infection of a terminal by malware | |
CN105791221B (en) | Rule issuing method and device | |
US20230122784A1 (en) | Browser-level runtime supply chain security and attack detection | |
CN106790169B (en) | Protection method and device for scanning of scanning equipment | |
US11468074B1 (en) | Approximate search of character strings |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | Application publication date: 20201013 |