CN112699373A - Method and device for detecting SQL injection vulnerability in batch

Publication number
CN112699373A
Authority
CN
China
Prior art keywords
sql injection
injection vulnerability
filtering
request data
detection result
Legal status
Pending
Application number
CN202011547044.8A
Other languages
Chinese (zh)
Inventor
谢吉伦
薛念明
魏光玉
张明岩
林秀
徐冉
王军建
刘涛
张强
边莉
马玉洁
Current Assignee
Shandong Luneng Software Technology Co Ltd
Original Assignee
Shandong Luneng Software Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/955 Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566 URL specific, e.g. using aliases, detecting broken or misspelled links

Abstract

The invention discloses a method and a device for batch detection of SQL injection vulnerabilities. The method comprises the following steps: acquiring, according to a filtering rule configured by a user, all target request data of the communication between all clients and the server; performing batch SQL injection vulnerability detection on all the target request data to obtain an SQL injection vulnerability detection result file corresponding to each valid target request data; analyzing each SQL injection vulnerability detection result file to judge whether it records an SQL injection vulnerability; and, when a detection result file is judged to record an SQL injection vulnerability, accurately locating the SQL injection vulnerability according to that detection result file.

Description

Method and device for detecting SQL injection vulnerability in batch
Technical Field
The invention relates to the technical field of software security detection, in particular to a method and a device for SQL injection vulnerability batch detection.
Background
In recent years, database-based web applications have become more and more widespread, and the database security problems of business applications, together with the need to protect sensitive data from theft and tampering, have become more and more severe. SQL injection vulnerabilities, among the most destructive vulnerabilities, may exist in any database-based application program. SQL is a database query and programming language for accessing data and for querying, updating and managing relational database systems. SQL injection means that an attacker, exploiting the fact that user input in an application program is not strictly checked, inserts an SQL command into a Web form, a domain name input, or the query string of a page request, and thereby tricks the server into executing a malicious SQL command. An attacker who attacks the application through SQL injection can obtain sensitive information and, in some cases, cause control of the server to be lost. Therefore, for database-based business applications, defending against SQL injection is of considerable importance.
Currently, SQL injection vulnerability detection technology is divided into two modes: automated scanning and manual penetration testing. An automated scanning tool mainly comprises a web crawler and a penetration test. First, the web crawler collects a list of the target system's URLs on the server, and then penetration testing is carried out on that URL list. This method can detect SQL injection vulnerabilities quickly, but the coverage of the test data obtained by the crawler limits the detection capability. Because of the limitations and instability of existing crawler technology, the false alarm and false negative probabilities of most scanning tools are high, and the detection accuracy is low. Manual analysis requires the tester to have a relatively deep knowledge of the system under test, to filter out the target test points, and to test them one by one by hand. Although the accuracy of vulnerability detection can be guaranteed, the technical requirement on the tester is high and the detection process consumes a large amount of time, so the efficiency is low.
An analysis of SQL injection vulnerability detection technology shows that SQL injection attack modes are very complicated and variable, and the existing detection technology cannot meet the requirements of application programs.
Disclosure of Invention
The invention provides a method and a device for batch detection of SQL injection vulnerabilities. It combines the advantages of existing vulnerability detection tools: test data is collected quickly and comprehensively through a proxy tool, SQLMAP (an open-source tool for detecting and exploiting SQL injection vulnerabilities) is integrated, and vulnerability detection is executed on the data to be detected in batch mode, thereby ensuring the efficiency and accuracy of detection.
The method for the SQL injection vulnerability batch detection provided by the embodiment of the invention comprises the following steps:
acquiring all target request data of all client-side and server communication according to a filtering rule configured by a user;
obtaining an SQL injection vulnerability detection result file corresponding to each effective target request data by carrying out SQL injection vulnerability batch detection processing on all the target request data;
analyzing each SQL injection vulnerability detection result file to judge whether the SQL injection vulnerability detection result file has the SQL injection vulnerability or not;
and when the SQL injection vulnerability detection result file is judged to have the SQL injection vulnerability, carrying out accurate SQL injection vulnerability positioning according to the SQL injection vulnerability detection result file.
Preferably, after the obtaining all target request data of all clients communicating with the server, the method further includes:
extracting session information in each target request data by respectively analyzing and processing each target request data;
judging whether the session information in each target request data is effective session information or not;
and when the session information in the target request data is judged to be invalid session information, replacing the invalid session information in the target request data with valid session information.
Preferably, the filtering rules include domain name filtering, request type filtering and return code filtering. Domain name filtering comprises primary domain name filtering and secondary domain name filtering. Type filtering filters according to request header information, and includes showing only requests whose URL contains a specified character string, hiding requests whose URL contains a specified character string, and marking requests that carry a specific header. Return code filtering filters according to the server response type, and includes modes such as picture type, HTML type, TEXT/CSS type, SCRIPTS type, JSON and XML.
Preferably, the obtaining all target request data of all clients communicating with the server includes:
monitoring the communication between all the clients and the server by using the SmartFiddler proxy tool, and recording and storing all target request data of the communication between all the clients and the server.
Preferably, the obtaining the SQL injection vulnerability detection result file corresponding to each valid target request data by performing SQL injection vulnerability batch detection processing on all the target request data includes:
and carrying out SQL injection vulnerability batch detection processing on all target request data by utilizing an integrated SQLMAP vulnerability detection tool configured with detection rules and configuration files to obtain an SQL injection vulnerability detection result file corresponding to each effective target request data.
Preferably, the detection rules include default detection rules and custom detection rules, wherein the default detection rules include Boolean-based blind injection, time-based blind injection, error-based injection, UNION query injection, and stacked query injection.
Preferably, the analyzing each SQL injection vulnerability detection result file to determine whether the SQL injection vulnerability detection result file has the SQL injection vulnerability includes:
analyzing each SQL injection vulnerability detection result file, and extracting SQL injection point label information in the SQL injection vulnerability detection result file;
and judging whether the SQL injection vulnerability detection result file has the SQL injection vulnerability or not according to the SQL injection point label information.
The device for SQL injection vulnerability batch detection provided by the embodiment of the invention comprises:
the acquisition module is used for acquiring all target request data of all client-side and server communication according to the filtering rule configured by the user;
the detection module is used for carrying out SQL injection vulnerability batch detection processing on all the target request data to obtain an SQL injection vulnerability detection result file corresponding to each effective target request data;
the judging module is used for judging whether the SQL injection vulnerability detection result file has the SQL injection vulnerability or not by analyzing each SQL injection vulnerability detection result file;
and the positioning module is used for positioning the SQL injection vulnerability according to the SQL injection vulnerability detection result file when the SQL injection vulnerability is judged to exist in the SQL injection vulnerability detection result file.
Preferably, the determining module is further configured to extract session information in each target request data by analyzing and processing each target request data, determine whether the session information in each target request data is valid session information, and replace invalid session information in the target request data with valid session information when the session information in the target request data is determined to be invalid session information.
Preferably, the filtering rules include domain name filtering, request type filtering and return code filtering. Domain name filtering comprises primary domain name filtering and secondary domain name filtering. Type filtering filters according to request header information, and includes showing only requests whose URL contains a specified character string, hiding requests whose URL contains a specified character string, and marking requests that carry a specific header. Return code filtering filters according to the server response type, and includes modes such as picture type, HTML type, TEXT/CSS type, SCRIPTS type, JSON and XML.
According to the scheme provided by the embodiment of the invention, the high efficiency and the accuracy of SQL injection vulnerability detection can be ensured, the conditions of missing detection and false alarm can be reduced to the maximum extent, the safety of a web application system is ensured, the research and development efficiency is improved, and the digital transformation of an enterprise is promoted.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a flowchart of a method for batch detection of SQL injection vulnerabilities according to an embodiment of the present invention;
fig. 2 is a schematic diagram of an apparatus for SQL injection vulnerability batch detection according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a batch SQL injection vulnerability detection architecture provided by the embodiment of the present invention;
fig. 4 is a schematic diagram of request data collection and local storage with the SmartFiddler proxy tool according to an embodiment of the present invention;
fig. 5 is a schematic diagram of (a) data validity control and (b) SQLMAP integration and batch processing provided by an embodiment of the present invention;
fig. 6 is a schematic diagram illustrating an operation principle of a result analysis and vulnerability location module according to an embodiment of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings, and it should be understood that the preferred embodiments described below are only for the purpose of illustrating and explaining the present invention, and are not to be construed as limiting the present invention.
Fig. 1 is a flowchart of a method for batch detection of SQL injection vulnerabilities according to an embodiment of the present invention, as shown in fig. 1, including:
step S101: acquiring all target request data of all client-side and server communication according to a filtering rule configured by a user;
step S102: obtaining an SQL injection vulnerability detection result file corresponding to each effective target request data by carrying out SQL injection vulnerability batch detection processing on all the target request data;
step S103: analyzing each SQL injection vulnerability detection result file to judge whether the SQL injection vulnerability detection result file has the SQL injection vulnerability or not;
step S104: and when the SQL injection vulnerability detection result file is judged to have the SQL injection vulnerability, carrying out accurate SQL injection vulnerability positioning according to the SQL injection vulnerability detection result file.
Preferably, after the obtaining all target request data of all clients communicating with the server, the method further includes: extracting session information in each target request data by respectively analyzing and processing each target request data; judging whether the session information in each target request data is effective session information or not; and when the session information in the target request data is judged to be invalid session information, replacing the invalid session information in the target request data with valid session information.
Preferably, the filtering rules include domain name filtering, request type filtering and return code filtering. Domain name filtering comprises primary domain name filtering and secondary domain name filtering. Type filtering filters according to request header information, and includes showing only requests whose URL contains a specified character string, hiding requests whose URL contains a specified character string, and marking requests that carry a specific header. Return code filtering filters according to the server response type, and includes modes such as picture type, HTML type, TEXT/CSS type, SCRIPTS type, JSON and XML.
Preferably, the obtaining all target request data of all clients communicating with the server includes: monitoring the communication between all the clients and the server by using the SmartFiddler proxy tool, and recording and storing all target request data of the communication between all the clients and the server.
Preferably, the obtaining the SQL injection vulnerability detection result file corresponding to each valid target request data by performing SQL injection vulnerability batch detection processing on all the target request data includes: and carrying out SQL injection vulnerability batch detection processing on all target request data by utilizing an integrated SQLMAP vulnerability detection tool configured with detection rules and configuration files to obtain an SQL injection vulnerability detection result file corresponding to each effective target request data.
Preferably, the detection rules include default detection rules and custom detection rules, wherein the default detection rules include Boolean-based blind injection, time-based blind injection, error-based injection, UNION query injection, and stacked query injection.
Preferably, the analyzing each SQL injection vulnerability detection result file to determine whether the SQL injection vulnerability detection result file has the SQL injection vulnerability includes: analyzing each SQL injection vulnerability detection result file, and extracting SQL injection point label information in the SQL injection vulnerability detection result file; and judging whether the SQL injection vulnerability detection result file has the SQL injection vulnerability or not according to the SQL injection point label information.
Fig. 2 is a schematic diagram of an apparatus for SQL injection vulnerability batch detection according to an embodiment of the present invention, as shown in fig. 2, including: an obtaining module 201, configured to obtain all target request data for communication between all clients and the server according to a filtering rule configured by a user; the detection module 202 is configured to perform SQL injection vulnerability batch detection processing on all the target request data to obtain an SQL injection vulnerability detection result file corresponding to each valid target request data; the judging module 203 is configured to judge whether an SQL injection vulnerability exists in each SQL injection vulnerability detection result file by analyzing each SQL injection vulnerability detection result file; and the positioning module 204 is configured to, when it is determined that the SQL injection vulnerability exists in the SQL injection vulnerability detection result file, perform accurate positioning of the SQL injection vulnerability according to the SQL injection vulnerability detection result file.
Preferably, the determining module 203 is further configured to extract session information in each target request data by analyzing and processing each target request data, determine whether the session information in each target request data is valid session information, and replace invalid session information in the target request data with valid session information when the session information in the target request data is determined to be invalid session information.
Preferably, the filtering rules include domain name filtering, request type filtering and return code filtering. Domain name filtering comprises primary domain name filtering and secondary domain name filtering. Type filtering filters according to request header information, and includes showing only requests whose URL contains a specified character string, hiding requests whose URL contains a specified character string, and marking requests that carry a specific header. Return code filtering filters according to the server response type, and includes modes such as picture type, HTML type, TEXT/CSS type, SCRIPTS type, JSON and XML.
The technical scheme of the invention is explained by combining the attached figures 3-6.
1. Based on the characteristics of WEB application programs, the invention establishes an accurate SQL injection vulnerability batch detection model that combines the advantages of automated scanning and manual penetration analysis, balances detection efficiency and accuracy, and reduces missed detections and false alarms. The model is a precise and rapid SQL injection vulnerability detection method that integrates customized data collection with automatic batch execution. It comprises three major parts: a request acquisition and storage flow; batch execution of vulnerability detection (comprising an SQL injection detection rule customization flow, an SQL injection batch penetration test flow and a flow for automatically storing test process data); and a data result analysis flow. Each part and its corresponding function are shown in table 1.
Table 1: accurate SQL injection vulnerability batch detection modules and functions
[Table 1 is an image in the original publication and is not reproduced here.]
2. A method for rapidly detecting SQL injection vulnerabilities in batch is established. Proxy-based SQL injection vulnerability detection can effectively and quickly identify SQL injection vulnerabilities in the system under test, and, combined with the test process data, can accurately locate the vulnerable module and the corresponding request. The batch SQL injection vulnerability detection architecture is shown in fig. 3.
(21) Request acquisition and storage. The browser is monitored through a proxy tool obtained by secondary development, which achieves accurate acquisition and automatic local storage of the request data.
(22) Batch execution of vulnerability detection. The SQLMAP vulnerability detection tool is integrated; the SQL injection detection rule customization module defines and imports custom payloads; and the SQL injection batch detection execution module and the test result data storage module are called to complete batch vulnerability detection and storage of the execution process data.
(23) Result analysis. The test results are analyzed through keyword scanning, and the position of the target data request that has an SQL injection vulnerability is located.
Together these realize the analysis, checking, injection and other functions for SQL injection vulnerabilities. The SQL injection vulnerability detection model has low implementation cost, high operation efficiency and a low false alarm rate, and can effectively improve the ability to detect SQL injection vulnerabilities.
3. Method for establishing request collection and storage
The key to this process is to record the request data to be tested efficiently and accurately through SmartFiddler, a proxy tool obtained by secondary development. SmartFiddler is an HTTP debugging proxy that can monitor and record all communication data and request information between clients and servers. SmartFiddler's proxy function is the precondition for batch vulnerability detection: the tester only needs to visit each input point of the web application through the front end, and SmartFiddler, by monitoring, accurately collects and records the test request data and provides the data input for the subsequent batch penetration detection. The specific operation steps and principles are shown in FIG. 4.
(31) In the SmartFiddler proxy tool, the script editor file is modified and code for a command-line save instruction is added, which implements the storage type of the formatted data request file, the setting of a local storage path, and one-key saving of the target request data.
(32) After debugging and development are completed, SmartFiddler is opened to monitor the browser, and the filter rule is a data packet capturing rule. The user can customize SmartFiddler filter rules (including domain name filtering, request type filtering and return code filtering) according to business requirements, realize filtering of server request data, monitor target request data and capture response data. The domain name filtering comprises primary domain name filtering and secondary domain name filtering, and all requests and responses under the domain name are monitored and captured by configuring the domain name filtering. The type filtering means filtering according to the request header information, and includes a method of displaying only a request containing a specified character string in the URL, a method of hiding only a request containing a specified character string in the URL, a method of marking a request with a specific header, and the like. The return code filtering refers to filtering according to the server response type, and comprises modes of picture type, HTML type, TEXT/CSS type, SCRIPTS type, JSON, XML and the like.
(33) The test site is browsed manually; SmartFiddler automatically records the http/https requests of all client and server communication that remain after filtering according to the rules of step (32).
(34) After making sure that every function of the application has been traversed, all target request data recorded by SmartFiddler is exported with the command-line save instruction of step (31).
After secondary development, the proxy function of SmartFiddler is a key step of the test process, and the recorded and stored data requests are all target site requests, so that the test accuracy is effectively improved; the target request data is stored according to a specific file format, data input is provided for the penetration tool, and the testing efficiency is effectively improved. The method can well make up for the defects of the automatic scanning tool in the aspect of test data collection.
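The filter rules of step (32) can be read as a scope gate that decides which captured requests are handed to the batch detector. The sketch below is an added example, not code from the patent or from SmartFiddler; the record layout, the rule field names, and the interpretation of "primary" and "secondary" domain filtering as registered domain plus allowed sub-domain labels are assumptions, and the captured records are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class FilterRules:
    """Hypothetical rule set modelled on step (32); field names are assumptions."""
    primary_domain: str                           # primary domain that is in scope
    subdomains: frozenset = frozenset()           # allowed secondary labels; empty = any
    show_only_url_contains: tuple = ()            # if set, URL must contain one of these
    hide_url_contains: tuple = ()                 # URL containing any of these is dropped
    hide_response_kinds: frozenset = frozenset()  # response types that are dropped


def in_scope(host, rules):
    """Domain filter. Matching is done on a label boundary so that
    'evilexample.test' is never treated as part of 'example.test'."""
    host = (host or "").lower().rstrip(".")
    primary = rules.primary_domain.lower()
    if host == primary:
        return not rules.subdomains
    if not host.endswith("." + primary):
        return False
    if not rules.subdomains:
        return True
    return host[: -len(primary) - 1] in rules.subdomains


def response_kind(content_type):
    """Map a Content-Type header to the response types named in the text."""
    ct = content_type.split(";")[0].strip().lower()
    if ct.startswith("image/"):
        return "image"
    if ct == "text/html":
        return "html"
    if ct == "text/css":
        return "css"
    if ct in ("application/javascript", "text/javascript", "application/x-javascript"):
        return "script"
    if ct == "application/json" or ct.endswith("+json"):
        return "json"
    if ct in ("application/xml", "text/xml") or ct.endswith("+xml"):
        return "xml"
    return "other"


def keep(record, rules):
    """Apply domain, request type (URL substring) and response type filters."""
    url = record["url"]
    if not in_scope(urlsplit(url).hostname, rules):
        return False
    if rules.show_only_url_contains and not any(
        s in url for s in rules.show_only_url_contains
    ):
        return False
    if any(s in url for s in rules.hide_url_contains):
        return False
    return response_kind(record.get("content_type", "")) not in rules.hide_response_kinds


def select_targets(records, rules):
    """Return the captured records that become target request data."""
    return [r for r in records if keep(r, rules)]


# Constructed capture log (hosts under the reserved .test TLD).
SAMPLE = [
    {"url": "https://app.example.test/user/view?id=1", "content_type": "text/html"},
    {"url": "https://static.example.test/logo.png", "content_type": "image/png"},
    {"url": "https://api.example.test/v1/orders?status=open",
     "content_type": "application/json; charset=utf-8"},
    {"url": "https://app.example.test/assets/site.css", "content_type": "text/css"},
    {"url": "https://evilexample.test/user/view?id=1", "content_type": "text/html"},
    {"url": "https://app.example.test/logout", "content_type": "text/html"},
]

RULES = FilterRules(
    primary_domain="example.test",
    subdomains=frozenset({"app", "api"}),
    hide_url_contains=("/logout",),   # keeps the recorded session from being ended
    hide_response_kinds=frozenset({"image", "css", "script"}),
)

if __name__ == "__main__":
    for rec in select_targets(SAMPLE, RULES):
        print(rec["url"])
```

Matching the domain on a label boundary is what keeps look-alike hosts out of the target set, so the batch run stays inside the system it is authorised to test.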
4. Method for establishing batch execution vulnerability detection
After a validity check, the request data collected by SmartFiddler is passed to the SQLMAP batch detection program, which carries out SQL injection penetration testing on the target request data. This includes control of the number of batch execution programs, SQLMAP execution control, detection result output control and the like.
<1> Data validity check. Each data packet collected by SmartFiddler contains a complete request. If the application requires login before it can be accessed, each target data request is parsed, the indicator of whether the token in the session is valid is extracted, and the session information in the request is checked for validity. The valid session information is the same for every target data request, and where a request carries invalid session information the valid session information should be written into that request file, as shown in fig. 5 (a). For example: the target data is parsed and the indicator of whether the token in the session is valid is extracted. In general, response status code 0 indicates that the request was successful, response status code 10010 indicates that the token has expired, and response status code 10011 indicates that the token is invalid. In both of the states 10010 and 10011, the flow jumps to the login page, logs in again and obtains the latest valid session.
<2> SQLMAP integration and batch detection. First, the open-source SQLMAP detection tool is integrated, and rule configuration is completed with the default detection rules in the SQLMAP detection library and with user-defined rules. The default detection rules mainly comprise Boolean-based blind injection, time-based blind injection, error-based injection, UNION query injection, stacked query injection and the like. Then the request execution path and the related database information are set in the configuration file, and the batch detection program is started according to this configuration to carry out batch SQL injection detection of the target data requests. To improve execution efficiency, the batch penetration run uses multiple concurrent processes, which makes full use of system resources and increases the execution speed of the program, as shown in fig. 5 (b). For example, part of the content of the Boolean-based blind injection detection rule is as follows:
[The rule excerpt is an image in the original publication and is not reproduced here.]
Meanwhile, the intermediate data generated while the SQL injection batch detection runs is automatically stored locally. Each target data request file corresponds to one detection result file and carries a unique serial number identifier. For example, the data request file 1_request.xml corresponds to the detection result file 1_request.xml-result.xm.
5. Method for establishing vulnerability detection result analysis
The result analysis module parses the SQL injection batch detection results and checks whether the count attribute of the SQL injection point tag injection is 0, which determines whether an SQL injection vulnerability exists. Part of the content of a detection result file is as follows:
<injection count="..."> <!-- Identified SQL injection points; count is the number of injection points -->
<parameter>id</parameter>
<method>GET</method>
<point>
<type>boolean-based blind</type>
<title>OR boolean-based blind-WHERE or HAVING clause(NOT-MySQL comment)</title>
<payload>id=1'OR NOT 9058=9058#&Submit=Submit</payload>
</point>
......
</injection>
The corresponding data request file can then be located through the serial number identifier, so that the system URL address with the vulnerability can be located quickly, as shown in FIG. 6.
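The judging and locating steps described above can be sketched as follows. This is an added example, not code from the patent: it assumes result files are named `<serial>_request.xml-result.xml`, that the `injection` element may be the root or nested, and it uses constructed result files. A result file that cannot be parsed is reported separately rather than counted as clean.

```python
import re
import xml.etree.ElementTree as ET

# Assumed naming scheme: "<serial>_request.xml-result.xml" pairs with
# "<serial>_request.xml".
RESULT_NAME = re.compile(r"^(?P<serial>\d+)_request\.xml-result\.xml$")


def analyze_result(xml_text):
    """Return one finding per injection point; an empty list means the
    count attribute was 0 (or absent) for every <injection> element."""
    root = ET.fromstring(xml_text)
    findings = []
    for inj in root.iter("injection"):      # also matches the root element
        try:
            count = int(inj.get("count", "0"))
        except ValueError:
            count = 0
        if count == 0:
            continue
        # If count > 0 but no <point> is listed, still record one finding.
        for point in inj.findall("point") or [ET.Element("point")]:
            findings.append({
                "parameter": inj.findtext("parameter"),
                "method": inj.findtext("method"),
                "type": point.findtext("type"),
                "title": point.findtext("title"),
            })
    return findings


def triage(result_files):
    """result_files maps result file name -> XML text. Returns which request
    files are vulnerable, which are clean, and which results need review."""
    report = {"vulnerable": [], "clean": [], "unparsed": []}
    for name in sorted(result_files):
        match = RESULT_NAME.match(name)
        if not match:
            report["unparsed"].append(name)
            continue
        try:
            findings = analyze_result(result_files[name])
        except ET.ParseError:
            # A truncated or corrupt result must not be read as "no vulnerability".
            report["unparsed"].append(name)
            continue
        request_file = f"{match['serial']}_request.xml"
        if findings:
            report["vulnerable"].append((request_file, findings))
        else:
            report["clean"].append(request_file)
    return report


# Constructed result files for illustration.
SAMPLE_RESULTS = {
    "1_request.xml-result.xml": (
        '<results><injection count="1">'
        "<parameter>id</parameter><method>GET</method>"
        "<point><type>boolean-based blind</type>"
        "<title>constructed sample title</title></point>"
        "</injection></results>"
    ),
    "2_request.xml-result.xml": '<results><injection count="0"/></results>',
    "3_request.xml-result.xml": '<results><injection count="1"><parameter>q',
}

if __name__ == "__main__":
    report = triage(SAMPLE_RESULTS)
    for request_file, findings in report["vulnerable"]:
        for f in findings:
            print(request_file, f["method"], f["parameter"], f["type"])
    print("clean:", report["clean"])
    print("needs review:", report["unparsed"])
```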
After the injection point is located, a further penetration attack can be carried out to obtain the database table structure, the table data and the like. System hardening and repair suggestions are then given according to the test result.
According to the scheme provided by the embodiment of the invention: existing automated scanning tools are limited by factors such as a single detection mode and unstable crawler data collection, so missed detections and false alarms are serious. This patent proposes an accurate batch SQL injection vulnerability detection scheme. Accurate batch SQL injection vulnerability detection ensures the stability and comprehensiveness of the data to be detected and reduces missed data input points. It collects and records test request data accurately by means of HTTP proxy monitoring, provides the data input for the subsequent batch penetration detection, and ensures the efficiency of vulnerability detection. SmartFiddler is an HTTP-based proxy tool through which web access data passes; it can monitor all incoming and outgoing data such as cookies, HTML, JS and CSS, and supports interception, retransmission, editing and data dumping.
Although the present invention has been described in detail hereinabove, the present invention is not limited thereto, and various modifications can be made by those skilled in the art in light of the principle of the present invention. Thus, modifications made in accordance with the principles of the present invention should be understood to fall within the scope of the present invention.

Claims (10)

1. A method for SQL injection vulnerability batch detection, characterized by comprising the following steps:
acquiring all target request data of the communication between all clients and the server according to a filtering rule configured by a user;
obtaining an SQL injection vulnerability detection result file corresponding to each valid target request data by performing SQL injection vulnerability batch detection processing on all the target request data;
parsing each SQL injection vulnerability detection result file to judge whether the SQL injection vulnerability detection result file indicates an SQL injection vulnerability;
and when the SQL injection vulnerability detection result file is judged to indicate an SQL injection vulnerability, locating the SQL injection vulnerability precisely according to the SQL injection vulnerability detection result file.
2. The method of claim 1, further comprising, after acquiring all target request data of the communication between all clients and the server:
extracting the session information in each target request data by analyzing each target request data separately;
judging whether the session information in each target request data is valid session information;
and when the session information in the target request data is judged to be invalid session information, replacing the invalid session information in the target request data with valid session information.
3. The method of claim 1, wherein the filtering rules include domain name filtering, request type filtering, and return code filtering; the domain name filtering comprises primary domain name filtering and secondary domain name filtering; the request type filtering is filtering according to request header information, and comprises a request only displaying the URL and containing the specified character string, a request only hiding the URL and containing the specified character string, and a request marking a special header; the return code filtering is filtering according to the server response type, and comprises the image type, HTML type, TEXT/CSS type, SCRIPTS type, JSON, XML and the like.
4. The method of claim 1, wherein acquiring all target request data of the communication between all clients and the server comprises:
monitoring the communication between all clients and the server by using the SmartFiddler proxy tool, and recording and storing all target request data of the communication between all clients and the server.
5. The method according to claim 1, wherein obtaining the SQL injection vulnerability detection result file corresponding to each valid target request data by performing SQL injection vulnerability batch detection processing on all the target request data comprises:
performing SQL injection vulnerability batch detection processing on all target request data by using an integrated SQLMAP vulnerability detection tool configured with detection rules and configuration files, to obtain an SQL injection vulnerability detection result file corresponding to each valid target request data.
6. The method of claim 5, wherein the detection rules include default detection rules and custom detection rules; wherein the default detection rules include boolean-based blind injection, time-based blind injection, error-based injection, UNION query injection, and stacked query injection.
7. The method according to claim 1, wherein parsing each SQL injection vulnerability detection result file to judge whether the SQL injection vulnerability detection result file indicates an SQL injection vulnerability comprises:
parsing each SQL injection vulnerability detection result file, and extracting the SQL injection point tag information in the SQL injection vulnerability detection result file;
and judging whether the SQL injection vulnerability detection result file indicates an SQL injection vulnerability according to the SQL injection point tag information.
8. A device for SQL injection vulnerability batch detection, characterized by comprising:
an acquisition module, used for acquiring all target request data of the communication between all clients and the server according to the filtering rule configured by the user;
a detection module, used for performing SQL injection vulnerability batch detection processing on all the target request data to obtain an SQL injection vulnerability detection result file corresponding to each valid target request data;
a judging module, used for judging whether the SQL injection vulnerability detection result file indicates an SQL injection vulnerability by parsing each SQL injection vulnerability detection result file;
and a positioning module, used for locating the SQL injection vulnerability according to the SQL injection vulnerability detection result file when the SQL injection vulnerability detection result file is judged to indicate an SQL injection vulnerability.
9. The apparatus according to claim 8, wherein the determining module is further configured to extract session information in each target request data by performing analysis processing on each target request data, determine whether the session information in each target request data is valid session information, and replace invalid session information in the target request data with valid session information when the session information in the target request data is determined to be invalid session information.
10. The apparatus of claim 8, wherein the filtering rules comprise domain name filtering, request type filtering, and return code filtering; the domain name filtering comprises primary domain name filtering and secondary domain name filtering; the request type filtering is filtering according to request header information, and comprises a request only displaying the URL and containing the specified character string, a request only hiding the URL and containing the specified character string, and a request marking a special header; the return code filtering is filtering according to the server response type, and comprises the image type, HTML type, TEXT/CSS type, SCRIPTS type, JSON, XML and the like.
CN202011547044.8A 2020-12-24 2020-12-24 Method and device for detecting SQL injection vulnerability in batch Pending CN112699373A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011547044.8A CN112699373A (en) 2020-12-24 2020-12-24 Method and device for detecting SQL injection vulnerability in batch

Publications (1)

Publication Number Publication Date
CN112699373A true CN112699373A (en) 2021-04-23

Family

ID=75509612

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011547044.8A Pending CN112699373A (en) 2020-12-24 2020-12-24 Method and device for detecting SQL injection vulnerability in batch

Country Status (1)

Country Link
CN (1) CN112699373A (en)


Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101425937A (en) * 2007-11-02 2009-05-06 北京启明星辰信息技术有限公司 SQL injection attack detection system suitable for high speed LAN environment
CN102831345A (en) * 2012-07-30 2012-12-19 西北工业大学 Injection point extracting method in SQL (Structured Query Language) injection vulnerability detection
CN106789926A (en) * 2016-11-28 2017-05-31 浪潮软件集团有限公司 Multi-process automatic SQL injection batch scanning tool and method
CN107704758A (en) * 2017-08-25 2018-02-16 郑州云海信息技术有限公司 A kind of SQL injection leak detection method and detection means
CN110324311A (en) * 2019-05-21 2019-10-11 平安科技(深圳)有限公司 Method, apparatus, computer equipment and the storage medium of Hole Detection
CN111600885A (en) * 2020-05-15 2020-08-28 北京铭图天成信息技术有限公司 SQL injection vulnerability detection method and device, equipment and storage medium
CN111770104A (en) * 2020-07-02 2020-10-13 浪潮云信息技术股份公司 Web vulnerability detection method, system, terminal and computer readable storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
练坤梅等: "SQL 注入漏洞多等级检测方法研究", 《计算机科学与探索》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114244599A (en) * 2021-12-15 2022-03-25 杭州默安科技有限公司 Method for interfering malicious program
CN114244599B (en) * 2021-12-15 2023-11-24 杭州默安科技有限公司 Method for interfering malicious program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210423
