CN116915454A - SQL injection vulnerability detection method and device, electronic equipment and storage medium - Google Patents

Publication number
CN116915454A
Authority
CN
China
Prior art keywords
expression
decoding operation
vulnerability detection
decoding
candidate
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310833281.8A
Other languages
Chinese (zh)
Inventor
王有元
胡中明
王兴科
杨旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Technology Innovation Center
China Telecom Corp Ltd
Original Assignee
China Telecom Technology Innovation Center
China Telecom Corp Ltd

Classifications

    • Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y02: Technologies or applications for mitigation or adaptation against climate change
    • Y02D: Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The application provides an SQL injection vulnerability detection method, a device, an electronic device and a storage medium, which are used for improving the accuracy of SQL injection vulnerability detection. The method comprises the following steps: acquiring payload information from a user request; performing a decoding operation on the payload information to obtain a first expression; performing semantic normalization on the first expression to obtain a second expression; and performing vulnerability detection on the second expression to obtain a vulnerability detection result. Because the payload information in the user request is first decoded and semantically normalized, vulnerability detection is performed on a second expression with definite semantics, which improves both the efficiency and the accuracy of detection.

Description

SQL injection vulnerability detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method and apparatus for detecting an SQL injection vulnerability, an electronic device, and a storage medium.
Background
Structured Query Language (SQL) injection is a widespread and highly dangerous Web attack technique. By guessing and verifying the target system's SQL execution logic, an attacker crafts an attack payload that deceives the SQL interpreter into executing malicious commands or accessing unauthorized data. The attack is highly covert, and the attacked Web application may leak or corrupt sensitive information, seriously affecting normal business.
The existing method for detecting SQL injection vulnerabilities mainly matches user requests against regular expressions to obtain a detection result. However, an attacker can craft a user request with obfuscation and similar techniques to bypass the regular expression, and the only countermeasure is to write ever more complex regular expressions, so that the regular expressions that must be maintained become more and more complex while detection efficiency and accuracy decline.
Disclosure of Invention
The application provides an SQL injection vulnerability detection method, a device, an electronic device and a storage medium, which are used for improving the efficiency and accuracy of SQL injection vulnerability detection.
In a first aspect, an embodiment of the present application provides a method for detecting an SQL injection vulnerability, where the method includes:
acquiring payload information from a user request, where the payload information represents the user-controlled data in the user request;
performing a decoding operation on the payload information to obtain a first expression;
performing semantic normalization on the first expression to obtain a second expression;
and performing vulnerability detection on the second expression to obtain a vulnerability detection result.
According to this embodiment, after the payload information in the user request is obtained, it is decoded and semantically normalized to obtain a second expression with definite semantics, and vulnerability detection is performed on that second expression, so that detection efficiency and accuracy can be improved.
In an optional implementation, performing the decoding operation on the payload information to obtain the first expression includes:
performing the decoding operation on the payload information multiple times to obtain the first expression, where the decoding operation includes a URL decoding operation, a base64 decoding operation, a base32 decoding operation and a hexadecimal decoding operation;
where one execution of the decoding operation comprises:
sequentially executing the URL decoding operation, the base64 decoding operation, the base32 decoding operation and the hexadecimal decoding operation on the payload information.
Performing the decoding operation multiple times reduces the complexity of the user request and yields a first expression with definite semantics.
In an optional implementation, performing semantic normalization on the first expression to obtain the second expression includes:
performing special-character conversion and logical-character conversion on the first expression to obtain a first candidate expression;
performing keyword conversion on the first candidate expression to obtain a second candidate expression;
executing the executable statements in the second candidate expression to obtain execution results;
and replacing the executable statements in the second candidate expression with their execution results to obtain the second expression.
The special-character conversion, logical-character conversion, keyword conversion and statement conversion together complete the semantic normalization of the first expression and produce a second expression with definite semantics, which improves the accuracy of the subsequent vulnerability detection on that expression.
In an optional implementation, performing keyword conversion on the first candidate expression to obtain the second candidate expression includes:
determining, through fuzzy matching, the character strings in the first candidate expression that are similar to a keyword;
and replacing each such character string in the first candidate expression with the keyword it resembles, to obtain the second candidate expression.
Replacing the character strings that resemble keywords with the corresponding keywords yields a second candidate expression with definite semantics.
In an optional implementation, replacing the executable statement in the second candidate expression with its execution result includes:
determining the keyword in the executable statement;
and replacing the executable statement in the second candidate expression with the execution result together with the keyword.
In an optional implementation, performing vulnerability detection on the second expression to obtain the vulnerability detection result includes:
matching the second expression against a regular expression;
if the match fails, determining that the vulnerability detection result is that no SQL injection vulnerability is detected; or,
if the match succeeds, determining that the vulnerability detection result is that an SQL injection vulnerability is detected.
Because the regular expressions describing SQL injection features are matched against a second expression with definite semantics, the number of regular expressions that must be maintained can be reduced, maintenance cost is lowered, and detection efficiency and accuracy are improved.
In a second aspect, an embodiment of the present application provides an SQL injection vulnerability detection apparatus, including:
an acquisition unit, configured to acquire payload information from a user request, where the payload information represents the user-controlled data in the user request;
a decoding unit, configured to perform a decoding operation on the payload information to obtain a first expression;
a processing unit, configured to perform semantic normalization on the first expression to obtain a second expression;
and a detection unit, configured to perform vulnerability detection on the second expression to obtain a vulnerability detection result.
In a third aspect, an embodiment of the present application provides an electronic device, including a memory and a processor, where the memory stores a computer program executable on the processor, and when the computer program is executed by the processor, the SQL injection vulnerability detection method of the first aspect is implemented.
In a fourth aspect, an embodiment of the present application further provides a computer storage medium storing computer program instructions which, when executed on a computer, cause the computer to perform the SQL injection vulnerability detection method of the first aspect.
The technical effects caused by any implementation manner of the second aspect to the fourth aspect may refer to the technical effects caused by the corresponding implementation manner of the first aspect, and are not described herein.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it will be apparent that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a SQL injection vulnerability detection method according to an embodiment of the application;
FIG. 2 is a schematic diagram illustrating a decoding operation according to an embodiment of the present application;
FIG. 3 is a schematic diagram illustrating a complete flow of SQL injection vulnerability detection according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an SQL injection vulnerability detection device according to an embodiment of the present application;
fig. 5 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Some terms appearing hereinafter are explained:
Regular expression: often abbreviated in code as regex, regexp or RE, a concept of computer science. Regular expressions are typically used to retrieve or replace text that matches a certain pattern (rule).
A regular expression is a logical formula operating on character strings: a "pattern string" composed of predefined specific characters and combinations of them, which expresses a filtering logic for character strings.
The word "exemplary" is used hereinafter to mean "serving as an example, embodiment, or illustration. Any embodiment described as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments.
The terms "first," "second," and the like herein are used for descriptive purposes only and are not to be construed as either explicit or implicit relative importance or to indicate the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature, and in the description of embodiments of the application, unless otherwise indicated, the meaning of "a plurality" is two or more.
The existing method for detecting SQL injection vulnerabilities mainly matches user requests against regular expressions to obtain a detection result. However, an attacker can craft a user request with obfuscation and similar techniques to bypass the regular expression, and the only countermeasure is to write ever more complex regular expressions, so that the regular expressions that must be maintained become more and more complex while detection efficiency and accuracy decline.
Based on the above problems, the embodiment of the application provides a method, a device, an electronic device and a storage medium for detecting SQL injection holes, wherein the method comprises the following steps: acquiring load information in a user request; decoding the load information to obtain a first expression; carrying out semantic normalization processing on the first expression to obtain a second expression; and performing vulnerability detection on the second expression to obtain a vulnerability detection result.
As shown in fig. 1, the method for detecting the SQL injection vulnerability provided by the embodiment of the application comprises the following steps:
S101: payload information in the user request is acquired.
The payload information represents the user-controlled data in the user request.
In some embodiments, a user request is received and the payload information in it is obtained. The user request may be, for example, a Hypertext Transfer Protocol (HTTP) request, including but not limited to POST and GET requests.
After receiving the user request, the user-controlled input in the request is extracted and taken as the payload information.
For example, the body parameters of a POST request may be taken as its payload information.
For another example, the query parameters of a GET request (the parameters after the "?" in the URL) and the user-tamperable header fields such as Cookie, Referer, Content-Type and User-Agent may be taken as the payload information.
S102: and decoding the load information to obtain a first expression.
In some embodiments, the decoding operation is performed on the payload information multiple times to obtain the first expression.
The decoding operation includes, but is not limited to: a URL decoding operation, a base64 decoding operation, a base32 decoding operation and a hexadecimal decoding operation.
In a specific implementation, one execution of the decoding operation comprises:
sequentially performing the URL decoding operation, the base64 decoding operation, the base32 decoding operation and the hexadecimal decoding operation on the payload information.
In some embodiments, the decoding operation is repeated a fixed number of times to obtain the first expression; for example, 5 decoding operations may be performed.
In other embodiments, once the expression produced by two consecutive decoding operations no longer changes, that expression is output as the first expression.
For example, 5 decoding operations produce expression 1, expression 2, expression 3, expression 4 and expression 5 in turn. Expressions 1 to 4 all differ from one another, but expression 5 (the result of the 5th decoding operation) is identical to expression 4 (the result of the 4th). Either expression 4 or expression 5 may then be output as the first expression.
Through this decoding process, the encoding-based bypass techniques in the payload information, such as replacing a space with "%20" or replacing "admin" with its base64 form "YWRtaW4=", are essentially undone, and the payload information is converted into the first expression.
In some embodiments, as shown in fig. 2, an embodiment of the present application provides a schematic flow chart of decoding operation. As shown in fig. 2, the method comprises the following steps:
S201: determine whether the URL encoding feature is met; if yes, go to step S202; if not, go to step S203.
In some embodiments, when the decoding operation is executed for the first time, the object of the operation is the payload information; that is, in the first decoding operation it is determined whether the payload information matches the URL encoding feature.
In subsequent decoding operations, the object is the expression produced by the previous decoding operation; that is, it is determined whether the expression obtained from the previous decoding operation matches the URL encoding feature.
S202: URL decoding is performed.
In some embodiments, in the first decoding operation, when the payload information is determined to match the URL encoding feature, URL decoding is performed on the payload information.
In subsequent decoding operations, when the expression obtained from the previous decoding operation is determined to match the URL encoding feature, URL decoding is performed on that expression.
S203: determine whether the base64 encoding feature is met; if yes, go to step S204; if not, go to step S205.
In implementation, the embodiment of the application can determine whether the load information accords with the characteristic of being subjected to base64 coding, and can also determine whether the load information after URL decoding accords with the characteristic of being subjected to base64 coding.
S204: base64 decoding is performed.
In some embodiments, the embodiments of the present application may perform base64 decoding on the payload information, and may also perform base64 decoding on the payload information after URL decoding.
S205: determining whether the base32 encoding feature is met; if yes, go to step S206; if not, step S207 is performed.
In some implementations, the information for determining whether the base32 coding feature is met according to the embodiment of the present application may be: payload information, or URL decoded payload information, or base64 decoded payload information, or URL and base64 decoded payload information.
S206: base32 decoding is performed.
In some embodiments, the embodiments of the present application may perform base32 decoding on the payload information, or the URL decoded payload information, or the base64 decoded payload information, or the URL and base64 decoded payload information.
S207: determine whether the hexadecimal encoding feature is met; if yes, go to step S208; if not, go to step S209.
In some embodiments, the information checked against the hexadecimal encoding feature is the payload information after any combination of the URL, base64 and base32 decoding operations of the current round has been applied (including none of them).
S208: hexadecimal decoding is performed.
In some embodiments, hexadecimal decoding is performed on the payload information after any combination of the URL, base64 and base32 decoding operations of the current round has been applied (including none of them).
S209: determining whether the execution times of the decoding operation reach a set value; if yes, go to step S210; if not, step S201 is performed.
One execution of the decoding operation consists of performing URL decoding, base64 decoding, base32 decoding and hexadecimal decoding in sequence.
S210: the first expression is output.
In some embodiments, the first expression is the payload information after any combination of the URL, base64, base32 and hexadecimal decoding operations has been applied (including none of them, when the payload matched none of the encoding features).
By performing the decoding operation on the payload information multiple times, the encodings applied to the user request for obfuscation, in order to bypass regular expressions, can be reversed.
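The decoding loop of steps S201 to S210, written out in Python as an added example (not code from the patent): one round applies URL, base64, base32 and hexadecimal decoding in that order, and rounds repeat until the expression stops changing or a cap is reached. The checks for the encoding features are this example's own heuristics (token shapes for base64, base32 and 0x hex literals, plus the requirement that a decoded token be printable ASCII); the five-round cap follows the page's illustration. The sample payloads are constructed: the first is the username value from the page's worked example, the other two are made up.

```python
import base64
import re
from urllib.parse import unquote

MAX_ROUNDS = 5  # the page's illustration runs five decoding operations; the cap is tunable (assumption)

# Encoding-feature heuristics (this example's assumptions, not the patent's definitions).
# '+' and '/' are left out of the base64 token alphabet on purpose: inside an injection payload
# they are far more likely to be an operator or a comment delimiter than base64 symbols.
_URL_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
_B64_TOKEN = re.compile(r"[A-Za-z0-9]{4,}={0,2}")
_B32_TOKEN = re.compile(r"[A-Z2-7]{8,}={0,6}")
_HEX_TOKEN = re.compile(r"0x(?:[0-9A-Fa-f]{2})+\b")   # MySQL-style 0x... string literal


def _as_text(raw: bytes):
    """Accept a decoded token only if it is printable ASCII; otherwise return None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def _b64(token: str) -> bytes:
    if len(token) < 8 or len(token) % 4:
        raise ValueError("not base64-shaped")
    return base64.b64decode(token, validate=True)


def _b32(token: str) -> bytes:
    if len(token) % 8:
        raise ValueError("not base32-shaped")
    return base64.b32decode(token)


def _hex(token: str) -> bytes:
    return bytes.fromhex(token[2:])        # strip the 0x prefix


def _decode_tokens(pattern, s: str, decoder) -> str:
    """Replace each token matching `pattern` whose decoding comes out as printable text."""
    def repl(m):
        token = m.group(0)
        try:
            text = _as_text(decoder(token))
        except ValueError:                 # binascii.Error is a ValueError subclass
            return token
        return token if text is None else text
    return pattern.sub(repl, s)


def decode_round(s: str) -> str:
    """One decoding operation in the page's order: URL, base64, base32, hexadecimal (S201-S208)."""
    if _URL_ESCAPE.search(s):
        s = unquote(s)                     # '%20' -> ' '; '+' is left for semantic normalization
    s = _decode_tokens(_B64_TOKEN, s, _b64)
    s = _decode_tokens(_B32_TOKEN, s, _b32)
    return _decode_tokens(_HEX_TOKEN, s, _hex)


def decode_payload(payload: str, max_rounds: int = MAX_ROUNDS):
    """Repeat decoding rounds until the expression stops changing or the cap is hit (S209, S210).
    Returns (first_expression, rounds_executed)."""
    current = payload
    for rounds in range(1, max_rounds + 1):
        nxt = decode_round(current)
        if nxt == current:                 # fixpoint: a further round would change nothing
            return current, rounds
        current = nxt
    return current, max_rounds


# Constructed samples: PAGE_PAYLOAD is the username value from the page's worked example,
# the other two are made up for this example.
PAGE_PAYLOAD = "/*user*/YWRtaW4=+suBstr(coNcAt('aao','rrrrr'),3,2)+1!!=1--%20"
NESTED_PAYLOAD = base64.b32encode(base64.b64encode(b"' or 1=1-- ")).decode()  # base32(base64(x))
HEX_PAYLOAD = "' or username=0x61646d696e"   # hex literal spelling 'admin'

if __name__ == "__main__":
    for sample in (PAGE_PAYLOAD, NESTED_PAYLOAD, HEX_PAYLOAD):
        expression, rounds = decode_payload(sample)
        print(f"{rounds} round(s): {sample!r} -> {expression!r}")
```

Two caveats a practitioner would check before reusing the heuristics: an eight-letter upper-case word such as PASSWORD is valid base32 and happens to decode to printable ASCII, so the base32 step can rewrite legitimate input, and leaving '+' and '/' out of the base64 token alphabet means a base64 string containing those symbols is not recognised. Both are tuning decisions for the parameter alphabet of the protected application, and a false decode is exactly what a fixpoint loop will then carry into the next round.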
Currently, an attacker typically exploits properties of the SQL language to modify the payload information so that it bypasses regular expression matching. For example, SQL keywords are case-insensitive, so the keyword select has 64 spellings such as SELECT, select and seLect; and functions such as CONCAT('se','lec','t') make the statement harder to recognise. A regular expression can hardly express such complex semantics, so semantic normalization is applied to the payload information to reduce the complexity of the regular expressions required.
S103: and carrying out semantic normalization processing on the first expression to obtain a second expression.
In some embodiments, the embodiment of the present application may perform special character conversion and logical character conversion on the first expression to obtain a first candidate expression.
In specific implementation, the embodiment of the present application may perform the special character conversion operation in the following manner:
mode 1: special characters to be executed in place of spaces in the first expression are, for example: "+", "%20", "/", "% a0", etc. are all converted to spaces.
Mode 2: a plurality of consecutive spaces are converted into one space.
Mode 3: will "+|! The following is carried out "convert to" = ", convert" < > "to" Σ! = ", will multiple" +|! "convert to at most one" ≡! ".
Mode 4: the non-executing strings annotated with the annotators are deleted according to the SQL syntax.
In specific implementation, the embodiment of the present application may perform the logical character conversion operation in the following manner:
the embodiment of the application can convert all the logic expressions in the first expression into four expression modes of 'or', 'and', 'not', 'xor'. For example, "& &" in the first expression is converted to "and".
After the first candidate expression is obtained, keyword conversion may be performed on it to obtain the second candidate expression.
In a specific implementation, the character strings in the first candidate expression that are similar to a keyword are determined through fuzzy matching.
Each such character string in the first candidate expression is then replaced with the keyword it resembles, giving the second candidate expression.
For example, fuzzy matching determines that the character string "Selectttt" in the first candidate expression is similar to the keyword "select"; "Selectttt" is therefore converted to "select".
Through fuzzy matching, the character strings in the first candidate expression that resemble keywords can all be converted into standard SQL keywords, which reduces the complexity of the expression.
All SQL keywords in the second candidate expression may be converted to lower case or to upper case.
In some embodiments, all SQL keywords in the first candidate expression may also be converted to lower case or upper case, and the keywords produced by the subsequent conversion are kept consistent with them. That is, the SQL keywords in the second candidate expression are uniformly upper case or uniformly lower case.
After the second candidate expression is obtained, the executable statements in it are executed to obtain execution results, and each executable statement in the second candidate expression is replaced with its execution result to obtain the second expression.
In some embodiments, the statements in the second candidate expression that can be executed directly are pre-executed. An executable statement may be a function that does not interact with the database, such as substr('aadmin', 2, 5), or a short statement that can be evaluated directly, such as "and 1=1".
Pre-executing the executable statements in the second candidate expression yields their execution results. For example, the execution result of "substr('aadmin', 2, 5)" is "admin" (SQL substr positions are 1-based), and the execution result of "and 1=1" is "and true".
In some embodiments, it is determined whether an executable statement contains a keyword. When it does not, the statement is replaced directly with its execution result; for example, "substr('aadmin', 2, 5)" in the second candidate expression is replaced with "admin".
When the executable statement contains a keyword, the statement in the second candidate expression is replaced with the execution result together with the keyword; for example, "and 1=1" is replaced with "and true".
In some embodiments, the embodiment of the application can perform semantic normalization processing on the first expression for multiple times to obtain the second expression.
S104: and performing vulnerability detection on the second expression to obtain a vulnerability detection result.
In some embodiments, the second expression is matched against regular expressions to determine whether it contains features of an SQL injection vulnerability.
In implementation, regular expressions describing the features defined as malicious injection are matched against the second expression to obtain a matching result.
In some embodiments, if the match fails, the vulnerability detection result is that no SQL injection vulnerability is detected, and the user request may be released.
In other embodiments, if the match succeeds, the vulnerability detection result is that an SQL injection vulnerability is detected; the user request may then be intercepted and an SQL injection alarm raised.
For example, the SQL injection vulnerability detection method can be illustrated with a common user-name and password verification scenario, as follows:
The user request received may be a request triggered by a login operation, which requires the user to enter a user name and a password. The user request is:
http:www.example.com/login.html/?username=/*user*/YWRtaW4=+suBstr(coNcAt('aao','rrrrr'),3,2)+1!!=1--%20&password=123456
First, the payload information in the user request is obtained.
In implementation, the user input in the user request is parsed out:
username=/*user*/YWRtaW4=+suBstr(coNcAt('aao','rrrrr'),3,2)+1!!=1--%20&password=123456
The user input is taken as the payload information.
Second, the payload information is decoded to obtain the first expression.
The payload information is decoded: "YWRtaW4=" in the payload is base64-decoded to "admin" and "%20" is URL-decoded to a space, giving the first expression: username=/*user*/admin+suBstr(coNcAt('aao','rrrrr'),3,2)+1!!=1-- &password=123456
Thirdly, carrying out semantic normalization processing on the first expression to obtain a second expression.
Special character conversion: wherein "+_s in the first expression-! The following is carried out "is equivalent to" = "," - "and following spaces compose an annotator and an in-line annotation/, where the first expression becomes: username = admin subestr (conncat ('aao', 'rrrrr'), 3, 2) 1 = 1.
Case-to-case conversion: converting the expression obtained through special character conversion into lower case, and obtaining a second candidate expression: username = admin subsstr (concat ('aao', 'rrrrr'), 3, 2)) 1 = 1.
Function execution: "substract (concat ('aao', 'rrrrr'), 3, 2))" in the second candidate expression is executed, and the execution result thereof is substituted for "substract (concat ('aao', 'rrr'), 3, 2))" in the second candidate expression, at which time the second candidate expression is converted into the second expression: username=adminor 1=1.
Fourth, performing vulnerability detection on the second expression to obtain a vulnerability detection result.
The embodiment of the application can perform regular matching on the second expression, match the second expression to the SQL injection feature 'adminor 1=1', and determine that the user request contains SQL injection holes.
The embodiment of the application can intercept the user request and send out alarm information.
The embodiment of the application performs regular matching on the load information only after the decoding operation and the semantic normalization processing, which reduces the semantic complexity of the expression being matched and thereby improves detection efficiency and accuracy.
As shown in fig. 3, an embodiment of the present application provides a complete flow diagram of an SQL injection vulnerability detection method, which includes the following steps:
S301: Load information in the user request is acquired.
Wherein the load information is used to represent the user-controlled data in the user request.
S302: Multiple decoding operations are performed on the load information to obtain a first expression.
Wherein the decoding operations include, but are not limited to: a URL decoding operation, a base64 decoding operation, a base32 decoding operation, and a hexadecimal decoding operation.
In some embodiments, one execution of the decoding operation in the embodiment of the present application comprises the following step:
sequentially performing the URL decoding operation, the base64 decoding operation, the base32 decoding operation, and the hexadecimal decoding operation on the load information.
S303: Special character conversion and logic character conversion are performed on the first expression to obtain a first candidate expression.
S304: Character strings similar to keywords in the first candidate expression are determined through fuzzy matching.
S305: The character strings similar to the keywords in the first candidate expression are replaced with the keywords to obtain a second candidate expression.
S306: The execution statement in the second candidate expression is executed to obtain an execution result.
S307: It is determined whether the execution statement contains a keyword; if yes, step S308 is performed; if not, step S309 is performed.
S308: The execution statement in the second candidate expression is updated to the execution result and the keyword, obtaining the second expression.
S309: The execution statement in the second candidate expression is updated to the execution result, obtaining the second expression.
S310: Feature matching is performed between the second expression and the regular expression.
S311: If the matching fails, it is determined that the vulnerability detection result is that no SQL injection vulnerability is detected.
S312: The user request is allowed to pass.
S313: If the matching succeeds, it is determined that the vulnerability detection result is that an SQL injection vulnerability is detected.
S314: The user request is intercepted and SQL injection alarm information is sent.
Based on the same inventive concept, the embodiment of the application also provides an SQL injection vulnerability detection device. Because the principle by which the device solves the problem is similar to that of the SQL injection vulnerability detection method, the device can be implemented with reference to the method embodiment, and repeated description is omitted.
As shown in fig. 4, a structural block diagram of an SQL injection vulnerability detection apparatus provided by an embodiment of the present application includes:
an obtaining unit 401, configured to obtain load information in a user request; the load information is used for representing user-controlled data in the user request;
a decoding unit 402, configured to perform a decoding operation on the payload information to obtain a first expression;
a processing unit 403, configured to perform semantic normalization processing on the first expression to obtain a second expression;
and the detection unit 404 is configured to perform vulnerability detection on the second expression to obtain a vulnerability detection result.
In an alternative embodiment, the decoding unit 402 is specifically configured to:
performing the decoding operation multiple times on the load information to obtain a first expression; the decoding operation includes a URL decoding operation, a base64 decoding operation, a base32 decoding operation, and a hexadecimal decoding operation;
wherein one execution of the decoding operation comprises the following step:
sequentially performing the URL decoding operation, the base64 decoding operation, the base32 decoding operation and the hexadecimal decoding operation on the load information.
In an alternative embodiment, the processing unit 403 is specifically configured to:
performing special character conversion and logic character conversion on the first expression to obtain a first candidate expression;
performing keyword conversion on the first candidate expression to obtain a second candidate expression;
executing the execution statement in the second candidate expression to obtain an execution result;
and updating the execution statement in the second candidate expression to the execution result to obtain the second expression.
In an alternative embodiment, the processing unit 403 is specifically configured to:
determining character strings similar to keywords in the first candidate expression through fuzzy matching;
and replacing the character strings similar to the keywords in the first candidate expression with the keywords to obtain the second candidate expression.
In an alternative embodiment, the processing unit 403 is specifically configured to:
determining keywords in the execution statement;
and updating the execution statement in the second candidate expression into the execution result and the keyword.
In an alternative embodiment, the detecting unit 404 is specifically configured to:
performing feature matching on the second expression and the regular expression;
if the matching fails, determining that the vulnerability detection result is that no SQL injection vulnerability is detected; or,
if the matching succeeds, determining that the vulnerability detection result is that an SQL injection vulnerability is detected.
Corresponding to the embodiment of the SQL injection vulnerability detection method, the embodiment of the application also provides electronic equipment. The electronic device may be a server, or may be a terminal such as a mobile terminal or a computer.
The electronic device comprises at least a memory for storing data and a processor for data processing. Wherein, the processor for data processing may be implemented with a microprocessor, a CPU, a GPU (Graphics Processing Unit), a DSP, or an FPGA. The memory stores operation instructions, which may be computer executable code, to implement each step in the flow of the SQL injection vulnerability detection method according to the embodiment of the present application.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application; as shown in fig. 5, the electronic device 100 according to the embodiment of the present application includes: a processor 101, a display 102, a memory 103, an input device 106, a bus 105, and a communication module 104; the processor 101, memory 103, input device 106, display 102, and communication module 104 are all coupled via a bus 105, and the bus 105 is used to transfer data between the processor 101, memory 103, display 102, communication module 104, and input device 106.
The memory 103 may be used to store software programs and modules, such as program instructions/modules corresponding to the SQL injection vulnerability detection method in the embodiment of the present application, and the processor 101 executes the software programs and modules stored in the memory 103, thereby executing various functional applications and data processing of the electronic device 100, such as the SQL injection vulnerability detection method provided in the embodiment of the present application. The memory 103 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program of at least one application, and the like; the storage data area may store data created according to the use of the electronic device 100 (e.g., relevant data such as vulnerability rules), etc. In addition, memory 103 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
The processor 101 is a control center of the electronic device 100, connects various parts of the entire electronic device 100 using the bus 105 and various interfaces and lines, and performs various functions of the electronic device 100 and processes data by running or executing software programs and/or modules stored in the memory 103, and invoking data stored in the memory 103. Alternatively, the processor 101 may include one or more processing units, such as a CPU, GPU, digital processing unit, or the like.
The processor 101 may present the alert information to the user via the display 102.
The processor 101 may also be connected to a network through the communication module 104 to obtain a user request, etc.
The input device 106 is mainly used to obtain input operations by a user, and the input device 106 may be different when the electronic devices are different. For example, when the electronic device is a computer, the input device 106 may be an input device such as a mouse, keyboard, etc.; when the electronic device is a portable device such as a smart phone or a tablet computer, the input device 106 may be a touch screen.
The embodiment of the application also provides a computer readable storage medium for the SQL injection vulnerability detection method, namely a medium whose content is not lost after power failure. The storage medium stores a software program comprising program code which, when read and executed by one or more processors of a computing device, implements any of the above SQL injection vulnerability detection methods of the embodiments of the application.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (10)

1. The SQL injection vulnerability detection method is characterized by comprising the following steps of:
acquiring load information in a user request; the load information is used for representing user-controlled data in the user request;
performing decoding operation on the load information to obtain a first expression;
carrying out semantic normalization processing on the first expression to obtain a second expression;
and performing vulnerability detection on the second expression to obtain a vulnerability detection result.
2. The method of claim 1, wherein the decoding the payload information to obtain a first expression comprises:
performing the decoding operation multiple times on the load information to obtain a first expression; the decoding operation includes a URL decoding operation, a base64 decoding operation, a base32 decoding operation, and a hexadecimal decoding operation;
wherein one execution of the decoding operation comprises the following step:
sequentially performing the URL decoding operation, the base64 decoding operation, the base32 decoding operation and the hexadecimal decoding operation on the load information.
3. The method of claim 1, wherein the semantically normalizing the first expression to obtain a second expression comprises:
performing special character conversion and logic character conversion on the first expression to obtain a first candidate expression;
performing keyword conversion on the first candidate expression to obtain a second candidate expression;
executing the execution statement in the second candidate expression to obtain an execution result;
and updating the execution statement in the second candidate expression to the execution result to obtain the second expression.
4. The method of claim 3, wherein keyword transforming the first candidate expression to obtain a second candidate expression comprises:
determining character strings similar to keywords in the first candidate expression through fuzzy matching;
and replacing the character strings similar to the keywords in the first candidate expression with the keywords to obtain the second candidate expression.
5. A method according to claim 3, wherein said updating the execution statement in the second candidate expression to the execution result comprises:
determining keywords in the execution statement;
and updating the execution statement in the second candidate expression into the execution result and the keyword.
6. The method according to any one of claims 1-5, wherein performing the vulnerability detection on the second expression to obtain a vulnerability detection result includes:
performing feature matching on the second expression and the regular expression;
if the matching fails, determining that the vulnerability detection result is that no SQL injection vulnerability is detected; or,
if the matching succeeds, determining that the vulnerability detection result is that an SQL injection vulnerability is detected.
7. An SQL injection vulnerability detection device, comprising:
the acquisition unit is used for acquiring the load information in the user request; the load information is used for representing user-controlled data in the user request;
the decoding unit is used for performing decoding operation on the load information to obtain a first expression;
the processing unit is used for carrying out semantic normalization processing on the first expression to obtain a second expression;
and the detection unit is used for carrying out vulnerability detection on the second expression to obtain a vulnerability detection result.
8. The apparatus according to claim 7, wherein the decoding unit is specifically configured to:
performing the decoding operation multiple times on the load information to obtain a first expression; the decoding operation includes a URL decoding operation, a base64 decoding operation, a base32 decoding operation, and a hexadecimal decoding operation;
wherein one execution of the decoding operation comprises the following step:
sequentially performing the URL decoding operation, the base64 decoding operation, the base32 decoding operation and the hexadecimal decoding operation on the load information.
9. An electronic device comprising a memory and a processor, the memory having stored thereon a computer program executable on the processor, the computer program, when executed by the processor, implementing the method of any of claims 1-6.
10. A computer readable storage medium having a computer program stored therein, characterized in that the computer program, when executed by a processor, implements the method of any of claims 1-6.
CN202310833281.8A 2023-07-07 2023-07-07 SQL injection vulnerability detection method and device, electronic equipment and storage medium Pending CN116915454A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310833281.8A CN116915454A (en) 2023-07-07 2023-07-07 SQL injection vulnerability detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116915454A true CN116915454A (en) 2023-10-20

Family

ID=88350417

Country Status (1)

Country Link
CN (1) CN116915454A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination