WO2020073493A1 - Sql injection vulnerability detection method, apparatus and device, and readable storage medium - Google Patents


Info

Publication number
WO2020073493A1
Authority
WO
WIPO (PCT)
Prior art keywords
request
response page
sequence
url
response
Prior art date
Application number
PCT/CN2018/122811
Other languages
French (fr)
Chinese (zh)
Inventor
何双宁
Original Assignee
平安科技(深圳)有限公司
Priority date
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司 (Ping An Technology (Shenzhen) Co., Ltd.)
Publication of WO2020073493A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577: Assessing vulnerabilities and evaluating computer system security

Definitions

  • The present application relates to the field of communication technology, and in particular to a method, apparatus, device and readable storage medium for SQL injection vulnerability detection.
  • The current detection method for SQL (Structured Query Language) injection vulnerabilities is based on Boolean judgment. For each detection point it sends three requests in sequence: the original URL request, a request whose parameter value forms a logically true SQL condition, and a request whose parameter value forms a logically false SQL condition.
  • The comparison of the three responses relies on the Content-Length (content length) of the website response, and the accuracy of detecting whether a URL request has a SQL injection vulnerability in this way is low.
  • The main purpose of this application is to provide a method, apparatus, device and readable storage medium for SQL injection vulnerability detection, aiming to solve the existing technical problem of low accuracy in detecting SQL injection vulnerabilities.
  • The SQL injection vulnerability detection method includes the steps of: after obtaining a uniform resource locator (URL) request of the website to be tested, determining the detection point of the URL request and constructing a sequence request corresponding to a Boolean logic parameter of the detection point; obtaining the response pages returned after executing the URL request and the sequence request, and performing a similarity analysis on them to obtain a similarity value between the response page of the URL request and the response page of each request in the sequence request; and, if the similarity value meets a preset condition, determining that the URL request has a SQL injection vulnerability.
  • The SQL injection vulnerability detection apparatus includes:
  • a determining module, used to determine the detection point of the URL request after obtaining the uniform resource locator (URL) request of the website to be tested;
  • a construction module, configured to construct a sequence request corresponding to a Boolean logic parameter of the detection point;
  • an obtaining module, used to obtain the response pages returned after executing the URL request and the sequence request;
  • an analysis module, configured to perform a similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request;
  • the determining module is further configured to determine that the URL request has a SQL injection vulnerability if the similarity value meets a preset condition.
  • The present application also provides a SQL injection vulnerability detection device. The device includes a memory, a processor, and computer-readable instructions that are stored in the memory and can run on the processor; when the computer-readable instructions are executed by the processor, the steps of the SQL injection vulnerability detection method described above are implemented.
  • The present application also provides a computer-readable storage medium storing computer-readable instructions which, when executed by a processor, implement the steps of the SQL injection vulnerability detection method described above.
  • This application constructs a sequence request corresponding to the Boolean logic parameter of a URL request's detection point, executes the URL request and the sequence request, obtains the response pages returned after executing them, and performs a similarity analysis on the response pages to obtain the similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request. If the similarity value meets the preset condition, it is determined that the URL request has a SQL injection vulnerability. Judging whether a URL request has a SQL injection vulnerability from the similarity between response pages, rather than from their content length alone, improves the accuracy of detecting SQL injection vulnerabilities.
  • FIG. 1 is a schematic flowchart of a preferred embodiment of a method for detecting SQL injection vulnerability in this application
  • FIG. 2 is a functional schematic block diagram of a preferred embodiment of a SQL injection vulnerability detection device of the present application
  • FIG. 3 is a schematic structural diagram of a hardware operating environment involved in an embodiment of the present application.
  • Referring to FIG. 1, FIG. 1 is a schematic flowchart of a preferred embodiment of the SQL injection vulnerability detection method of this application.
  • The embodiment of the present application provides an embodiment of the SQL injection vulnerability detection method. It should be noted that although a logical order is shown in the flowchart, in some cases the illustrated or described steps may be performed in an order different from the one shown here.
  • The SQL injection vulnerability detection method is applied to a server or a terminal. Terminals include mobile terminals such as mobile phones, tablets, laptops and personal digital assistants (PDAs), as well as fixed terminals such as digital TVs and desktop computers.
  • For ease of description, the executing entity is omitted in the explanation of each embodiment.
  • The SQL injection vulnerability detection method includes:
  • Step S10: After obtaining the uniform resource locator (URL) request of the website to be tested, determine the detection point of the URL request and construct a sequence request corresponding to a Boolean logic parameter of the detection point.
  • A URL request corresponds to at least one detection point. The URL request is the initial request for entering the website, obtained through a web crawler or from network traffic.
  • The constructed Boolean logic parameter sequence request includes at least one logically true condition URL request and one logically false condition URL request. If the URL request has multiple detection points, a corresponding Boolean logic parameter sequence request must be constructed for each detection point.
  • For example, for a detection point param_a in the URL, a request that places a logically true parameter value at param_a is the logically true condition URL request; such a request can be expressed as http://www.test.com/test? with a logically true value supplied for param_a. Correspondingly, a request that places a logically false parameter value at param_a is the logically false condition URL request.
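As an added example (not code from the patent or its assignee), the following Python constructs the sequence request of step S10 for every detection point of a URL. It assumes that the detection points are the URL's query parameters and that a logically true or false condition is produced by appending a SQL tautology or contradiction to the parameter's original value, with a second, differently worded pair used for the confirmation requests of steps d1 and d2 below; the patent fixes none of these details, only that each detection point receives a logically true and a logically false request.

```python
"""Build the Boolean "sequence request" of step S10 for each detection point of a URL.

Added example; not code from the patent. Assumptions (the patent does not fix them):
- the detection points of a URL request are its query parameters;
- a logically true / false condition is produced by appending a SQL tautology /
  contradiction to the parameter's original value (Boolean-blind probes).
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed payload pairs: the first entry builds the first true/false request, the
# second builds the confirmation (second true/false) request of steps d1 and d2,
# using a different but logically equivalent condition.
TRUE_PAYLOADS = (" AND 1=1", " AND 2=2")
FALSE_PAYLOADS = (" AND 1=2", " AND 3=4")


def detection_points(url):
    """Return the detection points of a URL request (assumed: its query parameter names)."""
    return [name for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def _with_payload(url, point, payload):
    """Return `url` with `payload` appended to the value of parameter `point`.

    Only the targeted parameter changes; every other parameter keeps its value, so
    a URL with several detection points yields one sequence request per point.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    probed = [(k, v + payload if k == point else v) for k, v in pairs]
    # urlencode quote_plus-encodes the payload: spaces become '+', '=' becomes '%3D'
    return urlunsplit(parts._replace(query=urlencode(probed)))


def sequence_request(url, point, confirm=False):
    """Build the sequence request for one detection point.

    Without `confirm` this is the pair of steps c and d (first true, first false).
    With `confirm` it is the four-request sequence of steps d1 and d2, which adds
    a second true and a second false request so that each first request is confirmed.
    """
    seq = {
        "first_true": _with_payload(url, point, TRUE_PAYLOADS[0]),
        "first_false": _with_payload(url, point, FALSE_PAYLOADS[0]),
    }
    if confirm:
        seq["second_true"] = _with_payload(url, point, TRUE_PAYLOADS[1])
        seq["second_false"] = _with_payload(url, point, FALSE_PAYLOADS[1])
    return seq


def all_sequence_requests(url, confirm=False):
    """One sequence request per detection point, keyed by the parameter name."""
    return {point: sequence_request(url, point, confirm) for point in detection_points(url)}


if __name__ == "__main__":
    # Constructed input: the example host from the patent text with two parameters.
    url = "http://www.test.com/test?param_a=1&param_b=2"
    for point, seq in all_sequence_requests(url, confirm=True).items():
        print(point)
        for name, probe in seq.items():
            print(f"  {name:13s} {probe}")
```

Each request only touches one parameter, which is what lets the later comparison attribute a changed response to that detection point; in practice the payload set would also need variants for quoted string contexts, which this example leaves out.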
  • Step S20: Obtain the response pages returned after executing the URL request and the sequence request, and perform a similarity analysis on them to obtain the similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request.
  • Each request corresponds to one response page. Therefore at least three response pages are obtained in the embodiments of the present application: the response page corresponding to the URL request, the response page corresponding to the logically true condition URL request, and the response page corresponding to the logically false condition URL request.
  • The algorithms that can be used for similarity analysis include, but are not limited to, cosine distance, Euclidean distance and the Jaccard coefficient.
  • Specifically, step S20 includes:
  • Step a: Obtain the response pages returned after executing the URL request and the sequence request, and calculate the Jaccard coefficient between the first response page corresponding to the URL request and each sequence response page corresponding to the sequence request.
  • The response page obtained after executing the URL request is recorded as the first response page, and the response page obtained after executing each request in the sequence request is recorded as a sequence response page.
  • The Jaccard coefficient between the first response page and each sequence response page is defined as the ratio of the intersection of set A and set B to the union of set A and set B: J(A, B) = |A ∩ B| / |A ∪ B|. When A and B are both empty, J(A, B) is defined as 1. J(A, B) ∈ [0, 1]; the closer J(A, B) is to 1, the more similar the response page corresponding to set A is to the response page corresponding to set B, and when J(A, B) = 1 the response page corresponding to set A is the same as the response page corresponding to set B.
  • Further, step a includes:
  • Step a1: Obtain the response pages returned after executing the URL request and the sequence request, and divide the text corresponding to the first response page and to each sequence response page into character segments according to a preset line break.
  • After the first response page returned by the URL request and the sequence response page returned by each request in the sequence request are obtained, the text of each page is extracted and divided into character segments at the line breaks in the text. It should be noted that line breaks are generated automatically in the text of a response page while the page is generated, and that different types of response page use different line breaks.
  • For example, in HTML (HyperText Markup Language) and XHTML (eXtensible HyperText Markup Language), the <br> tag inserts a simple line break; <br> is an empty tag, meaning it has no end tag, so writing <br></br> is wrong. In a Word document, by contrast, the newline character is a line-break symbol: it displays a new line but is not a true paragraph mark, so text separated by it still belongs to the same paragraph, and paragraph-based operations in the document do not treat it as the end of a paragraph.
  • Further, when the first response page and the sequence response pages are HTML documents, after determining that a response page is an HTML document, DOM (Document Object Model) parsing is performed on it to generate the DOM tree corresponding to the response page, the text is extracted from the DOM nodes of the DOM tree to obtain the text corresponding to the response page, and that text is then divided into character segments at the line breaks.
  • The process of detecting whether a response page is an HTML document is to detect whether the response page carries HTML tags. The HTML DOM defines a standard way of accessing and manipulating an HTML document and represents the document as a tree structure; the HTML tags to look for are preset and stored in the tree-structured form of an HTML document. If the response page is detected to carry HTML tags, it is determined to be an HTML document; if it does not carry HTML tags, it is determined not to be an HTML document.
  • Step a2: Divide the character segments into character strings according to preset separators, thereby obtaining the elements corresponding to the first response page and to each sequence response page.
  • After the character segments corresponding to the first response page and the sequence response pages are obtained, each character segment is divided into character strings at the preset separators, and these strings are the elements of the set corresponding to the first response page and of the set corresponding to each sequence response page.
  • The separators include, but are not limited to, the spaces, commas, semicolons, periods, exclamation marks and question marks in a character segment. It can be understood that each string obtained from the first response page is an element of the set corresponding to the first response page, and each string obtained from a sequence response page is an element of the set corresponding to that sequence response page: every string in a response page is one element.
  • Step a3: Calculate the intersection and the union of the elements of the first response page and of each sequence response page, and divide the size of the intersection by the size of the corresponding union to obtain the corresponding Jaccard coefficient.
  • Here A represents the set of elements corresponding to the first response page and B represents the set of elements corresponding to one of the sequence response pages.
  • Step b: Use each Jaccard coefficient as the similarity value between the first response page and the corresponding sequence response page.
  • That is, the Jaccard coefficient is taken as the similarity value between the first response page and each sequence response page. It can be understood that the closer the Jaccard coefficient is to 1, the more similar the first response page is to the corresponding sequence response page, and the closer it is to 0, the less similar the first response page is to the corresponding sequence response page.
  • Step S30: If the similarity value meets a preset condition, it is determined that the URL request has a SQL injection vulnerability.
  • The number of requests in the sequence request corresponding to a URL request may differ, and the preset condition differs accordingly; that is, for a different number of sequence response pages the preset condition is different.
  • If the similarity value satisfies the preset condition, it is determined that the URL request has a SQL injection vulnerability, that is, that the website to be tested has a SQL injection vulnerability.
  • A SQL injection vulnerability arises from a flaw in the input validation of a web application: an attacker injects a maliciously constructed SQL statement through an input point of the web application so that it is executed by the back-end database, thereby mounting a malicious attack on the database.
  • The full name of WEB is World Wide Web, also called the global wide area network and commonly referred to as the Web: a global, dynamic, interactive, cross-platform distributed graphical information system based on hypertext and HTTP.
  • In this embodiment, a sequence request corresponding to the Boolean logic parameter of a URL request's detection point is constructed, the URL request and the sequence request are executed, the response pages returned after executing them are obtained, and a similarity analysis is performed on the response pages to obtain the similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request; if the similarity value meets the preset condition, it is determined that the URL request has a SQL injection vulnerability. Determining whether a URL request has a SQL injection vulnerability from the similarity between response pages improves the accuracy of detecting SQL injection vulnerabilities.
  • Further, step S10 includes:
  • Step c: Construct a request with a logically true condition for each detection point in the URL request, recorded as the first true request.
  • Step d: Construct a request with a logically false condition for each detection point in the URL request, recorded as the first false request, so as to form a sequence request including the first true request and the first false request.
  • The first true request and the first false request constitute the sequence request corresponding to the detection point of the URL request.
  • Step S30 includes:
  • Step e: If it is determined that the first Jaccard coefficient, between the first response page corresponding to the URL request and the second response page corresponding to the first true request, is greater than a first threshold, determine whether the second Jaccard coefficient, between the first response page and the third response page corresponding to the first false request, is less than a second threshold.
  • The first Jaccard coefficient and the second Jaccard coefficient are the similarity values between the corresponding response pages.
  • The first threshold and the second threshold may be set according to specific needs, and they may be equal or different; for example, both may be set to 0.99, or the first threshold may be set to 0.99 and the second threshold to 0.98, and so on.
  • It should be noted that a response page may change dynamically. The change may be caused by the current time or the current weather status shown by the website to be tested, or by network fluctuations that leave part of the response page not fully loaded. Under normal circumstances, however, the changed part of the response page is very small, so the similarity between the first response page and the second response page will be high.
  • Step f: If the second Jaccard coefficient is less than the second threshold, it is determined that the URL request has a SQL injection vulnerability.
  • If the second Jaccard coefficient is less than the second threshold, it is determined that the corresponding detection point of the URL request has a SQL injection vulnerability, that is, that the URL request has a SQL injection vulnerability; if the second Jaccard coefficient is greater than or equal to the second threshold, it is determined that the corresponding detection point of the URL request has no SQL injection vulnerability.
  • The similarity analysis between the first response page and the second response page serves to determine whether the current test environment is stable. The test environment includes the network environment and the server environment. It can be understood that the request corresponding to the second response page is a logically true request, so if the test environment is stable the similarity between the first response page and the second response page should be close to or equal to 1; therefore the first threshold should be set to a value close to or equal to 1.
  • The response pages of the URL request and of the first false request should differ, or even be completely different, so the second threshold should likewise be set to a value close to or equal to 1.
  • Further, step d includes:
  • Step d1: Construct a request with a logically false condition for each detection point in the URL request, recorded as the first false request, and construct a confirmation request with a logically true condition for the first true request, recorded as the second true request.
  • Step d2: Construct a confirmation request with a logically false condition for the first false request, recorded as the second false request, so as to form a sequence request including the first true request, the first false request, the second true request and the second false request.
  • That is, after the first false request is constructed, a URL confirmation request with a logically false condition is constructed for the first false request and recorded as the second false request.
  • Step S30 further includes:
  • Step g: If it is determined that the first Jaccard coefficient, between the first response page corresponding to the URL request and the second response page corresponding to the first true request, is greater than the first threshold, determine whether the second Jaccard coefficient, between the first response page and the third response page corresponding to the first false request, is less than the second threshold.
  • After the first true request, the first false request, the second true request and the second false request have been constructed, the URL request, the first true request, the first false request, the second true request and the second false request are executed against the website to be tested, yielding the first response page from the URL request, the second response page from the first true request, the third response page from the first false request, the fourth response page from the second true request and the fifth response page from the second false request. The Jaccard coefficient between the first and second response pages is calculated and recorded as the first Jaccard coefficient, and the Jaccard coefficient between the first and third response pages is calculated and recorded as the second Jaccard coefficient. If the first Jaccard coefficient is greater than the first threshold, it is determined whether the second Jaccard coefficient is less than the second threshold.
  • Step h: If the second Jaccard coefficient is less than the second threshold, determine the third Jaccard coefficient between the first response page and the fourth response page corresponding to the second true request, and calculate the first difference between the third Jaccard coefficient and the first Jaccard coefficient.
  • The third Jaccard coefficient between the first and fourth response pages is calculated, the difference between the third Jaccard coefficient and the first Jaccard coefficient is recorded as the first difference, and it is determined whether the first difference is less than a third threshold. The third threshold can be set according to specific needs, for example 0.01. It should be noted that, for ease of comparison, the first difference is the absolute value of the difference between the third Jaccard coefficient and the first Jaccard coefficient.
  • Step i: If the first difference is less than the third threshold, determine the fourth Jaccard coefficient between the first response page and the fifth response page corresponding to the second false request, and calculate the second difference between the fourth Jaccard coefficient and the second Jaccard coefficient.
  • The fourth Jaccard coefficient between the first response page and the fifth response page corresponding to the second false request is calculated, and the difference between the fourth Jaccard coefficient and the second Jaccard coefficient is recorded as the second difference; the second difference is the absolute value of that difference. It is then determined whether the second difference is less than a fourth threshold. The fourth threshold may or may not be equal to the third threshold. Further, if the first difference is greater than or equal to the third threshold, it is determined that the corresponding detection point of the URL request has no SQL injection vulnerability.
  • Step j: If the second difference is less than the fourth threshold, it is determined that the URL request has a SQL injection vulnerability.
  • If the second difference is less than the fourth threshold, it is determined that the corresponding detection point of the URL request has a SQL injection vulnerability, that is, that the website to be tested has a SQL injection vulnerability. Further, if the second difference is greater than or equal to the fourth threshold, it is determined that the corresponding detection point of the URL request has no SQL injection vulnerability.
  • This embodiment constructs two true requests and two false requests. The second true request confirms the first true request, ensuring the validity of the logically true detection corresponding to the first true request, and the second false request confirms the first false request, ensuring the validity of the logically false detection corresponding to the first false request. This further improves the accuracy of detecting SQL injection vulnerabilities and reduces the false negative rate and the false positive rate of SQL injection vulnerability detection.
  • In web security vulnerability detection, a false negative is a URL request that is in fact vulnerable but is not detected as such; a false positive is a URL request that has no vulnerability but is mistakenly detected as vulnerable.
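As an added example (not code from the patent), the following Python implements the response-page comparison of steps a1 to a3 and the two decision procedures of steps e to f and g to j over constructed pages, so nothing is fetched from a network. It uses the standard html.parser module to pull the text nodes out of the HTML in place of a full DOM parse, splits the text at line breaks and then at the separators listed in step a2, computes the Jaccard coefficient with the empty-set convention given above, and applies the example thresholds from the text (0.99, 0.99 and 0.01). Taking the fourth threshold equal to the third, and reporting a failed first-threshold check as "unstable" rather than as a verdict, are assumptions; the sample pages are constructed, not captured from any site.

```python
"""Page similarity (steps a1-a3) and the threshold decisions of steps e-f and g-j.

Added example; not code from the patent. Response pages are passed in as strings,
so the decision logic runs offline on the constructed pages at the bottom.
Assumptions: the fourth threshold equals the third, and a first Jaccard coefficient
that fails the first threshold yields "unstable" (the text gives no verdict there).
"""
import re
from html.parser import HTMLParser

SEPARATORS = re.compile(r"[ ,;.!?]+")      # separators named in step a2
HTML_TAG = re.compile(r"<[A-Za-z][^>]*>")   # "carries HTML tags" test of step a1


class _DomText(HTMLParser):
    """Collect the text of every text node in the document (step a1, HTML case)."""

    def __init__(self):
        super().__init__()
        self.nodes = []

    def handle_data(self, data):
        if data.strip():
            self.nodes.append(data)


def page_elements(page):
    """Steps a1-a2: text -> character segments (at line breaks) -> strings (at separators).

    The returned set is the A (first response page) or B (sequence response page)
    of the Jaccard coefficient. For HTML the text comes from the text nodes, so a
    <br> between two runs of text yields two segments.
    """
    if HTML_TAG.search(page):
        parser = _DomText()
        parser.feed(page)
        parser.close()
        text_runs = parser.nodes
    else:
        text_runs = [page]
    segments = [line for run in text_runs for line in run.splitlines()]
    return {s for seg in segments for s in SEPARATORS.split(seg) if s}


def jaccard(a, b):
    """Step a3: |A ∩ B| / |A ∪ B|, defined as 1 when both sets are empty."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def decide_basic(first, second, third, t1=0.99, t2=0.99):
    """Steps e-f: three pages (URL request, first true request, first false request)."""
    a = page_elements(first)
    j1 = jaccard(a, page_elements(second))   # first Jaccard coefficient
    if j1 <= t1:
        return "unstable"                    # environment too unstable to judge (assumption)
    j2 = jaccard(a, page_elements(third))    # second Jaccard coefficient
    return "vulnerable" if j2 < t2 else "not_vulnerable"


def decide_confirmed(first, second, third, fourth, fifth,
                     t1=0.99, t2=0.99, t3=0.01, t4=0.01):
    """Steps g-j: five pages; the second true/false requests must reproduce the first."""
    a = page_elements(first)
    j1 = jaccard(a, page_elements(second))
    if j1 <= t1:
        return "unstable"
    j2 = jaccard(a, page_elements(third))
    if j2 >= t2:
        return "not_vulnerable"
    j3 = jaccard(a, page_elements(fourth))   # second true request
    if abs(j3 - j1) >= t3:                   # first difference (step h)
        return "not_vulnerable"
    j4 = jaccard(a, page_elements(fifth))    # second false request
    if abs(j4 - j2) >= t4:                   # second difference (step i)
        return "not_vulnerable"
    return "vulnerable"


# Constructed sample pages (not captured from any site): a listing that a true
# condition leaves unchanged and a false condition empties.
PAGE_LISTING = ("<html><body><h1>Products</h1><p>Widget, 9.99</p><br>"
                "Gadget, 19.99<p>3 items</p></body></html>")
PAGE_EMPTY = "<html><body><h1>Products</h1><p>No items found</p></body></html>"

if __name__ == "__main__":
    print(decide_basic(PAGE_LISTING, PAGE_LISTING, PAGE_EMPTY))                                 # vulnerable
    print(decide_confirmed(PAGE_LISTING, PAGE_LISTING, PAGE_EMPTY, PAGE_LISTING, PAGE_EMPTY))    # vulnerable
    print(decide_confirmed(PAGE_LISTING, PAGE_LISTING, PAGE_EMPTY, PAGE_LISTING, PAGE_LISTING))  # not_vulnerable
```

Two caveats the thresholds imply. First, the listing page above has only eight elements, so a single dynamic token (a timestamp, say) would already drop the first Jaccard coefficient to 7/9, far below 0.99, and the page would be reported as unstable rather than judged; the 0.99 example only works on pages with hundreds of elements, where one changing token costs well under a percent. Second, the comparison is on sets, so two pages that differ only in how often a row or word repeats, or in the order of rows, compare as identical.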
  • Referring to FIG. 2, the SQL injection vulnerability detection apparatus includes:
  • a determining module 10, configured to determine the detection point of the URL request after obtaining the uniform resource locator (URL) request of the website to be tested;
  • a construction module 20, configured to construct a sequence request corresponding to a Boolean logic parameter of the detection point;
  • an obtaining module 30, configured to obtain the response pages returned after executing the URL request and the sequence request;
  • an analysis module 40, configured to perform a similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request;
  • the determining module 10 is further configured to determine that the URL request has a SQL injection vulnerability if the similarity value meets a preset condition.
  • Further, the construction module 20 is further configured to construct a request with a logically true condition for each detection point in the URL request, recorded as the first true request, and to construct a request with a logically false condition for each detection point in the URL request, recorded as the first false request, so as to form a sequence request including the first true request and the first false request.
  • Further, the construction module 20 is further configured to construct a request with a logically false condition for each detection point in the URL request, recorded as the first false request; to construct a confirmation request with a logically true condition for the first true request, recorded as the second true request; and to construct a confirmation request with a logically false condition for the first false request, recorded as the second false request, so as to form a sequence request including the first true request, the first false request, the second true request and the second false request.
  • Further, the determining module 10 includes:
  • a first judging unit, configured to determine, if the first Jaccard coefficient between the first response page corresponding to the URL request and the second response page corresponding to the first true request is greater than a first threshold, whether the second Jaccard coefficient between the first response page and the third response page corresponding to the first false request is less than a second threshold;
  • a first determining unit, configured to determine that the URL request has a SQL injection vulnerability if the second Jaccard coefficient is less than the second threshold.
  • Further, the determining module 10 includes:
  • a second judging unit, configured to determine, if the first Jaccard coefficient between the first response page corresponding to the URL request and the second response page corresponding to the first true request is greater than the first threshold, whether the second Jaccard coefficient between the first response page and the third response page corresponding to the first false request is less than the second threshold;
  • a second determining unit, configured to determine the third Jaccard coefficient between the first response page and the fourth response page corresponding to the second true request if the second Jaccard coefficient is less than the second threshold;
  • a first calculation unit, configured to calculate the first difference between the third Jaccard coefficient and the first Jaccard coefficient;
  • the second determining unit is further configured to determine the fourth Jaccard coefficient between the first response page and the fifth response page corresponding to the second false request if the first difference is less than the third threshold;
  • the first calculation unit is further configured to calculate the second difference between the fourth Jaccard coefficient and the second Jaccard coefficient;
  • the second determining unit is further configured to determine that the URL request has a SQL injection vulnerability if the second difference is less than the fourth threshold.
  • Further, the analysis module 40 includes:
  • a second calculation unit, configured to calculate the Jaccard coefficient between the first response page corresponding to the URL request and each sequence response page corresponding to the sequence request;
  • a third determining unit, configured to use each Jaccard coefficient as the similarity value between the first response page and the corresponding sequence response page.
  • Further, the second calculation unit includes:
  • a calculation subunit, configured to calculate the intersection and the union of the elements of the first response page and of each sequence response page, and to divide the intersection by the corresponding union to obtain the corresponding Jaccard coefficient.
  • FIG. 3 is a schematic structural diagram of a hardware operating environment involved in a solution of an embodiment of the present application.
  • FIG. 3 is a schematic diagram of the hardware operating environment of the SQL injection vulnerability detection device.
  • the SQL injection vulnerability detection device in the embodiment of the present application may be a terminal device such as a PC or a portable computer.
  • the SQL injection vulnerability detection device may include: a processor 1001, such as a CPU, a memory 1005, a user interface 1003, a network interface 1004, and a communication bus 1002.
  • the communication bus 1002 is used to implement connection communication between these components.
  • the user interface 1003 may include a display (Display), an input unit such as a keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface and a wireless interface.
  • the network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a WI-FI interface).
  • the memory 1005 may be a high-speed RAM memory or a non-volatile memory (non-volatile memory), such as a disk memory.
  • the memory 1005 may optionally be a storage device independent of the foregoing processor 1001.
  • the SQL injection vulnerability detection device may also include a camera, an RF (Radio Frequency) circuit, a sensor, an audio circuit, a WiFi module, and so on.
  • the structure of the SQL injection vulnerability detection device shown in FIG. 3 does not constitute a limitation on the SQL injection vulnerability detection device, and may include more or fewer components than the illustration, or a combination of certain components, Or different component arrangements.
  • the memory 1005 as a computer storage medium may include an operating system, a network communication module, a user interface module, and computer-readable instructions.
  • the operating system is a program that manages and controls the hardware and software resources of the SQL injection vulnerability detection device, and supports the operation of computer-readable instructions and other software or programs.
  • the user interface 1003 is mainly used to connect to a terminal held by the user and perform data communication with that terminal;
  • the network interface 1004 is mainly used to connect to the background server and perform data communication with the background server;
  • the processor 1001 can be used to call the computer-readable instructions stored in the memory 1005 and execute the steps of the SQL injection vulnerability detection method described above.
  • the specific implementation of the SQL injection vulnerability detection device of the present application is basically the same as the above embodiments of the SQL injection vulnerability detection method, which will not be repeated here.
  • embodiments of the present application also provide a computer-readable storage medium on which computer-readable instructions are stored; when the computer-readable instructions are executed by a processor, the steps of the SQL injection vulnerability detection method described above are implemented.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)
  • Computer And Data Communications (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

An SQL injection vulnerability detection method, apparatus and device, and a readable storage medium, the method comprising the steps of: determining a detection point of a uniform resource locator (URL) request for a website to be tested after obtaining the URL request, and constructing a sequence request for Boolean logic parameters corresponding to the detection point (S10); acquiring response pages obtained after executing the URL request and the sequence request, and performing similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and a response page corresponding to each request in the sequence request (S20); and if the similarity value satisfies a preset condition, determining that an SQL injection vulnerability exists in the URL request (S30). With the present method, whether the SQL injection vulnerability exists in the URL request or not is determined according to the similarity between the response pages, and the accuracy rate of detecting SQL injection vulnerability is thus improved.

Description

SQL injection vulnerability detection method, apparatus, device and readable storage medium
This application claims priority to the Chinese patent application filed with the China Patent Office on October 11, 2018, with application number 201811188829.3 and the title "SQL injection vulnerability detection method, apparatus, device and readable storage medium", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communication technology, and in particular to a SQL injection vulnerability detection method, apparatus, device and readable storage medium.
Background
Current methods for detecting SQL (Structured Query Language) injection vulnerabilities are based on Boolean judgment. In terms of the detection request sequence, the current Boolean-judgment method usually issues the original URL request once, then one request whose parameter value is constructed to make the SQL statement logically true, and one request whose parameter value is constructed to make it logically false, three requests in total. When comparing the website's response pages for these requests, it usually judges whether a SQL injection vulnerability exists from the length of the response message (Content-Length). However, because of unstable factors such as network fluctuation and changes in server load, and because of the dynamic web pages of the Web 2.0 era, the accuracy of detecting whether a URL request has a SQL injection vulnerability through this kind of Boolean judgment is low.
Summary of the invention
The main purpose of the present application is to provide a SQL injection vulnerability detection method, apparatus, device and readable storage medium, aiming to solve the technical problem of the low accuracy of existing SQL injection vulnerability detection.
To achieve the above purpose, the present application provides a SQL injection vulnerability detection method, which includes the steps of:
after obtaining a uniform resource locator (URL) request for the website to be tested, determining the detection point of the URL request, and constructing a sequence request of Boolean logic parameters corresponding to the detection point;
obtaining the response pages obtained after executing the URL request and the sequence request, and performing similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request;
if the similarity value satisfies a preset condition, determining that the URL request has a SQL injection vulnerability.
In addition, to achieve the above purpose, the present application also provides a SQL injection vulnerability detection apparatus, which includes:
a determining module, configured to determine the detection point of a URL request after obtaining the URL request for the website to be tested;
a constructing module, configured to construct a sequence request of Boolean logic parameters corresponding to the detection point;
an obtaining module, configured to obtain the response pages obtained after executing the URL request and the sequence request;
an analysis module, configured to perform similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request;
the determining module is further configured to determine that the URL request has a SQL injection vulnerability if the similarity value satisfies a preset condition.
In addition, to achieve the above purpose, the present application also provides a SQL injection vulnerability detection device, which includes a memory, a processor, and computer-readable instructions stored on the memory and runnable on the processor; when the computer-readable instructions are executed by the processor, the steps of the SQL injection vulnerability detection method described above are implemented.
In addition, to achieve the above purpose, the present application also provides a computer-readable storage medium on which computer-readable instructions are stored; when the computer-readable instructions are executed by a processor, the steps of the SQL injection vulnerability detection method described above are implemented.
In the present application, a sequence request of Boolean logic parameters corresponding to the detection point of a URL request is constructed; the URL request and each request in the sequence request are executed; the response pages obtained after executing them are obtained; similarity analysis is performed on the response pages to obtain the similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request; and if the similarity value satisfies a preset condition, it is determined that the URL request has a SQL injection vulnerability. Judging whether a URL request has a SQL injection vulnerability from the similarity between response pages improves the accuracy of detecting SQL injection vulnerabilities.
Brief description of the drawings
FIG. 1 is a schematic flowchart of a preferred embodiment of the SQL injection vulnerability detection method of the present application;
FIG. 2 is a functional block diagram of a preferred embodiment of the SQL injection vulnerability detection apparatus of the present application;
FIG. 3 is a schematic structural diagram of the hardware operating environment involved in the embodiments of the present application.
The realization of the purpose, the functional characteristics and the advantages of the present application will be further described with reference to the embodiments and the accompanying drawings.
Detailed description
It should be understood that the specific embodiments described here are only used to explain the present application and are not intended to limit it.
The present application provides a SQL injection vulnerability detection method. Referring to FIG. 1, FIG. 1 is a schematic flowchart of a preferred embodiment of the SQL injection vulnerability detection method of the present application.
The embodiments of the present application provide embodiments of the SQL injection vulnerability detection method. It should be noted that although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in an order different from the one given here.
The SQL injection vulnerability detection method is applied in a server or a terminal. The terminal may be a mobile terminal such as a mobile phone, tablet computer, notebook computer, palmtop computer or personal digital assistant (PDA), or a fixed terminal such as a digital TV or desktop computer. For ease of description, the executing entity is omitted when the embodiments of the SQL injection vulnerability detection method are described. The SQL injection vulnerability detection method includes:
Step S10: after obtaining a uniform resource locator (URL) request for the website to be tested, determine the detection point of the URL request, and construct a sequence request of Boolean logic parameters corresponding to the detection point.
After the URL request for the website to be tested is obtained, the detection points in the URL request are determined, and a sequence request of Boolean logic parameters corresponding to each detection point is constructed. A URL request corresponds to at least one detection point. A URL detection point is any place in the HTTP (Hyper Text Transfer Protocol) request that is sent to the website when the URL is accessed where a user can construct input: for example a GET parameter, a POST form parameter, a data value in a POST JSON (JavaScript Object Notation) body, or a request header field. If a URL request is http://www.test.com/test?param_a=1, the GET parameter param_a is a detection point. The URL request is the initial request into the website, obtained by means such as a web crawler or captured network traffic.
It should be noted that the constructed sequence request of Boolean logic parameters includes at least one URL request with a logically true condition and one URL request with a logically false condition. If the URL request has several detection points, a corresponding sequence request of Boolean logic parameters is constructed for each detection point separately. For the URL request described above, a request with a logically true parameter value is constructed at the parameter value of the detection point param_a, that is, a URL request with a logically true condition, which can be written as http://www.test.com/test?param_a=1 and 1=1, where "and 1=1" is the constructed Boolean-true SQL (Structured Query Language) statement; and a request with a logically false parameter value is constructed at the parameter value of the detection point param_a, that is, a URL request with a logically false condition, which can be written as http://www.test.com/test?param_a=1 and 1=2, where "and 1=2" is the constructed Boolean-false SQL statement.
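How the sequence requests of step S10 can be built for every detection point, as an added example in Python that is not part of the application's text or the applicant's code: for each GET parameter one logically true and one logically false request are produced while the other parameters keep their original values, and, going beyond the page's GET example, the same construction is applied to each top-level value of a POST JSON body. The payload strings "and 1=1" / "and 1=2" are the page's own; the function names, the JSON handling and the treatment of a numeric JSON value as a string are assumptions of the example.

```python
"""Construct the Boolean-logic sequence requests of step S10 for each detection point.

Added example, not the applicant's code. Function names and the handling of
non-GET detection points are assumptions of the example.
"""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Payloads from the page's own example: a Boolean-true and a Boolean-false condition.
TRUE_PAYLOAD = " and 1=1"
FALSE_PAYLOAD = " and 1=2"


def get_detection_points(url):
    """Every GET parameter of the URL is a detection point (positions kept, duplicates allowed)."""
    return [name for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def build_get_sequence_requests(url):
    """For each GET parameter return {"point", "true", "false"}: the two requests of its sequence.

    Only the parameter under test is modified; the other parameters keep their original
    values so that the three responses differ only by the injected condition.
    """
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    sequence = []
    for idx, (name, value) in enumerate(params):
        variants = {"point": name}
        for label, payload in (("true", TRUE_PAYLOAD), ("false", FALSE_PAYLOAD)):
            mutated = list(params)
            mutated[idx] = (name, value + payload)
            # urlencode percent-encodes the space and the '=' inside the payload
            variants[label] = urlunsplit(parts._replace(query=urlencode(mutated)))
        sequence.append(variants)
    return sequence


def build_json_sequence_requests(body):
    """Same construction for a POST JSON body: each top-level scalar value is a detection point.

    Assumption of the example: the payload is appended as text, so a numeric value becomes
    a string. Whether the back end still concatenates it into SQL is exactly what the
    response-similarity test of steps S20/S30 has to decide.
    """
    sequence = []
    for key, value in body.items():
        if isinstance(value, bool) or not isinstance(value, (str, int, float)):
            continue  # nested objects and arrays would need recursion; not shown here
        variants = {"point": key}
        for label, payload in (("true", TRUE_PAYLOAD), ("false", FALSE_PAYLOAD)):
            mutated = dict(body)
            mutated[key] = f"{value}{payload}"
            variants[label] = json.dumps(mutated)
        sequence.append(variants)
    return sequence


if __name__ == "__main__":
    for req in build_get_sequence_requests("http://www.test.com/test?param_a=1&param_b=x"):
        print(req["point"], req["true"], req["false"])
```

Because the payload contains a space and an equals sign, the true request for param_a is emitted as `param_a=1+and+1%3D1`; the web server decodes this back to the `param_a=1 and 1=1` form shown on the page before the value reaches the application.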
Step S20: obtain the response pages obtained after executing the URL request and the sequence request, and perform similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request.
After the sequence request of Boolean logic parameters corresponding to the detection point of the URL request is constructed, the URL request is executed against the website under test, and each URL request in the sequence request is executed against the website under test, giving the corresponding response pages; similarity analysis is then performed on the response pages to obtain a similarity value between the response page of the URL request and the response page of each request in the sequence request. It should be noted that each request corresponds to one response page; therefore at least three response pages are obtained in the embodiments of the present application: the response page of the URL request, the response page of the logically true URL request, and the response page of the logically false URL request. The algorithms that can be used for the similarity analysis include, but are not limited to, cosine distance, Euclidean distance and the Jaccard coefficient.
Further, step S20 includes:
Step a: obtain the response pages obtained after executing the URL request and the sequence request, and calculate the Jaccard coefficient between the first response page corresponding to the URL request and each sequence response page corresponding to the sequence request.
Specifically, the response page obtained after executing the URL request is recorded as the first response page, the response page obtained after executing each request in the sequence request is recorded as a sequence response page, and the Jaccard coefficient between the first response page and each sequence response page is calculated. The Jaccard coefficient is defined as the ratio of the size of the intersection of set A and set B to the size of their union:
J(A, B) = |A ∩ B| / |A ∪ B|
When both set A and set B are empty, the Jaccard coefficient J(A, B) is defined as 1. J(A, B) ∈ [0, 1]; the closer J(A, B) is to 1, the more similar the response page corresponding to set A and the response page corresponding to set B are, and when J(A, B) = 1 the two response pages have the same set of elements.
Further, step a includes:
Step a1: obtain the response pages obtained after executing the URL request and the sequence request, and split the text of the first response page and of each sequence response page into character segments according to preset line breaks.
Specifically, the first response page obtained after executing the URL request and the sequence response page obtained after executing each request in the sequence request are obtained, the text in the first response page and in each sequence response page is extracted, and the text of each is split into character segments at the line breaks in the text. It should be noted that when a response page is generated, the corresponding line breaks are generated automatically in its text. When the first response page and a sequence response page are of different types, their line breaks differ as well. For example, the line break of an HTML (Hyper Text Markup Language) document is <br>: <br> inserts a single line break, and the <br> tag is an empty tag (meaning it has no end tag, so <br></br> is wrong). In XHTML (eXtensible Hyper Text Markup Language) the closing slash is placed inside the opening tag, that is, <br/>. The line break of a Word document is a line-break symbol: it makes the following text display on a new line, but it is not a true paragraph mark and does not really start a new paragraph, so text separated by a line break is still within one paragraph, and none of the paragraph-based operations of a Word document treat a line break as the end of a paragraph.
Further, to improve the efficiency of obtaining the elements of the first response page and the sequence response pages, after the first response page and the sequence response pages are obtained it is judged whether each of them is an HTML document. When a response page is determined to be an HTML document, DOM (Document Object Model) parsing is performed on the HTML document to generate the DOM tree of the response page, text is extracted from the DOM nodes of the DOM tree to obtain the text of the response page, and that text is then split into character segments at the line breaks. When a response page is determined not to be an HTML document, the text of that response page is split into character segments directly according to the corresponding preset line break.
Specifically, the process of detecting whether a response page is an HTML document is: detect whether the response page carries HTML tags. The HTML DOM defines a standard way of accessing and manipulating HTML documents, and the DOM represents an HTML document as a tree structure. It should be noted that the HTML tags are preset and stored according to the tree-structured representation of HTML documents. If HTML tags are detected in the response page, the response page is determined to be an HTML document; if no HTML tags are detected in the response page, it is determined not to be an HTML document.
Step a2: split the character segments into strings according to preset separators, thereby obtaining the elements corresponding to the first response page and to the sequence response pages.
After the character segments of the first response page and of the sequence response pages are obtained, the character segments are split into strings according to the preset separators, which gives the elements of the set corresponding to the first response page and the elements of the set corresponding to each sequence response page. The separators include, but are not limited to, the spaces, commas, semicolons, periods, exclamation marks and question marks in the character segments. It can be understood that the strings of the first response page are the elements of the set corresponding to the first response page, the strings of a sequence response page are the elements of the set corresponding to that sequence response page, and in both cases one string is one element.
Step a3: calculate the intersection and the union of the elements of the first response page and of each sequence response page, and divide the intersection by the corresponding union to obtain the corresponding Jaccard coefficient.
After the elements of the sets corresponding to the first response page and to the sequence response pages are obtained, the intersection and the union of the elements of the first response page and of each sequence response page are calculated, and the size of the calculated intersection is divided by the size of the corresponding union to obtain the corresponding Jaccard coefficient. In terms of the definition of the Jaccard coefficient given above, A denotes the set of elements of the first response page and B the set of elements of one of the sequence response pages.
Step b: take each Jaccard coefficient as the similarity value between the first response page and the corresponding sequence response page.
After the Jaccard coefficient between the first response page and each sequence response page has been calculated, it is taken as the similarity value between the first response page and that sequence response page. It can be understood that the closer the Jaccard coefficient is to 1, the more similar the first response page and the corresponding sequence response page are; the closer it is to 0, the less similar they are.
Step S30: if the similarity value satisfies a preset condition, determine that the URL request has a SQL injection vulnerability.
In the embodiments of the present application, the preset condition differs according to the number of URL requests in the sequence request, that is, according to the number of sequence response pages. When the similarity value is determined to satisfy the preset condition, it is determined that the URL request has a SQL injection vulnerability, that is, that the website under test has a SQL injection vulnerability. A SQL injection vulnerability arises when a web application fails to validate its input properly, so that an attacker can inject a maliciously constructed SQL statement through an input point of the web application into the back-end database, where it is executed, thereby attacking the database. WEB is short for World Wide Web, also called the web and commonly referred to as websites; it is a global, dynamic, interactive, cross-platform distributed graphical information system based on hypertext and HTTP.
In this embodiment, a sequence request of Boolean logic parameters corresponding to the detection point of a URL request is constructed; the URL request and each request in the sequence request are executed; the response pages obtained after executing them are obtained; similarity analysis is performed on the response pages to obtain the similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request; and if the similarity value satisfies a preset condition, it is determined that the URL request has a SQL injection vulnerability. Judging whether a URL request has a SQL injection vulnerability from the similarity between response pages improves the accuracy of detecting SQL injection vulnerabilities.
Further, a second embodiment of the SQL injection vulnerability detection method of the present application is proposed.
The second embodiment of the SQL injection vulnerability detection method differs from the first embodiment in that the method further includes:
Step c: for each detection point in the URL request, construct one request with a logically true condition, recorded as a first true request.
In the process of constructing the sequence request of Boolean logic parameters corresponding to the detection point of the URL request, a URL request with a logically true condition is constructed for each detection point in the URL request and recorded as a first true request.
Step d: for each detection point in the URL request, construct one request with a logically false condition, recorded as a first false request, so as to form a sequence request including the first true request and the first false request.
A URL request with a logically false condition is constructed for each detection point in the URL request and recorded as a first false request. The first true request and the first false request together form the sequence request corresponding to the detection point of the URL request.
Step S30 includes:
Step e: if it is determined that the first Jaccard coefficient, between the first response page corresponding to the URL request and the second response page corresponding to the first true request, is greater than a first threshold, judge whether the second Jaccard coefficient, between the first response page and the third response page corresponding to the first false request, is less than a second threshold.
After the first true request and the first false request are obtained, the URL request, the first true request and the first false request are executed against the website under test, giving the first response page obtained from the URL request, the second response page obtained from the first true request, and the third response page obtained from the first false request. The Jaccard coefficient between the first response page and the second response page is calculated and recorded as the first Jaccard coefficient, and the Jaccard coefficient between the first response page and the third response page is calculated and recorded as the second Jaccard coefficient.
It can be understood that the first Jaccard coefficient and the second Jaccard coefficient are the similarity values between the corresponding response pages. After they are obtained, it is judged whether the first and second Jaccard coefficients satisfy the preset condition. Specifically, it is judged whether the first Jaccard coefficient is greater than the first threshold. If it is, it is judged whether the second Jaccard coefficient is less than the second threshold. If the first Jaccard coefficient is less than or equal to the first threshold, the detection point of the URL request under test has no SQL injection vulnerability; it is then judged whether the URL request has detection points that have not yet been tested, and if so, the same method is used to continue testing the remaining detection points of the URL request, until, when none of the detection points of the URL request has a SQL injection vulnerability, it is determined that the URL request has no SQL injection vulnerability.
其中,第一阈值和第二阈值可根据具体需要而设置,第一阈值和第二阈值可以相等,也可以不相等。如可将第一阈值和第二阈值都设置为0.99,或者将第一阈值设置为0.99,第二阈值设置为0.98等。The first threshold and the second threshold may be set according to specific needs, and the first threshold and the second threshold may be equal or different. For example, both the first threshold and the second threshold can be set to 0.99, or the first threshold can be set to 0.99, the second threshold can be set to 0.98, and so on.
需要说明的是,响应页面可能是动态变化的,变化的原因可能是待测试网站当前时间、当前天气状态等的改变所导致的;或者是由于网络波动,导致响应页面中的部分内容还未加载完毕所导致的。但是正常情况下,响应页面改变的内容是很小的,所以第一响应页面和第二响应页面之间的相似度会很高。It should be noted that the response page may change dynamically. The reason for the change may be caused by changes in the current time and current weather status of the website to be tested; or due to network fluctuations, some content in the response page has not been loaded. Caused by the completion. However, under normal circumstances, the content of the response page is very small, so the similarity between the first response page and the second response page will be high.
步骤f,若所述第二杰卡德系数小于所述第二阈值,则确定所述URL请求存在SQL注入漏洞。Step f: If the second Jaccard coefficient is less than the second threshold, it is determined that there is a SQL injection vulnerability in the URL request.
若确定第二杰卡德系数小于第二阈值,则确定该URL请求对应检测点存在SQL注入漏洞,即该URL请求存在SQL注入漏洞;若确定第二杰卡德系数大于或者等于第二阈值,则确定该URL请求中对应检测点不存在SQL注入漏洞。If it is determined that the second Jaccard coefficient is less than the second threshold, it is determined that there is a SQL injection vulnerability in the corresponding detection point of the URL request, that is, the URL request has SQL injection vulnerability; if it is determined that the second Jaccard coefficient is greater than or equal to the second threshold, It is determined that there is no SQL injection vulnerability at the corresponding detection point in the URL request.
需要说明的是,通过对第一响应页面和第二响应页面做相似度分析,来判断当前测试环境是否稳定,其中,测试环境包括网络环境和服务器环境等。可以理解的是,第二响应页面对应的URL请求为真请求,若测试环境稳定,第一响应页面和第二响应页面之间的相似度应趋近于1,或者等于1,因此,第一阈值应设置为趋近于1,或者等于1的数值。通过对第一响应页面和第三响应页面做相似度分析,来判断URL请求中对应的检测点是否因执行了SQL语句而可能存在SQL注入漏洞。可以理解的是,若构造的布尔逻辑假的SQL语句在待测试网站服务器后台被执行,那URL请求与第一假请求之间的响应页面应该有所差别,甚至完全不相同,因此,第二阈值应设置为趋近于1,或者等于1的数值。It should be noted that the similarity analysis is performed on the first response page and the second response page to determine whether the current test environment is stable. The test environment includes a network environment and a server environment. It can be understood that the URL request corresponding to the second response page is a true request. If the test environment is stable, the similarity between the first response page and the second response page should be close to 1, or equal to 1, therefore, the first The threshold should be set to a value close to 1, or equal to 1. By performing similarity analysis on the first response page and the third response page, it is determined whether the corresponding detection point in the URL request may have a SQL injection vulnerability due to the execution of the SQL statement. It can be understood that if the constructed Boolean logic fake SQL statement is executed in the background of the website server to be tested, the response page between the URL request and the first fake request should be different, or even completely different, so the second The threshold should be set to a value close to 1, or equal to 1.
本实施例通过构造一个真请求和一个假请求,然后分析URL请求对应的响应页面与第一真请求对应响应页面之间的第一杰卡德系数与第一阈值之间的关系,以及分析URL请求对应的响应页面与第一假请求对应响应页面之间的第二杰卡德系数与第二阈值之间的关系,当第一杰卡德系数大于第一阈值,且第二杰卡德系数小于第二阈值时,确定URL请求存在SQL注入漏洞,提高了检测SQL注入漏洞的准确率。In this embodiment, by constructing a true request and a false request, and then analyzing the relationship between the first Jaccard coefficient and the first threshold between the response page corresponding to the URL request and the response page corresponding to the first true request, and analyzing the URL The relationship between the second Jackard coefficient and the second threshold between the response page corresponding to the request and the response page corresponding to the first fake request, when the first Jackard coefficient is greater than the first threshold and the second Jackard coefficient When it is less than the second threshold, it is determined that there is a SQL injection vulnerability in the URL request, which improves the accuracy of detecting the SQL injection vulnerability.
Further, a third embodiment of the SQL injection vulnerability detection method of the present application is proposed.
The third embodiment of the SQL injection vulnerability detection method differs from the first or second embodiment in that step d includes:
Step d1: for each detection point in the URL request, construct a request carrying a logically false condition, denoted the first false request, and construct for the first true request a confirmation request carrying a logically true condition, denoted the second true request.
A URL request carrying a logically false condition is constructed for each detection point in the URL request and denoted the first false request, and a URL confirmation request carrying a logically true condition is constructed for the first true request and denoted the second true request.
Step d2: construct for the first false request a confirmation request carrying a logically false condition, denoted the second false request, so as to form a sequence request comprising the first true request, the first false request, the second true request and the second false request.
After the first false request is constructed, a URL confirmation request carrying a logically false condition is constructed for it and denoted the second false request, and the first true request, first false request, second true request and second false request are assembled into the sequence request. Note that this embodiment does not restrict the order in which the first true request, first false request, second true request and second false request are constructed. With reference to the URL request described in the first embodiment, the corresponding first true request may be http://www.test.com/test?param_a=1 and 1=1, where "and 1=1" is the constructed Boolean-true SQL statement; the first false request may be http://www.test.com/test?param_a=1 and 1=2, where "and 1=2" is the constructed Boolean-false SQL statement; the second true request may be http://www.test.com/test?param_a=1 and 3*3=9, where "and 3*3=9" is the constructed Boolean-true SQL statement and differs from the first constructed true condition "and 1=1"; and the second false request may be http://www.test.com/test?param_a=1 and 3*3=8, where "and 3*3=8" is the constructed Boolean-false SQL statement and differs from the first constructed false condition "and 1=2". Thus the Boolean SQL statements of the first true request and the second true request differ, as do those of the first false request and the second false request.
Step S30 further includes:
Step g: if the first Jaccard coefficient between the first response page corresponding to the URL request and the second response page corresponding to the first true request is determined to be greater than a first threshold, determine whether the second Jaccard coefficient between the first response page and the third response page corresponding to the first false request is less than a second threshold.
Once the first true request, second true request, first false request and second false request have been constructed, the URL request, the first true request, the first false request, the second true request and the second false request are executed against the website under test, yielding the first response page (from the URL request), the second response page (from the first true request), the third response page (from the first false request), the fourth response page (from the second true request) and the fifth response page (from the second false request). The Jaccard coefficient between the first and second response pages is computed and denoted the first Jaccard coefficient, and the Jaccard coefficient between the first and third response pages is computed and denoted the second Jaccard coefficient. If the first Jaccard coefficient is greater than the first threshold, it is determined whether the second Jaccard coefficient is less than the second threshold.
Step h: if the second Jaccard coefficient is less than the second threshold, determine the third Jaccard coefficient between the first response page and the fourth response page corresponding to the second true request, and compute the first difference between the third Jaccard coefficient and the first Jaccard coefficient.
If the second Jaccard coefficient is less than the second threshold, the third Jaccard coefficient between the first and fourth response pages is computed, the difference between the third and first Jaccard coefficients is computed and denoted the first difference, and it is determined whether the first difference is less than a third threshold. The third threshold may be set according to specific needs, for example to 0.01. Note that, for ease of comparison, the first difference is the absolute value of the difference between the third and first Jaccard coefficients.
Step i: if the first difference is less than the third threshold, determine the fourth Jaccard coefficient between the first response page and the fifth response page corresponding to the second false request, and compute the second difference between the fourth Jaccard coefficient and the second Jaccard coefficient.
If the first difference is less than the third threshold, the fourth Jaccard coefficient between the first response page and the fifth response page (corresponding to the second false request) is computed, and the second Jaccard coefficient is subtracted from it to obtain the difference between the fourth and second Jaccard coefficients, denoted the second difference. Note that, for ease of comparison, the second difference is the absolute value of the difference between the fourth and second Jaccard coefficients.
After the second difference is computed, it is determined whether it is less than a fourth threshold. The fourth threshold may or may not be equal to the third threshold. Further, if the first difference is greater than or equal to the third threshold, the corresponding detection point in the URL request is determined to have no SQL injection vulnerability.
Step j: if the second difference is less than the fourth threshold, determine that the URL request has a SQL injection vulnerability.
If the second difference is less than the fourth threshold, the corresponding detection point in the URL request is determined to have a SQL injection vulnerability, that is, the website under test has a SQL injection vulnerability. Further, if the second difference is greater than or equal to the fourth threshold, the corresponding detection point in the URL request is determined to have no SQL injection vulnerability.
Note that the computation of the Jaccard coefficient has been described in detail in the first embodiment and is not repeated here. The similarity analysis between the first and fourth response pages confirms the stability of the current test environment and provides a second confirmation of the execution result of the logically true SQL injection condition. The similarity analysis between the first and fifth response pages confirms a second time whether the corresponding detection point in the URL request has a SQL injection vulnerability because the SQL statement was executed.
To demonstrate the stability of the test environment of the SQL injection vulnerability detection and to guarantee the validity of the previous (first true request) logically true test, a second confirmation request with a logically true condition is issued. If the test environment of this (second true request) detection is stable and a SQL injection vulnerability really exists, the third Jaccard coefficient will certainly be very close or equal to the first Jaccard coefficient; the absolute value of their difference will therefore be a value close to or equal to 0, from which it follows that the third threshold should be set to 0 or a value close to 0.
To demonstrate the stability of the test environment of the SQL injection vulnerability detection and to guarantee the validity of the previous (first false request) logically false test, a second confirmation request with a logically false condition is issued. If the test environment of this (second false request) detection is stable and a SQL injection vulnerability really exists, the fourth Jaccard coefficient will certainly be very close or equal to the second Jaccard coefficient; the absolute value of their difference will therefore be a value close to or equal to 0, so the fourth threshold should be set to 0 or a value close to 0.
In this embodiment, two true requests and two false requests are constructed; the second true request confirms the first true request, guaranteeing the validity of the logically true test corresponding to the first true request, and the second false request confirms the first false request, guaranteeing the validity of the logically false test corresponding to the first false request. This further improves the accuracy of SQL injection vulnerability detection and lowers its false positive rate and false negative rate. In web security vulnerability detection, a false negative is a URL request that is in fact vulnerable but is not detected as such, and a false positive is a URL request that is in fact not vulnerable but is wrongly detected as vulnerable.
In addition, referring to FIG. 2, the present application also provides a SQL injection vulnerability detection apparatus, which includes:
a determining module 10, configured to determine, after a uniform resource locator (URL) request of the website under test is obtained, the detection point of the URL request;
a constructing module 20, configured to construct the sequence request corresponding to the Boolean logic parameter of the detection point;
an obtaining module 30, configured to obtain the response pages obtained after executing the URL request and the sequence request;
an analysing module 40, configured to perform similarity analysis on the response pages to obtain the similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request;
the determining module 10 being further configured to determine that the URL request has a SQL injection vulnerability if the similarity values satisfy the preset condition.
Further, the constructing module 20 is further configured to construct, for each detection point in the URL request, a request carrying a logically true condition, denoted the first true request, and a request carrying a logically false condition, denoted the first false request, so as to form a sequence request comprising the first true request and the first false request.
Further, the constructing module 20 is further configured to construct, for each detection point in the URL request, a request carrying a logically false condition, denoted the first false request, and to construct for the first true request a confirmation request carrying a logically true condition, denoted the second true request; and to construct for the first false request a confirmation request carrying a logically false condition, denoted the second false request, so as to form a sequence request comprising the first true request, the first false request, the second true request and the second false request.
Further, the determining module 10 further includes:
a first judging unit, configured to determine, if the first Jaccard coefficient between the first response page corresponding to the URL request and the second response page corresponding to the first true request is greater than a first threshold, whether the second Jaccard coefficient between the first response page and the third response page corresponding to the first false request is less than a second threshold;
a first determining unit, configured to determine that the URL request has a SQL injection vulnerability if the second Jaccard coefficient is less than the second threshold.
Further, the determining module 10 further includes:
a second judging unit, configured to determine, if the first Jaccard coefficient between the first response page corresponding to the URL request and the second response page corresponding to the first true request is greater than a first threshold, whether the second Jaccard coefficient between the first response page and the third response page corresponding to the first false request is less than a second threshold;
a second determining unit, configured to determine, if the second Jaccard coefficient is less than the second threshold, the third Jaccard coefficient between the first response page and the fourth response page corresponding to the second true request;
a first computing unit, configured to compute the first difference between the third Jaccard coefficient and the first Jaccard coefficient;
the second determining unit being further configured to determine, if the first difference is less than a third threshold, the fourth Jaccard coefficient between the first response page and the fifth response page corresponding to the second false request;
the first computing unit being further configured to compute the second difference between the fourth Jaccard coefficient and the second Jaccard coefficient;
the second determining unit being further configured to determine that the URL request has a SQL injection vulnerability if the second difference is less than a fourth threshold.
Further, the analysing module 40 includes:
a second computing unit, configured to compute the Jaccard coefficient between the first response page corresponding to the URL request and each sequence response page corresponding to the sequence request;
a third determining unit, configured to take each Jaccard coefficient as the similarity value between the first response page and the corresponding sequence response page.
Further, the second computing unit includes:
a splitting sub-unit, configured to split the text of the first response page and of each sequence response page into character segments at a preset newline character, and to split each character segment into strings at a preset separator, thereby obtaining the elements of the first response page and of each sequence response page;
a computing sub-unit, configured to compute the intersection and the union of the elements of the first response page and of each sequence response page, and to divide the size of the intersection by the size of the corresponding union to obtain the corresponding Jaccard coefficient.
Note that the embodiments of the SQL injection vulnerability detection apparatus are substantially the same as the embodiments of the SQL injection vulnerability detection method described above and are not described in detail again here.
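The decision procedure of steps e through j, carried through on constructed response pages with the Jaccard coefficient computed as the splitting and computing sub-units describe, as an added example that is not the patent's own code; the threshold values, page texts and helper names are assumptions:

```python
"""Boolean-condition SQL injection decision over response-page similarity.

Added example, not code from the patent.  Assumed: threshold values (the
0.99 / 0.01 figures quoted in the text), the sample page texts, and all
function and class names.  Runs offline on constructed pages only.
"""
from dataclasses import dataclass
from typing import Optional, Set


def page_elements(text: str, separator: str = " ") -> Set[str]:
    """Splitting sub-unit: split page text at newlines, then each segment at
    the separator, and collect the resulting strings as a set of elements."""
    elements: Set[str] = set()
    for segment in text.split("\n"):
        for token in segment.split(separator):
            if token:  # doubled separators yield empty strings; drop them
                elements.add(token)
    return elements


def jaccard(page_a: str, page_b: str, separator: str = " ") -> float:
    """Computing sub-unit: |A intersect B| / |A union B| over page elements.
    Two pages with no elements at all are treated as identical."""
    a, b = page_elements(page_a, separator), page_elements(page_b, separator)
    union = a | b
    return len(a & b) / len(union) if union else 1.0


@dataclass(frozen=True)
class Thresholds:
    """Assumed values following the examples given in the text."""
    first: float = 0.99   # J1 must exceed this: test environment is stable
    second: float = 0.99  # J2 must stay below this: false condition altered the page
    third: float = 0.01   # |J3 - J1| must stay below this: true condition confirmed
    fourth: float = 0.01  # |J4 - J2| must stay below this: false condition confirmed


@dataclass
class Verdict:
    vulnerable: bool
    reason: str
    j1: Optional[float] = None
    j2: Optional[float] = None
    j3: Optional[float] = None
    j4: Optional[float] = None


def decide(first: str, second: str, third: str, fourth: Optional[str] = None,
           fifth: Optional[str] = None, th: Thresholds = Thresholds()) -> Verdict:
    """first..fifth are the response pages of the URL request, first true
    request, first false request, second true request and second false
    request.  Without fourth/fifth the decision stops after step f
    (second embodiment); with them it runs steps g to j (third embodiment)."""
    v = Verdict(False, "")
    v.j1 = jaccard(first, second)
    if v.j1 <= th.first:                      # step e / g: environment check
        v.reason = "test environment unstable (J1 <= first threshold)"
        return v
    v.j2 = jaccard(first, third)
    if v.j2 >= th.second:                     # step f / h gate
        v.reason = "false condition did not alter the page (J2 >= second threshold)"
        return v
    if fourth is None or fifth is None:       # second embodiment ends here
        v.vulnerable, v.reason = True, "J1 > first threshold and J2 < second threshold"
        return v
    v.j3 = jaccard(first, fourth)
    if abs(v.j3 - v.j1) >= th.third:          # step h -> i gate (first difference)
        v.reason = "second true request did not confirm the first (|J3 - J1| >= third threshold)"
        return v
    v.j4 = jaccard(first, fifth)
    if abs(v.j4 - v.j2) >= th.fourth:         # step i -> j gate (second difference)
        v.reason = "second false request did not confirm the first (|J4 - J2| >= fourth threshold)"
        return v
    v.vulnerable, v.reason = True, "both true and both false conditions confirmed"
    return v


# Constructed sample pages (not captured from any real site).
ORIGINAL_PAGE = "\n".join([
    "<html>", "<title>Shop</title>",
    "<div class=item>Widget A 10.00</div>",
    "<div class=item>Widget B 12.50</div>",
    "<div class=item>Gadget C 7.25</div>",
    "<footer>copyright shop</footer>", "</html>",
])
FALSE_PAGE = "\n".join([          # what a false condition would return: an empty listing
    "<html>", "<title>Shop</title>", "<p>No items found</p>",
    "<footer>copyright shop</footer>", "</html>",
])
UNSTABLE_PAGE = "\n".join([       # transient server error instead of the listing
    "<html>", "<title>Shop</title>",
    "<p>Service temporarily unavailable, retry later</p>", "</html>",
])

if __name__ == "__main__":
    cases = {
        "injectable parameter": decide(ORIGINAL_PAGE, ORIGINAL_PAGE, FALSE_PAGE, ORIGINAL_PAGE, FALSE_PAGE),
        "parameter never reaches SQL": decide(ORIGINAL_PAGE, ORIGINAL_PAGE, ORIGINAL_PAGE, ORIGINAL_PAGE, ORIGINAL_PAGE),
        "unstable environment": decide(ORIGINAL_PAGE, UNSTABLE_PAGE, FALSE_PAGE, ORIGINAL_PAGE, FALSE_PAGE),
        "unconfirmed false condition": decide(ORIGINAL_PAGE, ORIGINAL_PAGE, FALSE_PAGE, ORIGINAL_PAGE, ORIGINAL_PAGE),
    }
    for name, verdict in cases.items():
        print(f"{name}: vulnerable={verdict.vulnerable} ({verdict.reason})")
```

The last case shows what the third embodiment adds over the second: the same first true and first false pages would be reported as vulnerable by steps e and f alone, but the unconfirmed second false request turns the verdict into a non-finding.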
In addition, the present application also provides a SQL injection vulnerability detection device. FIG. 3 is a schematic structural diagram of the hardware operating environment involved in the solution of an embodiment of the present application.
Note that FIG. 3 may be regarded as the schematic structural diagram of the hardware operating environment of the SQL injection vulnerability detection device. In the embodiments of the present application the SQL injection vulnerability detection device may be a terminal device such as a PC or a portable computer.
As shown in FIG. 3, the SQL injection vulnerability detection device may include a processor 1001 such as a CPU, a memory 1005, a user interface 1003, a network interface 1004 and a communication bus 1002. The communication bus 1002 implements the connection and communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and may optionally also include standard wired and wireless interfaces. The network interface 1004 may optionally include standard wired and wireless interfaces (such as a Wi-Fi interface). The memory 1005 may be high-speed RAM or non-volatile memory such as disk storage, and may optionally be a storage device independent of the processor 1001.
Optionally, the SQL injection vulnerability detection device may further include a camera, an RF (radio frequency) circuit, sensors, an audio circuit, a WiFi module and so on.
Those skilled in the art will understand that the structure of the SQL injection vulnerability detection device shown in FIG. 3 does not limit the device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in FIG. 3, the memory 1005, as a computer storage medium, may contain an operating system, a network communication module, a user interface module and computer-readable instructions. The operating system is the program that manages and controls the hardware and software resources of the SQL injection vulnerability detection device and supports the execution of the computer-readable instructions and other software or programs.
In the SQL injection vulnerability detection device shown in FIG. 3, the user interface 1003 may be used to communicate data with a terminal held by the user; the network interface 1004 is mainly used to connect to and communicate data with a back-end server; and the processor 1001 may be used to call the computer-readable instructions stored in the memory 1005 and to perform the steps of the SQL injection vulnerability detection method described above.
The specific implementation of the SQL injection vulnerability detection device of the present application is substantially the same as the embodiments of the SQL injection vulnerability detection method described above and is not repeated here.
In addition, an embodiment of the present application also provides a computer-readable storage medium storing computer-readable instructions which, when executed by a processor, implement the steps of the SQL injection vulnerability detection method described above.
The specific implementation of the computer-readable storage medium of the present application is substantially the same as the embodiments of the SQL injection vulnerability detection method described above and is not repeated here.
Note that, in this document, the terms "comprise", "include" and any variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or apparatus that comprises a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or apparatus. Absent further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of further identical elements in the process, method, article or apparatus that comprises it.
The numbering of the above embodiments of the present application is for description only and does not indicate the relative merit of the embodiments.
From the description of the above embodiments, those skilled in the art will clearly understand that the methods of the above embodiments can be implemented by software together with the necessary general-purpose hardware platform, and of course also by hardware, although in many cases the former is the better implementation. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored on a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and comprising instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner, network device or the like) to perform the methods described in the embodiments of the present application.
The above are merely preferred embodiments of the present application and do not limit its patent scope; any equivalent structural or process transformation made using the contents of the description and drawings of the present application, or any direct or indirect application to other related technical fields, is likewise included within the scope of patent protection of the present application.

Claims (20)

  1. A structured query language (SQL) injection vulnerability detection method, characterized in that the SQL injection vulnerability detection method comprises the following steps:
    after a uniform resource locator (URL) request of a website to be tested is obtained, determining the detection points of the URL request, and constructing a sequence request of Boolean logic parameters corresponding to the detection points;
    obtaining the response pages returned after executing the URL request and the sequence request, and performing similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request;
    if the similarity values satisfy a preset condition, determining that the URL request has a SQL injection vulnerability.
  2. The SQL injection vulnerability detection method according to claim 1, characterized in that the step of constructing a sequence request of Boolean logic parameters corresponding to the detection points comprises:
    constructing, for each detection point in the URL request, a request with a logically true condition, denoted the first true request;
    constructing, for each detection point in the URL request, a request with a logically false condition, denoted the first false request, so as to form a sequence request comprising the first true request and the first false request.
  3. The SQL injection vulnerability detection method according to claim 2, characterized in that the step of constructing, for each detection point in the URL request, a request with a logically false condition, denoted the first false request, so as to form a sequence request comprising the first true request and the first false request, comprises:
    constructing, for each detection point in the URL request, a request with a logically false condition, denoted the first false request, and constructing, for the first true request, a confirmation request with a logically true condition, denoted the second true request;
    constructing, for the first false request, a confirmation request with a logically false condition, denoted the second false request, so as to form a sequence request comprising the first true request, the first false request, the second true request and the second false request.
  4. The SQL injection vulnerability detection method according to claim 2, characterized in that the step of determining that the URL request has a SQL injection vulnerability if the similarity values satisfy a preset condition comprises:
    if it is determined that a first Jaccard coefficient between the first response page corresponding to the URL request and the second response page corresponding to the first true request is greater than a first threshold, judging whether a second Jaccard coefficient between the first response page and the third response page corresponding to the first false request is less than a second threshold;
    if the second Jaccard coefficient is less than the second threshold, determining that the URL request has a SQL injection vulnerability.
  5. The SQL injection vulnerability detection method according to claim 3, characterized in that the step of determining that the URL request has a SQL injection vulnerability if the similarity values satisfy a preset condition comprises:
    if it is determined that a first Jaccard coefficient between the first response page corresponding to the URL request and the second response page corresponding to the first true request is greater than a first threshold, judging whether a second Jaccard coefficient between the first response page and the third response page corresponding to the first false request is less than a second threshold;
    if the second Jaccard coefficient is less than the second threshold, determining a third Jaccard coefficient between the first response page and the fourth response page corresponding to the second true request, and calculating a first difference between the third Jaccard coefficient and the first Jaccard coefficient;
    if the first difference is less than a third threshold, determining a fourth Jaccard coefficient between the first response page and the fifth response page corresponding to the second false request, and calculating a second difference between the fourth Jaccard coefficient and the second Jaccard coefficient;
    if the second difference is less than a fourth threshold, determining that the URL request has a SQL injection vulnerability.
  6. The SQL injection vulnerability detection method according to claim 1, characterized in that the step of obtaining the response pages returned after executing the URL request and the sequence request, and performing similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request, comprises:
    obtaining the response pages returned after executing the URL request and the sequence request, and calculating the Jaccard coefficient between the first response page corresponding to the URL request and each sequence response page corresponding to the sequence request;
    taking each Jaccard coefficient as the similarity value between the first response page and the corresponding sequence response page.
  7. The SQL injection vulnerability detection method according to claim 6, characterized in that the step of obtaining the response pages returned after executing the sequence request, and calculating the Jaccard coefficient between the first response page corresponding to the URL request and each sequence response page corresponding to the sequence request, comprises:
    obtaining the response pages returned after executing the URL request and the sequence request, and splitting the text of the first response page and of each sequence response page into character segments at a preset line-break character;
    splitting the character segments into strings at a preset separator, so as to obtain the elements of the first response page and of each sequence response page;
    computing the intersection and the union of the elements of the first response page and of each sequence response page, and dividing the intersection by the corresponding union to obtain the corresponding Jaccard coefficient.
  8. The SQL injection vulnerability detection method according to claim 2, characterized in that the step of obtaining the response pages returned after executing the URL request and the sequence request, and performing similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request, comprises:
    obtaining the response pages returned after executing the URL request and the sequence request, and calculating the Jaccard coefficient between the first response page corresponding to the URL request and each sequence response page corresponding to the sequence request;
    taking each Jaccard coefficient as the similarity value between the first response page and the corresponding sequence response page.
  9. The SQL injection vulnerability detection method according to claim 8, characterized in that the step of obtaining the response pages returned after executing the sequence request, and calculating the Jaccard coefficient between the first response page corresponding to the URL request and each sequence response page corresponding to the sequence request, comprises:
    obtaining the response pages returned after executing the URL request and the sequence request, and splitting the text of the first response page and of each sequence response page into character segments at a preset line-break character;
    splitting the character segments into strings at a preset separator, so as to obtain the elements of the first response page and of each sequence response page;
    computing the intersection and the union of the elements of the first response page and of each sequence response page, and dividing the intersection by the corresponding union to obtain the corresponding Jaccard coefficient.
  10. The SQL injection vulnerability detection method according to claim 3, characterized in that the step of obtaining the response pages returned after executing the URL request and the sequence request, and performing similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request, comprises:
    obtaining the response pages returned after executing the URL request and the sequence request, and calculating the Jaccard coefficient between the first response page corresponding to the URL request and each sequence response page corresponding to the sequence request;
    taking each Jaccard coefficient as the similarity value between the first response page and the corresponding sequence response page.
  11. The SQL injection vulnerability detection method according to claim 10, characterized in that the step of obtaining the response pages returned after executing the sequence request, and calculating the Jaccard coefficient between the first response page corresponding to the URL request and each sequence response page corresponding to the sequence request, comprises:
    obtaining the response pages returned after executing the URL request and the sequence request, and splitting the text of the first response page and of each sequence response page into character segments at a preset line-break character;
    splitting the character segments into strings at a preset separator, so as to obtain the elements of the first response page and of each sequence response page;
    computing the intersection and the union of the elements of the first response page and of each sequence response page, and dividing the intersection by the corresponding union to obtain the corresponding Jaccard coefficient.
  12. The SQL injection vulnerability detection method according to claim 4, characterized in that the step of obtaining the response pages returned after executing the URL request and the sequence request, and performing similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request, comprises:
    obtaining the response pages returned after executing the URL request and the sequence request, and calculating the Jaccard coefficient between the first response page corresponding to the URL request and each sequence response page corresponding to the sequence request;
    taking each Jaccard coefficient as the similarity value between the first response page and the corresponding sequence response page.
  13. The SQL injection vulnerability detection method according to claim 12, characterized in that the step of obtaining the response pages returned after executing the sequence request, and calculating the Jaccard coefficient between the first response page corresponding to the URL request and each sequence response page corresponding to the sequence request, comprises:
    obtaining the response pages returned after executing the URL request and the sequence request, and splitting the text of the first response page and of each sequence response page into character segments at a preset line-break character;
    splitting the character segments into strings at a preset separator, so as to obtain the elements of the first response page and of each sequence response page;
    computing the intersection and the union of the elements of the first response page and of each sequence response page, and dividing the intersection by the corresponding union to obtain the corresponding Jaccard coefficient.
  14. The SQL injection vulnerability detection method according to claim 5, characterized in that the step of obtaining the response pages returned after executing the URL request and the sequence request, and performing similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request, comprises:
    obtaining the response pages returned after executing the URL request and the sequence request, and calculating the Jaccard coefficient between the first response page corresponding to the URL request and each sequence response page corresponding to the sequence request;
    taking each Jaccard coefficient as the similarity value between the first response page and the corresponding sequence response page.
  15. The SQL injection vulnerability detection method according to claim 14, characterized in that the step of obtaining the response pages returned after executing the sequence request, and calculating the Jaccard coefficient between the first response page corresponding to the URL request and each sequence response page corresponding to the sequence request, comprises:
    obtaining the response pages returned after executing the URL request and the sequence request, and splitting the text of the first response page and of each sequence response page into character segments at a preset line-break character;
    splitting the character segments into strings at a preset separator, so as to obtain the elements of the first response page and of each sequence response page;
    computing the intersection and the union of the elements of the first response page and of each sequence response page, and dividing the intersection by the corresponding union to obtain the corresponding Jaccard coefficient.
  16. A SQL injection vulnerability detection apparatus, characterized in that the SQL injection vulnerability detection apparatus comprises:
    a determining module, configured to determine, after a uniform resource locator (URL) request of a website to be tested is obtained, the detection points of the URL request;
    a constructing module, configured to construct a sequence request of Boolean logic parameters corresponding to the detection points;
    an obtaining module, configured to obtain the response pages returned after executing the URL request and the sequence request;
    an analysis module, configured to perform similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request;
    the determining module being further configured to determine that the URL request has a SQL injection vulnerability if the similarity values satisfy a preset condition.
  17. The SQL injection vulnerability detection apparatus according to claim 16, characterized in that the constructing module is further configured to construct, for each detection point in the URL request, a request with a logically true condition, denoted the first true request; and to construct, for each detection point in the URL request, a request with a logically false condition, denoted the first false request, so as to form a sequence request comprising the first true request and the first false request.
  18. The SQL injection vulnerability detection apparatus according to claim 17, characterized in that the constructing module is further configured to construct, for each detection point in the URL request, a request with a logically false condition, denoted the first false request, and to construct, for the first true request, a confirmation request with a logically true condition, denoted the second true request; and to construct, for the first false request, a confirmation request with a logically false condition, denoted the second false request, so as to form a sequence request comprising the first true request, the first false request, the second true request and the second false request.
  19. A SQL injection vulnerability detection device, characterized in that the SQL injection vulnerability detection device comprises a memory, a processor, and computer-readable instructions that are stored on the memory and executable on the processor, the computer-readable instructions, when executed by the processor, implementing the following steps:
    after a uniform resource locator (URL) request of a website to be tested is obtained, determining the detection points of the URL request, and constructing a sequence request of Boolean logic parameters corresponding to the detection points;
    obtaining the response pages returned after executing the URL request and the sequence request, and performing similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request;
    if the similarity values satisfy a preset condition, determining that the URL request has a SQL injection vulnerability.
  20. A computer-readable storage medium, characterized in that computer-readable instructions are stored on the computer-readable storage medium, the computer-readable instructions, when executed by a processor, implementing the following steps:
    after a uniform resource locator (URL) request of a website to be tested is obtained, determining the detection points of the URL request, and constructing a sequence request of Boolean logic parameters corresponding to the detection points;
    obtaining the response pages returned after executing the URL request and the sequence request, and performing similarity analysis on the response pages to obtain a similarity value between the response page corresponding to the URL request and the response page corresponding to each request in the sequence request;
    if the similarity values satisfy a preset condition, determining that the URL request has a SQL injection vulnerability.
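As an added example that is not the patent's own code, the following Python implements the similarity analysis of claim 7 (split at line break, then at separator, Jaccard over the element sets) and the threshold decision of claims 4 and 5, run over constructed response pages. The threshold values, the sample pages and all function names are assumptions: the claims name four thresholds but give no values for them, and the "difference" of claim 5 is read here as an absolute difference.

```python
"""Boolean-based SQL injection verdict from response-page similarity,
following claims 4-7 above. Added illustration, not the patent's code."""
from dataclasses import dataclass
from typing import Optional, Set


def page_elements(page: str, line_break: str = "\n", separator: str = " ") -> Set[str]:
    """Claim 7: split the page text into character segments at the preset
    line break, then split each segment into strings at the preset separator.
    The strings are the page's elements (a set: order and repeats are ignored)."""
    elements: Set[str] = set()
    for segment in page.split(line_break):
        for token in segment.split(separator):
            if token:  # drop empty strings produced by repeated separators
                elements.add(token)
    return elements


def jaccard(page_a: str, page_b: str) -> float:
    """Claim 7: |A & B| / |A | B| over the element sets of two pages."""
    a, b = page_elements(page_a), page_elements(page_b)
    union = a | b
    if not union:  # two empty pages: treat as identical
        return 1.0
    return len(a & b) / len(union)


@dataclass
class Thresholds:
    # Constructed values (assumption): the claims name four thresholds
    # but give no numbers for them.
    first: float = 0.8    # true page must be at least this similar to the original
    second: float = 0.5   # false page must be less similar than this
    third: float = 0.1    # |J3 - J1| confirmation tolerance (claim 5)
    fourth: float = 0.1   # |J4 - J2| confirmation tolerance (claim 5)


def is_injectable(original: str, first_true: str, first_false: str,
                  second_true: Optional[str] = None,
                  second_false: Optional[str] = None,
                  t: Optional[Thresholds] = None) -> bool:
    """Decision logic of claim 4 (two pages) and claim 5 (confirmation pages).
    A detection point is reported only when the true-condition page looks like
    the original, the false-condition page does not, and, when confirmation
    pages are given, both effects reproduce within the tolerances."""
    t = t or Thresholds()
    j1 = jaccard(original, first_true)
    if j1 <= t.first:
        return False
    j2 = jaccard(original, first_false)
    if j2 >= t.second:
        return False
    if second_true is None or second_false is None:
        return True  # claim 4: the sequence carries no confirmation requests
    j3 = jaccard(original, second_true)
    if abs(j3 - j1) >= t.third:  # absolute difference: our reading of claim 5
        return False
    j4 = jaccard(original, second_false)
    return abs(j4 - j2) < t.fourth


# Constructed sample response pages. A per-request timestamp is included so
# that the true page is never byte-identical to the original; tolerating such
# dynamic content is what the similarity measure is for.
def _product_page(stamp: str) -> str:
    return ("<html>\n<body>\n<h1>Product 42</h1>\n<p>Price: 10.00</p>\n"
            f"<p>In stock: yes</p>\n<p>Generated 2018-12-21 {stamp}</p>\n"
            "</body>\n</html>")


def _empty_page(stamp: str) -> str:
    return ("<html>\n<body>\n<h1>No product found</h1>\n"
            f"<p>Generated 2018-12-21 {stamp}</p>\n</body>\n</html>")


ORIGINAL = _product_page("10:00:01")
# Detection point whose true/false condition changes the query result:
# first true, first false, second true, second false response pages.
VULNERABLE_SEQUENCE = (_product_page("10:00:02"), _empty_page("10:00:03"),
                       _product_page("10:00:04"), _empty_page("10:00:05"))
# Detection point the application ignores: every page equals the original
# except for the timestamp, so the false page stays highly similar.
IGNORED_SEQUENCE = (_product_page("10:00:06"), _product_page("10:00:07"),
                    _product_page("10:00:08"), _product_page("10:00:09"))


def verdicts() -> dict:
    """Run both constructed sequences through the claim 5 decision."""
    return {
        "vulnerable": is_injectable(ORIGINAL, *VULNERABLE_SEQUENCE),
        "ignored": is_injectable(ORIGINAL, *IGNORED_SEQUENCE),
    }


if __name__ == "__main__":
    print("J(original, true)  =", round(jaccard(ORIGINAL, VULNERABLE_SEQUENCE[0]), 3))
    print("J(original, false) =", round(jaccard(ORIGINAL, VULNERABLE_SEQUENCE[1]), 3))
    print(verdicts())
```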
PCT/CN2018/122811 2018-10-11 2018-12-21 Sql injection vulnerability detection method, apparatus and device, and readable storage medium WO2020073493A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811188829.3 2018-10-11
CN201811188829.3A CN109657472B (en) 2018-10-11 2018-10-11 SQL injection vulnerability detection method, device, equipment and readable storage medium

Publications (1)

Publication Number Publication Date
WO2020073493A1 true WO2020073493A1 (en) 2020-04-16


Also Published As

Publication number Publication date
CN109657472A (en) 2019-04-19
CN109657472B (en) 2023-09-22


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 18936662; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 12/07/2021))
122 Ep: pct application non-entry in european phase (Ref document number: 18936662; Country of ref document: EP; Kind code of ref document: A1)