【总结】SQL注入攻击检测方法
注意:以下方法属于基于特征(黑名单)的检测,不能过滤对 SQL 注入漏洞的探测,但应该可以过滤掉绝大多数对 SQL 注入漏洞的利用。它只能作为纵深防御中的一层,不能替代应用侧的参数化查询/预编译语句;攻击者也可能通过本文未覆盖的编码、语法变体,或本文未检查的输入位置(如 HTTP 头、请求路径、JSON/XML 请求体)绕过。
检查对象:
1. GET及 POST 请求CGI 参数Value数据
2. Cookie 的Key/Value 对的Value部分
请求参数拆分以后,如果发现有重复的 key,报告攻击(即 HTTP 参数污染:重复的 key 在不同服务端会被合并成不同的值,可用来拆分载荷)。注意许多框架和表单会合法地重复同一个 key(如多选框 id=1&id=2 或数组参数),对这类参数需要白名单放行,否则误报会很多。
解码:
URL 解码(%NN):%41%41 → AA。应反复解码直到结果不再变化,以处理双重编码(%2541 → %41 → A);若服务端接受 %uNNNN 形式,也要一并解码
HEX 解码(HTML 数字字符引用 &#xNN;):&#x41;&#x41; → AA(原文此处的示例疑似在转载时已被浏览器渲染成了 AA)
DECIMAL 解码(HTML 数字字符引用 &#NNN;):&#65;&#65; → AA
Base64 解码:只对确知以 Base64 传输的参数做解码。对所有参数盲目做 Base64 解码,会把大量正常字符串“解码”成无意义字节,既增加误报又浪费时间;反之,若解码后不再做一轮 URL/HEX 解码,多层嵌套编码仍可能绕过
正规化,以从上到下的次序执行如下操作:
把所有的TAB替换为空格
把所有的回车及换行符替换为空格
把多个连续空格合并为一个空格
处理0xXXXXXXXXX编码,0x4141414141414141 或0x410041004100410041004100
处理char()的编码字符,解码为'X'
处理chr()的编码字符,解码为'X'
把所有模式 “ N'” 和 “= *N'” 和 “+ *N'” 替换为 “ '” 和 “='” 和 “+'”。注意本步骤在“转小写”之前执行,而 T-SQL 同样接受小写的 n'…' 前缀,因此这里的匹配必须不区分大小写(或把“转小写”提前到本步骤之前),否则 n'…' 形式会漏掉
删除所有模式 “' *+ *'”
删除所有模式 “' *|| *'”
删除所有模式 “||”
所有字符转换为小写
在 “'” 与紧邻的字母之间插入空格(如 'or → ' or、or' → or '),而不要无条件地把每个 “'” 替换为 “ ' ”:后者会把 '1'='1 拆成 ' 1 ' = ' 1,使下文 “ or [^ ]+=[^ ]+” 这类不允许运算符两侧有空格的模式失配,经典的 ' or '1'='1 反而检不出来
再次把多个连续空格合并为一个空格(上一步会引入新的连续空格)
把所有模式 “\/\*.*?\*\/” 替换为空格,得到匹配对象1。注意要用非贪婪的 .*?:贪婪的 .* 会让 /*a*/ union /*b*/ 从第一个 /* 吞到最后一个 */,把中间的 union 也一起抹掉;对 MySQL 的版本注释 /*!50000 select*/ 则应保留注释体内的内容,否则载荷随注释一起消失
删除所有模式 “\/\*.*?\*\/” ,得到匹配对象2(用于识别 un/**/ion 这类用空注释拆词的写法)。另外 -- 和 # 行注释本文未处理,载荷常以它们结尾,正规化时应把它们之后的内容截掉或单独处理
匹配:
分别对匹配对象1和2 对如下列表以从上到下的次序进行模式匹配,为提高效率匹配
之前可以先判断一下目标的长度,如果小于模式的长度,跳过,发现匹配模式后告
警或阻断,一旦发现匹配不再继续其后模式的匹配。
匹配模式列表(正则表达式):
"select [^ ]+ from "
"update [^ ]+ set "
"delete [^ ]+ from "
" union all select "
" union select "
" order by "
" group by "
" limit 1[ )]"
"begin [^ ]+ end"
"create database "
"create table "
"drop database "
"drop table "
"insert into "
"alter table "
"bulk insert "
" into outfile "
" waitfor delay "
"sp_addextendedproc"
"xp_cmdshell"
"sp_oacreate"
"sp_addlogin"
"sp_sp_password"
"sp_addsrvrolemember"
"xp_dirtree"
"xp_servicecontrol"
"xp_regread"
"declare @"
" cursor for"
";.*exec *("
"db_name()"
"@@version"
"@@servername"
"system_user"
" and user"
"version()"
"database()"
"user()"
"system_user()"
"session_user()"
"host_name()"
"@@version_compile_os"
"@@basedir"
"@@datadir"
"@@tmpdir""
"is_srvrolemember *("
"is_member *(
" or [^ ]+=[^ ]+"
" or [^ <]+>[^ ]+"
" or [^ >]+<[^ ]+"
" and [^ ]+=[^ ]+"
" and [^ <]+>[^ ]+"
" and [^ >]+<[^ ]+"
" or [^ ]+ like [^ ]+"
" or [^ ]+ in [^ ]+"
" or [^ ]+ between [^ ]+"
" and [^ ]+ like [^ ]+"
" and [^ ]+ in [^ ]+"
" and [^ ]+ between [^ ]+"
"\.[sysdatabases]"
"\.[sysobjects]"
"\.sys\.all_objects"
"[\. (]+xtype="
".[syscolumns]"
" information_schema\.tables "
" information_schema\.columns "
" table_schema "
" mysql\.user "
" v\$parameter "
" v\$database "
" v\$version "
" sys.dba_users "
"utl_inaddr\.get_host_name" "sys.v_\$database"
" session_roles"
" user_role_privs"
" user_tables"
" user_tab_columns"
"granted_role"
"[( =,]+load_file *("
"[( =,]+count(\*)"
"[( =,]+serverproperty *("
"[( =,]+substring *("
"[( =,]+cast *("
"[( =,]+varchar *("
"[( =,]+nvarchar *("
"[( =,]+len *("
"[( =,]+unicode *("
"[( =,]+length *("
"[( =,]+ascii *("
"[( =,]+substr *("
"[( =,]+concat *("
"[( =,]+sys_context *("
"[( =,]+count *("
"[( =,]+asc *("
"[( =,]+mid *("
"@@pack_received"
"bitand("
"connection_id("
--
漏洞的利用。
检查对象:
1. GET及 POST 请求CGI 参数Value数据
2. Cookie 的Key/Value 对的Value部分
请求参数拆分以后,如果发现有重复的 key,报告攻击(即 HTTP 参数污染:重复的 key 在不同服务端会被合并成不同的值,可用来拆分载荷)。注意许多框架和表单会合法地重复同一个 key(如多选框 id=1&id=2 或数组参数),对这类参数需要白名单放行,否则误报会很多。
解码:
URL 解码(%NN):%41%41 → AA。应反复解码直到结果不再变化,以处理双重编码(%2541 → %41 → A);若服务端接受 %uNNNN 形式,也要一并解码
HEX 解码(HTML 数字字符引用 &#xNN;):&#x41;&#x41; → AA(原文此处的示例疑似在转载时已被浏览器渲染成了 AA)
DECIMAL 解码(HTML 数字字符引用 &#NNN;):&#65;&#65; → AA
Base64 解码:只对确知以 Base64 传输的参数做解码。对所有参数盲目做 Base64 解码,会把大量正常字符串“解码”成无意义字节,既增加误报又浪费时间;反之,若解码后不再做一轮 URL/HEX 解码,多层嵌套编码仍可能绕过
正规化,以从上到下的次序执行如下操作:
把所有的TAB替换为空格
把所有的回车及换行符替换为空格
把多个连续空格合并为一个空格
处理0xXXXXXXXXX编码,0x4141414141414141 或0x410041004100410041004100
处理char()的编码字符,解码为'X'
处理chr()的编码字符,解码为'X'
把所有模式 “ N'” 和 “= *N'” 和 “+ *N'” 替换为 “ '” 和 “='” 和 “+'”。注意本步骤在“转小写”之前执行,而 T-SQL 同样接受小写的 n'…' 前缀,因此这里的匹配必须不区分大小写(或把“转小写”提前到本步骤之前),否则 n'…' 形式会漏掉
删除所有模式 “' *+ *'”
删除所有模式 “' *|| *'”
删除所有模式 “||”
所有字符转换为小写
在 “'” 与紧邻的字母之间插入空格(如 'or → ' or、or' → or '),而不要无条件地把每个 “'” 替换为 “ ' ”:后者会把 '1'='1 拆成 ' 1 ' = ' 1,使下文 “ or [^ ]+=[^ ]+” 这类不允许运算符两侧有空格的模式失配,经典的 ' or '1'='1 反而检不出来
再次把多个连续空格合并为一个空格(上一步会引入新的连续空格)
把所有模式 “\/\*.*?\*\/” 替换为空格,得到匹配对象1。注意要用非贪婪的 .*?:贪婪的 .* 会让 /*a*/ union /*b*/ 从第一个 /* 吞到最后一个 */,把中间的 union 也一起抹掉;对 MySQL 的版本注释 /*!50000 select*/ 则应保留注释体内的内容,否则载荷随注释一起消失
删除所有模式 “\/\*.*?\*\/” ,得到匹配对象2(用于识别 un/**/ion 这类用空注释拆词的写法)。另外 -- 和 # 行注释本文未处理,载荷常以它们结尾,正规化时应把它们之后的内容截掉或单独处理
匹配:
分别对匹配对象1和2 对如下列表以从上到下的次序进行模式匹配,为提高效率匹配
之前可以先判断一下目标的长度,如果小于模式的长度,跳过,发现匹配模式后告
警或阻断,一旦发现匹配不再继续其后模式的匹配。
匹配模式列表(正则表达式):
"select [^ ]+ from "
"update [^ ]+ set "
"delete [^ ]+ from "
" union all select "
" union select "
" order by "
" group by "
" limit 1[ )]"
"begin [^ ]+ end"
"create database "
"create table "
"drop database "
"drop table "
"insert into "
"alter table "
"bulk insert "
" into outfile "
" waitfor delay "
"sp_addextendedproc"
"xp_cmdshell"
"sp_oacreate"
"sp_addlogin"
"sp_sp_password"
"sp_addsrvrolemember"
"xp_dirtree"
"xp_servicecontrol"
"xp_regread"
"declare @"
" cursor for"
";.*exec *("
"db_name()"
"@@version"
"@@servername"
"system_user"
" and user"
"version()"
"database()"
"user()"
"system_user()"
"session_user()"
"host_name()"
"@@version_compile_os"
"@@basedir"
"@@datadir"
"@@tmpdir""
"is_srvrolemember *("
"is_member *(
" or [^ ]+=[^ ]+"
" or [^ <]+>[^ ]+"
" or [^ >]+<[^ ]+"
" and [^ ]+=[^ ]+"
" and [^ <]+>[^ ]+"
" and [^ >]+<[^ ]+"
" or [^ ]+ like [^ ]+"
" or [^ ]+ in [^ ]+"
" or [^ ]+ between [^ ]+"
" and [^ ]+ like [^ ]+"
" and [^ ]+ in [^ ]+"
" and [^ ]+ between [^ ]+"
"\.[sysdatabases]"
"\.[sysobjects]"
"\.sys\.all_objects"
"[\. (]+xtype="
".[syscolumns]"
" information_schema\.tables "
" information_schema\.columns "
" table_schema "
" mysql\.user "
" v\$parameter "
" v\$database "
" v\$version "
" sys.dba_users "
"utl_inaddr\.get_host_name" "sys.v_\$database"
" session_roles"
" user_role_privs"
" user_tables"
" user_tab_columns"
"granted_role"
"[( =,]+load_file *("
"[( =,]+count(\*)"
"[( =,]+serverproperty *("
"[( =,]+substring *("
"[( =,]+cast *("
"[( =,]+varchar *("
"[( =,]+nvarchar *("
"[( =,]+len *("
"[( =,]+unicode *("
"[( =,]+length *("
"[( =,]+ascii *("
"[( =,]+substr *("
"[( =,]+concat *("
"[( =,]+sys_context *("
"[( =,]+count *("
"[( =,]+asc *("
"[( =,]+mid *("
"@@pack_received"
"bitand("
"connection_id("