【总结】SQL注入攻击检测方法
注意:以下方法不能过滤对 SQL注入漏洞的探测,但应该可以过滤掉绝大多数对 SQL
漏洞的利用。
检查对象:
1. GET及 POST 请求CGI 参数Value数据
2. Cookie 的Key/Value 对的Value部分
请求参数拆分以后,如果发现有重复的key,报告攻击。
解码:
URL 解码(%): %41%41
HEX解码(&#x):AA
DECIMAL 解码:AA
Base64解码
正规化,以从上到下的次序执行如下操作:
把所有的TAB替换为空格
把所有的回车及换行符替换为空格
把多个连续空格合并为一个空格
处理0xXXXXXXXXX编码,0x4141414141414141 或0x410041004100410041004100
处理char()的编码字符,解码为'X'
处理chr()的编码字符,解码为'X'
把所有模式 “ N'” 和 “= *N'” 和 “+ *N'” 替换为 “ '” 和 “='” 和 “+'”
删除所有模式 “' *+ *'”
删除所有模式 “' *|| *'”
删除所有模式 “||”
所有字符转换为小写
把所有 “'” 替换为 “ ' ”
把所有模式 “\/\*.*\*\/” 替换为空格,得到匹配对象1
删除所有模式 “\/\*.*\*\/” ,得到匹配对象2
匹配:
分别对匹配对象1和2 对如下列表以从上到下的次序进行模式匹配,为提高效率匹配
之前可以先判断一下目标的长度,如果小于模式的长度,跳过,发现匹配模式后告
警或阻断,一旦发现匹配不再继续其后模式的匹配。
匹配模式列表(正则表达式):
"select [^ ]+ from "
"update [^ ]+ set "
"delete [^ ]+ from "
" union all select "
" union select "
" order by "
" group by "
" limit 1[ )]"
"begin [^ ]+ end"
"create database "
"create table "
"drop database "
"drop table "
"insert into "
"alter table "
"bulk insert "
" into outfile "
" waitfor delay "
"sp_addextendedproc"
"xp_cmdshell"
"sp_oacreate"
"sp_addlogin"
"sp_sp_password"
"sp_addsrvrolemember"
"xp_dirtree"
"xp_servicecontrol"
"xp_regread"
"declare @"
" cursor for"
";.*exec *("
"db_name()"
"@@version"
"@@servername"
"system_user"
" and user"
"version()"
"database()"
"user()"
"system_user()"
"session_user()"
"host_name()"
"@@version_compile_os"
"@@basedir"
"@@datadir"
"@@tmpdir""
"is_srvrolemember *("
"is_member *(
" or [^ ]+=[^ ]+"
" or [^ <]+>[^ ]+"
" or [^ >]+<[^ ]+"
" and [^ ]+=[^ ]+"
" and [^ <]+>[^ ]+"
" and [^ >]+<[^ ]+"
" or [^ ]+ like [^ ]+"
" or [^ ]+ in [^ ]+"
" or [^ ]+ between [^ ]+"
" and [^ ]+ like [^ ]+"
" and [^ ]+ in [^ ]+"
" and [^ ]+ between [^ ]+"
"\.[sysdatabases]"
"\.[sysobjects]"
"\.sys\.all_objects"
"[\. (]+xtype="
".[syscolumns]"
" information_schema\.tables "
" information_schema\.columns "
" table_schema "
" mysql\.user "
" v\$parameter "
" v\$database "
" v\$version "
" sys.dba_users "
"utl_inaddr\.get_host_name" "sys.v_\$database"
" session_roles"
" user_role_privs"
" user_tables"
" user_tab_columns"
"granted_role"
"[( =,]+load_file *("
"[( =,]+count(\*)"
"[( =,]+serverproperty *("
"[( =,]+substring *("
"[( =,]+cast *("
"[( =,]+varchar *("
"[( =,]+nvarchar *("
"[( =,]+len *("
"[( =,]+unicode *("
"[( =,]+length *("
"[( =,]+ascii *("
"[( =,]+substr *("
"[( =,]+concat *("
"[( =,]+sys_context *("
"[( =,]+count *("
"[( =,]+asc *("
"[( =,]+mid *("
"@@pack_received"
"bitand("
"connection_id("
--
---------------------------------------------------------------------------
低调的python小子
当梦想照进现实 幸福近在咫尺
[jpg]http://ip.ipwind.cn/msn.png[/jpg]