【总结】SQL注入攻击检测方法

注意:以下方法不能过滤对 SQL注入漏洞的探测,但应该可以过滤掉绝大多数对 SQL
漏洞的利用。
 
 
检查对象:
 
1. GET及 POST 请求CGI 参数Value数据
2. Cookie 的Key/Value 对的Value部分
 
请求参数拆分以后,如果发现有重复的key,报告攻击。
 
 
解码:
 
URL 解码(%): %41%41
HEX解码(&#x):&#x41&#x41
DECIMAL 解码:&#65&#65
Base64解码
 
 
正规化,以从上到下的次序执行如下操作:
 
把所有的TAB替换为空格
把所有的回车及换行符替换为空格
把多个连续空格合并为一个空格
处理0xXXXXXXXXX编码,0x4141414141414141 或0x410041004100410041004100
处理char()的编码字符,解码为'X'
处理chr()的编码字符,解码为'X'
把所有模式  “  N'”  和  “= *N'”  和  “+ *N'”  替换为  “  '”  和  “='”  和  “+'”
删除所有模式  “' *+ *'”
删除所有模式  “' *|| *'”
删除所有模式  “||”
所有字符转换为小写
把所有  “'”  替换为   “  '  ”
把所有模式  “\/\*.*\*\/”  替换为空格,得到匹配对象1
删除所有模式  “\/\*.*\*\/”  ,得到匹配对象2 
 
匹配:
 
分别对匹配对象1和2 对如下列表以从上到下的次序进行模式匹配,为提高效率匹配
之前可以先判断一下目标的长度,如果小于模式的长度,跳过,发现匹配模式后告
警或阻断,一旦发现匹配不再继续其后模式的匹配。
 
 
匹配模式列表(正则表达式):
 
"select [^ ]+ from "
"update [^ ]+ set "
"delete [^ ]+ from "
" union all select "
" union select "
" order by "
" group by "
" limit 1[ )]"
"begin [^ ]+ end"
"create database "
"create table "
"drop database "
"drop table "
"insert into "
"alter table "
"bulk insert "
" into outfile "
" waitfor delay "
"sp_addextendedproc"
"xp_cmdshell"
"sp_oacreate"
"sp_addlogin"
"sp_sp_password"
"sp_addsrvrolemember"
"xp_dirtree"
"xp_servicecontrol"
"xp_regread"
"declare @"
" cursor for"
";.*exec *("
 
"db_name()"
"@@version"

"@@servername"
"system_user"
" and user"
"version()"
"database()"
"user()"
"system_user()"
"session_user()"
"host_name()"
"@@version_compile_os"
"@@basedir"
"@@datadir"
"@@tmpdir""
 
"is_srvrolemember *("
"is_member *(
 
" or [^ ]+=[^ ]+"
" or [^ <]+>[^ ]+"
" or [^ >]+<[^ ]+"
" and [^ ]+=[^ ]+"
" and [^ <]+>[^ ]+"
" and [^ >]+<[^ ]+"
" or [^ ]+ like [^ ]+"
" or [^ ]+ in [^ ]+"
" or [^ ]+ between [^ ]+"
" and [^ ]+ like [^ ]+"
" and [^ ]+ in [^ ]+"
" and [^ ]+ between [^ ]+"
 
"\.[sysdatabases]"
"\.[sysobjects]"
"\.sys\.all_objects"
"[\. (]+xtype="
".[syscolumns]"
" information_schema\.tables "
" information_schema\.columns "
" table_schema "
" mysql\.user "
" v\$parameter "
" v\$database "
" v\$version "
" sys.dba_users "
"utl_inaddr\.get_host_name" "sys.v_\$database"
" session_roles"
" user_role_privs"
" user_tables"
" user_tab_columns"
"granted_role"
 
"[( =,]+load_file *("
"[( =,]+count(\*)"
"[( =,]+serverproperty *("
"[( =,]+substring *("
"[( =,]+cast *("
"[( =,]+varchar *("
"[( =,]+nvarchar *("
"[( =,]+len *("
"[( =,]+unicode *("
"[( =,]+length *("
"[( =,]+ascii *("
"[( =,]+substr *("
"[( =,]+concat *("
"[( =,]+sys_context *("
"[( =,]+count *("
"[( =,]+asc *("
"[( =,]+mid *("
"@@pack_received"
"bitand("
"connection_id("
--

 

posted @ 2011-07-09 13:18  Capricorn.python  阅读(1554)  评论(1编辑  收藏  举报