Detection method and system for SQL injection loophole

A vulnerability detection and vulnerability technology, applied in transmission systems, digital transmission systems, electrical components, etc., can solve problems such as false positives, inaccurate methods, and false negatives, and achieve the effect of avoiding inaccuracy and improving efficiency and accuracy.

Inactive Publication Date: 2011-08-31
BEIJING VENUS INFORMATION TECH
View PDF0 Cites 2 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0007] 1. The method of relying on the status code returned by the server to determine whether there is a vulnerability is too simple, and when the server uses a custom error message to shield the running error prompt, it will not be able to make a normal judgment, resulting in false positives
[0008] 2. The method of judging whether the server is running incorrectly through keywords is not accurate enough. When the server is running normally, but the return page happens to have a predefined keyword, or the server is running incorrectly, but the set return content does not include the predefined keyword. When using words, it is impossible to make accurate judgments, resulting in false negatives and false negatives

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Detection method and system for SQL injection loophole
  • Detection method and system for SQL injection loophole
  • Detection method and system for SQL injection loophole

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0029] This embodiment is a specific implementation of the SQL injection vulnerability detection method, and the main operation process is as figure 1 Shown. The basic idea of ​​this embodiment is that it provides a series of SQL injection attack templates, where each template is composed of several SQL injection statements that may cause the server to return different results, and the cross-validation function corresponding to the template. For each web page to be scanned on the server, the SQL injection vulnerability detection system will send normal SQL access requests and specific SQL injection statements to the web page according to the selected template, and receive the results returned by the server. Since each access request is constructed in advance, if these access requests can be executed on the server, different results will be returned. The cross-validation function compares these returned results with each other to determine whether the submitted SQL injection sta...

Embodiment 2

[0061] This embodiment is a system that implements the method described in the embodiment. For a schematic diagram of the system structure, see figure 1 Shown. That is, a SQL injection vulnerability detection system. The system is installed on a user terminal on the Internet and has at least one web page definition unit to be verified connected to a web server. At least one is connected to the definition unit of the web page to be verified, which can provide four SQL injection attack template selection units of the attack template subunits. There is at least one cross-validation unit that gets support from the SQL injection attack template selection unit and connects to the web server. The system includes:

[0062] 1. Web page definition unit to be verified: Define a series of web page addresses that may contain SQL injection vulnerabilities.

[0063] 2. SQL injection attack template selection unit: List available SQL injection attack templates for users to choose.

[0064] 3. Cro...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

PUM

No PUM Login to view more

Abstract

The invention discloses a key technique-SQL injection vulnerability detection technique of a host vulnerability scanning system as one important product for network security. The SQL injection vulnerability detection technique is characterized by submitting normal access request data and different types of SQL injection data to a server, receiving results returned by the server, then cross-comparing the returned results of different requests, and further determining exists of SQL injection vulnerabilities from the processing of submitted data by the server according to the compared results. To-be-certified website addresses are defined by means of website crawler, browser plug-in and manual input. One or a plurality of attacking templates of four different types of attacking templates canbe selected to detect exists of SQL injection vulnerabilities on the to-be-certified websites. And the exists of SQL injection vulnerabilities during processing the user-submitted data by the server can be judged through cross-comparing the returned results of the normal access requests and SQL injection statements, under the condition that the server shields error information.

Description

Technical field [0001] The present invention relates to a SQL (Structured Query Language) injection vulnerability detection method and system. It is a protection method and system for processing electronic and digital data and preventing unauthorized use. It is applied to a network system and belongs to an important product of network security. One of the key technologies of the host vulnerability scanning system. Background technique [0002] With the development of the Internet, the client / server (B / S) model has been more and more widely used. In the B / S mode, there is often a place for data interaction between the user and the back-end database server, that is, the user enters and submits data through a form on the client's web page, and the server application constructs SQL statements based on the data submitted by the user and submits it to the database The server performs processing and returns the processing result to the user. When developing applications in the B / S mod...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to view more

Application Information

Patent Timeline
no application Login to view more
Patent Type & Authority Patents(China)
IPC IPC(8): H04L9/00H04L29/06
Inventor 周涛叶润国骆拥政
Owner BEIJING VENUS INFORMATION TECH
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Try Eureka
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap