A vulnerability detection method and device, electronic equipment and storage medium

By adding probes to the SQL execution method in the database and utilizing SQL syntax tree parsing, the problem of SQL injection vulnerability detection being labor-intensive and prone to being missed in existing technologies is solved, thus achieving comprehensive vulnerability detection.

CN116628702BActive Publication Date: 2026-07-03PING AN BANK CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
PING AN BANK CO LTD
Filing Date
2023-06-06
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Current technologies rely on manual code review for SQL injection vulnerability detection, which is labor-intensive, prone to omissions, and cannot guarantee comprehensiveness.

Method used

By adding probes to the SQL execution methods in the database, and using the SQL syntax tree to parse the SQL execution statements before and after user parameters, the existence of SQL injection vulnerabilities can be determined without modifying the project source code.

Benefits of technology

It achieves comprehensive SQL injection vulnerability detection, ensuring the completeness of the inspection and avoiding the problem of missed detections in manual review.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116628702B_ABST
    Figure CN116628702B_ABST
Patent Text Reader

Abstract

This application provides a vulnerability detection method, apparatus, electronic device, and storage medium, relating to the field of network security technology. The method includes acquiring SQL execution statements before and after user parameter injection; performing abstract syntax tree parsing on the SQL execution statements based on SQL syntax; and determining whether an SQL injection vulnerability exists based on the parsing results. This method utilizes a probe to add SQL statement verification logic to the database SQL execution method to detect SQL injection vulnerabilities, without modifying the project source code and ensuring comprehensiveness of the check, thus solving the problem of existing methods easily missing vulnerabilities.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of cybersecurity technology, and more specifically, to a vulnerability detection method, apparatus, electronic device, and storage medium. Background Technology

[0002] SQL injection is a security vulnerability that occurs at the database layer of web applications. It is one of the most common and simplest vulnerabilities in websites. The main reason is that the application lacks proper validation and handling of user input data. This allows attackers to add extra SQL statements to predefined SQL statements in the web application, enabling unauthorized operations without the administrator's knowledge. This allows attackers to trick the database server into executing unauthorized arbitrary queries, thereby obtaining data information. In short, SQL injection involves inserting SQL statements into a user-input string. If poorly designed programs neglect checks, these injected SQL statements will be mistakenly interpreted by the database server as legitimate SQL statements and executed, allowing attackers to execute unplanned commands or access unauthorized data.

[0003] Conventional detection methods rely on manual code review to prevent SQL injection vulnerabilities. This requires significant human resources, and because developers have varying coding skills, potential SQL injection vulnerabilities may be missed due to poor coding skills or lack of experience. Summary of the Invention

[0004] The purpose of this application is to provide a vulnerability detection method, device, electronic device, and storage medium. It utilizes a probe to add SQL statement verification logic to the SQL execution method of the database to detect SQL injection vulnerabilities. This method does not require modification of the project source code and ensures the comprehensiveness of the detection, thus solving the problem that existing methods are prone to missing vulnerabilities.

[0005] This application provides a vulnerability detection method, the method comprising:

[0006] Obtain the SQL execution statements before and after user parameter injection;

[0007] The SQL execution statement is parsed using an abstract syntax tree based on the SQL syntax.

[0008] Determine whether an SQL injection vulnerability exists based on the analysis results.

[0009] In the above implementation process, the SQL injection vulnerability is checked by adding SQL statement verification logic to the database SQL execution method using a probe. There is no need to modify the project source code, because the execution of all SQL statements will enter the JDBC executeupdate or executequery function. Therefore, this method ensures the comprehensiveness of the check and solves the problem that existing methods are prone to missing detections.

[0010] Furthermore, before the step of obtaining the SQL execution statements before and after the user parameter injection, the method further includes:

[0011] Add the detection probe source code to the source code to be detected so that it runs synchronously with the source code to be detected.

[0012] In the above implementation process, before detection, the source code corresponding to the detection probe needs to be added to the source code to be detected. That is, the probe project is packaged and attached to the main program that needs to be checked, so that the two run synchronously.

[0013] Furthermore, adding the detection probe source code to the source code to be detected, so as to run synchronously with the source code to be detected, includes:

[0014] Obtain the source code to be tested;

[0015] Compile the source code to be tested into a project JAR file;

[0016] Receive the source code of the detection probe created by the user;

[0017] Add a detection probe to the database SQL execution method of the source code to be detected;

[0018] Compile the source code of the detection probe into a probe jar package;

[0019] Add the probe JAR file to the project JAR file so that they can start and run synchronously.

[0020] In the above implementation process, the SQL statement verification logic corresponding to the detection probe is added to the database SQL execution method to achieve vulnerability detection.

[0021] Furthermore, the step of determining whether an SQL injection vulnerability exists based on the parsing results includes:

[0022] If an error occurs during the parsing of the abstract syntax tree of the SQL execution statement after the user parameters are injected, then an SQL injection vulnerability exists.

[0023] In the above implementation process, the obtained SQL execution statement is parsed using an abstract syntax tree. If the parsing fails, it indicates that there may be an error in the SQL execution statement due to the input of abnormal data, which means that there may be an SQL injection problem.

[0024] Furthermore, the step of determining whether an SQL injection vulnerability exists based on the parsing results includes:

[0025] If the abstract syntax tree parsing of the SQL execution statement after the user parameters are injected is successful, then the parsed abstract syntax tree is analyzed to obtain the list of injected DDLCOMMAMND / DMLCOMMAND in the abstract syntax tree.

[0026] The SQL execution statement before the user parameters are injected is parsed using an abstract syntax tree to obtain the list of DDLCOMMAMND / DMLCOMMAND before injection in the parsed abstract syntax tree;

[0027] Compare key fields between the DDLCOMMAMND / DMLCOMMAND list after injection and the DDLCOMMAMND / DMLCOMMAND list before injection.

[0028] If the key fields are consistent, then there is no SQL injection vulnerability.

[0029] In the above implementation process, the presence of SQL injection can be determined by comparing key fields before and after the injection. If SQL injection is present, a vulnerability may exist.

[0030] This application provides a vulnerability detection device, the device comprising:

[0031] The data acquisition module is used to acquire the SQL execution statements before and after the user parameter injection.

[0032] The parsing module is used to perform abstract syntax tree parsing on the SQL execution statement based on the SQL syntax;

[0033] The judgment module is used to determine whether an SQL injection vulnerability exists based on the parsing results.

[0034] In the above implementation process, the SQL injection vulnerability is checked by adding SQL statement verification logic to the database SQL execution method using a probe. There is no need to modify the project source code, because the execution of all SQL statements will enter the JDBC executeupdate or executequery function. Therefore, this method ensures the comprehensiveness of the check and solves the problem that existing methods are prone to missing detections.

[0035] Furthermore, the device also includes:

[0036] The probe adding module is used to add the source code of the detection probe to the source code to be detected, so that they can run synchronously.

[0037] In the above implementation process, before detection, the source code corresponding to the detection probe needs to be added to the source code to be detected. That is, the probe project is packaged and attached to the main program that needs to be checked, so that the two run synchronously.

[0038] Furthermore, the determination module includes:

[0039] The injection list acquisition module is used to analyze the parsed abstract syntax tree if the SQL execution statement after the user parameters are injected is successfully parsed, so as to obtain the list of injected DDLCOMMAMND / DMLCOMMAND in the abstract syntax tree.

[0040] The pre-injection list acquisition module is used to perform abstract syntax tree parsing on the SQL execution statement before the user parameters are injected, and obtain the pre-injection DDLCOMMAMND / DMLCOMMAND list in the parsed abstract syntax tree;

[0041] The comparison module is used to compare key fields of the DDLCOMMAMND / DMLCOMMAND list after injection and the DDLCOMMAMND / DMLCOMMAND list before injection.

[0042] The determination module is used to determine whether there is an SQL injection vulnerability if the key fields are consistent.

[0043] In the above implementation process, the presence of SQL injection can be determined by comparing key fields before and after the injection. If SQL injection is present, a vulnerability may exist.

[0044] This application also provides an electronic device, which includes a memory and a processor. The memory stores a computer program, and the processor runs the computer program to enable the electronic device to perform the vulnerability detection method described in any one of the above-described embodiments.

[0045] This application also provides a readable storage medium storing computer program instructions, which are read and executed by a processor to perform the vulnerability detection method described in any one of the above-described embodiments. Attached Figure Description

[0046] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments of this application will be briefly introduced below. It should be understood that the following drawings only show some embodiments of this application and should not be regarded as a limitation of the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.

[0047] Figure 1 A flowchart illustrating a vulnerability detection method provided in an embodiment of this application;

[0048] Figure 2 A flowchart illustrating the specific implementation of vulnerability detection provided in this application embodiment;

[0049] Figure 3 A flowchart for adding the detection probe provided in the embodiments of this application;

[0050] Figure 4 A specific vulnerability assessment flowchart is provided for the embodiments of this application;

[0051] Figure 5 A structural block diagram of a vulnerability detection device provided in an embodiment of this application;

[0052] Figure 6 This is a structural block diagram of another vulnerability detection device provided in an embodiment of this application.

[0053] icon:

[0054] 100 - Data Acquisition Module; 101 - Probe Addition Module; 200 - Parsing Module; 300 - Judgment Module; 301 - First Judgment Module; 302 - Post-Injection List Acquisition Module; 303 - Pre-Injection List Acquisition Module; 304 - Comparison Module; 305 - Second Judgment Module. Detailed Implementation

[0055] The technical solutions in the embodiments of this application will now be described with reference to the accompanying drawings.

[0056] It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures. Furthermore, in the description of this application, terms such as "first," "second," etc., are used only to distinguish descriptions and should not be construed as indicating or implying relative importance.

[0057] Example 1

[0058] Please refer to Figure 1 , Figure 1 A flowchart illustrating a vulnerability detection method provided in this application embodiment. The method specifically includes the following steps:

[0059] Step S100: Obtain the SQL execution statements before and after the user parameter injection;

[0060] Step S200: Perform abstract syntax tree parsing on the SQL execution statement based on SQL syntax;

[0061] Step S300: Determine whether an SQL injection vulnerability exists based on the parsing results.

[0062] This method determines the existence of SQL injection by comparing key fields of the abstract syntax tree before and after user parameter injection, thereby performing vulnerability detection. For example... Figure 2 The diagram shown is a flowchart illustrating the specific implementation of vulnerability detection.

[0063] like Figure 3 As shown in the flowchart for adding a detection probe, specifically, before step S100, the method further includes the following steps:

[0064] Add the detection probe source code to the source code to be detected so that it runs synchronously with the source code to be detected.

[0065] Specifically, it includes:

[0066] Step S101: Obtain the source code to be tested;

[0067] For example, the project source code can be obtained from the project code management platform using the git clone command, which is the source code to be tested.

[0068] Step S102: Compile the source code to be tested into a project jar package;

[0069] Specifically, the `mvn clean package` command can be used to compile the project source code into a standalone JAR or WAR file.

[0070] Step S103: Receive the source code of the detection probe created by the user;

[0071] Users can create Java probe projects, which contain Java probe files and methods based on the Java Instrumentation API. This constitutes the source code for the detection probe, used for vulnerability detection.

[0072] Step S104: Add a detection probe to the database SQL execution method of the source code to be detected;

[0073] By overriding the `premain` method, the code executes its content before the Java program starts running. Within this method, AOP (Aspect-Oriented Programming) is used to execute database-related methods in the JDBC database access layer (such as `executeupdate` [which executes data insert and delete statements], and `executequery` [which executes database select queries]). SQL statement validation logic is added to the SQL execution methods for both databases, recording the currently executed SQL statement and verifying whether the SQL statement has any injection risks.

[0074] Step S105: Compile the detection probe source code into a probe jar package;

[0075] Specifically, the Java probe project is built and compiled into a standalone JAR file using the `mvn clean package` command.

[0076] Step S106: Add the probe jar package to the project jar package so that it can start and run synchronously with the project jar package.

[0077] When running the project's JAR file using the `jar` command, you can also add the command `javaagent java probe project jar file` to attach the Java probe project to the JAR file and start it together. This means packaging the Java probe project and attaching it to the main program (project JAR file) that needs to be detected.

[0078] Perform SQL injection tests on any database operation interfaces that may exist in the program.

[0079] User parameters are inputs that may lead to SQL injection in the database operation interface. For example, adding dangerous SQL operations such as Delete table, or adding syntax keywords such as OR to the query conditions to expand the query range.

[0080] like Figure 4 The diagram shown is a flowchart of the specific vulnerability assessment process. Step S300 specifically includes the following steps:

[0081] Step S301: If an error occurs when parsing the abstract syntax tree of the SQL execution statement after the user parameters are injected, then an SQL injection vulnerability exists.

[0082] The detection probe obtains the SQL execution statements in the executeupdate and executequery functions through AOP aspects. The obtained SQL execution statements are parsed using an abstract syntax tree. If the parsing fails, it indicates that there may be an SQL injection problem caused by abnormal data being passed in, which may lead to an SQL statement error and thus prevent the SQL from being executed.

[0083] Step S302: If the abstract syntax tree parsing of the SQL execution statement after the user parameters are injected is successful, then analyze the parsed abstract syntax tree to obtain the list of injected DDLCOMMAMND / DMLCOMMAND in the abstract syntax tree.

[0084] The abstract syntax tree is parsed using SQL syntax. If the parsing is successful, the parsed abstract syntax tree is analyzed, including the DDLCOMAMNT and DMLCOMANT nodes.

[0085] Step S303: Perform abstract syntax tree parsing on the SQL execution statement before the user parameter injection to obtain the list of DDLCOMMAMND / DMLCOMMAND before injection in the parsed abstract syntax tree;

[0086] Simultaneously, for SQL execution statements without injected user parameters, an abstract syntax tree is parsed based on SQL syntax, and the DDLCOMANT and DMLCOMANT nodes in the abstract syntax tree are analyzed.

[0087] Step S304: Compare the key fields of the injected DDLCOMMAMND / DMLCOMMAND list and the injected DDLCOMMAMND / DMLCOMMAND list;

[0088] Step S305: If the key fields are consistent, then there is no SQL injection vulnerability.

[0089] The DDLCOMMAMND and DMLCOMMAND nodes in the SQL statement with injected user parameters are compared with the DDLCOMMAMND and DMLCOMMAND nodes in the SQL statement without injected user parameters. The Keyword under the node is compared. If the Keyword is the same, it indicates that there is no SQL injection; otherwise, it indicates that there is an SQL injection vulnerability.

[0090] This method, based on Java probes, utilizes AOP (Aspect-Oriented Programming) to execute database-related methods in the JDBC database access layer (executeupdate [which executes insert and delete statements], and executequery [which executes select queries]). SQL statement validation logic is added to these SQL execution methods to detect SQL injection vulnerabilities. Therefore, this method can detect SQL injection vulnerabilities without modifying the source code; because all SQL statement execution ultimately enters the JDBC executeupdate or executequery function, this method ensures comprehensive detection of SQL injection vulnerabilities.

[0091] Example 2

[0092] This application provides a vulnerability detection device, applied to the vulnerability detection method described in Embodiment 1, such as... Figure 5 The diagram shown is a structural block diagram of a vulnerability detection device, which includes, but is not limited to:

[0093] The data acquisition module 100 is used to acquire the SQL execution statements before and after the user parameter injection, respectively;

[0094] Parsing module 200 is used to perform abstract syntax tree parsing on the SQL execution statement based on SQL syntax;

[0095] The judgment module 300 is used to determine whether an SQL injection vulnerability exists based on the parsing results.

[0096] like Figure 6 The diagram shown is a structural block diagram of another vulnerability detection device, which further includes:

[0097] The probe adding module 101 is used to add the detection probe source code to the source code to be detected so that it can run synchronously with the source code to be detected.

[0098] Specifically:

[0099] Obtain the source code to be tested;

[0100] Compile the source code to be tested into a project JAR file;

[0101] Receive the source code of the detection probe created by the user;

[0102] Add a detection probe to the database SQL execution method of the source code to be detected;

[0103] Compile the source code of the detection probe into a probe jar package;

[0104] Add the probe JAR file to the project JAR file so that they can start and run synchronously.

[0105] The judgment module 300 includes:

[0106] The first determination module 301 is used to determine if an SQL injection vulnerability exists if an error occurs when parsing the abstract syntax tree of the SQL execution statement after the user parameters are injected.

[0107] The injection list acquisition module 302 is used to analyze the parsed abstract syntax tree if the SQL execution statement after the user parameter injection is successfully parsed, so as to obtain the list of injected DDLCOMMAMND / DMLCOMMAND in the abstract syntax tree.

[0108] The pre-injection list acquisition module 303 is used to perform abstract syntax tree parsing on the SQL execution statement before the user parameter injection, and obtain the pre-injection DDLCOMMAMND / DMLCOMMAND list in the parsed abstract syntax tree;

[0109] Comparison module 304 is used to compare key fields of the injected DDLCOMMAMND / DMLCOMMAND list and the injected DDLCOMMAMND / DMLCOMMAND list.

[0110] The second determination module 305 is used to determine whether there is an SQL injection vulnerability if the key fields are consistent.

[0111] This device uses a probe to add SQL statement verification logic to the SQL execution method of the database to check for SQL injection vulnerabilities. It does not require modification of the project source code, because the execution of all SQL statements will enter the JDBC executeupdate or executequery function. Therefore, this method ensures the comprehensiveness of the check and solves the problem that existing methods are prone to missing detections.

[0112] This application also provides an electronic device, which includes a memory and a processor. The memory stores a computer program, and the processor runs the computer program to enable the electronic device to perform the vulnerability detection method described in Embodiment 1.

[0113] This application also provides a readable storage medium storing computer program instructions, which are read and executed by a processor to perform the vulnerability detection method described in embodiment 1.

[0114] In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods can also be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions marked in the blocks may occur in a different order than those marked in the drawings. For example, two consecutive blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram and / or flowchart, and combinations of blocks in block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or action, or using a combination of dedicated hardware and computer instructions.

[0115] In addition, the functional modules in the various embodiments of this application can be integrated together to form an independent part, or each module can exist independently, or two or more modules can be integrated to form an independent part.

[0116] If the aforementioned functions are implemented as software functional modules and sold or used as independent products, they can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0117] The above description is merely an embodiment of this application and is not intended to limit the scope of protection of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application. It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures.

[0118] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

[0119] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

Claims

1. A vulnerability detection method, characterized in that, The method includes: Adding the detection probe source code to the source code to be detected for synchronous operation includes: obtaining the source code to be detected; compiling the source code to be detected into a project JAR file; receiving the detection probe source code created by the user; adding the detection probe to the database SQL execution method of the source code to be detected; compiling the detection probe source code into a probe JAR file; and adding the probe JAR file to the project JAR file for synchronous startup and operation. Obtain the SQL execution statements before and after user parameter injection; The SQL execution statement is parsed using an abstract syntax tree based on the SQL syntax. Determining whether an SQL injection vulnerability exists based on the parsing results specifically includes: if the abstract syntax tree (AST) parsing of the SQL execution statement after the user parameter injection is successful, then analyzing the parsed AST to obtain the injected DDLCOMMAMND / DMLCOMMAND list; parsing the SQL execution statement before the user parameter injection to obtain the pre-injection DDLCOMMAMND / DMLCOMMAND list in the parsed AST; comparing the injected DDLCOMMAMND / DMLCOMMAND list with the pre-injection DDLCOMMAMND / DMLCOMMAND list using key fields; if the key fields are consistent, then no SQL injection vulnerability exists.

2. The vulnerability detection method according to claim 1, characterized in that, The process of determining whether an SQL injection vulnerability exists based on the parsing results includes: If an error occurs during the parsing of the abstract syntax tree of the SQL execution statement after the user parameters are injected, then an SQL injection vulnerability exists.

3. A vulnerability detection device, characterized in that, The device includes: The probe adding module is used to add detection probe source code to the source code to be detected so that they can run synchronously. Specifically, it includes: obtaining the source code to be detected; compiling the source code to be detected into a project JAR package; receiving the detection probe source code created by the user; adding the detection probe to the database SQL execution method of the source code to be detected; compiling the detection probe source code into a probe JAR package; and adding the probe JAR package to the project JAR package so that they can start and run synchronously. The data acquisition module is used to acquire the SQL execution statements before and after the user parameter injection. The parsing module is used to perform abstract syntax tree parsing on the SQL execution statement based on the SQL syntax; The judgment module is used to determine whether there is an SQL injection vulnerability based on the parsing result. Specifically, it includes an injection post-list acquisition module, which is used to analyze the parsed abstract syntax tree if the SQL execution statement after the user parameter injection is successfully parsed, so as to obtain the list of injected DDLCOMMAMND / DMLCOMMAND in the abstract syntax tree. The pre-injection list acquisition module is used to perform abstract syntax tree parsing on the SQL execution statement before the user parameters are injected, and obtain the pre-injection DDLCOMMAMND / DMLCOMMAND list in the parsed abstract syntax tree; The comparison module is used to compare key fields of the DDLCOMMAMND / DMLCOMMAND list after injection and the DDLCOMMAMND / DMLCOMMAND list before injection. The determination module is used to determine whether there is an SQL injection vulnerability if the key fields are consistent.

4. An electronic device, characterized in that, The electronic device includes a memory and a processor, the memory being used to store a computer program, and the processor running the computer program to cause the electronic device to perform the vulnerability detection method according to any one of claims 1 to 2.

5. A readable storage medium, characterized in that, The readable storage medium stores computer program instructions, which, when read and executed by a processor, perform the vulnerability detection method according to any one of claims 1 to 2.