面向PHP应用程序的SQL注入行为检测

doi:10.11772/j.issn.1001-9081.2017071692

计算机应用 ›› 2018, Vol. 38 ›› Issue (1): 201-206.DOI: 10.11772/j.issn.1001-9081.2017071692

面向PHP应用程序的SQL注入行为检测

周颖¹, 方勇², 黄诚¹, 刘亮²

1. 四川大学电子信息学院, 成都 610065;
2. 四川大学网络空间安全学院, 成都 610207

收稿日期:2017-07-10 修回日期:2017-08-31 发布日期:2018-01-22 出版日期:2018-01-10
通讯作者: 黄诚
作者简介:周颖(1993-),女,四川成都人,硕士研究生,主要研究方向:Web安全、网络攻防;方勇(1966-),男,四川成都人,教授,博士,主要研究方向:信息安全、网络信息对抗;黄诚(1987-),男,重庆人,博士,主要研究方向:信息安全、网络攻防;刘亮(1982-),男,四川成都人,讲师,博士,主要研究方向:网络系统与信息安全。

Detection of SQL injection behaviors for PHP applications

ZHOU Ying¹, FANG Yong², HUANG Cheng¹, LIU Liang²

1. College of Electronic Information, Sichuan University, Chengdu Sichuan 610065, China;
2. College of Cybersecurity, Sichuan University, Chengdu Sichuan 610207, China

Received:2017-07-10 Revised:2017-08-31 Online:2018-01-22 Published:2018-01-10

摘要/Abstract

摘要： 层出不穷的SQL注入攻击使Web应用面临威胁。针对PHP应用程序中的SQL注入行为，提出了一种基于污点分析的SQL注入行为检测模型。首先，该模型使用PHP扩展技术在SQL函数执行时获取SQL语句，并记录攻击者所携带的身份信息；基于以上信息生成SQL请求日志，并将该日志作为分析源。然后，基于SQL语法和抽象语法树，实现了污点标记的SQL语法分析过程，并使用污点分析技术，提取语法树中SQL注入行为的多个特征。最后，使用随机森林分类算法实现SQL注入行为的判定。与正则匹配检测技术对比实验结果显示，通过该模型检测SQL注入行为，准确率为96.9%，准确率提高了7.2个百分点。该模型的信息获取模块能以扩展形式加载在任何PHP应用程序中，因此该模型可移植性强，在安全审计和攻击溯源中具有应用价值。

关键词: SQL注入, PHP扩展, 污点分析, 抽象语法树, 随机森林算法

Abstract: The SQL (Structured Query Language) injection attack is a threat to Web applications. Aiming at SQL injection behaviors in PHP (Hypertext Preprocessor) applications, a model of detecting SQL injection behaviors based on tainting technology was proposed. Firstly, an SQL statement was obtained when an SQL function was executed, and the identity information of the attacker was recorded through PHP extension technology. Based on the above information, the request log was generated and used as the analysis source. Secondly, the SQL parsing process with taint marking was achieved based on SQL grammar analysis and abstract syntax tree. By using tainting technology, multiple features which reflected SQL injection behaviors were extracted. Finally, the random forest algorithm was used to identify malicious SQL requests. The experimental results indicate that the proposed model gets a high accuracy of 96.9%, which is 7.2 percentage points higher than that of regular matching detection technology. The information acquisition module of the proposed model can be loaded in an extended form in any PHP application; therefore, it is transplantable and applicable in security audit and attack traceability.

Key words: SQL (Structured Query Language) injection, PHP (Hypertext Preprocessor) extension, tainting analysis, abstract syntax tree, random forest algorithm

中图分类号:

TP393.08

周颖, 方勇, 黄诚, 刘亮. 面向PHP应用程序的SQL注入行为检测[J]. 计算机应用, 2018, 38(1): 201-206.

ZHOU Ying, FANG Yong, HUANG Cheng, LIU Liang. Detection of SQL injection behaviors for PHP applications[J]. Journal of Computer Applications, 2018, 38(1): 201-206.

参考文献

[1] 360安全.2016年中国网站安全漏洞形势分析报告[EB/OL].(2017-01-05)[2017-06-20]. http://bobao.360.cn/news/detail/3905.html.(360 safe. Analysis report of Chinese Website security vulnerability in 2016[EB/OL]. (2017-01-05)[2017-06-20]. http://bobao.360.cn/news/detail/3905.html.)
[2] 王丹,赵文兵,丁治明.Web应用常见注入式安全漏洞检测关键技术综述[J].北京工业大学学报,2016,42(12):1822-1832.(WANG D, ZHAO W B, DING Z M. Review of detection for injection vulnerability of Web applications[J]. Journal of Beijing University of Technology, 2016, 42(12):1822-1832.)
[3] youyou0635.2016年度Web漏洞统计之Exploit-db[EB/OL].(2017-01-23)[2017-06-20].http://www.freebuf.com/vuls/125382.html. (youyou0635. Web vulnerability statistics from Exploit-db in 2016[EB/OL]. (2017-01-23)[2017-06-20]. http://www.freebuf.com/vuls/125382.html.)
[4] KAR D, PANIGRAHI S, SUNDARARAJAN S. SQLiDDS:SQL injection detection using query transformation and document similarity[C]//Proceedings of the 2015 International Conference on Distributed Computing and Internet Technology. Berlin:Springer, 2015:377-390.
[5] 赵宇飞,熊刚,贺龙涛,等.面向网络环境的SQL注入行为检测方法[J].通信学报,2016,37(2):88-97.(ZHAO Y F, XIONG G, HE L T, et al. Approach to detection SQL injection behaviors in network environment[J]. Journal on Communications, 2016, 37(2):88-97.)
[6] PRIYAA B D, DEVI M I. Fragmented query parse tree based SQL injection detection system for Web applications[C]//Proceedings of the 2016 International Conference on Computing Technologies and Intelligent Data Engineering. Piscataway, NJ:IEEE, 2016:1-5.
[7] 范春荣.基于Web日志的入侵检测系统设计与实现[D].石家庄:河北科技大学,2011:4-36.(FAN C R. Design and implementation of the Web log-based intrusion detection system[D]. Shijiazhuang:Hebei University of Science and Technology, 2011:4-36.)
[8] NGUYEN-TUONG A, GUARNIERI S, GREENE D, et al. Automatically hardening Web applications using precise tainting[C]//SEC 2005:IFIP International Information Security Conference on Security and Privacy in the Age of Ubiquitous Computing. Berlin:Springer, 2005:295-307.
[9] 王溢,李舟军,郭涛.防御代码注入式攻击的字面值污染方法[J].计算机研究与发展,2012,49(11):2414-2423.(WANG Y, LI Z J, GUO T. Literal tainting method for preventing code injection attack in Web application[J]. Journal of Computer Research and Development, 2012, 49(11):2414-2423.)
[10] GOLEMON S. Extending and Embedding PHP[M]. Indianapolis, Indiana:SAMS Publishing, 2006:269.
[11] WANG Y, WANG D, ZHAO W, et al. Detecting SQL vulnerability attack based on the dynamic and static analysis technology[C]//Proceedings of the 2015 IEEE Computer Software & Applications Conference. Piscataway, NJ:IEEE, 2015:604-607.
[12] 陆开奎.基于动态污点分析的漏洞攻击检测技术研究与实现[D].成都:电子科技大学,2013:28-35.(LU K K. The research and realization of dynamic taint analysis based security attack detection technology[D]. Chengdu:University of Electronic Science and Technology of China, 2013:28-35.)
[13] BREIMAN L. Random forest[J]. Machine Learning, 2001, 45(1):5-32.
[14] The PHP Group. Zend Engine 2 opcode[EB/OL]. (2017-05-25)[2017-08-26]. http://php.net/manual/zh/internals2.opcodes.php.
[15] 吴江.SQL语言预编译器的构架——基于Linux操作系统[D].北京:北京化工大学,2002:15-37.(WU J. The construction of complier for SQL-basing on Linux operating system[D]. Beijing:Beijing University of Chemical Technology, 2002:15-37.)
[16] 张炘,廖频,郭波.一种挖掘频繁闭项集的深度优先算法[J].计算机应用,2010,30(3):806-809.(ZHANG X, LIAO P, GUO B. Depth-first search algorithm for mining frequent closed itemsets[J]. Journal of Computer Applications, 2010, 30(3):806-809.)
[17] LIN D. An information-theoretic definition of similarity[C]//ICML'98:Proceedings of the Fifteenth International Conference on Machine Learning. Madison:Morgan Kaufmann, 1998:296-304.
[18] ABOU-ASSALEH T, CERCONE N, KEŠELJ V, et al. N-gram-based detection of new malicious code[C]//Proceedings of the 28th Annual International Computer Software & Applications Conference-Workshops & Fast Abstracts. Washington, DC:IEEE Computer Society, 2004, 2:41-42.
[19] SWANHART J. greenlion/PHP-SQL-parser[EB/OL]. (2016-08-01)[2017-06-20]. https://github.com/greenlion/PHP-SQL-Parser.
[20] TRIET P T M. SQL-injection-payloads[EB/OL]. (2017-08-20)[2017-08-26]. https://github.com/trietptm/SQL-Injection-Payloads/blob/master/LINKS.md.
[21] 360.360_safe3.php[EB/OL]. (2017-05-29)[2017-08-26]. https://github.com/luislv/easycms/blob/master/lib/plugins/filecheck/tool/360_safe3.php.
[22] safedog. safedog[EB/OL]. (2017-04-26)[2017-08-26]. http://www.safedog.cn/website_safedog.html.

面向PHP应用程序的SQL注入行为检测

Detection of SQL injection behaviors for PHP applications

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	万泽轩, 谢春丽, 吕泉润, 梁瑶. 基于依赖增强的分层抽象语法树的代码克隆检测[J]. 《计算机应用》唯一官方网站, 2024, 44(4): 1259-1268.
[2]	蔡锦辉, 尹中旭, 宗国笑, 李俊儒. 面向嵌套分支突破的推断与污点分析融合的方法[J]. 《计算机应用》唯一官方网站, 2024, 44(12): 3823-3830.
[3]	刘吉会, 何成万. 基于ECA规则和动态污点分析的SQL注入攻击在线检测[J]. 《计算机应用》唯一官方网站, 2023, 43(5): 1534-1542.
[4]	徐精诚, 陈学斌, 董燕灵, 杨佳. 融合特征选择的随机森林DDoS攻击检测[J]. 《计算机应用》唯一官方网站, 2023, 43(11): 3497-3503.
[5]	余东昌, 赵文芳, 聂凯, 张舸. 基于LightGBM算法的能见度预测模型[J]. 《计算机应用》唯一官方网站, 2021, 41(4): 1035-1041.
[6]	王治忠, 钱龙龙, 韩闯, 师丽. 基于统计特征和熵特征融合的心肌梗死辅助诊断方法[J]. 《计算机应用》唯一官方网站, 2020, 40(2): 608-615.
[7]	任玉柱, 张有为, 艾成炜. 污点分析技术研究综述[J]. 计算机应用, 2019, 39(8): 2302-2309.
[8]	秦彪, 郭帆, 涂风涛. 面向Android应用的静态污点分析结果的正确性验证[J]. 计算机应用, 2019, 39(10): 3018-3027.
[9]	李阵, 钮俊, 王奎, 辛园园. 基于多特征权重分配的源代码搜索优化[J]. 计算机应用, 2018, 38(3): 812-817.
[10]	王嘉卿, 朱焱, 陈同孝, 张真诚. 欺诈网页检测中基于遗传算法的特征优选[J]. 计算机应用, 2018, 38(1): 295-299.
[11]	刘有耀, 杨鹏程. 基于JavaCC的C代码自动并行化的设计与实现[J]. 计算机应用, 2016, 36(9): 2422-2426.
[12]	李洁, 俞研, 吴家顺. 基于动态污点分析的DOM XSS漏洞检测算法[J]. 计算机应用, 2016, 36(5): 1246-1249.
[13]	曾祥飞, 郭帆, 涂风涛. 基于对象跟踪的J2EE程序动态污点分析方法[J]. 计算机应用, 2015, 35(8): 2386-2391.
[14]	吴逸伦张博锋赖志权苏金树. 基于消息语义解析的软件网络行为分析[J]. 计算机应用, 2012, 32(01): 25-29.
[15]	陈衍铃赵静. 基于虚拟化技术的动态污点分析[J]. 计算机应用, 2011, 31(09): 2367-2372.