Detection of SQL injection behaviors for PHP applications
ZHOU Ying^1, FANG Yong^2, HUANG Cheng^1, LIU Liang^2
1. College of Electronic Information, Sichuan University, Chengdu Sichuan 610065, China; 2. College of Cybersecurity, Sichuan University, Chengdu Sichuan 610207, China
Abstract: The SQL (Structured Query Language) injection attack is a threat to Web applications. Aiming at SQL injection behaviors in PHP (Hypertext Preprocessor) applications, a model for detecting SQL injection behaviors based on taint tracking was proposed. Firstly, the SQL statement was captured at the moment an SQL function was executed, and the identity information of the attacker was recorded through PHP extension technology; from this information a request log was generated and used as the analysis source. Secondly, SQL parsing with taint marking was implemented on the basis of SQL grammar analysis and an abstract syntax tree, and taint tracking was used to extract multiple features that reflect SQL injection behaviors. Finally, the random forest algorithm was used to identify malicious SQL requests. The experimental results show that the proposed model reaches an accuracy of 96.9%, which is 7.2 percentage points higher than that of regular-expression matching detection. The information acquisition module of the proposed model can be loaded as an extension into any PHP application; therefore it is portable and applicable to security auditing and attack traceability.
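The taint-marked parsing and feature-extraction step described in the abstract, as an added illustration that is not the paper's own code: a simplified tokenizer stands in for the grammar-based parser, substring search over the request parameters stands in for the taint record the PHP extension keeps, and the random-forest classifier is not included; the feature names and sample queries are constructed for this example.

```python
import re

# Simplified SQL tokenizer; stands in for the paper's grammar-based parser (hypothetical).
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^'\\]|\\.|'')*'|"(?:[^"\\]|\\.)*")
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><>|<=|>=|!=|\|\||[=<>+\-*/%(),;.])
  | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)

# Keywords that change a statement's meaning when they arrive inside tainted input.
KEYWORDS = {"select", "union", "or", "and", "from", "where", "sleep", "benchmark",
            "insert", "update", "delete", "drop", "into", "outfile", "load_file"}

def tokenize(sql):
    """Yield (kind, text, start, end) for every non-whitespace token."""
    for m in TOKEN_RE.finditer(sql):
        if m.lastgroup != "ws":
            yield m.lastgroup, m.group(), m.start(), m.end()

def taint_ranges(sql, params):
    """Character ranges of the executed SQL that came from request parameters.
    Substring search stands in for the runtime taint record the PHP extension keeps."""
    ranges = []
    for value in params.values():
        pos = sql.find(value) if value else -1
        while pos != -1:
            ranges.append((pos, pos + len(value)))
            pos = sql.find(value, pos + 1)
    return ranges

def extract_features(sql, params):
    """Taint-aware features for one request-log entry (SQL text plus request parameters)."""
    ranges = taint_ranges(sql, params)
    toks = list(tokenize(sql))
    tainted = [(k, v) for k, v, s, e in toks if any(s < re_ and e > rs for rs, re_ in ranges)]
    # Benign input stays inside one string or number literal; a tainted range that no
    # single literal token contains has escaped the literal and altered the structure.
    def contained(rs, re_):
        return any(s <= rs and re_ <= e and k in ("string", "number") for k, _, s, e in toks)
    return {
        "tainted_tokens": len(tainted),
        "tainted_keywords": sum(1 for k, v in tainted if k == "word" and v.lower() in KEYWORDS),
        "tainted_structural": sum(1 for k, _ in tainted if k in ("op", "comment")),
        "literal_breakout": any(not contained(rs, re_) for rs, re_ in ranges),
    }
```

Each dictionary returned is one feature vector of the kind the paper feeds to its random forest; a benign parameter yields a single tainted literal token and no breakout, while input that spans keywords, operators or comments shows up in the other three features.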