
Detection method and system for SQL injection loophole

A vulnerability detection and injection attack technology, applied in transmission systems, digital transmission systems, electrical components, etc., that addresses problems such as inaccurate detection methods, false positives, and an inability to reach a normal judgment, thereby improving detection efficiency and accuracy.

Inactive Publication Date: 2008-11-26
BEIJING VENUS INFORMATION TECH
Cites: 0, Cited by: 49

AI Technical Summary

Problems solved by technology

[0007] 1. Relying on the status code returned by the server to decide whether a vulnerability exists is too simple: when the server uses a custom error message to shield the runtime error prompt, no normal judgment can be made, resulting in false positives.
[0008] 2. Judging whether the server ran incorrectly by means of keywords is not accurate enough: when the server runs normally but the returned page happens to contain a predefined keyword, or when the server runs incorrectly but the configured return content does not contain the predefined keyword, no accurate judgment can be made, resulting in false positives and false negatives.


Embodiment 1

[0029] This embodiment is a specific embodiment of the SQL injection vulnerability detection method; its main operation flow is shown in figure 1. The basic idea of this embodiment is as follows: it provides a series of SQL injection attack templates, where each template consists of several SQL injection statements that may cause the server to return different results, together with a cross-validation function corresponding to the template. For each webpage to be scanned on the server, the SQL injection vulnerability detection system sends a normal SQL access request and the specific SQL injection statements of the selected template to the webpage, and receives the results returned by the server. Since each access request is constructed in advance, different results will be returned if these access requests are executed on the server. The cross-validation function judges whether the submitted SQL injection statement has been executed on the server by co...

Embodiment 2

[0061] This embodiment is a system implementing the method described in embodiment 1; its structure diagram is shown in figure 1. It is a SQL injection vulnerability detection system installed on a user terminal connected to the Internet, with at least one to-be-verified webpage definition unit connected to the network server; at least one SQL injection attack template selection unit, connected to the to-be-verified webpage definition unit, that provides four attack template subunits; and at least one cross-validation unit that is supported by the SQL injection attack template selection unit and interfaces with the web server. The system includes:

[0062] 1. Webpage definition unit to be verified: define a series of webpage addresses that may contain SQL injection vulnerabilities.

[0063] 2. SQL injection attack template selection unit: lists the available SQL injection attack templates for the user to choose from.

[...


Abstract

The invention discloses a SQL injection vulnerability detection technique, a key technique of a host vulnerability scanning system, which is an important product for network security. The SQL injection vulnerability detection technique is characterized by submitting normal access request data and different types of SQL injection data to a server, receiving the results returned by the server, cross-comparing the results returned for the different requests, and then determining from the comparison whether SQL injection vulnerabilities exist in the server's processing of the submitted data. The website addresses to be verified are defined by means of a web crawler, a browser plug-in, or manual input. One or more of four different types of attack templates can be selected to detect whether SQL injection vulnerabilities exist on the websites to be verified. By cross-comparing the results returned for the normal access requests and for the SQL injection statements, the existence of SQL injection vulnerabilities in the server's processing of user-submitted data can be judged even when the server shields error information.
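The cross-validation step that embodiment 1 and the abstract describe, as an added example that is not code from the patent or its owner: the injected requests themselves are abstracted into template variants with a predicted outcome, and constructed response bodies stand in for what a server would return. Only relative differences between responses are compared, never status codes or error keywords, which is what keeps the check working when the server shields error messages. The threshold, template labels and sample pages are all assumptions.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

SIMILARITY_THRESHOLD = 0.95  # assumed cut-off; tune per target page


@dataclass(frozen=True)
class Variant:
    """One injected request of a template, with the template's prediction."""
    label: str          # identifies which injected request produced the response
    expect_same: bool   # True if a vulnerable server should answer like the normal request


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how alike two response bodies are."""
    return SequenceMatcher(None, a, b).ratio()


def cross_validate(baseline: str, responses: dict, template: list) -> dict:
    """Compare each variant's response against the normal request's response.

    The page is flagged only when every variant behaved as the template
    predicts; status codes and error keywords are never consulted.
    """
    observed = {v.label: similarity(baseline, responses[v.label]) >= SIMILARITY_THRESHOLD
                for v in template}
    vulnerable = all(observed[v.label] == v.expect_same for v in template)
    return {"observed": observed, "vulnerable": vulnerable}


# Constructed sample bodies (not captured from any real server).
BASELINE = "<html><body><h1>Products</h1><ul><li>Apple</li><li>Pear</li></ul></body></html>"
NO_ROWS = "<html><body><h1>Products</h1><ul></ul></body></html>"
SHIELDED = "<html><body><h1>Products</h1><p>Sorry, something went wrong.</p></body></html>"

# Hypothetical two-variant template: one condition that keeps every row and
# one that filters every row out. The SQL text itself is not modelled here.
TEMPLATE = [Variant("keeps_rows", expect_same=True),
            Variant("drops_rows", expect_same=False)]


def injected_conditions_executed() -> bool:
    """Rows appear and disappear exactly as predicted: the injected text ran."""
    return cross_validate(BASELINE, {"keeps_rows": BASELINE, "drops_rows": NO_ROWS},
                          TEMPLATE)["vulnerable"]


def shielded_error_not_flagged() -> bool:
    """Both variants get the same custom error page: predictions fail, no finding."""
    return cross_validate(BASELINE, {"keeps_rows": SHIELDED, "drops_rows": SHIELDED},
                          TEMPLATE)["vulnerable"]


def input_ignored_not_flagged() -> bool:
    """Both variants look like the normal page: nothing was executed."""
    return cross_validate(BASELINE, {"keeps_rows": BASELINE, "drops_rows": BASELINE},
                          TEMPLATE)["vulnerable"]
```

A real scanner would feed `cross_validate` the bodies fetched for each template variant; the same decision rule applies whether the server returns a stack trace, a custom error page, or a silently emptied result.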

Description

Technical field

[0001] The present invention relates to a SQL (Structured Query Language) injection vulnerability detection method and system. It is a protection method and system for electronic digital data processing and for preventing unauthorized use, is applied to network systems, and is a key technology of the host vulnerability scanning system, an important product of network security.

Background technique

[0002] With the development of the Internet, the client/server (B/S) model has been used more and more widely. In B/S mode, data interaction between the user and the background database server occurs frequently: the user enters and submits data through a form on the client's web page, the server's application program constructs an SQL statement from the submitted data and submits it to the database, and the server processes it and returns the result to the user. When developing applications in B/S mode, many ...


Application Information

IPC(8): H04L9/00, H04L29/06
Inventors: 周涛, 叶润国, 骆拥政
Owner: BEIJING VENUS INFORMATION TECH