基于二阶分片重组盲注的渗透测试方法

doi:10.11959/j.issn.1000-436x.2017238

通信学报 ›› 2017, Vol. 38 ›› Issue (Z1): 73-82.doi: 10.11959/j.issn.1000-436x.2017238

基于二阶分片重组盲注的渗透测试方法

乐德广^1,^2,³,龚声蓉¹,吴少刚³,徐锋³,刘文生⁴

¹ 常熟理工学院计算机科学与工程学院，江苏常熟 215500
² 苏州大学计算机科学与技术学院，江苏苏州 215006
³ 中科梦兰电子科技有限公司，江苏常熟 215500
⁴ 泉州市公安局公共信息网络安全监察支队，福建泉州 362000

出版日期:2017-10-01 发布日期:2018-06-07
作者简介:乐德广（1975-），男，福建三明人，博士，常熟理工学院副教授，主要研究方向为信息安全与下一代互联网技术等。|龚声蓉（1966-），男，湖北天门人，博士，常熟理工学院教授、博士生导师，主要研究方向为图像处理与信息安全等。|吴少刚（1973-），男，安徽宿松人，博士，中科梦兰电子科技有限公司研究员，主要研究方向为计算机系统结构、并行与分布式计算等。|徐锋（1981-），男，江苏常熟人，中科梦兰电子科技有限公司高级工程师，主要研究方向为计算机体系结构及自主安全。|刘文生（1969-），男，福建泉州人，泉州市公安局高级工程师，主要研究方向为网络安全。
基金资助:
国家自然科学基金资助项目(61402057);江苏省产学研前瞻性联合研究基金资助项目(BY2016050-01);江苏省科技计划基金资助项目(BK20160411)

Penetration test method using blind SQL injection based on second-order fragment and reassembly

De-guang LE^1,^2,³,Sheng-rong GONG¹,Shao-gang WU³,Feng XU³,Wen-sheng LIU⁴

¹ School of Computer Science ＆Engineering,Changshu Institute of Technology,Changshu 215500,China
² School of Computer Science and Technology,Soochow University,Suzhou 215006,China
³ Lemote Electronic Technology Co.,Ltd.,Changshu 215500,China
⁴ Public Information Network Safety Supervision Division,Quanzhou Municipal Public Security Bureau,Quanzhou 362000,China

Online:2017-10-01 Published:2018-06-07
Supported by:
The National Natural Science Foundation of China(61402057);The Production and Research Prospective Joint Research Project of Jiangsu Province(BY2016050-01);The Jiangsu Provincial Natural Science Foundation(BK20160411)

摘要/Abstract

摘要：

针对如何克服当前SQL注入渗透测试存在的盲目性，以生成优化的SQL注入攻击模式、增强渗透测试攻击生成阶段的有效性，提高对SQL注入渗透测试的准确度问题，提出一种基于二阶分片重组的SQL盲注漏洞渗透测试方法。该方法通过对SQL注入攻击行为进行建模，并以模型驱动渗透测试多形态和多种类的攻击生成，从而降低SQL注入渗透测试盲目性，提高其准确度。通过实际的Web应用SQL注入漏洞测试实验与比较分析，不仅验证了所提方法的有效性，而且通过减少在安全防御环境下对 SQL 注入漏洞检测的漏报，提高其测试的准确度。

关键词: SQL注入, 渗透测试, 攻击模型, 二阶分片重组

Abstract:

How to get rid of the blindness of current SQL injection penetration test,produce the optimized attack pattern of SQL injection,enhance the effectiveness in the phase of attack generation,and improve the accuracy of vulnerability detection of SQL injection using penetration test,is a big challenge.In order to resolve these problems,a new penetration test method using blind SQL injection was proposed based on second-order fragment and reassembly.In this method,the SQL injection attack model was built firstly and then the multiform and multi-type attack patterns of SQL injection penetration test driven by the SQL injection attack model was produced,which can reduce the blindness of SQL injection penetration test and improve the accuracy of SQL injection vulnerability detection.The experiments of SQL injection vulnerability detection was conducted through the actual Web applications by using proposed method in comparison with current methods.The analysis results of test show the proposed method is better compared with other methods,which not only proves the effectiveness of proposed method,but also improve the accuracy of SQL injection vulnerability detection by reducing false negative in the defensive environment.

Key words: SQL injection, penetration test, attack model, second-order fragment and reassembly

中图分类号:

TP393

乐德广,龚声蓉,吴少刚,徐锋,刘文生. 基于二阶分片重组盲注的渗透测试方法[J]. 通信学报, 2017, 38(Z1): 73-82.

De-guang LE,Sheng-rong GONG,Shao-gang WU,Feng XU,Wen-sheng LIU. Penetration test method using blind SQL injection based on second-order fragment and reassembly[J]. Journal on Communications, 2017, 38(Z1): 73-82.

图/表 8

表1

图1

图2

表2

图3

表3

表4

表5

参考文献 27

[1]	OWASP. The ten most critical Web application security risks[S]. OWASP Top 10, 2017.
[2]	ANTUNES N , VIEIRA M . Designing vulnerability testing tools for Web services:approach,components,and tools[J]. International Journal of Information Security, 2017,16(4): 435-457.
[3]	ANTUNES N , VIEIRA M . Penetration testing for Web services[J]. IEEE Computer, 2014,47(2): 30-36.
[4]	DEEPA G , THILAGAM P S . Securing Web applications from injection and logic vulnerabilities:approaches and challenges[J]. Information and Software Technology, 2016,74(6): 160-180.
[5]	DALAI A K , JENA S K . Neutralizing SQL injection attack using server side code modification in Web applications[J]. Security ＆Communication Networks, 2017,2017(2): 1-12.
[6]	乐德广, 李鑫, 龚声蓉 ,等. 新型二阶 SQL 注入技术研究[J]. 通信学报, 2015,36(Z1): 85-93.
	LE D G , LI X , GONG S R ,et al. Research on second-order SQL injection techniques[J]. Journal on Communications, 2015,36(Z1): 85-93.
[7]	HALFOND W G J , CHOUDHARY S R , ORSO A . Improving penetration testing through static and dynamic analysis[J]. Software Testing Verification ＆ Reliability, 2011,21(3): 195-214.
[8]	SALAS M I P , MARTINS E . A black-box approach to detect vulnerabilities in Web services using penetration testing[J]. IEEE Latin America Transactions, 2015,13(3): 707-712.
[9]	CHEN J M , WU C L . An automated vulnerability scanner for injection attack based on injection point[C]// IEEE International Computer Symposium (ICS). 2010: 113-118.
[10]	ALENEZI M , JAVED Y . Open source Web application security:a static analysis approach[C]// IEEE International Conference on Engineering ＆ MIS (ICEMIS). 2016: 1-5.
[11]	KIM M Y , LEE D H . Data-mining based SQL injection attack detection using internal query trees[J]. Expert Systems with Applications, 2014,41(11): 5416-5430.
[12]	JANG Y S , CHOI J Y . Detecting SQL injection attacks using query result size[J]. Computers ＆ Security, 2014,44(2): 104-118.
[13]	KAR D , PANIGRAHI S , SUNDARARAJAN S . SQLiGoT:detecting SQL injection attacks using graph of tokens and SVM[J]. Computers＆ Security, 2016,60(3): 206-225.
[14]	KIEZUN A , GUO P J , JAYARAMAN K ,et al. Automatic creation of SQL Injection and cross-site scripting attacks[C]// 31st IEEE International Conference on Software Engineering. 2009: 199-209.
[15]	HUANG H C , ZHANG Z K , CHENG H W ,et al. Web application security:threats,counter measures,and pitfalls[J]. IEEE Computer, 2017,50(6): 81-85.
[16]	DAHSE J , HOLZ T . Static detection of second-order vulnerabilities in Web applications[C]// 23rd USENIX conference on Security Symposium (USENIX). 2014: 989-1003.
[17]	YAN L , LI X H , FENG R T ,et al. Detection method of the second-order SQL injection in Web applications[J]. Lecture Notes in Computer Science, 2014,8332(1): 154-165.
[18]	MARBACK A , DO H , HE K ,et al. A threat model-based approach to security testing[J]. Software-Practice ＆ Experience, 2013,43(2): 241-258.
[19]	XIONG P L . A model-driven penetration test framework for Web applications[D]. University of Ottawa, 2012.
[20]	KAUR N , KAUR P . Modeling a SQL injection attack[C]// 3rd IEEE International Conference on Computing for Sustainable Global Development (INDIACom). 2016: 77-82.
[21]	BYERS D , SHAHMEHRI N . Unified modeling of attacks,vulnerabilities[C]// ICSE Workshop on Software Engineering for Secure Systems (SESS). 2010: 36-42.
[22]	田伟, 许静, 杨巨峰 ,等. 模型驱动的Web应用SQL注入渗透测试[J]. 高技术通讯, 2012,22(11): 1161-1168.
	TIAN W , XU J , YANG J F ,et al. Model-driven penetration test of the SQL injection in Web applications[J]. Chinese High Technology Letters, 2012,22(11): 1161-1168.
[23]	VIBHANDIK R , BOSE A K . Vulnerability assessment of Web applications - a testing approach[C]// 4th IEEE International Conference on e-Technologies and Networks for Development (ICeND). 2015: 1-6.
[24]	LIBAN A , HILLES S M . Enhancing MySQL injector vulnerability checker tool (mysql injector) using inference binary search algorithm for blind timing-based attack[C]// IEEE 5th Control and System Graduate Research Colloquium. 2014: 47-52.
[25]	DABAS A , SHARMA A K . Understanding advanced blind SQLI attack[J]. International Journal of Engineering Research and General Science, 2015,3(3): 1548-1552.
[26]	HALFOND W , VIEGAS J , ORSO A . A Classification of SQLinjection attacks and countermeasures[C]// International Symposium on Secure Software Engineering (ISSSE). 2006: 12-23.
[27]	ANTUNES N , VIEIRA M . Defending against Web application vulnerabilities[J]. IEEE Computer, 2012,45(2): 66-72.

图形化符号	描述
	根
	与SGM无关联的子目标
	与SGM关联的子目标
	子目标之间的依赖边
	与（AND）操作符
	或（OR）操作符
	子目标之间的信息边

连接符	描述
/* */	多行注释符
\	表示特殊字符
‘	字符分割符
#	单行注释符
-	单行注释符

Web应用	基于时间盲注	基于布尔值盲注	本文方法
phpmps v2.4	×	×	√
cmseasy v4	×	×	√
Mallbuilder v7	×	×	√

Web应用	一阶SQL注入			本文方法
Web应用	无	WAF1	WAF2	无	WAF1	WAF2
XDcms v5	√	×	×	√	√	√
天生创想OA v2014	√	×	×	√	√	√
phpyun v3.2	√	×	×	√	×	×
齐博CMS v5.0	√	×	×	√	√	√
U-Mail v9.8.57	√	×	×	√	√	√

代码防御技术	一阶SQL注入		本文方法
代码防御技术	Web1	Web2	Web1	Web2
参数化查询	×	×	√	√
addslashes函数	×	×	√	√
Trim函数	×	×	√	√
Magic-quote-gpc	×	×	√	√
str_replace	×	×	√	√

基于二阶分片重组盲注的渗透测试方法

Penetration test method using blind SQL injection based on second-order fragment and reassembly

在线阅读

PDF下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献 27

相关文章 8

Metrics

推荐阅读 0

[1]	马博林, 张铮, 刘浩, 邬江兴. SQLMVED：基于多变体执行的SQL注入运行时防御系统[J]. 通信学报, 2021, 42(4): 127-138.
[2]	熊文君,徐正全,王豪. 基于滤波原理的时间序列差分隐私保护强度评估[J]. 通信学报, 2017, 38(5): 172-181.
[3]	赵宇飞,熊刚,贺龙涛,李舟军. 面向网络环境的SQL注入行为检测方法[J]. 通信学报, 2016, 37(2): 89-98.
[4]	乐德广，李鑫，龚声蓉，郑力新. 新型二阶SQL注入技术研究[J]. 通信学报, 2015, 36(Z1): 85-93.
[5]	何贤芒,王晓阳,陈华辉,董一鸿. 差分隐私保护参数ε的选取研究[J]. 通信学报, 2015, 36(12): 124-130.
[6]	罩遵颖,李国栋,李卫,黄旭昌. OSPF协议脆弱性分析与检测系统的设计和实现[J]. 通信学报, 2013, 34(Z2): 58-63.
[7]	覃遵颖1,2，李国栋1,3，李卫2,3，黄旭昌2. OSPF协议脆弱性分析与检测系统的设计和实现[J]. 通信学报, 2013, 34(Z2): 12-63.
[8]	祝宁,陈性元,张永福. 基于渗透测试的抗攻击测试体系构建与渗透攻击系统设计[J]. 通信学报, 2011, 32(11A): 71-78.