
[Summary] SQL injection attack detection methods

Note: the methods below cannot filter out probes for SQL injection vulnerabilities, but they should filter out the great majority of attempts to exploit one.

Objects to check:

1. The values of GET and POST request CGI parameters

2. The value part of each cookie key/value pair

After splitting the request parameters, report an attack if any key appears more than once (a repeated parameter name is how a payload gets spread across several values).

Decoding:

URL decoding (%): %41%41

HEX decoding (&#x): &#x41&#x41

DECIMAL decoding (&#): &#65&#65

Base64 decoding

Normalization, carrying out the following operations in order from top to bottom:

Replace every TAB with a space

Replace every carriage return and line feed with a space

Collapse runs of consecutive spaces into a single space

Decode 0xXXXXXXXXX hex literals such as 0x4141414141414141 or 0x410041004100410041004100 (the second form, with a NUL after every byte, is a UTF-16LE/nvarchar literal)

Decode characters encoded with char() into 'X'

Decode characters encoded with chr() into 'X'

Replace the patterns " N'", "= *N'" and "+ *N'" with " '", "='" and "+'" (this strips the MSSQL national-character prefix from string literals)

Delete every occurrence of the pattern "' *+ *'" (rejoins keywords split with string concatenation, e.g. 'sel'+'ect')

Delete every occurrence of the pattern "' *|| *'"

Delete every occurrence of "||"

Convert all characters to lower case

Replace every "'" with " ' "

Replace every occurrence of the pattern "\/\*.*\*\/" with a space to obtain match target 1

Delete every occurrence of the pattern "\/\*.*\*\/" to obtain match target 2

Note that the ".*" in the comment pattern must be non-greedy ("\/\*.*?\*\/"): with the greedy form, 1/**/union/**/select becomes "1 select", and everything between the first and last comment is lost together with the union keyword.

Matching:

Match target 1 and match target 2 against the list below, in order from top to bottom. For efficiency, compare the target's length with the pattern's length first and skip patterns the target is too short to match; the length to compare against is the shortest string the pattern can match, not the length of its source text (" or [^ ]+=[^ ]+" is 15 characters of source but matches the 7-character " or 1=1"). When a pattern matches, alert or block, and stop without trying the remaining patterns.

Pattern list (regular expressions; literal parentheses, square brackets and dots are backslash-escaped so that each pattern compiles as written):

"select [^ ]+ from "

"update [^ ]+ set "

"delete [^ ]+ from "

" union all select "

" union select "

" order by "

" group by "

" limit 1[ )]"

"begin [^ ]+ end"

"create database "

"create table "

"drop database "

"drop table "

"insert into "

"alter table "

"bulk insert "

" into outfile "

" waitfor delay "

"sp_addextendedproc"

"xp_cmdshell"

"sp_oacreate"

"sp_addlogin"

"sp_password"

"sp_addsrvrolemember"

"xp_dirtree"

"xp_servicecontrol"

"xp_regread"

"declare @"

" cursor for"

";.*exec *\("

"db_name\(\)"

"@@version"

"@@servername"

"system_user"

" and user"

"version\(\)"

"database\(\)"

"user\(\)"

"system_user\(\)"

"session_user\(\)"

"host_name\(\)"

"@@version_compile_os"

"@@basedir"

"@@datadir"

"@@tmpdir"

"is_srvrolemember *\("

"is_member *\("

" or [^ ]+=[^ ]+"

" or [^ <]+>[^ ]+"

" or [^ >]+<[^ ]+"

" and [^ ]+=[^ ]+"

" and [^ <]+>[^ ]+"

" and [^ >]+<[^ ]+"

" or [^ ]+ like [^ ]+"

" or [^ ]+ in [^ ]+"

" or [^ ]+ between [^ ]+"

" and [^ ]+ like [^ ]+"

" and [^ ]+ in [^ ]+"

" and [^ ]+ between [^ ]+"

"\.\[sysdatabases\]"

"\.\[sysobjects\]"

"\.sys\.all_objects"

"[\. (]+xtype="

"\.\[syscolumns\]"

" information_schema\.tables "

" information_schema\.columns "

" table_schema "

" mysql\.user "

" v\$parameter "

" v\$database "

" v\$version "

" sys\.dba_users "

"utl_inaddr\.get_host_name"

"sys\.v_\$database"

" session_roles"

" user_role_privs"

" user_tables"

" user_tab_columns"

"granted_role"

"[( =,]+load_file *\("

"[( =,]+count\(\*\)"

"[( =,]+serverproperty *\("

"[( =,]+substring *\("

"[( =,]+cast *\("

"[( =,]+varchar *\("

"[( =,]+nvarchar *\("

"[( =,]+len *\("

"[( =,]+unicode *\("

"[( =,]+length *\("

"[( =,]+ascii *\("

"[( =,]+substr *\("

"[( =,]+concat *\("

"[( =,]+sys_context *\("

"[( =,]+count *\("

"[( =,]+asc *\("

"[( =,]+mid *\("

"@@pack_received"

"bitand\("

"connection_id\("
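As an added example that is not part of the original post, the Python below implements the procedure above end to end: it splits query, body and cookie values without decoding them, flags repeated parameter names, applies the decoding layers (URL, &#x/&# entities, base64), runs the normalization steps in the page's order, and scans both match targets top to bottom against a subset of the pattern list, stopping at the first hit. It then runs over a few constructed requests. The function names, the base64 guard (decode only when the whole value is base64 text that yields printable ASCII) and the UTF-16LE reading of 0x4100... literals are this example's own assumptions, not something the page specifies.

```python
import base64
import binascii
import html
import re
from urllib.parse import unquote, unquote_plus

# Subset of the page's pattern list, in the page's top-to-bottom order. The page writes
# literal parentheses unescaped ("load_file *("); they are escaped here so each compiles.
PATTERNS = [re.compile(p) for p in (
    r"select [^ ]+ from ", r"update [^ ]+ set ", r"delete [^ ]+ from ",
    r" union all select ", r" union select ", r" waitfor delay ", r"xp_cmdshell",
    r";.*exec *\(", r"@@version", r" or [^ ]+=[^ ]+", r" and [^ ]+=[^ ]+",
    r" information_schema\.tables ", r"[( =,]+load_file *\(", r"[( =,]+concat *\(",
)]
_B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")
_COMMENT = re.compile(r"/\*.*?\*/")  # non-greedy: two comments must not be fused into one


def min_match_len(pattern):
    """Shortest string the pattern can match, for the page's length pre-check (len(pattern)
    would wrongly skip " or 1=1" against " or [^ ]+=[^ ]+"). Covers the list's constructs only."""
    p = re.sub(r"\[[^\]]*\]\+?", "x", pattern)  # a character class matches at least one char
    p = p.replace(" *", "").replace(".*", "")    # optional runs may be empty
    return len(re.sub(r"\\(.)", r"\1", p))       # \( and \. stand for one char each


def decode(value, form=True):
    """URL %xx ('+' is a space in query/form values), then &#xNN / &#NN entities (';' optional),
    then base64 when the whole value is base64 text yielding printable ASCII (guard assumed here)."""
    v = html.unescape(unquote_plus(value) if form else unquote(value))
    if len(v) >= 8 and len(v) % 4 == 0 and _B64.fullmatch(v):
        try:
            plain = base64.b64decode(v, validate=True).decode("ascii")
            if plain.isprintable():
                v = plain
        except (binascii.Error, UnicodeDecodeError):
            pass
    return v


def _hex_literal(m):
    """0x4141 -> 'AA'; a NUL after every byte (0x410041...) is read as UTF-16LE (assumed)."""
    raw = bytes.fromhex(m.group(1))
    if len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def normalize(value):
    """Normalization steps in the page's order; returns (match target 1, match target 2)."""
    v = value.replace("\t", " ")
    v = re.sub(r"[\r\n]", " ", v)
    v = re.sub(r" {2,}", " ", v)
    v = re.sub(r"0x((?:[0-9a-fA-F]{2})+)", _hex_literal, v)
    v = re.sub(r"\b(?:char|chr) *\( *(\d{1,3}) *\)",
               lambda m: "'%s'" % chr(int(m.group(1))), v, flags=re.I)
    v = re.sub(r"([ =+]) *[nN]'", r"\1'", v)  # N'x' -> 'x' (MSSQL unicode literal prefix)
    v = re.sub(r"' *\+ *'", "", v)            # 'sel'+'ect' -> 'select'
    v = re.sub(r"' *\|\| *'", "", v)          # 'sel'||'ect' -> 'select'
    v = v.replace("||", "").lower().replace("'", " ' ")
    return _COMMENT.sub(" ", v), _COMMENT.sub("", v)


def first_hit(value):
    """Scan both targets top-to-bottom and stop at the first pattern that fires."""
    for target in normalize(value):
        for pat in PATTERNS:
            if len(target) >= min_match_len(pat.pattern) and pat.search(target):
                return pat.pattern
    return None


def inspect(query="", body="", cookie=""):
    """Check GET/POST parameter values and cookie values; returns (location, name, finding) triples."""
    findings = []
    for where, raw in (("get", query), ("post", body)):
        seen = set()
        for k, _, v in (p.partition("=") for p in raw.split("&") if p):
            if k in seen:
                findings.append((where, k, "duplicate key"))
            seen.add(k)
            if hit := first_hit(decode(v)):
                findings.append((where, k, hit))
    for k, _, v in (p.strip().partition("=") for p in cookie.split(";") if p.strip()):
        if hit := first_hit(decode(v, form=False)):
            findings.append(("cookie", k, hit))
    return findings


if __name__ == "__main__":
    samples = [  # constructed requests, not captured traffic
        dict(query="id=1%20union%20select%201,@@version,3"),
        dict(query="id=1&id=2"),
        dict(body="user=1%3Bexec%28%27sel%27%2B%27ect+*+fr%27%2B%27om+users%27%29"),
        dict(cookie="sid=abc; lang=1' waitfor delay '0:0:5'--"),
        dict(query="id=%27+or+%27a%27%3D%27a"),  # not caught: quote spacing splits 'a'='a
    ]
    for s in samples:
        print(s, "->", inspect(**s))
```

Run the file directly to print the findings for each sample. The last sample shows a gap in the method as written: after the step that surrounds every quote with spaces, ' or 'a'='a becomes " '  or  ' a ' = ' a", and the " or [^ ]+=[^ ]+" pattern no longer fits because its operands must touch the = sign; ' or 1=1-- is still caught. The `min_match_len` helper is what makes the page's length pre-check safe, since comparing against the regex source length would skip exactly that short payload.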

--

Reposted from: https://www.cnblogs.com/yd1227/archive/2011/07/09/2101742.html