【总结】SQL注入攻击检测方法

注意：以下方法不能过滤对 SQL注入漏洞的探测，但应该可以过滤掉绝大多数对 SQL

漏洞的利用。

检查对象：

1. GET及 POST 请求CGI 参数Value数据

2. Cookie 的Key/Value 对的Value部分

请求参数拆分以后，如果发现有重复的key，报告攻击。

解码：

URL 解码（%）: %41%41

HEX解码（&#x）：&#x41&#x41

DECIMAL 解码：&#65&#65

Base64解码

正规化，以从上到下的次序执行如下操作：

把所有的TAB替换为空格

把所有的回车及换行符替换为空格

把多个连续空格合并为一个空格

处理0xXXXXXXXXX编码，0x4141414141414141 或0x410041004100410041004100

处理char()的编码字符，解码为'X'

处理chr()的编码字符，解码为'X'

把所有模式  “  N'”  和  “= *N'”  和  “+ *N'”  替换为  “  '”  和  “='”  和  “+'”

删除所有模式  “' *+ *'”

删除所有模式  “' *|| *'”

删除所有模式  “||”

所有字符转换为小写

把所有  “'”  替换为   “  '  ”

把所有模式  “\/\*.*\*\/”  替换为空格，得到匹配对象1

删除所有模式  “\/\*.*\*\/”  ，得到匹配对象2 

匹配：

分别对匹配对象1和2 对如下列表以从上到下的次序进行模式匹配，为提高效率匹配

之前可以先判断一下目标的长度，如果小于模式的长度，跳过，发现匹配模式后告

警或阻断，一旦发现匹配不再继续其后模式的匹配。

匹配模式列表（正则表达式）：

"select [^ ]+ from "

"update [^ ]+ set "

"delete [^ ]+ from "

" union all select "

" union select "

" order by "

" group by "

" limit 1[ )]"

"begin [^ ]+ end"

"create database "

"create table "

"drop database "

"drop table "

"insert into "

"alter table "

"bulk insert "

" into outfile "

" waitfor delay "

"sp_addextendedproc"

"xp_cmdshell"

"sp_oacreate"

"sp_addlogin"

"sp_sp_password"

"sp_addsrvrolemember"

"xp_dirtree"

"xp_servicecontrol"

"xp_regread"

"declare @"

" cursor for"

";.*exec *("

"db_name()"

"@@version"

"@@servername"

"system_user"

" and user"

"version()"

"database()"

"user()"

"system_user()"

"session_user()"

"host_name()"

"@@version_compile_os"

"@@basedir"

"@@datadir"

"@@tmpdir""

"is_srvrolemember *("

"is_member *(

" or [^ ]+=[^ ]+"

" or [^ <]+>[^ ]+"

" or [^ >]+<[^ ]+"

" and [^ ]+=[^ ]+"

" and [^ <]+>[^ ]+"

" and [^ >]+<[^ ]+"

" or [^ ]+ like [^ ]+"

" or [^ ]+ in [^ ]+"

" or [^ ]+ between [^ ]+"

" and [^ ]+ like [^ ]+"

" and [^ ]+ in [^ ]+"

" and [^ ]+ between [^ ]+"

"\.[sysdatabases]"

"\.[sysobjects]"

"\.sys\.all_objects"

"[\. (]+xtype="

".[syscolumns]"

" information_schema\.tables "

" information_schema\.columns "

" table_schema "

" mysql\.user "

" v\$parameter "

" v\$database "

" v\$version "

" sys.dba_users "

"utl_inaddr\.get_host_name" "sys.v_\$database"

" session_roles"

" user_role_privs"

" user_tables"

" user_tab_columns"

"granted_role"

"[( =,]+load_file *("

"[( =,]+count(\*)"

"[( =,]+serverproperty *("

"[( =,]+substring *("

"[( =,]+cast *("

"[( =,]+varchar *("

"[( =,]+nvarchar *("

"[( =,]+len *("

"[( =,]+unicode *("

"[( =,]+length *("

"[( =,]+ascii *("

"[( =,]+substr *("

"[( =,]+concat *("

"[( =,]+sys_context *("

"[( =,]+count *("

"[( =,]+asc *("

"[( =,]+mid *("

"@@pack_received"

"bitand("

"connection_id("

--

转载于:https://www.cnblogs.com/yd1227/archive/2011/07/09/2101742.html