Catalog
1 . Introduction 2 . Sqlchop sourcecode Analysis 3 . Sqlwall (Druid)4. PHP Syntax Parser
1. Introduction
Sqlchop, this awesome new tool, Sqlchop, is a new SQL injection detection engine, using a pipeline of smart recursive deco Ding, lexical analysis and semantic analysis. It can detect SQL injection query with extremely-accuracy and high recall with 0day SQLi detection ability, far Bette R than nowadays ' SQL injection detection tools, most of the which based on regex rules. We proposed a novel algorithm to achieve both blazing fast speed and accurate detection ability using SQL syntax analysis.
0x1:description
Sqlchop is a novel SQL injection detection engine built on top of the SQL tokenizing and syntax analysis. Web input (urlpath, body, cookie, etc.) would be first decoded to the raw payloads the Web app accepts and then syntactical a Nalysis'll is performed on payload to classify result. The algorithm behind Sqlchop is based on compiler knowledge and automata theory, and runs at a time complexity of O (N).
0x2:installation
//If using Python, you need to install Protobuf-python, e.g.:1. wget https://bootstrap.pypa.io/get-pip.py2. PythonGet-pip.py3. sudo pip install protobuf//If using C + +, you need to install PROTOBUF, Protobuf-compiler and protobuf-devel, e.g.:1. sudo yum install protobuf protobuf-compiler protobuf-devel// Make1. Download latest release at https://github.com/chaitin/sqlchop/releases2. make3. Run python2 test.py or ld_library_path=././sqlchop_test
Relevant Link:
http://Sqlchop.chaitin.com/demohttp://sqlchop.chaitin.com/https: // www.blackhat.com/us-15/arsenal.html#yusen-chenhttps://pip.pypa.io/en/stable/ Installing.html
2. Sqlchop SourceCode Analysis
The Sqlchop Alpha testing release includes the C + + header and shared object, a Python library, and also some sample usages .
0x1:c++ Header
/** Copyright (C) chaitin Tech. * * Licensed under: *Https://github.com/chaitin/sqlchop/blob/master/LICENSE * */#ifndef __sqlchop_sqlchop_h__#define__sqlchop_sqlchop_h__#defineSqlchop_api __attribute__ ((Visibility ("default"))#ifdef __cplusplusextern "C" {#endifstructsqlchop_object_t;enum{sqlchop_ret_sqli=1, Sqlchop_ret_normal=0, Sqlchop_err_serialize= -1, Sqlchop_err_length= -2,}; Sqlchop_apiintSqlchop_init (Const Charconfig[],structsqlchop_object_t * *obj); Sqlchop_apifloatSqlchop_score_sqli (Const structsqlchop_object_t *obj,Const Charbuf[], size_t len); Sqlchop_apiintSqlchop_classify_request (Const structsqlchop_object_t *obj,Const Charrequest[], size_t Rlen,Char*payloads, size_t Maxplen, size_t*plen,intdetail); Sqlchop_apiintSqlchop_release (structsqlchop_object_t *obj); #ifdef __cplusplus}#endif#endif //__sqlchop_sqlchop_h__
Relevant Link:
HTTPS://github.com/chaitin/sqlchop/releaseshttps://Github.com/chaitin/sqlchop
3. Sqlwall (DRUID)
0x1:introduction
git clone https://github.com/alibaba/druid.gitCD Druid && mvn install
Druid provides Wallfilter, it is based on SQL Semantic analysis to achieve the defense of SQL injection attacks, by parsing SQL statements into AST syntax tree, based on the syntax tree rules for malicious semantic analysis, to obtain SQL injection judgment
0x2:test Example
/** Copyright 1999-2101 Alibaba Group Holding Ltd. * * Licensed under the Apache License, Version 2.0 (the "License"); * You are not a use this file except in compliance with the License. * Obtain a copy of the License at * *http://www.apache.org/licenses/LICENSE-2.0* * Unless required by applicable or agreed to writing, software * Distributed under the License is distribute D on ' As is ' BASIS, * without warranties or CONDITIONS of any KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */Package Com.alibaba.druid.test.wall;import Java.io.file;import java.io.fileinputstream;import Junit.framework.testcase;import Com.alibaba.druid.util.utils;import Com.alibaba.druid.wall.violation;import Com.alibaba.druid.wall.wallcheckresult;import Com.alibaba.druid.wall.wallprovider;import Com.alibaba.druid.wall.spi.MySqlWallProvider; Public classMysqlresourcewalltest extends TestCase {Privatestring[] items; protected voidsetUp () throws Exception {//File File = new file ("/home/wenshao/error_sql");File File =NewFile ("/home/wenshao/scan_result"); FileInputStream is=Newfileinputstream (file); String text= Utils.read ( is); is. Close (); Items= Text.split ("\\|\\n\\|"); } Public voidTest_false () throws Exception {Wallprovider provider=NewMysqlwallprovider (); Provider.getconfig (). Setconditiondoubleconstallow (true); Provider.getconfig (). Setuseallow (true); Provider.getconfig (). Setstrictsyntaxcheck (false); Provider.getconfig (). Setmultistatementallow (true); Provider.getconfig (). Setconditionandalwaytrueallow (true); Provider.getconfig (). Setnonebasestatementallow (true); Provider.getconfig (). Setselectunioncheck (false); Provider.getconfig (). Setschemacheck (true); Provider.getconfig (). Setlimitzeroallow (true); Provider.getconfig (). Setcommentallow (true); for(inti =0; i < items.length; ++i) {String SQL=Items[i]; if(Sql.indexof (""' = '") != -1) { Continue; }//if (i <= 121) {//continue;// }Wallcheckresult result =provider.check (SQL); if(Result.getviolations (). Size () >0) {violation violation= Result.getviolations ().Get(0); System. out. println ("Error ("+ i +") : "+violation.getmessage ()); System. out. println (SQL); Break; }} System. out. println (Provider.getviolationcount ());//String sql = "SELECT name, ' ****** ' password, createtime from user where name is like ' admin ' and (788 5=7885) then 1 ELSE 0 END) ";//assert.assertfalse (provider.checkvalid (SQL)); }}
Relevant Link:
HTTPS://raw.githubusercontent.com/alibaba/druid/master/src/test/java/com/alibaba/druid/test/wall/ Mysqlresourcewalltest.javahttps://github.com/alibaba/druid/wiki/%e5%b8%b8%e8%a7%81%e9%97%ae% e9%a2%98https://github.com/alibaba/druid/wiki/%e9%85%8d%e7%bd%ae-wallfilterhttps:// github.com/alibaba/druidhttp://www.cnblogs.com/LittleHann/p/3495602.htmlhttp: // www.cnblogs.com/LittleHann/p/3514532.html
4. PHP Syntax Parser
<?php require_once ('php-sql-parser.php'); $sql="select name, sum (credits) from students where name= ' Marcin ' and lvid= ' 42509 ';"; Echo $sql. "\ n"; $start= Microtime (true); $parser=NewPhpsqlparser ($sql,true); Var_dump ($parser-parsed); Echo"Parse Time simplest query:". (Microtime (true)-$start)."\ n"; ?>
Relevant Link:
http://files.cnblogs.com/littlehann/php-sql-parser-20131130.zip
Copyright (c) Littlehann All rights reserved
Sqlchop, Sqlwall (Druid), PHP Syntax Parser analysis