SQLChop、SQLWall(Druid)、PHP Syntax Parser Analysis

catalog

1. introduction
2. sqlchop sourcecode analysis
3. SQLWall(Druid)
4. PHP Syntax Parser

1. introduction

SQLCHOP, This awesome new tool, sqlchop, is a new SQL injection detection engine, using a pipeline of smart recursive decoding, lexical analysis and semantic analysis. It can detect SQL injection query with extremely high accuracy and high recall with 0day SQLi detection ability, far better than nowadays‘ SQL injection detection tools, most of which based on regex rules. We proposed a novel algorithm to achieve both blazing fast speed and accurate detection ability using SQL syntax analysis.

0x1: Description

SQLChop is a novel SQL injection detection engine built on top of SQL tokenizing and syntax analysis. Web input (URLPath, body, cookie, etc.) will be first decoded to the raw payloads that web app accepts, then syntactical analysis will be performed on payload to classify result. The algorithm behind SQLChop is based on compiler knowledge and automata theory, and runs at a time complexity of O(N).

0x2: installation

//If using python, you need to install protobuf-python, e.g.:
1. wget https://bootstrap.pypa.io/get-pip.py
2. python get-pip.py
3. sudo pip install protobuf

//If using c++, you need to install protobuf, protobuf-compiler and protobuf-devel, e.g.:
1. sudo yum install protobuf protobuf-compiler protobuf-devel

//make
1. Download latest release at https://github.com/chaitin/sqlchop/releases
2. Make
3. Run python2 test.py or LD_LIBRARY_PATH=./ ./sqlchop_test

Relevant Link:

http://sqlchop.chaitin.com/demo
http://sqlchop.chaitin.com/
https://www.blackhat.com/us-15/arsenal.html#yusen-chen
https://pip.pypa.io/en/stable/installing.html

2. sqlchop sourcecode analysis

The SQLChop alpha testing release includes the c++ header and shared object, a python library, and also some sample usages.

0x1: c++ header

/*
 * Copyright (C) 2015 Chaitin Tech.
 *
 * Licensed under:
 *   https://github.com/chaitin/sqlchop/blob/master/LICENSE
 *
 */

#ifndef __SQLCHOP_SQLCHOP_H__
#define __SQLCHOP_SQLCHOP_H__

#define SQLCHOP_API __attribute__((visibility("default")))

#ifdef __cplusplus
extern "C" {
#endif

struct sqlchop_object_t;

enum {
  SQLCHOP_RET_SQLI = 1,
  SQLCHOP_RET_NORMAL = 0,
  SQLCHOP_ERR_SERIALIZE = -1,
  SQLCHOP_ERR_LENGTH = -2,
};

SQLCHOP_API int sqlchop_init(const char config[],
                             struct sqlchop_object_t **obj);
SQLCHOP_API float sqlchop_score_sqli(const struct sqlchop_object_t *obj,
                                     const char buf[], size_t len);
SQLCHOP_API int sqlchop_classify_request(const struct sqlchop_object_t *obj,
                                         const char request[], size_t rlen,
                                         char *payloads, size_t maxplen,
                                         size_t *plen, int detail);

SQLCHOP_API int sqlchop_release(struct sqlchop_object_t *obj);

#ifdef __cplusplus
}
#endif

#endif // __SQLCHOP_SQLCHOP_H__

Relevant Link:

https://github.com/chaitin/sqlchop/releases
https://github.com/chaitin/sqlchop

3. SQLWall(Druid)

0x1: Introduction

git clone https://github.com/alibaba/druid.git
cd druid && mvn install

Druid提供了WallFilter,它是基于SQL语义分析来实现防御SQL注入攻击的,通过将SQL语句解析为AST语法树,基于语法树规则进行恶意语义分析,得出SQL注入判断

0x2: Test Example

/*
 * Copyright 1999-2101 Alibaba Group Holding Ltd.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.alibaba.druid.test.wall;

import java.io.File;
import java.io.FileInputStream;

import junit.framework.TestCase;

import com.alibaba.druid.util.Utils;
import com.alibaba.druid.wall.Violation;
import com.alibaba.druid.wall.WallCheckResult;
import com.alibaba.druid.wall.WallProvider;
import com.alibaba.druid.wall.spi.MySqlWallProvider;

public class MySqlResourceWallTest extends TestCase {

    private String[] items;

    protected void setUp() throws Exception {
//        File file = new File("/home/wenshao/error_sql");
        File file = new File("/home/wenshao/scan_result");
        FileInputStream is = new FileInputStream(file);
        String text = Utils.read(is);
        is.close();
        items = text.split("\\|\\n\\|");
    }

    public void test_false() throws Exception {
        WallProvider provider = new MySqlWallProvider();

        provider.getConfig().setConditionDoubleConstAllow(true);

        provider.getConfig().setUseAllow(true);
        provider.getConfig().setStrictSyntaxCheck(false);
        provider.getConfig().setMultiStatementAllow(true);
        provider.getConfig().setConditionAndAlwayTrueAllow(true);
        provider.getConfig().setNoneBaseStatementAllow(true);
        provider.getConfig().setSelectUnionCheck(false);
        provider.getConfig().setSchemaCheck(true);
        provider.getConfig().setLimitZeroAllow(true);
        provider.getConfig().setCommentAllow(true);

        for (int i = 0; i < items.length; ++i) {
            String sql = items[i];
            if (sql.indexOf("‘‘=‘‘") != -1) {
                continue;
            }
//            if (i <= 121) {
//                continue;
//            }
            WallCheckResult result = provider.check(sql);
            if (result.getViolations().size() > 0) {
                Violation violation = result.getViolations().get(0);
                System.out.println("error (" + i + ") : " + violation.getMessage());
                System.out.println(sql);
                break;
            }
        }
        System.out.println(provider.getViolationCount());
//        String sql = "SELECT name, ‘******‘ password, createTime from user where name like ‘admin‘ AND (CASE WHEN (7885=7885) THEN 1 ELSE 0 END)";

//        Assert.assertFalse(provider.checkValid(sql));
    }

}

Relevant Link:

https://raw.githubusercontent.com/alibaba/druid/master/src/test/java/com/alibaba/druid/test/wall/MySqlResourceWallTest.java
https://github.com/alibaba/druid/wiki/%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98
https://github.com/alibaba/druid/wiki/%E9%85%8D%E7%BD%AE-wallfilter
https://github.com/alibaba/druid
http://www.cnblogs.com/LittleHann/p/3495602.html
http://www.cnblogs.com/LittleHann/p/3514532.html

4. PHP Syntax Parser

<?php
    require_once(‘php-sql-parser.php‘);

    $sql = "select name, sum(credits) from students where name=‘Marcin‘ and lvID=‘42509‘;";
    echo $sql . "\n";
    $start = microtime(true);
    $parser = new PHPSQLParser($sql, true);
    var_dump($parser->parsed);
    echo "parse time simplest query:" . (microtime(true) - $start) . "\n";
?>

Relevant Link:

http://files.cnblogs.com/LittleHann/php-sql-parser-20131130.zip

Copyright (c) 2015 LittleHann All rights reserved

时间: 2024-12-14 00:49:24

SQLChop、SQLWall(Druid)、PHP Syntax Parser Analysis的相关文章

SQL数据分析概览——Hive、Impala、Spark SQL、Drill、HAWQ 以及Presto+druid

转自infoQ! 根据 O'Reilly 2016年数据科学薪资调查显示,SQL 是数据科学领域使用最广泛的语言.大部分项目都需要一些SQL 操作,甚至有一些只需要SQL. 本文涵盖了6个开源领导者:Hive.Impala.Spark SQL.Drill.HAWQ 以及Presto,还加上Calcite.Kylin.Phoenix.Tajo 和Trafodion.以及2个商业化选择Oracle Big Data SQL 和IBM Big SQL,IBM 尚未将后者更名为"Watson SQL&q

时间序列数据库(TSDB)初识与选择(InfluxDB、OpenTSDB、Druid、Elastic

背景 这两年互联网行业掀着一股新风,总是听着各种高大上的新名词.大数据.人工智能.物联网.机器学习.商业智能.智能预警啊等等. 以前的系统,做数据可视化,信息管理,流程控制.现在业务已经不仅仅满足于这种简单的管理和控制了.数据可视化分析,大数据信息挖掘,统计预测,建模仿真,智能控制成了各种业务的追求. "所有一切如泪水般消失在时间之中,时间正在死去",以前我们利用互联网解决现实的问题.现在我们已经不满足于现实,数据将连接成时间序列,可以往前可以观其历史,揭示其规律性,往后可以把握其趋势

mysql高级教程(一)-----逻辑架构、查询流程、索引

mysql逻辑架构 和其它数据库相比,MySQL有点与众不同,它的架构可以在多种不同场景中应用并发挥良好作用.主要体现在存储引擎的架构上,插件式的存储引擎架构将查询处理和其它的系统任务以及数据的存储提取相分离.这种架构可以根据业务的需求和实际需要选择合适的存储引擎. 1.连接层 最上层是一些客户端和连接服务,包含本地sock通信和大多数基于客户端/服务端工具实现的类似于tcp/ip的通信.主要完成一些类似于连接处理.授权认证.及相关的安全方案.在该层上引入了线程池的概念,为通过认证安全接入的客户

第4章:缓冲区、着色器、GLSL

原文链接: http://www.rastertek.com/gl40tut04.html Tutorial 4: Buffers, Shaders, and GLSL This tutorial will be the introduction to writing vertex and pixel shaders in OpenGL 4.0. It will also be the introduction to using vertex and index buffers in OpenG

(转)从内存管 理、内存泄漏、内存回收探讨C++内存管理

http://www.cr173.com/html/18898_all.html 内存管理是C++最令人切齿痛恨的问题,也是C++最有争议的问题,C++高手从中获得了更好的性能,更大的自由,C++菜鸟的收获则是一遍一遍的检查代码和对 C++的痛恨,但内存管理在C++中无处不在,内存泄漏几乎在每个C++程序中都会发生,因此要想成为C++高手,内存管理一关是必须要过的,除非放弃 C++,转到Java或者.NET,他们的内存管理基本是自动的,当然你也放弃了自由和对内存的支配权,还放弃了C++超绝的性能

Spring、Spring MVC、Mybatis、Dubbo、Spring security整合日记(一)

使用Idea 15作为开发工具 一.四个模块 api    作为接口,jar包,提供依赖 core  基础模块,提供实体类,工具类,jar包,提供依赖 consumer dubbo中的消费者,控制层,war包,依赖api.core provider dubbo中的提供者,业务层,war包,依赖api.core 二.Maven依赖 ①.dubbo(parent) pom.xml <groupId>com.zhf</groupId> <artifactId>dubbo<

Nginx反向代理、负载均衡、页面缓存、URL重写及读写分离详解

大纲 一.前言 二.环境准备 三.安装与配置Nginx 四.Nginx之反向代理 五.Nginx之负载均衡 六.Nginx之页面缓存 七.Nginx之URL重写 八.Nginx之读写分离 注,操作系统为 CentOS 6.4 x86_64 , Nginx 是版本是最新版的1.4.2,所以实验用到的软件请点击这里下载:http://yunpan.cn/QXIgqMmVmuZrm 一.前言 在前面的几篇博文中我们主要讲解了Nginx作为Web服务器知识点,主要的知识点有nginx的理论详解.ngin

安全权限、高性能、高并发、分布式java shiro、maven、Bootstrap、SpringMVC、Mybatis

获取[下载地址]   QQ: 313596790   [免费支持更新]支持三大数据库 mysql  oracle  sqlsever   更专业.更强悍.适合不同用户群体[新录针对本系统的视频教程,手把手教开发一个模块,快速掌握本系统]A 代码生成器(开发利器);      增删改查的处理类,service层,mybatis的xml,SQL( mysql   和oracle)脚本,   jsp页面 都生成   就不用写搬砖的代码了,生成的放到项目里,可以直接运行B 阿里巴巴数据库连接池druid

Nginx之反向代理、日志格式、集群、缓存、压缩、URl 重写,读写分离配置

location的模式匹配按照优先级由低到高有以下四种: Nginx作为一个优秀的Web服务器,不仅在处理静态内容上比Apache优秀,还经常被用来做反向代理服务器,且支持缓存,URL重写,自定义格式,读写分离等功能,并且支持在TCP/IP第七层实现集群功能,基于AIO(异步I/O)event_driven(事件驱动)mmap(内存映射)等机制和功能,具有轻量级.高性能.消耗低.特性丰富.配置简单等特点 实验环境: node1:192.168.139.2 node2:192.168.139.4