catalog

  1. . introduction
  2. . sqlchop sourcecode analysis
  3. . SQLWall(Druid)
  4. . PHP Syntax Parser
  5. . SQL Parse and Compile: Parse and compose
  6. . sql-parser
  7. . PEAR SQL_Parser

1. introduction

SQLCHOP, This awesome new tool, sqlchop, is a new SQL injection detection engine, using a pipeline of smart recursive decoding, lexical analysis and semantic analysis. It can detect SQL injection query with extremely high accuracy and high recall with 0day SQLi detection ability, far better than nowadays' SQL injection detection tools, most of which based on regex rules. We proposed a novel algorithm to achieve both blazing fast speed and accurate detection ability using SQL syntax analysis.

0x1: Description

SQLChop is a novel SQL injection detection engine built on top of SQL tokenizing and syntax analysis. Web input (URLPath, body, cookie, etc.) will be first decoded to the raw payloads that web app accepts, then syntactical analysis will be performed on payload to classify result. The algorithm behind SQLChop is based on compiler knowledge and automata theory, and runs at a time complexity of O(N).

0x2: installation

  1. //If using python, you need to install protobuf-python, e.g.:
  2. . wget https://bootstrap.pypa.io/get-pip.py
  3. . python get-pip.py
  4. . sudo pip install protobuf
  5.  
  6. //If using c++, you need to install protobuf, protobuf-compiler and protobuf-devel, e.g.:
  7. . sudo yum install protobuf protobuf-compiler protobuf-devel
  8.  
  9. //make
  10. . Download latest release at https://github.com/chaitin/sqlchop/releases
  11. . Make
  12. . Run python2 test.py or LD_LIBRARY_PATH=./ ./sqlchop_test

Relevant Link:

  1. http://sqlchop.chaitin.com/demo
  2. http://sqlchop.chaitin.com/
  3. https://www.blackhat.com/us-15/arsenal.html#yusen-chen
  4. https://pip.pypa.io/en/stable/installing.html

2. sqlchop sourcecode analysis

The SQLChop alpha testing release includes the c++ header and shared object, a python library, and also some sample usages.

0x1: c++ header

  1. /*
  2.  * Copyright (C) 2015 Chaitin Tech.
  3.  *
  4.  * Licensed under:
  5.  *   https://github.com/chaitin/sqlchop/blob/master/LICENSE
  6.  *
  7.  */
  8.  
  9. #ifndef __SQLCHOP_SQLCHOP_H__
  10. #define __SQLCHOP_SQLCHOP_H__
  11.  
  12. #define SQLCHOP_API __attribute__((visibility("default")))
  13.  
  14. #ifdef __cplusplus
  15. extern "C" {
  16. #endif
  17.  
  18. struct sqlchop_object_t;
  19.  
  20. enum {
  21.   SQLCHOP_RET_SQLI = ,
  22.   SQLCHOP_RET_NORMAL = ,
  23.   SQLCHOP_ERR_SERIALIZE = -,
  24.   SQLCHOP_ERR_LENGTH = -,
  25. };
  26.  
  27. SQLCHOP_API int sqlchop_init(const char config[],
  28.                              struct sqlchop_object_t **obj);
  29. SQLCHOP_API float sqlchop_score_sqli(const struct sqlchop_object_t *obj,
  30.                                      const char buf[], size_t len);
  31. SQLCHOP_API int sqlchop_classify_request(const struct sqlchop_object_t *obj,
  32.                                          const char request[], size_t rlen,
  33.                                          char *payloads, size_t maxplen,
  34.                                          size_t *plen, int detail);
  35.  
  36. SQLCHOP_API int sqlchop_release(struct sqlchop_object_t *obj);
  37.  
  38. #ifdef __cplusplus
  39. }
  40. #endif
  41.  
  42. #endif // __SQLCHOP_SQLCHOP_H__

Relevant Link:

  1. https://github.com/chaitin/sqlchop/releases
  2. https://github.com/chaitin/sqlchop

3. SQLWall(Druid)

0x1: Introduction

  1. git clone https://github.com/alibaba/druid.git
  2. cd druid && mvn install

Druid提供了WallFilter,它是基于SQL语义分析来实现防御SQL注入攻击的,通过将SQL语句解析为AST语法树,基于语法树规则进行恶意语义分析,得出SQL注入判断

0x2: Test Example

  1. /*
  2.  * Copyright 1999-2101 Alibaba Group Holding Ltd.
  3.  *
  4.  * Licensed under the Apache License, Version 2.0 (the "License");
  5.  * you may not use this file except in compliance with the License.
  6.  * You may obtain a copy of the License at
  7.  *
  8.  *      http://www.apache.org/licenses/LICENSE-2.0
  9.  *
  10.  * Unless required by applicable law or agreed to in writing, software
  11.  * distributed under the License is distributed on an "AS IS" BASIS,
  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13.  * See the License for the specific language governing permissions and
  14.  * limitations under the License.
  15.  */
  16. package com.alibaba.druid.test.wall;
  17.  
  18. import java.io.File;
  19. import java.io.FileInputStream;
  20.  
  21. import junit.framework.TestCase;
  22.  
  23. import com.alibaba.druid.util.Utils;
  24. import com.alibaba.druid.wall.Violation;
  25. import com.alibaba.druid.wall.WallCheckResult;
  26. import com.alibaba.druid.wall.WallProvider;
  27. import com.alibaba.druid.wall.spi.MySqlWallProvider;
  28.  
  29. public class MySqlResourceWallTest extends TestCase {
  30.  
  31.     private String[] items;
  32.  
  33.     protected void setUp() throws Exception {
  34. //        File file = new File("/home/wenshao/error_sql");
  35.         File file = new File("/home/wenshao/scan_result");
  36.         FileInputStream is = new FileInputStream(file);
  37.         String text = Utils.read(is);
  38.         is.close();
  39.         items = text.split("\\|\\n\\|");
  40.     }
  41.  
  42.     public void test_false() throws Exception {
  43.         WallProvider provider = new MySqlWallProvider();
  44.  
  45.         provider.getConfig().setConditionDoubleConstAllow(true);
  46.  
  47.         provider.getConfig().setUseAllow(true);
  48.         provider.getConfig().setStrictSyntaxCheck(false);
  49.         provider.getConfig().setMultiStatementAllow(true);
  50.         provider.getConfig().setConditionAndAlwayTrueAllow(true);
  51.         provider.getConfig().setNoneBaseStatementAllow(true);
  52.         provider.getConfig().setSelectUnionCheck(false);
  53.         provider.getConfig().setSchemaCheck(true);
  54.         provider.getConfig().setLimitZeroAllow(true);
  55.         provider.getConfig().setCommentAllow(true);
  56.  
  57.         for (int i = ; i < items.length; ++i) {
  58.             String sql = items[i];
  59.             if (sql.indexOf("''=''") != -) {
  60.                 continue;
  61.             }
  62. //            if (i <= 121) {
  63. //                continue;
  64. //            }
  65.             WallCheckResult result = provider.check(sql);
  66.             if (result.getViolations().size() > ) {
  67.                 Violation violation = result.getViolations().get();
  68.                 System.out.println("error (" + i + ") : " + violation.getMessage());
  69.                 System.out.println(sql);
  70.                 break;
  71.             }
  72.         }
  73.         System.out.println(provider.getViolationCount());
  74. //        String sql = "SELECT name, '******' password, createTime from user where name like 'admin' AND (CASE WHEN (7885=7885) THEN 1 ELSE 0 END)";
  75.  
  76. //        Assert.assertFalse(provider.checkValid(sql));
  77.     }
  78.  
  79. }

Relevant Link:

  1. https://raw.githubusercontent.com/alibaba/druid/master/src/test/java/com/alibaba/druid/test/wall/MySqlResourceWallTest.java
  2. https://github.com/alibaba/druid/wiki/%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98
  3. https://github.com/alibaba/druid/wiki/%E9%85%8D%E7%BD%AE-wallfilter
  4. https://github.com/alibaba/druid
  5. http://www.cnblogs.com/LittleHann/p/3495602.html
  6. http://www.cnblogs.com/LittleHann/p/3514532.html

4. PHP Syntax Parser

  1. <?php
  2.     require_once('php-sql-parser.php');
  3.  
  4.     $sql = "select name, sum(credits) from students where name='Marcin' and lvID='42509';";
  5.     echo $sql . "\n";
  6.     $start = microtime(true);
  7.     $parser = new PHPSQLParser($sql, true);
  8.     var_dump($parser->parsed);
  9.     echo "parse time simplest query:" . (microtime(true) - $start) . "\n";
  10. ?>

Relevant Link:

  1. http://files.cnblogs.com/LittleHann/php-sql-parser-20131130.zip

5. SQL Parse and Compile: Parse and compose

This package can be used to parse and compose SQL queries programatically.
It can take an SQL query and parse it to extract the different parts of the query like the type of command, fields, tables, conditions, etc..
It can also be used to do the opposite, i.e. compose SQL queries from values that define each part of the query.

0x1: Features

  1. I. Parser
  2. - insert
  3. - replace
  4. - update
  5. - delete
  6. - select
  7. - union
  8. - subselect
  9. - recognizes flow control function (IF, CASE - WHEN - THEN)
  10. - recognition of many sql functions
  11.  
  12. II. Composer (Compiler)
  13. - insert
  14. - replace
  15. - update
  16. - delete
  17. - select
  18. - union
  19.  
  20. III. Wrapper SQL
  21. - object oriented writing of SQL statements from the scratch

0x2: Example

  1. #################################################
  2. $insertObject = new Sql();
  3. $insertObject
  4. ->setCommand("insert")
  5. ->addTableNames("employees")
  6. ->addColumnNames(array("LastName","FirstName"))
  7. ->addValues(
  8. array(
  9. array("Value"=>"Davolio","Type"=>"text_val"),
  10. array("Value"=>"Nancy","Type"=>"text_val"),
  11. )
  12. );
  13. $sqlout = $insertObject->compile();
  14. #################################################
  15.  
  16. result:
  17. echo $sqlout;
  18. #################################################
  19. INSERT INTO employees (LastName, FirstName) VALUES ('Davolio', 'Nancy')
  20. #################################################

Relevant Link:

  1. http://www.phpclasses.org/package/5007-PHP-Parse-and-compose-SQL-queries-programatically.html

6. sql-parser

A validating SQL lexer and parser with a focus on MySQL dialect

Relevant Link:

  1. https://github.com/dmitry-php/sql-parser
  2. https://github.com/udan11/sql-parser/wiki/Overview
  3. https://github.com/udan11/sql-parser/wiki/Examples

7. PEAR SQL_Parser

Relevant Link:

  1. https://pear.php.net/package/SQL_Parser/docs/latest/elementindex_SQL_Parser.html
  2. https://pear.php.net/package/SQL_Parser/docs/latest/__filesource/fsource_SQL_Parser__SQL_Parser-0.6.0SQLParserDialectANSI.php.html
  3. https://pear.php.net/package/SQL_Parser/docs/latest/SQL_Parser/SQL_Parser_Compiler.html
  4. https://pear.php.net/package/SQL_Parser/docs/latest/__filesource/fsource_SQL_Parser__SQL_Parser-0.6.0SQLParserCompiler.php.html
  5. https://pear.php.net/package/SQL_Parser/docs/latest/__filesource/fsource_SQL_Parser__SQL_Parser-0.6.0SQLParser.php.html

Copyright (c) 2015 LittleHann All rights reserved

SQLChop、SQLWall(Druid)、PHP Syntax Parser Analysis的更多相关文章

  1. 基于Spring、SpringMVC、MyBatis、Druid、Shrio构建web系统

    源码下载地址:https://github.com/shuaijunlan/Autumn-Framework 在线Demo:http://autumn.shuaijunlan.cn 项目介绍 Autu ...

  2. Druid、BoneCP、DBCP、C3P0等主流数据库对比

    关键功能 Druid BoneCP DBCP C3P0 Proxool JBoss LRU 是 否 是 否 是 是 PSCache 是 是 是 是 否 是 PSCache-Oracle-Optimiz ...

  3. SpringBoot系列七:SpringBoot 整合 MyBatis(配置 druid 数据源、配置 MyBatis、事务控制、druid 监控)

    1.概念:SpringBoot 整合 MyBatis 2.背景 SpringBoot 得到最终效果是一个简化到极致的 WEB 开发,但是只要牵扯到 WEB 开发,就绝对不可能缺少数据层操作,所有的开发 ...

  4. SQL数据分析概览——Hive、Impala、Spark SQL、Drill、HAWQ 以及Presto+druid

    转自infoQ! 根据 O’Reilly 2016年数据科学薪资调查显示,SQL 是数据科学领域使用最广泛的语言.大部分项目都需要一些SQL 操作,甚至有一些只需要SQL. 本文涵盖了6个开源领导者: ...

  5. SpringMVC+MyBatis (druid、logback)

    数据库连接池是阿里巴巴的druid.日志框架式logback 1.整合SpringMVCspringMybatis-servlet.xml: <?xml version="1.0&qu ...

  6. 数据库连接池 - (druid、c3p0、dbcp)

    概述: 在这里所谓的数据库连接是指通过网络协议与数据库服务之间建立的TCP连接.通常,与数据库服务进行通信的网络协议无需由应用程序本身实现. 原因有三: 实现复杂度大,需要充分理解和掌握相应的通信协议 ...

  7. 时间序列数据库(TSDB)初识与选择(InfluxDB、OpenTSDB、Druid、Elasticsearch对比)

    背景 这两年互联网行业掀着一股新风,总是听着各种高大上的新名词.大数据.人工智能.物联网.机器学习.商业智能.智能预警啊等等. 以前的系统,做数据可视化,信息管理,流程控制.现在业务已经不仅仅满足于这 ...

  8. SpringBoot:整合Druid、MyBatis

    目录 简介 JDBC 导入依赖 连接数据库 CRUD操作 自定义数据源 DruidDataSource Druid 简介 配置数据源 配置 Druid 数据源监控 配置 Druid web 监控 fi ...

  9. JdbcTemplate 、Mybatis、ORM 、Druid 、HikariCP 、Hibernate是什么?它们有什么关系?

    JdbcTemplate .Mybatis.ORM .Druid .HikariCP .Hibernate是什么?它们有什么关系? 学完Spring和SpringMVC之后,就急于求成的开始学习起Sp ...

随机推荐

  1. flask+sqlite3+echarts2+ajax数据可视化--静态图

    结构: /www | |-- /static | | | |-- echarts.js(当然还有echarts原dist目录下的文件(夹)) | |-- /templates | | | |-- in ...

  2. Putty颜色设置

    默认的Putty颜色和字体太不好看了,得自己设置: 字体:毫无疑问Consolas, 10-point:看起来非常清新自然 颜色: * Default Foreground: 255/255/255  ...

  3. Autofac中的属性注入功能使用

    使用依赖注入容器时,大部分都是使用构造函数来注入或者是xml配置文件.也有很多支持属性注入.Autofac就是其中一个. 1 为什么要有属性注入? 对于一些使用特频繁的类或者方法,很多类都会用到,那么 ...

  4. 2016古装动作喜剧《笨贼别跑》HD720P.国语中字

    导演: 雷金克编剧: 郭卫鹏 / 李诗怡 / 马强主演: 彭波 / 李添诺 / 董向荣 / 韩丰 / 董怡君类型: 喜剧 / 动作 / 古装制片国家/地区: 中国大陆语言: 汉语普通话上映日期: 20 ...

  5. vbs keys

    其使用格式为: object.SendKeys string "object":表示WshShell对象 "string":表示要发送的按键指令字符串,需要放在 ...

  6. ASP.NET MVC3入门教程之ajax交互

    本文转载自:http://www.youarebug.com/forum.php?mod=viewthread&tid=100&extra=page%3D1 随着web技术的不断发展与 ...

  7. 【NDK开发】android-ndk r10环境搭建

    1)打开Android开发者的官网http://developer.android.com/找到Develop点击.如果页面打不开,通过代理来访问. 2)进入后再点击Tools 3)进入后在左侧找到N ...

  8. 通过UserAgent判断设备为Android、Ios、Pc访问

    public static bool CheckAgent() { bool flag = false; string agent = HttpContext.Current.Request.User ...

  9. C# 利用反射动态将字符串转换成属性对应的类型值

    /// <summary> /// 为指定对象分配参数 /// </summary> /// <typeparam name="T">对象类型& ...

  10. Java Little Knowledge

    1.Constructor running order of Base class and Derived class This is Alibaba's audition problem. clas ...