
How to analyze SQL injection semantic Analysis Library Libinjection

2025-04-05 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

This article analyzes the SQL injection semantic analysis library Libinjection in detail, in the hope of giving readers who want to understand it a simpler and more practical way in.

I. Preface

This time we will mainly talk about the open source SQL injection semantic analysis library libinjection. If you know of any other open source SQL semantic analysis libraries, you are welcome to let us know. The program analysis of libinjection was provided by Simon Friendship; if you need the full report, you can join the group.

II. Libinjection program analysis

From the flow chart, libinjection first initializes the issqli variable, then sets up the data structure and initializes its state: the libinjection_sqli_init() function initializes the structure needed for SQL detection, and libinjection_is_sqli() then performs the actual analysis. If SQL injection is found, the matching SQL injection recognition feature is copied into the fingerprint variable and returned; if not, the fingerprint variable is set to empty and returned.

The above figure is the general function diagram. The main work of the libinjection_sqli_init() function is to load the SQL injection identification signatures (fingerprints) into the structure and complete the initialization of the various built-in variables. The processing code of libinjection_is_sqli() is as follows, and the analysis below follows the code.

    int libinjection_is_sqli(struct libinjection_sqli_state *sql_state)
    {
        const char *s = sql_state->s;
        size_t slen = sql_state->slen;

        /* empty input cannot be SQL injection */
        if (slen == 0) {
            return FALSE;
        }

        /* pass 1: input as-is, no quote context, ANSI SQL syntax */
        libinjection_sqli_fingerprint(sql_state, FLAG_QUOTE_NONE | FLAG_SQL_ANSI);
        if (sql_state->lookup(sql_state, LOOKUP_FINGERPRINT,
                              sql_state->fingerprint, strlen(sql_state->fingerprint))) {
            return TRUE;
        } else if (reparse_as_mysql(sql_state)) {
            /* MySQL-only comment syntax seen: tokenize again with MySQL rules */
            libinjection_sqli_fingerprint(sql_state, FLAG_QUOTE_NONE | FLAG_SQL_MYSQL);
            if (sql_state->lookup(sql_state, LOOKUP_FINGERPRINT,
                                  sql_state->fingerprint, strlen(sql_state->fingerprint))) {
                return TRUE;
            }
        }

        /* pass 2: only if the input contains a single quote, treat it as closing an open '...' literal */
        if (memchr(s, CHAR_SINGLE, slen)) {
            libinjection_sqli_fingerprint(sql_state, FLAG_QUOTE_SINGLE | FLAG_SQL_ANSI);
            if (sql_state->lookup(sql_state, LOOKUP_FINGERPRINT,
                                  sql_state->fingerprint, strlen(sql_state->fingerprint))) {
                return TRUE;
            } else if (reparse_as_mysql(sql_state)) {
                libinjection_sqli_fingerprint(sql_state, FLAG_QUOTE_SINGLE | FLAG_SQL_MYSQL);
                if (sql_state->lookup(sql_state, LOOKUP_FINGERPRINT,
                                      sql_state->fingerprint, strlen(sql_state->fingerprint))) {
                    return TRUE;
                }
            }
        }

        /* pass 3: only if the input contains a double quote (MySQL treats "..." as a string) */
        if (memchr(s, CHAR_DOUBLE, slen)) {
            libinjection_sqli_fingerprint(sql_state, FLAG_QUOTE_DOUBLE | FLAG_SQL_MYSQL);
            if (sql_state->lookup(sql_state, LOOKUP_FINGERPRINT,
                                  sql_state->fingerprint, strlen(sql_state->fingerprint))) {
                return TRUE;
            }
        }

        return FALSE;
    }

1. Check whether the length of the user-supplied string is valid; if it is zero, return FALSE (i.e. no SQL injection was found).

2. Run the SQL injection recognition function (libinjection_sqli_fingerprint, no quote context, standard SQL syntax) to obtain the string's recognition signature (fingerprint).

3. Run the lookup function stored in the structure (here libinjection_sqli_lookup_word, a binary search) to check whether the fingerprint obtained in step 2 matches a known SQL injection fingerprint.

4. If the match in step 3 succeeds, return TRUE; the matched SQL injection fingerprint is written to the structure.

5. If the detection fails, call reparse_as_mysql() to determine whether the input contains a "--[notwhite]" comment or a "#" operator symbol; if so, run the recognition function again (libinjection_sqli_fingerprint, no quote context, MySQL syntax).

6. Then run the structure's lookup function (libinjection_sqli_lookup_word, binary search) again for fingerprint matching. If it matches, return TRUE and write the matched fingerprint to the structure.

7. If none of the above returns a result, scan the parameter (the user-supplied string) for a single quotation mark. If one is present, repeat the detection steps above in single-quote context.

8. If there is still no result, check the parameter (the user-supplied string) for a double quotation mark. If one is present, run the SQL injection recognition function (libinjection_sqli_fingerprint, double-quote context, MySQL syntax) together with the structure's lookup function (libinjection_sqli_lookup_word, binary search) for fingerprint matching. If it matches, return TRUE and write the matched fingerprint to the structure.

9. If all three checks are inconclusive, the parameter (the user-supplied string) is treated as containing no SQL injection.

III. Case analysis of libinjection

The above gives a simple analysis of the libinjection program; below, a concrete example is used to understand the libinjection processing flow.

First of all, let's take a look at libinjection's definition of signature.

    typedef enum {
        TYPE_NONE           = 0,         /* no real meaning, only occupies a slot */
        TYPE_KEYWORD        = (int)'k',  /* e.g. COLUMN, DATABASES, DEC are recognized as this value */
        TYPE_UNION          = (int)'U',  /* EXCEPT, INTERSECT, UNION are recognized as this value */
        TYPE_GROUP          = (int)'B',  /* GROUP BY, LIMIT, HAVING */
        TYPE_EXPRESSION     = (int)'E',  /* INSERT, SELECT, SET */
        TYPE_SQLTYPE        = (int)'t',  /* SMALLINT, TEXT, TRY */
        TYPE_FUNCTION       = (int)'f',  /* UPPER, UTL_HTTP.REQUEST, UUID */
        TYPE_BAREWORD       = (int)'n',  /* WAITFOR, BY, CHECK */
        TYPE_NUMBER         = (int)'1',  /* every number is recognized as 1 */
        TYPE_VARIABLE       = (int)'v',  /* CURRENT_TIME, LOCALTIME, NULL */
        TYPE_STRING         = (int)'s',  /* single- and double-quoted strings */
        TYPE_OPERATOR       = (int)'o',  /* +=, -=, !, > and so on */
        TYPE_LOGIC_OPERATOR = (int)'&',  /* &&, AND, OR */
        TYPE_COMMENT        = (int)'c',  /* comments */
        TYPE_COLLATE        = (int)'A',  /* COLLATE */
        TYPE_LEFTPARENS     = (int)'(',
        TYPE_RIGHTPARENS    = (int)')',  /* not used? */
        TYPE_LEFTBRACE      = (int)'{',
        TYPE_RIGHTBRACE     = (int)'}',
        TYPE_DOT            = (int)'.',
        TYPE_COMMA          = (int)',',
        TYPE_COLON          = (int)':',
        TYPE_SEMICOLON      = (int)';',
        TYPE_TSQL           = (int)'T',  /* TSQL start: DECLARE, DELETE, DROP */
        TYPE_UNKNOWN        = (int)'?',
        TYPE_EVIL           = (int)'X',  /* unparsable, abort; e.g. the "/*!" comment form */
        TYPE_FINGERPRINT    = (int)'F',  /* not really a token */
        TYPE_BACKSLASH      = (int)'\\'
    } sqli_token_types;

Libinjection converts the input data according to the above definition to obtain the SQL injection identification feature, the fingerprint, then uses a binary search to match it against the feature library, and reports SQL injection when a match is found.

For example:

We enter a typical SQL injection probe:

' and 1=1

Libinjection converts it to s&1o1: by the definition above, the single quote becomes s, and becomes &, each number becomes 1, and the = operator becomes o.

'UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

Libinjection converts it to sUEvc: by the definition above, the single quote becomes s, UNION ALL becomes U, SELECT becomes E, NULL becomes v with the repeated NULLs merged into a single v, and the -- comment becomes c.

After this conversion, libinjection matches the result against more than 8000 built-in fingerprints using a binary search, and on a match copies the SQL injection recognition feature into the fingerprint variable and returns.

These two examples show the data conversion logic of libinjection. A number of special cases receive special treatment; space is limited here, so look at the code if you are interested.
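To make the detection flow of section II and the two fingerprints above concrete, here is an added, simplified re-implementation in Python (my own example, not libinjection's code): a tokenizer mapping input to the token letters of the enum, a folding pass, and a binary search over a constructed five-entry fingerprint list that stands in for the real library. The KEYWORDS table, the FINGERPRINTS list and the handling of only the as-is and single-quote passes (no MySQL reparse or double-quote pass) are assumptions modelled on the page.

```python
import bisect
import re
# Constructed subset of libinjection's keyword table, keyed to the token letters of the
# enum above (the real table has thousands of entries); two-word keywords fold to one token.
KEYWORDS = {"AND": "&", "OR": "&", "UNION": "U", "UNION ALL": "U", "EXCEPT": "U",
            "SELECT": "E", "INSERT": "E", "SET": "E", "NULL": "v", "LOCALTIME": "v",
            "GROUP BY": "B", "LIMIT": "B", "HAVING": "B"}
TOKEN_RE = re.compile(r"(?P<comment>--(?=\s|$)|#)|(?P<string>'[^']*'?)|(?P<number>\d+)"
                      r"|(?P<word>[A-Za-z_][\w.]*)|(?P<op><=|>=|<>|!=|[=+\-*/<>!])"
                      r"|(?P<punct>[(),.;:{}])|(?P<ws>\s+)|(?P<other>.)")
# Constructed stand-in for the sorted fingerprint library (the real one holds thousands).
FINGERPRINTS = sorted(["1&1o1", "1UEvc", "s&1o1", "s&sc", "sUEvc"])

def fingerprint(text, in_single_quote=False):
    # in_single_quote=True mimics FLAG_QUOTE_SINGLE: the text sits inside an open '...' literal
    s = ("'" if in_single_quote else "") + text
    toks, pos = [], 0
    while pos < len(s):
        m = TOKEN_RE.match(s, pos)
        pos, kind = m.end(), m.lastgroup
        if kind == "ws":
            continue
        if kind == "comment":          # a comment swallows the rest of the input
            toks.append("c")
            break
        if kind == "word":
            w = m.group().upper()
            nxt = re.match(r"\s+(ALL|BY)\b", s[pos:], re.IGNORECASE)
            if nxt and f"{w} {nxt.group(1).upper()}" in KEYWORDS:
                w, pos = f"{w} {nxt.group(1).upper()}", pos + nxt.end()
            toks.append(KEYWORDS.get(w, "n"))   # unknown words are barewords (n)
        else:   # punctuation keeps its own character, anything else is TYPE_UNKNOWN
            toks.append({"string": "s", "number": "1", "op": "o", "other": "?"}.get(kind, m.group()))
    out = []   # folding pass: NULL,NULL,NULL collapses to one v; at most 5 tokens are kept
    for i, t in enumerate(toks):
        if t == "," and 0 < i < len(toks) - 1 and toks[i - 1] == toks[i + 1]:
            continue
        if t == "v" and out and out[-1] == "v":
            continue
        out.append(t)
    return "".join(out[:5])

def is_sqli(text):
    # Same order as libinjection_is_sqli: as-is pass, then single-quote context only if a quote exists
    for ctx in ([False, True] if "'" in text else [False]):
        fp = fingerprint(text, ctx)
        i = bisect.bisect_left(FINGERPRINTS, fp)   # binary search, like lookup_word
        if i < len(FINGERPRINTS) and FINGERPRINTS[i] == fp:
            return fp
    return None
```

Note that in the as-is pass `' and 1=1` fingerprints as just s, because the unterminated quote swallows the rest of the input; only the single-quote-context pass yields s&1o1, which is why libinjection makes that second pass.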

IV. Summary

Compared with traditional regular-expression matching for recognizing SQL injection, the SQL injection semantic analysis library libinjection has the advantages of high speed, low false positives and low false negatives.

The high speed comes from the library's search algorithm, whose cost is negligible compared with the cost of regular-expression matching, as the flame graph clearly shows. Whether the feature library holds 800, 8000 or 80000 fingerprints makes little difference to processing speed, whereas with regular-expression rules the change in performance becomes noticeable once the rule count exceeds 1000.

Low false positives. In the past, when testing the OWASP rules with ModSecurity 2.0, the false positives were frankly dismal; writing the rules in more detail to reduce the false alarm rate inevitably drives the rule count up and costs performance. The strength of SQL injection semantic analysis is that, to satisfy a matching rule, generally at least three features must be present, such as s&1o1 or sUEvc, and each feature is either a special character or a reserved word of an SQL statement, so under normal circumstances such false positives rarely occur on user input.

This concludes the analysis of the SQL injection semantic analysis library Libinjection. I hope the above content is of some help to you.
