
Research on Precise Batch Detection Technology of SQL Injection Vulnerability (cited by: 1)
Abstract: Structured Query Language (SQL) injection is one of the most common and most destructive vulnerabilities. Because the methods for detecting it are limited and the probability of missed detections and false positives is high, a precise batch detection scheme for SQL injection vulnerabilities is proposed, which can quickly and effectively identify SQL injection vulnerabilities in the system under test. The scheme collects test data quickly and comprehensively through proxy tools, which effectively compensates for the instability of crawler tools in data collection. SQLMAP is integrated, and multithreaded concurrency is used to run the vulnerability detection batch tasks over the test data, which makes full use of system resources. Finally, the test results are analyzed to locate the injection points quickly and accurately. The proposed scheme is found to have the advantages of low implementation cost, high operating efficiency and precise detection results.
Authors: BIAN Li; XUE Nianming; ZHANG Mingyan; XIE Jilun; LIN Xiu (Shandong Luneng Software Technology Co., Ltd., Jinan 250014, China)
Source: Shandong Electric Power (《山东电力技术》), 2021, No. 7, pp. 13-18 (6 pages)
Funding: Shandong Luneng Software Technology Co., Ltd. science and technology project "Research and Development of Key Technologies for an Integrated Development and Testing Platform" (XM2020080).
Keywords: SQL injection; batch detection; proxy tool; multithreading concurrency; operating efficiency