`
m635674608
  • 浏览: 5028118 次
  • 性别: Icon_minigender_1
  • 来自: 南京
社区版块
存档分类
最新评论

SQLChop、SQLWall(Druid)、PHP Syntax Parser Analysis

 
阅读更多

SQLChop、SQLWall(Druid)、PHP Syntax Parser Analysis

 

阅读目录

catalog

复制代码
1. introduction
2. sqlchop sourcecode analysis
3. SQLWall(Druid)
4. PHP Syntax Parser
5. SQL Parse and Compile: Parse and compose 
6. sql-parser
7. PEAR SQL_Parser
复制代码

 

1. introduction

SQLCHOP, This awesome new tool, sqlchop, is a new SQL injection detection engine, using a pipeline of smart recursive decoding, lexical analysis and semantic analysis. It can detect SQL injection query with extremely high accuracy and high recall with 0day SQLi detection ability, far better than nowadays' SQL injection detection tools, most of which based on regex rules. We proposed a novel algorithm to achieve both blazing fast speed and accurate detection ability using SQL syntax analysis.

0x1: Description

SQLChop is a novel SQL injection detection engine built on top of SQL tokenizing and syntax analysis. Web input (URLPath, body, cookie, etc.) will be first decoded to the raw payloads that web app accepts, then syntactical analysis will be performed on payload to classify result. The algorithm behind SQLChop is based on compiler knowledge and automata theory, and runs at a time complexity of O(N).

0x2: installation

复制代码
//If using python, you need to install protobuf-python, e.g.:
1. wget https://bootstrap.pypa.io/get-pip.py
2. python get-pip.py
3. sudo pip install protobuf

//If using c++, you need to install protobuf, protobuf-compiler and protobuf-devel, e.g.:
1. sudo yum install protobuf protobuf-compiler protobuf-devel

//make
1. Download latest release at https://github.com/chaitin/sqlchop/releases
2. Make
3. Run python2 test.py or LD_LIBRARY_PATH=./ ./sqlchop_test
复制代码

Relevant Link:

http://sqlchop.chaitin.com/demo
http://sqlchop.chaitin.com/
https://www.blackhat.com/us-15/arsenal.html#yusen-chen
https://pip.pypa.io/en/stable/installing.html

 

2. sqlchop sourcecode analysis

The SQLChop alpha testing release includes the c++ header and shared object, a python library, and also some sample usages.

0x1: c++ header

复制代码
/*
 * Copyright (C) 2015 Chaitin Tech.
 *
 * Licensed under:
 *   https://github.com/chaitin/sqlchop/blob/master/LICENSE
 *
 */

#ifndef __SQLCHOP_SQLCHOP_H__
#define __SQLCHOP_SQLCHOP_H__

#define SQLCHOP_API __attribute__((visibility("default")))

#ifdef __cplusplus
extern "C" {
#endif

struct sqlchop_object_t;

enum {
  SQLCHOP_RET_SQLI = 1,
  SQLCHOP_RET_NORMAL = 0,
  SQLCHOP_ERR_SERIALIZE = -1,
  SQLCHOP_ERR_LENGTH = -2,
};

SQLCHOP_API int sqlchop_init(const char config[],
                             struct sqlchop_object_t **obj);
SQLCHOP_API float sqlchop_score_sqli(const struct sqlchop_object_t *obj,
                                     const char buf[], size_t len);
SQLCHOP_API int sqlchop_classify_request(const struct sqlchop_object_t *obj,
                                         const char request[], size_t rlen,
                                         char *payloads, size_t maxplen,
                                         size_t *plen, int detail);

SQLCHOP_API int sqlchop_release(struct sqlchop_object_t *obj);

#ifdef __cplusplus
}
#endif

#endif // __SQLCHOP_SQLCHOP_H__
复制代码

Relevant Link:

https://github.com/chaitin/sqlchop/releases
https://github.com/chaitin/sqlchop

 

3. SQLWall(Druid)

0x1: Introduction

git clone https://github.com/alibaba/druid.git
cd druid && mvn install

Druid提供了WallFilter,它是基于SQL语义分析来实现防御SQL注入攻击的,通过将SQL语句解析为AST语法树,基于语法树规则进行恶意语义分析,得出SQL注入判断

0x2: Test Example

复制代码
/*
 * Copyright 1999-2101 Alibaba Group Holding Ltd.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.alibaba.druid.test.wall;

import java.io.File;
import java.io.FileInputStream;

import junit.framework.TestCase;

import com.alibaba.druid.util.Utils;
import com.alibaba.druid.wall.Violation;
import com.alibaba.druid.wall.WallCheckResult;
import com.alibaba.druid.wall.WallProvider;
import com.alibaba.druid.wall.spi.MySqlWallProvider;

public class MySqlResourceWallTest extends TestCase {

    private String[] items;

    protected void setUp() throws Exception {
//        File file = new File("/home/wenshao/error_sql");
        File file = new File("/home/wenshao/scan_result");
        FileInputStream is = new FileInputStream(file);
        String text = Utils.read(is);
        is.close();
        items = text.split("\\|\\n\\|");
    }

    public void test_false() throws Exception {
        WallProvider provider = new MySqlWallProvider();
        
        provider.getConfig().setConditionDoubleConstAllow(true);
        
        provider.getConfig().setUseAllow(true);
        provider.getConfig().setStrictSyntaxCheck(false);
        provider.getConfig().setMultiStatementAllow(true);
        provider.getConfig().setConditionAndAlwayTrueAllow(true);
        provider.getConfig().setNoneBaseStatementAllow(true);
        provider.getConfig().setSelectUnionCheck(false);
        provider.getConfig().setSchemaCheck(true);
        provider.getConfig().setLimitZeroAllow(true);
        provider.getConfig().setCommentAllow(true);

        for (int i = 0; i < items.length; ++i) {
            String sql = items[i];
            if (sql.indexOf("''=''") != -1) {
                continue;
            }
//            if (i <= 121) {
//                continue;
//            }
            WallCheckResult result = provider.check(sql);
            if (result.getViolations().size() > 0) {
                Violation violation = result.getViolations().get(0);
                System.out.println("error (" + i + ") : " + violation.getMessage());
                System.out.println(sql);
                break;
            }
        }
        System.out.println(provider.getViolationCount());
//        String sql = "SELECT name, '******' password, createTime from user where name like 'admin' AND (CASE WHEN (7885=7885) THEN 1 ELSE 0 END)";

//        Assert.assertFalse(provider.checkValid(sql));
    }

}
复制代码

Relevant Link:

https://raw.githubusercontent.com/alibaba/druid/master/src/test/java/com/alibaba/druid/test/wall/MySqlResourceWallTest.java
https://github.com/alibaba/druid/wiki/%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98
https://github.com/alibaba/druid/wiki/%E9%85%8D%E7%BD%AE-wallfilter
https://github.com/alibaba/druid
http://www.cnblogs.com/LittleHann/p/3495602.html
http://www.cnblogs.com/LittleHann/p/3514532.html

 

4. PHP Syntax Parser

复制代码
<?php 
    require_once('php-sql-parser.php');

    $sql = "select name, sum(credits) from students where name='Marcin' and lvID='42509';";
    echo $sql . "\n";
    $start = microtime(true);
    $parser = new PHPSQLParser($sql, true); 
    var_dump($parser->parsed);
    echo "parse time simplest query:" . (microtime(true) - $start) . "\n"; 
?>
复制代码

Relevant Link:

http://files.cnblogs.com/LittleHann/php-sql-parser-20131130.zip

 

5. SQL Parse and Compile: Parse and compose

This package can be used to parse and compose SQL queries programatically.
It can take an SQL query and parse it to extract the different parts of the query like the type of command, fields, tables, conditions, etc..
It can also be used to do the opposite, i.e. compose SQL queries from values that define each part of the query.

0x1: Features

复制代码
I. Parser
- insert
- replace
- update
- delete
- select
- union
- subselect
- recognizes flow control function (IF, CASE - WHEN - THEN)
- recognition of many sql functions

II. Composer (Compiler)
- insert
- replace
- update
- delete
- select
- union

III. Wrapper SQL
- object oriented writing of SQL statements from the scratch
复制代码

0x2: Example

复制代码
#################################################
$insertObject = new Sql();
$insertObject
->setCommand("insert")
->addTableNames("employees")
->addColumnNames(array("LastName","FirstName"))
->addValues(
array(
array("Value"=>"Davolio","Type"=>"text_val"),
array("Value"=>"Nancy","Type"=>"text_val"),
)
);
$sqlout = $insertObject->compile();
#################################################

result:
echo $sqlout;
#################################################
INSERT INTO employees (LastName, FirstName) VALUES ('Davolio', 'Nancy')
#################################################
复制代码

Relevant Link:

http://www.phpclasses.org/package/5007-PHP-Parse-and-compose-SQL-queries-programatically.html

 

6. sql-parser

A validating SQL lexer and parser with a focus on MySQL dialect

Relevant Link:

https://github.com/dmitry-php/sql-parser
https://github.com/udan11/sql-parser/wiki/Overview
https://github.com/udan11/sql-parser/wiki/Examples

 

7. PEAR SQL_Parser

Relevant Link:

https://pear.php.net/package/SQL_Parser/docs/latest/elementindex_SQL_Parser.html
https://pear.php.net/package/SQL_Parser/docs/latest/__filesource/fsource_SQL_Parser__SQL_Parser-0.6.0SQLParserDialectANSI.php.html
https://pear.php.net/package/SQL_Parser/docs/latest/SQL_Parser/SQL_Parser_Compiler.html
https://pear.php.net/package/SQL_Parser/docs/latest/__filesource/fsource_SQL_Parser__SQL_Parser-0.6.0SQLParserCompiler.php.html
https://pear.php.net/package/SQL_Parser/docs/latest/__filesource/fsource_SQL_Parser__SQL_Parser-0.6.0SQLParser.php.html 

 

Copyright (c) 2015 LittleHann All rights reserved

 

https://www.cnblogs.com/LittleHann/p/4788143.html

分享到:
评论

相关推荐

    基于Druid的SqlParser模块解析create table语句创建java POJO和DAO类的效率工具.zip

    本工具利用Druid的SqlParser模块,针对`CREATE TABLE`语句,能够自动化地生成对应的Java POJO(Plain Old Java Object)类和DAO(Data Access Object)类,极大地提高了开发效率。 首先,我们来了解Druid的Sql...

    sql-parser:druidSQL Parser简单举例

    在`Druid`中,SQL解析器`DruidSQL Parser`是一个强大的工具,可以将SQL语句转换为抽象语法树(AST),方便进行SQL分析和优化。下面我们将深入探讨`DruidSQL Parser`的使用和相关知识点。 首先,`DruidSQL Parser`是...

    Druid源码(apache-druid-0.22.1-src.tar.gz)

    2. **SQL解析与优化**:Druid内建了SQL解析器`com.alibaba.druid.sql.parser.Parser`,可以解析多种数据库的SQL语句,并生成执行计划。这有助于提高查询效率和兼容性。 3. **数据分片与并行处理**:Druid支持数据的...

    最新版druid 数据库连接池 druid-1.1.21.jar

    3. **智能感知并过滤SQL**:Druid可以通过SqlParser解析SQL语句,提供SQL黑名单功能,防止恶意或者错误的SQL被执行。 4. **扩展性强**:Druid支持多种数据源类型,并且可以通过Filter(过滤器)机制进行扩展,用户...

    common-basic-service:基于Druid的SqlParser模块解析create table语句创建java POJO和DAO类的效率工具

    共同基本服务 适用于Java开发人员的简单有效的效率工具 Java +引导程序+ jQuery 当前,常用的基本服务支持的功能如下: 将sql(创建表sql脚本)转换为java POJO类 将sql(创建表sql脚本)转换为paoding rose框架...

    druid-0.2.20

    druid-0.2.20.jar Druid首先是一个数据库连接池。Druid是目前最好的数据库连接池,在功能、性能、扩展性方面,都超过其他数据库连接池,包括DBCP、C3P0、BoneCP、Proxool、JBoss DataSource。...SQLParser

    druid-1.1.20.zip

    1. **SQL解析**:Druid内置了SQL解析器`com.alibaba.druid.sql.parser.Parser`,可以解析SQL语句并生成抽象语法树(AST),为SQL执行计划分析提供基础。 2. **SQL执行计划分析**:通过`...

    大数据druid集群析搭建

    大数据Druid集群实时分析搭建 Druid是大数据实时分析平台,能够处理大量数据的实时查询和分析。以下是大数据Druid集群实时分析搭建的详细步骤和知识点: 环境准备 * 3台ECS服务器,each with 4 cores, 8G memory,...

    Druid源码(druid-1.2.8.tar.gz)

    Druid是阿里巴巴开源的一个强大、灵活且高性能的Java数据库连接池组件。它提供了监控、SQL解析、执行性能统计等多种功能,广泛应用于各种Java企业级项目中。Druid-1.2.8版本源码的分析可以帮助我们深入理解其内部...

    参照阿里druid整理druid-spring-boot-starter的demo

    【阿里Druid简介】 Druid是阿里巴巴开源的一个数据库连接池组件,它不仅是一个优秀的数据库连接池,还包含SQL解析、监控、扩展性等多方面的功能。Druid在性能上表现优秀,提供了强大的监控和扩展机制,是许多Java...

    druid-1.1.10-API文档-中文版.zip

    赠送jar包:druid-1.1.10.jar; 赠送原API文档:druid-1.1.10-javadoc.jar; 赠送源代码:druid-1.1.10-sources.jar; 赠送Maven依赖信息文件:druid-1.1.10.pom; 包含翻译后的API文档:druid-1.1.10-javadoc-API...

    Druid监控分布式解决方案.docx

    Druid 监控分布式解决方案 Druid 是一个强大的数据库连接池,除了提供高性能的连接池和连接管理外,还内置了一个强大的监控工具:Druid Monitor。Druid Monitor 不仅可以监控数据源和慢查询,还可以监控 Web 应用...

    去除druid监控的阿里广告

    ### 如何去除Druid监控中的阿里广告 #### 一、问题背景 在使用Java集成阿里云的Druid数据源进行数据库连接池管理时,我们可能会遇到一个比较烦人的问题:Druid控制台页面下方默认会显示一条来自阿里的横幅广告。...

    使用Druid数据连接池连接PostgreSQL简单例子

    Druid是一个功能强大且性能优异的数据源连接池,而PostgreSQL则是一种流行的开源关系型数据库管理系统。本教程将详细介绍如何在Java项目中使用Druid数据连接池连接PostgreSQL数据库,以实现一个简单的测试环境。 ...

    Druid数据源操作指南

    它不仅仅是一个数据库连接池,还包含一个 ProxyDriver,一系列内置的 JDBC 组件库,一个 SQL Parser。Druid 能够提供强大的监控和扩展功能。 Druid 的特点: * 支持所有 JDBC 兼容的数据库,包括 Oracle、MySql、...

    druid-1.1.12jar

    Druid是阿里巴巴开源的一个强大、灵活且全面的Java数据库连接池组件。版本1.1.12是该组件的一个稳定发行版。在Java应用程序中,数据库连接池是性能优化的关键部分,因为它有效地管理数据库连接,避免了频繁创建和...

    Springboot中使用Druid+JPA

    在Spring Boot应用中,Druid和JPA是两种常见的数据库操作工具。Druid是一个功能强大的数据库连接池,而JPA(Java Persistence API)是Java平台上的一个标准,用于对象关系映射(ORM)。本篇文章将深入探讨如何在...

    druid-1.1.16-API文档-中文版.zip

    赠送jar包:druid-1.1.16.jar; 赠送原API文档:druid-1.1.16-javadoc.jar; 赠送源代码:druid-1.1.16-sources.jar; 赠送Maven依赖信息文件:druid-1.1.16.pom; 包含翻译后的API文档:druid-1.1.16-javadoc-API...

    Druid所需要引入的jar包

    Druid是阿里巴巴开源的一个强大、全面且高效的Java数据库连接池组件,它在数据库连接管理、监控、性能优化等方面具有显著优势。在Java web开发中,Druid常被用来替代传统的数据库连接池,如C3P0、DBCP等,以提供更...

Global site tag (gtag.js) - Google Analytics