
The Implementation Of SQL Injection Attacks Scanning Analysis Tool And Research On Prevention Technology

Posted on: 2011-02-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y P Li
GTID: 2178360305460328
Subject: Computer Science and Technology

Abstract/Summary:
With the development of computer network technology, Web-based applications have become increasingly popular. Current research on network attack and defense focuses heavily on attacks against Web applications, and among these attacks SQL injection has become the focus. Through SQL injection, attackers can not only tamper with data on the server or load additional information, but also implant backdoors, which seriously affects the normal operation of a website or even destroys it, with serious consequences. SQL injection allows an attacker unrestricted access to the underlying database and, further, lets the attacker retrieve confidential information belonging to the corporation and its network users, causing economic losses and inconvenience to enterprises and users alike. Rigorous prevention against SQL injection attacks is therefore required, and the study of preventive techniques for SQL injection is of real practical significance.

Based on this security topic, this thesis carries out the following in-depth research. In view of the existing problems of SQL injection attacks and their harmful consequences, and of the current state of research at home and abroad on SQL injection attacks and their prevention and detection, we analyzed in depth the theory behind SQL injection tools and, combining the technical principles and characteristics of the various kinds of injection attack, designed and implemented a SQL injection scanning analysis tool. After researching and analyzing existing techniques against SQL injection, we also put forward an improved three-level prevention model.

The SQL injection scanning analysis system can rapidly scan the pages of a website and find SQL injection points, which helps people discover injection vulnerabilities in Web applications so as to better protect their security. Two new injection types, the character-included type and the digit-included type, have been added to the scanning analysis system so that the probability of a successful injection attack can be increased. Applying multi-threading to the judgment of SQL injection points accelerates the attack to a certain extent. Brute force or dictionary guessing can be used during the attack, which helps improve the efficiency of the injection attacks. Meanwhile, the proposed three-level prevention model can, to some degree, make up for the deficiencies of current preventive technologies.
Keywords/Search Tags: SQL Injection Attacks, Network Security, Prevention, Vulnerability Scanning