
Analysis And Design Of A Web-based SQL Injection Vulnerability Scanning System

Posted on: 2017-04-27 | Degree: Master | Type: Thesis
Country: China | Candidate: Y Wang
GTID: 2358330512960215 | Subject: Engineering
Abstract/Summary:
With the development of computer network technology, application systems based on databases and Web technology have become increasingly popular and are widely used in enterprise business systems. Web applications have inherent defects that make them vulnerable to attack. To counter increasingly serious security risks, experts are actively researching new preventive measures. Web security penetration testing is an effective preventive technique: it fully simulates the methods a hacker uses to probe a Web application system.

Attackers have a variety of means of attacking Web applications, and injection attacks are among the most common and most harmful; at least 70% of Web sites have SQL injection vulnerabilities. These vulnerabilities threaten not only the information in the database but also the system and its users. Intrusion detection and prevention work is therefore key to ensuring the security of the Web application system and of the information as a whole. Existing detection is based on SQL syntax analysis, a strategy with low detection efficiency, and current SQL injection vulnerability scanning systems generally do not scan comprehensively enough. To address these problems, this thesis does the following work.

1. This thesis focuses on defense and detection techniques for SQL injection vulnerabilities. Using a locally built experimental environment and a variety of penetration techniques, it carries out manual SQL injection experiments with the Pubs database as an example. On the basis of manual SQL injection, it introduces the principle of tool-based injection and summarizes the characteristics, similarities and differences of manual and tool-based injection.

2. Based on the methods of SQL injection attack, several specific improvement measures against SQL injection vulnerabilities are proposed, which provide a reference for the SQL injection vulnerability detection method. Experiments show that a Web application system using these defensive measures can identify the majority of SQL injection attacks and also recognizes the SQL injection points of the Web application system well.

3. Based on the theory of SQL injection attack and the defense experiments, a SQL injection vulnerability scanning system is designed. The system uses a tree model, uses regular-expression rules to improve the traditional method of URL extraction so that each extracted URL is an absolute path, and introduces multithreading. Experimental results show that the system can effectively detect SQL injection vulnerabilities in network sites.
Keywords/Search Tags: Web application, penetration testing, SQL injection, vulnerability scan