The Study And Realize Of A Kind Of Automatic SQL Injection Detecting And Utilizing System

Posted on: 2012-06-04
Degree: Master
Type: Thesis
Country: China
Candidate: Y B Fu
GTID: 2178330335451234
Subject: Computer Science and Technology
Abstract/Summary:
Computer network applications are now involved in all aspects of daily life, and the security of the databases connected to these applications has become an increasing concern. This paper researches SQL injection vulnerabilities and the defense of the back-end database, analyzes the causes and characteristics of the attack, illustrates the general steps and methods of SQL injection attacks, illustrates the methods of SQL injection defense, and implements a system for automatic SQL injection detection and utilization.

The system includes three modules: automatic SQL injection detection, SQL injection utilization, and manual SQL injection detection.

In the automatic SQL injection detection module, the user inputs a base URL, and the program obtains all the pages under the base URL from the source of the base Web page. The Web crawler has been customized and optimized so that it only crawls Web pages that are non-repeated and contain the key domain. The crawled URLs are then tested, and the user gets the pages that can be injected.

In the SQL injection utilization module, the user enters a vulnerable page address and obtains the result directly. This module uses not only the general method of SQL injection attacks but also SQL dictionary guessing and blind testing. It gets the database type, user name and database name by traditional SQL injection; the table names and column names by traditional SQL injection and dictionary guessing; and the contents of the database by traditional SQL injection and word-for-word blind guessing. Together these steps complete the work of getting the database information.

In the manual SQL injection detection module, the user can input a specific URL (injected or not) to get the source code of the page, and can then analyze the source code and make judgments themselves.

The system works well in Web attack testing; the Web crawler and the word-for-word attack improve the efficiency of SQL injection.
Keywords/Search Tags: SQL injection, Web crawler, Web attack, Get information from database