SQL Injection Detection Examples
The following are several SQL injection detection methods and examples, covering different scenarios and techniques:
1. Basic detection method
basic_detection.php
    <?php
    // Returns true when the input matches any of a set of common SQL injection
    // keywords and patterns. Note that bare keywords such as "update" or "delete"
    // also occur in ordinary text, so this check alone produces false positives.
    function basicSQLiDetection($input) {
        $dangerousPatterns = [
            '/\b(union\s+select)\b/i',
            '/\b(insert|update|delete|drop|alter)\b/i',
            '/\b(exec|execute|xp_cmdshell)\b/i',
            '/\b(or\s+1\s*=\s*1)\b/i',
            '/;\s*(--|#)/',
            '/sleep\(\d+\)/i'
        ];
        foreach ($dangerousPatterns as $pattern) {
            if (preg_match($pattern, $input)) {
                return true;
            }
        }
        return false;
    }
The basic detection function matches common SQL injection keywords and patterns.
2. Encoded injection detection
encoding_detection.php
    <?php
    // Detects injection attempts hidden behind URL encoding or hexadecimal literals.
    function detectEncodedInjection($input) {
        $encodedPatterns = [
            '/%27|\x27/i',        // single quote
            '/%22|\x22/i',        // double quote
            '/%3B|\x3B/i',        // semicolon
            '/%2D%2D|\x2D\x2D/i', // --
            '/%25/i',             // percent sign (a sign of nested encoding)
            '/0x[0-9a-f]+/i'      // hexadecimal literal
        ];
        // Detect multiple (nested) encoding: decode twice and compare with the raw input.
        // The patterns are only applied when decoding actually changed something.
        $decoded = urldecode(urldecode($input));
        if ($decoded != $input) {
            foreach ($encodedPatterns as $pattern) {
                if (preg_match($pattern, $decoded)) {
                    return true;
                }
            }
        }
        return false;
    }
This function detects encoded SQL injection attempts, including multiply URL-encoded and hex-encoded input.
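The two functions above keep separate rule sets for plain and encoded input. The following added example (written for this page, not code from the original) folds them into one pipeline: it normalizes the input first, decoding URL encoding repeatedly until the string stops changing, folding HTML entities and stripping inline comments, and then applies a single rule set and reports which rule fired. The function names, rule names and sample inputs are this example's own, and the samples are constructed, with two benign values included to show what is not flagged.

```php
<?php
// Added example: normalize-then-match SQL injection detection.
// Decode URL encoding repeatedly until the string stops changing, with a
// bound so a pathological input cannot keep the loop running.
function normalizeInput(string $input, int $maxRounds = 5): string {
    $current = $input;
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = urldecode($current);
        if ($decoded === $current) {
            break;
        }
        $current = $decoded;
    }
    // Fold HTML entities (&#39; and friends), drop inline comments that are
    // used to split keywords, and collapse runs of whitespace.
    $current = html_entity_decode($current, ENT_QUOTES, 'UTF-8');
    $current = preg_replace('#/\*.*?\*/#s', ' ', $current);
    $current = preg_replace('/\s+/', ' ', $current);
    return $current;
}

// Returns the name of the first matching rule, or null if the input looks clean.
function classifyInput(string $input): ?string {
    $rules = [
        'union_select'  => '/\bunion\s+(all\s+)?select\b/i',
        'tautology'     => '/\b(or|and)\s+[\'"]?\w+[\'"]?\s*=\s*[\'"]?\w+[\'"]?/i',
        'comment_tail'  => '/(--|#|\/\*)\s*$/',
        'stacked_query' => '/;\s*(select|insert|update|delete|drop|exec)\b/i',
        'time_delay'    => '/\b(sleep|benchmark|pg_sleep)\s*\(/i',
    ];
    $normalized = normalizeInput($input);
    foreach ($rules as $name => $pattern) {
        if (preg_match($pattern, $normalized)) {
            return $name;
        }
    }
    return null;
}

// Constructed sample inputs: two benign values and three payload shapes.
$samples = [
    "O'Brien",                                 // apostrophe in a legitimate name
    "price > 100 and stock",                   // ordinary search text
    "%27%20OR%201%3D1%20--%20",                // URL-encoded ' OR 1=1 --
    "%2527%2520OR%25201%253D1",                // double-encoded variant
    "1 UNION/**/SELECT user,pass FROM users",  // keyword split by a comment
];
foreach ($samples as $sample) {
    $verdict = classifyInput($sample) ?? 'clean';
    printf("%-42s => %s\n", $sample, $verdict);
}
```

The two benign samples come back as clean, the two encoded payloads are reported as tautology after decoding, and the comment-split payload is reported as union_select once the comment has been stripped. Normalizing once and matching once also means a new evasion only has to be added to normalizeInput rather than to every rule.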
3. Time-based blind injection detection
time_based_detection.php
    <?php
    // Flags queries that call database delay functions, then measures the actual
    // execution time. db_query() is assumed to be the application's own database
    // helper; because this function executes the query, use it only against a
    // test database.
    function detectTimeBasedInjection($query) {
        $timePatterns = [
            '/benchmark\(\d+,\s*\w+\)/i',
            '/sleep\(\d+\)/i',
            '/waitfor\s+delay\s+\'\d+:\d+:\d+\'/i',
            '/pg_sleep\(\d+\)/i'
        ];
        foreach ($timePatterns as $pattern) {
            if (preg_match($pattern, $query)) {
                return true;
            }
        }
        // Detect an abnormal delay
        $start = microtime(true);
        $result = db_query($query);
        $duration = microtime(true) - $start;
        return $duration > 2.0; // more than 2 seconds is treated as suspicious
    }
The time-based detection function identifies malicious queries that would make the database delay its response.
4. Error-based injection detection
error_based_detection.php
    <?php
    // Flags inputs that use error-raising functions to leak data, then checks
    // whether executing the input produces a SQL syntax error. db_query() is
    // assumed to be the application's database helper and is expected to throw
    // on failure; because the input is executed, use this against a test database only.
    function detectErrorBasedInjection($input) {
        $errorPatterns = [
            '/convert\(int,\s*@@version\)/i',
            '/extractvalue\(\d+,\s*concat\(\'/i',
            '/updatexml\(\d+,\s*concat\(\'/i',
            '/exp\(\d+\)/i',
            '/geometrycollection\(\'/i'
        ];
        foreach ($errorPatterns as $pattern) {
            if (preg_match($pattern, $input)) {
                return true;
            }
        }
        // Detect an abnormal error message
        try {
            $result = db_query($input);
        } catch (Exception $e) {
            if (strpos($e->getMessage(), 'SQL syntax') !== false) {
                return true;
            }
        }
        return false;
    }
The error-based detection function identifies attack patterns that try to extract information through error messages.
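Sections 3 and 4 both detect by executing the suspect text. The following added example (written for this page, not code from the original) takes the defender's side of the same two signals: it times every real, parameterized query and logs the slow ones, and it converts database errors into a generic failure so no SQL error text ever reaches the client while the full message still lands in a security log. The class and method names are this example's own, the threshold value is an assumption, and it uses an in-memory SQLite database so it runs offline.

```php
<?php
// Added example: a monitored query executor with slow-query and error logging.
class MonitoredExecutor {
    private PDO $pdo;
    private float $slowThreshold;   // seconds
    private array $log = [];

    public function __construct(PDO $pdo, float $slowThreshold = 2.0) {
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->pdo = $pdo;
        $this->slowThreshold = $slowThreshold;
    }

    // Runs a parameterized query. Returns rows, or null on a database error.
    public function run(string $sql, array $params = []): ?array {
        $start = microtime(true);
        try {
            $stmt = $this->pdo->prepare($sql);
            $stmt->execute($params);
            $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
        } catch (PDOException $e) {
            // Keep the real error for the security log; the caller only sees null.
            $this->record('db_error', $sql, $params, microtime(true) - $start, $e->getMessage());
            return null;
        }
        $elapsed = microtime(true) - $start;
        if ($elapsed > $this->slowThreshold) {
            $this->record('slow_query', $sql, $params, $elapsed);
        }
        return $rows;
    }

    public function getLog(): array {
        return $this->log;
    }

    private function record(string $event, string $sql, array $params, float $elapsed, string $detail = ''): void {
        $this->log[] = [
            'event'   => $event,
            'sql'     => $sql,
            'params'  => json_encode($params),  // bound values, so the payload is visible in the log
            'elapsed' => round($elapsed, 3),
            'detail'  => $detail,
        ];
    }
}

// Constructed sample: an in-memory table and one user-supplied value.
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
$db = new MonitoredExecutor($pdo, 0.5);

// 1) Normal lookup: the value is bound, so the quote inside it is just data.
$rows = $db->run("SELECT id, name FROM users WHERE name = :name", [':name' => "alice' OR '1'='1"]);
echo "rows returned: " . count($rows ?? []) . "\n";

// 2) A query against a missing table raises a database error; the caller
//    gets null and the details stay in the log.
$rows = $db->run("SELECT * FROM no_such_table");
echo "error result is null: " . var_export($rows === null, true) . "\n";

foreach ($db->getLog() as $entry) {
    echo "[{$entry['event']}] {$entry['elapsed']}s {$entry['sql']} params={$entry['params']} {$entry['detail']}\n";
}
```

The first query returns zero rows because the bound value is compared literally. The second produces a db_error log entry carrying the SQLite message, while the caller sees only null. The slow_query branch fires when a query exceeds the threshold; it is not triggered by the tiny sample table, but the log entry has the same shape, with the bound parameters included so an analyst can see what value made the query slow.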
5. Second-order injection detection
second_order_detection.php
    <?php
    // Uses the detectors defined in the earlier files.
    require_once 'basic_detection.php';
    require_once 'encoding_detection.php';

    // Tracks values that were stored earlier and flags a query that reuses one of
    // them when that value itself looks like an injection payload.
    class SecondOrderInjectionDetector {
        private $storedInputs = [];
        public function storeInput($key, $value) {
            $this->storedInputs[$key] = $value;
        }
        public function checkSecondOrderInjection($query) {
            foreach ($this->storedInputs as $value) {
                if (strpos($query, $value) !== false) {
                    $dangerous = basicSQLiDetection($value) ||
                                 detectEncodedInjection($value);
                    if ($dangerous) {
                        return true;
                    }
                }
            }
            return false;
        }
    }
The second-order detection class monitors data that is stored and later reused, to catch SQL injection that triggers with a delay.
6. Automated test script
sql_injection_tester.php
    <?php
    class SQLInjectionTester {
        private $testCases = [
            // Basic injection
            "' OR 1=1 -- ",
            "\" OR \"a\"=\"a",
            "admin'--",
            // Union query
            "1 UNION SELECT username, password FROM users",
            // Blind injection
            "1 AND (SELECT COUNT(*) FROM users) > 0",
            // Time-based blind injection
            "1; SELECT BENCHMARK(5000000, ENCODE('test','slow')) --",
            // Encoded injection
            "%27%20OR%201%3D1",
            // Stored procedure
            "1; EXEC xp_cmdshell('dir') --"
        ];
        // Substitutes every test case into every parameter in turn and records the outcome.
        public function testApplication($url, $params) {
            $results = [];
            foreach ($this->testCases as $testCase) {
                foreach ($params as $param => $value) {
                    $testParams = $params;
                    $testParams[$param] = $testCase;
                    $response = $this->sendRequest($url, $testParams);
                    $results[] = [
                        'param' => $param,
                        'payload' => $testCase,
                        'status' => $this->analyzeResponse($response)
                    ];
                }
            }
            return $results;
        }
        private function sendRequest($url, $params) {
            // Send a GET request carrying the test parameters; a failed request yields an empty body.
            $fullUrl = $url . (strpos($url, '?') === false ? '?' : '&') . http_build_query($params);
            $context = stream_context_create(['http' => ['ignore_errors' => true, 'timeout' => 10]]);
            $body = @file_get_contents($fullUrl, false, $context);
            return $body === false ? '' : $body;
        }
        private function analyzeResponse($response) {
            // Database error text leaking into the page is the simplest sign that the
            // payload reached the query.
            $errorSignatures = ['SQL syntax', 'mysql_fetch', 'SQLSTATE', 'ORA-', 'PostgreSQL', 'ODBC'];
            foreach ($errorSignatures as $signature) {
                if (stripos($response, $signature) !== false) {
                    return 'possible_injection';
                }
            }
            return 'no_error_observed';
        }
    }
The automated test script contains several injection test cases and can be used to test a web application systematically.
7. Defensive coding example
secure_coding.php
    <?php
    class SecureDatabase {
        private $pdo;
        public function __construct() {
            $this->pdo = new PDO('mysql:host=localhost;dbname=test', 'user', 'pass', [
                PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                // Use real server-side prepared statements, not client-side emulation.
                PDO::ATTR_EMULATE_PREPARES => false
            ]);
        }
        // Safe query method: every value is bound, never interpolated into the SQL text.
        public function safeQuery($sql, $params = []) {
            $stmt = $this->pdo->prepare($sql);
            foreach ($params as $key => $value) {
                $type = is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR;
                $stmt->bindValue($key, $value, $type);
            }
            $stmt->execute();
            return $stmt->fetchAll(PDO::FETCH_ASSOC);
        }
        // Safe handling of a dynamic table name. Identifiers cannot be bound as
        // parameters, so the table name is checked against an allow-list and each
        // column name is restricted to a plain identifier before being interpolated.
        public function queryFromTable($table, $conditions = []) {
            $allowedTables = ['users', 'products', 'orders'];
            if (!in_array($table, $allowedTables, true)) {
                throw new Exception("Invalid table name");
            }
            $where = '';
            $params = [];
            foreach ($conditions as $column => $value) {
                if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $column)) {
                    throw new Exception("Invalid column name");
                }
                $where .= " AND `$column` = :$column";
                $params[":$column"] = $value;
            }
            $sql = "SELECT * FROM `$table` WHERE 1=1 $where";
            return $this->safeQuery($sql, $params);
        }
    }
The defensive coding example shows how prepared statements and safe query construction prevent SQL injection.
These examples cover SQL injection techniques from basic detection through to defensive coding; they can be integrated into an application as needed or used for security testing.
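To make the difference concrete, the following added example (written for this page, not code from the original) builds the same user lookup two ways against an in-memory SQLite database and runs both with a normal value and with the tautology payload from the test cases above. The unsafe variant exists only to be measured against the safe one; the function names and the sample table are this example's own, and the rows are constructed.

```php
<?php
// Added example: string-built query beside its parameterized form.
function setupDatabase(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)");
    $pdo->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user')");
    return $pdo;
}

// Vulnerable: the username becomes part of the SQL text, so quote characters
// and comment markers inside it change the query's structure.
function findUserUnsafe(PDO $pdo, string $username): array {
    $sql = "SELECT id, username, role FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the username travels as a bound parameter and is only ever compared as data.
function findUserSafe(PDO $pdo, string $username): array {
    $stmt = $pdo->prepare("SELECT id, username, role FROM users WHERE username = :username");
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = setupDatabase();
$inputs = [
    'alice',          // legitimate lookup
    "' OR 1=1 -- ",   // tautology payload from the test cases above
];
foreach ($inputs as $input) {
    $unsafe = findUserUnsafe($pdo, $input);
    $safe   = findUserSafe($pdo, $input);
    printf("input %-18s unsafe=%d row(s)  safe=%d row(s)\n",
        json_encode($input), count($unsafe), count($safe));
}
```

With 'alice' both functions return one row. With the payload the string-built query becomes `... WHERE username = '' OR 1=1 -- '` and returns every user, while the parameterized query looks for a user literally named `' OR 1=1 -- ` and returns nothing. This is the property the SecureDatabase class above relies on: values never reach the SQL parser, so the detection rules in the earlier sections become a second line of defence rather than the only one.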