Research on Data Security Evaluation Technology Based on SQL Injection
Published: 2018-10-12 08:37
[Abstract]: With the rapid development of B/S (browser/server) application technology and the widespread use of databases on the Web, SQL injection has become one of the methods hackers most commonly use to attack databases. Because the skill level of B/S developers varies widely, a considerable number of programmers do not fully consider validating user-supplied input when developing applications, which leaves those applications with serious security weaknesses. Data security problems arising from SQL injection vulnerabilities are therefore an important research topic. First, the thesis analyzes the current state of SQL injection research in China and abroad and the trends in its technical development. It explains the principles of SQL injection, briefly summarizes and analyzes its key techniques and basic principles, analyzes the common SQL injection attack methods one by one, and examines SQL injection scanning and injection detection techniques. Second, the thesis describes in detail the working mechanism and technical characteristics of web crawlers, analyzes the several forms in which the URLs a crawler needs to extract can appear, and on that basis analyzes and studies several techniques: DOM tree generation, page-control event binding, dictionary guessing, passive analysis, and the use of search engines. The thesis then analyzes in detail SQL injection against Oracle databases, covering background knowledge of Oracle SQL injection, query statements, execution of system commands, and reading and writing files. Finally, the thesis studies defenses against SQL injection, proposes several defense methods, and explains the situations to which each is suited. The project builds a data security system based on SQL injection; the thesis presents the division of the system into functional modules with running examples of those modules, and testing against real websites provides a preliminary validation of the system's effectiveness.
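[Degree-granting institution]: Shenyang University of Technology
[Degree level]: Master's
[Year degree conferred]: 2012
[Classification number]: TP309
Article ID: 2265486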
Article link: https://www.wllwen.com/kejilunwen/sousuoyinqinglunwen/2265486.html