Libinjection 语义分析通用绕过分析<\/h1>

1. 概述<\/h2>
Libinjection 是一个用于检测 SQL 注入攻击的开源库，它通过语义分析而非简单的模式匹配来识别恶意输入。本文详细分析了一种绕过 libinjection 检测的方法，并深入探讨了其工作原理。<\/p>

2. 测试环境搭建<\/h2>

2.1 示例代码<\/h3>

#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <strings.h><\/span>
<\/span><\/span><\/span>#include<\/span> <errno.h><\/span>
<\/span><\/span><\/span>#include<\/span> "libinjection.h"<\/span>
<\/span><\/span><\/span>#include<\/span> "libinjection_sqli.h"<\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, const<\/span> char<\/span>*<\/span> argv[]) {
<\/span><\/span>    struct<\/span> libinjection_sqli_state state;
<\/span><\/span>    int<\/span> issqli;
<\/span><\/span>    const<\/span> char<\/span>*<\/span> input =<\/span> argv[1<\/span>];
<\/span><\/span>    size_t slen =<\/span> strlen(input);
<\/span><\/span>    
<\/span><\/span>    libinjection_sqli_init(&<\/span>state, input, slen, FLAG_NONE);
<\/span><\/span>    issqli =<\/span> libinjection_is_sqli(&<\/span>state);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (issqli) {
<\/span><\/span>        fprintf(stderr, "sqli detected with fingerprint of '%s'<\/span>\n<\/span>"<\/span>, state.fingerprint);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> issqli;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 编译与测试<\/h3>
# 编译<\/span>
<\/span><\/span>gcc -o bin example1.c libinjection_sqli.c
<\/span><\/span>
<\/span><\/span># 测试1 - 被检测到的SQL注入<\/span>
<\/span><\/span>.\/bin "1' and 1=1"<\/span>
<\/span><\/span># 输出: sqli with fingerprint of 's&1'<\/span>
<\/span><\/span>
<\/span><\/span># 测试2 - 未被检测到的SQL注入<\/span>
<\/span><\/span>.\/bin "ad1n'-- %a%0aunion select 1,database(),user() -- "<\/span>
<\/span><\/span># 输出: not sqli<\/span>
<\/span><\/span><\/code><\/pre>3. Libinjection 工作原理<\/h2>
3.1 运行流程<\/h3>
Libinjection 内部分为六种解析模式：<\/p>

无符号 标准SQL 模式<\/li>
无符号 MySQL 模式<\/li>
单引号 标准SQL 模式<\/li>
单引号 MySQL 模式<\/li>
双引号 MySQL 模式<\/li>
双引号 标准模式<\/li>
<\/ol>
3.2 核心函数分析<\/h3>
libinjection_sqli_tokenize<\/code> 是转换内部字符的主要入口函数：<\/p>
int<\/span> libinjection_sqli_tokenize<\/span>(struct<\/span> libinjection_sqli_state*<\/span> sf) {
<\/span><\/span>    pt2Function fnptr;
<\/span><\/span>    size_t*<\/span> pos =<\/span> &<\/span>sf-><\/span>pos;
<\/span><\/span>    stoken_t*<\/span> current =<\/span> sf-><\/span>current;
<\/span><\/span>    const<\/span> char<\/span>*<\/span> s =<\/span> sf-><\/span>s;
<\/span><\/span>    const<\/span> size_t slen =<\/span> sf-><\/span>slen;
<\/span><\/span>    
<\/span><\/span>    if<\/span> (slen ==<\/span> 0<\/span>) {
<\/span><\/span>        return<\/span> FALSE;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 初始化
<\/span><\/span><\/span><\/span>    st_clear(current);
<\/span><\/span>    sf-><\/span>current =<\/span> current;
<\/span><\/span>    
<\/span><\/span>    if<\/span> (*<\/span>pos ==<\/span> 0<\/span> &&<\/span> (sf-><\/span>flags &<\/span> (FLAG_QUOTE_SINGLE |<\/span> FLAG_QUOTE_DOUBLE))) {
<\/span><\/span>        *<\/span>pos =<\/span> parse_string_core(s, slen, 0<\/span>, current, flag2delim(sf-><\/span>flags), 0<\/span>);
<\/span><\/span>        printf("单引号双引号进入"<\/span>);
<\/span><\/span>        sf-><\/span>stats_tokens +=<\/span> 1<\/span>;
<\/span><\/span>        return<\/span> TRUE;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    while<\/span> (*<\/span>pos <<\/span> slen) {
<\/span><\/span>        const<\/span> unsigned<\/span> char<\/span> ch =<\/span> (unsigned<\/span> char<\/span>)(s[*<\/span>pos]);
<\/span><\/span>        fnptr =<\/span> char_parse_map[ch];
<\/span><\/span>        *<\/span>pos =<\/span> (*<\/span>fnptr)(sf);
<\/span><\/span>        
<\/span><\/span>        if<\/span> (current-><\/span>type !=<\/span> CHAR_NULL) {
<\/span><\/span>            sf-><\/span>stats_tokens +=<\/span> 1<\/span>;
<\/span><\/span>            return<\/span> TRUE;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> FALSE;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 绕过原理分析<\/h2>
4.1 示例payload解析<\/h3>
"ad1n'-- %a%0aunion select 1,database(),user() -- "<\/code> 的解析过程：<\/p>

ad1n'<\/code> 首先进入无符号的标准SQL模式<\/li>
发现单引号后转到单引号的标准SQL模式<\/li>
获取 ad1n'<\/code> 后 break<\/li>
遇到 --<\/code> 进入 parse_dash<\/code> 函数<\/li>
<\/ol>
4.2 parse_dash 函数分析<\/h3>
static<\/span> size_t parse_dash<\/span>(struct<\/span> libinjection_sqli_state*<\/span> sf) {
<\/span><\/span>    const<\/span> char<\/span>*<\/span> cs =<\/span> sf-><\/span>s;
<\/span><\/span>    const<\/span> size_t slen =<\/span> sf-><\/span>slen;
<\/span><\/span>    size_t pos =<\/span> sf-><\/span>pos;
<\/span><\/span>    
<\/span><\/span>    if<\/span> (pos +<\/span> 2<\/span> <<\/span> slen &&<\/span> cs[pos +<\/span> 1<\/span>] ==<\/span> '-'<\/span> &&<\/span> char_is_white(cs[pos +<\/span> 2<\/span>])) {
<\/span><\/span>        return<\/span> parse_eol_comment(sf);
<\/span><\/span>    }
<\/span><\/span>    else<\/span> if<\/span> (pos +<\/span> 2<\/span> ==<\/span> slen &&<\/span> cs[pos +<\/span> 1<\/span>] ==<\/span> '-'<\/span>) {
<\/span><\/span>        return<\/span> parse_eol_comment(sf);
<\/span><\/span>    }
<\/span><\/span>    else<\/span> if<\/span> (pos +<\/span> 1<\/span> <<\/span> slen &&<\/span> cs[pos +<\/span> 1<\/span>] ==<\/span> '-'<\/span> &&<\/span> (sf-><\/span>flags &<\/span> FLAG_SQL_ANSI)) {
<\/span><\/span>        sf-><\/span>stats_comment_ddx +=<\/span> 1<\/span>;
<\/span><\/span>        return<\/span> parse_eol_comment(sf);
<\/span><\/span>    }
<\/span><\/span>    else<\/span> {
<\/span><\/span>        st_assign_char(sf-><\/span>current, TYPE_OPERATOR, pos, 1<\/span>, '-'<\/span>);
<\/span><\/span>        return<\/span> pos +<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.3 parse_eol_comment 函数分析<\/h3>
static<\/span> size_t parse_eol_comment<\/span>(struct<\/span> libinjection_sqli_state*<\/span> sf) {
<\/span><\/span>    const<\/span> char<\/span>*<\/span> cs =<\/span> sf-><\/span>s;
<\/span><\/span>    const<\/span> size_t slen =<\/span> sf-><\/span>slen;
<\/span><\/span>    size_t pos =<\/span> sf-><\/span>pos;
<\/span><\/span>    const<\/span> char<\/span>*<\/span> endpos =<\/span> (const<\/span> char<\/span>*<\/span>)memchr((const<\/span> void<\/span>*<\/span>)(cs +<\/span> pos), '\n'<\/span>, slen -<\/span> pos);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (endpos ==<\/span> NULL) {
<\/span><\/span>        st_assign(sf-><\/span>current, TYPE_COMMENT, pos, slen -<\/span> pos, cs +<\/span> pos);
<\/span><\/span>        return<\/span> slen;
<\/span><\/span>    }
<\/span><\/span>    else<\/span> {
<\/span><\/span>        st_assign(sf-><\/span>current, TYPE_COMMENT, pos, (size_t)(endpos -<\/span> cs) -<\/span> pos, cs +<\/span> pos);
<\/span><\/span>        return<\/span> (size_t)((endpos -<\/span> cs) +<\/span> 1<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.4 st_assign 函数分析<\/h3>
static<\/span> void<\/span> st_assign<\/span>(stoken_t*<\/span> st, const<\/span> char<\/span> stype, size_t pos, size_t len, const<\/span> char<\/span>*<\/span> value) {
<\/span><\/span>    const<\/span> size_t MSIZE =<\/span> LIBINJECTION_SQLI_TOKEN_SIZE;
<\/span><\/span>    size_t last =<\/span> len <<\/span> MSIZE ?<\/span> len : (MSIZE -<\/span> 1<\/span>);
<\/span><\/span>    
<\/span><\/span>    st-><\/span>type =<\/span> (char<\/span>)stype;
<\/span><\/span>    st-><\/span>pos =<\/span> pos;
<\/span><\/span>    st-><\/span>len =<\/span> last;
<\/span><\/span>    memcpy(st-><\/span>val, value, last);
<\/span><\/span>    st-><\/span>val[last] =<\/span> CHAR_NULL;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. 绕过关键点<\/h2>

admin'<\/code> 被转换为 S<\/code> 类型<\/li>
--<\/code> 注释后的内容被简单地标记为 TYPE_COMMENT<\/code> (C)<\/li>
最终得到的匹配规则为 SC<\/code>，这种组合不在 libinjection 的检测规则库中<\/li>
注释处理过于简单，没有深入分析注释后的SQL语句<\/li>
<\/ol>
6. 防御建议<\/h2>

改进注释处理逻辑，对注释后的内容进行更严格的分析<\/li>
更新指纹库，添加 SC<\/code> 这种组合的检测规则<\/li>
结合其他检测方法，如语法分析，提高检测准确性<\/li>
对URL编码的内容进行解码后再分析<\/li>
<\/ol>
7. 总结<\/h2>
这种绕过方法利用了 libinjection 对注释处理的不足，通过构造特定的注释格式来隐藏恶意SQL语句。理解这种绕过技术有助于改进SQL注入检测机制，提高Web应用的安全性。<\/p>

Libinjection 语义分析通用绕过分析<\/h1>

1. 概述<\/h2> Libinjection 是一个用于检测 SQL 注入攻击的开源库，它通过语义分析而非简单的模式匹配来识别恶意输入。本文详细分析了一种绕过 libinjection 检测的方法，并深入探讨了其工作原理。<\/p>

2. 测试环境搭建<\/h2>

3. Libinjection 工作原理<\/h2>

4. 绕过原理分析<\/h2>

7. 总结<\/h2> 这种绕过方法利用了 libinjection 对注释处理的不足，通过构造特定的注释格式来隐藏恶意SQL语句。理解这种绕过技术有助于改进SQL注入检测机制，提高Web应用的安全性。<\/p>

1. 概述<\/h2>
Libinjection 是一个用于检测 SQL 注入攻击的开源库，它通过语义分析而非简单的模式匹配来识别恶意输入。本文详细分析了一种绕过 libinjection 检测的方法，并深入探讨了其工作原理。<\/p>

7. 总结<\/h2>
这种绕过方法利用了 libinjection 对注释处理的不足，通过构造特定的注释格式来隐藏恶意SQL语句。理解这种绕过技术有助于改进SQL注入检测机制，提高Web应用的安全性。<\/p>