SQLiDetect: A WEB BASED INTRUSION DETECTION APPLICATION



SQLiDetect: A WEB BASED INTRUSION DETECTION APPLICATION FOR SQL INJECTIONS

Priyanka J. Hatwalne
B.E., Pune University, India, 2006

PROJECT

Submitted in partial satisfaction of the requirements for the degree of

MASTER OF SCIENCE

in

COMPUTER SCIENCE

at

CALIFORNIA STATE UNIVERSITY, SACRAMENTO

FALL 2011

SQLiDetect: A WEB BASED INTRUSION DETECTION APPLICATION FOR SQL INJECTIONS

A Project

by

Priyanka J. Hatwalne

Approved by:

__________________________________, Committee Chair
Scott Gordon, Ph.D.

__________________________________, Second Reader
Meiliu Lu, Ph.D.

__________________________ Date

Student: Priyanka J. Hatwalne

I certify that this student has met the requirements for format contained in the university format manual, and that this project is suitable for shelving in the Library and credit is to be awarded for the Project.

______________________________, Graduate Coordinator
Nikrouz Faroughi, Ph.D., Department of Computer Science

________________ Date

Abstract of SQLiDetect: A WEB BASED INTRUSION DETECTION APPLICATION FOR SQL INJECTIONS by Priyanka J. Hatwalne

The extracted text jumps from the abstract heading into the PHP source listing of the detector. The first fragment is the tail of the function that records a detected injection: it finishes updating the host's BLACK_LIST row, logs one ATTACK row per matched injection class, and prepares an e-mail notification to the registered administrators.

```php
<?php
// (the function header and the opening of the outer if are on earlier pages;
//  the page text resumes inside the update statement for the BLACK_LIST row)
            . ",reset_cnt=" . $config->RESET_COUNT . ",blk_count=" . $config->BLOCK_COUNT
            . " where id = $config->BLACK_LIST_ID";
        mysql_query($qry) or die(mysql_error());
    }

    // One detector flag per injection class; the key is the injection_name
    // stored in INJECTIONS (spelled exactly as in that table).
    $detected = array(
        'comment'              => ($c_attack == 1),
        'multi line comments'  => $comment,
        'and-or'               => $a_o_attack,
        'String concatination' => $concat_attack,
        'union'                => $u_attack,
        'multiple queries'     => $multi_query_attack,
        'ASCII'                => $ascii_attack,
    );
    foreach ($detected as $injection_name => $hit) {
        if (!$hit) {
            continue;
        }
        // Look up the class id, then record the offending input (escaped)
        // against this host's black-list entry.
        $qry = "select id from INJECTIONS where injection_name = '" . $injection_name . "'";
        $result = mysql_query($qry) or die(mysql_error());
        while ($row = mysql_fetch_array($result)) {
            $injection_id = $row['id'];
        }
        $qry = "insert into ATTACK (injection_id, black_list_id, attack_query) values ("
             . $injection_id . "," . $config->BLACK_LIST_ID . ",'"
             . mysql_real_escape_string($input) . "')";
        mysql_query($qry) or die(mysql_error());
    }

    // Build the notification mail to every registered user (sending is
    // commented out in the listing).
    $qry = "select * from users";
    $result = mysql_query($qry);
    $from = "From:[email protected]";
    $subject = "Injection detected";
    $body = "Hello Administrator,\n\t An SQL injection has been encountered at "
          . date("M-d-Y, h:i:s A") . ".\n The IP address of the host is "
          . $_SERVER["REMOTE_ADDR"] . ". For details about the attack click here.";
    $to = "";
    while ($row = mysql_fetch_array($result)) {
        if ($to) {
            $to = $to . "," . $row["email"];
        } else {
            $to = $row["email"];
        }
    }
    //mail($to, $subject, $body, $from);
    //echo $to." ".$body;
    return 0;
} else if ($config->BLACK_LISTED == 'y') {
    // Host is already black-listed: refresh its BLACK_LIST row.
    $qry = "update BLACK_LIST set last_attack_time=now(),block_status=" . $config->BLOCK_STATUS
         . ",reset_cnt=" . $config->RESET_COUNT . ",blk_count=" . $config->BLOCK_COUNT
         . " where id = $config->BLACK_LIST_ID";
    mysql_query($qry) or die(mysql_error());   // the listing builds $qry here but never runs it
    return 1;
} else {
    return 1;
}
} else {
    return 0;
}
}
```

The listing continues with check_multiple_query(), which looks for a closing quote followed by a statement separator and a second statement. Its pattern string is cut off in the extracted text after `drop[a-zA-Z0-9_(\\s)]*[table|`, and what follows (`")))) return 1; else return 0; }`) belongs to a different function.

```php
function check_multiple_query($filter_qry)
{
    //$filter_qry = "select abBc from xy.x";
    //echo $filter_qry;
    // Quote, optional whitespace, ';', then a select / insert / drop statement.
    $pattern = "/(\\s*)'(\\s*);(\\s*)[select[a-zA-Z0-9_.,(\*)(\()(\))(\\s)]+from[a-zA-Z0-9_.,(\()(\))(\\s)]+|insert[a-zA-Z09_(\\s)]*into[a-zA-Z0-9_.,(\()(\))(\\s)]+[VALUES|VALUE|select|set]|drop[a-zA-Z0-9_(\\s)]*[table|
```

The last fragment is the else branch of the tautology check: a closing quote followed by OR and either a numeric comparison (flagged only when both sides of the `=` are identical, as in `' or 1=1`) or a bare numeric or quoted literal.

```php
        // ...")))) return 1; else return 0; } else {
        $patern = "/'(\\s*)(or|OR|Or|oR)(\\s+)[0-9]+(\\s*)(=|)(\\s*)[0-9]+/";
        if (preg_match($patern, $qry, $match)) {
            $parts = explode($match[2], $match[0]);   // split on the matched OR keyword
            $parts[1] = str_replace(' ', '', $parts[1]);
            if (strstr($parts[1], "=")) {
                $cmp_str = explode("=", $parts[1]);
                if ($cmp_str[0] == $cmp_str[1]) {      // e.g. 1=1
                    return 1;
                }
            } else {
                $cmp_str = explode("", $parts[1]);    // empty delimiter: explode() fails here
                if ($cmp_str[0] != $cmp_str[1]) {
                    return 1;
                }
            }
            print_r($parts);   // debug output left in the listing
        } else {
            // Bare numeric or quoted literal after OR, e.g. ' or 1
            $patern = "/'(\\s*)(or|Or|oR|OR)(\\s+)([0-9]+|'[\.]+')/";
            if (preg_match($patern, $qry, $match)) {
                return 1;
            }
            return 0;
        }
        return 0;
    }
}
?>
```
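To make the tautology check runnable, here is a Python port added for this edit; it is not code from the SQLiDetect project. Both regular expressions are copied from the listing; the function names `is_or_tautology` and `scan_form` and the sample form values are constructed here, and the PHP branch that calls `explode("")` is replaced by a plain split on `=`.

```python
import re

# Added example, not code from the SQLiDetect project: a Python port of the
# OR-tautology check in the PHP fragment above. Both regular expressions are
# copied from the page; the numeric comparison replaces the PHP branch that
# calls explode("") with a plain split on "=".
TAUTOLOGY_EQ = re.compile(r"'(\s*)(or|OR|Or|oR)(\s+)[0-9]+(\s*)(=|)(\s*)[0-9]+")
TAUTOLOGY_BARE = re.compile(r"'(\s*)(or|Or|oR|OR)(\s+)([0-9]+|'[\.]+')")


def is_or_tautology(value: str) -> bool:
    """True when the input closes a string literal and appends an OR clause
    that is always true, e.g. "' or 1=1"; False for "' or 2=3" and for
    ordinary text such as "10 or 11" that never breaks out of the literal."""
    m = TAUTOLOGY_EQ.search(value)
    if m:
        # Text after the matched OR keyword, all whitespace removed: "1=1", "2=3", "11"
        tail = "".join(m.group(0).split(m.group(2), 1)[1].split())
        if "=" in tail:
            left, right = tail.split("=", 1)
            return left == right            # "1=1" -> True, "2=3" -> False
        # Two digit runs with no "=" (e.g. "' or 11"): a bare numeric literal
        # after OR, treated the same way as the second pattern below.
        return True
    return TAUTOLOGY_BARE.search(value) is not None


def scan_form(fields: dict) -> list:
    """Names of the submitted form fields whose value trips the check."""
    return [name for name, value in fields.items() if is_or_tautology(value)]


if __name__ == "__main__":
    # Constructed sample submission (not from the page): two benign values,
    # one classic tautology, one quote-break whose comparison is not always true.
    sample = {
        "username": "alice",
        "comment": "see you at 10 or 11",
        "password": "' or 1=1",
        "search": "x' OR 2=3",
    }
    print(scan_form(sample))  # ['password']
```

The port flags exactly what the listing's two patterns flag: a quote followed by OR and either an `N=N` comparison with identical sides or a bare literal.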

[Screenshots of the SQLiDetect/SQLiBan web interface; only the form labels survive extraction]
- Tracking model (AtackList.php), attack list: IP Address, Last Attack Time, Block Count, Reset Count, Block Status
- Installation model (Index.php), Install SQLiBan, in three steps: Configuration; Create New Administrator (First Name, Last Name, Email, User Name, Password, Retype Password; saved by Register_save.php); Configure Settings ("Temporary Block a user after ...")
- Menu on each page: Uninstall | Attack list | Add users | Change configuration settings | Log out
