Application Exception Monitoring
Database Exception Monitoring
During the probing stage of an SQL injection attack, and during the attack stage of error-based injection, a large number of exceptions are usually raised by the database. Monitoring these exceptions is therefore an effective way to detect SQL injection. SQL exceptions can be monitored for every database we currently support, and the set of exception codes to monitor can be configured in the plugin.
The SQL exceptions monitored by default are listed below; for the details, see the sql_exception detection algorithm in the official plugin.
MySQL

| Error code | Alert example |
| --- | --- |
| 1060 | Duplicate column name '5.5.60-0ubuntu0.14.04.1' |
| 1062 | Duplicate entry '::root@localhost::1' for key 'group_key' |
| 1064 | You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') from mysql.user' at line 1 |
| 1105 | XPATH syntax error: '~root@localhost~' |
| 1367 | Illegal non geometric 'user()' value found during parsing |
PostgreSQL

| Error code | Alert example |
| --- | --- |
| 42601 | normal syntax error |
| 22P02 | ERROR:  invalid input syntax for type double precision: "DATABASE: test1" |
SQLite

| Error code | Alert example |
| --- | --- |
| 1 | generic error, such as a syntax error, malformed MATCH expression: ["3.6.23.1], and others |
Oracle

| Error code | Alert example |
| --- | --- |
| ORA-01740 | missing double quote in identifier |
| ORA-01756 | quoted string not properly terminated |
| ORA-00907 | missing right parenthesis |
HSQL

| Error code | Alert example |
| --- | --- |
| -5583 | malformed quoted identifier |
| -5590 | unexpected end of statement |
SQLServer

| Error code | Alert example |
| --- | --- |
| 105 | Unclosed quotation mark after the character string '%.*ls'. |
| 245 | Conversion failed when converting the %ls value '%.*ls' to data type %ls. |
DB2

| Error code | Alert example |
| --- | --- |
| 42603 | The string constant beginning with "'xxx" does not have an ending string |
FAQ
1. The "Unable to derive error code from SQL exceptions" error
When the MySQL server and the JDBC driver are incompatible, we cannot extract the SQL error code from the exception message and print this error instead. For example, JDBC 5.1.46 + MySQL 5.5 triggers this problem; upgrading the JDBC driver to the version that matches the server resolves it.
While this error occurs, database exception monitoring is disabled.
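The check described on this page (match the database's error code against a configurable per-database list, fire an alert on a hit) and the FAQ failure mode (no derivable error code, so the check cannot fire) together, as an added JavaScript example. This is not the official OpenRASP plugin's code: the field names `server`, `error_code` and `error_msg`, the verdict object, and the fallback that reads an `ORA-NNNNN` code out of an Oracle message are assumptions made for illustration; the code lists are the ones in the tables above, and the sample exceptions are constructed.

```javascript
// Added example, not OpenRASP plugin code. Field names (server, error_code,
// error_msg) and the verdict shape {action, reason, code} are assumptions.

// Error codes treated as injection indicators, per database, as listed on this
// page. In a real deployment this is the part an operator would tune.
const SQL_EXCEPTION_CODES = {
  mysql:  new Set(['1060', '1062', '1064', '1105', '1367']),
  pgsql:  new Set(['42601', '22P02']),
  sqlite: new Set(['1']),
  oracle: new Set(['ORA-01740', 'ORA-01756', 'ORA-00907']),
  hsql:   new Set(['-5583', '-5590']),
  mssql:  new Set(['105', '245']),
  db2:    new Set(['42603']),
};

// Bring whatever the driver supplied into the form used by the tables above.
// For Oracle a numeric code is rewritten as ORA-NNNNN, and when no code was
// supplied at all the ORA-NNNNN prefix of the message is used as a fallback
// (an assumption for this example, not a documented OpenRASP behaviour).
function normalizeCode(server, code, message) {
  if (code !== undefined && code !== null && String(code).length > 0) {
    const s = String(code);
    if (server === 'oracle' && /^\d+$/.test(s)) {
      return 'ORA-' + s.padStart(5, '0');
    }
    return s;
  }
  if (server === 'oracle') {
    const m = /ORA-(\d{5})/.exec(message || '');
    if (m) return 'ORA-' + m[1];
  }
  return null;
}

// The sql_exception style check: 'log' when the code is on the list for this
// database, 'ignore' otherwise. A missing code cannot match anything, which is
// exactly why the FAQ's "Unable to derive error code" case blinds the monitor.
function checkSqlException(params) {
  const server = String(params.server || '').toLowerCase();
  const codes = SQL_EXCEPTION_CODES[server];
  if (!codes) {
    return { action: 'ignore', reason: 'unsupported database: ' + server, code: null };
  }
  const code = normalizeCode(server, params.error_code, params.error_msg);
  if (code === null) {
    return { action: 'ignore', reason: 'unable to derive error code from SQL exception', code: null };
  }
  if (codes.has(code)) {
    return { action: 'log', reason: server + ' error ' + code + ' is on the sql_exception list', code };
  }
  return { action: 'ignore', reason: 'error code ' + code + ' is not monitored', code };
}

// Constructed sample exceptions (not captured from a real system).
const SAMPLES = [
  // extractvalue()-style error-based injection probe: monitored code 1105
  { server: 'mysql', error_code: 1105, error_msg: "XPATH syntax error: '~root@localhost~'" },
  // ordinary application bug, not on the list: must stay quiet
  { server: 'mysql', error_code: 1146, error_msg: "Table 'test.nosuch' doesn't exist" },
  // driver gave no numeric code; the ORA- prefix in the message is used instead
  { server: 'oracle', error_code: undefined, error_msg: 'ORA-01756: quoted string not properly terminated' },
  // the FAQ situation: no code can be derived, so monitoring cannot fire
  { server: 'mysql', error_code: undefined, error_msg: 'Unable to derive error code from SQL exceptions' },
];

function runSamples() {
  return SAMPLES.map((s) => checkSqlException(s).action);
}

// Prints: [ 'log', 'ignore', 'log', 'ignore' ]
console.log(runSamples());
```

The second sample is the reason the list is kept narrow: only codes that an injection probe characteristically produces are monitored, so a routine "table doesn't exist" bug does not become an alert, while any code-less exception is silently skipped rather than guessed at.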