CN105491000B - Method and system for preventing arbitrary file upload using webpage check codes - Google Patents

Method and system for preventing arbitrary file upload using webpage check codes

Info

Publication number
CN105491000B
Authority
CN
China
Prior art keywords
uploaded
file
check code
webpage
website
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410845383.2A
Other languages
Chinese (zh)
Other versions
CN105491000A (en)
Inventor
王聪
李柏松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Antiy Technology Group Co Ltd
Original Assignee
Harbin Antiy Technology Co Ltd

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method and system for preventing arbitrary file upload using webpage check codes, comprising: parsing a website that has upload functionality; numbering the pages that have upload functionality; using each number as a check code and hiding it in the page code; and, when a file is uploaded, using the website's verification function to judge whether the file to be uploaded complies with the upload rules and acting accordingly. The invention addresses a shortcoming of current website defenses against upload vulnerabilities, most of which validate the file extension: an attacker can get around such restrictions in various ways, for example by modifying the checked extension or by exploiting parsing vulnerabilities. The invention can effectively judge the legitimacy of a file to be uploaded, prevents arbitrary file upload to a website, and maintains network information security.

Description

Method and system for preventing arbitrary file upload using webpage check codes
Technical field
The present invention relates to the field of computer network security, and in particular to a method and system for preventing arbitrary file upload using webpage check codes.
Background art
Upload vulnerabilities have always been very common. They were exploited most heavily by attackers in the DVBBS 6.0 era. An upload vulnerability can be used to obtain a Webshell directly, so its severity is very high. The cause of the vulnerability is that the code author did not check the data submitted by visitors, or filtered it too loosely. At present, most website defenses against upload vulnerabilities validate the file extension, but an attacker can get around the restriction in various ways, for example by modifying the checked extension or by exploiting parsing vulnerabilities. Some CMS systems used to build websites, and some third-party applications, also have upload vulnerabilities of their own; widely used examples include Ewebeditor and Fckeditor. An attacker captures packets during an upload to the website, obtains the address of the page that receives the submitted data, and then submits to it with a tool. If the vulnerability exists, the attacker can obtain a Webshell, use it to probe system information, escalate privileges, and open port 3389 or connect through a reverse shell, which threatens the server and even the security of the internal network.
Summary of the invention
In general, files uploaded to a webpage are in formats the website can parse, such as asp, jsp, php and txt, and the files attackers upload when attacking a website's upload pages, Webshells included, are mostly in these formats too. Based on this characteristic and the shortcomings of the prior art described above, the invention proposes a method and system for preventing malicious file upload using webpage check codes: a website with upload functionality is parsed, its pages with upload functionality are numbered, each number is used as a check code and hidden in the page code, and when a file is uploaded, the website's verification function judges whether the file to be uploaded complies with the upload rules and acts accordingly.
Specifically, the invention includes:
A method for preventing malicious file upload using webpage check codes, characterized by comprising:
parsing the website to obtain the website hierarchy, and representing the website as an unlimited-level tree list;
numbering the webpages that have upload functionality according to their positions in the unlimited-level tree list, using each number as the check code of its webpage, and hiding it in the webpage source code;
when a file is uploaded, writing the check code of the target webpage into the code of the file to be uploaded;
the website receiving the file to be uploaded and verifying it, and, if verification succeeds, uploading the file to the webpage corresponding to its check code;
if verification fails, not performing the upload and notifying the uploader;
wherein the website receiving the file to be uploaded and verifying it, uploading the file to the webpage corresponding to its check code if verification succeeds, and not performing the upload and notifying the uploader if verification fails, specifically comprises:
the website judging whether a check code was submitted with the file to be uploaded, and if not, not performing the upload and notifying the uploader;
if so, judging whether the check code matches an existing webpage check code, and if it does not match, not performing the upload and notifying the uploader;
if it matches, judging whether the check code is repeated, and if so, prompting the uploader to upload the file to be uploaded in separate batches;
if it is not repeated, uploading the file to the webpage corresponding to its check code.
Further, the website receiving the file to be uploaded and verifying it is specifically: the website judges whether a check code was submitted with the file to be uploaded, and if not, does not perform the upload and notifies the uploader;
if so, it judges whether the check code matches an existing webpage check code, and if it does not match, does not perform the upload and notifies the uploader;
if it matches, it judges whether the check code is repeated, and if so, prompts the uploader to upload the file to be uploaded in separate batches;
if it is not repeated, it uploads the file to the webpage corresponding to its check code.
Further, when the website judges whether a check code was submitted with the file to be uploaded, the file to be uploaded submits the check code to the website by passing it as a parameter of its code.
Further, after the file to be uploaded is uploaded to the webpage corresponding to its check code, the method also includes parsing the updated webpage and placing it at the corresponding position in the unlimited-level tree list.
A system for preventing malicious file upload using webpage check codes, characterized by comprising:
a website parsing module, configured to parse the website, obtain the website hierarchy, and represent the website as an unlimited-level tree list;
a check code generation module, configured to number the webpages that have upload functionality according to their positions in the unlimited-level tree list, use each number as the check code of its webpage, and hide it in the webpage source code;
a check code writing module, configured to write the check code of the target webpage into the code of the file to be uploaded when a file is uploaded;
a website verification module, configured for the website to receive the file to be uploaded and verify it, and, if verification succeeds, upload the file to the webpage corresponding to its check code; if verification fails, not perform the upload and notify the uploader;
the website verification module being specifically configured to:
judge whether a check code was submitted with the file to be uploaded, and if not, not perform the upload and notify the uploader;
if so, judge whether the check code matches an existing webpage check code, and if it does not match, not perform the upload and notify the uploader;
if it matches, judge whether the check code is repeated, and if so, prompt the uploader to upload the file to be uploaded in separate batches;
if it is not repeated, upload the file to the webpage corresponding to its check code.
Further, in the website verification module, the website receiving the file to be uploaded and verifying it is specifically: the website judges whether a check code was submitted with the file to be uploaded, and if not, does not perform the upload and notifies the uploader;
if so, it judges whether the check code matches an existing webpage check code, and if it does not match, does not perform the upload and notifies the uploader;
if it matches, it judges whether the check code is repeated, and if so, prompts the uploader to upload the file to be uploaded in separate batches;
if it is not repeated, it uploads the file to the webpage corresponding to its check code.
Further, when the website judges whether a check code was submitted with the file to be uploaded, the file to be uploaded submits the check code to the website by passing it as a parameter of its code.
Further, after the file to be uploaded is uploaded to the webpage corresponding to its check code, the system also parses the updated webpage and places it at the corresponding position in the unlimited-level tree list.
The beneficial effects of the present invention are:
Most current website defenses against upload vulnerabilities validate the file extension, but an attacker can get around the restriction in various ways, for example by modifying the checked extension or by exploiting parsing vulnerabilities. To address this defect, the invention proposes a method and system for preventing arbitrary file upload using webpage check codes: a website with upload functionality is parsed, its pages with upload functionality are numbered, each number is used as a check code and hidden in the page code, and when a file is uploaded, the website's verification function judges whether the file to be uploaded complies with the upload rules and acts accordingly. The invention can effectively judge the legitimacy of a file to be uploaded, prevents arbitrary file upload to a website, and maintains network information security.
Brief description of the drawings
To explain the technical solutions of the present invention or of the prior art more clearly, the drawings needed to describe the embodiments or the prior art are briefly introduced below. The drawings described below are evidently only some of the embodiments recorded in the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of the website parsing method of the present invention for preventing arbitrary file upload using webpage check codes;
Fig. 2 is a flow chart of the method of the present invention for checking the file to be uploaded when preventing arbitrary file upload using webpage check codes;
Fig. 3 is a flow chart of the website verification method of the present invention for preventing arbitrary file upload using webpage check codes;
Fig. 4 is a structural diagram of the system of the present invention for preventing arbitrary file upload using webpage check codes.
Detailed description of the embodiments
To help those skilled in the art better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the present invention clearer and easier to understand, the technical solutions of the present invention are described in further detail below with reference to the drawings.
The present invention provides a method embodiment for preventing arbitrary file upload using webpage check codes, consisting of two parts: website parsing and checking of the file to be uploaded. The website parsing method flow chart is shown in Fig. 1 and comprises:
S101: parse the website, obtain the website hierarchy, and represent the website as an unlimited-level tree list;
S102: number the webpages that have upload functionality according to their positions in the unlimited-level tree list, use each number as the check code of its webpage, and hide it in the webpage source code. For example: according to the positions of the webpages in the unlimited-level tree list, the webpages with upload functionality in the first layer are numbered A101, A102, A103 and so on, the webpages with upload functionality in the second layer are numbered B201, B202, B203 and so on, and so forth; these numbers are used as the check codes of the corresponding webpages and hidden in the source code;
The flow chart of the method for checking the file to be uploaded is shown in Fig. 2 and comprises:
S201: when a file is uploaded, write the check code of the target webpage into the code of the file to be uploaded. For example: to upload file X to the webpage numbered A103, the number A103 is written into the code of file X. The file to be uploaded is usually a file the website can parse, such as asp, jsp, php or txt;
S202: the website receives the file to be uploaded and verifies it;
S203: judge whether verification succeeded; if so, go to step S204; otherwise go to step S205;
S204: upload the file to the webpage corresponding to its check code, and end;
S205: do not perform the upload, and notify the uploader.
Preferably, the website receives the file to be uploaded and verifies it; the specific website verification method flow chart is shown in Fig. 3 and comprises:
S301: the website receives the file to be uploaded;
S302: the website judges whether a check code was submitted with the file to be uploaded; if so, go to step S303; otherwise go to step S304;
S303: judge whether the check code matches an existing webpage check code; if so, go to step S305; otherwise go to step S304;
S304: do not perform the upload, notify the uploader, and end;
S305: judge whether the check code is repeated; if so, go to step S306; otherwise go to step S307;
S306: prompt the uploader to upload the file to be uploaded in separate batches, and end;
S307: upload the file to the webpage corresponding to its check code.
Preferably, when the website judges whether a check code was submitted with the file to be uploaded, the file to be uploaded submits the check code to the website by passing it as a parameter of its code.
Preferably, uploading the file to the webpage also includes parsing the updated webpage and placing it at the corresponding position in the unlimited-level tree list.
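The numbering of S102 and the checks of S301 to S307, as an added Python example that is not code from the patent. The sample site tree, the `check_code` field name, the hidden form field, and the reading of "repeated" as the same code arriving more than once in one batch are assumptions.

```python
import html
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample hierarchy: top-level pages are layer 1, their children layer 2.
SITE = [
    {"path": "/avatar", "upload": True, "children": [
        {"path": "/avatar/crop", "upload": True, "children": []},
    ]},
    {"path": "/news", "upload": False, "children": [
        {"path": "/news/attach", "upload": True, "children": []},
    ]},
    {"path": "/docs", "upload": True, "children": []},
]


def assign_check_codes(top_level_pages):
    """S101-S102: walk the tree layer by layer and number the upload pages.

    Follows the A101, A102, ... / B201, B202, ... pattern from the description:
    layer letter, layer digit, two-digit sequence within the layer.
    """
    registry = {}
    layer, depth = list(top_level_pages), 1
    while layer:
        upload_pages = [p for p in layer if p["upload"]]
        if upload_pages and (depth > 9 or len(upload_pages) > 99):
            # Assumption: the description gives no numbering beyond this range.
            raise ValueError("layer %d does not fit the letter-digit-NN pattern" % depth)
        letter = chr(ord("A") + depth - 1)
        for seq, page in enumerate(upload_pages, start=1):
            registry["%s%d%02d" % (letter, depth, seq)] = page["path"]
        layer = [child for p in layer for child in p["children"]]
        depth += 1
    return registry


def hidden_field(code):
    """S102: one way to hide the code in page source (field name is an assumption)."""
    return '<input type="hidden" name="check_code" value="%s">' % html.escape(code, quote=True)


@dataclass
class Upload:
    filename: str
    check_code: Optional[str]  # submitted parameter value, None when absent


def verify_uploads(batch, registry):
    """S301-S307: return one (filename, decision) pair per received file."""
    seen = Counter(u.check_code for u in batch if u.check_code in registry)
    decisions = []
    for u in batch:
        if not u.check_code:                     # S302 -> S304
            decisions.append((u.filename, "rejected: no check code"))
        elif u.check_code not in registry:       # S303 -> S304
            decisions.append((u.filename, "rejected: unknown check code"))
        elif seen[u.check_code] > 1:             # S305 -> S306
            decisions.append((u.filename, "resubmit separately"))
        else:                                    # S307
            decisions.append((u.filename, "stored under " + registry[u.check_code]))
    return decisions


if __name__ == "__main__":
    codes = assign_check_codes(SITE)
    print(codes)
    print(hidden_field("A101"))
    batch = [Upload("photo.txt", "A101"), Upload("page.php", None),
             Upload("form.jsp", "Z999"), Upload("a.txt", "B202"), Upload("b.txt", "B202")]
    for name, decision in verify_uploads(batch, codes):
        print(name, "->", decision)
```

A code placed in page source can be read by any visitor to that page, so this check ties an upload to a known upload page and says nothing about the file's content. Content validation and non-executable storage of uploads remain necessary alongside it.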
The present invention also provides a system embodiment for preventing malicious file upload using webpage check codes, as shown in Fig. 4, comprising:
a website parsing module 401, configured to parse the website, obtain the website hierarchy, and represent the website as an unlimited-level tree list;
a check code generation module 402, configured to number the webpages that have upload functionality according to their positions in the unlimited-level tree list, use each number as the check code of its webpage, and hide it in the webpage source code;
a check code writing module 403, configured to write the check code of the target webpage into the code of the file to be uploaded when a file is uploaded;
a website verification module 404, configured for the website to receive the file to be uploaded and verify it, and, if verification succeeds, upload the file to the webpage corresponding to its check code; if verification fails, not perform the upload and notify the uploader.
Preferably, in the website verification module, the website receiving the file to be uploaded and verifying it is specifically: the website judges whether a check code was submitted with the file to be uploaded, and if not, does not perform the upload and notifies the uploader;
if so, it judges whether the check code matches an existing webpage check code, and if it does not match, does not perform the upload and notifies the uploader;
if it matches, it judges whether the check code is repeated, and if so, prompts the uploader to upload the file to be uploaded in separate batches;
if it is not repeated, it uploads the file to the webpage corresponding to its check code.
Preferably, when the website judges whether a check code was submitted with the file to be uploaded, the file to be uploaded submits the check code to the website by passing it as a parameter of its code.
Preferably, uploading the file to the webpage also includes parsing the updated webpage and placing it at the corresponding position in the unlimited-level tree list.
The method embodiments in this specification are described in a progressive manner. Because the system embodiment is substantially similar to the method embodiments, it is described more briefly; for the relevant parts, refer to the corresponding explanation of the method embodiments. The invention proposes a method and system for preventing arbitrary file upload using webpage check codes: a website with upload functionality is parsed, its pages with upload functionality are numbered, each number is used as a check code and hidden in the page code, and when a file is uploaded, the website's verification function judges whether the file to be uploaded complies with the upload rules and acts accordingly. The invention can effectively judge the legitimacy of a file to be uploaded, prevents arbitrary file upload to a website, and maintains network information security.
Although the present invention has been described through embodiments, a person of ordinary skill in the art will appreciate that the invention admits many variations and changes that do not depart from its spirit, and it is intended that the appended claims cover such variations and changes without departing from the spirit of the invention.

Claims (4)

1. A method for preventing malicious file upload using webpage check codes, characterized by comprising:
parsing the website to obtain the website hierarchy, and representing the website as an unlimited-level tree list;
numbering the webpages that have upload functionality according to their positions in the unlimited-level tree list, using each number as the check code of its webpage, and hiding it in the webpage source code;
when a file is uploaded, writing the check code of the target webpage into the code of the file to be uploaded;
the website receiving the file to be uploaded and verifying it, and, if verification succeeds, uploading the file to the webpage corresponding to its check code;
if verification fails, not performing the upload and notifying the uploader;
wherein the website receiving the file to be uploaded and verifying it, uploading the file to the webpage corresponding to its check code if verification succeeds, and not performing the upload and notifying the uploader if verification fails, specifically comprises:
the website judging whether a check code was submitted with the file to be uploaded, and if not, not performing the upload and notifying the uploader;
if so, judging whether the check code matches an existing webpage check code, and if it does not match, not performing the upload and notifying the uploader;
if it matches, judging whether the check code is repeated, and if so, prompting the uploader to upload the file to be uploaded in separate batches;
if it is not repeated, uploading the file to the webpage corresponding to its check code.
2. The method of claim 1, characterized in that, when the website judges whether a check code was submitted with the file to be uploaded, the file to be uploaded submits the check code to the website by passing it as a parameter of its code.
3. The method of claim 1, characterized in that, after the file to be uploaded is uploaded to the webpage corresponding to its check code, the method further comprises parsing the updated webpage and placing it at the corresponding position in the unlimited-level tree list.
4. A system for preventing malicious file upload using webpage check codes, characterized by comprising:
a website parsing module, configured to parse the website, obtain the website hierarchy, and represent the website as an unlimited-level tree list;
a check code generation module, configured to number the webpages that have upload functionality according to their positions in the unlimited-level tree list, use each number as the check code of its webpage, and hide it in the webpage source code;
a check code writing module, configured to write the check code of the target webpage into the code of the file to be uploaded when a file is uploaded;
a website verification module, configured for the website to receive the file to be uploaded and verify it, and, if verification succeeds, upload the file to the webpage corresponding to its check code; if verification fails, not perform the upload and notify the uploader;
the website verification module being specifically configured to:
judge whether a check code was submitted with the file to be uploaded, and if not, not perform the upload and notify the uploader;
if so, judge whether the check code matches an existing webpage check code, and if it does not match, not perform the upload and notify the uploader.
CN201410845383.2A 2014-12-31 2014-12-31 Method and system for preventing arbitrary file upload using webpage check codes Active CN105491000B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410845383.2A CN105491000B (en) 2014-12-31 2014-12-31 Method and system for preventing arbitrary file upload using webpage check codes

Publications (2)

Publication Number Publication Date
CN105491000A (en) 2016-04-13
CN105491000B (en) 2019-05-07

Family

ID=55677720

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 150028 Building 7, Innovation Plaza, Science and Technology Innovation City, Harbin Hi-tech Industrial Development Zone, Harbin, Heilongjiang Province (838 Shikun Road)

Patentee after: Harbin antiy Technology Group Limited by Share Ltd

Address before: 150090 room 506, Hongqi Street, Nangang District, Harbin Development Zone, Heilongjiang, China, 162

Patentee before: Harbin Antiy Technology Co., Ltd.

PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: Method and system for preventing arbitrary uploading of files through webpage check codes

Effective date of registration: 20190828

Granted publication date: 20190507

Pledgee: Bank of Longjiang, Limited by Share Ltd, Harbin Limin branch

Pledgor: Harbin antiy Technology Group Limited by Share Ltd

Registration number: Y2019230000002

CP01 Change in the name or title of a patent holder

Address after: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road)

Patentee after: Antan Technology Group Co.,Ltd.

Address before: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road)

Patentee before: Harbin Antian Science and Technology Group Co.,Ltd.

PC01 Cancellation of the registration of the contract for pledge of patent right

Date of cancellation: 20211119

Granted publication date: 20190507

Pledgee: Bank of Longjiang Limited by Share Ltd. Harbin Limin branch

Pledgor: Harbin Antian Science and Technology Group Co.,Ltd.

Registration number: Y2019230000002
