CN109327451A - Method, system, device and medium for defending against file upload verification bypass - Google Patents

Info

Publication number: CN109327451A
Authority: CN (China)
Prior art keywords: suffix, character string, file, filename, target
Legal status: Granted
Current legal status: Active
Application number: CN201811280248.2A
Other languages: Chinese (zh)
Other versions: CN109327451B (en)
Inventor: 梁满
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd

Events:
Application filed by Sangfor Technologies Co Ltd
Priority to CN201811280248.2A
Publication of CN109327451A
Application granted
Publication of CN109327451B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102: Entity profiles
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/06: Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

This application discloses a method for defending against file upload verification bypass. When upload verification is performed on a file to be uploaded, the filename with its suffix removed is obtained first, and the filename is checked for a suffix string identical to a target suffix string; when such a suffix string is found, the upload of the file is refused. Unlike the prior art, which verifies only the final suffix, this application also checks suffix strings hidden inside the filename. It can therefore accurately detect a variety of existing bypass techniques and accommodates the ways in which various server management software parses files, significantly reducing the possibility that a file upload vulnerability is used to harm the server and the data on it, and providing higher security. This application also discloses a system, a device and a computer-readable storage medium for defending against file upload verification bypass, which have the same beneficial effects.

Description

Method, system, device and medium for defending against file upload verification bypass
Technical field
This application relates to the technical field of server security, and in particular to a method, system, device and computer-readable storage medium for defending against file upload verification bypass.
Background art
As Web applications become increasingly rich, Web servers, with their powerful computing capability, processing performance and the high value they hold, are increasingly becoming a primary attack target. Security incidents such as SQL injection (inserting SQL commands into a Web form submission, or into the query string of a domain name or page request, so that the server is ultimately tricked into executing malicious SQL commands), Webshell attacks (a Webshell being a script attack tool used for Web intrusion) and web page trojan planting occur frequently. Users such as enterprises generally use a firewall, which operates at the data link, network and transport layers, as the first line of defence of their security system, but because of various practical problems its protection is unsatisfactory, and so the WAF emerged.
A WAF (Web Application Firewall) is a product that works at the application layer and protects Web applications specifically by enforcing a series of security policies for HTTP/HTTPS. Because it works at the application layer, it can better protect Web applications, which belong to that layer. A WAF inspects and verifies the content of all kinds of requests from Web application clients to ensure they are safe and legitimate, and blocks illegitimate requests in real time, thereby effectively protecting all kinds of websites.
Although the WAF is a significant advance over the traditional firewall, some vulnerabilities can still exist that allow malicious files to get in. Using a file upload vulnerability of the Web server to successfully upload a malicious executable file to the Web server is one of the fastest and most direct ways to obtain server privileges. This vulnerability means that a user uploads an executable script file and, through that script file, gains the ability to execute server-side commands. The file upload function itself is not the problem; the problem is how the Web server handles and interprets the file after it is uploaded. If the server's processing logic is not secure enough, the uploaded file may be interpreted and executed by the Web container, with serious consequences.
When a Web server under a mainstream architecture checks an uploaded file, it usually judges from the suffix of the file whether the file's type is one it allows. The suffix is usually the ".xxx" at the end of the filename, so the upload is allowed or refused according to whether "xxx" is in a whitelist or blacklist. However, this approach can often be bypassed by various means that evade detection of the file's true suffix: the file satisfies the upload decision logic, but when the server actually parses it, it becomes a genuinely executable malicious file and harms the Web server.
Take a Web server running an earlier version of IIS as an example and assume that, under its server management program, it only allows image files with the suffix .jpg to be uploaded. When a file such as www.xxx.com/xx.asp;.jpg is uploaded, it passes the file upload check because of the final ".jpg". But when the server parses the received file, by default it does not parse the content after the ";", so the file xx.asp;.jpg is parsed as an asp file. If this asp file contains malicious content, its execution will harm the server and the data stored on it.
Therefore, the prior art cannot adequately prevent malicious files from harming the Web server through various suffix verification bypass techniques. How to overcome this technical deficiency and provide a method that is more resistant to suffix bypass is a problem that those skilled in the art urgently need to solve.
Summary of the invention
The object of this application is to provide a method for defending against file upload verification bypass. When upload verification is performed on a file to be uploaded, the filename with its suffix removed is obtained first, and the filename is checked for a suffix string identical to a target suffix string; when such a suffix string is found, the upload of the file is refused. Unlike the prior art, which verifies only the final suffix, this application also checks suffix strings that may be hidden inside the filename. It can therefore accurately detect known bypass techniques and accommodates the ways in which various server management software parses files, significantly reducing the possibility that a file upload vulnerability is used to harm the server and the data on it, and providing higher security.
Another object of this application is to provide a system, a device and a computer-readable storage medium for defending against file upload verification bypass.
To achieve the above object, this application provides a method for defending against file upload verification bypass, comprising:
extracting, from a file upload request, the filename of the file to be uploaded excluding its suffix;
detecting whether the filename contains a suffix string identical to a target suffix string;
when the target suffix string is present in the filename, refusing to perform the upload operation on the file to be uploaded.
Optionally, detecting whether the filename contains a suffix string identical to a target suffix string comprises:
splitting the filename at the suffix identifiers in the filename to obtain the individual suffix strings;
comparing each suffix string with the target suffix string to determine whether they are identical;
Correspondingly, refusing to perform the upload operation on the file to be uploaded when the target suffix string is present in the filename comprises:
when any suffix string is identical to the target suffix string, refusing to perform the upload operation on the file to be uploaded.
Optionally, splitting the filename at the suffix identifiers in the filename to obtain the individual suffix strings comprises:
adding an end mark at the end of the filename;
searching for the suffix identifier character by character, starting from the end mark and moving towards the front, and adding a suffix identification mark to each suffix identifier found;
extracting the string enclosed between the end mark and the special suffix identification mark, and the string enclosed between each pair of adjacent suffix identification marks, to obtain the individual suffix strings; wherein the special suffix identification mark is the suffix identification mark adjacent to the end mark.
Optionally, comparing each suffix string with the target suffix string to determine whether they are identical comprises:
comparing each suffix string with the target suffix string in turn;
Correspondingly, refusing to perform the upload operation on the file to be uploaded when the target suffix string is present in the filename comprises:
when the current suffix string is identical to the target suffix string, refusing to perform the upload operation on the file to be uploaded.
Optionally, the method for defending against file upload verification bypass further comprises:
deleting from each suffix string every interference character that appears in a preset interference character list, so that the suffix string with the interference characters removed is used to determine whether it is identical to the target suffix string.
Optionally, the method for defending against file upload verification bypass further comprises:
uploading the file that was refused upload to a honeypot server via a preset path; wherein the honeypot server has the same file parsing rules as a normal Web server;
parsing the received file with the honeypot server to obtain a parsed file, and recording the operations the parsed file performs;
determining whether a misjudgment occurred according to whether each operation harms the honeypot terminal.
To achieve the above object, this application also provides a system for defending against file upload verification bypass, the system comprising:
a filename extraction unit, configured to extract, from a file upload request, the filename of the file to be uploaded excluding its suffix;
a target suffix string detection unit, configured to detect whether the filename contains a suffix string identical to a target suffix string;
an upload refusal unit, configured to refuse to perform the upload operation on the file to be uploaded when the target suffix string is present in the filename.
Optionally, the target suffix string detection unit comprises:
a suffix identifier splitting subunit, configured to split the filename at the suffix identifiers in the filename to obtain the individual suffix strings;
an identity comparison subunit, configured to compare each suffix string with the target suffix string to determine whether they are identical;
Correspondingly, the upload refusal unit comprises:
a first upload refusal subunit, configured to refuse to perform the upload operation on the file to be uploaded when any suffix string is identical to the target suffix string.
Optionally, the suffix identifier splitting subunit comprises:
an end mark adding module, configured to add an end mark at the end of the filename;
a suffix identifier search and identification mark adding module, configured to search for the suffix identifier character by character, starting from the end mark and moving towards the front, and to add a suffix identification mark to each suffix identifier found;
a suffix string extraction module, configured to extract the string enclosed between the end mark and the special suffix identification mark, and the string enclosed between each pair of adjacent suffix identification marks, to obtain the individual suffix strings; wherein the special suffix identification mark is the suffix identification mark adjacent to the end mark.
Optionally, the identity comparison subunit comprises:
a sequential comparison module, configured to compare each suffix string with the target suffix string in turn;
Correspondingly, the upload refusal unit comprises:
a second upload refusal subunit, configured to refuse to perform the upload operation on the file to be uploaded when the current suffix string is identical to the target suffix string.
Optionally, the system for defending against file upload verification bypass further comprises:
an interference character removal unit, configured to delete from each suffix string every interference character that appears in a preset interference character list, so that the suffix string with the interference characters removed is used to determine whether it is identical to the target suffix string.
Optionally, the system for defending against file upload verification bypass further comprises:
a refused-file special upload unit, configured to upload the file that was refused upload to a honeypot server via a preset path; wherein the honeypot server has the same file parsing rules as a normal Web server;
a honeypot server parsing and operation recording unit, configured to parse the received file with the honeypot server to obtain a parsed file, and to record the operations the parsed file performs;
a misjudgment determination unit, configured to determine whether a misjudgment occurred according to whether each operation harms the honeypot terminal.
To achieve the above object, this application also provides a device for defending against file upload verification bypass, the device comprising:
a memory, configured to store a computer program;
a processor, configured to implement, when executing the computer program, the steps of the method for defending against file upload verification bypass described above.
To achieve the above object, this application also provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, the steps of the method for defending against file upload verification bypass described above are implemented.
With the method for defending against file upload verification bypass provided by this application, when upload verification is performed on a file to be uploaded, the filename with its suffix removed is obtained first, and the filename is checked for a suffix string identical to a target suffix string; when such a suffix string is found, the upload of the file is refused. Unlike the prior art, which verifies only the final suffix, this application also checks suffix strings that may be hidden inside the filename. It can therefore accurately detect known bypass techniques and accommodates the ways in which various server management software parses files, significantly reducing the possibility that a file upload vulnerability is used to harm the server and the data on it, and providing higher security.
This application also provides a system, a device and a computer-readable storage medium for defending against file upload verification bypass, which have the same beneficial effects; these are not repeated here.
Brief description of the drawings
To explain the technical solutions in the embodiments of this application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only embodiments of this application; those of ordinary skill in the art can obtain other drawings from the drawings provided without creative effort.
Fig. 1 is a flowchart of a method for defending against file upload verification bypass provided by an embodiment of this application;
Fig. 2 is a flowchart of another method for defending against file upload verification bypass provided by an embodiment of this application;
Fig. 3 is a flowchart of a method, within the method for defending against file upload verification bypass provided by an embodiment of this application, for obtaining suffix strings by splitting at suffix identifiers;
Fig. 4 is a flowchart of a method for handling a file that has been refused upload, provided by an embodiment of this application;
Fig. 5 is a flowchart of a method for detecting the suffix type in an HTTP request using the multipart/form-data protocol, provided by an embodiment of this application;
Fig. 6 is a schematic flow diagram of a method for detecting the suffix type provided by an embodiment of this application;
Fig. 7 is a structural block diagram of a system for defending against file upload verification bypass provided by an embodiment of this application.
Detailed description of the embodiments
The core of this application is to provide a method, system, device and computer-readable storage medium for defending against file upload verification bypass. When upload verification is performed on a file to be uploaded, the filename with its suffix removed is obtained first, and the filename is checked for a suffix string identical to a target suffix string; when such a suffix string is found, the upload of the file is refused. Unlike the prior art, which verifies only the final suffix, this application also checks suffix strings that may be hidden inside the filename. It can therefore accurately detect known bypass techniques and accommodates the ways in which various server management software parses files, significantly reducing the possibility that a file upload vulnerability is used to harm the server and the data on it, and providing higher security.
To make the purposes, technical solutions and advantages of the embodiments of this application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are some, not all, of the embodiments of this application. All other embodiments obtained by those of ordinary skill in the art from the embodiments in this application without creative effort fall within the scope of protection of this application.
Embodiment one
Referring to Fig. 1, which is a flowchart of a method for defending against file upload verification bypass provided by an embodiment of this application, the method comprises the following steps:
S101: extract, from the file upload request, the filename of the file to be uploaded excluding its suffix;
This step obtains the filename of the file to be uploaded excluding its suffix; the part removed is the part that the prior art would identify as the suffix. Taking the file xxxxx.txt as an example, the filename obtained in this step is "xxxxx", with the part identified as .txt removed.
The filename may be contained, as part of the characteristic information of the file to be uploaded, in the HTTP request that uploads the file, and the upload verification mechanism extracts the filename from a preset position in that HTTP request. HTTP requests formed under different specific protocols may contain different kinds of information in different orders, so the way the filename is extracted must be adjusted to the protocol the HTTP request uses. For example, RFC1867 adds a file attribute to the INPUT tag on top of standard HTTP and also specifies that the Form's method must be POST and its ENCTYPE must be multipart/form-data; in an HTTP request formed under this protocol, the filename can be extracted from the filename field in the multipart/form-data.
The prior art identifies the file type from the filename including its suffix. Taking xxxxx.txt again, it finds that the suffix is txt and the file type is text document, and then, according to its own upload verification mechanism, determines whether files of the text document type are allowed to be uploaded. If only files of the image type are allowed, this file is refused because it is a text document; if text documents are also allowed, the file is allowed to be uploaded.
The prior art therefore does not judge whether the suffix it identifies is the true suffix, nor does it examine the strings other than the final suffix. So when a true suffix is hidden in the filename before the final suffix, the prior art's verification in the file upload mechanism can be bypassed.
This step therefore first strips the suffix that conventional means can identify, obtaining the filename that the prior art does not examine again, and the subsequent steps identify the suffix strings that may be hidden in that filename, to prevent the upload mechanism's verification from being bypassed.
S102: detect whether the filename contains a suffix string identical to a target suffix string;
Building on S101, this step detects whether the filename contains a suffix string identical to a target suffix string. A target suffix string is a suffix string that the upload verification mechanism does not allow. Their number is not specifically limited: there may be several or only one, and several target suffix strings can form a suffix blacklist, for example the suffixes of executable script file types such as php and asp. This step performs string detection on the filename to prevent the existing upload verification from being bypassed by adding the suffix of another file type, or interference characters, after the true suffix; existing upload mechanisms treat this part of the name as the filename and do not examine it.
In the prior art, there are broadly two ways to get a file of a non-permitted type past the upload verification mechanism (with text documents as the example). First, the true suffix of the file is directly changed to a compliant one, for example the suffix of the image file xxxx.jpg is changed to give xxxx.txt, so that it passes a verification mechanism that only accepts txt files. But with this modification, a file that can only be executed by being opened as an image file cannot be executed when opened as a text document, so the modified file is not executable and cannot harm the Web server that stores it. This application does not address that case.
Second, the true suffix is kept and some information is appended after it, for example xxxx.jpg is changed to xxxx.jpg;.txt. A file modified in this way passes verification under the existing approach of checking only the final suffix in the filename and is successfully uploaded to the Web server. But when the Web server parses the file, it by default ignores the information after the ";" (a truncation character, which cuts off the information before it from the information after it), so xxxx.jpg;.txt is parsed as xxxx.jpg. If xxxx.jpg carries malicious content, executing it will harm the Web server and the data on it. This application is mainly aimed at this case, in which a file upload vulnerability is exploited to get a file executed on the server side and thereby harm the server and its data.
The suffix strings in the filename are determined mainly by using the suffix identifier "." to obtain strings of the form ".xxx". In the xxxx.jpg;.txt example, .jpg (or .jpg;) and .txt are found. To prevent interference characters, including truncation characters, from interfering, the interference characters that each suffix string may contain can be removed or ignored, so that the two suffixes .jpg and .txt are finally obtained and compared with the target suffix string. Assuming that files with the suffix .jpg, that is, image files, are not allowed to be uploaded, it is then discovered that the filename hides a suffix that would cause the file to be parsed as .jpg after upload (because the content after the ";" is not parsed and is ignored), and the known bypass technique is defended against.
On this basis, there are several concrete ways to determine the suffix strings from the suffix identifiers. In the first way, all suffix identifiers in the filename are determined at once, and the string enclosed between each pair of adjacent suffix identifiers is extracted as one suffix string, so that every suffix string can be compared with the target suffix string (that is, to determine whether files of that type are allowed to be uploaded). In the second way, suffix identifiers are found one at a time, in a fixed order from one end of the filename to the other. Each suffix identifier found yields one suffix string, which is compared with the target suffix string; if the current suffix string is not identical to the target suffix string, the search for the next suffix identifier continues in the same direction, and it ends when a suffix string identical to the target suffix string is found.
In short, the first way compares every suffix string contained in the filename with the target suffix string, so no suffix string is missed and a result is obtained for each of them. This suits more complex and richer refusal policies, for example policies based on how many suffix strings are identical to a target suffix string, or on which specific combination of suffix strings is present. The comparison can be carried out serially or in parallel: serially, each suffix string is compared with the target suffix string in turn; in parallel, several or all of the suffix strings are compared with the target suffix string at the same time. The choice can be made flexibly according to the actual application scenario.
In the second way, each time a suffix identifier is found and the suffix string it delimits is obtained, that suffix string is immediately compared with the target suffix string. If they are not identical, the next suffix identifier and the next suffix string are found and compared in the same manner, until a suffix string identical to the target suffix string is found or all suffix strings have been found to differ from the target suffix string, which completes the decision process. Compared with the first way, when the policy is to refuse the upload as soon as one or a few target suffix strings are found, this way does not need to determine all the suffix strings contained in the filename, which saves some time and resources.
Which way to use can be chosen flexibly according to the requirements of the actual application scenario and is not specifically limited here.
S103: when the target suffix character string exists in the filename, refuse to execute the upload operation on the file to be uploaded.
On the basis of S102, when the target suffix character string exists in the filename, the file may cause harm to the Web server, so the upload operation on the file to be uploaded is refused. Finding a suffix character string hidden in the filename that should not appear there indicates that a bypass technique is being used in an attempt to get around the verification of the existing upload mechanism.
Further, suppose 5 different pieces of suffix information, corresponding to 5 different file types, are determined in the filename of a file to be uploaded. When judging whether to refuse the upload, the number of pieces of suffix information that must appear in the suffix blacklist can be set as required. When it is set to 2, the upload operation on the file to be uploaded is refused only when 2 of the 5 pieces of suffix information in its filename are on the suffix blacklist. It can also be set so that the upload is refused only when two particular pieces of suffix information are present at the same time.
Different danger levels can also be set for the different suffix information in the suffix blacklist, so that the upload is refused when the filename of a file to be uploaded contains at least one piece of high-danger suffix information, or when it contains at least two pieces of low-danger suffix information, and so on. The danger level of a piece of suffix information can be set according to how often the real suffix that harmed the server appears in historical threat samples, or according to how much harm files of the different types cause to the server when they contain malicious content; this is not specifically limited here.
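One way to express the three refusal rules described above (a minimum number of blacklisted suffixes, a required combination, and per-level thresholds) as data plus one decision function. This is an added example, not part of the patent text; the class and function names, the sample blacklist and the danger level assigned to each suffix are assumptions, and hits are counted as distinct suffixes.

```python
"""Upload-refusal policies over the suffixes found in one filename (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed blacklist; the danger level given to each suffix is an assumption.
DANGER_LEVEL = {"php": "high", "jsp": "high", "asp": "high",
                "html": "low", "svg": "low", "js": "low"}


@dataclass
class RejectPolicy:
    # Refuse when at least this many distinct suffixes are blacklisted (None: rule off).
    min_total_hits: Optional[int] = None
    # Refuse when at least N distinct suffixes of a given danger level are present.
    min_hits_per_level: dict = field(default_factory=dict)
    # Refuse when every suffix of one of these sets is present at the same time.
    combinations: list = field(default_factory=list)


def decide(suffixes, policy, levels=DANGER_LEVEL):
    """Return (refuse, reason) for the suffix strings found in one filename."""
    hits = {s.lower() for s in suffixes if s.lower() in levels}
    if policy.min_total_hits is not None and len(hits) >= policy.min_total_hits:
        return True, f"{len(hits)} blacklisted suffixes: {sorted(hits)}"
    for level, needed in policy.min_hits_per_level.items():
        at_level = sorted(s for s in hits if levels[s] == level)
        if len(at_level) >= needed:
            return True, f"{len(at_level)} {level}-danger suffixes: {at_level}"
    for combo in policy.combinations:
        if set(combo) <= hits:
            return True, f"combination present: {sorted(combo)}"
    return False, "no rule matched"


# The three strategies from the text, as policy objects.
COUNT_POLICY = RejectPolicy(min_total_hits=2)
LEVEL_POLICY = RejectPolicy(min_hits_per_level={"high": 1, "low": 2})
COMBO_POLICY = RejectPolicy(combinations=[{"php", "html"}])

if __name__ == "__main__":
    # Constructed suffix lists, as a suffix extractor would return them.
    samples = [["txt", "php", "jpg", "gif", "png"],
               ["txt", "php", "jsp", "gif", "png"],
               ["svg", "html", "jpg"]]
    for found in samples:
        for name, policy in [("count", COUNT_POLICY), ("level", LEVEL_POLICY),
                             ("combo", COMBO_POLICY)]:
            print(found, name, decide(found, policy))
```
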
Further, to guard against misjudgment by this method, a controllable system environment such as a sandbox or a honeypot can be used to simulate how a real Web server parses the file. The file whose upload was refused is uploaded to such a controllable environment and the operations it performs are observed to determine whether it was misjudged, so that the suffix blacklist or the refusal mechanism can be adjusted.
Based on the above technical solution, in the method for defending against file upload verification bypass provided by this embodiment of the application, when upload verification is performed on a file to be uploaded, the filename excluding the suffix is first obtained, the filename is checked for a suffix character string identical to the target suffix character string, and the upload of the file is refused when such a suffix character string is found. Unlike the prior art, which verifies only the final suffix, this application also detects suffix character strings hidden in the filename. It can therefore accurately detect known bypass techniques and accommodate the ways in which various server management software parses files, which significantly reduces the possibility of the server and the data on it being harmed through a file upload vulnerability, and gives higher security.
Embodiment two
Referring to Fig. 2, Fig. 2 is a flowchart of another method for defending against file upload verification bypass provided by an embodiment of the application. Unlike embodiment one, this embodiment uses S202 and S203 to detect, in the first way mentioned in S102, whether the filename contains a suffix character string identical to the target suffix character string, and S204 gives one specific strategy for refusing the upload operation. The specific steps are as follows:
S201: extract the filename, excluding the suffix, of the file to be uploaded from the file upload request;
S202: split the filename using the suffix identifiers in the filename to obtain each suffix character string;
Taking xxxx.jpg;.txt as an example again, it contains two suffix identifiers ".". Using them as separators, the filename can be split into two different suffix character strings, "jpg;" and "txt".
Normally, when a suffix character string contains no interfering characters such as truncation characters, it can be used directly as suffix information. When it does contain truncation characters such as ";", "00ttt" or "::$DATA", those characters must first be excluded to remove the interference they cause, so as to obtain the real suffix information.
One implementation, among others, is as follows:
Delete from each suffix character string every interfering character that appears in a preset interfering-character list to obtain a preferred suffix character string, and use the preferred suffix character string as the suffix information. The preset interfering-character list contains various truncation characters used to achieve truncation, as well as other interfering characters, and can be updated continuously as bypass techniques change.
S203: compare each suffix character string with the target suffix character string to see whether they are identical;
That is, in this step every suffix character string contained in the filename is compared with the target suffix character string to see whether they are identical.
S204: when any suffix character string is identical to the target suffix character string, refuse to execute the upload operation on the file to be uploaded.
When any suffix character string is identical to the target suffix character string, the upload operation on the file to be uploaded is refused, which implements a stricter upload-refusal strategy.
Embodiment three
Referring to Fig. 3, Fig. 3 is a flowchart of a method for splitting the filename with suffix identifiers to obtain suffix character strings, within the method for defending against file upload verification bypass provided by an embodiment of the application. This embodiment gives one specific implementation of S202; the remaining steps are unchanged. It specifically includes the following steps:
S301: add an end mark at the end of the filename;
Taking xxxx.jpg;.txt as an example, the end mark is attached after txt.
S302: starting from the end mark, search forward character by character for suffix identifiers, and add a suffix identification mark to each suffix identifier found;
Here the suffix identifier is ".". That is, starting from the end mark of the filename, this step checks character by character whether each character is ".", and adds a suffix identification mark to each ".".
Taking xxxx.jpg;.txt as an example, suffix identification marks are added to the "." immediately before txt and to the "." immediately before jpg.
S303: extract the character string enclosed between the end mark and the special suffix identification mark, and the character string enclosed between each pair of adjacent suffix identification marks, to obtain each suffix character string;
Taking xxxx.jpg;.txt as an example, the two different character strings "jpg;" and "txt" are finally obtained and used as the two suffix character strings.
Embodiment four
Referring to Fig. 4, Fig. 4 is a flowchart of a method, provided by an embodiment of the application, for handling a file to be uploaded whose upload was refused. To make the judgment more accurate in view of the possible misjudgment mentioned in S103, this embodiment provides one specific implementation, with the following steps:
S401: upload the file to be uploaded whose upload was refused to a honeypot server through a preset path;
The preset path is a path different from the normal file upload path and points to the honeypot server. Note that the honeypot server has the same file parsing rules as the normal Web server, so as to simulate as closely as possible what could happen on the normal Web server after it received a file whose upload should have been refused.
S402: parse the received file using the honeypot server to obtain the parsed file, and record the operations performed by the parsed file;
S403: determine whether a misjudgment occurred according to whether each operation causes harm to the honeypot terminal.
The records obtained in this process can be analysed with big-data analysis methods to adjust the upload-refusal strategy and continuously improve the security of the Web server.
Embodiment five
To deepen understanding of the inventive point of the application, this embodiment describes how the technical solution of the application is implemented in a concrete application scenario. The embodiment targets the multipart/form-data protocol defined in RFC1867: it parses the data of a multipart file upload to obtain the filenames, and checks all the suffix information contained in the filenames against the suffix blacklist. This solves the problem that, under current mechanisms, mainstream Web servers produce different parsing results for non-standard multipart/form-data protocol formats, so that the normal detection of the WAF is bypassed and the file upload vulnerability is exploited. For the specific implementation, refer to Fig. 5:
1) Receive the HTTP request (file upload request) sent from the Client;
Note that in this scenario the WAF sits between the Client and the Server. It receives the HTTP request from the Client, inspects it according to its own preset policy, performs the corresponding action according to the detection result, and returns the corresponding response information to the Server.
The specific implementation process can be:
(1) The Client initiates a file upload request. The WAF parses the request header, recognises an HTTP multipart file upload, caches the body data (the body content of the request, including text, characters and so on) in link tracking, and begins parsing the body data according to the multipart format;
(2) When the length of the cached body data plus the body data of the current request does not exceed the buffer size, the body data of the current request continues to be cached in link tracking, while the cached body data is parsed according to the multipart format;
(3) When the length of the cached body data plus the body data of the current request exceeds the buffer size, the cached body data is parsed according to the multipart format and the cache is emptied; the body data of the current request is then cached in link tracking and parsed according to the multipart format;
(4) Steps (2) and (3) are repeated until all the body data has been parsed. Suffix blacklist detection is then performed on the information in the filename fields obtained by parsing, and response data is returned to the Server according to the detection result.
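A sketch of the bounded-cache parse loop in steps (1) to (4), as an added example that is not the patent's own code. It simplifies the caching to the unfinished line only, parses complete lines as chunks arrive, and keeps every filename value, including duplicates in one header; the class, function and field names, the sizes and the sample body are assumptions.

```python
"""Collect every filename value from a multipart/form-data body fed in chunks."""
import re

# Any filename / filename* parameter, quoted or bare. One header line may carry
# more than one, and servers differ on which they honour, so all are kept.
FILENAME_PARAM = re.compile(
    rb'filename\*?\s*=\s*(?:"((?:\\.|[^"\\])*)"|([^;\s]*))', re.IGNORECASE)


class FilenameCollector:
    def __init__(self, boundary, buffer_size=256):
        self.delimiter = b"--" + boundary
        self.buffer_size = buffer_size   # cap on bytes cached between chunks
        self.cached = b""                # the line still being received
        self.in_headers = False          # between a delimiter line and the blank line
        self.skipping = False            # rest of an over-long line is being dropped
        self.header_overflow = False     # a header line exceeded the cache
        self.filenames = []

    def feed(self, chunk):
        *lines, self.cached = (self.cached + chunk).split(b"\n")
        for line in lines:
            if self.skipping:            # tail of a line whose head was dropped
                self.skipping = False
            else:
                self._parse_line(line.rstrip(b"\r"))
        if len(self.cached) > self.buffer_size:
            # Cache full: part content can be dropped, but a header line that
            # does not fit may hide a filename, so flag it for the policy.
            self.header_overflow |= self.in_headers
            self.cached, self.skipping = b"", True

    def _parse_line(self, line):
        if line.startswith(self.delimiter):
            tail = line[len(self.delimiter):].strip()
            if tail in (b"", b"--"):
                self.in_headers = tail == b""   # "--b" opens a part, "--b--" ends
                return
        if self.in_headers:
            if line == b"":
                self.in_headers = False         # blank line: part content follows
                return
            # Scan every header line, not only Content-Disposition, so folded
            # continuation lines are covered as well.
            for quoted, bare in FILENAME_PARAM.findall(line):
                if quoted or bare:
                    self.filenames.append((quoted or bare).decode("latin-1"))


def collect_filenames(body, boundary, chunk_size=50, buffer_size=256):
    """Feed body in chunk_size pieces; return (filenames, header_overflow)."""
    collector = FilenameCollector(boundary, buffer_size)
    for offset in range(0, len(body), chunk_size):
        collector.feed(body[offset:offset + chunk_size])
    return collector.filenames, collector.header_overflow


# Constructed request body: a text field whose value mentions filename=, a part
# with two filename parameters and 600 bytes of content, and a bare filename.
SAMPLE_BODY = (
    b"--XyZ\r\n"
    b'Content-Disposition: form-data; name="note"\r\n\r\n'
    b'filename="decoy.php" typed into a text field\r\n'
    b"--XyZ\r\n"
    b'Content-Disposition: form-data; name="f"; filename="a.jpg"; filename="b.php"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    + b"A" * 600 +
    b"\r\n--XyZ\r\n"
    b"Content-Disposition: form-data; name=g; filename=c.txt\r\n\r\n"
    b"data\r\n--XyZ--\r\n"
)

if __name__ == "__main__":
    print(collect_filenames(SAMPLE_BODY, b"XyZ"))
```

Every collected value then goes through the suffix blacklist check, and a set `header_overflow` flag is best treated as a reason to intercept, since a filename may sit in the part of the header that was not cached.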
2) Judge whether it is an HTTP request under the multipart/form-data protocol;
This step is intended to select the HTTP requests constructed with the multipart/form-data protocol.
3) Parse and save all filename field values in the HTTP request;
This step is performed when the judgment result of step 2) is yes, and begins parsing and saving all filename field values.
4) Judge whether the filename field values contain suffix information consistent with the suffix type blacklist;
5) Report a log and intercept or release the HTTP request according to the preset execution policy;
This step is performed when the judgment result of step 4) is that the filename field values contain suffix information consistent with the suffix type blacklist: a log is reported and the HTTP request is intercepted or released according to the preset execution policy.
Based on the above flow, the schematic diagram of Fig. 6 can also be consulted, which walks through the detection of an actual filename to deepen understanding of how this solution determines all the suffix information:
1. Search for "." (the suffix identifier) starting from the end of the filename (***.txt.php\x00tt.xxx.exe), and record an end offset End (equivalent to adding the end mark);
2. After a "." (suffix identifier) is found, record a start offset Start (equivalent to adding a suffix identification mark) and judge whether the content between Start and End is in the suffix type blacklist. If it is, report a log and intercept or release according to the policy; if it is not, record End again and continue looking for the previous "." (suffix identifier), and so on, until all type suffixes have been checked;
3. If a truncation character (for example \x00) is encountered while searching for "." (the suffix identifier), point End to the position just before the truncation character (skipping the truncation character without stopping) and continue looking for "." (the suffix identifier);
4. When matching, filter out a trailing ::$DATA character string to prevent bypass through the Windows file stream suffix.
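The backward scan of steps 1 to 4, which is also the end-mark procedure of S301 to S303, written out as an added example that is not code from the patent. The function names, the sample blacklist, treating ";" as a truncation character in the same way as \x00, and the case-insensitive comparison are assumptions. The generator serves both detection ways described under S102: consuming it fully examines every suffix, while stopping at the first hit gives the early-exit variant.

```python
"""Backward suffix scan over an upload filename (illustrative, added example)."""

SUFFIX_IDENTIFIER = "."
# Assumption: ";" is handled like the \x00 truncation character of step 3.
TRUNCATION_CHARS = {"\x00", ";"}
STREAM_SUFFIX = "::$DATA"          # Windows file stream suffix named in step 4
# Constructed sample blacklist; a deployment supplies its own.
SUFFIX_BLACKLIST = {"php", "asp", "jsp", "exe"}


def iter_suffixes(filename):
    """Yield each suffix string, last one first, as the scan walks to the front."""
    # Step 4: drop a trailing ::$DATA before matching.
    if filename[-len(STREAM_SUFFIX):].upper() == STREAM_SUFFIX:
        filename = filename[:-len(STREAM_SUFFIX)]
    end = len(filename)             # step 1: End offset, the "end mark"
    for i in range(len(filename) - 1, -1, -1):
        ch = filename[i]
        if ch in TRUNCATION_CHARS:
            # Step 3: End moves to just before the truncation character and
            # the scan goes on, so "php\x00tt" is read as "php".
            end = i
        elif ch == SUFFIX_IDENTIFIER:
            start = i + 1           # step 2: Start offset, the "identification mark"
            if start < end:         # skip empty segments such as "a..b"
                # Assumption: suffixes are compared case-insensitively.
                yield filename[start:end].lower()
            end = i                 # record End again for the previous segment


def all_blacklisted(filename, blacklist=SUFFIX_BLACKLIST):
    """First way: examine every suffix and return all blacklist hits."""
    return [s for s in iter_suffixes(filename) if s in blacklist]


def first_blacklisted(filename, blacklist=SUFFIX_BLACKLIST):
    """Second way: stop at the first hit; None means no suffix matched."""
    return next((s for s in iter_suffixes(filename) if s in blacklist), None)


if __name__ == "__main__":
    # The first two filenames are the page's own examples; the rest are constructed.
    for name in ["***.txt.php\x00tt.xxx.exe", "xxxx.jpg;.txt",
                 "avatar.PHP::$data", "report.final.pdf"]:
        hits = all_blacklisted(name)
        print(repr(name), list(iter_suffixes(name)), "REFUSE" if hits else "allow")
```
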
With the Web protection method based on suffix type blacklist detection for file uploads provided by this embodiment, parsing supports not only the normal protocol format but is also compatible with the parsing of mainstream servers, and the final suffix type blacklist detection is likewise compatible with mainstream servers. With this strongly compatible suffix blacklist detection mechanism, all currently known file upload suffix bypass attacks can be detected.
Because the situations are complex and cannot all be enumerated, those skilled in the art should recognise that many examples can exist when the basic method principle provided by the application is combined with actual conditions; without sufficient creative work, these should all fall within the scope of protection of the application.
Embodiment six
Referring to Fig. 7, Fig. 7 is a structural block diagram of a system for defending against file upload verification bypass provided by an embodiment of the application. The system may include:
A filename extraction unit 100, configured to extract the filename, excluding the suffix, of the file to be uploaded from the file upload request;
A target suffix character string detection unit 200, configured to detect whether the filename contains a suffix character string identical to the target suffix character string;
A refuse-upload unit 300, configured to refuse to execute the upload operation on the file to be uploaded when the target suffix character string exists in the filename.
The target suffix character string detection unit 200 may include:
A suffix identifier splitting subunit, configured to split the filename using the suffix identifiers in the filename to obtain each suffix character string;
An identity comparison subunit, configured to compare each suffix character string with the target suffix character string to see whether they are identical;
Correspondingly, the refuse-upload unit 300 may include:
A first refuse-upload subunit, configured to refuse to execute the upload operation on the file to be uploaded when any suffix character string is identical to the target suffix character string.
The suffix identifier splitting subunit may include:
An end mark adding module, configured to add an end mark at the end of the filename;
A suffix identifier search and identification mark adding module, configured to search forward character by character for suffix identifiers starting from the end mark, and to add a suffix identification mark to each suffix identifier found;
A suffix character string extraction module, configured to extract the character string enclosed between the end mark and the special suffix identification mark and the character string enclosed between each pair of adjacent suffix identification marks, to obtain each suffix character string; the special suffix identification mark is the suffix identification mark adjacent to the end mark.
The identity comparison subunit may include:
A sequential comparison module, configured to compare each suffix character string in turn with the target suffix character string to see whether they are identical;
Correspondingly, the refuse-upload unit 300 may include:
A second refuse-upload subunit, configured to refuse to execute the upload operation on the file to be uploaded when the current suffix character string is identical to the target suffix character string.
Further, the system for defending against file upload verification bypass may also include:
An interfering character removal unit, configured to delete from each suffix character string every interfering character that appears in the preset interfering-character list, so that the suffix character string with the interfering characters removed is used to judge whether it is identical to the target suffix character string.
Further, the system for defending against file upload verification bypass may also include:
A refused-file special upload unit, configured to upload the file to be uploaded whose upload operation was refused to a honeypot server through a preset path; the honeypot server has the same file parsing rules as the normal Web server;
A honeypot server parsing and operation recording unit, configured to parse the received file using the honeypot server to obtain the parsed file, and to record the operations performed by the parsed file;
A misjudgment determination unit, configured to determine whether a misjudgment occurred according to whether each operation causes harm to the honeypot terminal.
Based on the above embodiments, the application also provides a device for defending against file upload verification bypass. The device may include a memory and a processor, where the memory stores a computer program, and the steps provided by the above embodiments can be implemented when the processor calls the computer program in the memory. The device may of course also include various necessary network interfaces, a power supply and other components.
The application also provides a computer-readable storage medium storing a computer program; the steps provided by the above embodiments can be implemented when the computer program is executed by an execution terminal or a processor. The storage medium may include a USB flash drive, a removable hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
Specific examples are used herein to illustrate the principle and implementation of the application. The embodiments are described progressively: each embodiment focuses on its differences from the others, and for the parts that are the same or similar the embodiments can be referred to one another. For the device disclosed in an embodiment, refer to the description of the corresponding method. The above description of the embodiments is only intended to help in understanding the method of the application and its core idea. A person of ordinary skill in the art can make improvements and modifications to the application without departing from its principle, and these improvements and modifications also fall within the protection scope of the claims of the application.
It should also be noted that, in this specification, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any variants of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.

Claims (14)

1. A method for defending against file upload verification bypass, characterized in that the method comprises:
extracting the filename, excluding the suffix, of a file to be uploaded from a file upload request;
detecting whether the filename contains a suffix character string identical to a target suffix character string;
when the target suffix character string exists in the filename, refusing to execute the upload operation on the file to be uploaded.
2. The method according to claim 1, characterized in that detecting whether the filename contains a suffix character string identical to the target suffix character string comprises:
splitting the filename using the suffix identifiers in the filename to obtain each suffix character string;
comparing each suffix character string with the target suffix character string to see whether they are identical;
correspondingly, refusing to execute the upload operation on the file to be uploaded when the target suffix character string exists in the filename comprises:
when any suffix character string is identical to the target suffix character string, refusing to execute the upload operation on the file to be uploaded.
3. The method according to claim 2, characterized in that splitting the filename using the suffix identifiers in the filename to obtain each suffix character string comprises:
adding an end mark at the end of the filename;
searching forward character by character for the suffix identifiers starting from the end mark, and adding a suffix identification mark to each suffix identifier found;
extracting the character string enclosed between the end mark and a special suffix identification mark and the character string enclosed between each pair of adjacent suffix identification marks, to obtain each suffix character string; wherein the special suffix identification mark is the suffix identification mark adjacent to the end mark.
4. The method according to claim 2, characterized in that comparing each suffix character string with the target suffix character string to see whether they are identical comprises:
comparing each suffix character string in turn with the target suffix character string to see whether they are identical;
correspondingly, refusing to execute the upload operation on the file to be uploaded when the target suffix character string exists in the filename comprises:
when the current suffix character string is identical to the target suffix character string, refusing to execute the upload operation on the file to be uploaded.
5. The method according to any one of claims 2 to 4, characterized by further comprising:
deleting from each suffix character string every interfering character that appears in a preset interfering-character list, so that the suffix character string with the interfering characters removed is used to judge whether it is identical to the target suffix character string.
6. The method according to claim 5, characterized by further comprising:
uploading the file to be uploaded whose upload operation was refused to a honeypot server through a preset path; wherein the honeypot server has the same file parsing rules as a normal Web server;
parsing the received file using the honeypot server to obtain the parsed file, and recording the operations performed by the parsed file;
determining whether a misjudgment occurred according to whether each operation causes harm to the honeypot terminal.
7. A system for defending against file upload verification bypass, characterized in that the system comprises:
a filename extraction unit, configured to extract the filename, excluding the suffix, of a file to be uploaded from a file upload request;
a target suffix character string detection unit, configured to detect whether the filename contains a suffix character string identical to a target suffix character string;
a refuse-upload unit, configured to refuse to execute the upload operation on the file to be uploaded when the target suffix character string exists in the filename.
8. The system according to claim 7, characterized in that the target suffix character string detection unit comprises:
a suffix identifier splitting subunit, configured to split the filename using the suffix identifiers in the filename to obtain each suffix character string;
an identity comparison subunit, configured to compare each suffix character string with the target suffix character string to see whether they are identical;
correspondingly, the refuse-upload unit comprises:
a first refuse-upload subunit, configured to refuse to execute the upload operation on the file to be uploaded when any suffix character string is identical to the target suffix character string.
9. The method according to claim 8, characterized in that the suffix identifier splitting subunit comprises:
an end mark adding module, configured to add an end mark at the end of the filename;
a suffix identifier search and identification mark adding module, configured to search forward character by character for the suffix identifiers starting from the end mark, and to add a suffix identification mark to each suffix identifier found;
a suffix character string extraction module, configured to extract the character string enclosed between the end mark and a special suffix identification mark and the character string enclosed between each pair of adjacent suffix identification marks, to obtain each suffix character string; wherein the special suffix identification mark is the suffix identification mark adjacent to the end mark.
10. The system according to claim 8, characterized in that the identity comparison subunit comprises:
a sequential comparison module, configured to compare each suffix character string in turn with the target suffix character string to see whether they are identical;
correspondingly, the refuse-upload unit comprises:
a second refuse-upload subunit, configured to refuse to execute the upload operation on the file to be uploaded when the current suffix character string is identical to the target suffix character string.
11. The system according to any one of claims 8 to 10, characterized by further comprising:
an interfering character removal unit, configured to delete from each suffix character string every interfering character that appears in a preset interfering-character list, so that the suffix character string with the interfering characters removed is used to judge whether it is identical to the target suffix character string.
12. The system according to claim 11, characterized by further comprising:
a refused-file special upload unit, configured to upload the file to be uploaded whose upload operation was refused to a honeypot server through a preset path; wherein the honeypot server has the same file parsing rules as a normal Web server;
a honeypot server parsing and operation recording unit, configured to parse the received file using the honeypot server to obtain the parsed file, and to record the operations performed by the parsed file;
a misjudgment determination unit, configured to determine whether a misjudgment occurred according to whether each operation causes harm to the honeypot terminal.
13. A device for defending against file upload verification bypass, characterized by comprising:
a memory, configured to store a computer program;
a processor, configured to implement the steps of the method for defending against file upload verification bypass according to any one of claims 1 to 6 when executing the computer program.
14. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and the steps of the method for defending against file upload verification bypass according to any one of claims 1 to 6 are implemented when the computer program is executed by a processor.
CN201811280248.2A 2018-10-30 2018-10-30 Method, system, device and medium for preventing file uploading verification from bypassing Active CN109327451B (en)

Publications (2)

Publication Number Publication Date
CN109327451A (en) 2019-02-12
CN109327451B CN109327451B (en) 2021-07-06

Family

ID=65259822

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811280248.2A Active CN109327451B (en) 2018-10-30 2018-10-30 Method, system, device and medium for preventing file uploading verification from bypassing

Country Status (1)

Country Link
CN (1) CN109327451B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109992967A (en) * 2019-03-12 2019-07-09 福建拓尔通软件有限公司 A kind of method and system for realizing automatic detection file security when file uploads
CN110309654A (en) * 2019-06-28 2019-10-08 四川长虹电器股份有限公司 The safety detection method and device that picture uploads
CN111901337A (en) * 2020-07-28 2020-11-06 中国平安财产保险股份有限公司 File uploading method and system and storage medium
CN113179280A (en) * 2021-05-21 2021-07-27 深圳市安之天信息技术有限公司 Deception defense method and device based on malicious code external connection behaviors and electronic equipment
CN113420300A (en) * 2021-06-21 2021-09-21 福建天晴数码有限公司 Method and system for detecting and defending file uploading vulnerability
CN113595997A (en) * 2021-07-14 2021-11-02 上海淇玥信息技术有限公司 File uploading safety detection method and device and electronic equipment

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100462990C (en) * 2005-12-12 2009-02-18 北京瑞星国际软件有限公司 Method and device for monitoring suspicious file start
CN101692267A (en) * 2009-09-15 2010-04-07 北京大学 Method and system for detecting large-scale malicious web pages
CN102609654A (en) * 2012-02-08 2012-07-25 北京百度网讯科技有限公司 Method and device for detecting malicious flash files
CN102833240A (en) * 2012-08-17 2012-12-19 中国科学院信息工程研究所 Malicious code capturing method and system
CN103209170A (en) * 2013-03-04 2013-07-17 汉柏科技有限公司 File type identification method and identification system
CN103235913A (en) * 2013-04-03 2013-08-07 北京奇虎科技有限公司 System, equipment and method used for identifying and intercepting bundled software
CN103310150A (en) * 2012-03-13 2013-09-18 百度在线网络技术(北京)有限公司 Method and device for detecting portable document format (PDF) vulnerability
CN104009881A (en) * 2013-02-27 2014-08-27 广东电网公司信息中心 Method and device for system penetration testing
CN104063309A (en) * 2013-03-22 2014-09-24 南京理工大学常熟研究院有限公司 Web application program bug detection method based on simulated strike
CN104766011A (en) * 2015-03-26 2015-07-08 国家电网公司 Sandbox detection alarming method and system based on main engine characteristic
US9355246B1 (en) * 2013-12-05 2016-05-31 Trend Micro Inc. Tuning sandbox behavior based on static characteristics of malware
US20160212160A1 (en) * 2009-11-26 2016-07-21 Huawei Digital Technologies(Cheng Du) Co., Limited Method, device and system for alerting against unknown malicious codes
CN107800718A (en) * 2017-11-29 2018-03-13 中科信息安全共性技术国家工程研究中心有限公司 A kind of file uploads the method for early warning device of leak

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
FATIH HALTAŞ: "An Automated Bot Detection System through Honeypots for Large-Scale", 《2014 6TH INTERNATIONAL CONFERENCE ON CYBER CONFLICT》 *
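Anonymous: "[Top-secret collection] Penetration testing methodology: file upload!", 《HTTPS://WWW.SOHU.COM/A/143477025_472906》 *
傅涛: "A vulnerability mining and analysis method based on combined static and dynamic analysis", 《软件》 *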

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109992967A (en) * 2019-03-12 2019-07-09 福建拓尔通软件有限公司 A kind of method and system for realizing automatic detection file security when file uploads
CN110309654A (en) * 2019-06-28 2019-10-08 四川长虹电器股份有限公司 The safety detection method and device that picture uploads
CN111901337A (en) * 2020-07-28 2020-11-06 中国平安财产保险股份有限公司 File uploading method and system and storage medium
CN111901337B (en) * 2020-07-28 2023-08-15 中国平安财产保险股份有限公司 File uploading method, system and storage medium
CN113179280A (en) * 2021-05-21 2021-07-27 深圳市安之天信息技术有限公司 Deception defense method and device based on malicious code external connection behaviors and electronic equipment
CN113420300A (en) * 2021-06-21 2021-09-21 福建天晴数码有限公司 Method and system for detecting and defending file uploading vulnerability
CN113420300B (en) * 2021-06-21 2023-09-08 福建天晴数码有限公司 Method and system for detecting and defending file uploading loopholes
CN113595997A (en) * 2021-07-14 2021-11-02 上海淇玥信息技术有限公司 File uploading safety detection method and device and electronic equipment

Also Published As

Publication number Publication date
CN109327451B (en) 2021-07-06

Similar Documents

Publication Publication Date Title
CN109327451A (en) A kind of method, system, device and medium that the upload verifying of defence file bypasses
CN109922052B (en) Malicious URL detection method combining multiple features
CN106357696B (en) SQL injection attack detection method and system
CN107659583B (en) Method and system for detecting attack in fact
CN110730175B (en) Botnet detection method and detection system based on threat information
EP3244335B1 (en) Blacklist generation device, blacklist generation system, blacklist generation method, and blacklist generation program
US9256736B2 (en) Method and system for monitoring webpage malicious attributes
CN110505235B (en) System and method for detecting malicious request bypassing cloud WAF
CN109768992B (en) Webpage malicious scanning processing method and device, terminal device and readable storage medium
CN104426906A (en) Identifying malicious devices within a computer network
KR101132197B1 (en) Apparatus and Method for Automatically Discriminating Malicious Code
CN110351248B (en) Safety protection method and device based on intelligent analysis and intelligent current limiting
CN107800686B (en) Phishing website identification method and device
CN111726364B (en) Host intrusion prevention method, system and related device
CN103532944A (en) Method and device for capturing unknown attack
JP2016033690A (en) Illegal intrusion detection device, illegal intrusion detection method, illegal intrusion detection program, and recording medium
CN110889113A (en) Log analysis method, server, electronic device and storage medium
Roopak et al. On effectiveness of source code and SSL based features for phishing website detection
CN106790102A (en) A kind of QR based on URL features yards of phishing recognition methods and system
Priya et al. A static approach to detect drive-by-download attacks on webpages
CN107294994B (en) CSRF protection method and system based on cloud platform
JP6716051B2 (en) Information processing apparatus, information processing method, and information processing program
CN113992442B (en) Trojan horse communication success detection method and device
KR102514214B1 (en) Method and system for preventing network pharming using big data and artificial intelligence
Huayu et al. Research on fog computing based active anti-theft technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant