CN109327451A - A kind of method, system, device and medium that the upload verifying of defence file bypasses - Google Patents
A kind of method, system, device and medium that the upload verifying of defence file bypasses Download PDFInfo
- Publication number
- CN109327451A CN109327451A CN201811280248.2A CN201811280248A CN109327451A CN 109327451 A CN109327451 A CN 109327451A CN 201811280248 A CN201811280248 A CN 201811280248A CN 109327451 A CN109327451 A CN 109327451A
- Authority
- CN
- China
- Prior art keywords
- suffix
- character string
- file
- filename
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/06—Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Information Transfer Between Computers (AREA)
Abstract
This application discloses a kind of defence files to upload the method that verifying bypasses, when carrying out uploading verifying to file to be uploaded, the filename of removal suffix is obtained first, and it detects in file name with the presence or absence of suffix character string identical with target suffix character string, and when discovery has suffix character string identical with the target suffix character string, refuse the upload of the file to be uploaded.The mode for only upload to most end suffix verifying is different from the prior art, the application also detects the suffix character string being hidden in filename, accurate detection effectively can be realized to existing a variety of modes that bypass, and a variety of server management softwares are adapted to the analysis mode of file, it can significantly reduce and a possibility that loophole endangers data in server and server is uploaded by file, safety is higher.The application further simultaneously discloses a kind of system, device and computer readable storage medium that the upload verifying of defence file bypasses, and has above-mentioned beneficial effect.
Description
Technical field
This application involves server security technical field, in particular to a kind of method that the upload verifying of defence file bypasses,
System, device and computer readable storage medium.
Background technique
When Web application increasingly horn of plenty while, Web server with its powerful computing capability, process performance and its
The higher-value contained is increasingly becoming primary challenge target.Sql command (is inserted into the submission of Web list or input domain by SQL injection
Name or page request inquiry string, be finally reached spoofing server execute malice sql command), (Web enters Webshell
The script attack tool invaded) security incidents such as attack, web page horse hanging, frequently occur.The users such as enterprise are generally using foundation in number
According to the first line of defence of the firewall (Firewall) as efficient public security system in link layer, network layer, transport layer, but due to
The problem of various physical presence, protection effect is unsatisfactory, therefore produces WAF.
WAF, Web Application Firewall, Web application guard system are a kind of by executing a series of be directed to
The security strategy of HTTP/HTTPS to provide product of the work in application layer of protection exclusively for Web application.Since its work exists
Application layer, therefore the Web application for belonging to one layer can be protected preferably, WAF is to from web application client
All kinds of requests carry out content detection and verifying, it is ensured that its safety and legitimacy give real-time blocking to illegal request, from
And effective protection is carried out to all kinds of web-sites.
Although WAF has significant progress compared to traditional firewall, can still there are some loopholes, cause by malice
File invasion uploads loophole using the file of Web server and the executable file of one malice is successfully uploaded to Web service
Device is exactly one of most fast method for most directly obtaining server permission.The loophole refers to that user uploads one and can hold
Capable script file, and obtain by this script file the ability of execute server sort command.File uploads this function sheet
There is no problem for body, and problematic is after file uploads, and how Web server handled, instrument of interpretation.If the processing of server is patrolled
It is volume not safe enough, it will lead to the file uploaded and explained by web container execute, to cause serious consequence.
Web server under mainstream framework is normally based on text to be uploaded when the file uploaded to one detects
The suffix of part judges whether type belonging to this document is that itself allows received file type, wherein suffix is usually position
In " .xxx " that filename is last, i.e., allow to upload by judging the mode whether " xxx " is in white list or blacklist
Or the execution of refusal upload operation.But such mode tend to bypass by multiple means to file to be uploaded it is true after
The detection sewed complies with the decision logic of file upload, but when server really parses this file, will become
One malicious file that really can be performed, and then cause damages to Web server.
For using the Web server of IIS earlier version, under the management of its Server Manager Daemon, it is assumed that it is only
Allow the image file that suffix format is .jpg to upload, therefore is linked as www.xxx.com/ when network image
xx.asp;When .jpg, can since last " .jpg " is by file uploading detection, but server to receive this file into
When row parsing, can not be parsed due to Server Default ";" number subsequent content, lead to xx.asp;.jpg this file is just solved
Analyse into asp file.And when this asp file includes hostile content, to server and clothes will be stored in the process of implementation
Data on business device cause damages.
Therefore, the prior art cannot prevent malicious file from bypassing means by the verifying of a variety of suffix come to Web well
Server causes damages, and how to overcome this technological deficiency, and providing a kind of anti-suffix around the stronger method of ability is this field
Technical staff's urgent problem to be solved.
Summary of the invention
The purpose of the application is to provide a kind of method that the upload verifying of defence file bypasses, and is carrying out to file to be uploaded
When passing verifying, the filename of removal suffix is obtained first, and is detected in file name and be whether there is and target suffix character string phase
Same suffix character string, and when discovery has suffix character string identical with the target suffix character string, it is to be uploaded to refuse this
The upload of file.The mode for only upload to most end suffix verifying is different from the prior art, the application is also to may hide
Suffix character string in filename is detected, and effectively can realize accurate detection to known around mode, and adapt to more
Kind server management software can significantly reduce to the analysis mode of file and endanger server and server by file upload loophole
A possibility that middle data, safety are higher.
The another object of the application is the provision of a kind of system, device and computer that the upload verifying of defence file bypasses
Readable storage medium storing program for executing.
To achieve the above object, the application provides a kind of method that the upload verifying of defence file bypasses, comprising:
Filename of the file to be uploaded in addition to suffix is extracted from file upload request;
It detects in the filename with the presence or absence of suffix character string identical with target suffix character string;
When, there are when the target suffix character string, refusal executes the file to be uploaded and uploads behaviour in the filename
Make.
Optionally, it detects in the filename with the presence or absence of suffix character string identical with target suffix character string, comprising:
Divide the filename using the suffix identifier in the filename, obtains each suffix character string;
It is respectively compared each suffix character string and whether the target suffix character string is identical;
It is corresponding, when, there are when the target suffix character string, refusal holds the file to be uploaded in the filename
Row upload operation, comprising:
When any suffix character string is identical as the target suffix character string, refusal holds the file to be uploaded
Row upload operation.
Optionally, divide the filename using the suffix identifier in the filename, obtain each suffix character string, wrap
It includes:
End label is added at the end of the filename;
The suffix identifier of search forward since the label of the end character by character, and the suffix each to search
Identifier adds suffix identification label;
It extracts the end label character string folded with special suffix identification label and each pair of adjacent suffix identifies
The folded character string of label, obtains each suffix character string;Wherein, the special suffix identification is marked labeled as with the end
Remember adjacent suffix identification label.
Optionally, it is respectively compared each suffix character string and whether the target suffix character string is identical, comprising:
Successively whether more each suffix character string and the target suffix character string are identical;
It is corresponding, when, there are when the target suffix character string, refusal holds the file to be uploaded in the filename
Row upload operation, comprising:
When current suffix character string is identical as the target suffix character string, refusal executes the file to be uploaded
Pass operation.
Optionally, which uploads the method that verifying bypasses further include:
Leave out each interference character appeared in default interference character list in each suffix character string, to use removal each
Suffix character string after the interference character is to determine whether identical as the target suffix character string.
Optionally, which uploads the method that verifying bypasses further include:
The file to be uploaded for executing upload operation will be rejected, honey jar server is uploaded to by preset path;Wherein, institute
It states honey jar server and possesses document analysis rule identical with normal Web server;
The file received, file after being parsed are parsed using the honey jar server, and record the parsing hereinafter
The operation that part executes;
It discriminates whether to judge by accident according to whether each operation causes damages to the honey jar terminal.
To achieve the above object, present invention also provides a kind of defence files to upload the system that verifying bypasses, the system packet
It includes:
Filename extraction unit, for extracting filename of the file to be uploaded in addition to suffix from file upload request;
Target suffix character string detection unit whether there is and target suffix character string phase for detecting in the filename
Same suffix character string;
Refuse uploading unit, for when in the filename there are when the target suffix character string, refusal to it is described to
Upper transmitting file executes upload operation.
Optionally, the target suffix character string detection unit includes:
Suffix identifier divides subelement, for dividing the filename using the suffix identifier in the filename,
Obtain each suffix character string;
Identical comparing subunit, for whether being respectively compared each suffix character string and the target suffix character string
It is identical;
Corresponding, the refusal uploading unit includes:
First refusal uploads subelement, identical as the target suffix character string for working as any suffix character string
When, refusal executes upload operation to the file to be uploaded.
Optionally, the suffix identifier segmentation subelement includes:
End marks add-on module, for adding end label at the end of the filename;
The search of suffix identifier and identification label add-on module, for the searching forward character by character since the label of the end
The suffix identifier is sought, and the suffix identifier each to search adds suffix identification label;
Suffix text string extracting module, for extracting the end label character string folded with special suffix identification label
Folded character string, obtains each suffix character string with each pair of adjacent suffix identification label;Wherein, the special suffix
Identification marks adjacent suffix to identify label labeled as with the end.
Optionally, the identical comparing subunit includes:
Successively comparison module, for successively more each suffix character string and the target suffix character string whether phase
Together;
Corresponding, the refusal uploading unit includes:
Second refusal uploads subelement, for refusing when current suffix character string is identical as the target suffix character string
The absolutely described file to be uploaded executes upload operation.
Optionally, which uploads the system that verifying bypasses further include:
Interfere character removal unit, for leave out appeared in each suffix character string it is each in default interference character list
Character is interfered, to use the suffix character string after removing each interference character to determine whether with the target suffix character string
It is identical.
Optionally, which uploads the system that verifying bypasses further include:
The special uploading unit of transmitting file is refused, passes through preset path for the file to be uploaded for executing upload operation will to be rejected
It is uploaded to honey jar server;Wherein, the honey jar server possesses document analysis rule identical with normal Web server;
The parsing of honey jar server and operation note unit, for parsing the file received using the honey jar server,
File after being parsed, and record the operation of file execution after the parsing;
Judgement unit is judged by accident, for discriminating whether to occur according to whether each operation causes damages to the honey jar terminal
Erroneous judgement.
To achieve the above object, present invention also provides a kind of defence files to upload the device that verifying bypasses, the device packet
It includes:
Memory, for storing computer program;
Processor realizes that the defence file as described in above content uploads verifying when for executing the computer program
The step of method bypassed.
To achieve the above object, described computer-readable to deposit present invention also provides a kind of computer readable storage medium
It is stored with computer program on storage media, realizes when the computer program is executed by processor and prevents as described in above content
Imperial file uploads the step of method that verifying bypasses.
Obviously, a kind of defence file provided herein uploads the method that verifying bypasses, and carries out to file to be uploaded
When uploading verifying, the filename of removal suffix is obtained first, and is detected in file name and be whether there is and target suffix character string
Identical suffix character string, and when discovery has suffix character string identical with the target suffix character string, refusal should be to upper
The upload of transmitting file.The mode for only upload to most end suffix verifying is different from the prior art, the application is also to possible hidden
The suffix character string being hidden in filename is detected, and effectively can realize accurate detection to known around mode, and adapt to
A variety of server management softwares can significantly reduce to the analysis mode of file and endanger server and service by file upload loophole
In device a possibility that data, safety is higher.
The application additionally provides a kind of system, device and computer-readable storage that the upload verifying of defence file bypasses simultaneously
Medium has above-mentioned beneficial effect, and details are not described herein.
Detailed description of the invention
In order to illustrate the technical solutions in the embodiments of the present application or in the prior art more clearly, to embodiment or will show below
There is attached drawing needed in technical description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this
The embodiment of application for those of ordinary skill in the art without creative efforts, can also basis
The attached drawing of offer obtains other attached drawings.
Fig. 1 is the flow chart that a kind of defence file provided by the embodiments of the present application uploads the method that verifying bypasses;
Fig. 2 is the flow chart that another defence file provided by the embodiments of the present application uploads the method that verifying bypasses;
It is a kind of in the method that Fig. 3 bypasses for defence file upload verifying provided by the embodiments of the present application to utilize suffix identifier
Segmentation obtains the flow chart of the method for suffix character string;
Fig. 4 is the flow chart of the method for the file to be uploaded that a kind of processing provided by the embodiments of the present application is rejected upload;
Fig. 5 be HTTP request under a kind of agreement for multipart/form-data provided by the embodiments of the present application into
The flow chart of the method for row suffix type detection;
Fig. 6 is a kind of flow diagram of method for carrying out suffix type detection provided by the embodiments of the present application;
Fig. 7 is the structural block diagram that a kind of defence file provided by the embodiments of the present application uploads the system that verifying bypasses.
Specific embodiment
The core of the application be to provide a kind of defence file upload the verifying method, system, device and the computer that bypass can
Storage medium is read, when carrying out uploading verifying to file to be uploaded, obtains the filename of removal suffix first, and detect this document
It whether there is suffix character string identical with target suffix character string in name, and exist and the target suffix character string phase in discovery
With suffix character string when, refuse the upload of the file to be uploaded.It is different from the prior art and only most end suffix is uploaded
The mode of verifying, the application also detect the suffix character string that may be hidden in filename, can be effectively to known
Accurate detection is realized around mode, and adapts to a variety of server management softwares to the analysis mode of file, can be significantly reduced and be passed through
File uploads a possibility that loophole endangers data in server and server, and safety is higher.
To keep the purposes, technical schemes and advantages of the embodiment of the present application clearer, below in conjunction with the embodiment of the present application
In attached drawing, the technical scheme in the embodiment of the application is clearly and completely described, it is clear that described embodiment is
Some embodiments of the present application, instead of all the embodiments.Based on the embodiment in the application, those of ordinary skill in the art
All other embodiment obtained without making creative work, shall fall in the protection scope of this application.
Embodiment one
Below in conjunction with Fig. 1, Fig. 1 is the stream that a kind of defence file provided by the embodiments of the present application uploads the method that verifying bypasses
Cheng Tu, specifically includes the following steps:
S101: filename of the file to be uploaded in addition to suffix is extracted from file upload request;
This step is intended to obtain filename of the file to be uploaded in addition to suffix, and the part being removed is can be by the prior art
It is identified as the part of suffix.By taking xxxxx.txt file as an example, the file that this step obtains is entitled " xxxxx ", eliminates identified
For the part of .txt.
Wherein, file name can upload HTTP request contained in file as the Partial Feature packet of the file to be uploaded
In, uploading file verification mechanism extraction will obtain filename under the predeterminated position of the HTTP request.Based on different specific agreements
It may include different types of information in the HTTP request of formation, put in order and be also not quite similar, therefore extract this article
It is also required to be adjusted according to the agreement that HTTP request uses when part name.Such as the HTTP request obtained based on RFC1867 agreement,
It increases file attribute on the basis of standard HTTP for INPUT label, and the method for also defining Form is necessary
It is necessary for multipart/form-data for POST, ENCTYPE, in the HTTP request formed based on this agreement, filename can be
It extracts and obtains in filename field in multipart/form-data.
File type identification can be carried out to the filename of related suffix in the prior art, still be with xxxxx.txt file
Example, it is found that its suffix is txt, and file type is text document, and uploads the verifying of authentication mechanism to file according to itself, is sentenced
Whether the file of this type of other text document is allowed to upload, should if the file that file type is image is only allowed to upload
File can be rejected upload due to being text document, if the file of text document type is also allowed to upload, this document can quilt
Allow to upload.
Therefore, whether the prior art can't be that true suffix judges to the suffix that it differentiates, can't be to except most
Character string outside the suffix at end is judged, therefore, in the case where being concealed with true suffix in the filename except suffix, is incited somebody to action
Verifying of the prior art to file upload mechanism can be bypassed.
So this step peels off the suffix that can be identified by conventional means first, obtain not carried out again by the prior art
The filename of secondary identification, and the suffix character string that may be hidden in file name is again identified that in the next steps,
To prevent the verifying around upload mechanism.
S102: it whether there is suffix character string identical with target suffix character string in detection filename;
On the basis of S101, this step is intended to detect in filename with the presence or absence of after identical with target suffix character string
Sew character string, wherein target suffix character string, which should be, is not uploaded the mechanism existing suffix character string of permission, number in verifying
It measures and is not specifically limited, can be also possible to unique to be multiple, multiple target suffix character strings can be also used for after being formed
Sew blacklist, such as the suffix of script file type can be performed in php, asp this kind.I.e. this step carries out character string to filename
Detection, be by the suffix that increases a part of other file types behind true suffix or to interfere the side of character in order to prevent
Formula bypasses the verifying of existing upload mechanism, therefore this partial character will be determined as filename by existing upload mechanism, and being will not
It is detected.
In order to allow the file to be uploaded of a non-permitted file type, (with text document, this class file is in the prior art
Example) also it can pass through two ways by the verifying of upload file verification mechanism, big cognition: first, directly by the true of file
Suffix information is revised as satisfactory suffix information, i.e., is directly revised as the suffix of an xxxx.jpg image file
Xxxx.txt, with by authentication mechanism the file of txt format (require nothing more than upload), but will lead to originally should be by for such modification mode
It can not be executed according to the unfolding mode of text document according to the file that the mode of checking of image file could execute, therefore such mode
With modified unenforceability, can not cause damages to the Web server for being stored with the modified file.The application is simultaneously
It is not directed to such situation.
Second, retaining true suffix, and add some information again after true suffix, such as xxxx.jpg is revised as
xxxx.jpg;.txt, file modified in this way can be in the existing side only verified to the suffix information at end in filename
By verifying under formula, and it is successfully uploaded to Web server, but in Web server when parsing this file, can be neglected due to default
Slightly be located at ";" (a kind of truncation character, can by be located at this character before and after two parts message truncation) after information, will
xxxx.jpg;.txt document analysis is xxxx.jpg file, once hostile content is carried in the xxxx.jpg file, in its quilt
When execution will data to Web server and thereon cause damages.The application is mainly for boring file in the way of such
Uploading loophole will be such that a file executes in server end, and then the case where endanger server and data thereon.
When determining the suffix character string in file name, will mainly be obtained using suffix identifier-" " shaped like rear
Sew the suffix character string (shaped like " .xxx "), still takes xxxx.jpg;.txt this example can find .jpg (or .jpg;) and
.txt two, in the case, in order to prevent including truncation character including interference character caused by interfere, can also remove or
Ignore the interference character that may include in each suffix character string, to finally obtain two suffix informations of .jpg and .txt, and and mesh
Comparison of mark suffix character string whether carry out identical, it is assumed that do not allow suffix to be .jpg, when the file that type is image uploads, just
Can be found in filename its conceal the file that can be resolved to .jpg format after upload (because;In number subsequent
Appearance will not be resolved, and can be ignored), so that defence is known to bypass means.
On this basis, determine that the concrete mode of each suffix character string also has much based on suffix identifier, Ke Yitong
When determine all suffix identifiers in filename, then text string extracting folded between adjacent suffix identifier two-by-two is come out point
Not Zuo Wei a suffix character string, to judge whether each suffix character string identical as target suffix character string simultaneously and (differentiate
The type file whether is allowed to be uploaded);It can also be found one by one from one end of filename to the other end in a certain order
Suffix identifier, i.e., a suffix character string can be obtained by finding a suffix identifier every time, and judge this rear asyllabia
Whether symbol string is identical as target suffix character string, if this current suffix character string and target suffix character string be not identical, edge
Identical direction continues to search for suffix identifier forward, until the suffix character string identical with target suffix character string looked for
Terminate.
In simple terms, first way can carry out and target suffix each suffix character string being contained in filename
The whether identical judgement of character string, will not omit each suffix character string determined, each suffix character string can obtain
Result information whether identical with target suffix character string is adaptable to more complicated, richer refusal and uploads strategy, such as
There are several suffix character strings identical with target suffix character string, there are combinations of which specific suffix character string etc.
Deng, and optionally the mode based on serial or parallel carries out this deterministic process, serially and successively judges each rear asyllabia
Whether symbol string is identical as target suffix character string, after then taking multiple or all suffix character strings determined and target simultaneously parallel
Sew character string to be compared, it can be according to practical application scene flexible choice.
The second way finds a suffix identifier compared to first way every time, and obtains by the suffix mark
As soon as the suffix character string that symbol is partitioned into is known, whether taking this suffix character string identical as the character string carry out of target suffix later
Comparison, if not identical, just and so on look for next suffix identifier and next suffix character string, then be compared, directly
To find suffix character string identical with target suffix character string or all suffix character strings with the target suffix character string not
Mutually it is completed at the same time deterministic process.Compared to first method, discovery one or a small number of target suffix character strings are being only required just
Refusal upload when, may not need all suffix character strings for determining to include in file name, can save portion of time and
Resource.
Which kind of specifically also need not do and have herein come flexible choice according to the demand under practical application scene using mode
Body limits.
S103: when, there are when target suffix character string, refusal executes upload operation to file to be uploaded in filename.
On the basis of S102, when there are when target suffix character string, have to cause damages to Web server in filename
Possibility, just refusal executes upload operation to file to be uploaded.Have found that it can hide should not occur in filename
Suffix character string, illustrate which employs attempt the verifying around existing upload mechanism around mode.
Further, it is assumed that determine 5 different suffix informations in the filename of a file to be uploaded, respectively correspond
Whether 5 kinds of different file types are being refused to come across in the deterministic process that the file to be uploaded uploads with sets itself
The number of suffix information in suffix blacklist, when being set as 2, only when 5 suffix informations of the filename of the file to be uploaded
In when thering are 2 suffix informations to be located on suffix blacklist, just refuse the file to be uploaded and execute upload operation.At the same time it can also
Setting is just to refuse the upload of this document when which two suffix information exists simultaneously.
Different danger classes can also be set for the different suffix informations in suffix blacklist, when a file to be uploaded
Filename in just refuse to upload when at least there is the suffix information of a high-risk grade, and at least there is two low danger etc.
Just refusal upload the etc. when suffix information of grade.Wherein, different danger classes is arranged for different suffix informations can be according to going through
History threatens the frequency of occurrence of the true suffix to cause damages in sample to server to set, can also be according to files in different types
The size that causes damages when comprising hostile content to server determines, herein and is not specifically limited.
Further, in order to prevent existing for such mode a possibility that erroneous judgement, it can also utilize sandbox, honey jar etc. can
Control system environments simulates parsing of the true Web server to file, can by the way that the file for being rejected upload is uploaded to these
The operation of its execution is observed in control system environments to determine whether to be judged by accident, to adjust suffix blacklist or refusal machine
System.
Based on the above-mentioned technical proposal, a kind of defence file provided by the embodiments of the present application uploads the method that verifying bypasses,
When carrying out uploading verifying to file to be uploaded, the filename of removal suffix is obtained first, and is detected in file name and be whether there is
Suffix character string identical with target suffix character string, and there is suffix character identical with the target suffix character string in discovery
When string, refuse the upload of the file to be uploaded.The mode for only upload to most end suffix verifying is different from the prior art, this
Application also detects the suffix character string being hidden in filename, effectively can realize accurate inspection to known around mode
It surveys, and adapts to a variety of server management softwares to the analysis mode of file, can significantly reduce and loophole harm clothes are uploaded by file
A possibility that data in device and server of being engaged in, safety is higher.
Embodiment two
Below in conjunction with Fig. 2, Fig. 2 is that another defence file provided by the embodiments of the present application uploads the method that verifying bypasses
Flow chart, is different from embodiment one, and the present embodiment is detected by S202 and S203 according to the first way referred in S102
It whether there is suffix character string identical with target suffix character string in filename, S204 gives one kind and is specifically performed refusal
The strategy of upload operation, specific steps are as follows:
S201: filename of the file to be uploaded in addition to suffix is extracted from file upload request;
S202: divide filename using the suffix identifier in filename, obtain each suffix character string;
Still with xxxx.jpg;.txt for, it is found that wherein exist two suffix identifiers-" ", as point
Symbol is cut, can divide to obtain " jpg;" the suffix character string different with " txt " two.
It under normal conditions, can be directly using each suffix character string as after when including the interference character such as truncation character
Sew information use, but include shaped like ";", " 00ttt ", the truncation character character such as ":: DATA " when, it is also necessary to exclude this
Partial character is interfered caused by it, to obtain real suffix information.
A kind of implementation for including but is not limited to are as follows:
Leave out each interference character appeared in default interference character list in each suffix character string, obtains preferred suffix character
String, and using preferred suffix character string as suffix information.Wherein, comprising a variety of for realizing truncation in the default interference character list
Truncation character and other interference characters, can also be according to being constantly updated around mode of constantly converting.
S203: being respectively compared each suffix character string and whether target suffix character string is identical;
I.e. this step is carried out with the target suffix character string using each suffix character string being included in filename
Whether identical comparison.
S204: when any suffix character string is identical as target suffix character string, refusal executes upload to file to be uploaded
Operation.
When any suffix character string is identical as target suffix character string, just refusal executes file to be uploaded and uploads behaviour
Make, to realize that stringenter refusal uploads strategy.
Embodiment three
Below in conjunction with Fig. 3, Fig. 3 is that defence file provided by the embodiments of the present application uploads a kind of benefit in the method that verifying bypasses
Divide the flow chart for the method for obtaining suffix character string with suffix identifier, the present embodiment gives a kind of specific for S202
Implementation, remaining step without modification, specifically includes the following steps:
S301: end label is added at the end of filename;
With xxxx.jpg;.txt for, end label should be attached to after txt.
S302: the file suffixes identifier of search forward since the label of end character by character, and the text each to search
Part suffix identifier adds suffix identification label;
Wherein, suffix identifier is " ", i.e. identification of this step since the end mark of filename character by character is each
Whether character is " ", and adds suffix identification label for each " ".
With xxxx.jpg;.txt for, can be located at it is before txt and adjacent " " and before jpg and adjacent
" " adds suffix identification label.
S303: extracting the end label character string folded with special suffix identification label and each pair of adjacent suffix identification marks
Folded character string obtains each suffix character string;
With xxxx.jpg;.txt for, " jpg can be finally obtained;" character string different with " txt " two, and made
For two suffix character strings.
Example IV
Below in conjunction with Fig. 4, Fig. 4 is the side for the file to be uploaded that a kind of processing provided by the embodiments of the present application is rejected upload
The flow chart of method, the present embodiment according to a possibility that the erroneous judgement that may be present referred in S103 for make judgement it is more accurate,
A kind of concrete implementation mode is provided, specific implementation step is as follows:
S401: the file to be uploaded for being rejected upload is uploaded to honey jar server by preset path;
Wherein, which is the paths for being different from normal file and uploading path, is directed toward honey jar server.It needs
It is noted that honey jar server possesses document analysis rule identical with normal Web server, to simulate to the full extent just
Normal Web server after receiving this originally and should refuse the file uploaded it can happen that.
S402: parsing the file that receives, file after parse using honey jar server, and record parse after file hold
Capable operation;
S403: it discriminates whether to judge by accident according to whether each operation causes damages to honey jar terminal.
The file that this process record obtains can be adjusted refusal using big data analysis method and upload strategy, constantly be promoted
The safety of Web server.
Embodiment five
In order to deepen the understanding to the present application point, the present embodiment will combine concrete application scene to the technology of the application
How scheme, which goes to realize, is introduced, wherein the present embodiment is directed to multipart/form- defined in RFC1867
Data agreement is mainly uploaded by file to multipart and carries out data and parse to obtain filename, and to including in filename
All suffix information combination suffix blacklists detected, solved under current mechanism mainstream Web server to improper
There are different parsing results for multipart/form-data protocol format, so as to cause the normal detection for having bypassed WAF, brill
File uploads the problem of loophole, and specific embodiment refers to Fig. 5:
1) HTTP request (file upload request) sent from Client (client) is received;
It should be noted that WAF is in this scenario between Client and Server, for receiving from Client's
HTTP request, and it is detected according to itself preset strategy, and execute corresponding movement according to testing result, and to
Server returns to corresponding response message.
Concrete implementation process can be with are as follows:
(1) file upload request is initiated at the end Client, and WAF parses the request header of the request, recognizes HTTP
Multipart file upload, caching body data (body matter part, including text, character in request etc.) to link with
On track, and start to parse body data according to multipart format;
It (2), can be by the secondary request when having cached body data+this time request body data length no more than buffer size
Body data continue to be cached in link tracking, while according to the body data of multipart format parsing caching;
(3) when having cached body data+this time request body data length more than buffer size, according to multipart
Format parses the body data cached, empties the cache;This time is requested on body data buffer storage to link tracking simultaneously, according to
The body data of multipart format parsing caching;
(4) process 2,3 is repeated, until after whole body data are all resolved, to parsing obtained filename word
The information of section carries out the detection of suffix blacklist, and according to testing result to the end Server returning response data.
2) judge whether it is the HTTP request under multipart/form-data agreement;
This step is intended to filter out the HTTP request constituted with multipart/form-data agreement.
3) it parses and saves filename field value all in the HTTP request;
This step is established starts all filename words of parsing preservation on the basis of the judging result of step 2), which is, is
Segment value.
4) judge in filename field value whether include and consistent suffix information in suffix type blacklist;
5) it reports log and intercepts/let pass the HTTP request according to preset implementation strategy;
The foundation of this step is in filename field value in the judging result of step 4)
In on the basis of consistent suffix information, log will be reported and intercept/let pass the HTTP request according to preset implementation strategy.
Based on above-mentioned process, also refers to the schematic diagram of Fig. 6 and add come detection process in conjunction with an actual filename
The deep understanding that all suffix informations how are determined to this programme:
1. " " (suffix identifier) is searched for since the end of filename (* * * .txt.php x00tt.xxx.exe),
Record an end offset End (being equal to additional end label);
2. searching out " " (suffix identifier) and then recording one and start to deviate Start and (be equal to the identification of an additional suffix
Label), judge that the content that Start to End is directed toward whether there is in suffix type blacklist, is to report log, according to strategy
Interception/clearance;It is not to record End again, and continually look for previous " " (suffix identifier), and so on, to all
Type suffix all detect;
3. then End is referred to when encountering truncation character (such as: x00) during searching " " (suffix identifier)
To the previous position (skip truncation character and non-stop) of truncation character, " " (suffix identifier) is continually looked for;
4. filtering out most end when matching:: $ DATA character string prevents the file stream suffix of Windows from bypassing.
The Web means of defence that the detection of suffix type blacklist is uploaded using file provided in this embodiment, is being parsed
When, it not only supports normal protocol format to parse, should also be compatible with the parsing of mainstream server, it is finally black in progress suffix type
When list detects, it is also compatible with mainstream server.By the suffix class list testing mechanism of such strong compatibility, it is capable of detecting when mesh
Preceding known All Files upload suffix around attack.
Because situation is complicated, it can not enumerate and be illustrated, those skilled in the art should be able to recognize according to the application
The basic skills principle combination actual conditions of offer may exist many examples, in the case where not paying enough creative works,
It should within the scope of protection of this application.
Embodiment six
Fig. 7 is referred to below, and Fig. 7 is that a kind of defence file provided by the embodiments of the present application uploads the system that verifying bypasses
Structural block diagram, the system may include:
Filename extraction unit 100, for extracting filename of the file to be uploaded in addition to suffix from file upload request;
Target suffix character string detection unit 200 whether there is and target suffix character string phase for detecting in filename
Same suffix character string;
Refuse uploading unit 300, for when, there are when target suffix character string, refusal holds file to be uploaded in filename
Row upload operation.
Wherein, target suffix character string detection unit 200 may include:
Suffix identifier divides subelement, for dividing filename using the suffix identifier in filename, obtain it is each after
Sew character string;
Whether identical comparing subunit is identical for being respectively compared each suffix character string and target suffix character string;
Corresponding, refusal uploading unit 300 may include:
First refusal uploads subelement, is used for when any suffix character string is identical as target suffix character string, refusal pair
File to be uploaded executes upload operation.
Wherein, suffix identifier segmentation subelement may include:
End marks add-on module, for adding end label at the end of filename;
The search of suffix identifier and identification label add-on module, after the search forward since the label of end character by character
Sew identifier, and the suffix identifier each to search adds suffix identification label;
Suffix text string extracting module, for extracting the end label character string folded with special suffix identification label and every
The character string folded to adjacent suffix identification label, obtains each suffix character string;Wherein, special suffix identification is labeled as and end
Adjacent suffix is marked to identify label.
Wherein, identical comparing subunit may include:
Successively comparison module, for successively whether more each suffix character string and target suffix character string to be identical;
Corresponding, refusal uploading unit 300 may include:
Second refusal uploads subelement, is used for when current suffix character string is identical as target suffix character string, refusal pair
File to be uploaded executes upload operation.
Further, which, which uploads the system that verifying bypasses, to include:
Character removal unit is interfered, for leaving out each interference appeared in default interference character list in each suffix character string
Character, to use the suffix character string after removing each interference character to determine whether identical as target suffix character string.
Further, which, which uploads the system that verifying bypasses, to include:
The special uploading unit of transmitting file is refused, passes through preset path for the file to be uploaded for executing upload operation will to be rejected
It is uploaded to honey jar server;Wherein, honey jar server possesses document analysis rule identical with normal Web server;
The parsing of honey jar server and operation note unit are obtained for parsing the file received using honey jar server
File after parsing, and record the operation of file execution after parsing;
Judgement unit is judged by accident, for discriminating whether to judge by accident according to whether each operation causes damages to honey jar terminal.
Based on the above embodiment, present invention also provides a kind of defence files to upload the device that verifying bypasses, which can
To include memory and processor, wherein have computer program in the memory, which calls the meter in the memory
When calculation machine program, step provided by above-described embodiment may be implemented.Certainly, which can also include various necessary networks
Interface, power supply and other components etc..
Present invention also provides a kind of computer readable storage mediums, have computer program thereon, the computer program
Step provided by above-described embodiment may be implemented when being performed terminal or processor execution.The storage medium may include: U
Disk, mobile hard disk, read-only memory (Read-Only Memory, ROM), random access memory (Random Access
Memory, RAM), the various media that can store program code such as magnetic or disk.
Specific examples are used herein to illustrate the principle and implementation manner of the present application, and between each embodiment
For progressive relationship, each embodiment focuses on the differences from other embodiments, identical between each embodiment
Similar portion may refer to each other.For the device disclosed in the embodiment, reference can be made to corresponding method part illustration.The above reality
The explanation for applying example is merely used to help understand the present processes and its core concept.For the ordinary skill people of the art
Member for, under the premise of not departing from the application principle, can also to the application, some improvement and modification can also be carried out, these improve and
Modification is also fallen into the protection scope of the claim of this application.
It should also be noted that, in the present specification, relational terms such as first and second and the like be used merely to by
One entity or operation are distinguished with another entity or operation, without necessarily requiring or implying these entities or operation
Between there are any actual relationship or orders.Moreover, the terms "include", "comprise" or its any other variant meaning
Covering non-exclusive inclusion, so that the process, method, article or equipment for including a series of elements not only includes that
A little elements, but also other elements including being not explicitly listed, or further include for this process, method, article or
The intrinsic element of equipment.In the absence of more restrictions, the element limited by sentence "including a ...", is not arranged
Except there is also other identical elements in the process, method, article or equipment for including element.
Claims (14)
1. a kind of defence file uploads the method that verifying bypasses, which is characterized in that the described method includes:
Filename of the file to be uploaded in addition to suffix is extracted from file upload request;
It detects in the filename with the presence or absence of suffix character string identical with target suffix character string;
When, there are when the target suffix character string, refusal executes upload operation to the file to be uploaded in the filename.
2. the method according to claim 1, wherein detecting in the filename whether there is and asyllabia after target
The identical suffix character string of symbol string, comprising:
Divide the filename using the suffix identifier in the filename, obtains each suffix character string;
It is respectively compared each suffix character string and whether the target suffix character string is identical;
It is corresponding, when, there are when the target suffix character string, refusal executes the file to be uploaded in the filename
Pass operation, comprising:
When any suffix character string is identical as the target suffix character string, refusal executes the file to be uploaded
Pass operation.
3. according to the method described in claim 2, it is characterized in that, using described in the suffix identifier segmentation in the filename
Filename obtains each suffix character string, comprising:
End label is added at the end of the filename;
The suffix identifier of search forward since the label of the end character by character, and the suffix mark each to search
Accord with additional suffix identification label;
It extracts the end label character string folded with special suffix identification label and each pair of adjacent suffix identification marks
Folded character string obtains each suffix character string;Wherein, the special suffix identification marks phase labeled as with the end
Adjacent suffix identifies label.
4. according to the method described in claim 2, it is characterized in that, being respectively compared each suffix character string and the target
Whether suffix character string is identical, comprising:
Successively whether more each suffix character string and the target suffix character string are identical;
It is corresponding, when, there are when the target suffix character string, refusal executes the file to be uploaded in the filename
Pass operation, comprising:
When current suffix character string is identical as the target suffix character string, refusal executes the file to be uploaded and uploads behaviour
Make.
5. according to the described in any item methods of claim 2 to 4, which is characterized in that further include:
Leave out each interference character appeared in default interference character list in each suffix character string, to use removal each described
Suffix character string after interfering character is to determine whether identical as the target suffix character string.
6. according to the method described in claim 5, it is characterized by further comprising:
The file to be uploaded for executing upload operation will be rejected, honey jar server is uploaded to by preset path;Wherein, the honey
Tank server possesses document analysis rule identical with normal Web server;
The file that receives, file after being parsed are parsed using the honey jar server, and file is held after recording the parsing
Capable operation;
It discriminates whether to judge by accident according to whether each operation causes damages to the honey jar terminal.
7. a kind of defence file uploads the system that verifying bypasses, which is characterized in that the system comprises:
Filename extraction unit, for extracting filename of the file to be uploaded in addition to suffix from file upload request;
Target suffix character string detection unit, for detecting in the filename with the presence or absence of identical with target suffix character string
Suffix character string;
Refuse uploading unit, for when, there are when the target suffix character string, refusal is to described to be uploaded in the filename
File executes upload operation.
8. system according to claim 7, which is characterized in that the target suffix character string detection unit includes:
Suffix identifier divides subelement, for dividing the filename using the suffix identifier in the filename, obtains
Each suffix character string;
Identical comparing subunit, for be respectively compared each suffix character string and the target suffix character string whether phase
Together;
Corresponding, the refusal uploading unit includes:
First refusal uploads subelement, for refusing when any suffix character string is identical as the target suffix character string
The absolutely described file to be uploaded executes upload operation.
9. according to the method described in claim 8, it is characterized in that, suffix identifier segmentation subelement includes:
End marks add-on module, for adding end label at the end of the filename;
The search of suffix identifier and identification label add-on module, for the institute of search forward since the label of the end character by character
Suffix identifier is stated, and the suffix identifier each to search adds suffix identification label;
Suffix text string extracting module, for extracting the end label character string folded with special suffix identification label and every
The character string folded to the adjacent suffix identification label, obtains each suffix character string;Wherein, the special suffix identification
It is marked labeled as marking adjacent suffix to identify with the end.
10. system according to claim 8, which is characterized in that the identical comparing subunit includes:
Successively comparison module, for successively whether more each suffix character string and the target suffix character string to be identical;
Corresponding, the refusal uploading unit includes:
Second refusal uploads subelement, is used for when current suffix character string is identical as the target suffix character string, refusal pair
The file to be uploaded executes upload operation.
11. according to the described in any item systems of claim 8 to 10, which is characterized in that further include:
Character removal unit is interfered, for leaving out each interference appeared in default interference character list in each suffix character string
Character, to use the suffix character string after removing each interference character to determine whether with the target suffix character string phase
Together.
12. system according to claim 11, which is characterized in that further include:
The special uploading unit of transmitting file is refused, the file to be uploaded for that will be rejected execution upload operation passes through preset path and uploads
To honey jar server;Wherein, the honey jar server possesses document analysis rule identical with normal Web server;
The parsing of honey jar server and operation note unit are obtained for parsing the file received using the honey jar server
File after parsing, and record the operation of file execution after the parsing;
Judgement unit is judged by accident, for discriminating whether to miss according to whether each operation causes damages to the honey jar terminal
Sentence.
13. a kind of defence file uploads the device that verifying bypasses characterized by comprising
Memory, for storing computer program;
Processor realizes that defence file as claimed in any one of claims 1 to 6 such as uploads when for executing the computer program
The step of verifying the method bypassed.
14. a kind of computer readable storage medium, which is characterized in that be stored with computer on the computer readable storage medium
Program realizes that defence file as claimed in any one of claims 1 to 6 upload such as is tested when the computer program is executed by processor
The step of demonstrate,proving the method bypassed.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811280248.2A CN109327451B (en) | 2018-10-30 | 2018-10-30 | Method, system, device and medium for preventing file uploading verification from bypassing |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201811280248.2A CN109327451B (en) | 2018-10-30 | 2018-10-30 | Method, system, device and medium for preventing file uploading verification from bypassing |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109327451A true CN109327451A (en) | 2019-02-12 |
| CN109327451B CN109327451B (en) | 2021-07-06 |
Family
ID=65259822
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201811280248.2A Active CN109327451B (en) | 2018-10-30 | 2018-10-30 | Method, system, device and medium for preventing file uploading verification from bypassing |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109327451B (en) |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109992967A (en) * | 2019-03-12 | 2019-07-09 | 福建拓尔通软件有限公司 | A kind of method and system for realizing automatic detection file security when file uploads |
| CN110309654A (en) * | 2019-06-28 | 2019-10-08 | 四川长虹电器股份有限公司 | The safety detection method and device that picture uploads |
| CN111901337A (en) * | 2020-07-28 | 2020-11-06 | 中国平安财产保险股份有限公司 | File uploading method and system and storage medium |
| CN113179280A (en) * | 2021-05-21 | 2021-07-27 | 深圳市安之天信息技术有限公司 | Deception defense method and device based on malicious code external connection behaviors and electronic equipment |
| CN113420300A (en) * | 2021-06-21 | 2021-09-21 | 福建天晴数码有限公司 | Method and system for detecting and defending file uploading vulnerability |
| CN113595997A (en) * | 2021-07-14 | 2021-11-02 | 上海淇玥信息技术有限公司 | File uploading safety detection method and device and electronic equipment |
Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100462990C (en) * | 2005-12-12 | 2009-02-18 | 北京瑞星国际软件有限公司 | Method and device for monitoring suspicious file start |
| CN101692267A (en) * | 2009-09-15 | 2010-04-07 | 北京大学 | Method and system for detecting large-scale malicious web pages |
| CN102609654A (en) * | 2012-02-08 | 2012-07-25 | 北京百度网讯科技有限公司 | Method and device for detecting malicious flash files |
| CN102833240A (en) * | 2012-08-17 | 2012-12-19 | 中国科学院信息工程研究所 | Malicious code capturing method and system |
| CN103209170A (en) * | 2013-03-04 | 2013-07-17 | 汉柏科技有限公司 | File type identification method and identification system |
| CN103235913A (en) * | 2013-04-03 | 2013-08-07 | 北京奇虎科技有限公司 | System, equipment and method used for identifying and intercepting bundled software |
| CN103310150A (en) * | 2012-03-13 | 2013-09-18 | 百度在线网络技术(北京)有限公司 | Method and device for detecting portable document format (PDF) vulnerability |
| CN104009881A (en) * | 2013-02-27 | 2014-08-27 | 广东电网公司信息中心 | Method and device for system penetration testing |
| CN104063309A (en) * | 2013-03-22 | 2014-09-24 | 南京理工大学常熟研究院有限公司 | Web application program bug detection method based on simulated strike |
| CN104766011A (en) * | 2015-03-26 | 2015-07-08 | 国家电网公司 | Sandbox detection alarming method and system based on main engine characteristic |
| US9355246B1 (en) * | 2013-12-05 | 2016-05-31 | Trend Micro Inc. | Tuning sandbox behavior based on static characteristics of malware |
| US20160212160A1 (en) * | 2009-11-26 | 2016-07-21 | Huawei Digital Technologies(Cheng Du) Co., Limited | Method, device and system for alerting against unknown malicious codes |
| CN107800718A (en) * | 2017-11-29 | 2018-03-13 | 中科信息安全共性技术国家工程研究中心有限公司 | A kind of file uploads the method for early warning device of leak |
-
2018
- 2018-10-30 CN CN201811280248.2A patent/CN109327451B/en active Active
Patent Citations (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100462990C (en) * | 2005-12-12 | 2009-02-18 | 北京瑞星国际软件有限公司 | Method and device for monitoring suspicious file start |
| CN101692267A (en) * | 2009-09-15 | 2010-04-07 | 北京大学 | Method and system for detecting large-scale malicious web pages |
| US20160212160A1 (en) * | 2009-11-26 | 2016-07-21 | Huawei Digital Technologies(Cheng Du) Co., Limited | Method, device and system for alerting against unknown malicious codes |
| CN102609654A (en) * | 2012-02-08 | 2012-07-25 | 北京百度网讯科技有限公司 | Method and device for detecting malicious flash files |
| CN103310150A (en) * | 2012-03-13 | 2013-09-18 | 百度在线网络技术(北京)有限公司 | Method and device for detecting portable document format (PDF) vulnerability |
| CN102833240A (en) * | 2012-08-17 | 2012-12-19 | 中国科学院信息工程研究所 | Malicious code capturing method and system |
| CN104009881A (en) * | 2013-02-27 | 2014-08-27 | 广东电网公司信息中心 | Method and device for system penetration testing |
| CN103209170A (en) * | 2013-03-04 | 2013-07-17 | 汉柏科技有限公司 | File type identification method and identification system |
| CN104063309A (en) * | 2013-03-22 | 2014-09-24 | 南京理工大学常熟研究院有限公司 | Web application program bug detection method based on simulated strike |
| CN103235913A (en) * | 2013-04-03 | 2013-08-07 | 北京奇虎科技有限公司 | System, equipment and method used for identifying and intercepting bundled software |
| US9355246B1 (en) * | 2013-12-05 | 2016-05-31 | Trend Micro Inc. | Tuning sandbox behavior based on static characteristics of malware |
| CN104766011A (en) * | 2015-03-26 | 2015-07-08 | 国家电网公司 | Sandbox detection alarming method and system based on main engine characteristic |
| CN107800718A (en) * | 2017-11-29 | 2018-03-13 | 中科信息安全共性技术国家工程研究中心有限公司 | A kind of file uploads the method for early warning device of leak |
Non-Patent Citations (3)
| Title |
|---|
| FATIH HALTAŞ: "An Automated Bot Detection System through Honeypots for Large-Scale", 《2014 6TH INTERNATIONAL CONFERENCE ON CYBER CONFLICT》 * |
| 佚名: "【绝密珍藏】渗透测试方法论之文件上传!", 《HTTPS://WWW.SOHU.COM/A/143477025_472906》 * |
| 傅涛: "一种基于静、动态分析相结合的漏洞挖掘分析方法", 《软件》 * |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109992967A (en) * | 2019-03-12 | 2019-07-09 | 福建拓尔通软件有限公司 | A kind of method and system for realizing automatic detection file security when file uploads |
| CN110309654A (en) * | 2019-06-28 | 2019-10-08 | 四川长虹电器股份有限公司 | The safety detection method and device that picture uploads |
| CN111901337A (en) * | 2020-07-28 | 2020-11-06 | 中国平安财产保险股份有限公司 | File uploading method and system and storage medium |
| CN111901337B (en) * | 2020-07-28 | 2023-08-15 | 中国平安财产保险股份有限公司 | File uploading method, system and storage medium |
| CN113179280A (en) * | 2021-05-21 | 2021-07-27 | 深圳市安之天信息技术有限公司 | Deception defense method and device based on malicious code external connection behaviors and electronic equipment |
| CN113420300A (en) * | 2021-06-21 | 2021-09-21 | 福建天晴数码有限公司 | Method and system for detecting and defending file uploading vulnerability |
| CN113420300B (en) * | 2021-06-21 | 2023-09-08 | 福建天晴数码有限公司 | Method and system for detecting and defending file uploading loopholes |
| CN113595997A (en) * | 2021-07-14 | 2021-11-02 | 上海淇玥信息技术有限公司 | File uploading safety detection method and device and electronic equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109327451B (en) | 2021-07-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109327451A (en) | A kind of method, system, device and medium that the upload verifying of defence file bypasses | |
| CN109922052B (en) | Malicious URL detection method combining multiple features | |
| CN106357696B (en) | SQL injection attack detection method and system | |
| CN107659583B (en) | Method and system for detecting attack in fact | |
| CN110730175B (en) | Botnet detection method and detection system based on threat information | |
| EP3244335B1 (en) | Blacklist generation device, blacklist generation system, blacklist generation method, and blacklist generation program | |
| US9256736B2 (en) | Method and system for monitoring webpage malicious attributes | |
| CN110505235B (en) | System and method for detecting malicious request bypassing cloud WAF | |
| CN109768992B (en) | Webpage malicious scanning processing method and device, terminal device and readable storage medium | |
| KR101070184B1 (en) | System and method for blocking execution of malicious code by automatically crawling and analyzing malicious code through multi-thread site-crawler, and by interworking with network security device | |
| CN104426906A (en) | Identifying malicious devices within a computer network | |
| KR101132197B1 (en) | Apparatus and Method for Automatically Discriminating Malicious Code | |
| CN110351248B (en) | Safety protection method and device based on intelligent analysis and intelligent current limiting | |
| CN107800686B (en) | Phishing website identification method and device | |
| CN111726364B (en) | Host intrusion prevention method, system and related device | |
| CN103532944A (en) | Method and device for capturing unknown attack | |
| JP2016033690A (en) | Illegal intrusion detection device, illegal intrusion detection method, illegal intrusion detection program, and recording medium | |
| CN110889113A (en) | Log analysis method, server, electronic device and storage medium | |
| Roopak et al. | On effectiveness of source code and SSL based features for phishing website detection | |
| CN106790102A (en) | A kind of QR based on URL features yards of phishing recognition methods and system | |
| CN107294994B (en) | CSRF protection method and system based on cloud platform | |
| JP6716051B2 (en) | Information processing apparatus, information processing method, and information processing program | |
| CN113992442B (en) | Trojan horse communication success detection method and device | |
| KR102514214B1 (en) | Method and system for preventing network pharming using big data and artificial intelligence | |
| Huayu et al. | Research on fog computing based active anti-theft technology |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |