CN109327451B - Method, system, device and medium for preventing file uploading verification from bypassing - Google Patents


Info

Publication number: CN109327451B
Application number: CN201811280248.2A
Authority: CN (China)
Prior art keywords: suffix, file, character string, uploading, target
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN109327451A (en)
Inventor: 梁满
Current Assignee: Sangfor Technologies Co Ltd
Original Assignee: Sangfor Technologies Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic > H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources > H04L 63/102 Entity profiles
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic > H04L 63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Abstract

When a file to be uploaded undergoes upload verification, the file name with its suffix removed is obtained, the file name is checked for a suffix character string identical to a target suffix character string, and the upload of the file is rejected when such a suffix character string is found. Unlike the prior art, which verifies only the last suffix, this method detects suffix character strings hidden in the file name, so it can accurately detect various bypass techniques, accommodates the ways in which various server management programs parse files, markedly reduces the chance that the server and the data on it are damaged through file upload vulnerabilities, and provides higher security. The application also discloses a system and a device for preventing file upload verification from being bypassed, and a computer-readable storage medium, which have the same beneficial effects.

Description

Method, system, device and medium for preventing file uploading verification from bypassing
Technical Field
The present application relates to the field of server security technologies, and in particular to a method, a system, an apparatus and a computer-readable storage medium for preventing file upload verification from being bypassed.
Background
As Web applications become ever more abundant, Web servers, with their powerful computing power, processing performance and high value, are becoming the main targets of attacks. Security incidents such as SQL injection (inserting SQL commands into a Web form submission, a domain-name query string or a page request so that the server is tricked into executing malicious SQL), Webshell attacks (script-based tools for Web intrusion) and web page trojan embedding ("horse hanging") occur frequently. Enterprise users generally deploy firewalls that operate at the data link, network and transport layers as the first line of defense of their security systems, but for various practical reasons the defensive effect is not ideal, which is why the WAF was created.
The Web Application Firewall (WAF) is a product that works at the application layer and protects Web applications specifically, by applying a series of security policies to HTTP/HTTPS traffic. The WAF inspects and verifies the content of the various requests sent by Web application clients, ensures that requests are safe and legitimate, blocks illegal requests in real time, and thereby effectively protects websites.
Although the WAF is a great advance over the conventional firewall, some vulnerabilities remain through which malicious files can intrude: successfully uploading a malicious executable file to a Web server through the server's file upload vulnerability is the fastest and most direct way of obtaining server privileges. The vulnerability consists in a user uploading an executable script file and thereby gaining the ability to execute commands on the server side. The upload function itself is not the problem; the problem is how the Web server processes and interprets the file after it is uploaded. If the server's processing logic is not secure enough, the uploaded file is interpreted and executed by the web container, with serious consequences.
When a Web server under a mainstream architecture checks an uploaded file, it usually decides whether the file type is one the Web server may accept on the basis of the suffix of the file to be uploaded, where the suffix is usually the ".xxx" at the end of the file name; that is, the Web server allows the upload or refuses to perform the upload operation depending on whether the "xxx" is on a whitelist or a blacklist. However, detection of the real suffix of the file to be uploaded can often be bypassed by various means in this scheme, so that the file satisfies the upload judgment logic but, when the server actually parses it, becomes a genuinely executable malicious file that in turn damages the Web server.
Take a Web server running an early version of IIS as an example. Suppose that, under the control of the server management program, only image files with the suffix .jpg may be uploaded. When the link to a network image is www.xxx.com/xx.asp;jpg and the server receives the file, the server by default does not parse the content after the ";" sign, so the file xx.asp;jpg is parsed as an asp file. When that asp file contains malicious content, the server and the data stored on it are damaged when it executes.
Therefore, how to overcome the defect of the prior art, namely that malicious files cannot be reliably prevented from harming a Web server through various suffix verification bypass techniques, by providing a method with stronger resistance to suffix bypass is a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
An object of the present application is to provide a method for preventing file upload verification from being bypassed, in which, when a file to be uploaded undergoes upload verification, the file name with its suffix removed is obtained first, the file name is checked for a suffix character string identical to a target suffix character string, and the upload of the file is rejected when such a suffix character string is found. Compared with the prior art, which verifies only the last suffix, the method detects suffix character strings that may be hidden in the file name, accurately detects the known bypass techniques, accommodates the ways in which a variety of server management programs parse files, markedly reduces the chance that the server and the data on it are damaged through file upload vulnerabilities, and provides higher security.
It is another object of the present application to provide a system, apparatus and computer readable storage medium that defend against file upload verification bypass.
To achieve the above object, the present application provides a method for preventing file upload verification bypass, comprising:
extracting, from the file upload request, the file name of the file to be uploaded with its suffix removed;
detecting whether a suffix character string identical to a target suffix character string exists in the file name;
and when the target suffix character string exists in the file name, refusing to perform the upload operation on the file to be uploaded.
Optionally, detecting whether a suffix character string identical to the target suffix character string exists in the file name includes:
dividing the file name at the suffix identifiers in the file name to obtain each suffix character string;
comparing each suffix character string with the target suffix character string to determine whether they are the same;
correspondingly, refusing to perform the upload operation on the file to be uploaded when the target suffix character string exists in the file name includes:
refusing to perform the upload operation on the file to be uploaded when any suffix character string is the same as the target suffix character string.
Optionally, dividing the file name at the suffix identifiers in the file name to obtain each suffix character string includes:
attaching an end mark at the end of the file name;
searching for suffix identifiers character by character starting from the end mark, and attaching a suffix identification mark to each suffix identifier found;
extracting the character string enclosed between the end mark and the special suffix identification mark, and the character string enclosed between each pair of adjacent suffix identification marks, to obtain each suffix character string; wherein the special suffix identification mark is the suffix identification mark adjacent to the end mark.
Optionally, comparing each suffix character string with the target suffix character string includes:
comparing the suffix character strings with the target suffix character string one after another;
correspondingly, refusing to perform the upload operation on the file to be uploaded when the target suffix character string exists in the file name includes:
refusing to perform the upload operation on the file to be uploaded as soon as the current suffix character string is the same as the target suffix character string.
Optionally, the method for preventing file upload verification bypass further includes:
deleting from each suffix character string every interfering character that appears in a preset interfering character table, so that the suffix character string with the interfering characters removed is used to determine whether it is identical to the target suffix character string.
Optionally, the method for preventing file upload verification bypass further includes:
uploading the file whose upload operation was refused to a honeypot server through a preset path, the honeypot server having the same file parsing rules as a normal Web server;
parsing the received file with the honeypot server to obtain the parsed file, and recording the operations performed by the parsed file;
and judging whether a misjudgment occurred according to whether any of those operations harms the honeypot.
To achieve the above object, the present application further provides a system for preventing file upload verification bypass, the system comprising:
a file name extraction unit, configured to extract, from the file upload request, the file name of the file to be uploaded with its suffix removed;
a target suffix character string detection unit, configured to detect whether a suffix character string identical to a target suffix character string exists in the file name;
and an upload refusal unit, configured to refuse to perform the upload operation on the file to be uploaded when the target suffix character string exists in the file name.
Optionally, the target suffix character string detection unit includes:
a suffix identifier division subunit, configured to divide the file name at the suffix identifiers in the file name to obtain each suffix character string;
an identity comparison subunit, configured to compare each suffix character string with the target suffix character string to determine whether they are the same;
correspondingly, the upload refusal unit includes:
a first upload refusal subunit, configured to refuse to perform the upload operation on the file to be uploaded when any suffix character string is the same as the target suffix character string.
Optionally, the suffix identifier division subunit includes:
an end mark attaching module, configured to attach an end mark at the end of the file name;
a suffix identifier search and identification mark attaching module, configured to search for suffix identifiers character by character starting from the end mark and to attach a suffix identification mark to each suffix identifier found;
a suffix character string extraction module, configured to extract the character string enclosed between the end mark and the special suffix identification mark, and the character string enclosed between each pair of adjacent suffix identification marks, to obtain each suffix character string; wherein the special suffix identification mark is the suffix identification mark adjacent to the end mark.
Optionally, the identity comparison subunit includes:
a sequential comparison module, configured to compare the suffix character strings with the target suffix character string one after another;
correspondingly, the upload refusal unit includes:
a second upload refusal subunit, configured to refuse to perform the upload operation on the file to be uploaded as soon as the current suffix character string is the same as the target suffix character string.
Optionally, the system for preventing file upload verification bypass further includes:
an interfering character removal unit, configured to delete from each suffix character string every interfering character that appears in a preset interfering character table, so that the suffix character string with the interfering characters removed is used to determine whether it is identical to the target suffix character string.
Optionally, the system for preventing file upload verification bypass further includes:
a refused file special upload unit, configured to upload the file whose upload operation was refused to a honeypot server through a preset path, the honeypot server having the same file parsing rules as a normal Web server;
a honeypot server parsing and operation recording unit, configured to parse the received file with the honeypot server to obtain the parsed file and to record the operations performed by the parsed file;
and a misjudgment judging unit, configured to judge whether a misjudgment occurred according to whether any of those operations harms the honeypot.
To achieve the above object, the present application further provides a device for preventing file upload verification bypass, the device comprising:
a memory for storing a computer program;
a processor for implementing the steps of the method for preventing file upload verification bypass described above when executing the computer program.
To achieve the above object, the present application further provides a computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements the steps of the method for preventing file upload verification bypass described above.
As can be seen, in the method for preventing file upload verification bypass provided by the present application, when a file to be uploaded undergoes upload verification, the file name with its suffix removed is obtained first, the file name is checked for a suffix character string identical to a target suffix character string, and the upload of the file is rejected when such a suffix character string exists. Compared with the prior art, which verifies only the last suffix, the method detects suffix character strings that may be hidden in the file name, accurately detects the known bypass techniques, accommodates the ways in which a variety of server management programs parse files, markedly reduces the chance that the server and the data on it are damaged through file upload vulnerabilities, and provides higher security.
The application also provides a system, a device and a computer-readable storage medium for preventing file upload verification bypass, which have the same beneficial effects and are not described in detail here.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions of the prior art more clearly, the drawings required for the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are only some embodiments of the present application; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for preventing file upload verification bypass according to an embodiment of the present application;
Fig. 2 is a flowchart of another method for preventing file upload verification bypass according to an embodiment of the present application;
Fig. 3 is a flowchart of a method for obtaining suffix character strings by division at suffix identifiers, in a method for preventing file upload verification bypass according to an embodiment of the present application;
Fig. 4 is a flowchart of a method for processing a file to be uploaded whose upload has been refused, according to an embodiment of the present application;
Fig. 5 is a flowchart of a method for detecting the suffix type of an HTTP request under the multipart/form-data protocol according to an embodiment of the present application;
Fig. 6 is a schematic flowchart of a method for suffix type detection according to an embodiment of the present application;
Fig. 7 is a block diagram of the structure of a system for preventing file upload verification bypass according to an embodiment of the present application.
Detailed Description
The core of the application is to provide a method, a system, a device and a computer-readable storage medium for preventing file upload verification from being bypassed: when upload verification is performed on a file to be uploaded, the file name without its suffix is obtained first, the file name is checked for a suffix character string identical to a target suffix character string, and the upload of the file is refused when such a suffix character string is found. Compared with the prior art, which verifies only the last suffix, the method detects suffix character strings that may be hidden in the file name, accurately detects the known bypass techniques, accommodates the ways in which a variety of server management programs parse files, markedly reduces the chance that the server and the data on it are damaged through file upload vulnerabilities, and provides higher security.
To make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are evidently only some of the embodiments of the present application, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present application.
Example one
With reference to Fig. 1, which is a flowchart of a method for preventing file upload verification bypass according to an embodiment of the present application, the method specifically includes the following steps:
S101: extracting, from the file upload request, the file name of the file to be uploaded with its suffix removed;
This step is intended to obtain the file name of the file to be uploaded with its suffix removed, the suffix being the part that the prior art can recognize as a suffix. Taking xxxxx.
The file name can serve as part of the characteristic information of the file to be uploaded and is included in the file upload HTTP request, from which the upload verification mechanism extracts it at a preset position. Since HTTP requests formed under different specific protocols may carry different kinds of information in different orders, file name extraction must be adjusted to the protocol used by the HTTP request. For example, an HTTP request built according to RFC 1867 adds a file attribute to the INPUT tag on top of the standard HTTP protocol and stipulates that the form's method must be POST and its enctype must be multipart/form-data.
In the prior art, file type identification is performed on the file name including its suffix; still taking xxxxx.
Thus the prior art neither determines whether the identified suffix is the real suffix nor examines the character string other than the last suffix, so the verification of the file upload mechanism can be bypassed by hiding the real suffix in the part of the file name other than the suffix.
This step therefore first strips off the suffix that conventional means can recognize, leaving a file name in which the prior art would recognize no further suffix, and a subsequent step then re-identifies any suffix character string that may be hidden in that file name, so that the verification of the upload mechanism cannot be bypassed.
S102: detecting whether a suffix character string identical to the target suffix character string exists in the file name;
Building on S101, this step detects whether a suffix character string identical to a target suffix character string exists in the file name. The target suffix character string is a suffix that the upload mechanism does not allow during verification; its number is not limited, there may be one or several, and several target suffix character strings may together form a suffix blacklist, for example the suffixes of executable script file types such as php or asp. In other words, the character string check on the file name in this step prevents the verification of the existing upload mechanism from being bypassed by appending suffixes of other file types or interfering characters after the real suffix, so that the existing upload mechanism treats those characters as the file name and fails to detect them.
In the prior art, two approaches are generally used to get a file of a disallowed type (for example a text document) through the upload verification mechanism. First, the real suffix of the file is directly changed to one that meets the requirement; that is, the suffix of the image file xxxx.jpg is directly changed to xxxx.txt, so that a file that could originally be opened as an image can no longer be opened as a text file after passing a verification mechanism that requires txt files. A file modified this way is not executable after the change and does no harm to the Web server that stores it. This case is not what the present application addresses.
Second, the real suffix is kept and some information is appended after it, for example xxxx.jpg is changed to xxxx.jpg;txt. A file modified in this way passes the existing verification, which checks only the last suffix in the file name, and is successfully uploaded to the Web server; but when the Web server parses the file it ignores by default the ";" (a truncation character that separates the information before and after it) and so parses the file xxxx.jpg;txt as xxxx.jpg. Once that file carries malicious content, it harms the Web server and the data on it when it is executed. It is mainly in this way that file upload vulnerabilities are exploited to get a file executed on the server side and thereby damage the server and the data on it.
When determining the suffix character strings in the file name, character strings shaped like a suffix (".xxx") are obtained mainly by means of the suffix identifier ".", as in xxxx.jpg;txt. In this case, to prevent interference from interfering characters such as truncation characters, the interfering characters that each suffix character string may contain can be removed or ignored, so that finally the two pieces of suffix information jpg and txt are obtained and compared with the target suffix character string. If image files with the suffix jpg are not allowed to be uploaded, the file name is thus found to hide a file that will be parsed in jpg format after upload (because the content after the ";" sign cannot be parsed and is ignored), and a known bypass technique is prevented.
On this basis, there are many specific ways of determining each suffix character string from the suffix identifiers. All suffix identifiers in the file name can be determined at once, and the character strings between each pair of adjacent suffix identifiers extracted as separate suffix character strings, so as to judge whether each suffix character string is the same as the target suffix character string (that is, whether a file of that type may be uploaded). Alternatively, the suffix identifiers can be searched for one by one from one end of the file name to the other in a fixed order: each time a suffix identifier is found, one suffix character string is obtained and compared with the target suffix character string; if the current one is not the same, the search continues in the same direction until a suffix character string identical to the target suffix character string is found, at which point the search ends.
In brief, the first approach judges whether every suffix character string contained in the file name is the same as the target suffix character string, omits none of them, obtains result information for each, and is suited to more complex and richer upload rejection strategies, such as requiring several suffix character strings to match the target suffix character string or requiring a particular combination of suffix character strings.
In the second approach, by contrast, each time a suffix identifier is found the suffix character string it delimits is obtained and compared with the target suffix character string; if they differ, the next suffix identifier and suffix character string are found and compared in the same way, until a suffix character string identical to the target suffix character string is found or all suffix character strings have been found to differ, at which point the judgment ends. Compared with the first approach, when the upload is to be refused as soon as one or a few target suffix character strings are found, not all suffix character strings in the file name need to be determined, which saves some time and resources.
Which specific approach to adopt should be chosen flexibly according to the requirements of the actual application scenario and is not specifically limited here.
S103: when the target suffix character string exists in the file name, refusing to perform the upload operation on the file to be uploaded.
Building on S102, when the target suffix character string exists in the file name there is a possibility of harm to the Web server, so the upload operation on the file to be uploaded is refused. That is, finding a suffix character string hidden in the file name that the ordinary check would not recognize shows that a bypass technique is being used in an attempt to evade the verification of the existing upload mechanism.
Further, suppose 5 different pieces of suffix information, corresponding to 5 different file types, are determined in the file name of a file to be uploaded. The number of those pieces of suffix information that must appear in the suffix blacklist for the upload to be refused can be set freely in the judgment process; when it is set to 2, the upload operation on the file to be uploaded is refused only when 2 of the 5 pieces of suffix information in its file name are on the suffix blacklist. The upload may also be refused only when two specific pieces of suffix information are present at the same time.
Different risk levels can be set for different pieces of suffix information in the suffix blacklist, so that the upload is refused when the file name of the file to be uploaded contains at least one piece of high-risk suffix information, or at least two pieces of low-risk suffix information, and so on. The risk levels of the different pieces of suffix information may be set according to how often the real suffix that endangered the server appeared in historical threat samples, or according to the extent of the damage that files of the different types do to the server when they contain malicious content; this is not specifically limited here.
Furthermore, to guard against the possibility of misjudgment in this scheme, a controllable system environment such as a sandbox or honeypot can be used to simulate how a real Web server parses files: the files whose upload was refused are uploaded to the controllable environment, the operations they perform are observed, and whether a misjudgment occurred is determined accordingly so that the suffix blacklist or the refusal mechanism can be adjusted.
Based on the technical scheme, the method for preventing file upload verification bypassing provided by the embodiment of the application obtains the filename without suffix when the file to be uploaded is subjected to upload verification, detects whether a suffix character string same as a target suffix character string exists in the filename, and rejects the upload of the file to be uploaded when the suffix character string same as the target suffix character string is found. Different from the mode that only the last suffix is uploaded for verification in the prior art, the method and the device for detecting the suffix character string hidden in the file name can effectively realize accurate detection on the known bypass mode, are suitable for the analysis mode of the file by various server management software, can obviously reduce the possibility of damaging the server and data in the server through file uploading loopholes, and have higher safety.
Example two
Referring to fig. 2, fig. 2 is a flowchart of another method for preventing file upload verification bypass according to an embodiment of the present application. Unlike the first embodiment, this embodiment detects whether a suffix character string identical to a target suffix character string exists in the file name through S202 and S203 according to the first manner mentioned in S102, and S204 gives the specific policy executed to reject the upload operation. The specific steps are as follows:
S201: extracting the file name of the file to be uploaded, except for the suffix, from the file upload request;
S202: dividing the file name by using the suffix identifiers in the file name to obtain each suffix character string;
Taking xxxx.jpg;.txt as an example again, two suffix identifiers "." are found; using them as separators, the file name is divided into "jpg;" and "txt", which are two different suffix character strings.
In general, when no interfering character such as a truncation character is included, each suffix character string can be used directly as suffix information. However, when a suffix character string contains interfering characters, such as ";", truncation characters such as "\x00ttt", or "::$DATA", the interference these characters cause must also be eliminated in order to obtain the real suffix information.
One implementation, including but not limited to, is:
deleting each interference character in each suffix character string appearing in a preset interference character table to obtain a preferred suffix character string, and using the preferred suffix character string as suffix information. The preset interference character table comprises a plurality of truncation characters used for realizing truncation and other interference characters, and can be continuously updated according to a continuously-changed bypass mode.
S203: comparing whether each suffix character string is the same as the target suffix character string;
that is, this step employs a comparison of whether each suffix string contained in the file name is identical to the target suffix string.
S204: when any suffix character string is the same as the target suffix character string, refusing to execute the uploading operation on the file to be uploaded.
That is, when any suffix character string is the same as the target suffix character string, the uploading operation on the file to be uploaded is refused, which realizes a stricter upload refusal strategy.
Example three
Referring to fig. 3, fig. 3 is a flowchart of a method for obtaining suffix character strings by dividing at suffix identifiers, within the method for preventing file upload verification bypass provided in an embodiment of the present application. This embodiment provides a specific implementation of S202; the other steps are unchanged. It specifically includes the following steps:
S301: attaching an end mark at the end of the file name;
Taking xxxx.jpg;.txt as an example, an end mark is appended after txt.
S302: searching forward for suffix identifiers character by character, starting from the end mark, and attaching a suffix identification mark to each suffix identifier found;
The suffix identifier is ".", that is, this step checks character by character, starting from the end mark of the file name, whether each character is ".", and attaches a suffix identification mark to each ".".
Taking xxxx.jpg;.txt as an example, suffix identification marks are attached to the "." immediately preceding txt and to the "." immediately preceding jpg.
S303: extracting the character string sandwiched between the end mark and the special suffix identification mark, and the character string sandwiched between each pair of adjacent suffix identification marks, to obtain each suffix character string;
Taking xxxx.jpg;.txt as an example, "jpg;" and "txt" are finally obtained as two different character strings and are treated as two suffix character strings.
Example four
With reference to fig. 4, fig. 4 is a flowchart of a method for processing a file to be uploaded, which is denied to be uploaded according to an embodiment of the present application, where the embodiment provides a specific implementation manner for making a determination more accurate according to the possibility of a possible misjudgment mentioned in S103, and the specific implementation steps are as follows:
S401: uploading the file to be uploaded that was refused upload to a honeypot server through a preset path;
The preset path is a path different from the normal file upload path and points to the honeypot server. It should be noted that the honeypot server has the same file parsing rules as the normal Web server, so as to simulate as closely as possible what may happen on the normal Web server after it receives a file that should have been refused.
S402: parsing the received file with the honeypot server to obtain a parsed file, and recording the operations executed by the parsed file;
S403: judging whether a misjudgment has occurred according to whether each operation causes harm to the honeypot terminal.
The records produced in this process can be analysed with big-data methods to adjust the upload rejection strategy and continuously improve the security of the Web server.
Example five
To deepen understanding of the invention of the present application, this embodiment describes how to implement the technical solution of the present application in a specific application scenario. The embodiment is directed at the multipart/form-data protocol defined in RFC 1867: it obtains the file name by parsing the data of a multipart file upload and detects all suffix information contained in the file name against a suffix blacklist. This addresses the problem that, in existing mechanisms, mainstream Web servers parse an abnormal multipart/form-data format differently, which allows the normal detection of a WAF to be bypassed and a file upload vulnerability to be exploited. For the specific embodiment please refer to fig. 5:
1) receiving an HTTP request (file uploading request) sent from a Client;
it should be noted that the WAF is located between the Client and the Server in this scenario, and is configured to receive the HTTP request from the Client, detect the HTTP request according to a preset policy of the WAF, execute a corresponding action according to a detection result, and return corresponding response information to the Server.
The specific implementation process may be as follows:
(1) the Client initiates a file upload request; the WAF parses the request header, identifies an HTTP multipart file upload, caches the body data (the main content part of the request) to the link trace, and begins parsing the body data according to the multipart format;
(2) when the length of the cached body data plus the body data of the current request does not exceed the size of the buffer, the body data of the request is appended to the cache in the link trace and the cached body data is parsed according to the multipart format;
(3) when the length of the cached body data plus the body data of the current request exceeds the size of the buffer, the cached body data is parsed according to the multipart format and the cache is emptied; the body data of the request is then cached to the link trace and the cached body data is parsed according to the multipart format;
(4) processes (2) and (3) are repeated until all body data has been parsed; suffix blacklist detection is performed on the filename field values obtained by parsing, and response data is returned to the Server according to the detection result.
2) Judging whether the request is an HTTP request under a multipart/form-data protocol;
This step is intended to screen for HTTP requests that use the multipart/form-data protocol.
3) Parsing and storing all filename field values in the HTTP request;
This step is performed when the judgment result of step 2) is yes; all filename field values are parsed and stored.
4) Judging whether the filename field values contain suffix information that matches the suffix type blacklist;
5) Reporting a log and intercepting/releasing the HTTP request according to a preset execution strategy;
This step is performed when the judgment result of step 4) is that a filename field value contains suffix information matching the suffix type blacklist: a log is reported, and the HTTP request is intercepted or released according to the preset execution strategy.
Based on the above flow, please refer to the schematic diagram of fig. 6 to combine with an actual file name detection process to deepen understanding of how all suffix information is determined by the scheme:
1. Starting the search for "." (the suffix identifier) from the end of the file name (×.txt.php\x00tt.xxx.exe), and recording an End offset End (equivalent to appending an end mark);
2. If a suffix identifier is found, recording a Start offset Start (equivalent to attaching a suffix identification mark) and judging whether the content from Start to End exists in the suffix type blacklist; if so, reporting a log and intercepting/releasing according to the strategy; if not, recording End again and continuing to search for the previous "." (suffix identifier), and so on, so that all types of suffix are detected;
3. When a truncation character (such as \x00) is encountered while searching for "." (the suffix identifier), pointing End to the position preceding the truncation character (skipping the truncation character rather than stopping) and continuing the search for "." (the suffix identifier);
4. The trailing ::$DATA string is filtered out during matching, preventing bypass via Windows file-stream suffixes.
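The backward scan of fig. 6 (steps 1 to 4 above, the same procedure as S301 to S303) together with the filename extraction of step 3), as an added Python example; this is not the patent's code. The suffix blacklist, the request body and its boundary are constructed, and lower-casing plus a case-insensitive ::$DATA match are assumptions the page does not state.

```python
"""Suffix-blacklist detection for multipart/form-data uploads (added example)."""
import re
from typing import Dict, List, Optional

SUFFIX_IDENTIFIER = "."
# Preset interference character table. The page names "\x00" (truncation),
# ";" and "::$DATA"; nothing beyond those is assumed.
TRUNCATION_CHARS = frozenset({"\x00"})
DELETED_CHARS = frozenset({";", "\x00"})
ADS_SUFFIX = "::$DATA"  # Windows file-stream suffix filtered out in step 4
# Constructed suffix-type blacklist; the patent does not publish one.
SUFFIX_BLACKLIST = frozenset({"php", "php3", "phtml", "asp", "aspx", "jsp", "exe"})


def split_suffixes(filename: str) -> List[str]:
    """Fig. 6 scan: walk backward from the end mark and emit the string between
    each "." and the current End offset. A truncation character moves End onto
    itself, so what followed it is skipped instead of ending the scan.
    Result is ordered from the last suffix to the first."""
    suffixes: List[str] = []
    end = len(filename)  # the appended end mark
    for i in range(len(filename) - 1, -1, -1):
        ch = filename[i]
        if ch == SUFFIX_IDENTIFIER:
            suffixes.append(filename[i + 1:end])  # Start+1 .. End
            end = i  # record End again at this identifier
        elif ch in TRUNCATION_CHARS:
            end = i  # skip the truncation character and what followed it
    return suffixes


def normalize_suffix(raw: str) -> str:
    """Remove interference characters so the real suffix can be compared.
    Lower-casing and the case-insensitive ::$DATA match are assumptions
    (Windows file systems are case-insensitive); the page does not say."""
    s = raw
    if s.upper().endswith(ADS_SUFFIX):
        s = s[: -len(ADS_SUFFIX)]
    s = "".join(ch for ch in s if ch not in DELETED_CHARS)
    return s.lower()


def detect_blacklisted_suffix(filename: str,
                              blacklist=SUFFIX_BLACKLIST) -> Optional[str]:
    """Second manner of S102 / S204: compare the suffix strings one at a time
    from the end and stop at the first blacklist hit. Returns the matched
    normalized suffix, or None when every suffix is clean."""
    for raw in split_suffixes(filename):
        suffix = normalize_suffix(raw)
        if suffix in blacklist:
            return suffix
    return None


# filename="quoted value" or an unquoted token up to the next ";"
_FILENAME_RE = re.compile(r'filename=(?:"([^"]*)"|([^;\r\n]*))', re.IGNORECASE)


def extract_filenames(body: bytes, boundary: str) -> List[str]:
    """Step 3) of example five: collect every filename field value from a
    multipart/form-data body. Bytes are decoded as latin-1 so each byte maps to
    one character and a \\x00 truncation byte survives. This is a plain split
    on the delimiter; it does not imitate any server's parsing quirks."""
    text = body.decode("latin-1")
    names: List[str] = []
    for part in text.split("--" + boundary)[1:]:
        if part.startswith("--"):  # closing delimiter
            break
        headers = part.partition("\r\n\r\n")[0]
        for line in headers.split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                m = _FILENAME_RE.search(line)
                if m:
                    names.append(m.group(1) if m.group(1) is not None
                                 else m.group(2).strip())
    return names


def check_upload(body: bytes, boundary: str,
                 blacklist=SUFFIX_BLACKLIST) -> Dict[str, object]:
    """Steps 3) to 5): the verdict plus the evidence a WAF would log."""
    hits: Dict[str, str] = {}
    for name in extract_filenames(body, boundary):
        hit = detect_blacklisted_suffix(name, blacklist)
        if hit is not None:
            hits[name] = hit
    return {"intercept": bool(hits), "hits": hits}


# Constructed request body: a text field plus two file parts whose names use
# the shapes the page discusses (";" interference, "\x00" truncation).
BOUNDARY = "----WebKitFormBoundaryEXAMPLE"
SAMPLE_BODY = (
    b"------WebKitFormBoundaryEXAMPLE\r\n"
    b'Content-Disposition: form-data; name="title"\r\n\r\nholiday photo\r\n'
    b"------WebKitFormBoundaryEXAMPLE\r\n"
    b'Content-Disposition: form-data; name="f1"; filename="xxxx.jpg;.txt"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n<file bytes>\r\n"
    b"------WebKitFormBoundaryEXAMPLE\r\n"
    b'Content-Disposition: form-data; name="f2"; filename="a.txt.php\x00tt.xxx.exe"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n<file bytes>\r\n"
    b"------WebKitFormBoundaryEXAMPLE--\r\n"
)

if __name__ == "__main__":
    print(check_upload(SAMPLE_BODY, BOUNDARY))
```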
By applying this Web protection method of suffix type blacklist detection for file uploads, not only is parsing of the normal protocol format supported, but parsing is also kept compatible with the parsing behaviour of mainstream servers, and the suffix type blacklist detection itself is likewise compatible with mainstream servers. Through this highly compatible suffix blacklist detection mechanism, attacks that bypass upload verification using any known file suffix can be detected.
Because the situations are complicated and cannot all be enumerated, a person skilled in the art will recognise that many further examples exist according to the basic method principle provided by the application and the practical situation, and these should fall within the protection scope of the application without requiring inventive work.
Example six
Referring to fig. 7, fig. 7 is a block diagram illustrating a structure of a system for defending file upload verification bypass according to an embodiment of the present application, where the system may include:
a file name extracting unit 100, configured to extract, from the file upload request, a file name of the file to be uploaded, except for a suffix;
a target suffix character string detection unit 200 for detecting whether or not a suffix character string identical to the target suffix character string exists in the file name;
an upload rejection unit 300, configured to reject performing the upload operation on the file to be uploaded when the target suffix character string exists in the file name.
The target suffix string detection unit 200 may include:
a suffix identifier division subunit, configured to divide the file name by using a suffix identifier in the file name to obtain each suffix character string;
the same comparison subunit is used for respectively comparing whether each suffix character string is the same as the target suffix character string;
correspondingly, the upload rejection unit 300 may include:
a first upload refusing subunit, configured to refuse to execute the uploading operation on the file to be uploaded when any suffix character string is the same as the target suffix character string.
Wherein the suffix identifier splitting subunit may include:
an end mark attaching module for attaching an end mark at the end of the file name;
a suffix identifier searching and identification tag appending module for searching character-by-character forward suffix identifiers starting from the end tag and appending a suffix identification tag to each searched suffix identifier;
a suffix character string extraction module for extracting a character string sandwiched by the tail mark and the special suffix identification mark and a character string sandwiched by each pair of adjacent suffix identification marks to obtain each suffix character string; wherein the special suffix identification mark is a suffix identification mark adjacent to the end mark.
Wherein, the same comparing subunit may include:
the sequential comparison module is used for sequentially comparing whether each suffix character string is the same as the target suffix character string;
correspondingly, the upload rejection unit 300 may include:
a second upload refusing subunit, configured to refuse to execute the uploading operation on the file to be uploaded when the current suffix character string is the same as the target suffix character string.
Further, the system for preventing file upload verification bypass may further comprise:
an interference character removing unit, configured to delete from each suffix character string every interference character that appears in the preset interference character table, so that the suffix character string with the interference characters removed is used to determine whether it is identical to the target suffix character string.
Further, the system for preventing the file uploading and verification bypassing can further comprise:
a refused-file special upload unit, configured to upload the file to be uploaded whose upload operation was refused to a honeypot server through a preset path, where the honeypot server has the same file parsing rules as the normal Web server;
a honeypot server parsing and operation recording unit, configured to parse the received file using the honeypot server to obtain a parsed file and to record the operations executed by the parsed file;
a misjudgment judging unit, configured to judge whether a misjudgment has occurred according to whether each operation causes harm to the honeypot terminal.
Based on the foregoing embodiments, the present application further provides a device for defending file upload verification bypass, where the device may include a memory and a processor, where the memory stores a computer program, and the processor may implement the steps provided by the foregoing embodiments when calling the computer program in the memory. Of course, the device may also include various necessary network interfaces, power supplies, and other components.
The present application also provides a computer-readable storage medium, on which a computer program is stored, which, when executed by an execution terminal or processor, can implement the steps provided by the above-mentioned embodiments. The storage medium may include: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The principle and the implementation of the present application are described herein by applying specific examples, and in order to make the various embodiments have a progressive relationship, each embodiment focuses on the differences from the other embodiments, and the same and similar parts among the various embodiments may be referred to each other. For the apparatus disclosed in the embodiments, reference is made to the corresponding method section. The above description of the embodiments is only intended to help understand the method of the present application and its core ideas. It will be apparent to those skilled in the art that various changes and modifications can be made in the present invention without departing from the principles of the invention, and these changes and modifications also fall within the scope of the claims of the present application.
It is further noted that, in the present specification, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Claims (12)

1. A method of defending against file upload verification bypass, the method comprising:
extracting the file names of the files to be uploaded except the suffix from the file uploading request;
detecting whether a suffix character string identical to a target suffix character string exists in the file name;
when the target suffix character string exists in the file name, refusing to execute uploading operation on the file to be uploaded;
uploading the file to be uploaded, whose uploading operation was refused, to a honeypot server through a preset path; the honeypot server has the same file analysis rules as a normal Web server;
analyzing the received file by using the honeypot server to obtain an analyzed file, and recording the operation executed by the analyzed file;
judging whether misjudgment occurs or not according to whether each operation causes harm to the honeypot server or not.
2. The method of claim 1, wherein detecting whether a suffix string identical to a target suffix string is present in the file name comprises:
dividing the file name by using a suffix identifier in the file name to obtain each suffix character string;
comparing whether each suffix character string is the same as the target suffix character string;
correspondingly, when the target suffix character string exists in the file name, refusing to execute the uploading operation on the file to be uploaded, and the method comprises the following steps:
when any suffix character string is the same as the target suffix character string, refusing to execute the uploading operation on the file to be uploaded.
3. The method of claim 2, wherein segmenting the file name using suffix identifiers in the file name to obtain suffix strings comprises:
attaching an end mark at the end of the file name;
searching the suffix identifier from the tail mark character by character, and attaching a suffix identification mark to each searched suffix identifier;
extracting character strings sandwiched by the tail mark and the special suffix identification mark and character strings sandwiched by each pair of adjacent suffix identification marks to obtain each suffix character string; wherein the special suffix identification mark is a suffix identification mark adjacent to the end mark.
4. The method of claim 2, wherein separately comparing each of the suffix strings to the target suffix string comprises:
sequentially comparing whether each suffix character string is the same as the target suffix character string;
correspondingly, when the target suffix character string exists in the file name, refusing to execute the uploading operation on the file to be uploaded, and the method comprises the following steps:
when the current suffix character string is the same as the target suffix character string, refusing to execute the uploading operation on the file to be uploaded.
5. The method of any of claims 2 to 4, further comprising:
deleting each interfering character in each suffix character string appearing in a preset interfering character table to determine whether the suffix character string is identical to the target suffix character string using the suffix character string from which each interfering character is removed.
6. A system for defending against file upload verification bypass, the system comprising:
the file name extraction unit is used for extracting the file names of the files to be uploaded except the suffix from the file uploading request;
a target suffix character string detection unit configured to detect whether or not a suffix character string identical to a target suffix character string exists in the file name;
the uploading refusing unit is used for refusing to execute the uploading operation on the file to be uploaded when the target suffix character string exists in the file name;
a refused-file special uploading unit, used for uploading the file to be uploaded whose uploading operation was refused to a honeypot server through a preset path; the honeypot server has the same file analysis rules as a normal Web server;
the honeypot server analysis and operation recording unit is used for analyzing the received file by using the honeypot server to obtain an analyzed file and recording the operation executed by the analyzed file;
and the misjudgment judging unit is used for judging whether misjudgment occurs according to whether each operation causes harm to the honeypot server.
7. The system according to claim 6, wherein the target suffix string detection unit comprises:
a suffix identifier division subunit, configured to divide the file name by using a suffix identifier in the file name to obtain each suffix character string;
an identical comparison subunit, configured to compare whether each of the suffix character strings is identical to the target suffix character string, respectively;
correspondingly, the unit for rejecting uploading comprises:
a first uploading refusing subunit, used for refusing to execute the uploading operation on the file to be uploaded when any suffix character string is the same as the target suffix character string.
8. The system of claim 7, wherein the suffix identifier split sub-unit comprises:
an end mark attaching module for attaching an end mark at the end of the file name;
a suffix identifier searching and identification tag appending module for searching the suffix identifier character by character from the end tag and appending a suffix identification tag to each searched suffix identifier;
a suffix character string extraction module configured to extract a character string sandwiched by the end mark and a special suffix identification mark and a character string sandwiched by each pair of adjacent suffix identification marks, to obtain each suffix character string; wherein the special suffix identification mark is a suffix identification mark adjacent to the end mark.
9. The system of claim 7, wherein the same comparison subunit comprises:
a sequential comparison module for sequentially comparing whether each of the suffix character strings is the same as the target suffix character string;
correspondingly, the unit for rejecting uploading comprises:
a second uploading refusing subunit, used for refusing to execute the uploading operation on the file to be uploaded when the current suffix character string is the same as the target suffix character string.
10. The system of any one of claims 7 to 9, further comprising:
an interference character removing unit, used for deleting from each suffix character string every interference character that appears in a preset interference character table, so that the suffix character string with the interference characters removed is used to judge whether it is identical to the target suffix character string.
11. An apparatus for defending against file upload verification bypass, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the method for defensive file upload verification bypass according to any one of claims 1 to 5 when executing the computer program.
12. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, carries out the steps of the method for defending against file upload verification bypassing according to any one of claims 1 to 5.
CN201811280248.2A 2018-10-30 2018-10-30 Method, system, device and medium for preventing file uploading verification from bypassing Active CN109327451B (en)


Publications (2)

Publication Number Publication Date
CN109327451A CN109327451A (en) 2019-02-12
CN109327451B true CN109327451B (en) 2021-07-06

Family

ID=65259822

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811280248.2A Active CN109327451B (en) 2018-10-30 2018-10-30 Method, system, device and medium for preventing file uploading verification from bypassing

Country Status (1)

Country Link
CN (1) CN109327451B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109992967A (en) * 2019-03-12 2019-07-09 福建拓尔通软件有限公司 A kind of method and system for realizing automatic detection file security when file uploads
CN110309654A (en) * 2019-06-28 2019-10-08 四川长虹电器股份有限公司 The safety detection method and device that picture uploads
CN111901337B (en) * 2020-07-28 2023-08-15 中国平安财产保险股份有限公司 File uploading method, system and storage medium
CN113179280B (en) * 2021-05-21 2022-11-22 深圳安天网络安全技术有限公司 Deception defense method and device based on malicious code external connection behaviors and electronic equipment
CN113420300B (en) * 2021-06-21 2023-09-08 福建天晴数码有限公司 Method and system for detecting and defending file uploading loopholes
CN113595997A (en) * 2021-07-14 2021-11-02 上海淇玥信息技术有限公司 File uploading safety detection method and device and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100462990C (en) * 2005-12-12 2009-02-18 北京瑞星国际软件有限公司 Method and device for monitoring suspicious file start
CN103209170A (en) * 2013-03-04 2013-07-17 汉柏科技有限公司 File type identification method and identification system
CN104009881A (en) * 2013-02-27 2014-08-27 广东电网公司信息中心 Method and device for system penetration testing
CN104063309A (en) * 2013-03-22 2014-09-24 南京理工大学常熟研究院有限公司 Web application program bug detection method based on simulated strike
CN107800718A (en) * 2017-11-29 2018-03-13 中科信息安全共性技术国家工程研究中心有限公司 A kind of file uploads the method for early warning device of leak

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101692267B (en) * 2009-09-15 2011-09-07 北京大学 Method and system for detecting large-scale malicious web pages
US10027693B2 (en) * 2009-11-26 2018-07-17 Huawei Digital Technologies (Cheng Du) Co., Limited Method, device and system for alerting against unknown malicious codes within a network environment
CN102609654A (en) * 2012-02-08 2012-07-25 北京百度网讯科技有限公司 Method and device for detecting malicious flash files
CN103310150A (en) * 2012-03-13 2013-09-18 百度在线网络技术(北京)有限公司 Method and device for detecting portable document format (PDF) vulnerability
CN102833240B (en) * 2012-08-17 2016-02-03 中国科学院信息工程研究所 A kind of malicious code catching method and system
CN103235913B (en) * 2013-04-03 2016-12-28 北京奇虎科技有限公司 A kind of for identifying, intercept the system of bundled software, Apparatus and method for
US9355246B1 (en) * 2013-12-05 2016-05-31 Trend Micro Inc. Tuning sandbox behavior based on static characteristics of malware
CN104766011B (en) * 2015-03-26 2017-09-12 国家电网公司 The sandbox detection alarm method and system of Intrusion Detection based on host feature

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100462990C (en) * 2005-12-12 2009-02-18 北京瑞星国际软件有限公司 Method and device for monitoring suspicious file start
CN104009881A (en) * 2013-02-27 2014-08-27 广东电网公司信息中心 Method and device for system penetration testing
CN103209170A (en) * 2013-03-04 2013-07-17 汉柏科技有限公司 File type identification method and identification system
CN104063309A (en) * 2013-03-22 2014-09-24 南京理工大学常熟研究院有限公司 Web application program bug detection method based on simulated strike
CN107800718A (en) * 2017-11-29 2018-03-13 中科信息安全共性技术国家工程研究中心有限公司 A kind of file uploads the method for early warning device of leak

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
【绝密珍藏】渗透测试方法论之文件上传!;佚名;《https://www.sohu.com/a/143477025_472906》;20170525;正文第9-11页 *

Also Published As

Publication number | Publication date
CN109327451A (en) | 2019-02-12

Similar Documents

Publication Publication Date Title
CN109327451B (en) Method, system, device and medium for preventing file uploading verification from bypassing
CN108259449B (en) Method and system for defending against APT (advanced persistent threat) attacks
CN109583193B (en) System and method for cloud detection, investigation and elimination of target attacks
EP3113064B1 (en) System and method for determining modified web pages
CN107659583B (en) Method and system for detecting attack in fact
CN107612924B (en) Attacker positioning method and device based on wireless network intrusion
CN107066883B (en) System and method for blocking script execution
RU2680736C1 (en) Malware files in network traffic detection server and method
CN107819731B (en) Network security protection system and related method
US20100251371A1 (en) Real-time malicious code inhibitor
CN107566420B (en) Method and equipment for positioning host infected by malicious code
Chung et al. Allergy attack against automatic signature generation
KR101132197B1 (en) Apparatus and Method for Automatically Discriminating Malicious Code
CN110602032A (en) Attack identification method and device
KR101851233B1 (en) Apparatus and method for detection of malicious threats included in file, recording medium thereof
CN107465702B (en) Early warning method and device based on wireless network intrusion
CN110868403B (en) Method and equipment for identifying advanced persistent Attack (APT)
CN105471912A (en) Security defense method and system of monitoring system
CN107566401B (en) Protection method and device for virtualized environment
CN111628990A (en) Attack recognition method and device and server
Lingenfelter et al. Analyzing variation among IoT botnets using medium interaction honeypots
Deng et al. Lexical analysis for the webshell attacks
CN107231364B (en) Website vulnerability detection method and device, computer device and storage medium
JP5656266B2 (en) Blacklist extraction apparatus, extraction method and extraction program
CN110768949B (en) Vulnerability detection method and device, storage medium and electronic device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant