Detection method and detection device for file uploading vulnerability (CN113114680A)

Info

Publication number: CN113114680A
Authority: CN (China)
Prior art keywords: message, response message, file, access request, test
Legal status: Granted (active)
Application number: CN202110397528.7A
Other languages: Chinese (zh)
Other versions: CN113114680B (en)
Inventors: 吴鸿霖, 吕博良, 卓越, 姜城
Current assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Original assignee: Industrial and Commercial Bank of China Ltd (ICBC)
Events: application filed by Industrial and Commercial Bank of China Ltd (ICBC); priority to CN202110397528.7A; published as CN113114680A; granted and published as CN113114680B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]

Abstract

The disclosure provides a detection method for a file uploading vulnerability, and belongs to the field of information security. The method comprises the following steps: acquiring an access request of a website; when the access request is a file uploading request, constructing at least one vulnerability attack message based on the access request; sending the vulnerability attack message to the website to obtain a test response message fed back by the website aiming at the vulnerability attack message; comparing the test response message with an original response message, wherein the original response message is a response message fed back by the website aiming at the access request; and when the comparison result represents that the difference between the test response message and the original response message meets a preset condition, determining that the website has a bug. The embodiment of the disclosure also provides a detection device for the file uploading vulnerability, an electronic device and a computer readable storage medium.

Description

Detection method and detection device for file uploading vulnerability
Technical Field
The present disclosure belongs to the technical field of information security; and more particularly, to a method and an apparatus for detecting a file upload vulnerability.
Background
In the web applications of the modern internet, a file upload function is often provided to improve service efficiency, but it also raises the risk of the web application being attacked: if the application has a file upload vulnerability, an attacker can exploit it and, in the worst case, gain control of the whole website or even the server.
Disclosure of Invention
In view of this, the present disclosure provides a method and an apparatus for detecting a file upload vulnerability, an electronic device, and a computer-readable storage medium.
One aspect of the disclosed embodiments provides a method for detecting a file upload vulnerability. The detection method comprises the following steps: acquiring an access request of a website; when the access request is a file uploading request, constructing at least one vulnerability attack message based on the access request; sending the vulnerability attack message to the website to obtain a test response message fed back by the website aiming at the vulnerability attack message; comparing the test response message with an original response message, wherein the original response message is a response message fed back by the website aiming at the access request; and when the comparison result represents that the difference between the test response message and the original response message meets a preset condition, determining that the website has a bug.
According to an embodiment of the present disclosure, the predetermined condition includes: the formats of the test response message and the original response message are consistent, and the difference degree between the test response message and the original response message is smaller than or equal to a threshold value.
According to an embodiment of the present disclosure, comparing the test response message with the original response message includes comparing the formats and sizes of the test response message and the original response message.
According to an embodiment of the present disclosure, comparing the test response message with the original response message further includes: when the formats and the sizes of the test response message and the original response message are consistent, calculating the difference degree according to the format of the messages.
According to an embodiment of the present disclosure, calculating the difference degree according to the format of the message includes: when the format of the message is HTML, calculating the difference degree according to the edit distances of the DOM trees and CSS-DOM trees of the test response message and the original response message; when the format of the message is XML, calculating the difference degree according to the edit distance of the DOM trees of the original response message and the test response message; or when the format of the message is a character string or binary data, calculating the difference degree according to the SimHash values of the original response message and the test response message.
According to an embodiment of the present disclosure, the method further comprises: when the comparison result indicates that at least one of the formats or the sizes of the test response message and the original response message is inconsistent, determining that no vulnerability exists in the website.
According to an embodiment of the present disclosure, the method further includes determining that the website does not have a vulnerability when the difference degree is greater than the threshold.
According to the embodiment of the disclosure, when the access request is a file uploading request, constructing at least one vulnerability attack message based on the access request comprises obtaining at least one vulnerability attack message by at least one of the following methods: replacing the file extension in the message of the access request by using the file extension for testing; generating a malicious code corresponding to the file extension according to the file extension in the message of the access request, and inserting the malicious code into the file information in the message of the access request; or generating an uploading file with the file extension and the file size larger than a preset value according to the file extension in the message of the access request, and replacing the file in the message of the access request with the uploading file.
According to an embodiment of the present disclosure, before replacing the file extension in the access request message, the method further includes obtaining at least one test file extension for replacing the file extension in the access request message, specifically obtaining the test file extension in at least one of the following manners: collecting common extension names of the vulnerability tests; intelligently constructing a special extension name according to a preset rule by using the file extension name in the message of the access request; or combining the file extension in the message of the access request with the common test extension and/or the special extension to form a new extension.
According to the embodiment of the disclosure, when the difference between the test response message and the original response message meets the predetermined condition, determining that the website has the vulnerability includes determining the type of the vulnerability existing in the website according to the obtaining mode of the vulnerability attack message.
In another aspect of the disclosed embodiments, a device for detecting a file upload vulnerability is provided. The device comprises an acquisition module, a construction module, an attack module, a comparison module and a determination module. The acquisition module is used for acquiring the access request of the website. And the construction module is used for constructing at least one vulnerability attack message based on the access request when the access request is a file uploading request. And the attack module is used for sending the vulnerability attack message to the website so as to obtain a test response message fed back by the website aiming at the vulnerability attack message. The comparison module is used for comparing the test response message with an original response message, wherein the original response message is a response message fed back by the website aiming at the access request. The determining module is used for determining that the website has a bug when the comparison result represents that the difference between the test response message and the original response message meets a preset condition.
According to the embodiment of the disclosure, the predetermined condition includes that the formats of the test response packet and the original response packet are consistent, and the difference between the test response packet and the original response packet is less than or equal to a threshold value.
According to an embodiment of the present disclosure, the comparison module includes a first comparison sub-module. The first comparison sub-module is used for comparing the formats and sizes of the test response message and the original response message.
According to an embodiment of the present disclosure, the comparison module further comprises a second comparison submodule. And the second comparison submodule is used for calculating the difference degree according to the format of the message when the formats and the sizes of the test response message and the original response message are consistent.
According to an embodiment of the present disclosure, the second comparison sub-module is further configured to: when the format of the message is HTML, calculating the difference degree according to the editing distances of DOM trees and CSS-DOM trees of the test response message and the original response message; when the format of the message is XML, calculating the difference degree according to the editing distance of DOM trees of the original response message and the test response message; or when the format of the message is a character string or binary data, calculating the difference degree according to the SimHash values of the original response message and the test response message.
According to the embodiment of the disclosure, the determining module is further configured to determine that the website has no vulnerability when the comparison result indicates that at least one of the formats or the sizes of the test response packet and the original response packet is inconsistent.
According to an embodiment of the disclosure, the determining module is further configured to determine that the website does not have a vulnerability when the difference is greater than the threshold.
According to the embodiment of the disclosure, the construction module comprises an extension name replacement submodule, a malicious code insertion submodule and a large file generation submodule. The construction module obtains at least one vulnerability attack message through any one of the extension name replacement submodule, the malicious code insertion submodule or the large file generation submodule. The extension name replacement submodule is used for replacing the file extension in the message of the access request with a file extension for testing. The malicious code insertion submodule is used for generating malicious code corresponding to the file extension according to the file extension in the message of the access request and inserting the malicious code into the file information in the message of the access request. The large file generation submodule is used for generating an upload file that has the file extension and a file size larger than a preset value according to the file extension in the message of the access request, and replacing the file in the message of the access request with the upload file.
According to an embodiment of the present disclosure, the construction module further comprises an extension construction sub-module. The extension name constructing submodule is used for acquiring at least one test file extension name for replacing the file extension name in the message of the access request before replacing the file extension name in the message of the access request. Specifically, the extension construction sub-module is configured to obtain the extension of the file for test in at least one of the following manners: collecting common extension names of the vulnerability tests; intelligently constructing a special extension name according to a preset rule by using the file extension name in the message of the access request; or combining the file extension in the message of the access request with the common test extension and/or the special extension to form a new extension.
According to the embodiment of the disclosure, the determining module is further configured to determine the type of the vulnerability existing in the website according to the obtaining mode of the vulnerability attack packet.
In another aspect of the disclosed embodiments, an electronic device is provided. The electronic device includes one or more memories, and one or more processors. The memory stores executable instructions. The processor executes the executable instructions to implement the method as described above.
Another aspect of the embodiments of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of embodiments of the present disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
One or more of the above-described embodiments may provide the following advantages or benefits: the technical effect of full-process automatic detection of the website file uploading vulnerability can be at least partially achieved, and the detection efficiency and accuracy of the file uploading vulnerability can be effectively improved.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates a system architecture of a detection method and a detection apparatus for a file upload vulnerability according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a detection method for a file upload vulnerability according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a conceptual illustration of a detection method for file upload vulnerabilities according to an embodiment of the present disclosure;
FIG. 4 schematically shows a process schematic for constructing a vulnerability attack message according to an embodiment of the present disclosure;
FIG. 5 schematically shows a flowchart of a detection method for a file upload vulnerability according to another embodiment of the present disclosure;
FIG. 6 schematically shows a flowchart of a detection method for a file upload vulnerability according to yet another embodiment of the present disclosure;
FIG. 7 schematically illustrates a block diagram of a detection apparatus for file upload vulnerabilities according to an embodiment of the present disclosure;
FIG. 8 schematically illustrates a block diagram of a building block in the detection apparatus shown in FIG. 7;
FIG. 9 schematically illustrates a block diagram of a detection apparatus for file upload vulnerabilities, according to another embodiment of the present disclosure;
FIG. 10 is a block diagram schematically illustrating a file upload test case automatic execution module in the detection apparatus shown in FIG. 9;
FIG. 11 is a block diagram schematically illustrating a file upload test result intelligent analysis module in the detection apparatus shown in FIG. 9;
FIG. 12 is a block diagram schematically illustrating a test result feedback module in the detection apparatus shown in FIG. 9; and
fig. 13 schematically shows a block diagram of an electronic device suitable for implementing the detection method and the detection apparatus according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The embodiment of the disclosure provides a detection method, a detection device, electronic equipment and a computer-readable storage medium for file uploading loopholes. The detection method comprises the following steps: acquiring an access request of a website; when the access request is a file uploading request, constructing at least one vulnerability attack message based on the access request; sending the vulnerability attack message to a website to obtain a test response message fed back by the website aiming at the vulnerability attack message; comparing the test response message with an original response message, wherein the original response message is a response message fed back by the website aiming at the access request; and when the comparison result represents that the difference between the test response message and the original response message meets a preset condition, determining that the website has a bug.
The embodiment of the disclosure can at least partially realize full-process automatic detection of the file uploading vulnerability of the website, and can effectively improve the detection efficiency and accuracy of the file uploading vulnerability.
According to the embodiments of the disclosure, a file uploading request of a website can be automatically acquired, at least one vulnerability attack message is automatically constructed according to the file uploading request to carry out attack testing on the website, and the problems that vulnerability detection is limited to a certain specific environment, the testing type is too single, and therefore full coverage cannot be achieved and vulnerability is not reported are solved to a certain extent in the related art.
According to the embodiments of the disclosure, by comparing the difference between the test response message and the original response message, whether the vulnerability attack message is successfully attacked or not can be automatically judged, so that whether a vulnerability exists in a website or not can be automatically judged. In this way, the problem of low manual testing efficiency in the related technology can be effectively improved, and the accuracy of vulnerability detection is improved.
It should be noted that the detection method and the detection apparatus for the file upload vulnerability, which are determined in the embodiment of the present disclosure, may be used in the financial field, and may also be used in any field other than the financial field.
Fig. 1 schematically illustrates a system architecture 100 for a detection method and a detection apparatus for a file upload vulnerability according to an embodiment of the present disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in fig. 1, the system architecture 100 may include a tester 101, a browser or App 102, a detection device 103, and a target application server 104. The target application server 104 may provide background management services for the tester 101 through a website browsed with the browser or App 102. The detection device 103 may execute the detection method according to the embodiment of the present disclosure to detect a file upload vulnerability of a website served by the target application server 104.
The embodiment of the disclosure is suitable for the development stage, the function test stage and the security test stage of the software development life cycle. Therefore, the tester 101 may be a developer, a functional tester, a security tester, and the like.
The tester 101 may initiate an access request 11 (e.g., an HTTP request) through the browser or App 102. On the one hand, the access request 11 reaches the target application server 104 as in ordinary website access; on the other hand, the access request 11 may be acquired (for example, copied) by the detection device 103, which then constructs a vulnerability attack message 12 from the access request 11 and performs vulnerability detection.
The target application server 104 feeds back an original response message (not shown) when receiving the access request 11. Likewise, when receiving the vulnerability attack message 12, the target application server 104 feeds back a test response message 13.
The detection device 103 may execute the detection method according to the embodiment of the present disclosure: on the one hand, it obtains the access request 11 initiated by the tester, constructs the vulnerability attack message 12 when the access request 11 is a file upload request, and sends the vulnerability attack message 12 to the target application server; on the other hand, it acquires the original response message and the test response message 13, obtains the vulnerability detection result 14 by comparing the two, and feeds the vulnerability detection result 14 back to the browser or App 102 so that the tester can check it.
The detecting apparatus 103 may be implemented as any one or a combination of any plurality of the detecting apparatus 700, the detecting apparatus 900, the electronic device 1300, the computer-readable storage medium, or the computer program, which are described below, and the present disclosure is not limited thereto.
Fig. 2 schematically illustrates a flowchart of a detection method 200 for a file upload vulnerability according to an embodiment of the present disclosure. As shown in fig. 2, the detection method 200 may include operations S210 to S250.
Fig. 3 schematically shows a conceptual illustration of a detection method for a file upload vulnerability according to an embodiment of the present disclosure. The detection method 200 is described below with reference to fig. 3.
In operation S210, an access request 30 for a website is acquired;
in operation S220, when the access request 30 is a file upload request, at least one vulnerability attack message 301, 302, 303 is constructed based on the access request 30.
In operation S230, the vulnerability attack message 301/302/303 (i.e., each or any one of 301 to 303) is sent to the website to obtain a test response message 311/312/313 fed back by the website for the vulnerability attack message 301/302/303.
In operation S240, the test response message 311/312/313 is compared with the original response message 31, where the original response message 31 is a response message fed back by the website for the access request 30.
In operation S250, when the comparison result VS1/VS2/VS3 indicates that the difference between the test response packet 311/312/313 and the original response packet 31 satisfies the predetermined condition, it is determined that a vulnerability exists in the website.
According to an embodiment of the present disclosure, the predetermined condition may be, for example, that the formats of the test response message 311/312/313 and the original response message 31 are consistent, and the difference between the test response message 311/312/313 and the original response message 31 is less than or equal to a threshold value. The format of a message may be determined from its suffix (such as .html, .txt or .xml).
Specifically, when the formats of the test response message 311/312/313 and the original response message 31 differ, the website was able to distinguish the access request message 30 from the vulnerability attack message 301/302/303, which indicates that the attack was unsuccessful and the website does not have the corresponding vulnerability.
When the formats of the test response message 311/312/313 and the original response message 31 are consistent, it can be checked directly whether the difference between the test response message 311/312/313 and the original response message 31 is less than or equal to the threshold. If so, the test response message 311/312/313 is very similar to or even identical with the original response message 31, meaning the website could not distinguish the access request message 30 from the vulnerability attack message 301/302/303; this indicates that the attack succeeded and the website has the corresponding vulnerability.
In other embodiments, when the formats of the test response message 311/312/313 and the original response message 31 are consistent, their sizes may be compared next. When the sizes are consistent, it is further judged whether the difference degree between the test response message 311/312/313 and the original response message 31 is less than or equal to the threshold. When the sizes are not consistent (e.g., they differ in magnitude), the website was able to distinguish the test response message 311/312/313 from the original response message 31, so it can be determined that the website does not have the corresponding vulnerability and the difference degree need not be calculated. Judging the difference between messages quickly and intuitively on the two parameters of format and size therefore improves detection efficiency.
According to an embodiment of the present disclosure, when the formats of the test response message 311/312/313 and the original response message 31 are consistent, the calculation manner may be different according to the format of the messages when calculating the difference degree. For example, when the format of the message is HTML, calculating the difference according to the edit distances of the DOM trees and the CSS-DOM trees of the test response message and the original response message (e.g., calculating the edit distances of the DOM trees of the two messages and the edit distances of the CSS-DOM trees, and then summing up to obtain the difference); for another example, when the format of the message is XML, the difference is calculated according to the edit distance of the DOM trees of the original response message and the test response message. Or, for another example, when the format of the message is a character string or binary data, the difference degree may be calculated according to the SimHash values of the original response message and the test response message.
According to the embodiment of the disclosure, by comparing the test response message 311/312/313 with the original response message 31, it can be automatically and more accurately determined whether the vulnerability attack message 301/302/303 is successfully attacked. And then, whether the corresponding vulnerability exists in the website can be determined more efficiently and accurately.
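The comparison of operations S240 and S250, as an added example that is not the disclosure's own code: the format is taken from the Content-Type header, format and size are checked first, and the difference degree is a simplified tree edit distance over the DOM for HTML/XML (the CSS-DOM term is omitted) or a SimHash Hamming distance for string/binary bodies. SIZE_TOLERANCE and THRESHOLD are assumed demo values, and the sample responses are constructed.

```python
# Added example (not the disclosure's code): compare a test response with the original.
# A response is (content_type, body_bytes). Assumed simplifications: DOM tree only for
# HTML (no CSS-DOM term), a top-down tree edit distance, and demo-valued constants.
import hashlib
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from typing import Tuple

SIZE_TOLERANCE = 0.10   # sizes count as "consistent" within 10% of each other (assumed)
THRESHOLD = 0.20        # difference degree <= this: attack message was not told apart (assumed)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}

def message_format(content_type: str) -> str:
    """Map the Content-Type header to the four formats the description distinguishes."""
    ct = content_type.lower()
    if "text/html" in ct:
        return "html"
    if "xml" in ct:
        return "xml"
    if ct.startswith("text/") or "json" in ct:
        return "string"
    return "binary"

class _DomBuilder(HTMLParser):
    """Builds a (tag, children) element tree with the stdlib parser; text nodes are ignored."""
    def __init__(self):
        super().__init__()
        self.stack = [("#root", [])]
    def handle_starttag(self, tag, attrs):
        node = (tag, [])
        self.stack[-1][1].append(node)
        if tag not in VOID_TAGS:
            self.stack.append(node)
    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, 0, -1):  # pop back to the matching open tag
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def parse_tree(fmt: str, body: bytes) -> tuple:
    """(tag, children) tree for an HTML or XML body."""
    if fmt == "html":
        p = _DomBuilder()
        p.feed(body.decode("utf-8", "replace"))
        p.close()
        return p.stack[0]
    def conv(e):
        return (e.tag, [conv(c) for c in e])
    return ("#root", [conv(ET.fromstring(body))])

def tree_size(t: tuple) -> int:
    return 1 + sum(tree_size(c) for c in t[1])

def tree_distance(a: tuple, b: tuple) -> int:
    """Simplified tree edit distance: relabel costs 1, insert/delete of a subtree costs
    its size, and sibling lists are aligned by sequence edit distance."""
    cost = 0 if a[0] == b[0] else 1
    ca, cb = a[1], b[1]
    d = [[0] * (len(cb) + 1) for _ in range(len(ca) + 1)]
    for i in range(1, len(ca) + 1):
        d[i][0] = d[i - 1][0] + tree_size(ca[i - 1])
    for j in range(1, len(cb) + 1):
        d[0][j] = d[0][j - 1] + tree_size(cb[j - 1])
    for i in range(1, len(ca) + 1):
        for j in range(1, len(cb) + 1):
            d[i][j] = min(d[i - 1][j] + tree_size(ca[i - 1]),
                          d[i][j - 1] + tree_size(cb[j - 1]),
                          d[i - 1][j - 1] + tree_distance(ca[i - 1], cb[j - 1]))
    return cost + d[-1][-1]

def simhash(data: bytes, bits: int = 64) -> int:
    """SimHash over byte 4-grams, so one routine serves string and binary bodies."""
    votes = [0] * bits
    for i in range(max(1, len(data) - 3)):
        h = int.from_bytes(hashlib.sha1(data[i:i + 4]).digest()[:8], "big")
        for bit in range(bits):
            votes[bit] += 1 if (h >> bit) & 1 else -1
    return sum(1 << bit for bit in range(bits) if votes[bit] > 0)

def difference_degree(fmt: str, orig: bytes, test: bytes) -> float:
    """Normalised to [0, 1] so a single THRESHOLD applies to every format."""
    if fmt in ("html", "xml"):
        a, b = parse_tree(fmt, orig), parse_tree(fmt, test)
        return min(1.0, tree_distance(a, b) / max(tree_size(a), tree_size(b)))
    return bin(simhash(orig) ^ simhash(test)).count("1") / 64

def compare_responses(original, test, threshold: float = THRESHOLD) -> Tuple[bool, str]:
    """Operations S240/S250: returns (vulnerable, reason); format and size are fast rejects."""
    (ct_o, body_o), (ct_t, body_t) = original, test
    fo, ft = message_format(ct_o), message_format(ct_t)
    if fo != ft:
        return False, f"format differs ({fo} vs {ft}): website told the messages apart"
    if abs(len(body_o) - len(body_t)) > SIZE_TOLERANCE * max(len(body_o), len(body_t), 1):
        return False, "size differs: website told the messages apart"
    diff = difference_degree(fo, body_o, body_t)
    if diff > threshold:
        return False, f"difference degree {diff:.2f} above threshold: no vulnerability"
    return True, f"difference degree {diff:.2f} within threshold: possible upload vulnerability"

# Constructed sample responses: the original upload reply and three test replies.
ORIGINAL = ("text/html", b"<html><body><h1>Upload complete</h1><p>Saved as avatar.png</p></body></html>")
SAME_DOM = ("text/html", b"<html><body><h1>Upload complete</h1><p>Saved as avatar.php</p></body></html>")
OTHER_DOM = ("text/html", b"<html><body><div><b>Upload rejected</b><i>bad extension</i></div></body></html>")
PLAIN = ("text/plain", b"rejected")
```

SAME_DOM differs from ORIGINAL only in text, so its DOM distance is 0 and it is flagged; OTHER_DOM has a similar size but a different structure and is rejected on the difference degree.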
Fig. 4 schematically shows a process schematic of constructing a vulnerability attack message in operation S230 according to an embodiment of the present disclosure.
The description below also refers to fig. 3. As shown in fig. 4, in operation S230 according to the embodiment of the present disclosure, when the access request 30 is a file upload request, at least one vulnerability attack message 301, 302, 303 may be constructed based on the access request 30 in, for example, the following ways: replacing the file extension in the message 30 of the access request with a file extension for testing (S401), so as to obtain a vulnerability attack message 301; or generating malicious code corresponding to the file extension according to the file extension in the message 30 of the access request, and inserting the malicious code into the file information in the message of the access request (S402), thereby obtaining a vulnerability attack message 302; or generating an upload file that has the file extension and a file size larger than a predetermined value according to the file extension in the message 30 of the access request, and replacing the file in the message of the access request with the upload file (S403), thereby obtaining a vulnerability attack message 303.
According to the embodiment of the present disclosure, in the construction process shown in fig. 4, before replacing the file extension in the access request message 30 in S401, at least one test file extension for replacing the file extension in the access request message 30 may be obtained in advance.
The way of obtaining the extension name of the test file can be various, and examples are as follows.
For example, extensions commonly used in vulnerability testing may be collected, such as ".jsp", ".php", ".asp", ".jsp%00", ".php%00", ".asp%00" and the like.
For another example, special extensions may be constructed automatically from the file extension in the access request message 30 according to predetermined rules. Taking a file extension of ".png" in the access request message as an example, special extensions such as ".pNg", ".PNG", ".Png", ".pnG", ".png.xxxx", ".PNG/", ".php.", ".PNG.", ".pnngg" and the like can be constructed. The predetermined rules may include, for example, changing the case of individual characters of the extension "png", adding special characters before or after it, or repeating characters.
As another example, the file extension in the access request message 30 may be combined with a common test extension and/or a special extension to form a new extension. Continuing with the ".png" example, the combined extensions may be, for example, ".png.jsp", ".jsp.png", ".jsp%00.png", ".png.php", ".php.png", ".php%00.png", ".png.asp", ".asp.png", ".asp%00.png" and so on.
After these extensions are obtained, in S401 each of them in turn replaces the file extension in the parameter that describes the file in the request body of the access request message 30, so that one vulnerability attack message 301 is formed per replacement.
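The three ways of obtaining test extensions, and the replacement of S401, as an added worked example in Python; this is not code from the patent or from its assignee, and the multipart request it mutates is constructed for the example. The variant rules (which characters get upper-cased, which junk is appended) and the decision to recompute Content-Length are assumptions of this example, not details given on the page:

```python
from __future__ import annotations

import re

# Extensions commonly tried in manual upload testing (the page's "base case library").
COMMON_TEST_EXTENSIONS = [".jsp", ".php", ".asp", ".jsp%00", ".php%00", ".asp%00"]

# filename parameter of a multipart Content-Disposition header (first file part only).
FILENAME_RE = re.compile(rb'(Content-Disposition:[^\r\n]*?filename=")([^"]*)(")', re.IGNORECASE)
CONTENT_LENGTH_RE = re.compile(rb"(Content-Length:\s*)(\d+)", re.IGNORECASE)


def _dedupe(items):
    seen = set()
    return [x for x in items if not (x in seen or seen.add(x))]


def special_extensions(ext: str) -> list[str]:
    """Variants of the original extension built by the page's rules: case changes,
    special characters before/after the name, and repeated characters."""
    name = ext.lstrip(".")
    out = []
    for i in range(len(name)):                       # one character upper-cased at a time
        out.append("." + name[:i] + name[i].upper() + name[i + 1:])
    out.append("." + name.upper())                   # whole name upper-cased
    out += ["." + name + ".xxxx", "." + name + "/", "." + name + ".",
            "." + name + "%00", ". " + name]          # junk and special characters around it
    out.append("." + "".join(c if i == 0 else c * 2 for i, c in enumerate(name)))  # png -> pnngg
    return _dedupe(out)


def combined_extensions(ext: str, common=COMMON_TEST_EXTENSIONS) -> list[str]:
    """Double extensions: the original extension before and after each common test extension."""
    out = []
    for c in common:
        out.append(ext + c)      # .png.jsp
        out.append(c + ext)      # .jsp.png, .jsp%00.png
    return _dedupe(out)


def file_extension(request: bytes) -> str | None:
    """Extension of the uploaded filename in a raw multipart request; None if there is no file."""
    m = FILENAME_RE.search(request)
    if not m:
        return None
    name = m.group(2).decode("latin-1")
    return name[name.rfind("."):] if "." in name else ""


def replace_extension(request: bytes, new_ext: str) -> bytes:
    """Copy of the request whose uploaded filename carries new_ext instead of its own extension."""
    def swap(m):
        name = m.group(2).decode("latin-1")
        base = name[:name.rfind(".")] if "." in name else name
        return m.group(1) + (base + new_ext).encode("latin-1") + m.group(3)
    return FILENAME_RE.sub(swap, request, count=1)


def fix_content_length(request: bytes) -> bytes:
    """Recompute Content-Length after the body changed (assumed step): a stale value makes
    the server truncate or reject the request instead of exercising the extension check."""
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        return request
    head = CONTENT_LENGTH_RE.sub(lambda m: m.group(1) + str(len(body)).encode(), head, count=1)
    return head + sep + body


def build_attack_messages(request: bytes) -> list[tuple[str, str, bytes]]:
    """One (rule, extension, message) triple per test extension. The rule is kept so that a
    successful upload can later be mapped to the control that is missing."""
    ext = file_extension(request)
    if ext is None:
        return []
    cases = [("common", e) for e in COMMON_TEST_EXTENSIONS]
    cases += [("special", e) for e in special_extensions(ext)]
    cases += [("combined", e) for e in combined_extensions(ext)]
    return [(rule, e, fix_content_length(replace_extension(request, e))) for rule, e in cases]


# Constructed sample upload request (not captured from any real system).
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: multipart/form-data; boundary=----b\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"------b\r\n"
    b'Content-Disposition: form-data; name="file"; filename="avatar.png"\r\n'
    b"Content-Type: image/png\r\n"
    b"\r\n"
    b"\x89PNG\r\n\x1a\n"
    b"\r\n------b--\r\n"
)

if __name__ == "__main__":
    for rule, ext, msg in build_attack_messages(SAMPLE_REQUEST):
        print(rule, ext, FILENAME_RE.search(msg).group(2))
```

Only the filename is rewritten; the file bytes and the part's Content-Type are left as captured, so a target that sniffs content rather than trusting the name is exercised by the S402 and S403 cases, not by these.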
According to an embodiment of the present disclosure, in operation S230, when the difference between the test response message 311/312/313 and the original response message 31 satisfies the predetermined condition and the website is determined to have a vulnerability, the type of the vulnerability may be determined from the way the vulnerability attack message 301/302/303 was obtained, that is, from which of S401 to S403 in fig. 4 produced the message and/or from the rule or content used to construct it. For example, a successful message from S401 indicates that the case of the file extension, or certain characters in it, are not controlled; a successful message from S403 indicates that the size of the uploaded file is not controlled; and a successful message from S402 indicates that there is no mechanism for detecting and intercepting malicious code. A more detailed detection result can therefore be obtained and reported to the testers, and because the vulnerability attack messages are constructed in several different ways, the types and content of the vulnerabilities detected can be more comprehensive.
Fig. 5 schematically shows a flowchart of a detection method for a file upload vulnerability according to another embodiment of the present disclosure.
As shown in fig. 5, the detection method 500 according to this embodiment may include operations S210 to S240 and operations S251 to S256. Operations S210 to S240 are as described above and are not repeated here. The remaining operations are described below with reference to fig. 3.
After the website has been attacked with the vulnerability attack message 301/302/303 and the test response message 311/312/313 returned for it has been obtained through operations S210 to S240, the test response message 311/312/313 is compared with the original response message 31 and a judgment is made on the comparison result VS1/VS2/VS3.
First, in operation S251, it is determined whether the formats of the test response message and the original response message are consistent. If they are not, the website evidently distinguished the vulnerability attack message 301/302/303 from the access request message 30, so the attack message could not pass itself off as the access request; operation S256 may then be performed to determine that no vulnerability exists. If the formats are consistent, it cannot yet be decided whether the disguise succeeded, and operation S252 is performed next.
Next, in operation S252, it is determined whether the sizes of the test response message 311/312/313 and the original response message 31 are consistent. If they are not (for example, if they differ by an order of magnitude), this again shows that the website distinguished the vulnerability attack message 301/302/303 from the access request message 30, and operation S256 may be performed to determine that no vulnerability exists. If the sizes are consistent, the result is still undecided and operation S253 is performed next.
Next, in operation S253, when the formats and sizes of the test response message 311/312/313 and the original response message 31 are consistent, a difference degree is calculated in a way that depends on the message format. For example, when the format is HTML, the difference degree is calculated from the edit distances between the DOM trees, and between the CSS-DOM trees, of the test response message 311/312/313 and the original response message 31; when the format is XML, it is calculated from the edit distance between the DOM trees of the two messages; and when the message is a character string or binary data, it is calculated from the SimHash values of the two messages.
Then, in operation S254, it is determined whether the difference degree between the test response message 311/312/313 and the original response message 31 is less than or equal to a threshold. If it is not, the website again distinguished the vulnerability attack message 301/302/303 from the access request message 30, and operation S256 may be performed to determine that no vulnerability exists. If it is, the website's responses to the vulnerability attack message 301/302/303 and to the access request message 30 are essentially the same in format, size and content, which means the website could not tell the vulnerability attack messages 301, 302, 303 apart from the access request message 30; this indicates a vulnerability, and operation S255 is performed.
Then, in operation S255, when the message formats and sizes are consistent and the calculated difference degree is less than or equal to the threshold, it is determined that a vulnerability exists in the website.
Otherwise, in operation S256, when the format or the size of the messages is inconsistent, or the calculated difference degree is greater than the threshold, it is determined that the website has no vulnerability.
Therefore, according to the embodiment of the disclosure, because the format and size of a message are easy to obtain and to inspect, the difference between the test response message and the original response message is first judged on those two attributes, which improves the efficiency of the comparison. When the comparison result shows that the formats or the sizes of the two messages are inconsistent, it can be determined that the website has no vulnerability.
Further, when the two messages agree in format and size and the difference between them cannot yet be decided, the difference degree is calculated in a way suited to the message format, which makes the judgment more accurate. When the difference degree is less than or equal to the threshold, the website is determined to have the vulnerability; when it is greater than the threshold, the website is determined not to have it, so the conclusion on whether the vulnerability exists is more reliable. Note that this comparison is a heuristic on the response alone: a response that differs from the original shows only that the website treated the two requests differently, not how the uploaded file was handled, so the threshold has to be tuned against the target and a reported result should be confirmed by the tester.
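The decision chain S251 to S256, as an added worked example in Python (not the patent's or its assignee's code). The format classifier, the size tolerance and the difference threshold are assumptions of this example, since the page gives no values; the DOM edit distance is approximated here by the Levenshtein distance over the pre-order element sequence, and the CSS-DOM tree comparison the page mentions for HTML is omitted. The four responses are constructed for the example:

```python
from __future__ import annotations

import hashlib
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

DIFF_THRESHOLD = 0.2    # assumed threshold for the difference degree (page gives none)
SIZE_TOLERANCE = 0.2    # assumed: sizes count as consistent when within 20% of each other
HASH_BITS = 64


def detect_format(body: bytes) -> str:
    """Classify a response body as html, xml, text or binary (assumed heuristic)."""
    head = body.lstrip()[:512].lower()
    if b"<html" in head or head.startswith(b"<!doctype html"):
        return "html"
    if head.startswith(b"<"):
        return "xml"
    try:
        body.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tag_sequence(body: bytes, fmt: str) -> list[str]:
    """Pre-order list of element names; a flattened stand-in for the DOM tree."""
    if fmt == "xml":
        try:
            return [el.tag for el in ET.fromstring(body).iter()]
        except ET.ParseError:
            pass
    parser = _TagCollector()
    parser.feed(body.decode("utf-8", "replace"))
    return parser.tags


def edit_distance(a: list, b: list) -> int:
    """Levenshtein distance between two sequences."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]


def simhash(data: bytes, fmt: str) -> int:
    """64-bit SimHash over word tokens (text) or 4-byte shingles (binary)."""
    if fmt == "text":
        tokens = re.findall(rb"\w+", data)
    else:
        tokens = [data[i:i + 4] for i in range(0, len(data), 4)]
    acc = [0] * HASH_BITS
    for tok in tokens:
        h = int.from_bytes(hashlib.blake2b(tok, digest_size=8).digest(), "big")
        for bit in range(HASH_BITS):
            acc[bit] += 1 if (h >> bit) & 1 else -1
    return sum(1 << bit for bit in range(HASH_BITS) if acc[bit] > 0)


def difference_degree(orig: bytes, test: bytes, fmt: str) -> float:
    """0.0 = identical, 1.0 = nothing in common; structural for html/xml, SimHash otherwise."""
    if fmt in ("html", "xml"):
        a, b = tag_sequence(orig, fmt), tag_sequence(test, fmt)
        return edit_distance(a, b) / max(len(a), len(b), 1)
    return bin(simhash(orig, fmt) ^ simhash(test, fmt)).count("1") / HASH_BITS


def judge(orig: bytes, test: bytes) -> tuple[bool, str]:
    """Decide as in S251 to S256; returns (vulnerable, reason)."""
    f_orig, f_test = detect_format(orig), detect_format(test)
    if f_orig != f_test:                                             # S251
        return False, f"format differs ({f_orig} vs {f_test})"
    if abs(len(orig) - len(test)) / max(len(orig), len(test), 1) > SIZE_TOLERANCE:  # S252
        return False, f"size differs ({len(orig)} vs {len(test)} bytes)"
    d = difference_degree(orig, test, f_orig)                        # S253
    if d > DIFF_THRESHOLD:                                           # S254
        return False, f"difference degree {d:.2f} above threshold"
    return True, f"difference degree {d:.2f} within threshold"


# Constructed responses (not captured from any real system).
ORIGINAL = b'<html><body><p>Uploaded avatar.png</p><a href="/files/avatar.png">view</a></body></html>'
ACCEPTED = b'<html><body><p>Uploaded avatar.php</p><a href="/files/avatar.php">view</a></body></html>'
REJECTED = b'<html><body><h1>Error</h1><p>Extension .php is not allowed</p></body></html>'
JSON_ERR = b'{"error":"invalid extension"}'

if __name__ == "__main__":
    for name, test in (("accepted", ACCEPTED), ("rejected", REJECTED), ("json", JSON_ERR)):
        print(name, judge(ORIGINAL, test))
```

The ACCEPTED page echoes a different filename but has the same element structure as the original, so it passes all three gates; the REJECTED page is close enough in size to reach S253 and is then caught by the structural difference, which is the case the format and size checks alone would miss.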
Fig. 6 schematically illustrates a flowchart of a method 600 for detecting a file upload vulnerability according to still another embodiment of the present disclosure.
As shown in fig. 6, the detection method 600 may include steps S1 to S8.
S1, capturing a message: this step obtains the HTTP message sent when a tester initiates a service request and forwards it to the detection apparatus through a proxy.
S2, message classification and identification: this step identifies the message captured in S1.
S3, determining whether the captured message is a file upload message: if so, proceed to S4; if not, the flow ends.
S4, generating vulnerability attack messages: this step generates one or more vulnerability attack messages from the file upload message in preparation for the test. The generation process may be as in operation S230 described above.
S5, sending test messages: this step sends the vulnerability attack messages in a certain order.
S6, analysing results: this step analyses the responses to the messages sent in S5, for example as in operation S240 described above.
S7, judging whether the upload succeeded: if the upload succeeded, S8 (result storage and display) is performed and the flow ends; if the upload failed, S8 is performed and the flow returns to S5 to send the next test message. When the difference between the test response message and the original response message satisfies the predetermined condition, the upload of the vulnerability attack message is judged to have succeeded; otherwise it is judged to have failed.
S8, storing and displaying results: this step classifies and stores the attack means and the test result of each test and displays them on a result page for the tester, so that the tester can see how well the website controls file uploads.
Fig. 7 schematically illustrates a block diagram of a detection apparatus 700 for a file upload vulnerability according to an embodiment of the present disclosure.
As shown in fig. 7, a detection apparatus 700 according to an embodiment of the present disclosure may include an acquisition module 710, a construction module 720, an attack module 730, a comparison module 740, and a determination module 750. The detection apparatus 700 may be a specific embodiment of the detection apparatus 103, and may be used to implement the detection methods described with reference to fig. 2 to 6.
Specifically, the obtaining module 710 is configured to obtain an access request of a website.
The constructing module 720 is configured to construct at least one vulnerability attack message based on the access request when the access request is a file upload request.
The attack module 730 is configured to send the vulnerability attack packet to a website, so as to obtain a test response packet fed back by the website for the vulnerability attack packet.
The comparing module 740 is configured to compare the test response message with an original response message, where the original response message is a response message fed back by the website for the access request.
The determining module 750 is configured to determine that a vulnerability exists in the website when the comparison result shows that the difference between the test response message and the original response message satisfies a predetermined condition. According to an embodiment of the present disclosure, the predetermined condition may be that the formats of the test response message and the original response message are consistent and the difference degree between them is less than or equal to a threshold.
According to an embodiment of the present disclosure, the comparison module 740 may include a first comparison sub-module, which compares the formats and sizes of the test response message and the original response message.
According to another embodiment of the present disclosure, the comparison module 740 may further include a second comparison sub-module, which calculates the difference degree according to the message format when the formats and sizes of the test response message and the original response message are consistent. According to yet another embodiment, the second comparison sub-module is further configured to: when the message format is HTML, calculate the difference degree from the edit distances between the DOM trees, and between the CSS-DOM trees, of the test response message and the original response message; when the message format is XML, calculate it from the edit distance between the DOM trees of the two messages; or when the message is a character string or binary data, calculate it from the SimHash values of the two messages.
According to an embodiment of the present disclosure, the determining module 750 is further configured to determine that there is no vulnerability in the website when the comparison result shows that the formats or the sizes of the test response message and the original response message are inconsistent.
According to another embodiment of the present disclosure, the determining module 750 may be further configured to determine that the website has no vulnerability when the difference degree is greater than the threshold.
According to another embodiment of the present disclosure, the determining module 750 is further configured to determine the type of the vulnerability existing in the website according to the way the vulnerability attack message was obtained.
Fig. 8 schematically shows a block diagram of a configuration module 720 in the detection apparatus 700 shown in fig. 7.
As shown in fig. 8, the construction module 720 according to this embodiment may include an extension replacement sub-module 721, a malicious code insertion sub-module 722, and a large file generation sub-module 723. The construction module 720 may obtain at least one vulnerability attack message through any one of the extension replacement sub-module 721, the malicious code insertion sub-module 722, or the large file generation sub-module 723. Further, according to an embodiment of the present disclosure, the construction module 720 may also include an extension construction sub-module 724.
Specifically, the extension replacing sub-module 721 is configured to replace the file extension in the message of the access request with the test file extension. The extension construction submodule 724 is configured to, before replacing the file extension in the access request message, obtain at least one test file extension used for replacing the file extension in the access request message. According to an embodiment of the present disclosure, the extension construction submodule 724 is configured to obtain the extension name of the file for test in at least one of the following manners: collecting common extension names of the vulnerability tests; intelligently constructing a special extension name according to a preset rule by using the file extension name in the message of the access request; or combining the file extension in the message of the access request with the common test extension and/or the special extension to form a new extension.
The malicious code insertion sub-module 722 is configured to generate a malicious code corresponding to the file extension according to the file extension in the message of the access request, and insert the malicious code into the file information in the message of the access request.
The large file generation sub-module 723 is configured to generate an upload file with a file size larger than a predetermined value and having the file extension according to the file extension in the access request message, and replace the file in the access request message with the upload file.
Fig. 9 schematically illustrates a block diagram of a detection apparatus 900 for a file upload vulnerability according to another embodiment of the present disclosure.
As shown in fig. 9, the detection apparatus 900 may include a file upload message determination module 901, a file upload test case automatic execution module 902, a file upload test result intelligent analysis module 903, and a test result feedback module 904. The detection device 900 is an embodiment of the detection device 103.
File upload message determination module 901: when the tester invokes a service function, the HTTP message is captured and forwarded to the detection apparatus through the proxy, and the file upload message determination module 901 in the detection apparatus 900 determines from the characteristics of the HTTP message whether it relates to a file upload function. For example, the determination may be made according to whether the parameters in the request line or the request body contain file format or file type information. When a file upload message is identified, the identification result is output together with information such as the file extension found in the request body.
File upload test case automatic execution module 902: according to the result of the file upload message determination module 901, the messages related to the file upload function are screened out automatically, reassembled into vulnerability attack messages, and sent automatically to the target application server.
File upload test result intelligent analysis module 903: compares the test response message returned by the target application server for the vulnerability attack message with the original response message returned for the original access request, measures their difference in one or more respects, such as format, size, structural similarity for HTML, edit distance for semi-structured XML, or SimHash values for character strings, and judges whether the website has a file upload vulnerability.
Test result feedback module 904: writes the detection result of the intelligent analysis module 903 to a record file and feeds it back to the tester as a web page.
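The identification step of module 901, as an added worked example in Python (not the patent's or its assignee's code): it parses a raw HTTP request, recognises a file upload by a multipart/form-data body whose part carries a filename, and reports the extension and size of each file part. Treating "has a filename parameter" as the upload signal is this example's assumption; the page only says the request line or body is checked for file format and type information. Both requests are constructed for the example:

```python
from __future__ import annotations

import re
from dataclasses import dataclass

BOUNDARY_RE = re.compile(r'boundary="?([^";\r\n]+)"?', re.IGNORECASE)
DISPOSITION_RE = re.compile(rb"Content-Disposition:\s*form-data;([^\r\n]*)", re.IGNORECASE)
PART_TYPE_RE = re.compile(rb"Content-Type:\s*([^\r\n]+)", re.IGNORECASE)
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class UploadPart:
    field: str          # form field name
    filename: str       # client-supplied filename, untrusted
    extension: str      # lower-cased, including the dot; "" if none
    content_type: str   # part Content-Type, also client-supplied
    size: int           # bytes of file content


def split_request(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Request line, lower-cased header map and body of a raw HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def upload_parts(raw: bytes) -> list[UploadPart]:
    """Every multipart part that carries a filename; empty for non-upload requests."""
    _, headers, body = split_request(raw)
    ctype = headers.get("content-type", "")
    boundary = BOUNDARY_RE.search(ctype) if ctype.lower().startswith("multipart/form-data") else None
    if not boundary:
        return []
    delimiter = b"--" + boundary.group(1).encode("latin-1")
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):           # closing delimiter "--boundary--"
            break
        phead, _, pbody = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if pbody.endswith(b"\r\n"):           # CRLF that belongs to the next delimiter
            pbody = pbody[:-2]
        disp = DISPOSITION_RE.search(phead)
        if not disp:
            continue
        params = dict(PARAM_RE.findall(disp.group(1).decode("latin-1")))
        if "filename" not in params:          # ordinary form field, not a file
            continue
        name = params["filename"]
        ext = name[name.rfind("."):].lower() if "." in name else ""
        ptype = PART_TYPE_RE.search(phead)
        parts.append(UploadPart(params.get("name", ""), name, ext,
                                ptype.group(1).decode("latin-1") if ptype else "", len(pbody)))
    return parts


def is_file_upload(raw: bytes) -> bool:
    return bool(upload_parts(raw))


# Constructed requests (not captured from any real system).
UPLOAD_REQUEST = (
    b"POST /profile/avatar HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: multipart/form-data; boundary=----b\r\n"
    b"\r\n"
    b"------b\r\n"
    b'Content-Disposition: form-data; name="title"\r\n'
    b"\r\n"
    b"My avatar\r\n"
    b"------b\r\n"
    b'Content-Disposition: form-data; name="file"; filename="avatar.png"\r\n'
    b"Content-Type: image/png\r\n"
    b"\r\n"
    b"\x89PNG\r\n\x1a\n"
    b"\r\n------b--\r\n"
)
FORM_REQUEST = (
    b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 22\r\n\r\n"
    b"user=alice&pass=secret"
)

if __name__ == "__main__":
    print(is_file_upload(UPLOAD_REQUEST), upload_parts(UPLOAD_REQUEST))
    print(is_file_upload(FORM_REQUEST))
```

The text field "title" is skipped because it has no filename, so a single request with mixed parts yields exactly the file parts that the later construction step needs to rewrite.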
Fig. 10 schematically shows a block diagram of the automatic file upload test case execution module 902 in the inspection apparatus shown in fig. 9.
As shown in fig. 10, the file upload test case automatic execution module 902 may include a base case library 1001, an intelligent matching case library 1002, and a test case intelligent reporting unit 1003.
The basic case library 1001 mainly stores cases commonly used in manual file upload vulnerability testing, for example the common extensions ".jsp", ".php", ".asp", ".jsp%00", ".php%00", ".asp%00" and the like.
Intelligent matching case library 1002: automatically generates at least one corresponding test file extension from the file extension in the access request message. The test file extension is used to replace the file extension in the access request message, and a vulnerability attack message is constructed in this way.
The constructed vulnerability attack messages form a test case library. In one embodiment, the test case library is divided into two types, "file type test cases" and "file size test cases", according to how the vulnerability attack messages were obtained. Both are illustrated below with ".png".
The file type test cases are obtained by the following methods 1), 2) and 3):
1) When the file extension in the access request message is ".png", special extensions are constructed automatically, such as ".pNg", ".PNG", ".Png", ".pnG", ".png.xxxx", ".PNG/", ".php.", ".PNG.", ".pnngg" and the like; the construction changes the case of individual characters of "png", adds special characters before or after it, or repeats characters. The vulnerability attack messages obtained by replacing the file extension in the access request message with these special extensions are the class 1) file type test cases.
2) When the file extension in the access request message is ".png", "png" is combined with the common extensions in the basic case library to form new extensions such as ".png.jsp", ".jsp.png", ".jsp%00.png", ".png.php", ".php.png", ".php%00.png", ".png.asp", ".asp.png", ".asp%00.png" and so on. The vulnerability attack messages obtained by replacing the file extension in the access request message with these combined extensions are the class 2) file type test cases.
3) When the file extension in the access request message is ".png", a file containing malicious content is constructed automatically. For example, malicious PHP code is inserted into the PNG picture carried in the access request message to make a picture trojan that keeps the ".png" suffix, and the vulnerability attack message that uploads this picture trojan is a class 3) file type test case.
The file size test cases may be obtained as follows: for example, when the file extension in the access request message is ".png", a picture file of 10 GB with the ".png" suffix is generated and used as the upload file, giving a vulnerability attack message.
Test case intelligent reporting unit 1003: sends the test cases in the intelligent matching case library 1002 to the target server. The file type cases are sent first, starting with the class 1) cases, and the feedback from the file upload test result intelligent analysis module 903 is received for each. If feedback that the upload succeeded is received, sending of the file type cases stops and sending of the file size cases begins; if feedback that the upload failed is received, the file type cases continue to be sent in the order 1), 2), 3), and sending of the file size cases begins only after feedback of a successful upload is received or all file type cases in the intelligent matching case library 1002 have been sent. After all cases in the library have been sent, sending stops automatically.
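The dispatch order of unit 1003 together with the mapping from attack means to vulnerability type described earlier for S401 to S403, as an added worked example in Python (not the patent's or its assignee's code). The case library and the stand-in target are constructed for the example; the target's behaviour (a case-sensitive allow-list on the last extension, no size limit) and the wording of the vulnerability types are this example's assumptions:

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable

# Assumed mapping from the way a case was built to the control it shows to be missing.
VULNERABILITY_TYPE = {
    ("file_type", 1): "extension case or special characters not controlled",
    ("file_type", 2): "double extension not controlled",
    ("file_type", 3): "no detection of malicious content in uploaded file",
    ("file_size", 0): "upload size not limited",
}


@dataclass(frozen=True)
class TestCase:
    category: str       # "file_type" or "file_size"
    cls: int            # 1/2/3 for file-type cases, 0 for file-size cases
    attack_means: str   # recorded per test for the result page
    filename: str
    size: int = 8       # byte size of the (constructed) upload body


def run_cases(cases: list[TestCase], upload_accepted: Callable[[TestCase], bool]) -> list[dict]:
    """File-type cases go in class order 1 -> 2 -> 3 and stop at the first accepted upload;
    the file-size cases then run the same way. Every send is recorded with its attack means."""
    results = []
    for category in ("file_type", "file_size"):
        stage = sorted((c for c in cases if c.category == category), key=lambda c: c.cls)
        for case in stage:
            ok = upload_accepted(case)
            results.append({
                "filename": case.filename,
                "attack_means": case.attack_means,
                "uploaded": ok,
                "vulnerability": VULNERABILITY_TYPE[(case.category, case.cls)] if ok else None,
            })
            if ok:
                break
    return results


# Constructed case library derived from an original "avatar.png" upload.
CASES = [
    TestCase("file_type", 1, "case change", "avatar.pNg"),
    TestCase("file_type", 1, "trailing dot", "avatar.png."),
    TestCase("file_type", 2, "double extension", "avatar.png.jsp"),
    TestCase("file_type", 2, "double extension", "avatar.jsp.png"),
    TestCase("file_type", 3, "php code embedded in png", "avatar.png"),
    TestCase("file_size", 0, "oversized file", "avatar.png", size=10 * 1024 ** 3),
]


def fake_target(case: TestCase) -> bool:
    """Constructed target standing in for the website and the analysis module's verdict:
    a case-sensitive allow-list on the last extension only, no size limit, no content scan."""
    return case.filename.rsplit(".", 1)[-1] in {"png", "jpg"}


if __name__ == "__main__":
    for row in run_cases(CASES, fake_target):
        print(row)
```

Against this target the class 1) cases are refused, the first class 2) case that ends in ".png" is accepted and stops the file-type stage, and the oversized file is accepted too, so the stored results name two missing controls rather than one.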
Fig. 11 schematically shows a block diagram of the intelligent analysis module 903 for file upload test results in the detection apparatus shown in fig. 9.
As shown in fig. 11, the file upload test result intelligent analysis module 903 may include a test method recording unit 1101, an upload success determination unit 1102, and an upload failure retry feedback unit 1103.
Test method recording unit 1101: several vulnerability attack messages are generally constructed for one access request message, so several attack tests are initiated; the test method recording unit 1101 records the attack method used in each test.
Upload success determination unit 1102: receives the original response message and the test response message returned by the target application server 108 and determines from their difference whether the file in the vulnerability attack message was uploaded successfully; a successful upload means a vulnerability risk is present, a failed upload means it is not. The formats and sizes of the two messages are judged first. In this embodiment, if the formats or sizes are inconsistent, the website is judged not to be at risk. If the formats and sizes are consistent, the difference degree is calculated according to the specific message format: for structured responses such as HTML, from the edit distances between the DOM trees, and between the CSS-DOM trees, of the original and test response messages, and the website is at risk if the difference degree does not exceed the threshold; for semi-structured responses such as XML, from the edit distance between the DOM trees of the two messages, with the same rule; and for unstructured responses such as character strings or binary data, from the SimHash values of the two messages, with the same rule.
Upload failure retry feedback unit 1103: decides the next action from the result of the upload success determination unit 1102. If the upload succeeded, the record made by the test method recording unit 1101 is sent together with the success result directly to the test result feedback module 904; otherwise the record is sent with the failure result to the test result feedback module 904 and, at the same time, to the file upload test case automatic execution module 902 with a prompt that another case or attack method must be tried.
Fig. 12 schematically shows a block diagram of the test result feedback module 904 in the detection apparatus shown in fig. 9.
As shown in fig. 12, the test result feedback module 904 may include a test result classification storage unit 1201 and a test result display unit 1202.
Test result classification storage unit 1201: stores the attack means and the test result of the vulnerability attack message sent in each test in a database, so that testers can query and reproduce the attacks.
Test result display unit 1202: provides a result display page on which the tester can view the results directly.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any of the obtaining module 710, the constructing module 720, the attacking module 730, the comparing module 740, the determining module 750, the first comparing sub-module, the second comparing sub-module, the extension replacing sub-module 721, the malicious code inserting sub-module 722, the large file generating sub-module 723, the file upload message judging module 901, the file upload test case automatic executing module 902, the file upload test result intelligent analyzing module 903, and the test result feedback module 904 may be combined into one module, or any one of them may be split into multiple modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of other modules and implemented in one module. According to the embodiment of the disclosure, at least one of the obtaining module 710, the constructing module 720, the attacking module 730, the comparing module 740, the determining module 750, the first comparing sub-module, the second comparing sub-module, the extension replacing sub-module 721, the malicious code inserting sub-module 722, the large file generating sub-module 723, the file upload message judging module 901, the file upload test case automatic executing module 902, the file upload test result intelligent analyzing module 903, and the test result feedback module 904 may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or in any other reasonable manner of integrating or packaging a circuit in hardware or firmware, or in any one of, or any suitable combination of, software, hardware and firmware.
Alternatively, at least one of the obtaining module 710, the constructing module 720, the attacking module 730, the comparing module 740, the determining module 750, the first comparing sub-module, the second comparing sub-module, the extension replacing sub-module 721, the malicious code inserting sub-module 722, the large file generating sub-module 723, the file upload message judging module 901, the file upload test case automatic executing module 902, the file upload test result intelligent analyzing module 903, and the test result feedback module 904 may be at least partially implemented as a computer program module, and when the computer program module is run, corresponding functions may be executed.
Fig. 13 schematically illustrates a block diagram of an electronic device 1300 suitable for implementing a detection method and a detection apparatus according to an embodiment of the disclosure. The electronic device 1300 shown in fig. 13 is only an example and does not limit the functionality or scope of use of the embodiments of the present disclosure.
As shown in fig. 13, an electronic device 1300 according to an embodiment of the present disclosure includes a processor 1301 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1302 or a program loaded from a storage section 1308 into a Random Access Memory (RAM) 1303. The processor 1301 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 1301 may also include onboard memory for caching purposes. Processor 1301 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 1303, various programs and data necessary for the operation of the electronic apparatus 1300 are stored. The processor 1301, the ROM 1302, and the RAM 1303 are connected to each other via a bus 1304. The processor 1301 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 1302 and/or the RAM 1303. Note that the programs may also be stored in one or more memories other than the ROM 1302 and RAM 1303. The processor 1301 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
Electronic device 1300 may also include input/output (I/O) interface 1305, which is also connected to bus 1304, according to an embodiment of the present disclosure. The electronic device 1300 may also include one or more of the following components connected to the I/O interface 1305: an input portion 1306 including a keyboard, a mouse, and the like; an output section 1307 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 1308 including a hard disk and the like; and a communication section 1309 including a network interface card such as a LAN card, a modem, or the like. The communication section 1309 performs communication processing via a network such as the internet. A drive 1310 is also connected to the I/O interface 1305 as needed. A removable medium 1311 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1310 as necessary, so that a computer program read out therefrom is mounted into the storage portion 1308 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such embodiments, the computer program may be downloaded and installed from a network via communications component 1309 and/or installed from removable media 1311. The computer program, when executed by the processor 1301, performs the functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 1302 and/or the RAM 1303 described above, and/or one or more memories other than the ROM 1302 and the RAM 1303.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method provided by the embodiments of the present disclosure. When the computer program product runs on an electronic device, the program code is configured to enable the electronic device to implement the method for detecting a file upload vulnerability provided by the embodiments of the present disclosure.
The computer program, when executed by the processor 1301, performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted in the form of a signal on a network medium, distributed, downloaded and installed via communications component 1309, and/or installed from removable media 1311. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, programming languages such as Java, C++, Python, the "C" language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (13)

1. A detection method for file upload vulnerabilities, comprising the following steps:
acquiring an access request of a website;
when the access request is a file upload request, constructing at least one vulnerability attack message based on the access request;
sending the vulnerability attack message to the website to obtain a test response message fed back by the website for the vulnerability attack message;
comparing the test response message with an original response message, wherein the original response message is a response message fed back by the website for the access request; and
when the comparison result indicates that the difference between the test response message and the original response message meets a preset condition, determining that the website has a vulnerability.
2. The method of claim 1, wherein the predetermined condition comprises:
the formats of the test response message and the original response message are consistent, and the difference degree between the test response message and the original response message is smaller than or equal to a threshold value.
3. The method of claim 2, wherein said comparing said test response message to an original response message comprises:
comparing the formats and sizes of the test response message and the original response message.
4. The method of claim 3, wherein said comparing said test response message to an original response message further comprises:
when the formats and the sizes of the test response message and the original response message are consistent, calculating the difference degree according to the format of the messages.
5. The method of claim 2, wherein said calculating the degree of difference according to the format of the message comprises:
when the format of the message is HTML, calculating the difference degree according to the edit distances of the DOM trees and CSS-DOM trees of the test response message and the original response message;
when the format of the message is XML, calculating the difference degree according to the edit distance of the DOM trees of the original response message and the test response message; or
when the format of the message is a character string or binary data, calculating the difference degree according to the SimHash values of the original response message and the test response message.
6. The method of claim 2, wherein the method further comprises:
when the comparison result indicates that at least one of the formats or the sizes of the test response message and the original response message is inconsistent, determining that no vulnerability exists in the website.
7. The method of claim 2, wherein the method further comprises:
when the difference degree is larger than the threshold value, determining that the website has no vulnerability.
8. The method according to any one of claims 1 to 7, wherein, when the access request is a file upload request, constructing at least one vulnerability attack message based on the access request comprises obtaining at least one vulnerability attack message by at least one of:
replacing the file extension in the message of the access request by using the file extension for testing;
generating a malicious code corresponding to the file extension according to the file extension in the message of the access request, and inserting the malicious code into the file information in the message of the access request; or
generating an upload file with the file extension and a file size larger than a preset value according to the file extension in the message of the access request, and replacing the file in the message of the access request with the upload file.
9. The method of claim 8, wherein prior to said replacing the file extension in the message of the access request, the method further comprises:
acquiring at least one test file extension for replacing the file extension in the message of the access request, wherein the acquiring of the test file extension comprises acquiring the test file extension in at least one of the following ways:
collecting extensions commonly used in vulnerability tests;
constructing a special extension according to a preset rule from the file extension in the message of the access request; or
combining the file extension in the message of the access request with the common test extension and/or the special extension to form a new extension.
10. The method according to claim 8, wherein the determining that the website has a vulnerability when the difference between the test response message and the original response message satisfies a predetermined condition comprises:
determining the type of the vulnerability existing in the website according to the way in which the vulnerability attack message was obtained.
11. A detection apparatus for a file upload vulnerability, comprising:
the acquisition module is used for acquiring an access request of a website;
the construction module is used for constructing at least one vulnerability attack message based on the access request when the access request is a file uploading request;
the attack module is used for sending the vulnerability attack message to the website so as to obtain a test response message fed back by the website aiming at the vulnerability attack message;
a comparison module, configured to compare the test response message with an original response message, where the original response message is a response message fed back by the website for the access request; and
a determining module, configured to determine that the website has a vulnerability when the comparison result indicates that the difference between the test response message and the original response message meets a preset condition.
12. An electronic device, comprising:
one or more memories storing executable instructions; and
one or more processors executing the executable instructions to implement the method of any one of claims 1-10.
13. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 10.
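The comparison rules of claims 2 to 7 (format and size must match, then a difference degree at or below a threshold means the site handled the test upload like the legitimate one, so a vulnerability is reported; a SimHash distance for string or binary bodies) as a worked Python example of the result-analysis step a scanner runs after the test upload is answered. This is illustration code added here, not code from the patent or from ICBC; the `Response` model, the MD5-based 64-bit SimHash, word-token and 4-byte-shingle tokenisation, the default threshold of 0.1 and the 20 % size tolerance are this example's own assumptions, and HTML/XML bodies are fingerprinted the same way rather than by the DOM-tree edit distance of claim 5.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Response:
    """Minimal model of an HTTP response message (constructed for this example)."""
    status: int
    content_type: str
    body: bytes


@dataclass
class Verdict:
    vulnerable: bool
    reason: str
    difference: Optional[float]  # normalised SimHash distance, None if never computed


def message_format(resp: Response) -> str:
    """Classify the body format the way claims 3-5 distinguish it: html, xml, string, binary."""
    ctype = resp.content_type.lower()
    if "html" in ctype:
        return "html"
    if "xml" in ctype:
        return "xml"
    if ctype.startswith("text/") or "json" in ctype:
        return "string"
    return "binary"


def _tokens(data: bytes, fmt: str) -> list:
    """Word tokens for textual bodies, fixed 4-byte shingles for binary bodies (assumption)."""
    if fmt == "binary":
        return [data[i:i + 4] for i in range(0, len(data), 4)] or [b""]
    return re.findall(rb"\w+", data) or [data]


def simhash64(data: bytes, fmt: str = "string") -> int:
    """64-bit SimHash: every token votes on each bit of its MD5-derived hash; majority wins."""
    votes = [0] * 64
    for tok in _tokens(data, fmt):
        h = int.from_bytes(hashlib.md5(tok).digest()[:8], "big")
        for i in range(64):
            votes[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i in range(64) if votes[i] > 0)


def difference_degree(a: bytes, b: bytes, fmt: str = "string") -> float:
    """Hamming distance between the two fingerprints, normalised to [0, 1]."""
    return bin(simhash64(a, fmt) ^ simhash64(b, fmt)).count("1") / 64


def analyze(original: Response, test: Response,
            threshold: float = 0.1, size_tolerance: float = 0.2) -> Verdict:
    """Apply the comparison rules of claims 2-7 to one original/test response pair.

    threshold and size_tolerance are this example's parameters: the claims name a
    threshold but do not fix it, and do not say how 'consistent size' is measured
    (here: relative length gap no larger than size_tolerance).
    """
    fmt = message_format(original)
    if fmt != message_format(test):
        return Verdict(False, "response format differs (claim 6)", None)
    longest = max(len(original.body), len(test.body), 1)
    if abs(len(original.body) - len(test.body)) / longest > size_tolerance:
        return Verdict(False, "response size differs (claim 6)", None)
    diff = difference_degree(original.body, test.body, fmt)
    if diff > threshold:
        return Verdict(False, "difference degree above threshold (claim 7)", diff)
    return Verdict(True, "test response matches original (claim 2)", diff)


if __name__ == "__main__":
    # Constructed sample responses: the site's reply to the legitimate upload,
    # an identical reply to a test upload (accepted), and an error page (rejected).
    original = Response(200, "text/plain", b"Upload successful: file stored in user gallery")
    accepted = Response(200, "text/plain", b"Upload successful: file stored in user gallery")
    rejected = Response(400, "text/html", b"<html><body>Invalid file type</body></html>")
    print(analyze(original, accepted))
    print(analyze(original, rejected))
```

The two verdicts illustrate the decision path: a test reply identical to the original passes the format and size gate and scores a difference of 0, so the upload was accepted; an HTML error page fails the format gate before any fingerprint is computed. With a handful of tokens SimHash is coarse, so the threshold should be tuned on the target's real responses rather than taken from this example.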
CN202110397528.7A 2021-04-13 2021-04-13 Detection method and detection device for file uploading vulnerability Active CN113114680B (en)

Publications (2)

Publication Number Publication Date
CN113114680A true CN113114680A (en) 2021-07-13
CN113114680B CN113114680B (en) 2023-04-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant