CN114500053B - Code injection detection method and device, electronic equipment and readable storage medium - Google Patents


Info

Publication number: CN114500053B
Authority: CN (China)
Prior art keywords: decoding, character string, keyword, character, escape
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202210099441.6A
Other languages: Chinese (zh)
Other versions: CN114500053A
Inventors: 陈勇, 马维士, 刘加瑞
Current assignee: Anhui Huayun'an Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Anhui Huayun'an Technology Co ltd
Events: application filed by Anhui Huayun'an Technology Co ltd; priority to CN202210099441.6A; publication of CN114500053A; application granted; publication of CN114500053B; legal status: active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The application provides a code injection detection method, a code injection detection device, electronic equipment and a readable storage medium. The method comprises the following steps: acquiring a character string to be detected from the HTTP traffic generated when a user side accesses a server; decoding the character string to be detected with a first decoding mode to obtain a first character string; decoding the first character string with a second decoding mode to obtain a second character string, where the first coding mode corresponding to the first decoding mode and the second coding mode corresponding to the second decoding mode are two different coding modes that bypass regular expression detection; decoding the second character string with a third decoding mode corresponding to the character string to be detected to obtain a third character string; performing PHP code semantic escape on the third character string to generate a target feature string; and, if the target feature string exists in the PHP code injection semantic feature library, determining that the access is PHP code injection. By this method, the security of data on the server is improved.

Description

Code injection detection method and device, electronic equipment and readable storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and apparatus for code injection detection, an electronic device, and a readable storage medium.
Background
PHP code injection is one kind of RCE (remote code execution) attack. It refers to the case where an application program does not filter input strictly, so that an attacker can inject code into the server through a user terminal and have it executed remotely, thereby gaining remote control of the server. Therefore, in order to prevent an attacker from injecting PHP code into a server when accessing it through a client, the server needs to perform code injection detection on the HTTP traffic generated when the client accesses the server, and determine whether code injection exists in that HTTP traffic.
In the prior art, code injection detection is generally performed in two modes, feature string detection and regular expression detection. Feature string detection refers to detecting whether a specific character string exists in the HTTP traffic, for example the functions included in a typical PHP code attack. A regular expression change refers to interference information added to a feature string that has no influence on code execution, such as adding wildcards to the feature string, changing the order of its parts, or inserting comments (annotation characters) in the middle of it. Feature strings altered by such regular expression changes can be detected through regular expression detection.
However, feature string detection and regular expression detection can only detect known PHP code injection attacks; they cannot detect the injection of deformed PHP code (which differs from a regular expression change: deformed PHP code keeps the functional effect of the code unchanged while changing the logical structure of the PHP code, and the like). Therefore, the regular expression detection mode in the prior art has the problem that deformed PHP code injection easily bypasses detection, and the security of data on the server is low.
Disclosure of Invention
In view of the above, the present application aims to provide a code injection detection method, a device, an electronic apparatus, and a readable storage medium, which are beneficial to solving the problem that the deformed PHP code injection detection is easy to bypass to a certain extent, and improving the security of data on a server.
In a first aspect, an embodiment of the present application provides a code injection detection method, including:
acquiring a specified field in HTTP traffic generated when a user terminal accesses a server, and taking the specified field as a character string to be detected;
performing first decoding on the character string to be detected by using a first decoding mode, and taking a first decoding result as a first character string; the coding mode corresponding to the first decoding mode is a first coding mode;
performing second decoding on the first character string by using a second decoding mode, and taking a second decoding result as a second character string; wherein the encoding mode corresponding to the second decoding mode is a second encoding mode; the first coding mode and the second coding mode are two different coding modes bypassing regular expression detection;
performing third decoding on the second character string by using a third decoding mode corresponding to the character string to be detected to obtain a third character string;
performing PHP code semantic escape on each keyword in the third character string to generate a target feature string corresponding to the third character string;
inquiring in a PHP code injection semantic feature library, and if the target feature string exists in the PHP code injection semantic feature library, determining that the access is PHP code injection.
With reference to the first aspect, an embodiment of the present application provides a first possible implementation manner of the first aspect, where before the acquiring a specified field in HTTP traffic generated when a user side accesses a server, to use the specified field as a to-be-detected string, the method further includes:
acquiring the HTTP traffic generated when the user side accesses the server; the HTTP traffic includes access traffic and response traffic;
analyzing the HTTP traffic by using an HTTP protocol to obtain a target field; the target field contains a plurality of the specified fields.
With reference to the first aspect, the embodiment of the present application provides a second possible implementation manner of the first aspect, where the first coding mode is base64 coding, the first decoding mode is base64 decoding, the second coding mode is hexadecimal (16-ary) coding, and the second decoding mode is hexadecimal decoding;
alternatively, the first coding mode is hexadecimal coding, the first decoding mode is hexadecimal decoding, the second coding mode is base64 coding, and the second decoding mode is base64 decoding.
With reference to the first aspect, an embodiment of the present application provides a third possible implementation manner of the first aspect, where the performing, using a first decoding manner, a first decoding on the to-be-detected string, and taking a first decoding result as a first string includes:
performing first decoding on the character string to be detected by using a first decoding mode, and judging whether the first decoding is successful;
if the first decoding is successful, a first decoding result obtained after the first decoding is used as the first character string;
and if the first decoding fails, taking the character string to be detected as the first character string.
With reference to the first aspect, an embodiment of the present application provides a fourth possible implementation manner of the first aspect, where the performing, by using a second decoding manner, a second decoding on the first string, and taking a second decoding result as a second string includes:
performing second decoding on the first character string by using a second decoding mode, and judging whether the second decoding is successful;
if the second decoding is successful, a second decoding result obtained after the second decoding is used as the second character string;
and if the second decoding fails, the first character string is used as the second character string.
With reference to the first aspect, an embodiment of the present application provides a fifth possible implementation manner of the first aspect, where the performing PHP code semantic escape on each keyword in the to-be-detected character string to generate a target feature string corresponding to the to-be-detected character string includes:
identifying a target space in the character string to be detected; the target space comprises a single space or a plurality of continuous spaces;
according to the target space in the character string to be detected, word segmentation processing is carried out on the character string to be detected, and a keyword set corresponding to the character string to be detected is obtained;
performing PHP code semantic escape on each keyword in the keyword set to generate a character corresponding to the keyword;
and splicing the characters according to the arrangement sequence of the keywords in the character string to be detected, so as to generate the target characteristic string.
With reference to the fifth possible implementation manner of the first aspect, an embodiment of the present application provides a sixth possible implementation manner of the first aspect, wherein the keyword set includes one or more of: annotation (comment) characters, PHP script keywords, PHP code function keywords, special command keywords executed in PHP code functions, and special character keywords;
performing PHP code semantic escape on each keyword in the keyword set to generate a character corresponding to the keyword includes:
deleting the annotation character when the keyword is the annotation character;
when the keyword is the PHP script keyword, performing PHP code semantic escape on the PHP script keyword by using a dictionary or an escape relation to obtain a first character;
when the keyword is the PHP code function keyword, performing PHP code semantic escape on the PHP code function keyword by using the dictionary or the escape relation to obtain a second character;
when the keyword is a special command keyword executed in the PHP code function, performing the PHP code semantic escape on the special command keyword executed in the PHP code function by utilizing the dictionary or the escape relation to obtain a third character;
and when the keyword is the special character keyword, performing PHP code semantic escape on the special character keyword by utilizing the dictionary or the escape relation to obtain a fourth character.
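The semantic escape of the fifth and sixth implementation manners, as a worked example added here (it is not code from the patent or its assignee): the third character string is segmented on target spaces (a single space or a run of spaces), whole-token comments are deleted, every keyword is mapped through a dictionary to one character, and the characters are spliced in their original order into the target feature string that is then looked up in the feature library. The dictionary entries, the escape characters, the feature library contents, the scanning for keywords inside a token (so that special characters such as `(` and `$_GET` are found), and the choice to skip characters matching no keyword are all assumptions made for this example, not specifics given by the page.

```python
import re

# Constructed escape dictionary: each PHP keyword maps to one character. The four keyword
# categories are the ones named on the page; the entries and the characters are assumptions.
ESCAPE_DICT = {
    # PHP script keywords
    "<?php": "S", "?>": "E", "eval": "V", "assert": "V", "echo": "O",
    # PHP code function keywords
    "system": "X", "exec": "X", "shell_exec": "X", "passthru": "X", "popen": "X",
    "file_get_contents": "R", "base64_decode": "D",
    # special command keywords executed inside those functions
    "whoami": "W", "cat": "C", "ls": "L", "id": "I", "uname": "U",
    # special character keywords
    "$_GET": "G", "$_POST": "P", "$_REQUEST": "Q", "(": "(", ")": ")", ";": ";",
    "'": "q", '"': "q",
}
# Longest keywords first, so that "shell_exec" is matched before "exec".
_KEYWORDS = sorted(ESCAPE_DICT, key=len, reverse=True)
# Annotation (comment) characters: a token that is a whole comment is deleted.
_COMMENT_RE = re.compile(r"^(//.*|#.*|/\*.*?\*/)$", re.DOTALL)
# A target space is a single space or several consecutive spaces.
_TARGET_SPACE_RE = re.compile(r" +")


def segment(third_string: str) -> list:
    """Word segmentation on target spaces; empty tokens are dropped."""
    return [t for t in _TARGET_SPACE_RE.split(third_string) if t]


def escape_token(token: str) -> str:
    """Map one token to its escape characters by scanning it for dictionary keywords.
    Characters that belong to no keyword are skipped (assumption; the page does not define them)."""
    if _COMMENT_RE.match(token):
        return ""  # annotation character: delete
    out, i = [], 0
    while i < len(token):
        for kw in _KEYWORDS:
            if token.startswith(kw, i):
                out.append(ESCAPE_DICT[kw])
                i += len(kw)
                break
        else:
            i += 1
    return "".join(out)


def semantic_escape(third_string: str) -> str:
    """Splice the per-keyword characters in the order the keywords appear: the target feature string."""
    return "".join(escape_token(t) for t in segment(third_string))


# Constructed PHP code injection semantic feature library: feature strings of a few known shapes.
FEATURE_LIBRARY = {
    semantic_escape("<?php system($_GET['cmd']); ?>"),
    semantic_escape("<?php eval($_POST['x']); ?>"),
    semantic_escape("<?php echo shell_exec('whoami'); ?>"),
}


def is_php_code_injection(third_string: str) -> bool:
    """Query the feature library; a hit means the access is classified as PHP code injection."""
    return semantic_escape(third_string) in FEATURE_LIBRARY


if __name__ == "__main__":
    for s in ("<?php system($_GET['cmd']); ?>",
              "<?php /*note*/ system(   $_GET['cmd']   )  ;   ?>",
              "<?php echo 'hello'; ?>"):
        print(repr(s), "->", semantic_escape(s), is_php_code_injection(s))
```

The second sample differs from the first only by extra spaces and an inserted comment, and both collapse to the same feature string, which is the point of the escape step. Because segmentation happens before comment deletion, a comment containing spaces is split into several tokens and is not recognised as a comment; any keyword inside it would then contribute a character, so in practice the comment pattern should be applied before splitting if comments with spaces are expected.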
In a second aspect, an embodiment of the present application further provides a code injection detection apparatus, including:
the first acquisition module is used for acquiring a specified field in HTTP traffic generated when the user side accesses the server, and taking the specified field as a character string to be detected;
the first decoding module is used for carrying out first decoding on the character string to be detected by using a first decoding mode, and taking a first decoding result as a first character string; the coding mode corresponding to the first decoding mode is a first coding mode;
the second decoding module is used for performing second decoding on the first character string by using a second decoding mode, and taking a second decoding result as a second character string; wherein the encoding mode corresponding to the second decoding mode is a second encoding mode; the first coding mode and the second coding mode are two different coding modes bypassing regular expression detection;
the third decoding module is used for performing third decoding on the second character string by using a third decoding mode corresponding to the character string to be detected to obtain a third character string;
the escape module is used for performing PHP code semantic escape on each keyword in the third character string and generating a target feature string corresponding to the third character string;
and the query module is used for querying in the PHP code injection semantic feature library, and determining that the access is PHP code injection if the target feature string exists in the PHP code injection semantic feature library.
With reference to the second aspect, an embodiment of the present application provides a first possible implementation manner of the second aspect, where the apparatus further includes:
a second acquisition module, used for acquiring the HTTP traffic generated when the user side accesses the server before the first acquisition module acquires the specified field in that HTTP traffic and takes it as the character string to be detected; the HTTP traffic includes access traffic and response traffic;
an analysis module, used for parsing the HTTP traffic according to the HTTP protocol to obtain a target field; the target field contains a plurality of the specified fields.
With reference to the second aspect, an embodiment of the present application provides a second possible implementation manner of the second aspect, where the first coding mode is base64 coding, the first decoding mode is base64 decoding, the second coding mode is hexadecimal (16-ary) coding, and the second decoding mode is hexadecimal decoding;
alternatively, the first coding mode is hexadecimal coding, the first decoding mode is hexadecimal decoding, the second coding mode is base64 coding, and the second decoding mode is base64 decoding.
With reference to the second aspect, an embodiment of the present application provides a third possible implementation manner of the second aspect, where the first decoding module is configured to perform first decoding on the to-be-detected string by using a first decoding manner, and use a first decoding result as a first string, where the first decoding module is specifically configured to:
performing first decoding on the character string to be detected by using a first decoding mode, and judging whether the first decoding is successful;
if the first decoding is successful, a first decoding result obtained after the first decoding is used as the first character string;
and if the first decoding fails, taking the character string to be detected as the first character string.
With reference to the second aspect, an embodiment of the present application provides a fourth possible implementation manner of the second aspect, where the second decoding module is configured to perform a second decoding on the first string by using a second decoding manner, and use a second decoding result as a second string, where the second decoding module is specifically configured to:
performing second decoding on the first character string by using a second decoding mode, and judging whether the second decoding is successful;
if the second decoding is successful, a second decoding result obtained after the second decoding is used as the second character string;
and if the second decoding fails, the first character string is used as the second character string.
With reference to the second aspect, an embodiment of the present application provides a fifth possible implementation manner of the second aspect, where the escape module is configured to perform PHP code semantic escape on each keyword in the third string, and generate a target feature string corresponding to the third string, where the escape module is specifically configured to:
identifying a target space in the character string to be detected; the target space comprises a single space or a plurality of continuous spaces;
according to the target space in the character string to be detected, word segmentation processing is carried out on the character string to be detected, and a keyword set corresponding to the character string to be detected is obtained;
performing PHP code semantic escape on each keyword in the keyword set to generate a character corresponding to the keyword;
and splicing the characters according to the arrangement sequence of the keywords in the character string to be detected, so as to generate the target characteristic string.
With reference to the fifth possible implementation manner of the second aspect, an embodiment of the present application provides a sixth possible implementation manner of the second aspect, wherein the keyword set includes one or more of: annotation (comment) characters, PHP script keywords, PHP code function keywords, special command keywords executed in PHP code functions, and special character keywords;
the escape module is configured to, when performing PHP code semantic escape on each keyword in the keyword set to generate a character corresponding to the keyword, specifically:
deleting the annotation character when the keyword is the annotation character;
when the keyword is the PHP script keyword, performing PHP code semantic escape on the PHP script keyword by using a dictionary or an escape relation to obtain a first character;
when the keyword is the PHP code function keyword, performing PHP code semantic escape on the PHP code function keyword by using the dictionary or the escape relation to obtain a second character;
when the keyword is a special command keyword executed in the PHP code function, performing the PHP code semantic escape on the special command keyword executed in the PHP code function by utilizing the dictionary or the escape relation to obtain a third character;
and when the keyword is the special character keyword, performing PHP code semantic escape on the special character keyword by utilizing the dictionary or the escape relation to obtain a fourth character.
In a third aspect, an embodiment of the present application further provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory in communication via the bus when the electronic device is running, the machine-readable instructions when executed by the processor performing the steps of any one of the possible implementations of the first aspect.
In a fourth aspect, embodiments of the present application also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of any of the possible implementations of the first aspect described above.
In the code injection detection method, device, electronic equipment and readable storage medium provided by the embodiments of the application, if the character string to be detected has been encoded by the first encoding mode or the second encoding mode, it is a deformed character string, and neither regular expression detection nor feature string detection can determine whether PHP code injection exists in it. Therefore, in the application, after the character string to be detected is obtained, it is first decoded by the first decoding mode and the second decoding mode; if it has been encoded by the first or the second encoding mode, this decoding restores the second character string, that is, the character string as it was before deformation. The second character string is then subjected to third decoding, PHP code semantic escape, and PHP code injection semantic feature library query. By sequentially performing the first decoding and the second decoding on the character string to be detected, the method and device solve to a certain extent the problem that a character string deformed by the first or the second coding mode cannot be detected, that is, the problem that deformed PHP code injection easily bypasses detection, and improve the security of data on the server.
In order to make the above objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a code injection detection method according to an embodiment of the present application;
Fig. 2 is a flowchart of another code injection detection method according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a code injection detection device according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. The components of the embodiments of the present application generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the application, as presented in the figures, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by a person skilled in the art without making any inventive effort, are intended to be within the scope of the present application.
Considering that the regular expression detection mode in the prior art is easily bypassed by deformed PHP code injection, so that data security on the server is low, the embodiment of the application provides a code injection detection method, a device, electronic equipment and a readable storage medium, which help to solve the problem that deformed PHP code injection easily bypasses detection to a certain extent, and thereby help to ensure the security of data on the server to a certain extent.
Embodiment one:
for the sake of understanding the present embodiment, a method for detecting code injection disclosed in the present embodiment will be described in detail. The method is applied to the server. Fig. 1 shows a flowchart of a code injection detection method according to an embodiment of the present application, as shown in fig. 1, including the following steps:
s101: and acquiring the appointed field in the HTTP traffic generated when the user side accesses the server, and taking the appointed field as the character string to be detected.
S102: performing first decoding on the character string to be detected by using a first decoding mode, and taking a first decoding result as a first character string; the encoding mode corresponding to the first decoding mode is the first encoding mode.
S103: performing second decoding on the first character string by using a second decoding mode, and taking a second decoding result as a second character string; wherein the encoding mode corresponding to the second decoding mode is a second encoding mode; the first encoding scheme and the second encoding scheme are two different encoding schemes that bypass regular expression detection.
S104: and performing third decoding on the second character string by using a third decoding mode corresponding to the character string to be detected to obtain a third character string.
S105: and performing PHP code semantic escape on each keyword in the third character string to generate a target feature string corresponding to the third character string.
S106: inquiring in the PHP code injection semantic feature library, and if the PHP code injection semantic feature library has the target feature string, determining that the access is PHP code injection.
When executing step S101, note that PHP (PHP: Hypertext Preprocessor) code injection is one kind of RCE (remote code execution) attack: the application program on the server does not filter input strictly, so an attacker can inject PHP code into the server through a user side and have it executed remotely, thereby gaining remote control of the server.
In the embodiment of the application, when the specified fields in the HTTP traffic generated when the client accesses the server are acquired, one specified field can be acquired at a time, and a plurality of specified fields can also be acquired at a time. When one appointed field is acquired at a time, the number of character strings to be detected is 1; when a plurality of specified fields are acquired at a time, the number of character strings to be detected is plural, wherein each character string to be detected needs to be detected independently.
The detection process of the application can be parallel detection or serial detection. Wherein, parallel detection refers to detecting a plurality of character strings to be detected at the same time; serial detection refers to detecting a character string to be detected, and then detecting a next character string to be detected.
In a possible implementation manner, before executing step S101 to obtain the specified field in the HTTP traffic generated when the client accesses the server, so as to use the specified field as the character string to be detected, the method may specifically be executed according to steps S1011-S1012:
s1011: acquiring the flow generated when a user accesses a server; HTTP traffic includes access traffic and response traffic.
The access flow refers to the flow generated when the user side accesses the server, and the response flow refers to the flow generated when the server responds to the access of the user side.
S1012: resolving the HTTP traffic by using the HTTP protocol to obtain a target field; the target field contains a plurality of specified fields.
In embodiments of the present application, the specified field may be any one or more of the following: url (Uniform Resource Locator ) field, user-agent header field, reference header field, cookie header field, post-body field. The target field includes any one or more of the following: url field, user-agent header field, reference header field, cookie header field, post-body field. The designated field is a part of the fields in the target field.
For example, if the target field includes a url field, a user-agent header field, and a reference header field, the three specified fields are the url field, the user-agent header field, and the reference header field, respectively.
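Steps S1011 and S1012 (and the matching first implementation manner of the first aspect), as a worked example added here rather than code from the patent or its assignee: one raw HTTP request is parsed into the target field, whose entries are the url, user-agent, referer, cookie and post-body fields, and the specified fields are then selected from it so that each becomes an independent character string to be detected. Only access traffic is handled; the sample request, the field names, the case-insensitive header handling and the Content-Length guard are assumptions made for this example.

```python
# Constructed sample of access traffic: one raw HTTP/1.1 request as captured on the wire.
SAMPLE_REQUEST = (
    b"POST /index.php?page=home HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    b"Referer: http://example.test/start\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"q=search+term"
)

# The target field of the page: every entry here may be chosen as a specified field.
TARGET_FIELD_NAMES = ("url", "user-agent", "referer", "cookie", "post-body")


def parse_http_request(raw: bytes) -> dict:
    """Parse one request according to the HTTP protocol into the target field.
    Fields that are absent from the request are omitted, so a detector never sees an empty string
    for a header the client did not send."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    method = request_line[0].upper()
    target = request_line[1] if len(request_line) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so they are normalised to lower case
            headers[name.strip().lower()] = value.strip()
    target_field = {"url": target}
    for name in ("user-agent", "referer", "cookie"):
        if name in headers:
            target_field[name] = headers[name]
    # Trust Content-Length only when it is a plain number; otherwise take what was captured.
    declared = headers.get("content-length", "")
    length = int(declared) if declared.isdigit() else len(body)
    if method == "POST" and body:
        target_field["post-body"] = body[:length].decode("latin-1")
    return target_field


def strings_to_detect(target_field: dict, specified=TARGET_FIELD_NAMES) -> list:
    """Pick the specified fields out of the target field; each one is detected independently."""
    return [(name, target_field[name]) for name in specified if name in target_field]


if __name__ == "__main__":
    for name, value in strings_to_detect(parse_http_request(SAMPLE_REQUEST)):
        print(f"{name}: {value!r}")
```

The list returned by `strings_to_detect` is the work queue for the rest of the method: each pair is decoded and escaped on its own, in parallel or one after the other as the page allows, and the field name is kept so that the third decoding mode can be chosen per field.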
When step S102 is executed, the first encoding mode is an encoding mode that bypasses regular expression detection; specifically, if the character string to be detected was encoded with the first encoding mode, then the character string to be detected is a deformed character string.
In one possible implementation, step S102 (performing first decoding on the character string to be detected using the first decoding mode and taking the first decoding result as the first character string) may specifically be executed according to steps S1021-S1023:
S1021: perform first decoding on the character string to be detected using the first decoding mode, and judge whether the first decoding succeeded.
In the present application, whether the character string to be detected was encoded (i.e. deformed) with the first encoding mode is determined by judging whether the first decoding succeeds. Specifically, a successful first decoding indicates that the character string to be detected was encoded with the first encoding mode; a failed first decoding indicates that it was not encoded with the first encoding mode.
S1022: if the first decoding succeeds, take the first decoding result obtained from the first decoding as the first character string.
If the character string to be detected was encoded with the first encoding mode, first decoding it with the first decoding mode restores the deformed character string to the first character string as it was before deformation.
S1023: if the first decoding fails, take the character string to be detected itself as the first character string.
If the character string to be detected was not encoded with the first encoding mode, first decoding it with the first decoding mode fails, and the character string to be detected is used as the first character string.
When step S103 is executed, the second encoding mode is another encoding mode that bypasses regular expression detection; specifically, if the character string to be detected was encoded with the second encoding mode, it is likewise a deformed character string.
In one possible implementation, step S103 (performing second decoding on the first character string using the second decoding mode and taking the second decoding result as the second character string) may specifically be executed according to steps S1031-S1033:
S1031: perform second decoding on the first character string using the second decoding mode, and judge whether the second decoding succeeded.
In the present application, whether the character string to be detected was encoded with the second encoding mode is determined by judging whether the second decoding succeeds. If the second decoding succeeds, the character string to be detected was encoded with the second encoding mode; if the second decoding fails, it was not encoded with the second encoding mode.
S1032: if the second decoding succeeds, take the second decoding result obtained from the second decoding as the second character string.
If the character string to be detected was encoded with the second encoding mode, second decoding the first character string with the second decoding mode restores the deformed character string to the second character string as it was before deformation. In the present application, the second character string is the character string as the user terminal originally input it to the server.
S1033: if the second decoding fails, take the first character string as the second character string.
If the character string to be detected was not encoded with the second encoding mode, second decoding the first character string with the second decoding mode fails, and the first character string is used as the second character string.
When step S104 is executed, each character string to be detected corresponds to its own third decoding mode; the third decoding mode corresponding to the character string to be detected is used to perform third decoding on the second character string, and the third decoding result is taken as the third character string.
When the character string to be detected is the url field, the third decoding mode is url field decoding; when it is the user-agent header field, the third decoding mode is user-agent header field decoding; when it is the reference header field, the third decoding mode is reference header field decoding; when it is the cookie header field, the third decoding mode is cookie header field decoding; when it is the post-body field, the third decoding mode is post-body field decoding.
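The decoding chain of steps S102 to S104, as an added Python example that is not code from the patent. It uses one of the two assignments the embodiment gives below (base64 as the first decoding, hexadecimal as the second) and operationalises "decoding succeeds" (S1021, S1031) as: the whole input lies in the expected alphabet and the decoded bytes are valid UTF-8; otherwise the previous string is passed through unchanged (S1023, S1033). The third decoding is assumed to be percent-decoding, with `+` read as a space for the url and post-body fields; the sample values and all function names are the example's own.

```python
import base64
import binascii
import re
from urllib.parse import unquote, unquote_plus

# Strict alphabets: a "successful" decode requires the whole string to be in
# the alphabet AND the decoded bytes to be valid UTF-8 text.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def try_base64(s: str):
    """First decoding (base64). Returns the decoded text, or None on failure."""
    if len(s) % 4 != 0 or not _B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def try_hex(s: str):
    """Second decoding (hexadecimal). Returns the decoded text, or None on failure."""
    if not _HEX_RE.match(s):
        return None
    try:
        return bytes.fromhex(s).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def third_decode(s: str, field: str) -> str:
    """Third decoding, chosen per field (S104). Assumption for this example:
    percent-decoding, with '+' meaning space in the url and post-body fields."""
    if field in ("url", "post-body"):
        return unquote_plus(s)
    return unquote(s)  # user-agent, reference and cookie header fields


def decode_chain(to_detect: str, field: str):
    """Steps S102-S104: returns the (first, second, third) character strings."""
    first = try_base64(to_detect)
    if first is None:            # S1023: first decoding failed, pass through
        first = to_detect
    second = try_hex(first)
    if second is None:           # S1033: second decoding failed, pass through
        second = first
    third = third_decode(second, field)
    return first, second, third


if __name__ == "__main__":
    # Constructed sample values: base64(hex("phpinfo()")), hex("phpinfo()"),
    # base64("phpinfo()") and a percent-encoded url field.
    for sample in ("NzA2ODcwNjk2ZTY2NmYyODI5", "706870696e666f2829",
                   "cGhwaW5mbygp", "%3C%3Fphp+phpinfo%28%29%3B+%3F%3E"):
        print(sample, "->", decode_chain(sample, "url"))
```

The success test is the part a deployment has to get right: a lax base64 or hex decoder "succeeds" on many ordinary values, and even the strict version above is ambiguous for inputs such as `2020`, which hex-decodes to two spaces. A detector should therefore keep the undecoded string alongside the decoded one rather than replacing it.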
When step S105 is executed (performing PHP code semantic escape on each keyword in the third character string and generating the target feature string corresponding to the third character string), fig. 2 shows a flowchart of another code injection detection method provided by the embodiment of the present application. As shown in fig. 2, step S105 may specifically be executed according to steps S1051-S1054:
S1051: identify the target spaces in the character string to be detected; a target space is a single space or a run of consecutive spaces.
In the embodiment of the present application, a single space may be treated as one target space, or a run of consecutive spaces may be treated as one target space.
S1052: perform word segmentation on the character string to be detected at its target spaces, obtaining the keyword set corresponding to the character string to be detected.
The keyword set comprises at least one keyword.
S1053: perform PHP code semantic escape on each keyword in the keyword set to generate the character corresponding to that keyword.
S1054: splice the characters in the order in which the keywords appear in the character string to be detected, generating the target feature string.
In one possible implementation, the keyword set includes one or more of the following: annotation characters, PHP script keywords, PHP code function keywords, special command keywords executed in PHP code functions, and special character keywords. When step S1053 is executed, the PHP code semantic escape of each keyword in the keyword set to generate its corresponding character may specifically be performed according to steps S10531-S10535:
S10531: when the keyword is an annotation character, delete the annotation character.
S10532: when the keyword is a PHP script keyword, perform PHP code semantic escape on the PHP script keyword using a dictionary or an escape relation, obtaining a first character.
Each PHP script keyword is converted to a specific first character using the dictionary or escape relation.
S10533: when the keyword is a PHP code function keyword, perform PHP code semantic escape on the PHP code function keyword using the dictionary or escape relation, obtaining a second character.
So that PHP script keywords and PHP code function keywords can be told apart, the two kinds of keyword are converted into different characters.
S10534: when the keyword is a special command keyword executed in a PHP code function, perform PHP code semantic escape on that special command keyword using the dictionary or escape relation, obtaining a third character.
S10535: when the keyword is a special character keyword, perform PHP code semantic escape on the special character keyword using the dictionary or escape relation, obtaining a fourth character.
In step S106, a single access by the user side to the server may generate a plurality of character strings to be detected.
In one possible embodiment, if the current access is detected as PHP code injection, the server intercepts the current access, preventing an attacker from remotely controlling the server.
In one possible implementation, the first encoding mode is base64 encoding, the first decoding mode is base64 decoding, the second encoding mode is hexadecimal (base-16) encoding and the second decoding mode is hexadecimal decoding;
alternatively, the first encoding mode is hexadecimal encoding, the first decoding mode is hexadecimal decoding, the second encoding mode is base64 encoding and the second decoding mode is base64 decoding.
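The semantic escape of steps S1051 to S1054 (with the keyword classes of S10531 to S10535) and the feature-library lookup of step S106, as an added Python example that is not the patent's code. The escape dictionary, the escape characters S/F/C/P, the comment markers and the feature library are all constructed for the example; the page does not publish them. The example goes beyond the page in one respect: after splitting at runs of spaces it also separates punctuation attached to a word, so that `phpinfo();` yields the function keyword `phpinfo` and the special-character run `();` (how attached punctuation is handled is not specified on the page); tokens outside every class map to a placeholder `X`.

```python
import re

# Constructed escape dictionary (assumption): class -> escape character.
SCRIPT_KEYWORDS = {"<?php", "?>", "echo", "eval"}                        # S10532 -> 'S'
FUNCTION_KEYWORDS = {"phpinfo", "system", "exec", "passthru", "shell_exec"}  # S10533 -> 'F'
COMMAND_KEYWORDS = {"id", "whoami", "ls", "cat"}                         # S10534 -> 'C'
SPECIAL_CHARS = set("();'\"`$,=<>?")                                     # S10535 -> 'P'
COMMENT_MARKERS = {"//", "#", "/*", "*/"}                                # S10531 -> deleted

# Constructed PHP code injection semantic feature library (assumption).
FEATURE_LIBRARY = {"SFPS", "SSFPCPS"}

# Splits one space-delimited word into keywords: the PHP open/close tags,
# identifiers, runs of punctuation, and single '<', '>', '?' characters.
_TOKEN_RE = re.compile(r"<\?php|\?>|[A-Za-z_][A-Za-z0-9_]*|[^A-Za-z0-9_\s<>?]+|[<>?]",
                       re.IGNORECASE)


def segment(third_string: str):
    """S1051/S1052: word segmentation at target spaces (one space or a run of
    spaces), plus the example's own split of punctuation attached to a word."""
    keywords = []
    for word in re.split(r" +", third_string.strip()):
        keywords.extend(_TOKEN_RE.findall(word))
    return keywords


def escape_keyword(keyword: str) -> str:
    """S10531-S10535: map one keyword to its escape character ('' = deleted)."""
    kw = keyword.lower()
    if kw in COMMENT_MARKERS:
        return ""
    if kw in SCRIPT_KEYWORDS:
        return "S"
    if kw in FUNCTION_KEYWORDS:
        return "F"
    if kw in COMMAND_KEYWORDS:
        return "C"
    if kw and all(c in SPECIAL_CHARS for c in kw):
        return "P"
    return "X"  # not in any class (example's own placeholder)


def feature_string(third_string: str) -> str:
    """S1053/S1054: escape every keyword and splice in original order."""
    return "".join(escape_keyword(k) for k in segment(third_string))


def is_php_injection(third_string: str) -> bool:
    """S106: the access is PHP code injection if the feature string is in the library."""
    return feature_string(third_string) in FEATURE_LIBRARY


if __name__ == "__main__":
    # Constructed samples; the second inserts a comment to evade a plain regex.
    for sample in ("<?php phpinfo(); ?>", "<?php /* */ phpinfo(); ?>", "hello world"):
        print(repr(sample), "->", feature_string(sample), is_php_injection(sample))
```

Deleting comment keywords before the lookup is what makes the feature string stable: `<?php /* */ phpinfo(); ?>` and `<?php phpinfo(); ?>` both collapse to `SFPS`, so a library entry matches whatever filler the sender inserts between keywords. A production dictionary must cover many more function names and the case and spacing variants PHP accepts; the placeholder `X` keeps unknown tokens visible so that near-miss feature strings can be reviewed when tuning the library.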
Embodiment II:
Based on the same technical concept, the embodiment of the present application further provides a code injection detection device; fig. 3 shows a schematic structural diagram of the code injection detection device provided by the embodiment of the present application. As shown in fig. 3, the device includes:
a first obtaining module 301, configured to obtain a specified field in the HTTP traffic generated when the client accesses the server, so as to use the specified field as the character string to be detected;
a first decoding module 302, configured to perform first decoding on the character string to be detected using a first decoding mode, and take the first decoding result as the first character string; the encoding mode corresponding to the first decoding mode is the first encoding mode;
a second decoding module 303, configured to perform second decoding on the first character string using a second decoding mode, and take the second decoding result as the second character string; the encoding mode corresponding to the second decoding mode is the second encoding mode, and the first encoding mode and the second encoding mode are two different encoding modes that bypass regular expression detection;
a third decoding module 304, configured to perform third decoding on the second character string using the third decoding mode corresponding to the character string to be detected, obtaining the third character string;
an escape module 305, configured to perform PHP code semantic escape on each keyword in the third character string and generate the target feature string corresponding to the third character string;
and a query module 306, configured to query a PHP code injection semantic feature library and, if the target feature string exists in the PHP code injection semantic feature library, determine that the current access is PHP code injection.
Optionally, the device further comprises:
a second acquisition module, used to acquire the HTTP traffic generated when the user side accesses the server, before the first obtaining module obtains the specified field in that HTTP traffic for use as the character string to be detected; the HTTP traffic includes access traffic and response traffic;
and a parsing module, used to parse the HTTP traffic according to the HTTP protocol to obtain the target field; the target field contains a plurality of the specified fields.
Optionally, the first encoding mode is base64 encoding, the first decoding mode is base64 decoding, the second encoding mode is hexadecimal encoding and the second decoding mode is hexadecimal decoding;
alternatively, the first encoding mode is hexadecimal encoding, the first decoding mode is hexadecimal decoding, the second encoding mode is base64 encoding and the second decoding mode is base64 decoding.
Optionally, the first decoding module 302, when performing first decoding on the character string to be detected using the first decoding mode and taking the first decoding result as the first character string, is specifically configured to:
perform first decoding on the character string to be detected using the first decoding mode, and judge whether the first decoding succeeded;
if the first decoding succeeds, take the first decoding result obtained from the first decoding as the first character string;
and if the first decoding fails, take the character string to be detected as the first character string.
Optionally, the second decoding module 303, when performing second decoding on the first character string using the second decoding mode and taking the second decoding result as the second character string, is specifically configured to:
perform second decoding on the first character string using the second decoding mode, and judge whether the second decoding succeeded;
if the second decoding succeeds, take the second decoding result obtained from the second decoding as the second character string;
and if the second decoding fails, take the first character string as the second character string.
Optionally, the escape module 305, when performing PHP code semantic escape on each keyword in the third character string to generate the target feature string corresponding to the third character string, is specifically configured to:
identify the target spaces in the character string to be detected; a target space is a single space or a run of consecutive spaces;
perform word segmentation on the character string to be detected at its target spaces, obtaining the keyword set corresponding to the character string to be detected;
perform PHP code semantic escape on each keyword in the keyword set to generate the character corresponding to that keyword;
and splice the characters in the order in which the keywords appear in the character string to be detected, generating the target feature string.
Optionally, the keyword set includes one or more of the following: annotation characters, PHP script keywords, PHP code function keywords, special command keywords executed in PHP code functions, and special character keywords; the escape module 305, when performing PHP code semantic escape on each keyword in the keyword set to generate the character corresponding to the keyword, is specifically configured to:
delete the annotation character when the keyword is an annotation character;
when the keyword is a PHP script keyword, perform PHP code semantic escape on the PHP script keyword using a dictionary or an escape relation, obtaining a first character;
when the keyword is a PHP code function keyword, perform PHP code semantic escape on the PHP code function keyword using the dictionary or escape relation, obtaining a second character;
when the keyword is a special command keyword executed in a PHP code function, perform PHP code semantic escape on that special command keyword using the dictionary or escape relation, obtaining a third character;
and when the keyword is a special character keyword, perform PHP code semantic escape on the special character keyword using the dictionary or escape relation, obtaining a fourth character.
Reference is made to the description of the first embodiment for specific implementation of method steps and principles, and detailed descriptions thereof are omitted.
Embodiment III:
Based on the same technical concept, the embodiment of the present application further provides an electronic device; fig. 4 shows a schematic structural diagram of the electronic device provided by the embodiment of the present application. As shown in fig. 4, the electronic device 400 includes a processor 401, a memory 402 and a bus 403. The memory stores machine-readable instructions executable by the processor; when the electronic device is operating, the processor 401 communicates with the memory 402 via the bus 403 and executes the machine-readable instructions to perform the method steps of the first embodiment.
Reference is made to the description of the first embodiment for specific implementation of method steps and principles, and detailed descriptions thereof are omitted.
Embodiment IV:
Based on the same technical concept, the fourth embodiment of the present application further provides a computer-readable storage medium on which a computer program is stored; when the computer program is executed by a processor, it performs the method steps of the first embodiment.
Reference is made to the description of the first embodiment for specific implementation of method steps and principles, and detailed descriptions thereof are omitted.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. The above-described apparatus embodiments are merely illustrative, for example, the division of units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer readable storage medium executable by a processor. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Finally, it should be noted that: the above examples are only specific embodiments of the present application for illustrating the technical solution of the present application, but not for limiting the scope of the present application, and although the present application has been described in detail with reference to the foregoing examples, it will be understood by those skilled in the art that the present application is not limited thereto: any person skilled in the art may modify or easily conceive of the technical solution described in the foregoing embodiments, or perform equivalent substitution of some of the technical features, while remaining within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application. Therefore, the protection scope of the application is subject to the protection scope of the claims.

Claims (8)

1. A code injection detection method, comprising:
acquiring a specified field in HTTP traffic generated when a user terminal accesses a server, and taking the specified field as a character string to be detected;
performing first decoding on the character string to be detected by using a first decoding mode, and taking a first decoding result as a first character string; the coding mode corresponding to the first decoding mode is a first coding mode;
performing second decoding on the first character string by using a second decoding mode, and taking a second decoding result as a second character string; wherein the encoding mode corresponding to the second decoding mode is a second encoding mode; the first coding mode and the second coding mode are two different coding modes bypassing regular expression detection;
performing third decoding on the second character string by using a third decoding mode corresponding to the character string to be detected to obtain a third character string;
performing PHP code semantic escape on each keyword in the third character string to generate a target feature string corresponding to the third character string;
inquiring in a PHP code injection semantic feature library, and if the target feature string exists in the PHP code injection semantic feature library, determining that the access is PHP code injection;
Performing PHP code semantic escape on each keyword in the third character string to generate a target feature string corresponding to the third character string, including:
identifying a target space in the character string to be detected; the target space comprises a single space or a plurality of continuous spaces;
according to the target space in the character string to be detected, word segmentation processing is carried out on the character string to be detected, and a keyword set corresponding to the character string to be detected is obtained;
performing PHP code semantic escape on each keyword in the keyword set to generate a character corresponding to the keyword;
splicing the characters according to the arrangement sequence of the keywords in the character string to be detected to generate the target characteristic string;
the keyword set comprises one or more of the following: annotation characters, PHP script keywords, PHP code function keywords, special command keywords executed in PHP code functions, and special character keywords;
performing PHP code semantic escape on each keyword in the keyword set, and generating a character corresponding to the keyword includes:
Deleting the annotation character when the keyword is the annotation character;
when the keyword is the PHP script keyword, performing PHP code semantic escape on the PHP script keyword by using a dictionary or an escape relation to obtain a first character;
when the keyword is the PHP code function keyword, performing PHP code semantic escape on the PHP code function keyword by using the dictionary or the escape relation to obtain a second character;
when the keyword is a special command keyword executed in the PHP code function, performing the PHP code semantic escape on the special command keyword executed in the PHP code function by utilizing the dictionary or the escape relation to obtain a third character;
and when the keyword is the special character keyword, performing PHP code semantic escape on the special character keyword by utilizing the dictionary or the escape relation to obtain a fourth character.
2. The method for detecting code injection according to claim 1, wherein before the obtaining the specified field in the HTTP traffic generated when the client accesses the server, to use the specified field as the character string to be detected, the method further comprises:
Acquiring the HTTP traffic generated when the user side accesses the server; the HTTP traffic includes access traffic and response traffic;
parsing the HTTP traffic according to the HTTP protocol to obtain a target field; the target field contains a plurality of the specified fields.
3. The code injection detection method of claim 1, wherein the first encoding mode is base64 encoding, the first decoding mode is base64 decoding, the second encoding mode is hexadecimal encoding, and the second decoding mode is hexadecimal decoding;
or,
the first encoding mode is hexadecimal encoding, the first decoding mode is hexadecimal decoding, the second encoding mode is base64 encoding, and the second decoding mode is base64 decoding.
4. The code injection detection method according to claim 1, wherein the performing a first decoding on the character string to be detected using a first decoding method, and taking a first decoding result as a first character string, includes:
performing first decoding on the character string to be detected by using a first decoding mode, and judging whether the first decoding is successful;
if the first decoding is successful, a first decoding result obtained after the first decoding is used as the first character string;
And if the first decoding fails, taking the character string to be detected as the first character string.
5. The code injection detection method according to claim 1, wherein the performing the second decoding on the first string using the second decoding method, and taking the second decoding result as the second string, includes:
performing second decoding on the first character string by using a second decoding mode, and judging whether the second decoding is successful;
if the second decoding is successful, a second decoding result obtained after the second decoding is used as the second character string;
and if the second decoding fails, the first character string is used as the second character string.
6. A code injection detection apparatus, comprising:
the first acquisition module is used for acquiring a specified field in HTTP traffic generated when the user side accesses the server, and taking the specified field as a character string to be detected;
the first decoding module is used for carrying out first decoding on the character string to be detected by using a first decoding mode, and taking a first decoding result as a first character string; the coding mode corresponding to the first decoding mode is a first coding mode;
The second decoding module is used for performing second decoding on the first character string by using a second decoding mode, and taking a second decoding result as a second character string; wherein the encoding mode corresponding to the second decoding mode is a second encoding mode; the first coding mode and the second coding mode are two different coding modes bypassing regular expression detection;
the third decoding module is used for performing third decoding on the second character string by using a third decoding mode corresponding to the character string to be detected to obtain a third character string;
the escape module is used for performing PHP code semantic escape on each keyword in the third character string and generating a target feature string corresponding to the third character string;
the query module is used for querying in the PHP code injection semantic feature library, and if the target feature string exists in the PHP code injection semantic feature library, the current access is determined to be PHP code injection;
the escape module is configured to, when performing PHP code semantic escape on each keyword in the third string to generate a target feature string corresponding to the third string, specifically:
identifying a target space in the character string to be detected; the target space comprises a single space or a plurality of continuous spaces;
According to the target space in the character string to be detected, word segmentation processing is carried out on the character string to be detected, and a keyword set corresponding to the character string to be detected is obtained;
performing PHP code semantic escape on each keyword in the keyword set to generate a character corresponding to the keyword;
splicing the characters according to the arrangement sequence of the keywords in the character string to be detected to generate the target characteristic string;
the keyword set comprises one or more of the following: annotation characters, PHP script keywords, PHP code function keywords, special command keywords executed in PHP code functions, and special character keywords;
the escape module is configured to, when performing PHP code semantic escape on each keyword in the keyword set to generate a character corresponding to the keyword, specifically:
deleting the annotation character when the keyword is the annotation character;
when the keyword is the PHP script keyword, performing PHP code semantic escape on the PHP script keyword by using a dictionary or an escape relation to obtain a first character;
When the keyword is the PHP code function keyword, performing PHP code semantic escape on the PHP code function keyword by using the dictionary or the escape relation to obtain a second character;
when the keyword is a special command keyword executed in the PHP code function, performing the PHP code semantic escape on the special command keyword executed in the PHP code function by utilizing the dictionary or the escape relation to obtain a third character;
and when the keyword is the special character keyword, performing PHP code semantic escape on the special character keyword by utilizing the dictionary or the escape relation to obtain a fourth character.
7. An electronic device, comprising: a processor, a memory and a bus, said memory storing machine-readable instructions executable by said processor, said processor and said memory communicating over the bus when the electronic device is running, said machine-readable instructions when executed by said processor performing the steps of the method according to any one of claims 1 to 5.
8. A computer-readable storage medium, characterized in that it has stored thereon a computer program which, when executed by a processor, performs the steps of the method according to any of claims 1 to 5.
Application CN202210099441.6A, priority date 2022-01-27, filing date 2022-01-27: Code injection detection method and device, electronic equipment and readable storage medium (status: Active).

Publications: CN114500053A, published 2022-05-13; CN114500053B (granted), published 2023-12-05.

Family ID: 81476641. Country: CN.

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101459548A (en) * 2007-12-14 2009-06-17 北京启明星辰信息技术股份有限公司 Script injection attack detection method and system
CN107526968A (en) * 2017-08-18 2017-12-29 郑州云海信息技术有限公司 A kind of anti-method for implanting of SQL based on syntactic analysis and device
CN108959926A (en) * 2018-06-27 2018-12-07 杭州安恒信息技术股份有限公司 A kind of detection method of SQL injection attack
CN109150886A (en) * 2018-08-31 2019-01-04 腾讯科技(深圳)有限公司 Detecting structured query language injection attack and relevant device
CN111770079A (en) * 2020-06-24 2020-10-13 绿盟科技集团股份有限公司 Method and device for detecting vulnerability injection of web framework
CN113141332A (en) * 2020-01-17 2021-07-20 深信服科技股份有限公司 Command injection identification method, system, equipment and computer storage medium
CN113138913A (en) * 2020-01-17 2021-07-20 深信服科技股份有限公司 Java code injection detection method, device, equipment and storage medium
CN113591041A (en) * 2021-09-28 2021-11-02 环球数科集团有限公司 Distributed coding system for preventing code injection or source code decompilation
CN113645224A (en) * 2021-08-09 2021-11-12 杭州安恒信息技术股份有限公司 Network attack detection method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN114500053A (en) 2022-05-13

Similar Documents

Publication Publication Date Title
CN109922052B (en) Malicious URL detection method combining multiple features
EP3323053B1 (en) Document capture using client-based delta encoding with server
JP6636096B2 (en) System and method for machine learning of malware detection model
JP6106340B2 (en) Log analysis device, attack detection device, attack detection method and program
CN107707545B (en) Abnormal webpage access fragment detection method, device, equipment and storage medium
CN110099059B (en) Domain name identification method and device and storage medium
CN111614599B (en) Webshell detection method and device based on artificial intelligence
CN107241296B (en) Webshell detection method and device
CN111600919B (en) Method and device for constructing intelligent network application protection system model
CN110034921B (en) Webshell detection method based on weighted fuzzy hash
EP3474175B1 (en) System and method of managing computing resources for detection of malicious files based on machine learning model
CN111030992B (en) Detection method, server and computer readable storage medium
CN105653949B (en) Malware detection method and device
CN104766013A (en) Skip list based cross-site scripting attack defense method
US10742668B2 (en) Network attack pattern determination apparatus, determination method, and non-transitory computer readable storage medium thereof
CN112351002B (en) Message detection method, device and equipment
CN114500053B (en) Code injection detection method and device, electronic equipment and readable storage medium
CN108259416A (en) Method and related device for detecting malicious web pages
CN115297104B (en) File uploading method and device, electronic equipment and storage medium
KR101526500B1 (en) Suspected malicious website detection method and system using information entropy
CN113328982B (en) Intrusion detection method, device, equipment and medium
CN114169540A (en) Webpage user behavior detection method and system based on improved machine learning
CN116488947B (en) Security element treatment method
CN111211995A (en) Method and device for analyzing network traffic acquired by character string matching library
CN109218284B (en) XSS vulnerability detection method and device, computer equipment and readable medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant