CN116186699B - PHP file access detection method and device - Google Patents


Info

Publication number: CN116186699B
Authority: CN (China)
Prior art keywords: file, access, php, script, function
Legal status: Active
Application number: CN202310095993.4A
Other languages: Chinese (zh)
Other versions: CN116186699A (en)
Inventors: 杨钰卉, 姚纪卫, 姜向前
Current assignee: Anxin Wangdun Beijing Technology Co ltd
Original assignee: Anxin Wangdun Beijing Technology Co ltd

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions

Abstract

An embodiment of the invention relates to a PHP file access detection method and device. The method comprises the following steps: when the PHP process is started, obtaining at least one file-access function; hooking the at least one file-access function; when a script of the PHP process is executed, obtaining a first directory of the current PHP server file; when the hooked file-access function is executed in the script, obtaining, through the hook of that function, the absolute path of the file to be accessed; and judging whether the absolute path of the file to be accessed contains the first directory, and judging, according to that result, whether the script is a malicious access request involving sensitive file access. The technical scheme of the embodiment monitors and detects sensitive file access in real time during execution of the PHP process on the basis of hooking (HOOK) technology; the detection method is simpler and its performance impact on the PHP server is smaller.

Description

PHP file access detection method and device
Technical Field
The embodiment of the invention relates to the technical field of PHP file access detection, in particular to a PHP file access detection method and device.
Background
Sensitive files are configuration files, backup files and other files on a computer or website that record sensitive information such as host or user information. If these files are stolen or tampered with, the user suffers a significant loss, so access to sensitive files needs to be monitored and detected.
In the prior art, sensitive file access control mechanisms based on whitelist protection are mostly adopted: the application program and the sensitive files it is allowed to access must be configured in advance, and when the application program accesses a file the configuration items are checked to judge whether the application program has permission to access that file.
Such a whitelist-based sensitive file access control mechanism depends heavily on manual configuration, cannot achieve real-time detection, is cumbersome to configure for application programs that access many files, and has a larger impact on application performance because a large amount of configuration must be searched each time the application program accesses a file.
Disclosure of Invention
Given this state of the prior art, an object of the embodiments of the present invention is to provide a PHP file access detection method and apparatus that monitor and detect sensitive file access in real time on the basis of hooking (HOOK) technology, with a simpler detection method and less impact on PHP server performance.
In order to achieve the above object, according to one aspect of the present invention, there is provided a PHP file access detection method, including the steps of:
obtaining at least one file-access function when the PHP process is started;
hooking the at least one file-access function;
when a script of the PHP process is executed, obtaining a first directory of the current PHP server file;
when the at least one file-access function is executed in the script, obtaining the absolute path of the file to be accessed through the hook of the at least one file-access function;
judging whether the absolute path of the file to be accessed contains the first directory, and judging, according to the result, whether the script is a malicious access request involving sensitive file access.
Further, the file-access functions include fopen, fwrite, readfile and file_get_contents.
Further, the first directory includes the root directory of the PHP server files to be accessed.
Further, determining whether the absolute path of the file to be accessed includes the first directory, and determining according to the result whether the script is a malicious access request involving sensitive file access, includes:
if the absolute path of the file to be accessed includes the first directory, the script is a normal access request;
if the absolute path of the file to be accessed does not include the first directory, the script is a malicious access request involving access to a sensitive file.
Further, the sensitive file includes a file recording information of the host or the user.
According to another aspect of the present invention, there is provided a PHP file access detection apparatus including:
a function obtaining module, used to obtain at least one file-access function when the PHP process is started;
a hooking module, used to hook the at least one file-access function;
a first directory obtaining module, used to obtain a first directory of the current file when a script of the PHP process is executed;
a file path obtaining module, used to obtain, when the at least one file-access function is executed in the script, the absolute path of the file to be accessed through the hook of the at least one file-access function;
a detection module, used to judge whether the absolute path of the file to be accessed contains the first directory and, according to the result, whether the script is a malicious access request involving sensitive file access.
Further, the file-access functions include fopen, fwrite, readfile and file_get_contents.
Further, the first directory includes the root directory of the PHP server files to be accessed.
Further, the detection module determining whether the absolute path of the file to be accessed includes the first directory, and determining according to the result whether the script is a malicious access request involving sensitive file access, includes:
if the absolute path of the file to be accessed includes the first directory, the script is a normal access request;
if the absolute path of the file to be accessed does not include the first directory, the script is a malicious access request involving access to a sensitive file.
Further, the sensitive file includes a file recording information of the host or the user.
In summary, the embodiment of the invention provides the PHP file access detection method and device described above: hooking the file-access functions when the PHP process starts, reading the first directory when a script runs, obtaining the absolute path of each accessed file through the hook, and classifying the request according to whether that path contains the first directory. This monitors and detects sensitive file access in real time during execution of the PHP process on the basis of hooking (HOOK) technology, with a simpler detection method and a smaller performance impact on the PHP server.
Drawings
FIG. 1 is a flowchart of a PHP file access detection method provided by an embodiment of the invention;
FIG. 2 is a block diagram of a PHP file access detection apparatus according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The objects, technical solutions and advantages of the present invention will become more apparent by the following detailed description of the present invention with reference to the accompanying drawings. It should be understood that the description is only illustrative and is not intended to limit the scope of the invention. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the present invention.
The following describes the technical scheme of the embodiment of the present invention in detail with reference to the accompanying drawings. The embodiment provides a PHP file access detection method; its flowchart is shown in FIG. 1, and the method comprises the following steps:
S202, when the PHP process is started, obtain at least one file-access function. In this step, when the PHP process starts, the PHP functions that may access sensitive files, for example fopen, fwrite, readfile and file_get_contents, are hooked (HOOK). After the user executes a PHP script, that is, after the PHP process receives a request, if the script accesses a sensitive file through one of these functions, the path of the file being accessed can be obtained; if that path does not include the document_root path, the request can be determined to be malicious.
S204, hook the at least one file-access function.
S206, when a script of the PHP process is executed, obtain the first directory of the current PHP server file. The first directory is, for example, the root directory of the server files to be accessed; it is stored in a PHP global variable, from which the first directory of the current PHP server file can be read. In this embodiment the root directory is, for example, document_root, the root directory from which the server serves user files; all PHP files that users can reach through the web are placed under the document_root directory, so when a malicious request wants to reach sensitive files it generally traverses paths, that is, uses path traversal sequences such as ../ to try to access files stored outside document_root. The embodiment of the invention therefore judges whether the PHP script is a malicious access request involving sensitive file access by judging whether the absolute path of the file to be accessed contains the root directory. Compared with the prior-art detection method, this has better real-time performance and less impact on PHP server performance.
S208, when the at least one file-access function is executed in the script, obtain the absolute path of the file to be accessed through the hook of that function.
S210, judge whether the absolute path of the file to be accessed contains the first directory, and judge, according to the result, whether the script is a malicious access request involving sensitive file access. The judgment in this step comprises:
if the absolute path of the file to be accessed includes the first directory, the script is a normal access request;
if the absolute path of the file to be accessed does not include the first directory, the script is a malicious access request involving access to a sensitive file.
The sensitive files referred to in the embodiment of the invention are files that record sensitive information such as host or user information, for example /etc/passwd and /etc/hosts, as distinct from the files that users are normally allowed to access.
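The hook-and-check of steps S202 to S210 can be approximated in userland PHP with a custom stream wrapper, because fopen, readfile and file_get_contents (and fwrite, through the stream that fopen returns) all pass through the built-in file wrapper; the following is an added example, not code from the patent, and the class name, PHP 8, and a temporary directory standing in for $_SERVER['DOCUMENT_ROOT'] are assumptions. It also shows two details a plain "contains the first directory" test needs: the requested path is canonicalised with realpath before comparison, so ../ and symlinks are resolved, and the comparison is made on a directory boundary rather than as a substring, so /var/www/html_backup is not accepted for a root of /var/www/html.

```php
<?php
// Added example, not from the patent. Userland approximation of steps
// S202-S210: PHP's fopen/readfile/file_get_contents all go through the
// built-in "file" stream wrapper, so replacing it lets us inspect each path
// before it is opened (fwrite operates on the stream fopen returned, so it is
// covered by the same check). Assumes PHP 8; a real deployment would hook the
// engine functions from an extension rather than use a wrapper.

final class DocRootGuardWrapper
{
    public $context;                     // set by PHP when a context is passed
    private $handle;                     // underlying real file stream
    public static string $docRoot = '';  // stands in for $_SERVER['DOCUMENT_ROOT']
    public static array $alerts = [];    // detections recorded by the hook

    // Steps S206/S210: canonicalise the requested path (resolves ../ and
    // symlinks) and require it to sit under the document root. Compare on a
    // directory boundary, not as a substring, so "/var/www/html_backup" is
    // not accepted for a root of "/var/www/html".
    public static function isInsideDocRoot(string $path): bool
    {
        $root = rtrim(realpath(self::$docRoot) ?: self::$docRoot, '/');
        $target = realpath($path);
        if ($target === false) {
            // File does not exist yet (e.g. fopen mode 'w'): resolve its parent.
            $parent = realpath(dirname($path));
            if ($parent === false) {
                return false;
            }
            $target = rtrim($parent, '/') . '/' . basename($path);
        }
        return $target === $root || str_starts_with($target, $root . '/');
    }

    // Temporarily put the built-in wrapper back so the real file can be opened.
    private static function withRealWrapper(callable $fn)
    {
        stream_wrapper_restore('file');
        try {
            return $fn();
        } finally {
            stream_wrapper_unregister('file');
            stream_wrapper_register('file', self::class);
        }
    }

    // Step S208: every fopen/readfile/file_get_contents lands here with the path.
    public function stream_open($path, $mode, $options, &$opened_path): bool
    {
        $clean = preg_replace('#^file://#', '', $path);
        if (!self::isInsideDocRoot($clean)) {
            self::$alerts[] = "blocked mode '$mode' access to $clean";
            if ($options & STREAM_REPORT_ERRORS) {
                trigger_error("access outside DOCUMENT_ROOT: $clean", E_USER_WARNING);
            }
            return false;
        }
        $this->handle = self::withRealWrapper(fn() => @fopen($clean, $mode));
        return $this->handle !== false;
    }
    public function stream_read($count)  { return fread($this->handle, $count); }
    public function stream_write($data)  { return fwrite($this->handle, $data); }
    public function stream_eof(): bool   { return feof($this->handle); }
    public function stream_close(): void { fclose($this->handle); }
    public function stream_stat()        { return fstat($this->handle); }
    public function stream_set_option($option, $arg1, $arg2): bool { return false; }
    public function url_stat($path, $flags)
    {
        $clean = preg_replace('#^file://#', '', $path);
        return self::withRealWrapper(fn() => @stat($clean));
    }
}

// Constructed demo for the CLI: a temporary directory stands in for the
// server's document root, with one file that a web user may legitimately read.
$base = sys_get_temp_dir() . '/docroot_demo_' . getmypid();
mkdir($base . '/public', 0700, true);
file_put_contents($base . '/public/index.php', "<?php echo 'hello';");
DocRootGuardWrapper::$docRoot = $base . '/public';

stream_wrapper_unregister('file');
stream_wrapper_register('file', DocRootGuardWrapper::class);

var_dump(file_get_contents($base . '/public/index.php') !== false);   // normal request: under the root
var_dump(@file_get_contents($base . '/public/../../../etc/passwd'));  // traversal that leaves the root
var_dump(@readfile('/etc/hosts'));                                    // absolute path outside the root
print_r(DocRootGuardWrapper::$alerts);                                // what the hook recorded

stream_wrapper_restore('file');                                       // cleanup uses the real wrapper
unlink($base . '/public/index.php');
rmdir($base . '/public');
rmdir($base);
```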
The embodiment of the invention also provides a PHP file access detection apparatus, a block diagram of which is shown in FIG. 2, comprising:
a function obtaining module 201, configured to obtain at least one file-access function when the PHP process is started;
a hooking module 202, configured to hook the at least one file-access function;
a first directory obtaining module 203, configured to obtain the first directory of the current file when a script of the PHP process is executed;
a file path obtaining module 204, configured to obtain, when the at least one file-access function is executed in the script, the absolute path of the file to be accessed through the hook of that function;
a detection module 205, configured to determine whether the absolute path of the file to be accessed includes the first directory and, according to the result, whether the script is a malicious access request involving sensitive file access. The determination made by the detection module 205 includes:
if the absolute path of the file to be accessed includes the first directory, the script is a normal access request;
if the absolute path of the file to be accessed does not include the first directory, the script is a malicious access request involving access to a sensitive file.
In the PHP file access detection apparatus provided in this embodiment of the present invention, the specific process of each module implementing its function is the same as each step in the PHP file access detection method provided in the above embodiment of the present invention, and a repetitive description thereof will be omitted herein.
In an embodiment of the present invention, there is further provided an electronic device including a memory, a processor, and executable instructions stored on the memory and executable on the processor, the processor implementing the method of the above embodiment when executing the instructions. FIG. 3 is a schematic structural diagram of an electronic device according to the embodiment of the invention. As shown in FIG. 3, the electronic device includes one or more processors 301 and a memory 302, with computer-executable instructions stored in memory 302 that, when executed by processor 301, cause processor 301 to perform the PHP file access detection method of the above embodiments. The processor 301 may be a Central Processing Unit (CPU) or another form of processing unit with data processing and/or instruction execution capability, and may control other components in the electronic device to perform desired functions. Memory 302 may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. Volatile memory can include, for example, Random Access Memory (RAM) and/or cache memory. Non-volatile memory may include, for example, Read Only Memory (ROM), a hard disk, flash memory, and the like. One or more computer program instructions may be stored on the computer-readable storage medium, and processor 301 may execute them to implement the steps of the PHP file access detection method and/or other desired functions of the embodiments of the invention described above. In some embodiments, the electronic device may further include an input device 303 and an output device 304, interconnected by a bus system and/or other form of connection mechanism (not shown in FIG. 3).
For example, when the electronic device is a stand-alone device, the input means 303 may be a communication network connector for receiving the acquired input signal from an external, removable device. In addition, the input device 303 may also include, for example, a keyboard, a mouse, a microphone, and the like. The output device 304 may output various information to the outside, and may include, for example, a display, a speaker, a printer, a communication network, a remote output apparatus connected thereto, and the like.
In an embodiment of the present invention, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method described in the above embodiments of the present invention. The computer-readable storage medium may employ any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It should be appreciated that the processor in embodiments of the present invention may be a central processing unit (Central Processing Unit, CPU), but may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), off-the-shelf programmable gate arrays (Field Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
In summary, the embodiment of the invention relates to the PHP file access detection method and device described above, in which the file-access functions are hooked when the PHP process starts, the first directory is read when a script runs, the absolute path of each accessed file is obtained through the hook, and the request is classified according to whether that path contains the first directory. This monitors and detects sensitive file access in real time during execution of the PHP process on the basis of hooking (HOOK) technology, with a simpler detection method and a smaller performance impact on the PHP server.
It should be understood that the above discussion of any of the embodiments is exemplary only and is not intended to suggest that the scope of the invention (including the claims) is limited to these examples; combinations of features of the above embodiments or in different embodiments are also possible within the spirit of the invention, steps may be implemented in any order and there are many other variations of the different aspects of one or more embodiments of the invention described above which are not provided in detail for the sake of brevity. The above detailed description of the present invention is merely illustrative or explanatory of the principles of the invention and is not necessarily intended to limit the invention. Accordingly, any modification, equivalent replacement, improvement, etc. made without departing from the spirit and scope of the present invention should be included in the scope of the present invention. Furthermore, the appended claims are intended to cover all such changes and modifications that fall within the scope and boundary of the appended claims, or equivalents of such scope and boundary.

Claims (8)

1. A PHP file access detection method, characterized by comprising the following steps:
obtaining at least one file-access function when the PHP process is started;
hooking the at least one file-access function;
when a script of the PHP process is executed, obtaining a first directory of the current PHP server file, wherein the first directory comprises the root directory of the server files to be accessed and is stored in a global variable of PHP;
when the at least one file-access function is executed in the script, obtaining the absolute path of the file to be accessed through the hook of the at least one file-access function;
judging whether the absolute path of the file to be accessed contains the first directory, and judging, according to the result, whether the script is a malicious access request involving sensitive file access.
2. The method of claim 1, wherein the file-access function comprises fopen, fwrite, readfile and file_get_contents.
3. The method of claim 2, wherein determining whether the absolute path of the file to be accessed includes the first directory, and determining according to the result whether the script is a malicious access request involving access to the sensitive file, comprises:
if the absolute path of the file to be accessed includes the first directory, the script is a normal access request;
if the absolute path of the file to be accessed does not include the first directory, the script is a malicious access request involving access to the sensitive file.
4. A method according to any of claims 1-3, wherein the sensitive file comprises a file recording host or user information.
5. A PHP file access detection apparatus, comprising:
a function obtaining module, used to obtain at least one file-access function when the PHP process is started;
a hooking module, used to hook the at least one file-access function;
a first directory obtaining module, used to obtain a first directory of the current PHP server file when a script of the PHP process is executed, wherein the first directory comprises the root directory of the server files to be accessed and is stored in a global variable of PHP;
a file path obtaining module, used to obtain, when the at least one file-access function is executed in the script, the absolute path of the file to be accessed through the hook of the at least one file-access function;
a detection module, used to judge whether the absolute path of the file to be accessed contains the first directory and, according to the result, whether the script is a malicious access request involving sensitive file access.
6. The apparatus of claim 5, wherein the file-access function comprises fopen, fwrite, readfile and file_get_contents.
7. The apparatus of claim 6, wherein the detection module determining whether the absolute path of the file to be accessed includes the first directory, and determining according to the result whether the script is a malicious access request involving access to the sensitive file, comprises:
if the absolute path of the file to be accessed includes the first directory, the script is a normal access request;
if the absolute path of the file to be accessed does not include the first directory, the script is a malicious access request involving access to the sensitive file.
8. The apparatus of any of claims 5-7, wherein the sensitive file comprises a file recording host or user information.
Application CN202310095993.4A, filed 2023-01-19, priority date 2023-01-19: PHP file access detection method and device (status: Active)

Publications (2)

Publication Number Publication Date
CN116186699A (en) 2023-05-30
CN116186699B (en) 2023-08-22

Family

ID=86441748

Country Status (1)

Country Link
CN (1) CN116186699B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101901313A (en) * 2010-06-10 2010-12-01 中科方德软件有限公司 Linux file protection system and method
KR20150017925A (en) * 2013-08-08 2015-02-23 에스지에이 주식회사 A detect system against malicious processes by using the full path of access files
CN108304304A (en) * 2018-01-03 2018-07-20 珠海金山网络游戏科技有限公司 A kind of method and device that statistics program accesses file number and takes
CN112035888A (en) * 2020-09-01 2020-12-04 杭州安恒信息安全技术有限公司 File path determining method, device and medium based on webpage tamper-proof system
CN114186239A (en) * 2021-11-09 2022-03-15 北京威努特技术有限公司 Program white list method and device based on path information

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant