WO2020211555A1 - File detection method, apparatus and device, and computer-readable storage medium - Google Patents


Info

Publication number
WO2020211555A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
suffix
uploaded
magic number
detection
Prior art date
Application number
PCT/CN2020/077615
Other languages
French (fr)
Chinese (zh)
Inventor
朱杨军
Original Assignee
深圳前海微众银行股份有限公司
Priority date
Filing date
Publication date
Application filed by 深圳前海微众银行股份有限公司
Publication of WO2020211555A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Definitions

  • This application relates to the technical field of information security in financial technology, and in particular to a file detection method, apparatus, device, and computer-readable storage medium.
  • A file upload vulnerability arises when the programmer controls the user file upload function insufficiently or the processing flow has flaws, so that a user can exceed his own authority and upload executable dynamic script files to the server.
  • The files uploaded in this way can be Trojan horses, viruses, malicious scripts, WebShells and so on; this attack method is the most direct and effective one.
  • The file upload vulnerability itself is very harmful, and a WebShell expands the use of this vulnerability without limit. After most upload vulnerabilities are exploited, the attacker leaves a WebShell behind to facilitate subsequent access to the system. Once the attacker has placed or inserted a WebShell on the affected system, he can use it to do whatever he wants on the server more easily and more covertly. Therefore, how to improve the success rate of file upload vulnerability detection is an urgent problem to be solved.
  • The main purpose of this application is to provide a file detection method, apparatus, device, and computer-readable storage medium, aiming to solve the technical problem of how to improve the success rate of file upload vulnerability detection.
  • The present application provides a file detection method, which includes the following steps:
  • after obtaining the file to be uploaded, obtaining a first file suffix of the file to be uploaded;
  • if the first file suffix is a legal file suffix, detecting whether the file to be uploaded has a file magic number;
  • if the file to be uploaded has a file magic number, acquiring a second file suffix corresponding to the file magic number;
  • if the first file suffix is different from the second file suffix, determining that the file to be uploaded fails the file upload vulnerability detection.
  • the present application also provides a file detection device, the file detection device includes:
  • the obtaining module is configured to obtain the first file suffix of the file to be uploaded after obtaining the file to be uploaded
  • the detection module is configured to detect whether the file to be uploaded has a file magic number if the first file suffix is a legal file suffix;
  • the obtaining module is further configured to obtain a second file suffix corresponding to the file magic number if the file to be uploaded has a file magic number;
  • the determining module is configured to determine that the file to be uploaded fails the file upload vulnerability detection if the suffix of the first file is different from the suffix of the second file.
  • The present application also provides a file detection device. The file detection device includes a memory, a processor, and a file detection program that is stored in the memory and can run on the processor; when the file detection program is executed by the processor, the steps of the file detection method described above are implemented.
  • The present application also provides a computer-readable storage medium. The computer-readable storage medium stores a file detection program, and when the file detection program is executed by a processor, the steps of the file detection method described above are implemented.
  • This application defends against file upload vulnerabilities by double checking the file suffix and the file magic number. When it is determined that the first file suffix of the file to be uploaded is a legal file suffix, that the file to be uploaded has a file magic number, and that the second file suffix corresponding to the file magic number is different from the first file suffix, it is determined that the file to be uploaded fails the file upload vulnerability detection. This improves the success rate of file upload vulnerability detection and improves the security of files on the server.
  • FIG. 1 is a schematic flowchart of a preferred embodiment of the file detection method of the present application;
  • FIG. 2 is a schematic diagram of a process for obtaining the first file suffix of the file to be uploaded after obtaining the file to be uploaded in an embodiment of the present application;
  • FIG. 3 is a schematic diagram of another process for obtaining the first file suffix of the file to be uploaded after obtaining the file to be uploaded in an embodiment of the present application;
  • FIG. 4 is a functional schematic block diagram of a preferred embodiment of the file detection device of the present application;
  • FIG. 5 is a schematic structural diagram of a hardware operating environment involved in a solution of an embodiment of the present application.
  • FIG. 1 is a schematic flowchart of a preferred embodiment of the file detection method of this application.
  • the file detection method is applied to a file detection device, a server or a terminal.
  • The terminal may include, for example, mobile terminals such as a mobile phone, a tablet computer, a notebook computer, a handheld computer, and a personal digital assistant (PDA), as well as fixed terminals such as digital TVs and desktop computers.
  • For ease of description, each embodiment is described with a server as the execution subject.
  • The file detection method includes:
  • Step S10 After obtaining the file to be uploaded, obtain the first file suffix of the file to be uploaded.
  • the financial institution will upload its files to the server in real time or regularly.
  • the file that the financial institution needs to upload to the server is recorded as a file to be uploaded.
  • After the server obtains the file to be uploaded that the financial institution uploaded, the server obtains the file suffix of the file to be uploaded and records it as the first file suffix.
  • the file to be uploaded can be sent by the client that has established a communication connection with the server.
  • File suffix is also called file extension. It is a mechanism used by the operating system to mark the file type. Generally speaking, an extension follows the main file name and is separated by a separator.
  • For example, in the file name "Read me.txt", "Read me" is the main file name and "txt" is the extension (short for Text), which means that this file is treated as a plain text file; the extension can be regarded as the file type.
  • the server can obtain the first file suffix of the file to be uploaded by recognizing the file name.
  • In addition, the following points should be noted: (1) files on the web server can easily be accessed by malicious users through illegal URLs (Uniform Resource Locator); (2) the directory in which files to be uploaded are stored should not be granted execute permission; (3) CSRF (cross-site request forgery) protection should be applied so that files cannot be uploaded through forged requests; (4) overwriting by files whose file-name hash value is the same should be restricted, so as to handle the case where a malicious user uploads an illegal file with the same hash value as a legal file; (5) operation logs of the user's login and password modification operations should be generated for the files to be uploaded; (6) if the file to be uploaded is a compressed file, the type of each file in the compressed file should be checked one by one to avoid illegal files inside the compressed file.
  • the file detection method further includes:
  • Step a Determine whether the first file suffix exists in the preset file suffix name array.
  • Step b: If the first file suffix exists in the file suffix name array, it is determined that the first file suffix is a legal file suffix.
  • Further, after the server obtains the first file suffix, the server obtains a preset file suffix name array and determines whether the first file suffix exists in it. The file suffixes acceptable to the server are stored in the file suffix name array, that is, the file suffixes in the file suffix name array are legal file suffixes. It should be noted that after the server obtains the file to be uploaded, the server initializes the program to obtain the file suffix name array. If it is determined that the first file suffix exists in the file suffix name array, the server determines that the first file suffix is a legal file suffix. For example, if the file suffix name array contains MPEG (Motion Picture Experts Group), GIF and other suffixes, and the server determines that the first file suffix is GIF, the server determines that the first file suffix is a legal file suffix.
  • the file detection method further includes:
  • Step c: If the first file suffix does not exist in the file suffix name array, it is determined that the first file suffix is an illegal file suffix, and after the first file suffix is determined to be an illegal file suffix, it is determined that the file to be uploaded fails the file upload vulnerability detection.
  • That is, if the first file suffix does not exist in the file suffix name array, the server determines that the first file suffix is an illegal file suffix, and then determines that the file to be uploaded fails the file upload vulnerability detection.
  • Step S20 If the first file suffix is a legal file suffix, it is detected whether the file to be uploaded has a file magic number.
  • If the server determines that the first file suffix is a legal file suffix, the server detects whether the file to be uploaded has a file magic number.
  • A file magic number is metadata used to distinguish file types; the "magic number" is stored in the file itself. It should be noted that not all file types have a file magic number. For example, files in txt format do not have a file magic number, so the server needs to check whether the file to be uploaded has one.
  • step S20 includes:
  • Step d if the first file suffix is a legal file suffix, read the file header of the file to be uploaded.
  • Specifically, the process by which the server detects whether the file to be uploaded has a file magic number is: if it is determined that the first file suffix is a legal file suffix, the file header of the file to be uploaded is read.
  • The server may obtain the file header information of the file to be uploaded through the file path, so as to obtain the file header of the file to be uploaded.
  • The file header is a section of data at the start of the file that performs certain tasks; it is generally located at the beginning of the file.
  • After the file header of the file to be uploaded is read, the file header is compared with the preset file magic number rule to obtain a comparison result.
  • When the server reads the file header of the file to be uploaded, it can read characters of a specific length from the file header, such as the first 8 characters or the first 20 characters of the file header.
  • The file magic number rule is preset. Different types of files have different file magic numbers; one file magic number can correspond to multiple file formats, and different file magic numbers can correspond to the same file format. For example, videos and pictures correspond to different file magic numbers, but one file magic number can correspond to several image file formats. If a key represents the file magic number and a value represents the corresponding file format, then, since the file magic numbers of different file formats may be the same, the key may be duplicated.
  • For example, the file formats corresponding to file magic number A can be PNG (Portable Network Graphics) and JPEG. It can be understood that the file magic number array corresponding to the file magic numbers is an array that stores repeated keys, and the file magic number array is the array that stores the file magic number rules.
  • the server may first determine the target character of the file magic number corresponding to various file formats, and then set the file magic number rule according to the position of the target character in the file header. If in a picture file, the first 8 characters in the file header can be used to determine whether the file is a picture, then these 8 characters are the target characters corresponding to the file magic number.
  • Then the first 8 characters are set as the target characters of the file magic number corresponding to the picture file, and some characters may be appended after them. These characters can be any characters; that is, the length of the file magic number rule corresponding to the picture file is at least 8 characters.
  • If the 5th to 10th characters in the file header are the target characters of the file magic number corresponding to a video file, it can be determined that the file magic number offset of the video file is 4, that is, the offset of the file magic number in the file header is 4.
  • Characters 1 to 4 are the offset of the file magic number.
  • The length of the corresponding file magic number rule is then at least 10 characters. Therefore, when the file header of the file to be uploaded is read, the number of characters read is determined by the length of the file magic number rule: the number of characters read from the file header must be greater than or equal to the length of the file magic number rule, and the length of the file magic number rule is greater than or equal to the sum of the offset and the length of the target characters. It is understandable that not all files have an offset.
  • the server may convert the read file header into hexadecimal.
  • To obtain the comparison result efficiently, it is necessary to ensure that the data format of the file magic number rule is the same as the data format of the read file header; that is, if the characters of the file magic number rule are hexadecimal, the server also needs to convert the read file header from binary to hexadecimal.
  • Step e Detect whether the file header meets a preset file magic number rule.
  • Step f If it is detected that the file header complies with the file magic number rule, it is determined that the file to be uploaded has a file magic number.
  • Step g if it is detected that the file header does not meet the file magic number rule, it is determined that the file to be uploaded does not have a file magic number.
  • After the server reads the file header of the file to be uploaded, the server detects whether the file header meets the preset file magic number rule. If it detects that the file header meets the file magic number rule, the server determines that the file to be uploaded has a file magic number; if it detects that the file header does not meet the file magic number rule, the server determines that the file to be uploaded does not have a file magic number. For example, when the file magic number rule of a picture file is FFD8FFDB/FFD8FFE0/FFD8FFE1+00, the server must read at least 10 characters: FFD8FFDB, FFD8FFE0 and FFD8FFE1 are the target characters corresponding to the picture file, and "00" means that the two characters after the target characters can be any characters. If the first 8 characters are one of FFD8FFDB, FFD8FFE0 and FFD8FFE1, it is determined that the file to be uploaded has a file magic number.
  • Step S30 If the file to be uploaded has a file magic number, acquire a second file suffix corresponding to the file magic number.
  • the server obtains the file suffix corresponding to the file magic number, and records the file suffix corresponding to the file magic number as the second file suffix. It is understandable that the file magic number can be used to mark the format of the file or protocol. Therefore, the corresponding file suffix can be determined through the file magic number, that is, there is a correspondence between the file magic number and the file suffix.
  • After the server obtains the second file suffix corresponding to the file magic number, the server determines whether the first file suffix is the same as the second file suffix.
  • the file detection method further includes:
  • Step h if it is detected that the file to be uploaded does not have the file magic number, it is determined that the file to be uploaded has not passed the file upload vulnerability detection.
  • If it is detected that the file to be uploaded does not have a file magic number, the server determines that the file to be uploaded fails the file upload vulnerability detection, and when it is determined that the file to be uploaded fails the file upload vulnerability detection, the server prohibits uploading the file.
  • Alternatively, the server may determine that the file to be uploaded passes the file upload vulnerability detection. It should be noted that, when it is detected that the file to be uploaded does not have a file magic number, whether the file passes or fails the file upload vulnerability detection can be set according to specific business needs.
  • Step S40 if the suffix of the first file is different from the suffix of the second file, it is determined that the file to be uploaded fails the file upload vulnerability detection.
  • If the first file suffix is different from the second file suffix, the server determines that the file to be uploaded fails the file upload vulnerability detection, and after that determination prohibits uploading the file to be uploaded: the file to be uploaded is not stored in the set storage area, and a notification message of upload failure is returned to the financial institution, so that the financial institution is reminded by the notification message that the upload of the file failed.
  • the file detection method further includes:
  • Step i If the suffix of the first file is the same as the suffix of the second file, it is determined that the file to be uploaded passes the file upload vulnerability detection.
  • If the first file suffix is the same as the second file suffix, the server determines that the file to be uploaded passes the file upload vulnerability detection.
  • The server then allows the file to be uploaded, that is, the file to be uploaded is stored in the set storage area.
  • After the server stores the file to be uploaded in the set storage area, the server generates a notification message of successful upload and sends it to the financial institution, so that the financial institution is reminded by the notification message that the file was uploaded successfully.
  • This embodiment uses the double check of the file suffix and the file magic number to prevent file upload vulnerabilities.
  • When the first file suffix of the file to be uploaded is a legal file suffix, the file to be uploaded has a file magic number, and the second file suffix corresponding to the file magic number is different from the first file suffix, it is determined that the file to be uploaded fails the file upload vulnerability detection.
  • Thus the success rate of file upload vulnerability detection is improved, and the security of files on the server is improved.
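The double check of steps S10 to S40, including the suffix whitelist of steps a to c and the file magic number rules of steps d to g, as an added example in Python. This is not code from the patent or from the assignee: the legal suffix array, the magic number rules, the byte offsets and the sample files are constructed for the demonstration, and the rule notation follows the page ("/" separates alternatives, a trailing "+00" marks two hex characters after the target that may hold any value; the offset is kept beside the rule because the page gives no string syntax for it). Where one magic number corresponds to several suffixes, the comparison of step S40 is taken as membership of the first suffix in that set.

```python
"""Double check of file suffix and file magic number (added example).

Follows steps S10-S40 and steps a-c, d-g, h and i of the application.
The whitelist, rules, offsets and sample files below are constructed.
"""
import os
from typing import Optional, Set, Tuple

# Preset file suffix name array (constructed): the legal file suffixes.
LEGAL_SUFFIXES = {"jpg", "jpeg", "png", "gif", "mp4", "txt"}

# Preset file magic number rules (constructed): (byte offset, rule, suffixes).
# One rule may correspond to several suffixes, i.e. a duplicated key.
MAGIC_RULES = [
    (0, "FFD8FFDB/FFD8FFE0/FFD8FFE1+00", {"jpg", "jpeg"}),
    (0, "89504E470D0A1A0A", {"png"}),
    (0, "47494638", {"gif"}),
    (4, "66747970", {"mp4"}),  # "ftyp" at byte offset 4
]


def parse_rule(rule: str) -> Tuple[list, int]:
    """Split 'A/B+00' into the target alternatives and the wildcard length."""
    body, _, tail = rule.partition("+")
    return [alt.upper() for alt in body.split("/")], len(tail)


def rule_length(offset: int, rule: str) -> int:
    """Hex characters the header must provide: offset + target + wildcard."""
    alts, wildcard = parse_rule(rule)
    return 2 * offset + max(len(a) for a in alts) + wildcard


def header_hex(data: bytes, length_chars: int) -> str:
    """Step d: read the start of the file and convert it to upper-case hex."""
    return data[: (length_chars + 1) // 2].hex().upper()


def header_matches(hdr: str, offset: int, rule: str) -> bool:
    """Step e: the header meets the rule when, after the offset, the target
    characters equal one alternative and the wildcard characters are present."""
    alts, wildcard = parse_rule(rule)
    start = 2 * offset
    for alt in alts:
        end = start + len(alt)
        if len(hdr) >= end + wildcard and hdr[start:end] == alt:
            return True
    return False


def suffixes_for_magic(data: bytes) -> Optional[Set[str]]:
    """Steps f/g and S30: the suffixes corresponding to the file magic number,
    or None when the header meets no rule (the file has no magic number)."""
    need = max(rule_length(off, rule) for off, rule, _ in MAGIC_RULES)
    hdr = header_hex(data, need)
    matched: Set[str] = set()
    for off, rule, suffixes in MAGIC_RULES:
        if header_matches(hdr, off, rule):
            matched |= suffixes
    return matched or None


def first_suffix(filename: str) -> str:
    """Step S10: the suffix after the last separator, lower-cased."""
    return os.path.splitext(filename)[1][1:].lower()


def detect_upload(filename: str, data: bytes,
                  no_magic_passes: bool = False) -> Tuple[bool, str]:
    """Return (passed, reason) for one file to be uploaded."""
    first = first_suffix(filename)
    if first not in LEGAL_SUFFIXES:                 # step c
        return False, f"illegal file suffix {first!r}"
    second = suffixes_for_magic(data)               # S20
    if second is None:                              # step h: policy-dependent
        return no_magic_passes, "no file magic number"
    if first not in second:                         # S40: suffixes differ
        return False, f"suffix {first!r} does not match magic number {sorted(second)}"
    return True, "suffix and magic number agree"    # step i


# Constructed sample files: a JFIF-style JPEG header, a PNG signature, an
# MP4 "ftyp" box, and a script renamed to a picture suffix.
JPEG = bytes.fromhex("FFD8FFE0") + b"\x00\x10JFIF\x00"
PNG = bytes.fromhex("89504E470D0A1A0A") + b"\x00" * 8
MP4 = b"\x00\x00\x00\x18ftypisom" + b"\x00" * 8
SCRIPT = b"<?php echo 1; ?>"

if __name__ == "__main__":
    for name, blob in [("photo.jpg", JPEG), ("logo.png", PNG),
                       ("clip.mp4", MP4), ("photo.png", JPEG),
                       ("photo.jpg", SCRIPT), ("page.php", SCRIPT)]:
        print(name, detect_upload(name, blob))
```

`no_magic_passes` exposes the business-policy choice of step h; leaving it `False` treats a file that meets no rule as failed, which is the stricter reading of the page. Because the header is truncated to the longest rule before matching, a file shorter than a rule's required length (for instance four bytes of JPEG marker with nothing after them) is reported as having no magic number rather than matching.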
  • step S10 includes:
  • Step S11 After obtaining the file to be uploaded, obtain the file path and file name of the file to be uploaded
  • After the server obtains the file to be uploaded, the server obtains the file path and file name of the file to be uploaded.
  • Specifically, after the server obtains the file to be uploaded, the server generates a storage directory for the file to be uploaded. The storage directory corresponds to an address that can be read through an API (Application Programming Interface) function, and this address contains the file path corresponding to the file to be uploaded. The file path is expressed in the form of a string.
  • Step S12 if the file path is a legal file path, and the file name is a legal file name, obtain the first file suffix of the file to be uploaded.
  • the server After the server obtains the file path and file name of the file to be uploaded, the server detects whether the file path is a legal file path and whether the file name is a legal file name.
  • Illegal path characters that cannot be included in the file path are preset; for example, the characters "%", "&", "$", "|", "⁇", "?" and "#" are set as illegal path characters. If the server detects that the file path contains an illegal path character, the server determines that the file path is an illegal file path; if the server detects that the file path does not contain any illegal path character, the server determines that the file path is a legal file path.
  • illegal name characters that cannot be contained in the file name are preset. Illegal name characters can be set according to specific needs. Illegal name characters can be set to be consistent with illegal path characters, or illegal name characters can be set to be inconsistent with illegal path characters. If the server detects that the file name contains illegal name characters, the server determines that the file name is illegal file name; if the server detects that the file name does not contain illegal name characters, the server determines that the file name is a legal file name.
  • The server can also obtain the length of the file name plus the file suffix and judge whether that length is less than or equal to a preset length. If it is determined that the length of the file name plus the file suffix is less than or equal to the preset length, the server determines that the file name is a legal file name; if it is greater than the preset length, the server determines that the file name is an illegal file name.
  • the preset length can be set according to specific needs, for example, the preset length can be set to 255 bytes, or set to 356 bytes.
  • If the file path is a legal file path and the file name is a legal file name, the server obtains the first file suffix of the file to be uploaded. Further, if it is determined that the file path is an illegal file path and/or the file name is an illegal file name, the server determines that the file to be uploaded fails the file upload vulnerability detection.
  • The server may also obtain the first file suffix of the file to be uploaded when it only determines that the file path is a legal file path, and determine that the file to be uploaded fails the file upload vulnerability detection when it only determines that the file path is an illegal file path; or obtain the first file suffix when it only determines that the file name is a legal file name, and determine that the file to be uploaded fails the file upload vulnerability detection when it only determines that the file name is an illegal file name.
  • In this embodiment, the file path and file name of the file to be uploaded are obtained, and the first file suffix is obtained only when the file path is a legal file path and the file name is a legal file name. This avoids obtaining the first file suffix, performing the subsequent file magic number detection, and comparing the first file suffix with the second file suffix when the file path is an illegal file path and/or the file name is an illegal file name, which improves the efficiency of file upload vulnerability detection; and determining that the file to be uploaded fails the file upload vulnerability detection when the file path is illegal and/or the file name is illegal improves the success rate of file upload vulnerability detection.
  • step S10 further includes:
  • Step S13 After the file to be uploaded is obtained, it is detected whether the length of the file name of the file to be uploaded is less than or equal to the preset length.
  • Step S14: If the length of the file name is less than or equal to the preset length, obtain the first file suffix of the file to be uploaded.
  • Specifically, the server obtains the file name length of the file to be uploaded and compares it with the preset length, so as to detect whether the file name length is less than or equal to the preset length. If it is detected that the file name length is less than or equal to the preset length, the server obtains the first file suffix of the file to be uploaded; if it is detected that the file name length is greater than the preset length, the server determines that the file to be uploaded fails the file upload vulnerability detection.
  • the preset length can be set according to specific needs, for example, the preset length can be set to 256 characters.
  • In this embodiment, the first file suffix of the file to be uploaded is obtained only when the length of the file name is less than or equal to the preset length. This avoids the situation in which, although the length of the file name is greater than the preset length, the first file suffix and file magic number of the file to be uploaded are still obtained and the first file suffix is still compared with the second file suffix corresponding to the file magic number; it improves the efficiency of detecting whether the file to be uploaded passes the file upload vulnerability detection and improves the success rate of file upload vulnerability detection.
  • Further, the server may combine the file path, file name, and file name length of the file to be uploaded to determine whether to obtain the first file suffix. In that case, the server obtains the first file suffix only when the file path of the file to be uploaded is a legal file path, the file name is a legal file name, and the length of the file name is less than or equal to the preset length; otherwise, the server determines that the file to be uploaded fails the file upload vulnerability detection. That is, when the file path is an illegal file path, the file name is an illegal file name, and/or the length of the file name is greater than the preset length, the server determines that the file to be uploaded fails the file upload vulnerability detection.
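Steps S11 to S14 as an added example in Python; this is not code from the patent. The illegal path characters are taken from the page's example list, the illegal name characters are set equal to them (one of the two options the page allows), and the preset length is 255 bytes, one of the values the page mentions. The length is measured in bytes of the UTF-8 encoding, so a name made of non-ASCII characters reaches the limit in fewer characters than an ASCII one.

```python
"""Legality checks on file path and file name before the suffix is read.

Added example implementing steps S11-S14 of the application; not the
patent's code.  Character sets and the preset length are constructed.
"""
import os
from typing import Optional

ILLEGAL_PATH_CHARS = frozenset("%&$|?#")   # from the page's example list
ILLEGAL_NAME_CHARS = ILLEGAL_PATH_CHARS     # page: may equal the path set
PRESET_LENGTH = 255                         # bytes, one of the page's values


def path_is_legal(path: str) -> bool:
    """Step S12: a path is legal when it contains no illegal path character."""
    return not any(ch in ILLEGAL_PATH_CHARS for ch in path)


def name_is_legal(name: str, preset_length: int = PRESET_LENGTH) -> bool:
    """Steps S12/S13: no illegal name character, and the length of the
    file name plus file suffix is at most preset_length bytes."""
    if any(ch in ILLEGAL_NAME_CHARS for ch in name):
        return False
    return len(name.encode("utf-8")) <= preset_length


def precheck(path: str, name: str,
             preset_length: int = PRESET_LENGTH) -> Optional[str]:
    """Combined S11-S14: return the first file suffix only when the path,
    the name and the name length are all legal.  None means the file fails
    the file upload vulnerability detection before any magic number check."""
    if not path_is_legal(path):
        return None
    if not name_is_legal(name, preset_length):
        return None
    return os.path.splitext(name)[1][1:].lower()


if __name__ == "__main__":
    # Constructed inputs: a normal name, a name with an illegal character,
    # an illegal path, an over-long ASCII name and an over-long non-ASCII name.
    for path, name in [("/srv/uploads/2020", "report.pdf"),
                       ("/srv/uploads/2020", "re#port.pdf"),
                       ("/srv/up$loads", "report.pdf"),
                       ("/srv/uploads/2020", "a" * 252 + ".txt"),
                       ("/srv/uploads/2020", "报告" * 60 + ".txt")]:
        print(repr(name[:16]), precheck(path, name))
```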
  • the server detects whether the file to be uploaded is a compressed file. Specifically, the server may determine whether the file to be uploaded is a compressed file through the file suffix of the file to be uploaded. For example, the suffix of the compressed file is RAR (Roshal ARchive) and ZIP etc. If the server determines that the file to be uploaded is a compressed file based on the file suffix of the file to be uploaded, the server determines whether the compression format corresponding to the file to be uploaded is allowed.
  • If the compression format is allowed, the server detects one by one, according to the file detection method of this application, whether each file in the compressed file to be uploaded passes the file upload vulnerability detection, which improves the accuracy of file upload vulnerability detection for compressed files.
  • the allowed compression format is stored in the server in advance, and the allowed compression format can be set according to specific needs, and there is no specific restriction here.
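Member-by-member checking of a compressed file, as an added Python example that is not the patent's code. The recognised compressed suffixes and the allowed compression formats are constructed, and the per-file check is passed in as a callable so that the server's full file detection can be plugged in; the stand-in used below only whitelists each member's suffix.

```python
"""Checking each file inside a compressed file to be uploaded (added example).

Not code from the patent.  Suffix sets, the allowed-format policy and the
per-member check are constructed; only zip is handled, via the standard
library, since rar is not in the allowed set here.
"""
import io
import os
import zipfile
from typing import Callable, Dict, Optional, Tuple

COMPRESSED_SUFFIXES = {"zip", "rar"}   # suffixes treated as compressed files
ALLOWED_COMPRESSION = {"zip"}          # allowed compression formats (policy)


def compressed_suffix(filename: str) -> Optional[str]:
    """Identify a compressed file by its suffix, as the page does."""
    ext = os.path.splitext(filename)[1][1:].lower()
    return ext if ext in COMPRESSED_SUFFIXES else None


def check_archive(filename: str, data: bytes,
                  check_member: Callable[[str, bytes], bool]) -> Tuple[bool, str]:
    """Return (passed, reason).  Directory entries are skipped; every file
    entry is handed to check_member, and the first failure fails the upload."""
    fmt = compressed_suffix(filename)
    if fmt is None:
        return False, "not a compressed file"
    if fmt not in ALLOWED_COMPRESSION:
        return False, f"compression format {fmt!r} is not allowed"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if not check_member(info.filename, zf.read(info)):
                    return False, f"member {info.filename!r} failed detection"
    except zipfile.BadZipFile:
        return False, "content is not a valid zip archive"
    return True, "all members passed detection"


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Construct an in-memory zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def member_suffix_ok(name: str, content: bytes) -> bool:
    """Stand-in for the full per-file detection: a suffix whitelist only."""
    return os.path.splitext(name)[1][1:].lower() in {"txt", "png", "jpg"}


# Constructed archives: one with only whitelisted members (plus a directory
# entry) and one that carries a script among them.
CLEAN_ZIP = build_zip({"docs/": b"", "docs/a.txt": b"hello", "img/b.png": b"\x89PNG"})
MIXED_ZIP = build_zip({"docs/a.txt": b"hello", "img/page.php": b"<?php"})

if __name__ == "__main__":
    print(check_archive("pack.zip", CLEAN_ZIP, member_suffix_ok))
    print(check_archive("pack.zip", MIXED_ZIP, member_suffix_ok))
    print(check_archive("pack.rar", CLEAN_ZIP, member_suffix_ok))
    print(check_archive("pack.zip", b"not an archive", member_suffix_ok))
```

The archive is rejected as a whole on the first failing member, which matches the page's "check one by one" reading; an archive whose suffix says zip but whose bytes are not a zip is also rejected instead of being passed through unexamined.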
  • the file detection method further includes:
  • Step j: If it is detected that the file to be uploaded does not have a file magic number, obtain a preset class function.
  • Step k: If the object corresponding to the file to be uploaded is not generated through the class function, it is determined that the file to be uploaded fails the file upload vulnerability detection.
  • If the server detects that the file to be uploaded does not have a file magic number, the server obtains a preset class function and executes the file to be uploaded in the class function to obtain an execution result.
  • The class functions can be written by developers in languages such as Java or C++ and stored in the server in advance.
  • If the execution result is the object corresponding to the file to be uploaded, that is, the class function generates the object corresponding to the file to be uploaded, the server determines that the file to be uploaded passes the file upload vulnerability detection; if the execution result is not the object corresponding to the file to be uploaded, that is, the class function does not generate the object corresponding to the file to be uploaded, the server determines that the file to be uploaded fails the file upload vulnerability detection.
  • the server compares the file format of the file to be uploaded with the preset format blacklist. If the file format of the file to be uploaded is the same as the file format in the preset format blacklist, the server determines that the file to be uploaded fails the file upload vulnerability detection; if the file format of the file to be uploaded is different from the file format in the preset format blacklist , The server determines that the file to be uploaded passes the file upload vulnerability detection.
  • The file format indicates which format the file is in, such as a PNG file or a TXT file.
  • the preset format blacklist is pre-stored by the server.
  • In this embodiment, when the file to be uploaded has no file magic number, the preset class function is obtained, and if the object corresponding to the file to be uploaded is not generated through the class function, it is determined that the file to be uploaded fails the file upload vulnerability detection, which further improves the success rate of file upload vulnerability detection.
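Steps j and k together with the format blacklist, as an added Python example that is not the patent's code. The class functions (for txt, json and csv) and the blacklist are constructed: each class function tries to build the object that the claimed format describes and raises if it cannot, which is the "no object generated" outcome of step k.

```python
"""Fallback for files without a file magic number: the class function.

Added example for steps j-k and the format blacklist of the application;
not code from the patent.  Class functions and blacklist are constructed.
"""
import csv
import io
import json
from typing import Any, Callable, Dict, Tuple

FORMAT_BLACKLIST = {"php", "jsp", "asp", "aspx", "exe", "sh"}  # constructed


def make_text(data: bytes) -> str:
    """Object for a TXT file: strictly decoded UTF-8 text without NUL bytes."""
    text = data.decode("utf-8")          # UnicodeDecodeError on invalid bytes
    if "\x00" in text:
        raise ValueError("NUL byte in text file")
    return text


def make_json(data: bytes) -> Any:
    """Object for a JSON file: the parsed document."""
    return json.loads(make_text(data))


def make_csv(data: bytes) -> list:
    """Object for a CSV file: rows that all have the same number of columns."""
    rows = list(csv.reader(io.StringIO(make_text(data))))
    if not rows or len({len(row) for row in rows}) != 1:
        raise ValueError("empty file or inconsistent column count")
    return rows


CLASS_FUNCTIONS: Dict[str, Callable[[bytes], Any]] = {
    "txt": make_text, "json": make_json, "csv": make_csv,
}


def check_without_magic(suffix: str, data: bytes) -> Tuple[bool, str]:
    """Steps j-k plus the blacklist, for a file whose header met no magic
    number rule.  Return (passed, reason)."""
    suffix = suffix.lower()
    if suffix in FORMAT_BLACKLIST:                      # preset format blacklist
        return False, f"format {suffix!r} is blacklisted"
    class_function = CLASS_FUNCTIONS.get(suffix)        # step j
    if class_function is None:
        return False, f"no class function for format {suffix!r}"
    try:
        obj = class_function(data)
    except ValueError as exc:                           # step k: no object produced
        return False, f"class function produced no object: {exc}"
    return True, f"class function produced a {type(obj).__name__}"


if __name__ == "__main__":
    # Constructed inputs: valid text, bytes that are not UTF-8, valid and
    # broken JSON, a ragged CSV and a blacklisted format.
    for suffix, blob in [("txt", b"hello\n"), ("txt", b"\xff\xfe\x00\x00"),
                         ("json", b'{"a": 1}'), ("json", b"{a: 1}"),
                         ("csv", b"a,b\n1\n"), ("php", b"<?php")]:
        print(suffix, check_without_magic(suffix, blob))
```

`UnicodeDecodeError` and `json.JSONDecodeError` are both subclasses of `ValueError`, so one `except` covers every way a class function can fail to produce its object. A class function confirms only that the content is a well-formed instance of the claimed format; what a well-formed text file says is outside this step, which is why the page keeps the blacklist and the magic number check beside it.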
  • Further, the file detection method of this application can be written into an SDK (Software Development Kit) through object-oriented programming, and the SDK is output as a generated library to other vulnerability prevention terminals for use.
  • the programming language corresponding to the object-oriented programming mode is not limited.
  • The present application also provides a file detection device. The file detection device includes: the acquisition module 10, configured to obtain the first file suffix of the file to be uploaded after obtaining the file to be uploaded;
  • the detection module 20 is configured to detect whether the file to be uploaded has a file magic number if the first file suffix is a legal file suffix;
  • the obtaining module 10 is further configured to obtain a second file suffix corresponding to the file magic number if there is a file magic number in the file to be uploaded;
  • the determining module 30 is configured to determine that the file to be uploaded fails the file upload vulnerability detection if the suffix of the first file is different from the suffix of the second file.
  • the obtaining module 10 is also configured to obtain the file path and file name of the file to be uploaded after the file to be uploaded is obtained, and, if the file path is a legal file path and the file name is a legal file name, to obtain the first file suffix of the file to be uploaded.
  • the acquisition module 10 includes:
  • the first detection unit is configured to detect whether the file name length of the file to be uploaded is less than or equal to a preset length after the file to be uploaded is obtained;
  • the obtaining unit is configured to obtain the first file suffix of the file to be uploaded if the length of the file name is less than or equal to the preset length.
  • the detection module 20 includes:
  • a reading unit configured to read the file header of the file to be uploaded if the first file suffix is a legal file suffix;
  • the second detection unit is configured to detect whether the file header complies with a preset file magic number rule;
  • the determining unit is configured to, if it is detected that the file header meets the file magic number rule, determine that the file to be uploaded has a file magic number, and, if it is detected that the file header does not meet the file magic number rule, determine that there is no file magic number in the file to be uploaded.
  • the obtaining module 10 is further configured to obtain a preset class function if it is detected that the file magic number does not exist in the file to be uploaded;
  • the determining module 30 is further configured to, if the object corresponding to the file to be uploaded is not generated through the class function, determine that the file to be uploaded fails the file upload vulnerability detection.
  • the file detection device further includes:
  • the judging module is used to judge whether the first file suffix exists in the preset file suffix name array
  • the determining module 30 is further configured to determine that the first file suffix is a legal file suffix if the first file suffix exists in the file suffix name array.
  • the determining module 30 is also configured to determine that the first file suffix is an illegal file suffix if the first file suffix does not exist in the file suffix name array, and, after determining that the first file suffix is an illegal file suffix, to determine that the file to be uploaded fails the file upload vulnerability detection.
  • the determining module 30 is further configured to determine that the file to be uploaded fails the file upload vulnerability detection if it is detected that the file magic number does not exist in the file to be uploaded.
  • the determining module 30 is further configured to determine that the file to be uploaded passes the file upload vulnerability detection if the suffix of the first file is the same as the suffix of the second file.
  • FIG. 5 is a schematic structural diagram of the hardware operating environment involved in the solution of the embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of the hardware operating environment of the file detection device.
  • the file detection device in this application embodiment may be a terminal device such as a PC and a portable computer.
  • the file detection device may include: a processor 1001, such as a CPU, a memory 1005, a user interface 1003, a network interface 1004, and a communication bus 1002.
  • the communication bus 1002 is used to implement connection and communication between these components.
  • the user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface and a wireless interface.
  • the network interface 1004 can optionally include a standard wired interface and a wireless interface (such as a WI-FI interface).
  • the memory 1005 can be a high-speed RAM memory, or a stable memory (non-volatile
  • the memory 1005 may also be a storage device independent of the aforementioned processor 1001.
  • the file detection device may also include a camera, RF (Radio Frequency) circuits, sensors, audio circuits, WiFi modules, etc.
  • FIG. 5 does not constitute a limitation on the file detection device, which may include more or fewer components than shown in the figure, combine certain components, or arrange the components differently.
  • the memory 1005, which is a computer storage medium, may include an operating system, a network communication module, a user interface module, and a file detection program.
  • the operating system is a program that manages and controls the hardware and software resources of the file detection device, and supports the operation of the file detection program and other software or programs.
  • the user interface 1003 is mainly used to connect to the client (user side)
  • the network interface 1004 is mainly used to connect to the background server and perform data communication with it; the processor 1001 can be used to call the file detection program stored in the memory 1005 and execute the steps of the file detection method described above.
  • an embodiment of the present application also proposes a computer-readable storage medium having a file detection program stored on it; when the file detection program is executed by a processor, the steps of the file detection method described above are implemented.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A file detection method, apparatus and device, and a computer-readable storage medium. Said method comprises the steps of: upon acquisition of a file to be uploaded, acquiring a first file suffix of said file (S10); if the first file suffix is a valid file suffix, detecting whether there is a file magic number in said file (S20); if there is a file magic number in said file, acquiring a second file suffix corresponding to the file magic number (S30); if the first file suffix is different from the second file suffix, determining that said file fails to pass the file uploading vulnerability detection (S40). Said method defends against file uploading vulnerability by means of a double verification of the file suffix and the file magic number, improving the success rate of file uploading vulnerability detection, and improving the security of files in a server.

Description

File detection method, device, equipment and computer-readable storage medium
[0001] This application claims priority to the Chinese patent application No. 201910315457.4, filed with the Chinese Patent Office on April 18, 2019 and entitled "File detection method, device, equipment and computer-readable storage medium", the entire contents of which are incorporated herein by reference.
Technical field
[0002] This application relates to the technical field of information security in financial technology, and in particular to a file detection method, device, equipment and computer-readable storage medium.
Background art
[0003] With the continuous development of financial technology (Fintech), and of Internet finance in particular, financial institutions (such as banks) upload more and more files to servers for storage, and financial institutions have high requirements for the security of the files they upload to a server. Therefore, when a financial institution uploads files to a server, file upload vulnerabilities must be avoided in order to protect the security of the files stored on the server. A file upload vulnerability means that, because the programmer has insufficient control over, or defects in the handling of, the user file upload part, a user can exceed his own authority and upload executable dynamic script files to the server. The uploaded file may be a Trojan horse, a virus, a malicious script, a WebShell or the like, and this attack method is the most direct and effective one. "File upload" itself is not the problem; the problem is how the server processes and interprets the file after it has been uploaded. If the server's processing logic is not secure enough, serious consequences follow.
[0004] A file upload vulnerability is in itself extremely harmful, and a WebShell expands the exploitation of such a vulnerability without limit. After most upload vulnerabilities are exploited, the attacker leaves a WebShell behind to facilitate subsequent entry into the system. Once the attacker has placed or inserted a WebShell on the affected system, he can use it to do whatever he wants in the service more easily and more covertly. Therefore, how to improve the success rate of file upload vulnerability detection is a problem that urgently needs to be solved.
Summary of the invention
Technical problem
Solution to the problem
Technical solution
[0005] The main purpose of this application is to provide a file detection method, device, equipment and computer-readable storage medium, aiming to solve the technical problem of how to improve the success rate of file upload vulnerability detection.
[0006] To achieve the above object, the present application provides a file detection method, which includes the following steps:
[0007] after the file to be uploaded is obtained, obtaining a first file suffix of the file to be uploaded;
[0008] if the first file suffix is a legal file suffix, detecting whether the file to be uploaded has a file magic number;
[0009] if the file to be uploaded has a file magic number, obtaining a second file suffix corresponding to the file magic number;
[0010] if the first file suffix is different from the second file suffix, determining that the file to be uploaded fails the file upload vulnerability detection.
[0011] In addition, to achieve the above object, the present application also provides a file detection device, which includes:
[0012] an obtaining module, configured to obtain a first file suffix of the file to be uploaded after the file to be uploaded is obtained;
[0013] a detection module, configured to detect whether the file to be uploaded has a file magic number if the first file suffix is a legal file suffix;
[0014] the obtaining module being further configured to obtain a second file suffix corresponding to the file magic number if the file to be uploaded has a file magic number;
[0015] a determining module, configured to determine that the file to be uploaded fails the file upload vulnerability detection if the first file suffix is different from the second file suffix.
[0016] In addition, to achieve the above object, the present application also provides file detection equipment, which includes a memory, a processor, and a file detection program stored in the memory and runnable on the processor; when the file detection program is executed by the processor, the steps of the file detection method described above are implemented.
[0017] In addition, to achieve the above object, the present application also provides a computer-readable storage medium on which a file detection program is stored; when the file detection program is executed by a processor, the steps of the file detection method described above are implemented.
[0018] This application defends against file upload vulnerabilities by a double check of the file suffix and the file magic number: when it is determined that the first file suffix of the file to be uploaded is a legal file suffix, that the file to be uploaded has a file magic number, and that the second file suffix corresponding to the file magic number differs from the first file suffix, it is determined that the file to be uploaded fails the file upload vulnerability detection. This improves the success rate of file upload vulnerability detection and the security of the files on the server.
Beneficial effects of the invention
Brief description of the drawings
Description of the drawings
[0019] FIG. 1 is a schematic flowchart of a preferred embodiment of the file detection method of the present application;
[0020] FIG. 2 is a schematic flowchart of one process, in an embodiment of the present application, of obtaining the first file suffix of the file to be uploaded after the file to be uploaded is obtained;
[0021] FIG. 3 is a schematic flowchart of another process, in an embodiment of the present application, of obtaining the first file suffix of the file to be uploaded after the file to be uploaded is obtained;
[0022] FIG. 4 is a functional module diagram of a preferred embodiment of the file detection device of the present application;
[0023] FIG. 5 is a schematic structural diagram of the hardware operating environment involved in the solution of an embodiment of the present application.
[0024] The realization of the objects, the functional features and the advantages of the present application will be further described with reference to the embodiments and the accompanying drawings.
Embodiments of the invention
Modes for carrying out the invention
[0025] It should be understood that the specific embodiments described here are only intended to explain the present application and are not intended to limit it.
[0026] The present application provides a file detection method. Referring to FIG. 1, FIG. 1 is a schematic flowchart of a preferred embodiment of the file detection method of the present application.
[0027] The embodiments of the present application provide embodiments of the file detection method. It should be noted that although a logical order is shown in the flowchart, in some cases the steps shown or described may be executed in an order different from the one given here.
[0028] The file detection method is applied in file detection equipment, a server or a terminal. The terminal may include mobile terminals such as a mobile phone, a tablet computer, a notebook computer, a handheld computer and a personal digital assistant (PDA), as well as fixed terminals such as a digital TV and a desktop computer. In the embodiments of the file detection method, for ease of description, each embodiment is explained with the server as the executing subject. The file detection method includes:
[0029] Step S10: after the file to be uploaded is obtained, obtaining a first file suffix of the file to be uploaded.
[0030] A financial institution uploads its files to the server in real time or at scheduled times. In the embodiments of the present application, a file that the financial institution needs to upload to the server is called the file to be uploaded. After the server obtains the file to be uploaded from the financial institution, the server obtains the file suffix of the file to be uploaded and records it as the first file suffix. The file to be uploaded may be sent by a client that has established a communication connection with the server. A file suffix, also called a file extension, is a mechanism the operating system uses to mark the file type. Generally, an extension follows the main file name and is separated from it by a separator; in a file name such as "readme.txt", "readme" is the main file name and "txt" is the extension (short for Text), indicating that the file is treated as a plain text file. The extension can be regarded as a kind of type metadata. It can be understood that the server can obtain the first file suffix of the file to be uploaded by parsing the file name.
[0031] It should be noted that in the embodiments of the present application, to ensure the security of the file to be uploaded, one or more of the following operations may be performed. ① The file to be uploaded should not be stored on the web (World Wide Web) server, since files on the web server can easily be accessed at will by malicious users through illegal URLs (Uniform Resource Locators); ② the directory for the files to be uploaded should not be granted execution permission; ③ the file to be uploaded should be uploaded through CSRF (Cross-site request forgery) defenses; ④ the case where files whose names produce the same hash value overwrite one another should be restricted, to prevent a malicious user from uploading an illegal file with the same hash value as a legal file; ⑤ operation logs of the login, password-change and other operations of the user corresponding to the file to be uploaded should be generated; ⑥ if the file to be uploaded is a compressed file, the type of each file inside the compressed file must be checked one by one, to avoid illegal files inside the compressed file.
[0032] Further, the file detection method also includes:
[0033] Step a: determining whether the first file suffix exists in a preset file suffix name array.
[0034] Step b: if the first file suffix exists in the file suffix name array, determining that the first file suffix is a legal file suffix.
[0035] Further, after the server obtains the first file suffix, the server obtains the preset file suffix name array and determines whether the first file suffix exists in it. The file suffix name array stores the file suffixes the server can accept, that is, the file suffixes in the file suffix name array are legal file suffixes. It should be noted that after the server obtains the file to be uploaded, it initializes the program to obtain the file suffix name array. If it is determined that the first file suffix exists in the file suffix name array, the server determines that the first file suffix is a legal file suffix. For example, the file suffix name array may contain file suffixes such as MPEG (Motion Picture Experts Group), AVI (Audio Video Interleaved), ASF (Advanced Streaming Format), BMP (Bitmap), TIF (Tag Image File Format), GIF (Graphics Interchange Format) and JPEG (Joint Photographic Expert Group). If the server determines that the first file suffix is GIF, the server determines that the first file suffix is a legal file suffix.
[0036] Further, the file detection method also includes:
[0037] Step c: if the first file suffix does not exist in the file suffix name array, determining that the first file suffix is an illegal file suffix, and, after determining that the first file suffix is an illegal file suffix, determining that the file to be uploaded fails the file upload vulnerability detection.
[0038] If it is determined that the first file suffix does not exist in the file suffix name array, the server determines that the first file suffix is an illegal file suffix. After the server determines that the first file suffix is an illegal file suffix, the server determines that the file to be uploaded fails the file upload vulnerability detection.
[0039] Step S20: if the first file suffix is a legal file suffix, detecting whether the file to be uploaded has a file magic number.
[0040] If the server determines that the first file suffix is a legal file suffix, the server detects whether the file to be uploaded has a file magic number. A file magic number (File Magic Number) is metadata that distinguishes the file type: a "magic number" stored in the file itself. It should also be noted that not all file types have a file magic number; some file types may have none, for example files in the txt format have no file magic number, so the server needs to detect whether the file to be uploaded has a file magic number.
[0041] Further, step S20 includes:
[0042] Step d: if the first file suffix is a legal file suffix, reading the file header of the file to be uploaded.
[0043] Further, the process by which the server detects whether the file to be uploaded has a file magic number is as follows: if the first file suffix is determined to be a legal file suffix, the file header of the file to be uploaded is read. Specifically, the server may obtain the file header information of the file to be uploaded through the file path, so as to obtain the file header. The file header is a segment of data at the beginning of the file that carries a certain task, and is generally located in the opening part. When the file header of the file to be uploaded has been read, it is compared with the preset file magic number rule to obtain a comparison result. Specifically, when reading the file header of the file to be uploaded, the server may read a specific number of characters of the file header, for example the first 8 characters of the file header, or the first 20 characters, etc.
[0044] It should be noted that the file magic number rules are preset. Different types of files have different file magic numbers; one file magic number may correspond to multiple file formats, and different file magic numbers may correspond to the same file format. For example, video and picture files correspond to different file magic numbers, but one file magic number may correspond to several picture file formats. If a key represents a file magic number and a value represents the corresponding file format, then, since the file magic numbers of different file formats may be the same, keys may be duplicated. For example, the file formats corresponding to file magic number A may be PNG (Portable Network Graphics) and JPEG. It can be understood that the file magic number array corresponding to the file magic numbers is an array that stores duplicate keys, and the file magic number array is the array corresponding to the stored file magic number rules.
[0045] Specifically, the server may first determine the target characters of the file magic number corresponding to each file format, and then set the file magic number rule according to the position of the target characters in the file header. For example, if for a picture file the first 8 characters of the file header can be used to determine whether the file is a picture, then those 8 characters are the target characters of the file magic number; when setting the file magic number rule corresponding to the picture file, the first 8 positions are set to the target characters of the picture file's magic number, and some characters may be appended afterwards, which may be arbitrary characters, that is, the length of the file magic number rule corresponding to the picture file is at least 8 characters. If for a video file the 5th to 10th characters of the file header are the target characters of the file magic number, it can be determined that the file magic number offset of the video file is 4, that is, the 1st to 4th characters of the file header are the offset of the file magic number; in this case the length of the file magic number rule corresponding to the video file is also at least 10 characters. Therefore, when reading the file header of the file to be uploaded, the number of characters read is determined by the length of the file magic number rule, that is, the number of characters read from the file header must be greater than or equal to the length of the file magic number rule, and the length of the file magic number rule is greater than or equal to the sum of the offset and the target characters. It can be understood that not all files have an offset.
[0046] Further, if the file header read by the server is binary, the server may convert the read file header into hexadecimal. However, to obtain the comparison result efficiently, the data format of the file magic number rule must be the same as the data format of the read file header; that is, if the characters of the file magic number rule are hexadecimal, the server must also convert the read file header from binary to hexadecimal.
[0047] Step e: detecting whether the file header complies with the preset file magic number rule.
[0048] Step f: if it is detected that the file header complies with the file magic number rule, determining that the file to be uploaded has a file magic number.
[0049] Step g: if it is detected that the file header does not comply with the file magic number rule, determining that the file to be uploaded has no file magic number.
[0050] After the server reads the file header of the file to be uploaded, the server detects whether the file header complies with the preset file magic number rule. If the file header is detected to comply with the file magic number rule, the server determines that the file to be uploaded has a file magic number; if the file header is detected not to comply with the rule, the server determines that the file to be uploaded has no file magic number. For example, when the file magic number rule for picture files is FFD8FFDB/FFD8FFE0/FFD8FFE1+00, this indicates that the server must read at least 10 characters; FFD8FFDB, FFD8FFE0 and FFD8FFE1 are the target characters corresponding to the picture file, and "00" indicates that the two characters after the target characters may be arbitrary. If the first 8 characters are one of FFD8FFDB, FFD8FFE0 and FFD8FFE1, it is determined that the file to be uploaded has a file magic number.
[0051] Step S30: If the file to be uploaded has a file magic number, obtain the second file suffix corresponding to the file magic number.
[0052] If it is determined that the file to be uploaded has a file magic number, the server obtains the file suffix corresponding to that magic number and records it as the second file suffix. A file magic number identifies the format of a file or protocol, so the corresponding file suffix can be determined from it; that is, there is a correspondence between file magic numbers and file suffixes. Once the server has obtained the second file suffix corresponding to the file magic number, it judges whether the first file suffix and the second file suffix are the same.
[0053] Further, the file detection method also includes:
[0054] Step h: If it is detected that the file to be uploaded has no file magic number, determine that the file to be uploaded has failed the file upload vulnerability detection.
[0055] Further, if it is detected that the file to be uploaded has no file magic number, the server determines that the file has failed the file upload vulnerability detection, and having so determined, refuses to upload it.
[0056] Alternatively, if it is detected that the file to be uploaded has no file magic number, the server may determine that the file passes the file upload vulnerability detection. Note that whether a file without a file magic number is treated as passing or failing the detection can be configured according to specific business needs.
[0057] Step S40: If the first file suffix differs from the second file suffix, determine that the file to be uploaded has failed the file upload vulnerability detection.
[0058] If the first file suffix is determined to differ from the second file suffix, the server determines that the file to be uploaded has failed the file upload vulnerability detection and, having so determined, refuses the upload: it does not store the file in the designated storage area, and it returns an upload-failure notification to the financial institution so that the institution is alerted that the upload failed.
[0059] Further, the file detection method also includes:
[0060] Step i: If the first file suffix is the same as the second file suffix, determine that the file to be uploaded passes the file upload vulnerability detection.
[0061] Further, if the first file suffix is determined to be the same as the second file suffix, the server determines that the file to be uploaded passes the file upload vulnerability detection. It then allows the upload, i.e. stores the file in the designated storage area, and after storing it generates an upload-success notification to the financial institution so that the institution is informed that the upload succeeded.
[0062] This embodiment defends against file upload vulnerabilities by a double check of file suffix and file magic number: when the first file suffix of the file to be uploaded is a legal file suffix, the file has a file magic number, and the second file suffix corresponding to that magic number differs from the first file suffix, the file is determined to have failed the file upload vulnerability detection. This raises the success rate of file upload vulnerability detection and improves the security of files on the server.
[0063] Further, a second embodiment of the file detection method of the present application is proposed.
[0064] The second embodiment of the file detection method differs from the first in that, referring to FIG. 2, step S10 includes:
[0065] Step S11: After the file to be uploaded is obtained, obtain its file path and file name.
[0066] After the server obtains the file to be uploaded, it obtains the file's path and name. Note that after obtaining the file, the server generates a storage directory for it; this directory corresponds to an address that can be read with an API (Application Programming Interface) function, and the address contains the file path corresponding to the file to be uploaded. The file path is represented as a string.
[0067] Step S12: If the file path is a legal file path and the file name is a legal file name, obtain the first file suffix of the file to be uploaded.
[0068] After the server obtains the file path and file name of the file to be uploaded, it checks whether the path is a legal file path and whether the name is a legal file name. The server is preconfigured with illegal path characters that a file path must not contain; for example, the characters "%", "&", "$", "|", "\", "?", "#" and the space character may be set as illegal path characters. If the server detects that the file path contains an illegal path character, it determines that the file path is an illegal file path; if it detects none, it determines that the file path is a legal file path.
[0069] The server is likewise preconfigured with illegal name characters that a file name must not contain. These may be set as needed, and may be the same as or different from the illegal path characters. If the server detects that the file name contains an illegal name character, it determines that the file name is an illegal file name; if it detects none, it determines that the file name is a legal file name.

[0070] Further, to raise the success rate of file upload vulnerability detection, when the server finds no illegal name character in the file name it may obtain the length of the file name plus the file suffix and judge whether that length is less than or equal to a preset length. If it is, the server determines that the file name is a legal file name; if it is greater than the preset length, the server determines that the file name is an illegal file name. The preset length may be set as needed, for example 255 bytes or 356 bytes.
[0071] If the file path is determined to be a legal file path and the file name a legal file name, the server obtains the first file suffix of the file to be uploaded. Further, if the file path is determined to be an illegal file path and/or the file name an illegal file name, the server determines that the file to be uploaded has failed the file upload vulnerability detection.
[0072] Note that in the embodiments of this application the server may also obtain the first file suffix of the file to be uploaded upon determining only that the file path is legal, and determine that the file has failed the detection upon determining only that the file path is illegal; or it may obtain the first file suffix upon determining only that the file name is legal, and determine that the file has failed the detection upon determining only that the file name is illegal.
[0073] In this embodiment, after the file to be uploaded is obtained, its file path and file name are obtained, and the first file suffix is obtained only when the file path is a legal file path and the file name is a legal file name. This avoids obtaining the first file suffix and then running the subsequent file magic number detection and the comparison of the first and second file suffixes when the file path and/or file name is illegal, which improves the efficiency of file upload vulnerability detection; and determining that a file with an illegal file path and/or an illegal file name has failed the detection raises the success rate of file upload vulnerability detection.
[0074] Further, a third embodiment of the file detection method of the present application is proposed.
[0075] The third embodiment of the file detection method differs from the first or second embodiment in that, referring to FIG. 3, step S10 further includes:
[0076] Step S13: After the file to be uploaded is obtained, detect whether its file name length is less than or equal to a preset length.
[0077] Step S14: If the file name length is less than or equal to the preset length, obtain the first file suffix of the file to be uploaded.
[0078] After the server obtains the file to be uploaded, it obtains the file name length and compares it with the preset length to detect whether the file name length is less than or equal to the preset length. If it is, the server obtains the first file suffix of the file to be uploaded; if the file name length is greater than the preset length, the server determines that the file has failed the file upload vulnerability detection. The preset length may be set as needed, for example 256 characters.
[0079] In this embodiment, after the file to be uploaded is obtained, the first file suffix is obtained only if the file name length is detected to be less than or equal to the preset length. This avoids obtaining the first file suffix and the file magic number of a file whose name exceeds the preset length and then comparing the first file suffix with the second file suffix corresponding to the magic number, which improves the efficiency of detecting whether the file passes the file upload vulnerability detection and raises the detection success rate.
[0080] Note that in other embodiments of the present application the server may combine the file path, file name and file name length of the file to be uploaded to decide whether to obtain its first file suffix. In that case the server obtains the first file suffix only when the file path is a legal file path, the file name is a legal file name and the file name length is less than or equal to the preset length; otherwise, i.e. when the file path is illegal, the file name is illegal and/or the file name length is greater than the preset length, the server determines that the file to be uploaded has failed the file upload vulnerability detection.
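Steps S11 to S14 and the combined check of paragraph [0080], as an added Python example; this is not code from the application, which discloses no implementation. The illegal character set is the one listed above, read as "%", "&", "$", the pipe character "|", "\", "?", "#" and a space. Two additions that are not on the page are labelled as such in the code: a ".." path segment is rejected and "/" is banned in names, because the listed characters alone do not stop directory traversal. The length is measured in UTF-8 bytes as in paragraph [0070]; a name with multibyte characters is longer in bytes than in characters, so the byte measure is the stricter of the two limits the text gives. Sample paths and names are constructed.

```python
# Illegal path characters from the text ("|" read as the pipe character,
# the last entry as a space).  "%" also catches URL-encoded forms such as
# "%2e%2e" before any later decoding step.
ILLEGAL_PATH_CHARS = set('%&$|\\?# ')
# The text allows a different set for names; banning "/" in a name is an
# assumption added here so a name cannot smuggle in a path component.
ILLEGAL_NAME_CHARS = ILLEGAL_PATH_CHARS | {"/"}
MAX_NAME_BYTES = 255   # preset length; the text gives 255 or 356 bytes as examples


def is_legal_path(path):
    """Step S12, path part: no illegal path characters.  The ".." segment
    check is an assumed addition, not part of the page's character list."""
    if any(c in ILLEGAL_PATH_CHARS for c in path):
        return False
    return ".." not in path.split("/")


def is_legal_name(name):
    """Steps S12/S13, name part: no illegal name characters, and the name
    including its suffix is at most MAX_NAME_BYTES when UTF-8 encoded."""
    if not name or name in (".", ".."):
        return False
    if any(c in ILLEGAL_NAME_CHARS for c in name):
        return False
    return len(name.encode("utf-8")) <= MAX_NAME_BYTES


def first_suffix(name):
    """The first file suffix: everything after the last dot, lower-cased."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def pre_check(path, name):
    """Paragraph [0080]: hand back the first suffix only when path and name
    are both legal; otherwise the reason the upload fails the detection."""
    if not is_legal_path(path):
        return None, "illegal file path"
    if not is_legal_name(name):
        return None, "illegal file name"
    return first_suffix(name), "ok"


# Constructed sample inputs
SAMPLES = [
    ("uploads/2020/03", "report.pdf"),            # legal
    ("uploads/..\\etc", "a.jpg"),                 # backslash in path
    ("uploads/../etc", "a.jpg"),                  # traversal segment (added check)
    ("uploads", "shell.php?x=1"),                 # "?" in name
    ("uploads", "a" * 252 + ".jpg"),              # 256 bytes, over the limit
    ("uploads", "\u62a5\u544a.jpg"),              # two CJK characters = 6 bytes
]

if __name__ == "__main__":
    for path, name in SAMPLES:
        print(repr(path), repr(name[:20]), pre_check(path, name))
```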
[0081] Further, after the server obtains the file to be uploaded, it detects whether the file is a compressed file. Specifically, the server may determine this from the file suffix; compressed files have suffixes such as RAR (Roshal ARchive) and ZIP. If the server determines from the file suffix that the file to be uploaded is a compressed file, it judges whether the corresponding compression format is allowed. If the compression format is allowed, the server checks each file inside the compressed file, one by one, with the file detection method of this application, which raises the accuracy of file upload vulnerability detection for compressed files. The allowed compression formats are stored on the server in advance and may be set as needed; no specific restriction is made here.
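The double check of steps d to g and S30 to S40 above, together with the per-member scan of compressed files in paragraph [0081], as one added Python example. It is not code from the application, which does not disclose an implementation. The rule table, the "N:" offset prefix in the rule syntax (the text mentions offsets but gives no syntax for them) and the decompressed-size cap are assumptions; only ZIP archives are handled, since Python's standard library has no RAR reader. The example reproduces the 10-character read the JPEG rule implies, shows a rule with an offset, the suffix-mismatch case, and the configurable treatment of files without a magic number; all sample inputs are constructed. One caveat the text does not state: the check rejects a script whose suffix was changed, but a file that begins with a valid image header and carries script code after it still passes, so the check complements, rather than replaces, never executing uploaded files by suffix.

```python
import io
import zipfile

# Suffix -> file magic number rule in the syntax the text uses: alternatives
# separated by "/", "+00" = two trailing hex characters (one byte) that may be
# anything.  The "N:" byte-offset prefix is an assumed extension of that syntax.
MAGIC_RULES = {
    "jpg": "FFD8FFDB/FFD8FFE0/FFD8FFE1+00",
    "png": "89504E470D0A1A0A",
    "zip": "504B0304",
    "mp4": "4:66747970",    # "ftyp" box type at byte offset 4
}
ALLOWED_SUFFIXES = set(MAGIC_RULES)   # the preset file suffix name array
ALLOWED_ARCHIVES = {"zip"}            # preset allowed compression formats
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # decompressed-size cap, an added safeguard


def parse_rule(rule):
    """Return (byte offset, target byte strings, number of wildcard hex chars)."""
    offset, wildcard = 0, 0
    if ":" in rule:
        off, rule = rule.split(":", 1)
        offset = int(off)
    if "+" in rule:
        rule, tail = rule.split("+", 1)
        wildcard = len(tail)
    return offset, [bytes.fromhex(alt) for alt in rule.split("/")], wildcard


def header_length(rule):
    """Bytes the server must read: offset + longest target + wildcard bytes."""
    offset, targets, wildcard = parse_rule(rule)
    return offset + max(len(t) for t in targets) + (wildcard + 1) // 2


def header_matches(rule, head):
    """Step e.  A file too short to hold offset + target + wildcards cannot comply."""
    offset, targets, _ = parse_rule(rule)
    if len(head) < header_length(rule):
        return False
    return any(head[offset:].startswith(t) for t in targets)


def second_suffix(head):
    """Steps f/g and S30: the suffix implied by the magic number, or None."""
    for suffix, rule in MAGIC_RULES.items():
        if header_matches(rule, head):
            return suffix
    return None


def first_suffix(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def check_file(name, head, no_magic_passes=False):
    """Steps S10-S40 for one file; `head` is the start of its content."""
    first = first_suffix(name)
    if first not in ALLOWED_SUFFIXES:
        return False, "illegal suffix"
    second = second_suffix(head)
    if second is None:              # step h, or the configurable alternative
        return no_magic_passes, "no file magic number"
    if first != second:             # step S40
        return False, f"suffix .{first} but magic number says .{second}"
    return True, "ok"               # step i


def check_upload(name, data):
    """The file itself, then every member of an allowed archive (paragraph [0081])."""
    passed, reason = check_file(name, data)
    if not passed:
        return passed, reason
    if first_suffix(name) in ALLOWED_ARCHIVES:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        return False, f"{info.filename}: too large when decompressed"
                    with zf.open(info) as member:
                        head = member.read(16)   # only the header is needed
                    passed, reason = check_file(info.filename, head)
                    if not passed:
                        return False, f"{info.filename}: {reason}"
        except zipfile.BadZipFile:
            return False, "corrupt archive"
    return True, "ok"


# Constructed sample inputs
JPEG_HEAD = bytes.fromhex("FFD8FFE000104A464946")              # JFIF
PNG_HEAD = bytes.fromhex("89504E470D0A1A0A0000000D49484452")
MP4_HEAD = bytes.fromhex("0000001866747970")                   # box size + 'ftyp'
PHP_SRC = b"<?php system($_GET['c']); ?>"


def build_zip(members):
    """In-memory zip from {name: bytes}, used to build test archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

`check_file("shell.php.jpg", PHP_SRC)` fails with "no file magic number" under the default policy of step h and passes only when `no_magic_passes=True`, which is the business-configurable choice of paragraph [0056]; a PNG uploaded as `x.jpg` fails at step S40 with the two suffixes named in the reason.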
[0082] Further, a fourth embodiment of the file detection method of the present application is proposed.
[0083] The fourth embodiment of the file detection method differs from the first, second or third embodiment in that the file detection method further includes:
[0084] Step j: If it is detected that the file to be uploaded has no file magic number, obtain a preset class function.
[0085] Step k: If the class function does not generate the object corresponding to the file to be uploaded, determine that the file to be uploaded has failed the file upload vulnerability detection.
[0086] If the server detects that the file to be uploaded has no file magic number, it obtains a preset class function, invokes the class function on the file to be uploaded and obtains the execution result. The class function may be written by developers in a language such as Java or C++ and stored on the server in advance. If the execution result is the object corresponding to the file to be uploaded, i.e. the class function generated that object, the server determines that the file passes the file upload vulnerability detection; if the execution result is not that object, i.e. the class function did not generate it, the server determines that the file has failed the file upload vulnerability detection.
[0087] Further, if it is detected that the file to be uploaded has no file magic number, the server may compare the file's format with a preset format blacklist. If the file format is the same as a file format in the preset format blacklist, the server determines that the file to be uploaded has failed the file upload vulnerability detection; if it differs from every file format in the blacklist, the server determines that the file passes. The file format denotes what kind of file it is, for example a PNG file or a TXT file. The preset format blacklist is stored on the server in advance.
[0088] In this embodiment, after detecting that the file to be uploaded has no file magic number, the server obtains a preset class function, and if the class function does not generate the object corresponding to the file, determines that the file has failed the file upload vulnerability detection, which further raises the success rate of file upload vulnerability detection.
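Steps j and k together with the format blacklist of paragraph [0087], as an added Python example that is not the application's own code. The blacklist contents and the three "class functions" are assumptions: standard-library parsers for JSON, XML and plain text, which are formats without a magic number, each of which returns an object on success and raises on malformed input. The last constructed input shows the limit of the approach: PHP source uploaded as .txt decodes as valid text, so the class function does produce an object. Well-formedness is not a safety property, so this step is combined with the suffix checks rather than relied on alone.

```python
import json
import xml.etree.ElementTree as ET

# Preset format blacklist (paragraph [0087]); the contents are assumed, the
# text only says the list is stored on the server in advance.
FORMAT_BLACKLIST = {"php", "jsp", "asp", "aspx", "sh", "exe"}

# "Class functions" (steps j/k): one constructor per format without a magic
# number.  ET.fromstring is fine for a demonstration; a production server
# should parse untrusted XML with defusedxml to block entity-expansion attacks.
CLASS_FUNCTIONS = {
    "json": lambda data: json.loads(data.decode("utf-8")),
    "xml": lambda data: ET.fromstring(data),
    "txt": lambda data: data.decode("utf-8"),
}


def check_without_magic(suffix, data):
    """Blacklist first, then try to build the object; returns (passed, reason)."""
    suffix = suffix.lower()
    if suffix in FORMAT_BLACKLIST:
        return False, "format is blacklisted"
    class_function = CLASS_FUNCTIONS.get(suffix)
    if class_function is None:
        # No constructor for this format: the text leaves pass/fail to policy;
        # failing closed is the choice made here.
        return False, "no class function for this format"
    try:
        obj = class_function(data)
    except (ValueError, ET.ParseError):   # UnicodeDecodeError and JSONDecodeError are ValueErrors
        return False, "class function did not produce an object"
    if obj is None:                       # json.loads(b"null") parses but yields no object
        return False, "class function did not produce an object"
    return True, "ok"


# Constructed sample inputs
SAMPLES = [
    ("json", b'{"amount": 12.5, "currency": "CNY"}'),
    ("json", b'{"amount": 12.5'),                  # truncated
    ("xml", b"<report><row/></report>"),
    ("xml", b"<report><row></report>"),            # mismatched tag
    ("php", b"<?php phpinfo(); ?>"),               # blacklisted suffix
    ("txt", b"<?php phpinfo(); ?>"),               # valid text: the limit of this check
    ("txt", b"\xff\xfe\x00binary"),                # not UTF-8
]

if __name__ == "__main__":
    for suffix, data in SAMPLES:
        print(suffix, data[:24], check_without_magic(suffix, data))
```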
[0089] Further, so that other vulnerability-defence terminals can use the file detection method, the method of this application may be written in an object-oriented style as an SDK (Software Development Kit) and delivered to those terminals as a generated library. The embodiments of this application do not restrict which object-oriented programming language is used.
[0090] In addition, referring to FIG. 4, the present application also provides a file detection apparatus, which includes:

[0091] an acquisition module 10, configured to obtain the first file suffix of the file to be uploaded after the file is obtained;
[0092] a detection module 20, configured to detect whether the file to be uploaded has a file magic number if the first file suffix is a legal file suffix;
[0093] the acquisition module 10 being further configured to obtain the second file suffix corresponding to the file magic number if the file to be uploaded has a file magic number;
[0094] a determination module 30, configured to determine that the file to be uploaded has failed the file upload vulnerability detection if the first file suffix differs from the second file suffix.
[0095] Further, the acquisition module 10 is also configured to obtain the file path and file name of the file to be uploaded after the file is obtained, and to obtain the first file suffix of the file if the file path is a legal file path and the file name is a legal file name.
[0096] Further, the acquisition module 10 includes:
[0097] a first detection unit, configured to detect, after the file to be uploaded is obtained, whether its file name length is less than or equal to a preset length;
[0098] an acquisition unit, configured to obtain the first file suffix of the file to be uploaded if the file name length is less than or equal to the preset length.
[0099] Further, the detection module 20 includes:
[0100] a reading unit, configured to read the file header of the file to be uploaded if the first file suffix is a legal file suffix;
[0101] a second detection unit, configured to detect whether the file header complies with a preset file magic number rule;
[0102] a determination unit, configured to determine that the file to be uploaded has a file magic number if the file header is detected to comply with the file magic number rule, and that the file to be uploaded has no file magic number if the header is detected not to comply.
[0103] Further, the acquisition module 10 is also configured to obtain a preset class function if it is detected that the file to be uploaded has no file magic number;
[0104] the determination module 30 being further configured to determine that the file to be uploaded has failed the file upload vulnerability detection if the class function does not generate the object corresponding to the file.
[0105] Further, the file detection apparatus also includes:
[0106] a judgment module, configured to judge whether the first file suffix exists in a preset file suffix name array;
[0107] the determination module 30 being further configured to determine that the first file suffix is a legal file suffix if it exists in the file suffix name array.
[0108] Further, the determination module 30 is also configured to determine that the first file suffix is an illegal file suffix if it does not exist in the file suffix name array, and, having so determined, to determine that the file to be uploaded has failed the file upload vulnerability detection.
[0109] Further, the determination module 30 is also configured to determine that the file to be uploaded has failed the file upload vulnerability detection if it is detected that the file has no file magic number.
[0110] Further, the determination module 30 is also configured to determine that the file to be uploaded passes the file upload vulnerability detection if the first file suffix is the same as the second file suffix.
[0111] Note that the embodiments of the file detection apparatus are essentially the same as the embodiments of the file detection method described above and are not described again in detail here.
[0112] In addition, the present application also provides a file detection device. FIG. 5 is a schematic structural diagram of the hardware operating environment involved in the embodiments of the present application.
[0113] Note that FIG. 5 may serve as the schematic structural diagram of the hardware operating environment of the file detection device. The file detection device of the embodiments may be a terminal device such as a PC or a portable computer.
[0114] As shown in FIG. 5, the file detection device may include a processor 1001 such as a CPU, a memory 1005, a user interface 1003, a network interface 1004 and a communication bus 1002. The communication bus 1002 connects these components and carries the communication between them. The user interface 1003 may include a display and an input unit such as a keyboard, and optionally may also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 1005 may be high-speed RAM or non-volatile memory such as disk storage; optionally, the memory 1005 may also be a storage device separate from the processor 1001.
[0115] Optionally, the file detection device may further include a camera, RF (Radio Frequency) circuitry, sensors, audio circuitry, a WiFi module and so on.
[0116] Those skilled in the art will understand that the structure of the file detection device shown in FIG. 5 does not limit the file detection device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
[0117] As shown in FIG. 5, the memory 1005, as a computer storage medium, may contain an operating system, a network communication module, a user interface module and a file detection program. The operating system is the program that manages and controls the hardware and software resources of the file detection device and supports the running of the file detection program and other software or programs.
[0118] In the file detection device shown in FIG. 5, the user interface 1003 is mainly used to connect to the client (user side) and exchange data with it; the network interface 1004 is mainly used to connect to the background server and exchange data with it; and the processor 1001 may be used to call the file detection program stored in the memory 1005 and execute the steps of the file detection method described above.
[0119] 本申请文件检测设备具体实施方式与上述文件检测方法各实施例基本相同, 在 此不再赘述。 [0119] The specific implementation manner of the document detection device of the present application is basically the same as each embodiment of the above-mentioned document detection method, and will not be repeated here.
[0120] 此外, 本申请实施例还提出一种计算机可读存储介质, 所述计算机可读存储介 质上存储有文件检测程序, 所述文件检测程序被处理器执行时实现如上所述的 文件检测方法的步骤。 [0120] In addition, an embodiment of the present application also proposes a computer-readable storage medium having a file detection program stored on the computer-readable storage medium, and when the file detection program is executed by a processor, the file detection as described above is realized Method steps.
[0121] 本申请计算机可读存储介质具体实施方式与上述文件检测方法各实施例基本相 同, 在此不再赘述。 [0121] The specific implementation of the computer-readable storage medium of the present application is basically the same as each embodiment of the above-mentioned file detection method, and will not be repeated here.
[0122] 需要说明的是, 在本文中, 术语“包括” 、 “包含”或者其任何其他变体意在 涵盖非排他性的包含, 从而使得包括一系列要素的过程、 方法、 物品或者装置 不仅包括那些要素, 而且还包括没有明确列出的其他要素, 或者是还包括为这 种过程、 方法、 物品或者装置所固有的要素。 在没有更多限制的情况下, 由语 句“包括一个 ” 限定的要素, 并不排除在包括该要素的过程、 方法、 物品 或者装置中还存在另外的相同要素。 [0122] It should be noted that in this article, the terms "including", "including" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements not only includes Those elements also include other elements that are not explicitly listed, or also include elements inherent to the process, method, article, or device. Without more restrictions, the element defined by the phrase "including one" does not exclude the existence of other same elements in the process, method, article, or device that includes the element.
[0123] 上述本申请实施例序号仅仅为了描述, 不代表实施例的优劣。 [0123] The sequence numbers of the foregoing embodiments of the present application are only for description, and do not represent the advantages and disadvantages of the embodiments.
[0124] 通过以上的实施方式的描述, 本领域的技术人员可以清楚地了解到上述实施例 方法可借助软件加必需的通用硬件平台的方式来实现, 当然也可以通过硬件, 但很多情况下前者是更佳的实施方式。 基于这样的理解, 本申请的技术方案本 质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来, 该计 算机软件产品存储在一个存储介质 (如 R0M/RAM、 磁碟、 光盘) 中, 包括若干指 令用以使得一台终端设备 (可以是手机, 计算机, 服务器, 空调器, 或者网络 设备等) 执行本申请各个实施例所述的方法。 [0124] Through the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus a necessary general hardware platform, and of course, they can also be implemented by hardware. But in many cases, the former is a better implementation. Based on this understanding, the technical solution of this application essentially or the part that contributes to the existing technology can be embodied in the form of a software product, and the computer software product is stored in a storage medium (such as ROM/RAM, magnetic disk, The optical disc) includes a number of instructions to enable a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, or a network device, etc.) to execute the method described in each embodiment of the present application.
[0125] 以上仅为本申请的优选实施例, 并非因此限制本申请的专利范围, 凡是利用本 申请说明书及附图内容所作的等效结构或等效流程变换, 或直接或间接运用在 其他相关的技术领域, 均同理包括在本申请的专利保护范围内。 [0125] The above are only preferred embodiments of the application, and do not limit the scope of the application. Any equivalent structure or equivalent process transformation made by using the description and drawings of the application, or directly or indirectly applied to other related In the same way, the technical fields of are included in the scope of patent protection of this application.

Claims

[Claim 1] A file detection method, wherein the file detection method comprises the following steps:
after a file to be uploaded is obtained, obtaining a first file suffix of the file to be uploaded; if the first file suffix is a legal file suffix, detecting whether the file to be uploaded has a file magic number;
if the file to be uploaded has a file magic number, obtaining a second file suffix corresponding to the file magic number;
if the first file suffix differs from the second file suffix, determining that the file to be uploaded fails the file upload vulnerability detection.
[Claim 2] The file detection method according to claim 1, wherein the step of obtaining the first file suffix of the file to be uploaded after the file to be uploaded is obtained comprises:
after the file to be uploaded is obtained, obtaining the file path and the file name of the file to be uploaded; if the file path is a legal file path and the file name is a legal file name, obtaining the first file suffix of the file to be uploaded.
[Claim 3] The file detection method according to claim 1, wherein the step of obtaining the first file suffix of the file to be uploaded after the file to be uploaded is obtained comprises:
after the file to be uploaded is obtained, detecting whether the length of the file name of the file to be uploaded is less than or equal to a preset length;
if the length of the file name is less than or equal to the preset length, obtaining the first file suffix of the file to be uploaded.
[Claim 4] The file detection method according to claim 1, wherein the step of detecting whether the file to be uploaded has a file magic number if the first file suffix is a legal file suffix comprises:
if the first file suffix is a legal file suffix, reading the file header of the file to be uploaded;
detecting whether the file header complies with a preset file magic number rule; if the file header is detected to comply with the file magic number rule, determining that the file to be uploaded has a file magic number; if the file header is detected not to comply with the file magic number rule, determining that the file to be uploaded has no file magic number.
[Claim 5] The file detection method according to claim 1, wherein, after the step of detecting whether the file to be uploaded has a file magic number if the first file suffix is a legal file suffix, the method further comprises:
if it is detected that the file to be uploaded has no file magic number, obtaining a preset class function; if no object corresponding to the file to be uploaded is generated by the class function, determining that the file to be uploaded fails the file upload vulnerability detection.
[Claim 6] The file detection method according to claim 1, wherein, before the step of detecting whether the file to be uploaded has a file magic number if the first file suffix is a legal file suffix, the method further comprises:
determining whether the first file suffix exists in a preset file suffix name array; if the first file suffix exists in the file suffix name array, determining that the first file suffix is a legal file suffix.
[Claim 7] The file detection method according to claim 6, wherein, after the step of determining whether the first file suffix exists in the preset file suffix name array, the method further comprises: if the first file suffix does not exist in the file suffix name array, determining that the first file suffix is an illegal file suffix, and, after determining that the first file suffix is an illegal file suffix, determining that the file to be uploaded fails the file upload vulnerability detection.
[Claim 8] The file detection method according to claim 1, wherein, after the step of detecting whether the file to be uploaded has a file magic number if the first file suffix is a legal file suffix, the method further comprises:
if it is detected that the file to be uploaded has no file magic number, determining that the file to be uploaded fails the file upload vulnerability detection.
[Claim 9] The file detection method according to claim 1, wherein, after the step of obtaining the second file suffix corresponding to the file magic number if the file to be uploaded has a file magic number, the method further comprises: if the first file suffix is the same as the second file suffix, determining that the file to be uploaded passes the file upload vulnerability detection.
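The procedure of claims 1 to 9, written out as an added example for this page; it is not the patentee's code, and the patent discloses no implementation. The suffix whitelist, the magic number table, the upload root, the file-name length limit and the UTF-8 decoding used as the "class function" for .txt are all assumptions of the example, and the sample uploads are constructed. The claims describe server-side upload handling, so the example is plain Python with no web framework.

```python
import posixpath
import re
from dataclasses import dataclass

# Claim 6's "preset file suffix name array"; the whitelist is an assumption.
LEGAL_SUFFIXES = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt"})
# Two suffixes naming one format must not be reported as a mismatch in claim 1.
CANONICAL_SUFFIX = {"jpeg": "jpg"}
# Claim 4's "preset file magic number rule": leading bytes -> second suffix.
# The signatures are the standard ones for these formats; the table is ours.
MAGIC_RULES = (
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
)
HEADER_LEN = max(len(magic) for magic, _ in MAGIC_RULES)
# Claim 3's preset length and claim 2's "legal path" (must stay under the
# upload root); both values are assumptions.
MAX_NAME_LEN = 64
UPLOAD_ROOT = "/srv/uploads"
# Claim 5's "preset class function": for a suffix with no magic number, try to
# build an object from the bytes. Assumed here: a .txt must decode as UTF-8.
CLASS_FUNCTIONS = {"txt": lambda data: data.decode("utf-8")}


@dataclass
class Verdict:
    passed: bool
    reason: str


def first_suffix(name: str) -> str:
    """Claim 1: the suffix the client declares, i.e. the text after the last dot."""
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def legal_path(path: str) -> bool:
    """Claim 2: after normalisation the target must still lie under UPLOAD_ROOT."""
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, path))
    return posixpath.commonpath([UPLOAD_ROOT, target]) == UPLOAD_ROOT


def legal_name(name: str) -> bool:
    """Claims 2 and 3: a plain name (no separators, NUL, leading dot or '..'),
    no longer than the preset length."""
    return (0 < len(name) <= MAX_NAME_LEN
            and re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)*", name) is not None)


def magic_suffix(header: bytes):
    """Claim 4: match the file header against the magic number rule."""
    for magic, suffix in MAGIC_RULES:
        if header.startswith(magic):
            return suffix
    return None


def check_upload(path: str, name: str, data: bytes) -> Verdict:
    """Claims 1 to 7 and 9 in order, using claim 5 where claim 8 would
    reject a file without a magic number outright."""
    if not legal_path(path):
        return Verdict(False, "illegal file path")
    if not legal_name(name):
        return Verdict(False, "illegal file name")
    suffix1 = first_suffix(name)
    if suffix1 not in LEGAL_SUFFIXES:                      # claims 6 and 7
        return Verdict(False, f"illegal file suffix {suffix1!r}")
    suffix2 = magic_suffix(data[:HEADER_LEN])               # claim 4
    if suffix2 is None:                                     # claim 5
        build = CLASS_FUNCTIONS.get(suffix1)
        if build is None:
            return Verdict(False, "no file magic number")
        try:
            build(data)
        except Exception:  # any constructor failure means "no object generated"
            return Verdict(False, "class function generated no object")
        return Verdict(True, "object generated by class function")
    if CANONICAL_SUFFIX.get(suffix1, suffix1) != suffix2:   # claim 1
        return Verdict(False, f"suffix {suffix1!r} contradicts magic number ({suffix2})")
    return Verdict(True, "suffix matches magic number")      # claim 9


# Constructed sample uploads (path, name, leading bytes); none come from the patent.
SAMPLES = {
    "png_as_png":     ("img", "logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "script_as_png":  ("img", "shell.png", b"<?php echo 1; ?>"),
    "gif_as_jpg":     ("img", "photo.jpg", b"GIF89a" + b"\x00" * 16),
    "jpg_as_jpeg":    ("img", "photo.jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "path_traversal": ("../../var/www", "photo.jpg", b"\xff\xd8\xff\xe0"),
    "script_suffix":  ("img", "shell.php", b"<?php echo 1; ?>"),
    "utf8_text":      ("docs", "notes.txt", "plain text".encode("utf-8")),
    "binary_text":    ("docs", "notes.txt", b"\xff\xfe\x00\x01"),
}


def run_samples() -> dict:
    """Return {sample name: passed?} for every constructed sample."""
    return {key: check_upload(*args).passed for key, args in SAMPLES.items()}


if __name__ == "__main__":
    for key, args in SAMPLES.items():
        print(f"{key:15s} {check_upload(*args)}")
```

The order follows the claims: path and name (claims 2 and 3), suffix whitelist (claims 6 and 7), header against the magic number rule (claim 4), then either the class-function fallback (claim 5) or the suffix comparison (claims 1 and 9). Note what the check establishes and what it does not: it confirms that the declared suffix and the leading bytes agree, but a file that starts with a valid GIF or JPEG header can still carry script code after it, so the check needs to be paired with storing uploads where the web server will not execute them.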
[Claim 10] A file detection apparatus, wherein the file detection apparatus comprises:
an obtaining module, configured to obtain a first file suffix of a file to be uploaded after the file to be uploaded is obtained;
a detection module, configured to detect whether the file to be uploaded has a file magic number if the first file suffix is a legal file suffix;
the obtaining module being further configured to obtain a second file suffix corresponding to the file magic number if the file to be uploaded has a file magic number; and
a determining module, configured to determine that the file to be uploaded fails the file upload vulnerability detection if the first file suffix differs from the second file suffix.
[Claim 11] The file detection apparatus according to claim 10, wherein the obtaining module is further configured to obtain the file path and the file name of the file to be uploaded after the file to be uploaded is obtained, and, if the file path is a legal file path and the file name is a legal file name, to obtain the first file suffix of the file to be uploaded.
[Claim 12] The file detection apparatus according to claim 10, wherein the obtaining module comprises: a first detection unit, configured to detect whether the length of the file name of the file to be uploaded is less than or equal to a preset length after the file to be uploaded is obtained; and
an obtaining unit, configured to obtain the first file suffix of the file to be uploaded if the length of the file name is less than or equal to the preset length.
[Claim 13] The file detection apparatus according to claim 10, wherein the detection module comprises: a reading unit, configured to read the file header of the file to be uploaded if the first file suffix is a legal file suffix;
a second detection unit, configured to detect whether the file header complies with a preset file magic number rule; and a determining unit, configured to determine that the file to be uploaded has a file magic number if the file header is detected to comply with the file magic number rule, and to determine that the file to be uploaded has no file magic number if the file header is detected not to comply with the file magic number rule.
[Claim 14] The file detection apparatus according to claim 10, wherein the obtaining module is further configured to obtain a preset class function if it is detected that the file to be uploaded has no file magic number; and the determining module is further configured to determine that the file to be uploaded fails the file upload vulnerability detection if no object corresponding to the file to be uploaded is generated by the class function.
[Claim 15] The file detection apparatus according to claim 10, further comprising a judging module, configured to determine whether the first file suffix exists in a preset file suffix name array; wherein the determining module is further configured to determine that the first file suffix is a legal file suffix if the first file suffix exists in the file suffix name array.
[Claim 16] The file detection apparatus according to claim 15, wherein the determining module is further configured to determine that the first file suffix is an illegal file suffix if the first file suffix does not exist in the file suffix name array, and, after determining that the first file suffix is an illegal file suffix, to determine that the file to be uploaded fails the file upload vulnerability detection.
[Claim 17] The file detection apparatus according to claim 10, wherein the determining module is further configured to determine that the file to be uploaded fails the file upload vulnerability detection if it is detected that the file to be uploaded has no file magic number.
[Claim 18] The file detection apparatus according to claim 10, wherein the determining module is further configured to determine that the file to be uploaded passes the file upload vulnerability detection if the first file suffix is the same as the second file suffix.
[Claim 19] A file detection device, wherein the file detection device comprises a memory, a processor, and a file detection program stored on the memory and runnable on the processor, and the file detection program, when executed by the processor, implements the following steps: after a file to be uploaded is obtained, obtaining a first file suffix of the file to be uploaded; if the first file suffix is a legal file suffix, detecting whether the file to be uploaded has a file magic number;
if the file to be uploaded has a file magic number, obtaining a second file suffix corresponding to the file magic number;
if the first file suffix differs from the second file suffix, determining that the file to be uploaded fails the file upload vulnerability detection.
[Claim 20] A computer-readable storage medium, wherein a file detection program is stored on the computer-readable storage medium, and the file detection program, when executed by a processor, implements the following steps: after a file to be uploaded is obtained, obtaining a first file suffix of the file to be uploaded; if the first file suffix is a legal file suffix, detecting whether the file to be uploaded has a file magic number;
if the file to be uploaded has a file magic number, obtaining a second file suffix corresponding to the file magic number;
if the first file suffix differs from the second file suffix, determining that the file to be uploaded fails the file upload vulnerability detection.
PCT/CN2020/077615 2019-04-18 2020-03-03 File detection method, apparatus and device, and computer-readable storage medium WO2020211555A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910315457.4A CN110096889B (en) 2019-04-18 2019-04-18 File detection method, device, equipment and computer readable storage medium
CN201910315457.4 2019-04-18

Publications (1)

Publication Number Publication Date
WO2020211555A1 2020-10-22

Family

ID=67445288

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/077615 WO2020211555A1 (en) 2019-04-18 2020-03-03 File detection method, apparatus and device, and computer-readable storage medium

Country Status (2)

Country Link
CN (1) CN110096889B (en)
WO (1) WO2020211555A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110096889B (en) * 2019-04-18 2024-03-01 深圳前海微众银行股份有限公司 File detection method, device, equipment and computer readable storage medium
CN110929110B (en) * 2019-11-13 2023-02-21 北京北信源软件股份有限公司 Electronic document detection method, device, equipment and storage medium
CN111027290A (en) * 2019-11-22 2020-04-17 贝壳技术有限公司 Data report naming method and device, electronic equipment and storage medium
CN112738085B (en) * 2020-12-28 2023-08-08 深圳前海微众银行股份有限公司 File security verification method, device, equipment and storage medium
CN114765545A (en) * 2020-12-31 2022-07-19 国网思极检测技术(北京)有限公司 Device for detecting any file uploading loophole
CN114567506B (en) * 2022-03-09 2024-03-19 平安科技(深圳)有限公司 File uploading method and device, computer equipment and storage medium
CN115374075B (en) * 2022-08-01 2023-09-01 北京明朝万达科技股份有限公司 File type identification method and device

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100199099A1 (en) * 2009-02-05 2010-08-05 Junling Wu User friendly Authentication and Login Method Using Multiple X509 Digital Certificates
CN103778210A (en) * 2014-01-15 2014-05-07 北京京东尚科信息技术有限公司 Method and device for judging specific file type of file to be analyzed
US20180018464A1 (en) * 2016-07-14 2018-01-18 Digital Bedrock Digital obsolescence avoidance systems and methods
CN108171054A (en) * 2016-12-05 2018-06-15 中国科学院软件研究所 The detection method and system of a kind of malicious code for social deception
CN110096889A (en) * 2019-04-18 2019-08-06 深圳前海微众银行股份有限公司 File test method, device, equipment and computer readable storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10121003B1 (en) * 2016-12-20 2018-11-06 Amazon Technologies, Inc. Detection of malware, such as ransomware
CN108040069A (en) * 2017-12-28 2018-05-15 成都数成科技有限公司 A kind of quick method for opening network data APMB package

Also Published As

Publication number Publication date
CN110096889B (en) 2024-03-01
CN110096889A (en) 2019-08-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20791345

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20791345

Country of ref document: EP

Kind code of ref document: A1