The content of the invention
In view of the technical problems in the prior art, it is an object of the invention to provide a black-box detection method and device for PHP code execution vulnerabilities.
The technical scheme is as follows:
A black-box detection method for PHP code execution vulnerabilities, the steps of which include:
1) Select or write a section of PHP code whose function is to output a random string, and add before this PHP code the code for closing the PHP program (that is, terminating the PHP statement into which the input is inserted), so as to generate a payload for detecting whether a PHP code execution vulnerability exists; then replace the values of the GET parameters and POST parameters of an HTTP request with the payload, constructing a request data packet for detecting the vulnerability;
2) Send the constructed request data packet to the target website, and receive the response data packet of the target website;
3) Judge whether the response data packet contains the random string generated by the PHP code in the payload of the request data packet; if it is present, judge that the target website has a PHP code execution vulnerability; if it is absent, judge that the target website does not have a PHP code execution vulnerability.
Further, the method requests and acquires set information on the server of the target website; if the corresponding set information is present in the response packet returned by the target server, it is further determined that the target server has a PHP code execution vulnerability.
Further, a section of PHP code whose function is to output the set information on the server of the target website is selected or written, the code for closing the PHP program is added before this PHP code to generate a payload for verifying whether a PHP code execution vulnerability exists, and the values of the GET parameters and POST parameters in the HTTP request are then replaced with this payload, constructing a request data packet for vulnerability evidence collection; the constructed request data packet for verification is sent to the target website, and the set information on the server of the target website is thereby requested and acquired.
Further, the set information is the process information on the server of the target website.
Further, the set information is the content of a specified file on the server of the target website.
A black-box detection device for PHP code execution vulnerabilities, characterised in that it includes a packet constructing module, a request-response interaction module and a vulnerability judging module; wherein,
the packet constructing module generates a payload for detecting whether a PHP code execution vulnerability exists by adding, before a section of PHP code whose function is to output a random string, the code for closing the PHP program; it then replaces the values of the GET parameters and POST parameters in an HTTP request with the payload, constructing a request data packet for detecting the vulnerability;
the request-response interaction module is used to send the constructed request data packet to the target website and to receive the response data packet of the target website;
the vulnerability judging module is used to judge, according to whether the response data packet contains the random string generated by the PHP code in the payload of the request data packet, whether the target website has the vulnerability; if it is present, it judges that the target website has a PHP code execution vulnerability; if it is absent, it judges that the target website does not have a PHP code execution vulnerability.
Further, the device also includes a vulnerability evidence collection module, used to request and acquire set information on the server of the target website; if the corresponding set information is present in the response data packet returned by the target server, it further determines that the target server has a PHP code execution vulnerability.
Further, the vulnerability evidence collection module generates a payload for verifying whether a PHP code execution vulnerability exists by adding, before a section of PHP code whose function is to output set information on the server of the target website, the code for closing the PHP program; it then replaces the values of the GET parameters and POST parameters in the HTTP request with this payload, constructing a request data packet for vulnerability evidence collection; the constructed request data packet for verification is sent to the target website, and the set information on the server of the target website is requested and acquired.
In the present invention, the packet constructing module writes PHP code whose function is to output a random string, adds before this PHP code the code for closing the PHP program to generate a payload, and replaces the values of the GET parameters and POST parameters in an HTTP request with the payload, constructing a request data packet for detecting the vulnerability;
the request-response interaction module sends the constructed request data packet to the target website and receives the response data packet of the target website;
the vulnerability judging module judges whether the response data packet contains the random string generated by the PHP code in the payload of the request data packet, so as to judge whether the target website has the vulnerability;
the vulnerability evidence collection module regenerates a payload so as to obtain the process information or the content of a specified file on the server of the target website, further verifying that the vulnerability really exists.
The payload in the vulnerability evidence collection module differs from the payload in the packet constructing module: the payload in the vulnerability evidence collection module contains PHP code whose function is to obtain process information or the content of a specified file, and is used to obtain the process information or specified file content of the target website's server; the payload in the packet constructing module contains PHP code whose function is to output a random string, and is used to detect whether a PHP code execution vulnerability exists.
1. Payload in the vulnerability evidence collection module whose purpose is to obtain process information
Write PHP code whose function is to obtain process information. For example:
system('ps -ef');//
The code for closing the PHP program can be added before this code. For example:
');system('ps -ef');//
");system('ps -ef');//
As in the above example, three payloads are thus generated.
Note: 'ps -ef' is the command for obtaining process information under the Linux operating system. If the operating system of the target website is Windows, process information is obtained with the 'tasklist' command instead. 'ps -ef' here is therefore only an example used to illustrate the technical scheme; in practical operation it can be adjusted according to the actual conditions.
2. Payload in the vulnerability evidence collection module whose purpose is to obtain the content of a specified file
Write PHP code whose function is to obtain the content of a specified file. For example:
system('cat /etc/passwd');//
The code for closing the PHP program can be added before this code. For example:
');system('cat /etc/passwd');//
");system('cat /etc/passwd');//
As in the above example, three payloads are thus generated.
Note: the file /etc/passwd is a file under the Linux operating system; it is chosen to be read because it is 100% certain to exist under Linux. If the operating system of the target website is Windows, a file that is 100% certain to exist under Windows should be chosen instead, such as c:\Windows\system.ini. The file /etc/passwd here is therefore only an example used to illustrate the technical scheme; in practical operation it can be adjusted according to the actual conditions.
If process information or the content of the specified file is present in the response data packet, it can be further verified that the vulnerability really exists.
The reason is:
If process information is present in the response data packet, it shows that the code in the payload for obtaining process information (ps -ef) was successfully executed by the target website, which in turn shows that the target website has a PHP code execution vulnerability.
If the content of the specified file is present in the response data packet, it shows that the code in the payload for obtaining the specified file content (cat /etc/passwd) was successfully executed by the target website, which in turn shows that the target website has a PHP code execution vulnerability.
Ordinarily, after a vulnerability detection program detects that a certain website has a certain vulnerability, the vulnerability detection personnel carry out secondary manual verification, to make sure that the vulnerability really exists and that the detection program has not produced a false report.
In the present invention, the vulnerability evidence collection module writes PHP code whose function is to output the process information or the content of a specified file on the server of the target website, adds before this PHP code the code for closing the PHP program to generate a payload, and replaces the values of the GET parameters and POST parameters in the HTTP request with the payload, constructing a request data packet for vulnerability evidence collection; the constructed request data packet is sent to the target website, and the response data packet of the target website is received; if the process information or specified file content of the target website's server is found in the response data packet, the vulnerability detection personnel can intuitively judge and confirm that the vulnerability really exists.
The function of the vulnerability evidence collection module is to provide the process information or specified file content of the target website's server. Thus, when the vulnerability detection personnel carry out the secondary verification work, they see the process information or specified file content and can quickly determine that the vulnerability really exists, without carrying out the manual vulnerability verification work again.
The vulnerability evidence collection module greatly saves the time the vulnerability detection personnel spend on secondary vulnerability verification and improves working efficiency.
The present invention mainly has the following advantages:
The present invention adopts the idea of using PHP code that outputs a random string as the payload, replacing the commonly used method of using known execution functions such as phpinfo() as the payload. The probability that an identical random string appears in the returned page by coincidence is extremely low, so the vulnerability false-alarm rate is extremely low; this idea effectively reduces the false-alarm rate of vulnerability detection.
The present invention further adopts the idea of combining vulnerability detection with vulnerability evidence collection: vulnerability evidence such as the process information and specified file content of the target website's server is obtained through the vulnerability, so that the vulnerability detection personnel can intuitively judge and confirm that the vulnerability really exists, providing a reliable basis for the secondary verification of the vulnerability.
Embodiment
In order to make the above features and advantages of the present invention more apparent, a specific embodiment is described in detail below with reference to the accompanying drawings.
The method flow of the present invention is as shown in Figure 1:
Step 1: "packet constructing module": write PHP code whose function is to output a random string, add before this PHP code the code for closing the PHP program to generate a payload, and replace the values of the GET parameters and POST parameters in an HTTP request with the payload, constructing a request data packet for detecting the vulnerability;
Step 2: "request-response interaction module": send the constructed request data packet to the target website, and receive the response data packet of the target website;
Step 3: "vulnerability judging module": judge whether the response data packet contains the random string generated by the PHP code in the payload of the request data packet, so as to judge whether the target website has the vulnerability; when the response data packet contains the random string, judge that the target website has a PHP code execution vulnerability.
Step 4: "vulnerability evidence collection module": regenerate a payload to obtain the process information or the content of a specified file on the server of the target website, further verifying that the vulnerability really exists.
More specific implementation:
(1) Packet construction
(1) Generating the payload
Write PHP code whose function is to output a random string. For example:
print(c9de2ca853969fca6526811f099825691);//
The code for closing the PHP program can be added before this code. For example:
');print(c9de2ca853969fca6526811f099825691);//
");print(c9de2ca853969fca6526811f099825691);//
As in the above example, three payloads are thus generated.
(2) Constructing the packet for detecting the vulnerability
Replace the values of the GET parameters and POST parameters in the HTTP request with the payload, constructing a data packet for detecting the vulnerability. For example:
http://1.1.1.1/test_1.php?Data=print(c9de2ca853969fca6526811f099825691);//
http://1.1.1.1/test_2.php?Data=');print(c9de2ca853969fca6526811f099825691);//
http://1.1.1.1/test_3.php?Data=");print(c9de2ca853969fca6526811f099825691);//
(2) Vulnerability judgement
(1) Example 1:
A packet for detecting the vulnerability, such as:
http://1.1.1.1/test_1.php?Data=print(c9de2ca853969fca6526811f099825691);//
is sent to the target website; if the random string (c9de2ca853969fca6526811f099825691) is present in the returned page, it is judged that a PHP code execution vulnerability exists; if the random string is absent, it is judged that the vulnerability does not exist.
(2) Example 2:
A packet for detecting the vulnerability, such as:
http://1.1.1.1/test_2.php?Data=');print(c9de2ca853969fca6526811f099825691);//
is sent to the target website; if the random string (c9de2ca853969fca6526811f099825691) is present in the returned page, it is judged that a PHP code execution vulnerability exists; if the random string is absent, it is judged that the vulnerability does not exist.
(3) Example 3:
A packet for detecting the vulnerability, such as:
http://1.1.1.1/test_3.php?Data=");print(c9de2ca853969fca6526811f099825691);//
is sent to the target website; if the random string (c9de2ca853969fca6526811f099825691) is present in the returned page, it is judged that a PHP code execution vulnerability exists; if the random string is absent, it is judged that the vulnerability does not exist.
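The payload construction of section (1) and the judgement of section (2), written out as an added example that is not part of the patent: it draws a fresh random marker per scan, builds the three payload variants the text lists, substitutes them into a GET parameter, and classifies a response body. The function names (make_token, build_payloads, build_request_urls, classify_response) are this example's own, and the response bodies in the main block are constructed stand-ins for a real reply. It goes one step beyond the text on the false-alarm point: a page that merely echoes its input would contain the marker inside the reflected payload text without having executed anything, so the check strips literal echoes of the print() call before deciding.

```python
# Added example (not the patent's code): payload construction and the
# response check from the detection step. All names here are this
# example's own assumptions; the responses below are constructed.
import secrets
from typing import List
from urllib.parse import quote

# The three "closing" prefixes the text lists: none, close a
# single-quoted string and call, close a double-quoted string and call.
CLOSERS = ("", "');", '");')


def make_token() -> str:
    """Fresh random marker; a new one per scan keeps results unambiguous."""
    return secrets.token_hex(16)


def build_payloads(token: str) -> List[str]:
    """Prefix each closer to the marker-printing PHP statement (the page's form)."""
    return [f"{closer}print({token});//" for closer in CLOSERS]


def build_request_urls(base_url: str, param: str, token: str) -> List[str]:
    """Substitute each payload for the GET parameter value, URL-encoded."""
    return [f"{base_url}?{param}={quote(p, safe='')}" for p in build_payloads(token)]


def classify_response(body: str, token: str) -> str:
    """Judge one response body.

    'executed'       the marker appears on its own, i.e. print() ran
    'reflected_only' the marker appears only inside an echoed copy of the
                     payload text (input reflection, not execution)
    'absent'         the marker does not appear at all
    """
    if token not in body:
        return "absent"
    # Remove every literal echo of the print() call we sent; a marker that
    # survives can only have been produced by the call executing.
    stripped = body.replace(f"print({token})", "")
    return "executed" if token in stripped else "reflected_only"


if __name__ == "__main__":
    tok = make_token()
    for url in build_request_urls("http://1.1.1.1/test.php", "Data", tok):
        print(url)
    # Constructed response bodies standing in for a target's reply.
    print(classify_response(f"<html>{tok}</html>", tok))                    # executed
    print(classify_response(f"<p>You searched: print({tok});//</p>", tok))  # reflected_only
    print(classify_response("<html>no marker here</html>", tok))            # absent
```

Two points about the page's own payload shape are worth knowing when reading scan results. The marker is printed as a bare word rather than a quoted string; PHP versions before 8 treat an undefined constant name as its own name with a warning, which is why that form produced output, whereas PHP 8 raises an Error, so a target on PHP 8 would be classified as "absent" by this check even where the injection point exists. And the three closers only cover inputs inserted into a single-quoted string, a double-quoted string, or directly into code; an input landing in any other syntactic context is likewise reported as "absent", so "absent" here means "not demonstrated", not "safe".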
(3) Vulnerability evidence collection
(1) Obtaining the process information on the server of the target website
Generate the payload, for example:
http://1.1.1.1/test_1.php?Data=system('ps -ef');//
After it is sent to the target website, if process list information is present in the returned page, it can be further verified that the vulnerability really exists; moreover, the process list information serves as evidence by which the vulnerability detection personnel can intuitively judge and confirm that the vulnerability really exists. Note: "ps -ef" is the command for obtaining process information under the Linux operating system.
If no process list information is present in the returned page, the existence of the vulnerability cannot be further verified, but this does not mean that the vulnerability does not exist.
(2) Obtaining the content of a specified file on the server of the target website
Generate the payload, for example:
http://1.1.1.1/test_1.php?Data=system('cat /etc/passwd');//
After it is sent to the target website, if the content of the file /etc/passwd on the server of the target website is present in the returned page, it can be further verified that the vulnerability really exists; moreover, the content of the file /etc/passwd serves as evidence by which the vulnerability detection personnel can intuitively judge and confirm that the vulnerability really exists. Note: "cat /etc/passwd" is the command for obtaining the content of the file /etc/passwd under the Linux operating system.
If the content of the file /etc/passwd is not present in the returned page, the existence of the vulnerability cannot be further verified, but this does not mean that the vulnerability does not exist.
The above embodiment is merely illustrative of the technical solution of the present invention and does not limit it; a person of ordinary skill in the art may modify the technical solution or substitute equivalents without departing from the spirit and scope of the present invention, and the scope of protection of the present invention shall be defined by the claims.