
Find malicious PDF files using PHP validation?

Currently, the following actions are implemented for file validation:

  • File type validations using MIME details like application/pdf
  • Validating the file extensions along with the MIME details.

But some PDF files contain malicious scripts, like JavaScript, to damage the system.

More details about the PDF attacks:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2992

Question: Are there any recommended solutions for this case?

I did this once a few years ago (no longer have the code).

  • On upload
    • Scan the file for malicious code (similar to a virus scanner)
    • Deny or allow the file based on functional logic

Malicious code is usually hidden inside base64 functions inside of the file meta, or uses char codes to render the malicious code.

You'll need to find a dictionary of common malicious code, or create your own, then open the file with PHP functionality and scan for items within your dictionary (array).

At this point, you're probably thinking that's not very optimized, or that it would be slow, etc.

This is correct; any time you throw in security it does take a performance hit, but you could get around it by creating a new server that the files get uploaded to and scanned on, and then passed back to the original server, etc.

As far as scanners go, I'm sure you may find services or open source code; I just found this one: https://github.com/mikestowe/Malicious-Code-Scanner/blob/master/phpMalCodeScanner.php (never used it, nor am I recommending it).
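One way to implement the dictionary scan this answer describes, as added PHP example code (not code from the answer or from the scanner linked above): it undoes the #xx hex escapes that PDF permits inside name tokens before matching, so an obfuscated /J#61vaScript still hits the dictionary; the dictionary contents, function names and sample PDF fragment are this example's own assumptions.

```php
<?php
// Added example (not code from the answer above): a dictionary scan of an uploaded
// PDF in the spirit of answer 1. It flags PDF name tokens that carry active content
// (/JavaScript, /OpenAction, ...) after undoing the #xx hex escapes that PDF allows
// inside names (e.g. /J#61vaScript), which a plain strpos() lookup would miss.
// Limitation: names inside compressed object streams are invisible to this scan,
// which is why a real parser such as peepdf is still needed for those files.

// Dictionary of name tokens worth flagging; the list is this example's choice.
const SUSPICIOUS_PDF_NAMES = [
    '/JavaScript', '/JS', '/OpenAction', '/AA', '/Launch',
    '/EmbeddedFile', '/RichMedia', '/ObjStm',
];

// Undo #xx escapes so obfuscated names compare equal to the dictionary entries.
function normalizePdfNames(string $data): string
{
    return preg_replace_callback('/#([0-9A-Fa-f]{2})/', function (array $m): string {
        return chr(hexdec($m[1]));
    }, $data);
}

// Returns name => occurrence count for every dictionary hit, or null when the
// bytes do not even start with a PDF header (whatever the MIME type claimed).
function scanPdfForSuspiciousNames(string $pdfBytes): ?array
{
    if (strncmp($pdfBytes, '%PDF-', 5) !== 0) {
        return null;
    }
    $data = normalizePdfNames($pdfBytes);
    $hits = [];
    foreach (SUSPICIOUS_PDF_NAMES as $name) {
        // The token must end at a delimiter so that /JS does not match /JSomething.
        $pattern = '/' . preg_quote($name, '/') . '(?![A-Za-z0-9])/';
        $count = preg_match_all($pattern, $data);
        if ($count > 0) {
            $hits[$name] = $count;
        }
    }
    return $hits;
}

// Constructed sample: a minimal PDF fragment whose /JavaScript name is hex-obfuscated.
$sample = "%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
        . "2 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n%%EOF\n";
$hits = scanPdfForSuspiciousNames($sample);
// Reject both non-PDFs and PDFs with any dictionary hit; log the hits for the admin.
if ($hits === null || $hits !== []) {
    echo 'Rejecting upload: ', $hits === null ? 'not a PDF' : json_encode($hits), "\n";
}
```

On the sample above the scan reports /JavaScript, /JS and /OpenAction, one occurrence each, even though the literal string "/JavaScript" never appears in the file.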

Take a look into this project https://github.com/urule99/jsunpack-n - A Generic JavaScript Unpacker

jsunpack-n emulates browser functionality when visiting a URL. Its purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input (also PDFs).

By looking into this file https://raw.githubusercontent.com/urule99/jsunpack-n/master/pre.js it looks like it directly addresses your problem.

// Excerpt from pre.js: a stub of Adobe's util.printf that logs the call instead of running it
var util = {
    printf : function(a,b){ print("//alert CVE-2008-2992 util.printf length (" + a.length + "," + b.length + ")\n"); },
};

On upload I would feed the PDF into this tool and check the results.

Below are some interesting resources related to that vulnerability which explain everything in depth.

http://resources.infosecinstitute.com/hacking-pdf-part-1/

http://resources.infosecinstitute.com/hacking-pdf-part-2/

In part 2 of the article there is a fragment saying that you can use SpiderMonkey to execute pre.js (the file I mentioned earlier) to get info about the CVE:

js -f pre.js -f util_printf.pdf.out

//alert CVE-2008-2992 util.printf length (13,undefined)

Adding another answer, as the project below is much easier to use and is also able to find the CVE-2008-2992 vulnerability. I know you are asking about PHP, but you can simply run any script from PHP using, for example, escapeshellcmd.

peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to do all the tasks. With peepdf it's possible to see all the objects in the document showing the suspicious elements; it supports all the most used filters and encodings, and it can parse different versions of a file, object streams and encrypted files.

https://github.com/jesparza/peepdf

Instructions: http://eternal-todo.com/tools/peepdf-pdf-analysis-tool

and you use it like below; at the end you get all problematic elements with CVE info:

$ ./peepdf.py -f fcexploit.pdf

File: fcexploit.pdf
MD5: 659cf4c6baa87b082227540047538c2a
SHA1: a93bf00077e761152d4ff8a695c423d14c9a66c9
Size: 25169 bytes
Version: 1.3
Binary: True
Linearized: False
Encrypted: False
Updates: 0
Objects: 18
Streams: 5
Comments: 0
Errors: 1

Version 0:
    Catalog: 27
    Info: 11
    Objects (18): [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 22, 23, 24, 25, 26, 27, 28]
        Errors (2): [11, 25]
    Streams (5): [5, 7, 9, 10, 11]
        Encoded (4): [5, 7, 9, 10]
    Objects with JS code (1): [5]
    Suspicious elements:
        /OpenAction: [1]
        /JS: [4]
        /JavaScript: [4]
        getAnnots (CVE-2009-1492): [5] 
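Wiring peepdf into a PHP upload handler, as added example code (not code from the answer or from the peepdf project): it runs the tool with shell-escaped arguments, parses the "Suspicious elements" block in the report layout shown above, and rejects the upload when JavaScript, an auto-run action or a CVE tag is reported. The parser, the rejection policy, the helper names and the $peepdf path are this example's own assumptions.

```php
<?php
// Added example (not code from the answer above): calling peepdf from PHP and
// turning its "Suspicious elements" report into an upload decision. The report
// layout follows the output shown in the answer; the parser, the policy and the
// helper names are this example's own, and $peepdf is assumed to be the path to
// peepdf.py on this host.

// Run peepdf on a stored upload. Both arguments go through escapeshellarg() so a
// user-controlled file name cannot inject shell syntax.
function runPeepdf(string $peepdf, string $pdfPath): string
{
    $cmd = escapeshellarg($peepdf) . ' -f ' . escapeshellarg($pdfPath) . ' 2>&1';
    return (string) shell_exec($cmd);
}

// Extract the "Suspicious elements:" block as name => [object ids],
// e.g. "getAnnots (CVE-2009-1492)" => [5].
function parsePeepdfSuspicious(string $report): array
{
    $block = '/^[ \t]*Suspicious elements:[ \t]*\R((?:[ \t]+\S.*\R?)*)/m';
    if (!preg_match($block, $report, $m)) {
        return [];
    }
    $found = [];
    preg_match_all('/^[ \t]+(.+?):[ \t]*\[([^\]]*)\]/m', $m[1], $rows, PREG_SET_ORDER);
    foreach ($rows as $row) {
        preg_match_all('/\d+/', $row[2], $ids);
        $found[$row[1]] = array_map('intval', $ids[0]);
    }
    return $found;
}

// Policy: reject anything carrying JavaScript, an auto-run action or a known CVE.
function pdfReportLooksMalicious(array $suspicious): bool
{
    foreach (array_keys($suspicious) as $element) {
        if (preg_match('~^/(JS|JavaScript|OpenAction|AA|Launch)$~', $element)
            || stripos($element, 'CVE-') !== false) {
            return true;
        }
    }
    return false;
}

// Constructed check built from the report excerpt quoted in the answer above;
// in production $sampleReport would come from runPeepdf($peepdf, $uploadPath).
$sampleReport = "Version 0:\n    Catalog: 27\n    Suspicious elements:\n"
              . "        /OpenAction: [1]\n        /JS: [4]\n        /JavaScript: [4]\n"
              . "        getAnnots (CVE-2009-1492): [5]\n";
if (pdfReportLooksMalicious(parsePeepdfSuspicious($sampleReport))) {
    echo 'Rejecting upload: ', json_encode(parsePeepdfSuspicious($sampleReport)), "\n";
}
```

A report with no "Suspicious elements:" block parses to an empty array and is accepted by the policy, so a scan that fails to run (empty output) should be treated separately as an error rather than as a clean result.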
