Hook function list

This document lists the functions we hook.

Java version

Attack detection

For SQL injection, the detection point is one of the execute/executeUpdate/executeQuery/executeBatch/executeBatchInternal/addBatch methods of the classes listed below; see our source code on GitHub for the details, which are not repeated here.

Check                         Method name
File upload                   org.apache.commons.fileupload.disk.DiskFileItem.setHeaders()
                              org.apache.commons.fileupload.FileUploadBase.parseRequest()
File read                     java.io.FileInputStream(File file)
File write                    java.io.FileOutputStream()
                              java.io.FileOutputStream(String name, boolean append)
File rename                   java.io.File.renameTo()
File listing                  java.io.File.list()
SSRF                          org.apache.commons.httpclient.URI.parseUriReference()
                              org.apache.http.client.methods.HttpRequestBase.setURI()
                              com.squareup.okhttp3.HttpUrl.parse(String)
                              com.squareup.okhttp.HttpUrl.parse(String)
                              sun.net.www.protocol.http.HttpURLConnection.connect()
Deserialization               java.io.ObjectInputStream.resolveClass()
Command execution             java.lang.UNIXProcess.<init>
                              java.lang.ProcessImpl.<init>
OGNL expression evaluation    ognl.OgnlParser.topLevelExpression()
XXE                           com.sun.org.apache.xerces.internal.util.XMLResourceIdentifierImpl()
                              org.apache.xerces.util.XMLResourceIdentifierImpl.setValues()
JSTL import                   org.apache.taglibs.standard.tag.common.core.ImportSupport.targetUrl()
Dubbo RPC                     com.alibaba.dubbo.rpc.filter.ContextFilter.invoke()
                              com.alibaba.dubbo.rpc.filter.GenericFilter.invoke()
SQL injection                 com.mysql.jdbc.StatementImpl
                              com.mysql.jdbc.PreparedStatement
                              com.mysql.cj.jdbc.PreparedStatement
                              org.sqlite.Stmt
                              org.sqlite.PrepStmt
                              org.sqlite.jdbc3.JDBC3Statement
                              org.sqlite.jdbc3.JDBC3PreparedStatement
                              oracle.jdbc.driver.OracleStatement
                              oracle.jdbc.driver.OraclePreparedStatement
                              com.microsoft.sqlserver.jdbc.SQLServerStatement
                              com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement
                              org.postgresql.jdbc.PgStatement
                              org.postgresql.jdbc1.AbstractJdbc1Statement
                              org.postgresql.jdbc2.AbstractJdbc2Statement
                              org.postgresql.jdbc3.AbstractJdbc3Statement
                              org.postgresql.jdbc3g.AbstractJdbc3gStatement
                              org.postgresql.jdbc4.AbstractJdbc4Statement
                              com.ibm.db2.jcc.am
                              com.ibm.db2.jcc.am.Connection

Baseline checks

Check                         Method name
Database connection account   com.mysql.jdbc.NonRegisteringDriver.connect()
                              com.mysql.cj.jdbc.NonRegisteringDriver.connect()
                              org.sqlite.JDBC.connect()
                              com.microsoft.sqlserver.jdbc.SQLServerDriver.connect()
                              org.postgresql.Driver.connect()
                              oracle.jdbc.driver.OracleDriver.connect()
                              com.ibm.db2.jcc.DB2Driver.connect()

Server startup detection points

Purpose                       Method name
Tomcat                        org.apache.catalina.startup.Catalina.start()
Jetty                         org.eclipse.jetty.server.Server.doStart()
JBoss 4                       org.jboss.system.server.ServerImpl.start()
JBoss 5                       org.jboss.bootstrap.AbstractServerImpl.start()
JBoss 6                       org.jboss.bootstrap.impl.base.server.AbstractServer.start()
Resin                         com.caucho.server.resin.Resin.initMain()
WebSphere                     org.eclipse.core.launcher.Main.run()

Common to Tomcat/Jetty/JBoss/Resin/WebSphere

Purpose                       Method name
preRequest                    org.apache.catalina.connector.CoyoteAdapter.service()
request                       org.apache.catalina.core.ApplicationFilterChain.doFilter()
Request body caching          org.apache.catalina.connector.InputBuffer.readByte(int)
                              org.apache.catalina.connector.InputBuffer.read(byte[], int, int)
HTML injection                org.apache.catalina.connector.OutputBuffer.close()

Resin server

Purpose                       Method name
preRequest                    com.caucho.server.http.HttpRequest.handleRequest()
                              com.caucho.server.http.HttpRequest.handleResume()
request                       com.caucho.server.dispatch.ServletInvocation.service()
                              com.caucho.server.dispatch.ServletInvocation.doResume()
Request body caching          com.caucho.server.connection.ServletInputStreamImpl.read(int)
                              com.caucho.server.connection.ServletInputStreamImpl.read(byte[], int, int)
                              com.caucho.server.http.ServletInputStreamImpl.read(int)
                              com.caucho.server.http.ServletInputStreamImpl.read(byte[], int, int)
HTML injection                com.caucho.server.connection.AbstractHttpResponse.finish()
                              com.caucho.server.connection.AbstractHttpResponse.finishInvocation()
                              com.caucho.server.http.AbstractHttpResponse.finish()
                              com.caucho.server.http.AbstractHttpResponse.finishInvocation()

Jetty server

Purpose                       Method name
preRequest                    org.eclipse.jetty.server.Server.handle()
request                       org.eclipse.jetty.server.handler.HandlerWrapper.handle()
Request body caching          org.eclipse.jetty.server.HttpInput.read(int)
                              org.eclipse.jetty.server.HttpInput.read(byte[], int, int)
HTML injection                org.eclipse.jetty.server.HttpOutput.close()

WebSphere server

Purpose                       Method name
preRequest                    com.ibm.ws.webcontainer.WebContainer.handleRequest()
request                       com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters()
Request body caching          com.ibm.ws.webcontainer.srt.http.HttpInputStream.read(int)
                              com.ibm.ws.webcontainer.srt.http.HttpInputStream.read(byte[], int, int)
HTML injection                com.ibm.ws.webcontainer.srt.SRTServletResponse.finish()

PHP version

Attack detection

Check                         Method name
webshell callable             array_walk
                              array_map
                              array_filter
                              ReflectionFunction::__construct
Command execution             passthru
                              system
                              exec
                              shell_exec
                              proc_open
                              popen
                              pcntl_exec
Command execution (webshell)  passthru
                              system
                              exec
                              shell_exec
                              proc_open
                              popen
                              pcntl_exec
Directory listing             dir
                              scandir
                              opendir
XSS (echo)                    echo
File read                     file
                              readfile
                              file_get_contents
                              fopen
                              SplFileObject::__construct
File write                    file_put_contents
                              fopen
                              SplFileObject::__construct
File write (webshell)         file_put_contents
File copy                     copy
File move                     rename
File upload                   move_uploaded_file
File include                  include
File execution (webshell)     eval
                              assert (PHP 5 only)
SQL injection                 mysql_query (PHP 5 only)
                              mysqli_query
                              mysqli::query
                              mysqli_real_query
                              mysqli::real_query
                              mysqli_prepare
                              mysqli::prepare
                              PDO::query
                              PDO::exec
                              PDO::prepare
                              pg_query
                              pg_send_query
                              pg_prepare
                              SQLite3::query
                              SQLite3::exec
                              SQLite3::querySingle
SSRF                          curl_exec

Baseline checks

Check                         Method name
Database connection account   mysql_connect (PHP 5 only)
                              mysql_pconnect (PHP 5 only)
                              mysqli::__construct
                              mysqli::connect
                              mysqli_connect
                              mysqli::real_connect
                              mysqli_real_connect
                              PDO::__construct
                              pg_connect
                              pg_pconnect