CN110879891B - Vulnerability detection method and device based on web fingerprint information - Google Patents


Info

Publication number: CN110879891B
Authority: CN (China)
Prior art keywords: web, fingerprint information, penetration, information, target
Legal status: Active
Application number: CN201910747265.0A
Other languages: Chinese (zh)
Other versions: CN110879891A
Inventor: 田跃
Current Assignee: Qax Technology Group Inc; Secworld Information Technology Beijing Co Ltd
Original Assignee: Qax Technology Group Inc; Secworld Information Technology Beijing Co Ltd
Priority date:
Filing date:
Publication date:

Events: application filed by Qax Technology Group Inc and Secworld Information Technology Beijing Co Ltd; priority to CN201910747265.0A; publication of CN110879891A; application granted; publication of CN110879891B; legal status Active; anticipated expiration.

Classifications

    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577: Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a vulnerability detection method and device based on web fingerprint information. The method comprises the following steps: determining a web site of a penetration target, where the penetration target is a network system connected through a network; collecting web fingerprint information of the web site; and detecting external vulnerabilities of the penetration target using the web fingerprint information. The method and device solve the technical problem in the related art that vulnerability detection cannot be carried out through web fingerprint information.

Description

Vulnerability detection method and device based on web fingerprint information
Technical Field
The invention relates to the field of network security, in particular to a vulnerability detection method and device based on web fingerprint information.
Background
A network attack is an attack launched against electronic equipment by hackers, viruses, Trojans and the like; it causes heavy losses to users, for example by stealing files. A penetration test is a process that simulates such an attack in order to discover problems in advance and remediate them in time.
In the related art, generally only web sites whose framework information is already known can be attacked, and the framework information of a web site cannot be collected automatically. The fingerprint identification methods currently on the market are single-purpose, cannot identify special fingerprints, and their identification rules produce a large number of false positives.
In view of the above problems in the related art, no effective solution has been found yet.
Disclosure of Invention
Embodiments of the invention provide a vulnerability detection method and device based on web fingerprint information.
According to one embodiment of the invention, a vulnerability detection method based on web fingerprint information is provided, comprising the following steps: determining a web site of a penetration target, where the penetration target is a network system connected through a network; collecting web fingerprint information of the web site; and detecting external vulnerabilities of the penetration target using the web fingerprint information.
Optionally, collecting web fingerprint information of the web site includes gathering at least one of the following kinds of framework information of the web site: development language, operating system of the deployment server, middleware, third-party general-purpose code framework used, content management system (CMS), content delivery network (CDN).
Optionally, collecting web fingerprint information of the web site includes: sending a hypertext transfer protocol (HTTP) request to the web server of the web site; receiving web page information returned by the web site in response to the HTTP request; and detecting the web fingerprint information from the web page information.
Optionally, detecting the web fingerprint information from the web page information includes: finding the status code in the web page information; judging from the status code whether a specified page exists on the web site; and determining the web fingerprint information from the specified page.
Optionally, detecting the web fingerprint information from the web page information includes: computing the hash value of a specified file in the web page information; and determining the web fingerprint information from the hash value.
Optionally, detecting the web fingerprint information from the web page information includes: searching for a specified keyword in the body of the response packet carrying the web page source code, and/or searching for a specified character string in the header of that packet, and/or searching for a regular-expression string in the header of that packet, where the web page information comprises the web page source code and the regular-expression string is a character string pattern expressed as a regular expression; and determining the web fingerprint information from at least one of the specified keyword, the specified character string and the regular-expression string.
Optionally, after detecting external vulnerabilities of the penetration target using the web fingerprint information, the method further comprises: obtaining operation authority on the penetration target by using an external vulnerability; and performing a penetration operation on the network system using that operation authority.
Optionally, detecting external vulnerabilities of the penetration target using the web fingerprint information includes: selecting, from a preset plugin library, a detection plugin matched to the web fingerprint information; and calling the detection plugin to identify external service ports provided by the penetration target.
According to another embodiment of the present invention, a vulnerability detection apparatus based on web fingerprint information is provided, comprising: a determining module for determining a web site of a penetration target, where the penetration target is a network system connected through a network; an acquisition module for acquiring web fingerprint information of the web site; and a detection module for detecting external vulnerabilities of the penetration target using the web fingerprint information.
Optionally, the acquisition module includes an acquisition unit for gathering at least one of the following kinds of framework information of the web site: development language, operating system of the deployment server, middleware, third-party general-purpose code framework used, content management system (CMS), content delivery network (CDN).
Optionally, the acquisition module includes: a sending unit configured to send a hypertext transfer protocol (HTTP) request to the web server of the web site; a receiving unit for receiving web page information returned by the web site in response to the HTTP request; and a detection unit for detecting the web fingerprint information from the web page information.
Optionally, the detection unit includes: a first searching subunit for finding the status code in the web page information; a judging subunit for judging from the status code whether a specified page exists on the web site; and a first determining subunit for determining the web fingerprint information from the specified page.
Optionally, the detection unit includes: an identification subunit configured to compute the hash value of a specified file in the web page information; and a second determining subunit for determining the web fingerprint information from the hash value.
Optionally, the detection unit includes: a second searching subunit for searching for a specified keyword in the body of the response packet carrying the web page source code, and/or a specified character string in the header of that packet, and/or a regular-expression string in the header of that packet, where the web page information comprises the web page source code and the regular-expression string is a character string pattern expressed as a regular expression; and a third determining subunit configured to determine the web fingerprint information from at least one of the specified keyword, the specified character string and the regular-expression string.
Optionally, the apparatus further includes: an acquisition module for obtaining operation authority on the penetration target by using an external vulnerability after the detection module has detected external vulnerabilities of the penetration target using the web fingerprint information; and a penetration module for performing a penetration operation on the network system using that operation authority.
Optionally, the detection module includes: a selection unit for selecting, from a preset plugin library, a detection plugin matched to the web fingerprint information; and an identification unit for calling the detection plugin to identify external service ports provided by the penetration target.
According to a further embodiment of the invention, a storage medium is also provided in which a computer program is stored, the computer program being arranged to perform the steps of any of the method embodiments described above when run.
According to a further embodiment of the invention, an electronic device is also provided, comprising a memory in which a computer program is stored and a processor arranged to run the computer program so as to perform the steps of any of the method embodiments described above.
With the above method and device, the web site of the penetration target is determined, the web fingerprint information of the web site is collected, and finally external vulnerabilities of the penetration target are detected from the network outside the target's local area network using the web fingerprint information. This solves the technical problem in the related art that vulnerabilities cannot be detected through web fingerprint information, and allows more network vulnerabilities to be found during a penetration test.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a hardware block diagram of a vulnerability detection computer device based on web fingerprint information according to an embodiment of the present invention;
FIG. 2 is a flow chart of a vulnerability detection method based on web fingerprint information according to an embodiment of the present invention;
FIG. 3 is a logic flow diagram of identifying web fingerprint information according to an embodiment of the present invention;
FIG. 4 is an attack route diagram of a task node against a penetration target according to an embodiment of the present invention;
Fig. 5 is a block diagram of a vulnerability detection apparatus based on web fingerprint information according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application. It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
The method according to the first embodiment of the present application may be implemented in a computer device or a similar computing device. Taking the example of running on a computer device, fig. 1 is a hardware structure block diagram of a vulnerability detection computer device based on web fingerprint information according to an embodiment of the present application. As shown in fig. 1, the computer device 10 may include one or more (only one is shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a microprocessor MCU or a processing means such as a programmable logic device FPGA) and a memory 104 for storing data, and optionally, a transmission device 106 for communication functions and an input-output device 108. It will be appreciated by those of ordinary skill in the art that the configuration shown in FIG. 1 is merely illustrative and is not intended to limit the configuration of the computer device described above. For example, computer device 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store a computer program, for example, a software program of application software and a module, such as a computer program corresponding to a vulnerability detection method based on web fingerprint information in an embodiment of the present invention, and the processor 102 executes the computer program stored in the memory 104 to perform various functional applications and data processing, that is, implement the method described above. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 104 may further include memory located remotely from processor 102, which may be connected to computer device 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission means 106 is arranged to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communications provider of the computer device 10. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, simply referred to as a NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
In this embodiment, a vulnerability detection method based on web fingerprint information is provided, fig. 2 is a flowchart of a vulnerability detection method based on web fingerprint information according to an embodiment of the present invention, as shown in fig. 2, where the flowchart includes the following steps:
step S202, determining a web site of a penetration target, wherein the penetration target is a network system connected through a network;
The penetration target of this embodiment is a network system composed of hardware, software and a network, operated in a local area network and isolated from the wide area network by switches, firewalls and the like. The network system comprises electronic equipment and data programs, including servers, databases, business systems, the electronic equipment connected to the local area network and the operating systems installed on that equipment. Such penetration targets occur in scenarios with strong confidentiality or security requirements, in particular the internal networks of government organisations and the local area networks of financial institutions.
Step S204, collecting web fingerprint information of the web site;
And step S206, detecting the external vulnerability of the penetration target by using the web fingerprint information.
A vulnerability in this embodiment is a defect in the concrete implementation of hardware, software or protocols, or in a system security policy, that allows an attacker to access or damage the system without authorisation; an external vulnerability is such a defect in the network system that can be exploited by third-party equipment.
Through these steps, the web site of the penetration target is determined, the web fingerprint information of the web site is collected, and finally external vulnerabilities of the penetration target are detected from the network outside the local area network using the web fingerprint information. This solves the technical problem in the related art that vulnerability detection cannot be carried out through web fingerprint information, and allows more network vulnerabilities to be found during a penetration test.
The executing entity of this embodiment may be an electronic device such as a computer or tablet, connected either to the local area network where the penetration target is located or to the wide area network.
In this embodiment, collecting web fingerprint information of the web site includes gathering at least one of the following kinds of framework information of the web site: development language, operating system of the deployment server, middleware, third-party general-purpose code framework used, content management system (CMS), content delivery network (CDN). The web fingerprint information of this embodiment is composed of several kinds of framework information, for example: CMS information, such as the Chinese CMS products DedeCMS (织梦), EmpireCMS, PHPCMS and ECShop; front-end technology, such as HTML5, jQuery, Bootstrap, Pure and Ace; web server, such as Apache, lighttpd, Nginx and IIS; application server, such as Tomcat, JBoss, WebLogic and WebSphere; development language, such as PHP, Java, Ruby, Python and C#; operating system, such as Linux, Windows Server 2008 (win2k8), Windows 7, Kali and CentOS; CDN information, i.e. whether a CDN is used and which one, such as Cloudflare, 360CDN, 365cyd or Yunjiasu; WAF information, i.e. whether a WAF is used and which one, such as Topsec, Jiasule or Yundun; IP and domain name information, such as domain registration details and the service provider; and port information, since some software or platforms also probe the common ports that the server leaves open.
In one implementation of the present embodiment, collecting web fingerprint information for a web site includes:
S11: send a hypertext transfer protocol (HTTP) request to the web server of the web site.
The HTTP request of this embodiment may be, but is not limited to, a GET, POST or HEAD request, a request with custom request headers, or any other kind of request.
S12: receive the web page information returned by the web site in response to the HTTP request.
S13: detect the web fingerprint information from the web page information.
In one optional example, detecting web fingerprint information from web page information includes: finding the status code in the web page information; judging from the status code whether a specified page exists on the web site; and determining the web fingerprint information from the specified page.
In one optional example, detecting web fingerprint information from web page information includes: computing the hash value of a specified file in the web page information; and determining the web fingerprint information from the hash value.
In one optional example, detecting web fingerprint information from web page information includes: searching for a specified keyword in the body of the response packet carrying the web page source code, and/or searching for a specified character string in the header of that packet, and/or searching for a regular-expression string in the header of that packet, where the web page information comprises the web page source code and the regular-expression string is a character string pattern expressed as a regular expression; and determining the web fingerprint information from at least one of the specified keyword, the specified character string and the regular-expression string.
In one implementation of this embodiment, a CMS is identified by the MD5 of specific files. Static files such as favicon.ico, CSS files, logo images and JavaScript files are generally not modified by site operators; a crawler fetches these files and compares their MD5 values with the rule base, and a match indicates the same CMS. Alternatively, keywords contained in normal pages or error pages are identified: the home page or specific pages such as robots.txt are requested first, and keywords such as "Powered by Discuz" or "DedeCMS" are matched with regular expressions. An error page can also be deliberately triggered and the CMS or middleware in use judged from the error message, for example from the standard Tomcat error page.
This embodiment can also match web fingerprint information against keywords in the response headers of the web page information returned by the web server. Keyword matching is performed on the response headers returned by the site; tools such as WhatWeb and Wappalyzer identify fingerprints quickly from this banner information. Several identification methods based on response headers exist: inspecting the X-Powered-By field of the HTTP response header; judging from cookies, since some WAFs include identifying information in the response headers, such as 360wzws, safedog or yunsuo; judging from the Server field of the header, such as DVRDVS-webs, yunjiasu-nginx, mod_security or nginx-wallarm; and judging from the WWW-Authenticate field, which some routers and switches carry, e.g. NETCORE, Huawei or H3C.
This embodiment may also identify web fingerprint information from keywords contained in URLs, such as the URL features wp-includes and dede. A rule base is used to check whether the corresponding directories exist, link URLs from the crawler results are analysed, and the directories listed in robots.txt are probed, so that URL paths reveal whether a given CMS is in use. For example, WordPress by default has wp-includes and wp-admin directories, the default DedeCMS management back end is the dede directory, some software platforms may use a /software directory, and WebLogic may expose a wls-wsat directory.
When identifying the development language, the common web development languages are PHP, JSP, ASPX and ASP, and the identification methods are as follows. The simplest and most convenient is to obtain dynamic links through the crawler and judge directly from them; the ASP rule is a regular expression of the form <a[^>]*href=(['"])[^'"]*?\.asp(\?|#|\1), and other languages replace the asp extension accordingly. The X-Powered-By field of the site's HTTP response header can be used as the key for identification. Identification can also be performed through Set-Cookie: for example, Set-Cookie contains PHPSESSID for PHP, JSESSIONID for Java and ASP.NET_SessionId for ASPX.
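The following Python block is an added example, not code from the patent or from the assignee's product, showing how the rule types described in this section (status code of a specified page, MD5 of a specified static file, keywords in the packet body, substrings and regular expressions in the response headers, and dynamic-link, X-Powered-By and Set-Cookie checks for the development language) can be evaluated as one rule base over the responses collected from a target. The responses, the favicon bytes, the rule list and the product names in it are constructed for the example; the HTTP requests of step S11 are not sent, the block starts from already-received web page information.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Response:
    """Web page information returned for one request (step S12): status code,
    response headers (names lower-cased) and body bytes."""
    status: int
    headers: Dict[str, str]
    body: bytes


@dataclass
class Rule:
    """One fingerprint rule. 'path' is the specified page the rule is evaluated on;
    every condition that is set must hold for the rule to fire."""
    product: str
    kind: str                                        # cms, middleware, server, waf, ...
    path: str = "/"
    status: Optional[int] = None                     # specified page exists / error page
    body_keyword: Optional[str] = None               # keyword in the packet body
    header: Optional[Tuple[str, str]] = None         # (header name, substring)
    header_regex: Optional[Tuple[str, str]] = None   # (header name, regular expression)
    file_md5: Optional[str] = None                   # MD5 of a specified static file


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def rule_matches(rule: Rule, resp: Response) -> bool:
    if rule.status is not None and resp.status != rule.status:
        return False
    if rule.body_keyword and rule.body_keyword.encode() not in resp.body:
        return False
    if rule.header:
        name, needle = rule.header
        if needle.lower() not in resp.headers.get(name.lower(), "").lower():
            return False
    if rule.header_regex:
        name, pattern = rule.header_regex
        if not re.search(pattern, resp.headers.get(name.lower(), ""), re.I):
            return False
    if rule.file_md5 and md5_hex(resp.body) != rule.file_md5:
        return False
    return True


def fingerprint(responses: Dict[str, Response], rules: List[Rule]) -> Dict[str, Set[str]]:
    """Evaluate each rule against the response for its own page; a rule whose
    page was never fetched cannot fire. Matched products are grouped by kind."""
    found: Dict[str, Set[str]] = {}
    for rule in rules:
        resp = responses.get(rule.path)
        if resp is not None and rule_matches(rule, resp):
            found.setdefault(rule.kind, set()).add(rule.product)
    return found


# Development-language checks: dynamic link extensions, X-Powered-By, Set-Cookie.
LINK_EXT = re.compile(r"""href=(['"])[^'"]*?\.(php|jsp|aspx?)(?:\?|#|\1)""", re.I)
EXT_LANG = {"php": "PHP", "jsp": "Java", "asp": "ASP", "aspx": "ASP.NET"}
SESSION_COOKIES = {"phpsessid": "PHP", "jsessionid": "Java", "asp.net_sessionid": "ASP.NET"}


def detect_language(resp: Response) -> Set[str]:
    langs: Set[str] = set()
    for m in LINK_EXT.finditer(resp.body.decode("utf-8", "replace")):
        langs.add(EXT_LANG[m.group(2).lower()])
    powered = resp.headers.get("x-powered-by", "").lower()
    if powered.startswith("php"):
        langs.add("PHP")
    elif powered.startswith("asp.net"):
        langs.add("ASP.NET")
    cookies = resp.headers.get("set-cookie", "").lower()
    for name, lang in SESSION_COOKIES.items():
        if name + "=" in cookies:
            langs.add(lang)
    return langs


# Constructed stand-in for a CMS favicon; a real rule base stores only the digest.
WP_FAVICON_SAMPLE = b"\x00\x00\x01\x00constructed-favicon-bytes"

RULES = [
    Rule("WordPress", "cms", body_keyword="Powered by WordPress"),
    Rule("WordPress", "cms", path="/wp-admin/", status=200),
    Rule("WordPress", "cms", path="/favicon.ico", file_md5=md5_hex(WP_FAVICON_SAMPLE)),
    Rule("DedeCMS", "cms", body_keyword="DedeCMS"),
    Rule("Apache Tomcat", "middleware", path="/no-such-page", status=404, body_keyword="Apache Tomcat"),
    Rule("nginx", "server", header_regex=("Server", r"^nginx")),
    Rule("Yunjiasu WAF", "waf", header=("Server", "yunjiasu")),
    Rule("Safedog WAF", "waf", header=("Set-Cookie", "safedog")),
]


def demo() -> Dict[str, Set[str]]:
    # Constructed responses for one target (not captured from any real host).
    responses = {
        "/": Response(200, {"server": "nginx/1.18.0", "x-powered-by": "PHP/7.4.3",
                            "set-cookie": "PHPSESSID=c0ffee; path=/"},
                      b"<html><link href='/wp-includes/css/a.css'>"
                      b"<a href='/index.php?p=1'>Powered by WordPress</a></html>"),
        "/wp-admin/": Response(200, {"server": "nginx/1.18.0"}, b"<form>login</form>"),
        "/favicon.ico": Response(200, {"server": "nginx/1.18.0"}, WP_FAVICON_SAMPLE),
        "/no-such-page": Response(404, {"server": "nginx/1.18.0"}, b"<center>nginx</center>"),
    }
    found = fingerprint(responses, RULES)
    found.setdefault("language", set()).update(detect_language(responses["/"]))
    return found


if __name__ == "__main__":
    print(demo())
```

Each rule is tied to the page it was written for, so a 404 for the Tomcat error-page rule never fires against the home page, and a WAF rule that looks at Set-Cookie is not satisfied by a similar string in the body; keeping those scopes narrow is what holds down the false positives the background section complains about.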
FIG. 3 is a logic flow diagram of an embodiment of the present invention for identifying web fingerprint information, each piece of information (e.g., webCMS, middleware, development language, etc.) in the web fingerprint information corresponding to a set of fingerprint identification rules.
In this embodiment, web fingerprint recognition is mainly used for discovering architecture information of web sites, so as to more deeply mine vulnerabilities existing in the web sites. For example, a development language, an operating system deploying a server, middleware, a third party code generic framework used, etc., the discovery means are as follows: judging whether the designated page exists or not; by identifying the HASH value of a particular file; designating keywords in the page content; the data responds to the tag string or rule specific to the header information.
Optionally, after detecting the external vulnerability of the penetration target by using the web fingerprint information in the external network of the local area network, the method further includes: obtaining the operation authority of the penetration target by utilizing the external loopholes; the operation authority is used to perform the infiltration operation on the network system. Wherein the osmotic operation comprises at least one of: and accessing a business system of the penetration target, accessing local data of the penetration target, and performing transverse penetration in an intranet of the penetration target. The service system includes a website server, a database, etc., such as frequently accessing the website server, frequently sending the same instruction, etc., and when the service system exceeds the upper processing limit, it may cause downtime or crash, and the local data in this embodiment includes sharable data in the local area network, and data stored in each device connected through the local area network, etc.
In this embodiment, the detected available vulnerabilities are packaged, a complex vulnerability exploitation process is integrated into a plug-in library, when vulnerability exploitation is required, a responsive input one-key retrieval display result, such as a system command, is executed, and for a user, only the command to be executed needs to be input, and the command execution result can be obtained by clicking an execution button (or automatic triggering of the system), without concern about the complex vulnerability exploitation process. For example, after the weblogic deserialization loopholes are found, operations such as command execution, file uploading, interaction shell rebound and the like can be directly performed through advanced utilization functions. The permeate personnel only need to input the target address, and can perform the discovery and utilization process of the loopholes by one key. The function of single vulnerability exploitation is provided for some vulnerabilities which cannot be fully automatically discovered, and a penetrating person can exploit the vulnerability by one key only by inputting corresponding parameters, such as the exploitation of fastjson vulnerabilities. Meanwhile, the method can also be used for utilizing known vulnerabilities, such as inputting oracle account passwords, carrying out one-key rights, executing system commands and the like. This functionality greatly simplifies the exploit process.
The present embodiment instructs the execution of the penetration operation by sending the penetration instruction to the penetration target, and before sending the penetration instruction to the target server of the penetration target, the penetration target needs to pass through the gateway and the protection system of the penetration target, including WAF, IDS (Intrusion Detection System ), IPS (Intrusion Prevention System, intrusion prevention system), monitoring device, router, switch. The method for adding various means for bypassing WAF in the underlying package program and automatically selecting WAF according to the target condition comprises the following steps: 1. filling a large amount of useless data in the data packet head to bypass the resource limit detection type WAF;2. bypassing rule detection type WAF by adopting coding, deformation, function replacement of the same type, annotation processing, word segmentation and grammar characteristics of a database; 3. the protocol conversion, the protocol format change and the protocol replacement bypass the protocol layer detection type WAF;4. the WAF is bypassed using autonomously discovered packet fragmented transport techniques. The slicing transmission is to divide data to be transmitted into a plurality of data packets every three bytes, and transmit the data packets to a target server individually, so as to avoid a detection means according to the content matching of the data packets, and embed the slicing technology of the embodiment in a bottom layer program for transmitting HTTP data packets.
In this embodiment, in one implementation manner of this embodiment, the method further includes: and determining the external vulnerability as a dangerous entrance of the local area network, determining the operation authority as an illegal authority of the network system, and generating a penetration test report of the penetration target.
This embodiment can customize a specified detection scheme according to the running environment of the penetration target, for example a scenario for detecting a recently disclosed vulnerability, a scenario for detecting weak mail passwords, a scenario for detecting industrial control vulnerabilities, and the like. Scenario detection is supported, and scenarios including at least conventional testing, attack and defense exercises, cyber range exercises and security capability assessment can be quickly customized on demand, meeting the need for customized scenario-based vulnerability discovery. A single penetration task does not limit the number of targets added, and tasks can be executed in a distributed and concurrent manner, ensuring efficient vulnerability discovery.
Fig. 4 is an attack route diagram of task nodes for a penetration target according to an embodiment of the present invention; it illustrates the flow from information collection to post-penetration attack, where each task node may carry out a penetration test. In this embodiment, each function may be implemented by a functional module arranged in the penetration apparatus, including:
Information collection module: before penetration testing, various means are used to collect information about the penetration target. The information collection module is mainly used to complete the information collection of the penetration target.
Vulnerability detection module: this module automatically detects the vulnerabilities of the penetration target. Vulnerability detection is divided into two modes, a website URL detection mode and an IP address detection mode. In the website URL detection mode, fingerprint information such as the middleware, the general website framework, the development language and the operating system is collected by fingerprinting the target, and the vulnerability plugins related to this information are looked up in the plugin library to find the existing vulnerabilities. In the IP address detection mode, a port scan is performed on the target, the externally open services are found, the corresponding service types are identified, the vulnerability plugins related to those service types are looked up, and whether a vulnerability exists is judged.
The vulnerability plugin library comprises a plurality of vulnerability plugins, and the vulnerability coverage spans web, middleware, database, network equipment, operating system, intelligent device, mobile terminal and industrial control equipment systems. The vulnerability types that can be found include, but are not limited to, SQL (Structured Query Language) injection, XXE (XML External Entity) injection, XSS (cross-site scripting), arbitrary file upload, arbitrary file download, arbitrary file operation, information leakage, weak passwords, local file inclusion, directory traversal, command execution, misconfiguration, and the like. Some plugins also provide advanced functions for one-click exploitation. The advanced functions include executing commands, executing SQL, uploading files, reverse shell, uploading GTwebshell, downloading files, and the like. The vulnerability plugin library is maintained by 360 personnel with many years of penetration experience.
The web fingerprint library can identify a variety of CMSs (content management systems), up to a number of total rules. The system service fingerprint library integrates the fingerprint library of the NMAP tool and can meet the type and version identification needs of conventional system services. Scenario detection is supported, and scenarios including at least conventional testing, attack and defense exercises, cyber range exercises and security capability assessment can be quickly customized on demand, meeting the need for customized scenario-based vulnerability discovery. A single task does not limit the number of targets added, and tasks can be executed in a distributed and concurrent manner, ensuring efficient vulnerability discovery.
Vulnerability exploitation module: the exploitation module is used to solve two problems. First, it provides a single-vulnerability exploitation function for vulnerabilities that cannot be discovered fully automatically; for example, when some target addresses cannot be obtained automatically by a crawler or other means, the penetration tester can exploit the vulnerability with this module by manually filling in the corresponding parameters only. Second, it can directly detect whether a specified vulnerability exists and further exploit it. This function can simplify complex exploitation processes, such as entering an Oracle account password, performing one-click privilege escalation, executing system commands, and the like. In addition, the module provides the advanced exploitation functions, including executing commands, executing SQL, uploading files, reverse shell, uploading GTwebshell, downloading files, and the like, which can be used for exploitation.
Post-penetration module: the post-penetration module performs lateral movement within the target, for example discovering the network topology of the intranet, discovering vulnerabilities in intranet databases, discovering the location of the mail server, and even obtaining privileges on the office network segment, the operation and maintenance hosts or the domain controller. The post-penetration module comprises a remote control system that can control 16 platforms such as Windows, Linux, Unix, Android, iOS, AIX, BSD, Cisco, OS X and the like, and supports more than 30 architectures such as x86, x64, ARM, SPARC, PPC and the like. For the controlled end, generation of controlled-end agents in various formats is supported, including executable file formats such as exe, elf, PowerShell, vbs, dll and the like, as well as generation of raw shellcode. The external network weak points marked by other vulnerabilities are connected to the post-penetration module, and the post-penetration plugins can be used to realize host information collection, host privilege escalation, intranet topology discovery, host forensics, password acquisition, system screenshots, keystroke recording, and the like.
Plugin management module: plugins can be written quickly according to the relevant documentation, and the tool also provides an automatic code generation function to facilitate plugin writing. Plugin library management supports submitting and importing new plugins at any time, and new plugins are loaded without delay by means of a dynamic import loading technique. To ensure the validity and accuracy of plugins, enable and disable operations are provided so that the rules of the plugin library can be configured conveniently at any time. A plugin auditing mechanism is added to better maintain the plugin library, ensuring that the plugins in it are of high quality. The plugin library management system has a complete plugin library management function and supports submitting plugins, viewing the plugin list and reviewing plugins.
Fingerprint management module: fingerprint management is designed primarily for maintaining the fingerprint library, where all rule information in the fingerprint library can be viewed. The fingerprint management module provides a fingerprint submission function so that penetration testers can add fingerprint information at any time. Using the dynamic import technique, new fingerprints are loaded into the fingerprint library without delay. The added fingerprint rules support general web frameworks, middleware, development languages, third-party frameworks, and the like. The recognition means support character strings, MD5 hashes, packet headers, status codes of special pages, and the like. To better maintain the fingerprint library, a fingerprint auditing mechanism is added, ensuring that the rules in the fingerprint library are high-quality fingerprint rules. Fingerprint management includes the functions of submitting a fingerprint, listing fingerprints and reviewing fingerprints.
WAF bypass technique module: many WAF (Web Application Firewall, a web application level intrusion prevention system) protections are deployed at network nodes, and this module is used to bypass those protections.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by software plus the necessary general hardware platform, or of course by hardware alone, but in many cases the former is the preferred embodiment. Based on such understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, etc.) to perform the method according to the embodiments of the present invention.
Example 2
This embodiment also provides a vulnerability detection device based on web fingerprint information, which is used to implement the above embodiment and its preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 5 is a block diagram of a vulnerability detection apparatus based on web fingerprint information according to an embodiment of the present invention, which may be applied to a server. As shown in Fig. 5, the apparatus includes a determining module 50, a collection module 52 and a detection module 54, where:
the determining module 50 is configured to determine a web site of a penetration target, the penetration target being a network system connected through a network;
the collection module 52 is configured to collect web fingerprint information of the web site; and
the detection module 54 is configured to detect an external vulnerability of the penetration target using the web fingerprint information.
Optionally, the collection module includes a collection unit configured to collect at least one of the following framework information of the web site: the development language, the operating system of the deployment server, the middleware, the general third-party code framework used, the content management system (CMS) and the content delivery network (CDN).
Optionally, the collection module includes: a sending unit configured to send a Hypertext Transfer Protocol (HTTP) request to the website server of the web site; a receiving unit configured to receive the web page information fed back by the web site in response to the HTTP request; and a detection unit configured to detect the web fingerprint information from the web page information.
Optionally, the detection unit includes: a first searching subunit configured to search for the status code in the web page information; a judging subunit configured to judge, according to the status code, whether the web site has a designated page; and a first determining subunit configured to determine the web fingerprint information according to the designated page.
Optionally, the detection unit includes: an identification subunit configured to identify the HASH value of a specified file in the web page information; and a second determining subunit configured to determine the web fingerprint information according to the HASH value.
Optionally, the detection unit includes: a second searching subunit configured to search for a specified keyword in the packet body of the web page source code, and/or search for a specified character string in the packet header of the web page source code, and/or search for a regular character string in the packet header of the web page source code, where the web page information comprises the web page source code and a regular character string is a combination of characters specified by a regular expression; and a third determining subunit configured to determine the web fingerprint information according to at least one of the specified keyword, the specified character string and the regular character string.
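The four recognition modes of the detection unit (status code of a designated page, HASH of a specified file, keyword in the page body, literal or regular-expression string in the packet header) and the subsequent selection of detection plugins matching the fingerprint information, as an added Python example that is not the patent's own code. All rules, captured responses and plugin names are constructed for illustration; the example evaluates rules offline against already-captured responses rather than sending HTTP requests.

```python
"""Added example (not the patent's own code): a fingerprint matcher that
implements the four recognition modes the patent lists, then selects the
detection plugins that apply to the recognised fingerprints.
All rules, responses and plugin names below are constructed."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    """One captured HTTP response for a requested path (constructed offline)."""
    path: str
    status: int
    headers: Dict[str, str]
    body: bytes


@dataclass
class FingerprintRule:
    """One rule in the fingerprint library; every field that is set must match."""
    name: str                                       # framework/middleware/CMS named
    path: str = "/"                                 # page whose response is inspected
    status: Optional[int] = None                    # expected status code of that page
    md5: Optional[str] = None                       # expected MD5 of the file at path
    keyword: Optional[str] = None                   # keyword expected in the body
    header: Optional[Tuple[str, str]] = None        # (header name, literal substring)
    header_regex: Optional[Tuple[str, str]] = None  # (header name, regular expression)


def header_value(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; a missing header behaves as empty."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def rule_matches(rule: FingerprintRule, responses: Dict[str, Response]) -> bool:
    """Apply every condition the rule sets to the response for the rule's path."""
    resp = responses.get(rule.path)
    if resp is None:                       # page never fetched: cannot match
        return False
    checks = []
    if rule.status is not None:            # mode 1: status code of designated page
        checks.append(resp.status == rule.status)
    if rule.md5 is not None:               # mode 2: HASH of specified file
        checks.append(hashlib.md5(resp.body).hexdigest() == rule.md5)
    if rule.keyword is not None:           # mode 3: keyword in packet body
        checks.append(rule.keyword.encode() in resp.body)
    if rule.header is not None:            # mode 4a: literal string in header
        name, literal = rule.header
        checks.append(literal in header_value(resp.headers, name))
    if rule.header_regex is not None:      # mode 4b: regular string in header
        name, pattern = rule.header_regex
        checks.append(re.search(pattern, header_value(resp.headers, name)) is not None)
    # A rule with no conditions would match everything; treat it as no match.
    return bool(checks) and all(checks)


def identify(rules: List[FingerprintRule], responses: Dict[str, Response]) -> List[str]:
    """Return the fingerprint names recognised from the captured responses."""
    return sorted({r.name for r in rules if rule_matches(r, responses)})


def select_plugins(fingerprints: List[str], plugin_library: Dict[str, str]) -> List[str]:
    """Pick the detection plugins whose required fingerprint was recognised."""
    wanted = set(fingerprints)
    return sorted(p for p, needs in plugin_library.items() if needs in wanted)


# --- constructed sample data (not real rules, sites or plugins) -----------------
FAVICON = b"constructed favicon bytes"

RULES = [
    FingerprintRule("nginx", header=("Server", "nginx")),
    FingerprintRule("PHP", header_regex=("X-Powered-By", r"^PHP/\d+\.\d+")),
    FingerprintRule("WordPress", keyword='name="generator" content="WordPress'),
    FingerprintRule("WordPress", path="/wp-login.php", status=200, keyword="loginform"),
    FingerprintRule("ExampleCMS", path="/favicon.ico", md5=hashlib.md5(FAVICON).hexdigest()),
    FingerprintRule("Apache Tomcat", header=("Server", "Apache-Coyote")),
]

RESPONSES = {
    "/": Response("/", 200, {"Server": "nginx/1.18.0", "x-powered-by": "PHP/7.4.3"},
                  b'<html><head><meta name="generator" content="WordPress 5.4" />'),
    "/wp-login.php": Response("/wp-login.php", 200, {},
                              b'<form name="loginform" id="loginform">'),
    "/favicon.ico": Response("/favicon.ico", 200, {}, FAVICON),
}

# Hypothetical plugin library: plugin name -> fingerprint it applies to.
PLUGIN_LIBRARY = {
    "wordpress_core_version_check": "WordPress",
    "php_info_disclosure_check": "PHP",
    "tomcat_manager_exposure_check": "Apache Tomcat",
    "nginx_version_disclosure_check": "nginx",
}

if __name__ == "__main__":
    found = identify(RULES, RESPONSES)
    print("fingerprints:", found)
    print("plugins:", select_plugins(found, PLUGIN_LIBRARY))
```

The same rule structure serves the website URL detection mode of the vulnerability detection module: the recognised fingerprint names are the key under which related plugins are looked up, and a plugin whose fingerprint was not observed (Apache Tomcat here) is never selected.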
Optionally, the apparatus further includes: an acquisition module configured to acquire the operation authority of the penetration target by utilizing the external vulnerability after the detection module has detected the external vulnerability of the penetration target using the web fingerprint information; and a penetration module configured to perform the penetration operation on the network system using the operation authority.
It should be noted that each of the above modules may be implemented by software or hardware; in the latter case, they may be implemented by, but not limited to, the following: the modules are all located in the same processor, or the above modules are located in different processors in any combination.
Example 3
An embodiment of the invention also provides a storage medium in which a computer program is stored, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
Optionally, in the present embodiment, the above storage medium may be configured to store a computer program for performing the following steps:
S1, determining a web site of a penetration target, where the penetration target is a network system connected through a network;
S2, collecting web fingerprint information of the web site;
S3, detecting the external vulnerability of the penetration target by using the web fingerprint information.
Optionally, in the present embodiment, the storage medium may include, but is not limited to: a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing a computer program.
An embodiment of the invention also provides an electronic device comprising a memory in which a computer program is stored and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the electronic device may further include a transmission device and an input/output device, where the transmission device is connected to the processor and the input/output device is connected to the processor.
Optionally, in the present embodiment, the above processor may be configured to execute the following steps by means of a computer program:
S1, determining a web site of a penetration target, where the penetration target is a network system connected through a network;
S2, collecting web fingerprint information of the web site;
S3, detecting the external vulnerability of the penetration target by using the web fingerprint information.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiments and optional implementations, which are not repeated here.
The foregoing embodiment numbers of the present application are merely for the purpose of description and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present application, each embodiment emphasizes different aspects; for any part not described in detail in one embodiment, reference is made to the related descriptions of the other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology may be implemented in other manners. The above-described apparatus embodiments are merely exemplary; for example, the division of the units is merely a logical function division and may be implemented in another manner: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling or communication connection shown or discussed may be through some interfaces, units or modules, and may be electrical or take other forms.
The units described as separate parts may or may not be physically separate, and the parts shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or as software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or other media capable of storing program code.
The foregoing is merely a preferred embodiment of the present application; it should be noted that those skilled in the art may make modifications and adaptations without departing from the principles of the present application, and these are intended to fall within the scope of the present application.

Claims (10)

1. A vulnerability detection method based on web fingerprint information, characterized by comprising the following steps:
determining a web site of a penetration target, wherein the penetration target is a network system connected through a network;
collecting web fingerprint information of the web site;
detecting an external vulnerability of the penetration target by using the web fingerprint information;
acquiring the operation authority of the penetration target by using the external vulnerability; and
performing a penetration operation on the network system using the operation authority, wherein the penetration operation comprises at least one of: accessing the business system of the penetration target, accessing the local data of the penetration target, and performing lateral penetration into the intranet of the penetration target.
2. The method of claim 1, wherein gathering web fingerprint information for the web site comprises:
Gathering at least one of the following framework information of the web site: development language, operating system of deployment server, middleware, third party code general framework used, content management system CMS, content delivery network CDN.
3. The method of claim 1, wherein gathering web fingerprint information for the web site comprises:
sending a hypertext transfer protocol (HTTP) request to a website server of the web website;
receiving webpage information fed back by the web site based on the HTTP request;
And detecting the web fingerprint information according to the web page information.
4. The method of claim 3, wherein detecting the web fingerprint information from the web page information comprises:
searching a status code in the webpage information;
Judging whether a specified page exists in the web site according to the status code;
and determining the web fingerprint information according to the designated page.
5. The method of claim 3, wherein detecting the web fingerprint information from the web page information comprises:
Identifying a HASH value of the designated file in the web page information;
and determining the web fingerprint information according to the HASH value.
6. The method of claim 3, wherein detecting the web fingerprint information from the web page information comprises:
searching for a specified keyword in the packet body of the web page source code, and/or searching for a specified character string in the packet header of the web page source code, and/or searching for a regular character string in the packet header of the web page source code, wherein the web page information comprises the web page source code and the regular character string is a combination of characters specified by a regular expression; and
determining the web fingerprint information according to at least one of: the specified keyword, the specified character string and the regular character string.
7. The method of claim 1, wherein detecting an external vulnerability of the penetration target using the web fingerprint information comprises:
selecting a detection plugin matched with the web fingerprint information from a preset plugin library;
and calling the detection plug-in to identify an external service port provided by the penetration target.
8. A vulnerability detection device based on web fingerprint information, comprising:
a determining module configured to determine a web site of a penetration target, wherein the penetration target is a network system connected through a network;
a collection module configured to collect web fingerprint information of the web site;
a detection module configured to detect an external vulnerability of the penetration target by using the web fingerprint information;
an acquisition module configured to acquire the operation authority of the penetration target by utilizing the external vulnerability; and
a penetration module configured to perform a penetration operation on the network system using the operation authority, wherein the penetration operation comprises at least one of: accessing the business system of the penetration target, accessing the local data of the penetration target, and performing lateral penetration into the intranet of the penetration target.
9. A storage medium having a computer program stored therein, wherein the computer program is arranged to perform the method of any of claims 1 to 7 when run.
10. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to run the computer program to perform the method of any of claims 1 to 7.
CN201910747265.0A 2019-08-14 2019-08-14 Vulnerability detection method and device based on web fingerprint information Active CN110879891B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910747265.0A CN110879891B (en) 2019-08-14 2019-08-14 Vulnerability detection method and device based on web fingerprint information

Publications (2)

Publication Number Publication Date
CN110879891A CN110879891A (en) 2020-03-13
CN110879891B true CN110879891B (en) 2024-08-23

Family

ID=69727412

Country Status (1)

Country Link
CN (1) CN110879891B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111737702A (en) * 2020-06-22 2020-10-02 四川长虹电器股份有限公司 Web fingerprint identification method based on Chebyshev inequality
CN111898133A (en) * 2020-07-23 2020-11-06 昆山领创信息科技有限公司 Penetration testing device and method based on automation
CN112087455B (en) * 2020-09-10 2022-10-21 杭州安恒信息技术股份有限公司 WAF site protection rule generation method, system, equipment and medium
CN112468360A (en) * 2020-11-13 2021-03-09 北京安信天行科技有限公司 Asset discovery identification and detection method and system based on fingerprint
CN115941280B (en) * 2022-11-10 2024-01-26 北京源堡科技有限公司 Penetration method, device, equipment and medium based on web fingerprint information

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103065095A (en) * 2013-01-29 2013-04-24 四川大学 WEB vulnerability scanning method and vulnerability scanner based on fingerprint recognition technology
CN103297394A (en) * 2012-02-24 2013-09-11 阿里巴巴集团控股有限公司 Website security detection method and device
CN103324886A (en) * 2013-06-05 2013-09-25 中国科学院计算技术研究所 Method and system for extracting fingerprint database in network intrusion detection
CN108063759A (en) * 2017-12-05 2018-05-22 西安交大捷普网络科技有限公司 Web vulnerability scanning methods
CN109190380A (en) * 2018-08-20 2019-01-11 杭州安恒信息技术股份有限公司 The method and system that batch website loophole quickly detects are realized based on web fingerprint

Also Published As

Publication number Publication date
CN110879891A (en) 2020-03-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Country or region after: China

Address after: 100032 NO.332, 3rd floor, Building 102, 28 xinjiekouwai street, Xicheng District, Beijing

Applicant after: QAX Technology Group Inc.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: 100032 NO.332, 3rd floor, Building 102, 28 xinjiekouwai street, Xicheng District, Beijing

Applicant before: QAX Technology Group Inc.

Country or region before: China

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

GR01 Patent grant