CN111191237A - A WEB backdoor detection device and detection method based on RCE vulnerability - Google Patents


Info

Publication number: CN111191237A
Authority: CN (China)
Prior art keywords: vulnerability, task, rce, web, feature
Legal status: Granted; currently active
Application number: CN201911319681.7A
Other languages: Chinese (zh)
Other versions: CN111191237B (en)
Inventors: 娄宇, 范渊
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Application filed by DBAPPSecurity Co Ltd; priority to CN201911319681.7A
Priority date and filing date: 2019-12-19
Publication of CN111191237A (application): 2020-05-22
Publication of CN111191237B (granted patent): 2022-08-30

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities


Abstract

The invention relates to a WEB backdoor detection device and detection method based on RCE vulnerabilities. After initialization, a feature collection module collects features and processes them to obtain a feature library; after the device is started, a task is issued, a task receiving module receives the task and a task execution module executes it, performing vulnerability identification and detecting WEB backdoors, and a result output module outputs the detection result. By exploiting an RCE vulnerability, the invention can remotely obtain the directory tree of a website and the source files of all of its webpage files, then perform feature identification on the webpages and detect WEB backdoors that exist as orphan links, thereby realizing remote static detection and removal of a website's WEB backdoors.

Description

WEB backdoor detection device and detection method based on RCE vulnerability
Technical Field
The invention relates to a WEB backdoor detection device and detection method based on RCE vulnerabilities.
Background
A WEB backdoor is a command execution environment in the form of a WEB page file such as ASP, PHP, JSP or CGI, also called a WebShell. After intruding into a normal website, a hacker usually mixes an ASP or PHP backdoor file in with the normal WEB page files in the WEB directory of the website server; the backdoor can then be accessed with a browser to obtain a command execution environment and thereby control the website server. A WEB backdoor is thus a malicious webpage, embedded into a normal website by a hacker, that can execute commands; it is generally hidden and hard to discover.
In the prior art, WEB crawler technology is used to actively detect WEB backdoors by identifying suspicious WEB paths. However, since a WEB backdoor is implanted by a hacker through a website vulnerability and is generally placed in a relatively hidden location, and since no website access traffic to it exists under remote monitoring, the WEB backdoor cannot be found by crawling.
A website with a WEB backdoor typically has an intrusion point that hackers can exploit, such as a remote code execution vulnerability (RCE vulnerability), which allows an attacker to execute a malicious program while a user is running an application and to control the affected system; once the attacker has access to the system, it will try to escalate its privileges.
Disclosure of Invention
The invention solves the problems of the prior art by providing an optimized WEB backdoor detection device and method based on RCE vulnerabilities: it detects whether a website has a remote code execution vulnerability, uses that vulnerability to execute code that retrieves the source code of the website's webpage files, and detects WEB backdoors by feature matching.
The technical scheme adopted by the invention is a WEB backdoor detection method based on RCE vulnerabilities comprising the following steps:
step 1: initializing, collecting features, and processing them to obtain a feature library;
step 2: starting the device and issuing a task;
step 3: executing the task, performing vulnerability identification, and detecting a WEB backdoor;
step 4: outputting the detection result.
Preferably, in step 1, collecting and processing features to obtain the feature library comprises the following steps:
step 1.1: downloading known WEB backdoor source code and adding the collected source code to a source code feature matching set A;
step 1.2: obtaining known RCE vulnerabilities and adding them to a vulnerability library B;
step 1.3: collecting the corresponding vulnerability Poc for each RCE vulnerability and generating a vulnerability Poc library C;
step 1.4: formulating the corresponding vulnerability Ext based on each RCE vulnerability and its Poc, and generating a vulnerability Ext library D;
step 1.5: adding matching rules based on the RCE vulnerabilities to form a fingerprint rule base E.
Preferably, in step 2, the task is the normalized URL link of a website.
Preferably, in step 2, the task is text input or file input.
Preferably, step 3 comprises the following steps:
step 3.1: calling the fingerprint rule base E to identify the task;
step 3.2: matching the identified fingerprint to the corresponding RCE vulnerability Poc; if the match succeeds, proceed to the next step, otherwise judge that the task has no WEB backdoor and proceed to step 4;
step 3.3: executing the vulnerability Poc; if the vulnerability is judged to exist, proceed to the next step, otherwise judge that the vulnerability does not exist and proceed to step 4;
step 3.4: matching the identified fingerprint to the corresponding vulnerability Ext, executing the vulnerability Ext, and obtaining the source code of all webpages of the task;
step 3.5: performing feature identification on each source code using the source code feature matching set A; if identification succeeds, judge the source code to be a WEB backdoor and output it, otherwise discard the page corresponding to the current source code; repeat until the source code of all webpages of the task has been identified.
Preferably, in step 3.1, identification comprises the following steps:
step 3.1.1: accessing the website corresponding to the task to obtain a response message;
step 3.1.2: constructing a response message feature F from the Server field feature, the X-Powered-By field feature and the page-related feature page in the response message, and matching F against the fingerprint rule base E;
step 3.1.3: if there exists an e matching an f, with e ∈ E and f ∈ F, judging the website fingerprint of the task to be the fingerprint corresponding to e.
A detection device using the RCE-vulnerability-based WEB backdoor detection method comprises:
a feature collection module for collecting existing WEB backdoor source code, RCE code execution vulnerability Poc, vulnerability Ext and the corresponding fingerprint features, and building the feature library;
a task receiving module for receiving information about the webpages to be checked for a WEB backdoor;
a task execution module for performing WEB backdoor detection based on the feature library of the feature collection module and the webpage information received by the task receiving module;
and a result output module for receiving and outputting the feedback result of the task execution module.
Preferably, the task execution module comprises:
a detection module for performing fingerprint identification and vulnerability detection on the received task;
and a feature identification module for finding the source files matching the webpages corresponding to the task and outputting their file paths.
Preferably, the detection module comprises:
a fingerprint identification module for accessing the website URL to obtain page resources and performing fingerprint identification based on feature matching of the HTTP response message;
a vulnerability detection module for finding, via the identified fingerprint, the Poc of the corresponding RCE vulnerability and verifying it;
and a vulnerability exploitation module for executing the corresponding vulnerability Ext for the vulnerability and obtaining all source files of the website and their paths.
The invention relates to an optimized WEB backdoor detection device and detection method based on RCE vulnerabilities.
By exploiting an RCE vulnerability, the invention can remotely obtain the directory tree of a website and the source files of all of its webpage files, then perform feature identification on the webpages and detect WEB backdoors that exist as orphan links (pages not linked from any other page), thereby realizing remote static detection and removal of a website's WEB backdoors.
Drawings
FIG. 1 is a schematic structural diagram of the detection device of the present invention, in which arrows indicate the direction of data transmission;
FIG. 2 is a flow chart of the detection method of the present invention.
Detailed Description
The present invention is described in further detail with reference to the following examples, but its scope is not limited thereto.
The invention relates to a WEB backdoor detection method based on RCE vulnerabilities, which comprises the following steps.
Step 1: initializing, collecting features, and processing them to obtain a feature library.
In step 1, collecting and processing features to obtain the feature library comprises the following steps:
step 1.1: downloading known WEB backdoor source code and adding the collected source code to a source code feature matching set A;
step 1.2: obtaining known RCE vulnerabilities and adding them to a vulnerability library B;
step 1.3: collecting the corresponding vulnerability Poc for each RCE vulnerability and generating a vulnerability Poc library C;
step 1.4: formulating the corresponding vulnerability Ext based on each RCE vulnerability and its Poc, and generating a vulnerability Ext library D;
step 1.5: adding matching rules based on the RCE vulnerabilities to form a fingerprint rule base E.
In the invention, the source code feature matching set A is the WEB backdoor feature library: it collects published webpage source code of WEB backdoors and generates a source code feature library for file feature matching. WEB backdoor source code can generally be downloaded from relevant forums or from an open source code hosting platform such as GitHub, by searching for "WEB backdoor" and downloading the source code found.
In the invention, a remote code execution vulnerability is a defect in website software that lets an attacker construct an attack packet to remotely execute code; a remote command execution vulnerability lets an attacker construct an attack packet to remotely execute a system command.
In the invention, the data of the vulnerability library can be obtained from a vulnerability publishing platform: for example, publicly disclosed vulnerabilities are collected from the CNNVD and the RCE-type vulnerabilities in the database are filtered out; the vulnerability Poc library and the vulnerability Ext library are built in the same way.
In the invention, the matching rules of the fingerprint rule base can be added manually; for example, the rule apache = in("Server", "apache") means that if "apache" occurs in the Server field of the response header, the server of the website is apache.
Step 2: starting the device and issuing the task.
In step 2, the task is the normalized URL link of a website.
In step 2, the task is text input or file input.
In the invention, irregular URL links are removed. An irregular URL generally means a wrong URL, a URL without a protocol, or a link that does not conform to URL rules, such as "http: www.aa.com" or "http://www.aa.com:aa"; well-formed links have the form "http://www.aa.com", "http://www.aa.com:80" or "http://www.aa.com/aa/".
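One way to implement the URL normalization and rejection rule above, as an added Python example rather than the patent's own code: it uses urllib.parse, accepts only http and https, rejects a missing scheme or host and a non-numeric or out-of-range port, lowercases the scheme and host, drops fragments, and de-duplicates a task list read line by line as a text or file input would be. The function names and the set of accepted schemes are assumptions of this example; the sample input is constructed from the page's own irregular and regular forms.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption: only web tasks are accepted (the page's examples all use http://).
ALLOWED_SCHEMES = {"http", "https"}


def normalize_task_url(raw: str):
    """Return the normalized URL for a well-formed http(s) task, or None when the
    link is irregular (no protocol, no host, bad port) and must be dropped."""
    candidate = raw.strip()
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    # "http: www.aa.com" parses with an empty netloc because the "//" is missing.
    if scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    try:
        port = parts.port  # raises ValueError for "www.aa.com:aa" or a port above 65535
    except ValueError:
        return None
    host = parts.hostname  # urlsplit already lower-cases the host
    if not host:
        return None
    netloc = host if port is None else f"{host}:{port}"
    # Fragments never reach the server, so they are not part of a task.
    return urlunsplit((scheme, netloc, parts.path, parts.query, ""))


def load_tasks(lines):
    """Read text or file input line by line: normalize each link, drop irregular
    ones and exact repeats, and keep first-seen order."""
    tasks, seen = [], set()
    for line in lines:
        url = normalize_task_url(line)
        if url is not None and url not in seen:
            seen.add(url)
            tasks.append(url)
    return tasks


if __name__ == "__main__":
    # Constructed input mixing the page's irregular and regular forms.
    sample = ["http: www.aa.com", "http://www.aa.com:aa", "http://www.aa.com",
              "HTTP://www.aa.com:80", "http://www.aa.com/aa/", " http://www.aa.com "]
    print(load_tasks(sample))
```

Rejecting rather than repairing a malformed link keeps a scanner from guessing at a host it was never asked to touch; the only rewriting done here is case folding and fragment removal, which do not change which server is contacted.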
And step 3: and executing the task, performing vulnerability identification, and detecting a WEB backdoor.
The step 3 comprises the following steps:
step 3.1: calling a fingerprint rule base E to identify the task;
in step 3.1, the identification comprises the following steps:
step 3.1.1: accessing a website corresponding to the task to obtain a response message;
step 3.1.2: constructing response message characteristics F based on server field characteristics, X-Powered-By field characteristics and page related characteristics pages in the response message, and matching the response message characteristics F with a fingerprint rule base E;
step 3.1.3: and if the E is matched with the F, and the E belongs to the E and the F belongs to the F, judging that the website fingerprint of the task is the fingerprint corresponding to the E.
Step 3.2: matching the RCE loopholes Poc corresponding to the identified fingerprints, if the matching is successful, performing the next step, otherwise, judging that the RCE loopholes Poc are not WEB backdoors, and performing the step 4;
step 3.3: executing the vulnerability Poc, if judging that the vulnerability exists, performing the next step, otherwise, judging that the vulnerability does not exist, and performing the step 4;
step 3.4: matching the identified fingerprints with corresponding vulnerability Ext, executing the vulnerability Ext, and acquiring source codes of all webpages of the task;
step 3.5: carrying out feature recognition on any source code by using the source code feature matching set A, if the recognition is successful, judging the source code as a WEB backdoor, and outputting, otherwise, discarding a page corresponding to the current source code; and (4) until the source codes of all the web pages of the task are identified.
In the invention, the matching in step 3.1.3 means matching the webpage against the corresponding fingerprint rule, and many implementations, such as string matching, can be used; for example, the fields of the response header of a webpage e are as follows:
Connection: keep-alive
Content-Encoding: gzip
Content-Language: zh-CN
Content-Type: text/html;charset=gbk
Date: Fri, 06 Dec 2019 09:28:59 GMT
Server: nginx
Transfer-Encoding: chunked
If rule F is nginx = in("Server", "nginx"), then e matches F here; if rule F' is apache = in("Server", "apache"), then e does not match F'.
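The rule form used above, in(field, needle) evaluated over the response headers, can be run mechanically. The following Python is an added example and not code from the patent or from DBAPPSecurity: it parses the header block shown above (embedded as a constructed sample) and evaluates a small hypothetical rule base E holding the page's nginx and apache rules plus a ThinkPHP rule on X-Powered-By, returning the names of the rules e that match. The Rule class, the rule names and the parse_headers and identify_fingerprints functions are this example's own; the page-related feature "page" (body content) is left out and only header fields are matched.

```python
from dataclasses import dataclass

# Constructed sample: the header block from the page, one "Name: value" per line.
SAMPLE_RESPONSE_HEADERS = """\
Connection: keep-alive
Content-Encoding: gzip
Content-Language: zh-CN
Content-Type: text/html;charset=gbk
Date: Fri, 06 Dec 2019 09:28:59 GMT
Server: nginx
Transfer-Encoding: chunked
"""


def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name.
    A trailing ';' (as in the page's original listing) is tolerated."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip().rstrip(";")
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


@dataclass(frozen=True)
class Rule:
    """Fingerprint rule in the page's in(field, needle) form: fingerprint `name`
    matches when `needle` occurs (case-insensitively) in response header `field`."""
    name: str
    field: str
    needle: str

    def matches(self, headers: dict) -> bool:
        value = headers.get(self.field.lower(), "")
        return self.needle.lower() in value.lower()


# Hypothetical rule base E. The nginx and apache rules mirror the page's F and F'.
RULE_BASE_E = [
    Rule("nginx", "Server", "nginx"),
    Rule("apache", "Server", "apache"),
    Rule("thinkphp", "X-Powered-By", "ThinkPHP"),
]


def identify_fingerprints(raw_headers: str, rules=RULE_BASE_E) -> list:
    """Step 3.1: names of every rule e in E for which a header feature f in F matches."""
    headers = parse_headers(raw_headers)
    return [rule.name for rule in rules if rule.matches(headers)]


if __name__ == "__main__":
    print(identify_fingerprints(SAMPLE_RESPONSE_HEADERS))
```

A fingerprint hit only narrows which Poc the next step tries; a server that strips or rewrites its Server and X-Powered-By headers produces no match, and the task then falls through to step 4 exactly as the method specifies, so this stage is a filter rather than a verdict.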
In the invention, the feature identification in step 3.5 generally matches the source code against the source code feature library using regular expressions and SimHash: the Hamming distance between the fingerprint of a source file and that of a feature page measures their similarity, so whether the source code resembles a feature page, and hence whether it is a backdoor, can be judged. In practice, a person skilled in the art can select another feature string matching or text similarity algorithm as required.
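To make step 3.5 concrete, the following Python is an added example, not the patent's or DBAPPSecurity's code. It implements the two matching techniques the paragraph names, regular-expression signatures and a 64-bit SimHash compared by Hamming distance, over a few constructed PHP samples: the one-line eval backdoor that appears in the embodiment later on this page, an assert variant standing in for a second entry of set A, a whitespace-reformatted copy of that variant, and a benign HTML page. The signatures, the MD5-based token hashing, the 3-bit threshold and all function names are this example's assumptions.

```python
import hashlib
import re

# Constructed samples. The two KNOWN_* strings stand in for entries of the page's
# source code feature matching set A; the others are files to classify.
KNOWN_EVAL_SHELL = "<?php @eval($_POST['pass']); ?>"
KNOWN_ASSERT_SHELL = "<?php @assert($_POST['x']); ?>"
FEATURE_SET_A = [KNOWN_EVAL_SHELL, KNOWN_ASSERT_SHELL]

SUSPECT_REGEX_HIT = "<?php /* upload helper */ @eval($_POST['cmd']); ?>"
SUSPECT_REFORMATTED = "<?php\n@assert(  $_POST['x']  );\n?>"
BENIGN_HTML = "<html><body><h1>Welcome</h1></body></html>"

# Regular-expression signatures: request data flowing straight into a code or command sink.
SIGNATURES = [
    re.compile(r"\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.IGNORECASE),
    re.compile(r"\b(system|exec|shell_exec|passthru)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b",
               re.IGNORECASE),
]

# Tokens: PHP open/close tags, identifiers (including $vars), or any other single symbol.
TOKEN_RE = re.compile(r"<\?php|\?>|[A-Za-z_$][A-Za-z0-9_]*|\S")


def regex_match(source: str) -> bool:
    """True when any signature fires on the source."""
    return any(sig.search(source) for sig in SIGNATURES)


def simhash(source: str, bits: int = 64) -> int:
    """64-bit SimHash over the token multiset: every token votes +1/-1 on each bit
    according to its hash; bits with a positive total are set. MD5 is used only as
    a fast, stable token hash here, not for any security property."""
    votes = [0] * bits
    for tok in TOKEN_RE.findall(source):
        h = int.from_bytes(hashlib.md5(tok.encode("utf-8")).digest()[:8], "big")
        for i in range(bits):
            votes[i] += 1 if (h >> i) & 1 else -1
    fingerprint = 0
    for i, v in enumerate(votes):
        if v > 0:
            fingerprint |= 1 << i
    return fingerprint


def hamming_distance(a: int, b: int) -> int:
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")


def classify(source: str, feature_set=FEATURE_SET_A, threshold: int = 3) -> str:
    """Step 3.5 as a two-stage check: a signature hit, or a fingerprint within
    `threshold` bits of a known sample, marks the file as a WEB backdoor."""
    if regex_match(source):
        return "backdoor:regex"
    fp = simhash(source)
    for sample in feature_set:
        if hamming_distance(fp, simhash(sample)) <= threshold:
            return "backdoor:simhash"
    return "clean"


if __name__ == "__main__":
    for label, src in [("regex hit", SUSPECT_REGEX_HIT),
                       ("reformatted", SUSPECT_REFORMATTED),
                       ("benign", BENIGN_HTML)]:
        print(f"{label}: {classify(src)}")
```

SimHash tolerates whitespace and layout changes that defeat exact hashing, but a 64-bit fingerprint over a one-line file rests on very few tokens, so a small threshold is tight and a single renamed variable can already exceed it; that is why the signature stage runs first and why the threshold has to be tuned against the actual sample set rather than fixed once.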
Step 4: outputting the detection result.
In the invention, the detection result is generally output as an Excel report or a Word document.
The invention also relates to a detection device using the RCE-vulnerability-based WEB backdoor detection method, which comprises:
a feature collection module for collecting existing WEB backdoor source code, RCE code execution vulnerability Poc, vulnerability Ext and the corresponding fingerprint features, and building the feature library;
a task receiving module for receiving information about the webpages to be checked for a WEB backdoor;
a task execution module for performing WEB backdoor detection based on the feature library of the feature collection module and the webpage information received by the task receiving module;
and a result output module for receiving and outputting the feedback result of the task execution module.
The task execution module comprises:
a detection module for performing fingerprint identification and vulnerability detection on the received task;
and a feature identification module for finding the source files matching the webpages corresponding to the task and outputting their file paths.
The detection module comprises:
a fingerprint identification module for accessing the website URL to obtain page resources and performing fingerprint identification based on feature matching of the HTTP response message;
a vulnerability detection module for finding, via the identified fingerprint, the Poc of the corresponding RCE vulnerability and verifying it;
and a vulnerability exploitation module for executing the corresponding vulnerability Ext for the vulnerability and obtaining all source files of the website and their paths.
In the invention, the feature collection module is mainly used to collect the source code of public WEB backdoor webpages and to collect RCE code execution vulnerability Poc, vulnerability Ext and their scope of influence, namely the fingerprint ranges (feature ranges) of the affected websites.
In the invention, a task URL is input through the task receiving module, judged by the task execution module, and the WEB backdoor path is output through the result output module.
In the invention, verification in the vulnerability detection module means verifying whether the current website has the current RCE vulnerability.
In the invention, an embodiment is given for WEB backdoor detection on a WEB site with the ThinkPHP 5.X RCE vulnerability.
Collect a WEB backdoor feature library from GitHub, giving the WEB backdoor source code set A = {a1, a2, …, an};
collect the Poc of the ThinkPHP 5.X RCE vulnerability from the Internet, where host is the host domain name of the target website; the Poc is:
GET /echo abcdefg HTTP/1.1
Host: host
collect the website fingerprint feature of ThinkPHP 5.X from the Internet, which is the response header X-Powered-By: ThinkPHP.
Define the vulnerability Ext, with dir a directory path and file a file name, as the two requests that respectively list all files and subdirectories of the current directory and display the source file of file:
GET /ls -R HTTP/1.1
Host: host
GET /cat file HTTP/1.1
Host: host
Provide an editable text box in which the user manually enters the home page address of the website to be scanned, and a clickable submit button which the user clicks to issue the task; issue website A, http://www.abc.com, which has the ThinkPHP 5.X RCE vulnerability;
access the website http://www.abc.com and receive the response packet returned by A;
recognize that the header X-Powered-By: ThinkPHP exists in the response packet, so website A may have the ThinkPHP 5.X RCE vulnerability;
send the vulnerability detection message
GET /echo abcdefg HTTP/1.1
Host: www.abc.com
identify that the page response content is abcdefg, and judge that website A has the ThinkPHP 5.X RCE vulnerability;
execute the following to obtain all pages of the website:
GET /ls -R HTTP/1.1
Host: www.abc.com
if the response result is file, dir, then display the source file of file:
GET /cat file HTTP/1.1
Host: www.abc.com
if the response result is <?php @eval($_POST['pass']); ?>, perform feature matching;
if the page source content <?php @eval($_POST['pass']); ?> matches a regular expression, send the file to the result output module;
output, writing the file path and the source file to the Excel output.
After the device is initialized, the feature collection module collects features and processes them to obtain the feature library; after the device is started, a task is issued, the task receiving module receives the task and the task execution module executes it, performing vulnerability identification and detecting WEB backdoors, and the result output module outputs the detection result.
By exploiting an RCE vulnerability, the invention can remotely obtain the directory tree of a website and the source files of all of its webpage files, then perform feature identification on the webpages and detect WEB backdoors that exist as orphan links, thereby realizing remote static detection and removal of a website's WEB backdoors.

Claims (9)

1. A WEB backdoor detection method based on RCE vulnerabilities, characterized in that the method comprises the following steps: step 1: initializing, collecting features, and processing them to obtain a feature library; step 2: starting the device and issuing a task; step 3: executing the task, performing vulnerability identification, and detecting a WEB backdoor; step 4: outputting the detection result.
2. The WEB backdoor detection method based on RCE vulnerabilities according to claim 1, characterized in that, in step 1, collecting and processing features to obtain the feature library comprises the following steps: step 1.1: downloading known WEB backdoor source code and adding the collected source code to a source code feature matching set A; step 1.2: obtaining known RCE vulnerabilities and adding them to a vulnerability library B; step 1.3: collecting the corresponding vulnerability Poc for each RCE vulnerability and generating a vulnerability Poc library C; step 1.4: formulating the corresponding vulnerability Ext based on each RCE vulnerability and its Poc, and generating a vulnerability Ext library D; step 1.5: adding matching rules based on the RCE vulnerabilities to form a fingerprint rule base E.
3. The WEB backdoor detection method based on RCE vulnerabilities according to claim 1, characterized in that, in step 2, the task is the normalized URL link of a website.
4. The WEB backdoor detection method based on RCE vulnerabilities according to claim 1, characterized in that, in step 2, the task is text input or file input.
5. The WEB backdoor detection method based on RCE vulnerabilities according to claim 2, characterized in that step 3 comprises the following steps: step 3.1: calling the fingerprint rule base E to identify the task; step 3.2: matching the identified fingerprint to the corresponding RCE vulnerability Poc; if the match succeeds, proceed to the next step, otherwise judge that there is no WEB backdoor and proceed to step 4; step 3.3: executing the vulnerability Poc; if the vulnerability is judged to exist, proceed to the next step, otherwise judge that there is no WEB backdoor and proceed to step 4; step 3.4: matching the identified fingerprint to the corresponding vulnerability Ext, executing the vulnerability Ext, and obtaining the source code of all webpages of the task; step 3.5: performing feature identification on each source code using the source code feature matching set A; if identification succeeds, judge it to be a WEB backdoor and output it, otherwise discard the page corresponding to the current source code; until the source code of all webpages of the task has been identified.
6. The WEB backdoor detection method based on RCE vulnerabilities according to claim 4, characterized in that, in step 3.1, identification comprises the following steps: step 3.1.1: accessing the website corresponding to the task to obtain a response message; step 3.1.2: constructing a response message feature F from the server field feature, the X-Powered-By field feature and the page-related feature page in the response message, and matching F against the fingerprint rule base E; step 3.1.3: if there exists an e matching an f, with e ∈ E and f ∈ F, judging the website fingerprint of the task to be the fingerprint corresponding to e.
7. A detection device using the WEB backdoor detection method based on RCE vulnerabilities according to any one of claims 1 to 6, characterized in that the device comprises: a feature collection module for collecting existing WEB backdoor source code, RCE code execution vulnerability Poc, vulnerability Ext and the corresponding fingerprint features, and building the feature library; a task receiving module for receiving information about the webpages to be checked for a WEB backdoor; a task execution module for performing WEB backdoor detection based on the feature library of the feature collection module and the webpage information received by the task receiving module; and a result output module for receiving the feedback result of the task execution module and outputting it.
8. The detection device for the WEB backdoor detection method based on RCE vulnerabilities according to claim 7, characterized in that the task execution module comprises: a detection module for performing fingerprint identification and vulnerability detection on the received task; and a feature identification module for finding the source files matching the webpages corresponding to the task and outputting their file paths.
9. The detection device for the WEB backdoor detection method based on RCE vulnerabilities according to claim 8, characterized in that the detection module comprises: a fingerprint identification module for accessing the website URL to obtain page resources and performing fingerprint identification based on feature matching of the HTTP response message; a vulnerability detection module for finding, via the identified fingerprint, the Poc of the corresponding RCE vulnerability and verifying it; and a vulnerability exploitation module for executing the corresponding vulnerability Ext for the vulnerability and obtaining all source files of the website and their paths.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201911319681.7A (CN111191237B) | 2019-12-19 | 2019-12-19 | WEB backdoor detection device and detection method based on RCE vulnerability

Applications Claiming Priority (1) and Family Applications (1): the same application, CN201911319681.7A, status Active.

Publications (2)

Publication Number | Publication Date
CN111191237A (application) | 2020-05-22
CN111191237B (granted patent) | 2022-08-30

Family

ID=70707487

Country Status (1)

Country | Link
CN | CN111191237B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN112667092A * | 2020-12-22 | 2021-04-16 | 江苏千米网络科技股份有限公司 | Method, device, equipment and storage medium for acquiring characters in a Webshell page

Citations (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN106790292A * | 2017-03-13 | 2017-05-31 | 摩贝(上海)生物科技有限公司 | Web application layer attack detection and defence method based on behaviour feature matching and analysis
CN107911355A * | 2017-11-07 | 2018-04-13 | 杭州安恒信息技术有限公司 | Website backdoor exploitation event recognition method based on the attack chain
CN108520180A * | 2018-03-01 | 2018-09-11 | 中国科学院信息工程研究所 | A multi-dimensional firmware web vulnerability detection method and system

Also Published As

Publication number Publication date
CN111191237B (en) 2022-08-30

Similar Documents

Publication Publication Date Title
CN107918733B (en) System and method for detecting malicious elements of web page
US8910292B1 (en) Method and system for detection of remote file inclusion vulnerabilities
US9680866B2 (en) System and method for analyzing web content
CN101517570B (en) The system and method for analyzing web content
JP6624771B2 (en) Client-based local malware detection method
US11962610B2 (en) Automated security testing system and method
CN111651757A (en) Monitoring method, device, device and storage medium for attack behavior
US10389750B2 (en) Malware detection and prevention system
US20130263270A1 (en) Systems and methods for detecting malicious code
CN101816148A (en) System and method for authentication, data transfer and protection against phishing
CN101971591A (en) System and method of analyzing web addresses
CN107612926B (en) One-sentence speech WebShell interception method based on client recognition
CN107911355A (en) A kind of website back door based on attack chain utilizes event recognition method
Alosefer et al. Honeyware: a web-based low interaction client honeypot
CN110879891A (en) Vulnerability detection method and device based on web fingerprint information
CN111191237B (en) WEB backdoor detection device and detection method based on RCE vulnerability
CN110851840A (en) WEB backdoor detection method and device based on website vulnerability
Karthik et al. W3-Scrape-A windows based reconnaissance tool for web application fingerprinting
US20240223594A1 (en) Automated security testing system and method
Alanda et al. Cross-Site Scripting (XSS) Vulnerabilities in Modern Web Applications
AU2018101260B4 (en) Automated Security Testing System and Method
CN110855612B (en) Web backdoor path detection method
Elsaleh Using Machine Learning to Detect Malicious Websites
Barbind et al. Detection Of Phishing Websites Using Data Mining
CN116389122A (en) An attack detection method, device, medium and machine based on abnormal state

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20200522

Assignee: Hangzhou Anheng Information Security Technology Co.,Ltd.

Assignor: Dbappsecurity Co.,Ltd.

Contract record no.: X2024980043366

Denomination of invention: A web backdoor detection device and detection method based on RCE vulnerabilities

Granted publication date: 20220830

License type: Common License

Record date: 20241231