CN113992409A - WebShell interception method, system, medium and computer equipment - Google Patents

Publication number
CN113992409A
Authority
CN
China
Prior art keywords
identification code
file
webshell
unique identification
interface
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111258844.2A
Other languages
Chinese (zh)
Inventor
杨磊
张何钫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Junzheng Network Technology Co Ltd
Original Assignee
Shanghai Junzheng Network Technology Co Ltd
Application filed by Shanghai Junzheng Network Technology Co Ltd
Priority to CN202111258844.2A
Publication of CN113992409A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L63/126 Applying verification of the received information the source of the received data

Abstract

The invention provides a WebShell interception method, a WebShell interception system, a WebShell interception medium and computer equipment. A unique identification code is configured for each uploaded file, and the unique identification code and the file content are stored in a database; the file path name is modified according to the unique identification code; when a new network request arrives, it is judged whether the network path contains a stored unique identification code, and if so, it is further judged whether the file content is consistent. If it is consistent, the operation is normal and is released; if not, the operation is abnormal and strict regular matching is required to detect whether it is a WebShell. In addition, the WebShell is detected through operating system instructions, so that comprehensive and accurate detection can be achieved.

Description

WebShell interception method, system, medium and computer equipment
Technical Field
The invention relates to the field of WebShell interception, in particular to a WebShell interception method, a WebShell interception system, a WebShell interception medium and computer equipment.
Background
A Web application protection system (also called a website application-level intrusion prevention system; in English, Web Application Firewall, WAF for short) is, in the internationally recognized definition, a product that provides protection specifically for Web applications by enforcing a series of security policies on HTTP/HTTPS traffic.
WebShell is a code execution environment in the form of web page files such as asp, php, jsp or cgi, and is mainly used for website management, server management, permission management and similar operations. It is simple to use: by merely uploading a code file and accessing it through the website, many routine operations can be performed, which greatly facilitates management of the website and the server. For the same reason, a small number of people modify such code and use it as a backdoor program in order to control the website server.
As the name implies, "web" means that the server must expose a web service, and "shell" means obtaining the ability to run some operational commands on the server. WebShell is mainly used for website and server management, but because it is convenient and powerful, it is specially modified by some people and used as a website backdoor tool.
The WAF generally checks for WebShell by regular matching, but because the methods and features of WebShell are very flexible and changeable, matching on common feature values is often easily bypassed.
Disclosure of Invention
In view of the above defects in the prior art, the technical problem to be solved by the present invention is that existing interception methods cannot effectively intercept WebShell.
In order to achieve the above object, the present invention provides a WebShell intercepting method, comprising: judging whether the request interface is a file upload interface; if it is a file upload interface, generating a corresponding unique identification code for the uploaded file, and storing the unique identification code and the uploaded file content to form an identification code set and an uploaded file content set; modifying the path name of the uploaded file so that the path name at least comprises the unique identification code; receiving a current network request, and matching the network path of the current network request against the identification code set to determine whether the network path contains a unique identification code in the identification code set; if the match succeeds, confirming whether the file content requested by the current network request is consistent with the uploaded file content corresponding to the matched unique identification code; if consistent, releasing the current network request; otherwise, detecting whether the uploaded file content is WebShell based on regular matching, and executing the corresponding interception or pass operation according to the detection result.
In a preferred embodiment of the present invention, judging whether the request interface is a file upload interface includes: judging whether the HTTP header of the request interface matches the HTTP header of the standard interface; if so, determining that the request interface is a file upload interface; otherwise, determining that the request interface is not a file upload interface.
In another preferred embodiment of the present invention, the unique identifier comprises a UUID identifier.
In another preferred embodiment of the present invention, the encoding rule of the UUID identifier is: positions 1-8 use the system time; positions 9-16 use the underlying IP address; positions 17-24 use the HashCode value of the current object; and positions 25-32 use a random number from the calling method.
In another preferred embodiment of the present invention, generating a corresponding unique identification code for an uploaded file and storing the unique identification code and the uploaded file content to form an identification code set and a file content set includes: generating a UUID identification code for the uploaded file; storing the file content in a database with the UUID identification code as the key; each record in the database represents one uploaded file, and the file content is retrieved from the database using the UUID as the key.
In another preferred embodiment of the present invention, the method further comprises: when the path name of the uploaded file is modified, the path name also contains the file type; the original file name is replaced by the unique identification code of the uploaded file, and the file type is retained.
In another preferred embodiment of the present invention, detecting whether the file content is WebShell based on regular matching includes: detecting whether the file content is WebShell according to the response content of operating system commands.
In order to achieve the above object, the present invention provides a WebShell interception system, including: an interface module, used to judge whether the request interface is a file upload interface; a unique identification code module, used to generate a corresponding unique identification code for the uploaded file after the request interface is judged to be an upload interface, and to store the unique identification code and the uploaded file content to form an identification code set and a file content set; a path modification module, used to modify the path name of the uploaded file so that the path name at least comprises the file type and the unique identification code; a path matching module, used to receive a current network request and match its network path against the identification code set so as to determine whether the network path contains a unique identification code in the identification code set; and an interception judgment module, used to confirm, if the match succeeds, whether the file content requested by the current network request is consistent with the file content corresponding to the matched unique identification code; if consistent, the current network request is released; otherwise, it is detected whether the file content is WebShell based on regular matching, and the corresponding interception or pass operation is executed according to the detection result.
To achieve the above and other related objects, a third aspect of the present application provides a computer-readable storage medium having stored thereon a computer program that, when executed by a processor, implements the WebShell interception method.
To achieve the above and other related objects, a fourth aspect of the present application provides a computer apparatus comprising: a processor and a memory; the memory is used for storing a computer program, and the processor is used for executing the computer program stored by the memory so as to enable the device to execute the WebShell interception method.
The WebShell interception method, the WebShell interception system, the WebShell interception medium and the computer equipment have the following technical effects: a unique identification code is configured for each uploaded file, and the unique identification code and the file content are stored in a database; the file path name is modified according to the unique identification code; when a new network request arrives, it is judged whether the network path contains a stored unique identification code, and if so, it is further judged whether the file content is consistent. If it is consistent, the operation is normal and is released; if not, the operation is abnormal and strict regular matching is required to detect whether it is a WebShell. In addition, the WebShell is detected through operating system instructions, so that comprehensive and accurate detection can be achieved.
The conception, the specific structure and the technical effects of the present invention will be further described with reference to the accompanying drawings to fully understand the objects, the features and the effects of the present invention.
Drawings
Fig. 1 is a schematic flow chart of a WebShell intercepting method in an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of a WebShell intercepting system in an embodiment of the present invention.
Fig. 3 is a schematic diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention are described below with reference to specific embodiments, and other advantages and effects of the present invention will be easily understood by those skilled in the art from the disclosure of the present specification. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention. It is to be noted that the features in the following embodiments and examples may be combined with each other without conflict.
It should be noted that the drawings provided in the following embodiments are only for illustrating the basic idea of the present invention, and the drawings only show the components related to the present invention rather than the number, shape and size of the components in actual implementation, and the type, quantity and proportion of the components in actual implementation may be changed freely, and the layout of the components may be more complicated.
Some exemplary embodiments of the invention have been described for illustrative purposes, and it is to be understood that the invention may be practiced otherwise than as specifically described.
Fig. 1 is a schematic flow diagram of a WebShell intercepting method in an embodiment of the present invention. The WebShell interception method of this embodiment is applied in a web application protection system (WAF) and is used to prevent the website from being intruded upon and tampered with, thereby maintaining the security of the website. The web application protection system may be a hardware device, a software product, or a cloud-based WAF.
Specifically, a hardware WAF exists as an independent hardware device and supports deployment in the network in multiple ways (such as transparent bridge mode, bypass mode, reverse proxy, and so on) to provide security protection for the Web application behind it. A software WAF is implemented purely in software, such as ModSecurity, Naxsi or Website Security Dog, exists as a software product, and has the advantages of simple installation, ease of use and low cost. A cloud-based WAF establishes a virtual host for each protected Web server, provides a corresponding security policy for each virtual host, and configures the Web application firewall as a reverse proxy server that handles connection requests from the external network to the Web server: when the Web application firewall acts on behalf of hosts on the external network accessing the internal Web server, it appears externally as a Web server; it is responsible for forwarding requests from the external network to the internal application server and then returning the internal response data to the external network. The Web application firewall does not store any real data of the internal servers; all static Web pages or CGI programs are stored on the internal Web server. Therefore, an attack on the Web application firewall does not damage the Web page information, which enhances the security of the Web server.
The WebShell intercepting method provided by this embodiment mainly includes steps S11 to S16, and the execution process and principle of each step will be further explained below.
Step S11: judge whether the request interface is a file upload interface.
It should be understood that, since an externally attacking WebShell is mainly uploaded to the server through the file upload function and then takes effect because of how the server parses the file, the entry point for uploaded files is controlled.
In some examples, judging whether the request interface is a file upload interface includes the following steps: judging whether the HTTP header of the request interface matches the HTTP header of the standard interface; if so, determining that the request interface is a file upload interface; otherwise, determining that the request interface is not a file upload interface.
For example: the HTTP header Content-Type of a standard interface with a file upload function is multipart/form-data, so if the HTTP header of the request interface matches this header, the interface is identified as a file upload interface.
Step S12: if it is a file upload interface, generate a corresponding unique identification code for the uploaded file, and store the unique identification code and the uploaded file content to form an identification code set and an uploaded file content set.
In some examples, the unique identifier is a UUID. That is, after the request interface is determined to be a file upload interface, a UUID that uniquely identifies each uploaded file, for example c8237826-3426-41f9-b5df-2567411c0446, is generated for each uploaded file, and the UUID and the corresponding uploaded file content are then saved.
It should be noted that UUID is an abbreviation of Universally Unique Identifier, a standard in software construction whose goal is to give every element in a distributed system unique identification information without that information being assigned by a central controller. In this way, each user can create a UUID that does not conflict with those of others, and name duplication does not need to be considered when creating a database. Furthermore, a UUID is a 128-bit value that can be computed by a certain algorithm. To improve efficiency, the commonly used UUID may be shortened to 16 bits. The UUID is computed from the current time, a counter, and hardware identification (typically the MAC address of the wireless network card). UUIDs have no centralized authority; they are unique identifiers that cannot be duplicated.
Furthermore, the UUID is defined as a string primary key consisting of 32 hexadecimal characters, and defines system information that is completely unique in time and space. The UUID encoding rule is as follows: first, positions 1-8 use the system time, accurate to the millisecond, guaranteeing uniqueness in time; second, positions 9-16 use the underlying IP address, guaranteeing uniqueness within the server cluster; third, positions 17-24 use the HashCode value of the current object, guaranteeing uniqueness among internal objects; and positions 25-32 use a random number from the calling method, guaranteeing millisecond-level uniqueness within an object. Uniqueness can be guaranteed through these four strategies, and the UUID algorithm may be considered wherever random numbers need to be used in the system.
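To make the four-segment encoding rule concrete, the following is an added example (not the patent's or the assignee's code) that builds the 32-character identifier from the four 8-character segments; the server IP address, the object whose HashCode is used and the random source are assumptions, and Python's hash() stands in for Java's hashCode.

```python
import secrets
import socket
import struct
import time


def time_segment(millis=None):
    """Positions 1-8: system time in milliseconds. Eight hex characters hold only
    32 bits, so the value wraps roughly every 49.7 days; the 'uniqueness in time'
    the rule promises therefore only holds within that window."""
    if millis is None:
        millis = int(time.time() * 1000)
    return "%08x" % (millis & 0xFFFFFFFF)


def ip_segment(ip):
    """Positions 9-16: the underlying IPv4 address of this server, packed big-endian."""
    return "%08x" % struct.unpack("!I", socket.inet_aton(ip))[0]


def object_segment(obj):
    """Positions 17-24: the 'HashCode' of the current object. Python has no Java
    hashCode, so hash() truncated to 32 bits stands in for it here (assumption)."""
    return "%08x" % (hash(obj) & 0xFFFFFFFF)


def random_segment(value=None):
    """Positions 25-32: a random number drawn by the calling method."""
    if value is None:
        value = secrets.randbits(32)
    return "%08x" % (value & 0xFFFFFFFF)


def make_identifier(obj, ip, millis=None, rand=None):
    """Concatenate the four 8-character segments into the 32-character identifier."""
    ident = time_segment(millis) + ip_segment(ip) + object_segment(obj) + random_segment(rand)
    assert len(ident) == 32
    return ident


def is_well_formed(ident):
    """Cheap shape check a WAF can apply before using a path component as a lookup key."""
    return len(ident) == 32 and all(c in "0123456789abcdef" for c in ident)


if __name__ == "__main__":
    # Constructed inputs: fixed time and random value so the output is reproducible.
    print(make_identifier(42, "10.0.0.1", millis=0x12345678, rand=0xDEADBEEF))
```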
In this embodiment, storing the unique identification code and the uploaded file content to form an identification code set and a file content set includes the following: the file content is stored in the database with the UUID as the key; one record in the database represents one uploaded file, and the file content of the record can later be retrieved using the UUID as the key.
Step S13: modify the path name of the uploaded file so that the path name at least comprises the file type and the unique identification code.
In some examples, the path name of the uploaded file may be modified in the form "unique identifier.file type". For example: the uploaded file is a.php, the corresponding unique identifier UUID is c8237826-3426-41f9-b5df-2567411c0446, and therefore the path name of the uploaded file is modified to c8237826-3426-41f9-b5df-2567411c0446.php.
It should be noted that the above examples are provided for illustrative purposes and should not be construed as limiting. The modification method of the path name of the uploaded file is not limited to the method of "unique identification code + file type", and in practical applications, for example, the unique identification code and other contents (such as upload date or file creator information) besides the file type may also be added, and this embodiment is not limited.
Step S14: receive a current network request, and match the network path of the current network request against the identification code set to confirm whether the network path contains a unique identification code in the identification code set.
Specifically, when a new network request (for example, a download request or an access request) is received, its network path needs to be examined; for example, string matching is performed between the network path of the request and each unique identifier in the identifier set one by one, and if a match succeeds, this indicates that the network path contains a unique identifier in the identifier set.
Step S15: if the match succeeds, confirm whether the file content requested by the current network request is consistent with the uploaded file content corresponding to the matched unique identification code.
In some examples, the corresponding file content is retrieved from the database according to the matched unique identification code as a key, and the file content is matched with the file content requested by the current network request (such as the currently accessed or downloaded file content).
Step S16: if they are consistent, release the current network request. That is, if the file content at upload time and at access time is consistent, the upload and download requests are normal, and the file should be released rather than intercepted.
Step S17: if not, detect whether the uploaded file content is WebShell based on regular matching, and execute the corresponding interception or pass operation according to the detection result. It should be understood that if the file contents are not consistent, the file upload and download requests are abnormal, and it must be further detected whether the file is a WebShell.
WebShell detection generally uses a static detection method: WebShell is searched for by matching feature codes, feature values, dangerous functions and the like in the script file against a series of predefined regular expressions. Although this method is simple to implement and convenient to deploy, it can only find known WebShells and has a high false alarm rate. In addition, maintaining the regular expression database requires keeping the detection rate up while keeping the false alarm rate low, and the performance of regular matching depends heavily on how the regular expressions are written. A regular expression for the same detection purpose can be written in many ways, and the performance difference between them is very large, so the approach relies particularly on the regex-writing skill of the maintainers of the rule database.
Meanwhile, since WebShell is very flexible, there is little point in detecting the request content; the response, however, mainly returns operating-system command-line output. In view of this, the present invention changes the regular matching rule from detecting the WebShell in the request to detecting operating-system command content in the response. WebShell content is mainly language code such as <%eval request("sb")%>, <%execute request("sb")%>, <%loop<%> and the like, while operating-system commands are mainly common commands such as ls, cd, ifconfig, cat /etc/passwd and the like. Therefore, if an operating-system instruction is successfully matched, a problem is considered to exist: the request is intercepted, and the uploaded file content can be reported for manual identification of whether it is a WebShell; otherwise, the request is passed. Because WebShell detection based on language content is hard to match completely owing to its flexibility and variability, whereas operating-system commands are relatively fixed, the latter are easier to detect and give higher accuracy.
It is worth noting that, in the WebShell intercepting method provided in this embodiment, a unique identification code is configured for each uploaded file, and the unique identification code and the file content are stored in the database; the file path name is modified according to the unique identification code; when a new network request arrives, it is judged whether the network path contains a stored unique identification code, and if so, it is further judged whether the file content is consistent. If it is consistent, the operation is normal and is released; if not, the operation is abnormal and strict regular matching is required to detect whether it is a WebShell. In addition, the WebShell is detected through operating system instructions, so that comprehensive and accurate detection can be achieved.
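The following added example (not the patent's or the assignee's code) walks steps S11 through S17 in Python, including the response-side operating-system command matching described for step S17; the Content-Type test, the SHA-256 comparison, the regular expressions, the RFC 4122 identifier form and the handling of a path without a stored identifier are assumptions made here.

```python
import hashlib
import re
import uuid
from dataclasses import dataclass, field

# S11: the standard upload interface carries this Content-Type.
UPLOAD_CONTENT_TYPE = "multipart/form-data"

# Shape of the identifiers stored in S12 (RFC 4122 text form, as in the example above).
UUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# S17 rule set. The text moves regular matching from the WebShell source in the
# request to operating-system commands in the response; these patterns are
# assumptions built from the commands it names (ls, cd, ifconfig, cat /etc/passwd)
# plus the output signatures those commands leave behind.
OS_COMMAND_PATTERNS = [
    re.compile(r"(?m)^\s*(?:ls|cd|ifconfig)\b"),
    re.compile(r"\bcat\s+/etc/passwd\b"),
    re.compile(r"(?m)^root:x:0:0:"),                          # first line of /etc/passwd
    re.compile(r"\binet (?:addr:)?\d{1,3}(?:\.\d{1,3}){3}"),  # ifconfig output
]


@dataclass
class Store:
    """Identification-code set and file-content set from S12: UUID -> uploaded bytes."""
    files: dict = field(default_factory=dict)


def is_upload_interface(headers):
    """S11: compare the request's Content-Type with that of the standard upload interface."""
    ctype = headers.get("Content-Type", "")
    return ctype.split(";", 1)[0].strip().lower() == UPLOAD_CONTENT_TYPE


def register_upload(store, filename, content):
    """S12 + S13: allocate a UUID, persist the content under it, rename to '<uuid>.<type>'."""
    uid = str(uuid.uuid4())
    store.files[uid] = content
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    new_name = f"{uid}.{ext}" if ext else uid
    return uid, new_name


def find_identifier(store, path):
    """S14: string-match the request path against each stored identifier."""
    for match in UUID_RE.finditer(path.lower()):
        if match.group(0) in store.files:
            return match.group(0)
    return None


def contents_consistent(stored, requested):
    """S15: stored and requested content must agree. Digest comparison is a choice
    made here; the text only says the two contents are matched."""
    return hashlib.sha256(stored).digest() == hashlib.sha256(requested).digest()


def response_has_os_command(response_text):
    """S17: regular matching against operating-system command names and their output."""
    return any(p.search(response_text) for p in OS_COMMAND_PATTERNS)


def decide(store, path, requested_content, response_text):
    """S14-S17 for one request; returns 'pass' or 'intercept'.

    The text defines the consistency check only for paths that carry a stored
    identifier; a path without one is sent straight to the S17 check here (assumption)."""
    uid = find_identifier(store, path)
    if uid is not None and contents_consistent(store.files[uid], requested_content):
        return "pass"          # S16: upload-time and access-time content agree
    if response_has_os_command(response_text):
        return "intercept"     # S17: command output in the response, report for review
    return "pass"


if __name__ == "__main__":
    # Constructed sample: a benign upload, then an access whose content no longer
    # matches the stored copy and whose response looks like command output.
    store = Store()
    uid, stored_as = register_upload(store, "a.php", b"<?php echo 'hello'; ?>")
    print(stored_as)
    print(decide(store, "/uploads/" + stored_as, b"<?php echo 'hello'; ?>", "hello"))
    print(decide(store, "/uploads/" + stored_as, b"<?php /* altered after upload */ ?>",
                 "root:x:0:0:root:/root:/bin/bash\n"))
```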
As shown in fig. 2, a schematic structural diagram of the WebShell intercepting system in an embodiment of the present invention is shown. The WebShell intercepting system 200 of the present embodiment includes: the system comprises an interface module 21, a unique identification code module 22, a path modification module 23, a path matching module 24 and an interception judgment module 25.
The interface module is used for judging whether the request interface is a file uploading interface.
It should be understood that, since an externally attacking WebShell is mainly uploaded to the server through the file upload function and then takes effect because of how the server parses the file, the entry point for uploaded files is controlled.
In some examples, judging whether the request interface is a file upload interface includes the following steps: judging whether the HTTP header of the request interface matches the HTTP header of the standard interface; if so, determining that the request interface is a file upload interface; otherwise, determining that the request interface is not a file upload interface.
The unique identification code module 22 is configured to generate a corresponding unique identification code for the uploaded file after determining that the request interface is the upload interface, and store the unique identification code and the content of the uploaded file to form an identification code set and a file content set.
In some examples, the unique identifier is a UUID. That is, after the request interface is determined to be a file upload interface, a UUID that uniquely identifies each uploaded file, for example c8237826-3426-41f9-b5df-2567411c0446, is generated for each uploaded file, and the UUID and the corresponding uploaded file content are then saved.
In this embodiment, storing the unique identification code and the uploaded file content to form an identification code set and a file content set includes the following: the file content is stored in the database with the UUID as the key; one record in the database represents one uploaded file, and the file content of the record can later be retrieved using the UUID as the key.
The path modification module 23 is configured to modify a path name of the uploaded file, so that the path name at least includes the file type and the unique identifier.
In some examples, the path name of the uploaded file may be modified in the form "unique identifier.file type". For example: the uploaded file is a.php, the corresponding unique identifier UUID is c8237826-3426-41f9-b5df-2567411c0446, and therefore the path name of the uploaded file is modified to c8237826-3426-41f9-b5df-2567411c0446.php.
It should be noted that the above examples are provided for illustrative purposes and should not be construed as limiting. The modification method of the path name of the uploaded file is not limited to the method of "unique identification code + file type", and in practical applications, for example, the unique identification code and other contents (such as upload date or file creator information) besides the file type may also be added, and this embodiment is not limited.
The path matching module 24 is configured to receive a current network request, and match a network path of the network request with the set of identification codes to determine whether the network path includes a unique identification code in the set of identification codes.
Specifically, when a new network request (for example, a download request or an access request) is received, its network path needs to be examined; for example, string matching is performed between the network path of the request and each unique identifier in the identifier set one by one, and if a match succeeds, this indicates that the network path contains a unique identifier in the identifier set.
The interception judging module 25 is configured to, if the match succeeds, determine whether the file content requested by the current network request is consistent with the file content corresponding to the matched unique identification code; if consistent, release the current network request; otherwise, detect whether the file content is WebShell based on regular matching, and execute the corresponding interception or pass operation according to the detection result.
In some examples, the corresponding file content is retrieved from the database according to the matched unique identification code as a key, and the file content is matched with the file content requested by the current network request (such as the currently accessed or downloaded file content).
And if so, not intercepting the current network request. That is, if the file contents are consistent between the file uploading time and the file accessing time, it indicates that the file uploading and downloading requests are normal, and the file should be released and should not be intercepted.
And if not, detecting whether the file content is WebShell or not based on the regular matching, and executing corresponding interception or passing operation according to the detection result. It should be understood that if the file contents are not consistent, this indicates that the file upload and download request is not normal, and the possibility of detecting whether the file is WebShell needs to be further detected.
WebShell detection is generally performed by a static detection method: the script file is searched for feature codes, feature values, dangerous functions and the like by matching against a series of predefined regular expressions. Although this method is simple to implement and convenient to deploy, it can only find known WebShells, and its false alarm rate is high. In addition, maintaining the regular expression database requires keeping the detection rate up while keeping the false alarm rate low, and the performance of regular expression matching depends heavily on how the expressions are written. The same detection goal can be expressed by many different regular expressions whose performance differs greatly, so the method depends especially on the regular expression writing skill of whoever maintains the rule base.
Meanwhile, because WebShells are very flexible, detecting the content of the request message is of limited value, whereas the response mainly returns the output of operating system command lines. In view of this, the present invention changes the regular matching rules from detecting WebShells in the request to detecting operating system command output in the response content. WebShell content mainly takes the form of language code such as <% eval request("sb") %>, <% execute request("sb") %>, <% loop <% > and the like, while operating system commands are mainly common commands such as ls, cd, ifconfig, cat /etc/password and the like. Therefore, if an operating system instruction is matched successfully, a problem is considered to exist: the request is intercepted, and the uploaded file content can be reported for manual identification of whether it is a WebShell; otherwise, the request is passed. WebShell detection based on language content is hard to match completely because of its flexibility and variability, whereas operating system commands are comparatively fixed, easier to detect, and give higher accuracy.
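The upload-side tagging, the request-side path and content check, and the regular-expression fallback over operating system command output, as an added Python example that is not part of the patent. The multipart header test, the 32-hex-character code layout, the /uploads directory, the in-memory store and the three output patterns are assumptions of this example.

```python
import ipaddress
import os
import re
import time
from typing import Dict, Optional

UPLOAD_DIR = "/uploads"                 # assumed upload directory (not from the patent)
UPLOAD_STORE: Dict[str, bytes] = {}     # stand-in for the claim 5 database: code -> content

# Regular expressions over served content that match operating system command *output*
# (the patent's response-side idea), constructed here for ls, ifconfig and the password file.
OS_OUTPUT_PATTERNS = [
    re.compile(r"^[-dl][rwx-]{9}\s+\d+\s+\S+\s+\S+\s+\d+\s", re.M),   # ls -l listing line
    re.compile(r"^\w+:\s+flags=\d+<[A-Z,]+>\s+mtu\s+\d+", re.M),       # ifconfig header line
    re.compile(r"^root:[^:\n]*:0:0:[^\n]*$", re.M),                   # passwd-style root entry
]

def generate_identification_code(now: float, ip: str, obj: object, rand: Optional[int] = None) -> str:
    """32-hex-character code laid out as in claim 4: positions 1-8 system time,
    9-16 IP address, 17-24 hash of the current object, 25-32 random number.
    Packing each field as 32 bits rendered in hex is an assumption of this example."""
    t = int(now) & 0xFFFFFFFF
    ip_int = int(ipaddress.IPv4Address(ip))
    h = hash(obj) & 0xFFFFFFFF
    r = (int.from_bytes(os.urandom(4), "big") if rand is None else rand) & 0xFFFFFFFF
    return f"{t:08x}{ip_int:08x}{h:08x}{r:08x}"

def is_upload_interface(headers: Dict[str, str]) -> bool:
    """Claim 2: compare the request's HTTP header with the standard upload interface's.
    The assumed standard here is a multipart/form-data Content-Type."""
    return headers.get("Content-Type", "").lower().startswith("multipart/form-data")

def handle_upload(headers: Dict[str, str], original_name: str, content: bytes, client_ip: str) -> Optional[str]:
    """Interface, identification code and path modification modules in one step.
    Returns the rewritten path, or None when this is not a file-upload interface."""
    if not is_upload_interface(headers):
        return None
    code = generate_identification_code(time.time(), client_ip, content)
    UPLOAD_STORE[code] = content
    ext = os.path.splitext(original_name)[1]          # claim 6: keep the file type
    return f"{UPLOAD_DIR}/{code}{ext}"                 # original name replaced by the code

def match_path(network_path: str) -> Optional[str]:
    """Path matching module: the stored code contained in the path, if any.
    Equivalent to the one-by-one substring check in the description."""
    for candidate in re.findall(r"[0-9a-f]{32}", network_path):
        if candidate in UPLOAD_STORE:
            return candidate
    return None

def looks_like_os_command_output(content: bytes) -> bool:
    text = content.decode("utf-8", errors="replace")
    return any(p.search(text) for p in OS_OUTPUT_PATTERNS)

def decide(network_path: str, served_content: bytes) -> str:
    """Interception judging module: 'pass', 'intercept', or 'no-match' when the path
    carries no stored code (a case the patent leaves to other controls)."""
    code = match_path(network_path)
    if code is None:
        return "no-match"
    if UPLOAD_STORE[code] == served_content:
        return "pass"            # same content as at upload time: normal request
    # Content changed since upload: regular expression matching on the served content,
    # looking for operating system command output rather than WebShell source code.
    return "intercept" if looks_like_os_command_output(served_content) else "pass"

if __name__ == "__main__":
    p = handle_upload({"Content-Type": "multipart/form-data; boundary=x"}, "a.png", b"PNG?", "10.0.0.7")
    print(p, decide(p, b"PNG?"), decide(p, b"-rw-r--r-- 1 www www 1024 Oct 28 10:00 index.php\n"))
```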
It should be understood that the division of the modules of the above apparatus is only a logical division; in actual implementation they may be wholly or partially integrated into one physical entity or may be physically separate. These modules may all be implemented as software invoked by a processing element, or entirely in hardware, or some as software invoked by a processing element and some in hardware. For example, the interface module may be a separately arranged processing element, may be integrated into a chip of the apparatus, or may be stored in a memory of the apparatus as program code that a processing element of the apparatus calls to execute the functions of the interface module. The other modules are implemented similarly. In addition, all or part of the modules may be integrated together or implemented independently. The processing element described here may be an integrated circuit with signal processing capability. In implementation, each step of the above method or each module above may be completed by an integrated logic circuit of hardware in a processor element or by instructions in the form of software.
For example, the above modules may be one or more integrated circuits configured to implement the above method, such as one or more Application Specific Integrated Circuits (ASICs), one or more Digital Signal Processors (DSPs), or one or more Field Programmable Gate Arrays (FPGAs). For another example, when one of the above modules is implemented as program code scheduled by a processing element, the processing element may be a general-purpose processor such as a Central Processing Unit (CPU) or another processor capable of calling program code. For another example, these modules may be integrated together and implemented as a system-on-a-chip (SOC).
Fig. 3 is a schematic structural diagram of a computer device according to an embodiment of the present invention. This example provides a computer device comprising a processor 31, a memory 32 and a communicator 33. The memory 32 is connected with the processor 31 and the communicator 33 through a system bus so that they communicate with one another; the memory 32 stores computer programs, the communicator 33 communicates with other devices, and the processor 31 runs the computer programs so that the computer device executes the steps of the WebShell interception method.
The above-mentioned system bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like; it may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration only one thick line is shown, but this does not mean that there is only one bus or one type of bus. The communication interface is used for communication between the device and other equipment (such as a client, a read-write library and a read-only library). The memory may include a Random Access Memory (RAM) and may further include a non-volatile memory, such as at least one disk memory.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The present invention also provides a computer-readable storage medium having stored thereon a computer program that, when executed by a processor, implements the WebShell interception method.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the above method embodiments may be performed by hardware associated with a computer program. The aforementioned computer program may be stored in a computer readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
In the embodiments provided herein, the computer-readable and writable storage medium may include read-only memory, random-access memory, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, flash memory, a USB flash drive, a removable hard disk, or any other medium that can be used to store desired program code in the form of instructions or data structures and that can be accessed by a computer. Also, any connection is properly termed a computer-readable medium. For example, if the instructions are transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. It should be understood, however, that computer-readable-writable storage media and data storage media do not include connections, carrier waves, signals, or other transitory media, but are intended to be non-transitory, tangible storage media. Disk and disc, as used in this application, includes Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers.
In summary, the present invention provides a WebShell interception method, system, medium and computer device, which configure a unique identification code for an uploaded file and store both the unique identification code and the file content in a database; modify the file path name according to the unique identification code; and, when a new network request arrives, judge whether the network path contains a stored unique identification code and, if so, further judge whether the file content is consistent. If it is consistent, the operation is normal and the request is released; if not, the operation is abnormal and strict regular expression matching is required to detect whether it is a WebShell. In addition, detecting the WebShell by means of operating system instructions makes comprehensive and accurate detection possible.
The foregoing embodiments merely illustrate the principles and utilities of the present invention and are not intended to limit it. Any person skilled in the art may modify or change the above embodiments without departing from the spirit and scope of the present invention. Accordingly, all equivalent modifications or changes that can be made by those skilled in the art without departing from the spirit and technical ideas of the present invention are intended to be covered by the claims of the present invention.

Claims (10)

1. A WebShell interception method is characterized by comprising the following steps:
judging whether the request interface is a file uploading interface or not;
if the file is the file uploading interface, generating a corresponding unique identification code for the uploaded file, and storing the unique identification code and the uploaded file content to form an identification code set and an uploaded file content set;
modifying the path name of the uploaded file so that the path name at least comprises the unique identification code;
receiving a current network request, and matching a network path of the current network request with the identification code set to determine whether the network path contains a unique identification code in the identification code set;
if the matching is successful, confirming whether the file content requested by the current network request is consistent with the uploaded file content corresponding to the matched unique identification code;
if they are consistent, releasing the current network request; otherwise, detecting whether the uploaded file content is WebShell based on regular expression matching, and executing the corresponding interception or release operation according to the detection result.
2. The WebShell intercepting method of claim 1, wherein the determining whether the request interface is a file upload interface comprises: judging whether the HTTP header of the request interface matches the HTTP header of the standard interface; if so, determining that the request interface is a file uploading interface; otherwise, determining that the request interface is not a file uploading interface.
3. The WebShell intercepting method of claim 1, wherein the unique identifier comprises a UUID identifier.
4. The WebShell intercepting method of claim 3, wherein the encoding rule of the UUID identification code includes: bits 1-8 use the system time; bits 9-16 use the underlying IP address; bits 17-24 use the HashCode value of the current object; and bits 25-32 use a random number from the calling method.
5. The WebShell intercepting method of claim 2, wherein the generating a corresponding unique identification code for the uploaded file and saving the unique identification code and the uploaded file content to form an identification code set and an uploaded file content set comprises:
generating a UUID identification code for the uploaded file; storing the uploaded file content into a database by taking the UUID identification code as a key value; each record in the database represents an uploaded file, and the uploaded file content in the database is taken out according to UUID as a key value.
6. The WebShell intercepting method of claim 1, further comprising: when the path name of the uploaded file is modified, the path name also contains a file type; and replacing the original file name by the unique identification code of the uploaded file and reserving the file type.
7. The method of claim 1, wherein the detecting whether the uploaded file content is WebShell based on regular expression matching comprises: detecting whether the uploaded file content is WebShell according to the response content of the operating system command.
8. A WebShell interception system, comprising:
the interface module is used for judging whether the request interface is a file uploading interface or not;
the unique identification code module is used for generating a corresponding unique identification code for the uploaded file after judging that the request interface is the uploading interface, and storing the unique identification code and the uploaded file content to form an identification code set and an uploaded file content set;
the path modification module is used for modifying the path name of the uploaded file so that the path name at least comprises a file type and the unique identification code;
the path matching module is used for receiving a current network request and matching a network path of the current network request with the identification code set so as to determine whether the network path contains a unique identification code in the identification code set;
the interception judgment module is used for confirming, if the matching is successful, whether the file content requested by the current network request is consistent with the uploaded file content corresponding to the matched unique identification code; if they are consistent, releasing the current network request; otherwise, detecting whether the uploaded file content is WebShell based on regular expression matching, and executing the corresponding interception or release operation according to the detection result.
9. A computer-readable storage medium, having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the WebShell interception method of any of claims 1 to 7.
10. A computer device, comprising: a processor and a memory;
the memory is used for storing a computer program;
the processor is configured to execute the memory-stored computer program to cause the computer device to perform the WebShell interception method of any of claims 1-7.
CN202111258844.2A 2021-10-28 2021-10-28 WebShell interception method, system, medium and computer equipment Pending CN113992409A (en)

Publications (1)

Publication Number Publication Date
CN113992409A true CN113992409A (en) 2022-01-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination