CN118041679A - Vulnerability detection method, vulnerability detection device, terminal equipment and storage medium - Google Patents


Info

Publication number: CN118041679A
Authority: CN (China)
Prior art keywords: vulnerability, detection, vulnerability detection, request message, response result
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202410344511.9A
Other languages: Chinese (zh)
Inventors: 王华杰, 吴慧强, 李俊峰
Current Assignee: China Merchants Bank Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: China Merchants Bank Co Ltd
Application filed by China Merchants Bank Co Ltd
Priority to CN202410344511.9A
Publication of CN118041679A

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a vulnerability detection method, a vulnerability detection device, terminal equipment and a storage medium, and belongs to the technical field of network security. The method comprises the following steps: obtaining a vulnerability detection request message; sending the vulnerability detection request message to an application server, where the application server executes the executable code in the vulnerability detection request message, obtains a response result, and sends the response result to a vulnerability display system; and reading the response result in the vulnerability display system and performing vulnerability detection according to the response result to obtain a vulnerability detection result. The method and device realize detection of code execution vulnerabilities, solve the problem that traditional vulnerability detection cannot cover code execution vulnerabilities and needs confirmation by manual penetration testing, and improve the efficiency and accuracy of vulnerability detection.

Description

Vulnerability detection method, vulnerability detection device, terminal equipment and storage medium
Technical Field
The present invention relates to the field of network security technologies, and in particular, to a vulnerability detection method, a vulnerability detection device, a terminal device, and a storage medium.
Background
Internet technology changes with each passing day and new types of network security vulnerabilities keep emerging; even for the same vulnerability type, the attack methods keep changing, and the detection rules must change with them. A remote code execution vulnerability is one that allows code to be injected into and executed on a target machine or system remotely over the internet.
Traditional vulnerability scanning software offers poor support for detecting remote code execution vulnerabilities (such as FastJson deserialization remote code execution, log4j2 arbitrary code execution, Spring remote command execution and the like): because such vulnerabilities are complex to exploit and need to be confirmed by manual penetration testing, traditional scanners cannot cover them.
The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present invention and is not intended to represent an admission that the foregoing is prior art.
Disclosure of Invention
The main purpose of the present application is to provide a vulnerability detection method, device, terminal device and storage medium, aiming to solve the problem that conventional vulnerability detection cannot cover remote code execution vulnerabilities and needs confirmation by manual penetration testing.
In order to achieve the above object, the present application provides a vulnerability detection method, which is applied to a vulnerability scanner, comprising the following steps:
obtaining a vulnerability detection request message;
The vulnerability detection request message is sent to an application server, executable codes in the vulnerability detection request message are executed by the application server, a response result is obtained, and the response result is sent to a vulnerability display system;
And reading a response result in the vulnerability display system, and performing vulnerability detection according to the response result to obtain a vulnerability detection result.
Optionally, the step of obtaining the vulnerability detection request packet includes:
acquiring a history request message of the application server;
acquiring a request message assembly rule corresponding to the history request message based on a pre-constructed vulnerability rule base;
and reassembling the history request message according to the request message assembling rule to obtain a vulnerability detection request message.
Optionally, the step of sending the vulnerability detection request packet to an application server, executing, by the application server, executable code in the vulnerability detection request packet, obtaining a response result, and sending the response result to a vulnerability display system further includes:
Detecting and analyzing the vulnerability detection request message to obtain an analysis result;
if the analysis result is in a single request mode, the vulnerability detection request message is sent to the application server, and the application server acquires a response result according to the vulnerability detection request message;
reading a response result in the application server, and performing vulnerability detection according to the response result to obtain a vulnerability detection result;
if the analysis result is a multi-request mode, executing the steps of: and sending the vulnerability detection request message to an application server, executing executable codes in the vulnerability detection request message by the application server, obtaining a response result, and sending the response result to a vulnerability display system.
Optionally, the step of reading the response result in the application server, performing vulnerability detection according to the response result, and obtaining the vulnerability detection result further includes:
Judging whether the application server has a vulnerability type corresponding to the vulnerability detection request message or not according to the vulnerability detection result;
and if the vulnerability type exists in the application server, storing the vulnerability by combining the application server with the vulnerability type.
Optionally, the step of reading the response result in the vulnerability display system and performing vulnerability detection according to the response result, and obtaining the vulnerability detection result includes:
reading a response result in the vulnerability display system;
Based on the vulnerability rule base, acquiring a response message detection rule corresponding to the vulnerability detection request message;
and performing vulnerability detection according to the response result based on the response message detection rule to obtain a vulnerability detection result.
The vulnerability detection method is applied to an application server and comprises the following steps:
Receiving a vulnerability detection request message sent by a vulnerability scanner;
Executing the executable code in the vulnerability detection request message, obtaining a response result, sending the response result to a vulnerability display system, reading the response result in the vulnerability display system by the vulnerability scanner, and carrying out vulnerability detection according to the response result to obtain a vulnerability detection result.
Optionally, the vulnerability type corresponding to the vulnerability detection request message is an arbitrary code execution vulnerability, and the step of executing the executable code in the vulnerability detection request message, obtaining a response result, sending the response result to a vulnerability display system, reading the response result in the vulnerability display system by the vulnerability scanner, and performing vulnerability detection according to the response result to obtain the vulnerability detection result includes:
Acquiring a detection random value according to the vulnerability detection request message;
If the application server has the arbitrary code execution vulnerability, executing the executable code through the arbitrary code execution vulnerability according to the detection random value, and acquiring a response result;
And sending the response result to the vulnerability display system through a payload, reading the response result in the vulnerability display system by the vulnerability scanner, and obtaining a vulnerability detection result by comparing the detection random value in the response result with the preset detection random value in the vulnerability display system.
The embodiment of the application also provides a vulnerability detection device, which comprises:
the request acquisition module is used for acquiring a vulnerability detection request message;
The request execution module is used for sending the vulnerability detection request message to an application server, executing executable codes in the vulnerability detection request message by the application server, acquiring a response result and sending the response result to a vulnerability display system;
And the vulnerability detection module is used for reading the response result in the vulnerability display system, and carrying out vulnerability detection according to the response result to obtain a vulnerability detection result.
The embodiment of the application also provides a terminal device, which comprises a memory, a processor and a vulnerability detection program stored on the memory and capable of running on the processor, wherein the vulnerability detection program realizes the steps of the vulnerability detection method when being executed by the processor.
The embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium is stored with a vulnerability detection program, and the vulnerability detection program realizes the steps of the vulnerability detection method when being executed by a processor.
The vulnerability detection method, vulnerability detection device, terminal equipment and storage medium provided by the embodiments of the present application obtain a vulnerability detection request message; send the vulnerability detection request message to an application server, where the application server executes the executable code in the message, obtains a response result, and sends the response result to a vulnerability display system; and read the response result in the vulnerability display system and perform vulnerability detection according to it to obtain a vulnerability detection result. Because the response result produced by executing the code is sent to the vulnerability display system and read back from there, detection of code execution vulnerabilities is realized, the problem that traditional vulnerability detection cannot cover code execution vulnerabilities and needs confirmation by manual penetration testing is solved, and the efficiency and accuracy of vulnerability detection are improved.
Drawings
FIG. 1 is a schematic diagram of functional modules of a terminal device to which a vulnerability detection apparatus of the present application belongs;
FIG. 2 is a flowchart illustrating a vulnerability detection method according to a first exemplary embodiment of the present application;
FIG. 3 is a flowchart illustrating a vulnerability detection method according to a second exemplary embodiment of the present application;
FIG. 4 is a diagram of a whole vulnerability detection architecture according to the vulnerability detection method of the present application;
FIG. 5 is a schematic flow chart of single request mode vulnerability detection according to the vulnerability detection method of the present application;
FIG. 6 is a flowchart illustrating a third exemplary embodiment of a vulnerability detection method according to the present application;
FIG. 7 is a flow chart of the vulnerability detection method of the present application.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The main solution of the embodiments of the present application is: obtaining a vulnerability detection request message; sending the vulnerability detection request message to an application server, where the application server executes the executable code in the message, obtains a response result, and sends the response result to a vulnerability display system; and reading the response result in the vulnerability display system and performing vulnerability detection according to it to obtain a vulnerability detection result. Because the response result produced by executing the code is sent to the vulnerability display system and read back from there, detection of code execution vulnerabilities is realized, the problem that traditional vulnerability detection cannot cover code execution vulnerabilities and needs confirmation by manual penetration testing is solved, and the efficiency of vulnerability detection is improved.
In the embodiments of the present application, the vulnerability scanning software of the related technical solutions has poor detection support for remote code execution vulnerabilities (such as FastJson deserialization remote code execution, log4j2 arbitrary code execution, Spring remote command execution and the like): because such vulnerabilities are complex to exploit, their presence cannot be verified directly from a single test request and response, and confirmation by manual penetration testing is needed. In terms of performance, conventional scanners usually only detect per request, so framework-level vulnerabilities are detected repeatedly. In terms of operation and maintenance, traditional vulnerability scanning software can generally only be installed on a physical or virtual machine, does not support containerized deployment, and is inconvenient to deploy.
Based on this, the embodiments of the present application provide a solution that uses history request messages as the data source, configures a vulnerability rule base holding a detection rule for each vulnerability, receives the result of the vulnerability's remote execution through an independent vulnerability display system, and has the vulnerability scanning software obtain the execution result from that system to judge whether the vulnerability exists, thereby improving the responsiveness and detection efficiency of vulnerability detection.
Specifically, referring to fig. 1, fig. 1 is a schematic diagram of functional modules of a terminal device to which a vulnerability detection apparatus of the present application belongs. The vulnerability detection device may be a device independent of the terminal device and capable of vulnerability detection, and may be carried on the terminal device in a form of hardware or software. The terminal equipment can be intelligent mobile equipment with a vulnerability detection function such as a mobile phone and a tablet personal computer, and can also be fixed terminal equipment or a server with the vulnerability detection function.
In this embodiment, the terminal device to which the vulnerability detection apparatus belongs at least includes an output module 110, a processor 120, a memory 130, and a communication module 140.
The memory 130 stores an operating system and a vulnerability detection program, and the vulnerability detection device may store received and processed data in the memory 130; the output module 110 may be a display screen, a speaker, etc. The communication module 140 may include a WIFI module, a mobile communication module, a Bluetooth module and the like, and communicates with an external device or a server through the communication module 140.
Wherein the vulnerability detection program in the memory 130, when executed by the processor, performs the steps of:
obtaining a vulnerability detection request message;
The vulnerability detection request message is sent to an application server, executable codes in the vulnerability detection request message are executed by the application server, a response result is obtained, and the response result is sent to a vulnerability display system;
And reading a response result in the vulnerability display system, and performing vulnerability detection according to the response result to obtain a vulnerability detection result.
Further, the vulnerability detection program in the memory 130 when executed by the processor also implements the following steps:
acquiring a history request message of the application server;
acquiring a request message assembly rule corresponding to the history request message based on a pre-constructed vulnerability rule base;
and reassembling the history request message according to the request message assembling rule to obtain a vulnerability detection request message.
Further, the vulnerability detection program in the memory 130 when executed by the processor also implements the following steps:
Detecting and analyzing the vulnerability detection request message to obtain an analysis result;
if the analysis result is in a single request mode, the vulnerability detection request message is sent to the application server, and the application server acquires a response result according to the vulnerability detection request message;
reading a response result in the application server, and performing vulnerability detection according to the response result to obtain a vulnerability detection result;
if the analysis result is a multi-request mode, executing the steps of: and sending the vulnerability detection request message to an application server, executing executable codes in the vulnerability detection request message by the application server, obtaining a response result, and sending the response result to a vulnerability display system.
Further, the vulnerability detection program in the memory 130 when executed by the processor also implements the following steps:
Judging whether the application server has a vulnerability type corresponding to the vulnerability detection request message or not according to the vulnerability detection result;
and if the vulnerability type exists in the application server, storing the vulnerability by combining the application server with the vulnerability type.
Further, the vulnerability detection program in the memory 130 when executed by the processor also implements the following steps:
reading a response result in the vulnerability display system;
Based on the vulnerability rule base, acquiring a response message detection rule corresponding to the vulnerability detection request message;
and performing vulnerability detection according to the response result based on the response message detection rule to obtain a vulnerability detection result.
Further, the vulnerability detection program in the memory 130 when executed by the processor also implements the following steps:
Receiving a vulnerability detection request message sent by a vulnerability scanner;
Executing the executable code in the vulnerability detection request message, obtaining a response result, sending the response result to a vulnerability display system, reading the response result in the vulnerability display system by the vulnerability scanner, and carrying out vulnerability detection according to the response result to obtain a vulnerability detection result.
Further, the vulnerability detection program in the memory 130 when executed by the processor also implements the following steps:
Acquiring a detection random value according to the vulnerability detection request message;
If the application server has the arbitrary code execution vulnerability, executing the executable code through the arbitrary code execution vulnerability according to the detection random value, and acquiring a response result;
And sending the response result to the vulnerability display system through a payload, reading the response result in the vulnerability display system by the vulnerability scanner, and obtaining a vulnerability detection result by comparing the detection random value in the response result with the preset detection random value in the vulnerability display system.
According to the above solution, this embodiment specifically obtains a vulnerability detection request message; sends it to an application server, where the application server executes the executable code in the message, obtains a response result, and sends the response result to a vulnerability display system; and reads the response result in the vulnerability display system and performs vulnerability detection according to it to obtain a vulnerability detection result. Because the response result produced by executing the code is sent to the vulnerability display system and read back from there, detection of code execution vulnerabilities is realized, the problem that traditional vulnerability detection cannot cover code execution vulnerabilities and needs confirmation by manual penetration testing is solved, and the efficiency of vulnerability detection is improved.
The method embodiment of the application is proposed based on the above-mentioned terminal equipment architecture but not limited to the above-mentioned architecture.
Referring to fig. 2, fig. 2 is a flowchart of a first exemplary embodiment of a vulnerability detection method according to the present application. The vulnerability detection method is applied to a vulnerability scanner and comprises the following steps:
step S10: and obtaining a vulnerability detection request message.
The execution body of the method of this embodiment may be a vulnerability detection device, a vulnerability detection terminal device, or a server; this embodiment takes the vulnerability detection device as an example, and the vulnerability detection device may be integrated on a terminal device having a data processing function.
First, a vulnerability detection request message is acquired. The vulnerability detection request message is a network request with a specific format, may include an operation request for a target application server, and is aimed at triggering a potential vulnerability in an application system. For example, the vulnerability detection request message may include specific input data or remotely executed code for testing how the application server handles malicious input.
Step S20: and sending the vulnerability detection request message to an application server, executing executable codes in the vulnerability detection request message by the application server, obtaining a response result, and sending the response result to a vulnerability display system.
And sending the vulnerability detection request message to an application server, and analyzing the request by the application server and executing executable codes in the request by the application server to obtain a response result of the application server. Wherein the response result may include execution information, error information, or other related data of the application. The vulnerability scanner and application server request transmission process involves network communication and interaction of the server.
Step S30: and reading a response result in the vulnerability display system, and performing vulnerability detection according to the response result to obtain a vulnerability detection result.
The response result returned by the application server is read from the vulnerability display system, and vulnerability detection is performed on it to analyze whether the application server's response exposes a potential vulnerability, yielding the vulnerability detection result. The specific detection process may involve parsing, matching, comparing and similar operations on the response result to determine whether a security vulnerability exists; the generated vulnerability detection result includes information such as the detected vulnerability type and its possible impact. The vulnerability display system is an independently constructed system responsible for receiving the result of the vulnerability's remote execution, and the vulnerability scanner obtains the execution result from this system to judge whether the vulnerability exists, which solves the problem that conventional vulnerability scanning software cannot cover remote code execution vulnerabilities.
Further, as an implementation manner, the step of obtaining the vulnerability detection request packet includes:
Step S101: acquiring a history request message of the application server;
Step S102: acquiring a request message assembly rule corresponding to the history request message based on a pre-constructed vulnerability rule base;
step S103: and reassembling the history request message according to the request message assembling rule to obtain a vulnerability detection request message.
Specifically, first, a history request message of a target application server is acquired. The history request message is a request record sent when normal communication is carried out with the application server. By analyzing the history request messages, the information such as the interface structure, the parameter format, the request message structure and the like of the application server can be known.
Then, based on a pre-constructed vulnerability rule base, analyzing the historical request messages and obtaining a request message assembly rule corresponding to each historical request message. The request message assembly rule describes how to construct an effective vulnerability detection request message to trigger a potential vulnerability in an application server.
Finally, the history request message is reassembled according to the acquired request message assembly rule to obtain the vulnerability detection request message. The vulnerability detection request message is assembled in a specific way so as to simulate a real attack scenario and effectively detect possible vulnerabilities of the application system. The vulnerability rule base configures a vulnerability detection POC (proof-of-concept) rule for each vulnerability, so that security developers can flexibly add and update rules without updating or upgrading the scanning software, which greatly improves the speed of response to newly added or mutated vulnerabilities.
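As an added example (not code from the patent or from the assignee), the following Python shows steps S101 to S103: a captured history request is matched against rules loaded from an externally maintained rule base and reassembled into detection requests, each carrying a fresh detection random value. The JSON rule layout, the {{TOKEN}} placeholder, the sample request and the host names are constructed assumptions.

```python
import json
import secrets
from copy import deepcopy
from urllib.parse import parse_qsl, urlencode

# Constructed sample: one history request captured from normal traffic with the
# application server (hypothetical host and path, not taken from the patent).
HISTORY_REQUEST = {
    "method": "POST",
    "path": "/api/profile",
    "headers": {"Host": "app.example.test",
                "Content-Type": "application/x-www-form-urlencoded"},
    "body": "name=alice&city=Paris",
}

# Constructed rule base (assumed JSON layout). Each rule pairs a request message
# assembly rule ("assemble") with a response message detection rule ("detect");
# "mode" tells the scanner whether one request suffices or the out-of-band path
# is needed. {{TOKEN}} is replaced by a fresh detection random value per scan.
RULE_BASE_JSON = """
[
  {"id": "RULE-001", "mode": "single",
   "match": {"method": "POST", "content_type": "application/x-www-form-urlencoded"},
   "assemble": {"target": "body_param", "name": "name", "template": "probe-{{TOKEN}}"},
   "detect": {"type": "regex", "pattern": "probe-(?P<token>[0-9a-f]{16})"}},
  {"id": "RULE-002", "mode": "multi",
   "match": {"method": "*"},
   "assemble": {"target": "header", "name": "X-Probe", "template": "{{TOKEN}}"},
   "detect": {"type": "oob", "display_url": "https://display.example.test/collect"}}
]
"""


def load_rule_base(raw_json):
    """Rules live outside the scanner binary, so adding one needs no scanner upgrade."""
    return json.loads(raw_json)


def rule_matches(rule, request):
    """Decide whether a rule applies to the captured request (method / content type)."""
    m = rule["match"]
    if m.get("method", "*") not in ("*", request["method"]):
        return False
    wanted_ct = m.get("content_type")
    if wanted_ct and wanted_ct not in request["headers"].get("Content-Type", ""):
        return False
    return True


def new_detection_value():
    """16 hex chars: unguessable, so a later match cannot be a coincidence."""
    return secrets.token_hex(8)


def assemble_request(history, rule, token):
    """Reassemble a copy of the history request as the rule prescribes."""
    req = deepcopy(history)  # never mutate the captured record
    spec = rule["assemble"]
    value = spec["template"].replace("{{TOKEN}}", token)
    if spec["target"] == "header":
        req["headers"][spec["name"]] = value
    elif spec["target"] == "body_param":
        params = dict(parse_qsl(req["body"], keep_blank_values=True))
        if spec["name"] not in params:
            raise KeyError(f"history request has no parameter {spec['name']!r}")
        params[spec["name"]] = value
        req["body"] = urlencode(params)
    else:
        raise ValueError(f"unsupported assembly target {spec['target']!r}")
    # Keep the bookkeeping the scanner needs to correlate the response later.
    req["rule_id"] = rule["id"]
    req["mode"] = rule["mode"]
    req["token"] = token
    return req


def build_detection_requests(history, rules):
    """Steps S101-S103: one detection request per applicable rule."""
    return [assemble_request(history, rule, new_detection_value())
            for rule in rules if rule_matches(rule, history)]
```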
According to the above solution, this embodiment specifically obtains a vulnerability detection request message; sends it to an application server, where the application server executes the executable code in the message, obtains a response result, and sends the response result to a vulnerability display system; and reads the response result in the vulnerability display system and performs vulnerability detection according to it to obtain a vulnerability detection result. Because the response result produced by executing the code is sent to the vulnerability display system and read back from there, detection of code execution vulnerabilities is realized, the problem that traditional vulnerability detection cannot cover code execution vulnerabilities and needs confirmation by manual penetration testing is solved, and the efficiency of vulnerability detection is improved.
Referring to fig. 3, fig. 3 is a flowchart illustrating a second exemplary embodiment of a vulnerability detection method according to the present invention.
Based on the first embodiment, a second embodiment of the present application is proposed, which differs from the first embodiment in that:
In this embodiment, the step of sending the vulnerability detection request packet to an application server, executing, by the application server, executable code in the vulnerability detection request packet, obtaining a response result, and sending the response result to a vulnerability display system further includes:
Step S201: detecting and analyzing the vulnerability detection request message to obtain an analysis result;
Step S202: if the analysis result is in a single request mode, the vulnerability detection request message is sent to the application server, and the application server acquires a response result according to the vulnerability detection request message;
Step S203: reading a response result in the application server, and performing vulnerability detection according to the response result to obtain a vulnerability detection result;
Step S204: if the analysis result is a multi-request mode, executing the steps of: and sending the vulnerability detection request message to an application server, executing executable codes in the vulnerability detection request message by the application server, obtaining a response result, and sending the response result to a vulnerability display system.
Specifically, the vulnerability detection request message is first analyzed to obtain an analysis result. The analysis determines the request mode that the vulnerability detection request message requires, that is, the characteristics of the detection request and its possible effects; it establishes the type of the vulnerability detection request and provides the basis for the subsequent processing.
Then, if the analysis result indicates that the request mode of the vulnerability detection request message is the single request mode, the message is sent directly to the application server, and the response result is obtained once the application server has processed the request. The single request mode suits vulnerability types other than remote code execution, where a single request and the application server's response to it are sufficient to decide whether the vulnerability exists.
Next, the response result returned by the application server is read and analyzed for vulnerability detection, to judge whether the potential vulnerability exists in the application system.
Finally, if the analysis result indicates that the vulnerability detection request is in the multi-request mode, the vulnerability detection request message is sent to the application server according to the pre-designed multi-request flow, the executable code in the message is executed to obtain the response result of the application server, and the response result is sent to the vulnerability display system.
Further, as an implementation manner, the step of reading the response result in the application server, performing vulnerability detection according to the response result, and obtaining the vulnerability detection result further includes:
Step S2031: judging, according to the vulnerability detection result, whether the vulnerability type corresponding to the vulnerability detection request message exists in the application server;
Step S2032: if the vulnerability type exists in the application server, recording the vulnerability together with the application server and the vulnerability type.
Specifically, the application server is first further analyzed according to the obtained vulnerability detection result, to judge whether the vulnerability type corresponding to the vulnerability detection request message exists in it; this establishes the security state of the application server and provides a basis for subsequent processing.
Then, if the vulnerability type exists in the application server, the vulnerability information is consolidated and stored for subsequent remediation or other security handling. This builds up a database of vulnerability information for the application servers and supports security management.
Further, as an implementation manner, the step of reading the response result in the vulnerability display system and performing vulnerability detection according to the response result, and obtaining the vulnerability detection result includes:
Step S301: reading a response result in the vulnerability display system;
Step S302: based on the vulnerability rule base, acquiring a response message detection rule corresponding to the vulnerability detection request message;
Step S303: and performing vulnerability detection according to the response result based on the response message detection rule to obtain a vulnerability detection result.
Specifically, first, a corresponding response result is read from the vulnerability display system.
Then, the response message detection rule corresponding to the vulnerability detection request message is obtained from a pre-established vulnerability rule base. The response message detection rule defines how the response result of the vulnerability detection request is parsed and interpreted.
Finally, vulnerability detection is performed on the response result of the vulnerability detection request according to the obtained response message detection rule, to obtain the vulnerability detection result; whether a potential vulnerability exists is decided by rule matching and analysis of the response result.
More specifically, fig. 4 is a diagram of the overall vulnerability detection architecture of the method. In this embodiment, vulnerability detection requests are divided into a single request mode and a multi-request mode, the latter covering remote-code-execution-class vulnerabilities. Historical request messages of the business system serve as the data source: the request message is modified according to the detection request assembly rules defined in a vulnerability verification POC file, the application server or the vulnerability display system is requested again, the response message is obtained, and whether a vulnerability exists is judged according to the response rules in the POC file.
Fig. 5 is a schematic flow chart of single request mode vulnerability detection. In the single request mode the application server is requested directly, the response information is obtained, and whether the vulnerability exists is judged directly by the detection rule. Take the "HTTP TRACE method not disabled" vulnerability type as an example; it is a single request mode type. The request method of the original request is changed to TRACE, the application server is requested again, and whether the vulnerability exists is judged from the response returned by the application server; the whole detection is completed with a single request.
The historical request message is modified by the request policies in the vulnerability verification POC file. The request policies are of the following types: Query, Path, Header, Body, Replace and ReplaceValue, defined as follows:
Query: modifying the query string parameters;
Path: modifying the path;
Header: modifying the request header;
Body: modifying the request body;
Replace: replacing the request message;
ReplaceValue: replacing a value in the request message.
Taking reflected XSS vulnerability detection as an example, the Query and Body policies are used to modify the request parameter value. For instance, the original request parameter id=12345 is changed to id=12345\"';</script><script>alert(00192384992)</script>, where <script>alert(00192384992)</script> is a reflected XSS test statement of the pop-up alert type. The request is resent to the application server, and whether the vulnerability exists is judged from the response body.
Whether the current request has the vulnerability is judged by the detection strategies in the vulnerability verification POC file. The detection strategies are RegexSearch, Response, StrSearch and StatusCode, defined as follows:
RegexSearch: searching the response content with a regular expression;
Response: checking whether the response contains a specific character string, file, etc.;
StrSearch: searching whether the response string contains a specified character or character string;
StatusCode: checking the status code returned by the server.
Take the "CORS allows any origin" vulnerability type as an example. The header of the original request is modified by the Header policy, the request is resent to the application server, and the response returned by the application server is obtained. Whether the vulnerability exists is judged with the StrSearch strategy by checking whether strings such as Access-Control-Allow-Origin are present in the response message.
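The single request mode described above, as an added illustration that is not code from the patent: a historical request is rewritten by the request policies (Query, Path, Header, Body, Replace, ReplaceValue) and the response is judged by the detection strategies (RegexSearch, Response, StrSearch, StatusCode), with the TRACE, reflected XSS and CORS cases from the text as POC rules. The POC dictionary layout and field names, the simulated application server and the `vulnerable_server`/`hardened_server` helpers are assumptions made for this example. The CORS rule deliberately goes beyond the text: it requires the attacker-chosen origin to be echoed in Access-Control-Allow-Origin rather than merely finding the header, since a fixed allow-list origin would otherwise produce a false positive.

```python
import functools
import html
import re

# Constructed sample: one historical request captured from the business system.
HISTORY_REQUEST = {"method": "GET", "path": "/api/user", "query": {"id": "12345"},
                   "headers": {"Host": "app.example.test"}, "body": ""}

# Reflected-XSS probe from the description; the alert argument serves as a marker.
XSS_PROBE = '12345\\"\';</script><script>alert(00192384992)</script>'

# Hypothetical POC files (layout assumed): "request" lists request policies, "detect"
# lists detection strategies, all of which must match for a finding to be reported.
POC_TRACE = {"name": "HTTP TRACE method not disabled",
             "request": [{"policy": "Replace", "key": "method", "value": "TRACE"}],
             "detect": [{"strategy": "StatusCode", "value": 200},
                        {"strategy": "StrSearch", "value": "TRACE /api/user"}]}
POC_XSS = {"name": "Reflected XSS in query parameter id",
           "request": [{"policy": "Query", "key": "id", "value": XSS_PROBE}],
           "detect": [{"strategy": "StrSearch", "value": "<script>alert(00192384992)</script>"}]}
# The header merely being present is not a finding: the attacker-chosen origin must be echoed.
POC_CORS = {"name": "CORS allows any origin",
            "request": [{"policy": "Header", "key": "Origin", "value": "https://evil.example"}],
            "detect": [{"strategy": "RegexSearch",
                        "value": r"(?im)^Access-Control-Allow-Origin:[ \t]*https://evil\.example[ \t]*\r?$"},
                       {"strategy": "Response", "value": "Access-Control-Allow-Credentials: true"}]}


def apply_request_policies(request, policies):
    """Return a rewritten copy of the historical request; the original is left intact."""
    req = {**request, "query": dict(request["query"]), "headers": dict(request["headers"])}
    for p in policies:
        kind, key, value = p["policy"], p.get("key"), p["value"]
        if kind == "Query":            # modify one query-string parameter
            req["query"][key] = value
        elif kind == "Path":           # modify the path
            req["path"] = value
        elif kind == "Header":         # modify or add one request header
            req["headers"][key] = value
        elif kind == "Body":           # modify the request body
            req["body"] = value
        elif kind == "Replace":        # replace a top-level element of the message, e.g. the method
            req[key] = value
        elif kind == "ReplaceValue":   # replace a literal value wherever it occurs in the message
            req["path"] = req["path"].replace(key, value)
            req["body"] = req["body"].replace(key, value)
            req["query"] = {k: v.replace(key, value) for k, v in req["query"].items()}
        else:
            raise ValueError(f"unknown request policy: {kind}")
    return req


def evaluate_detection(resp, strategies):
    """Apply every detection strategy; the rule fires only if all of them match."""
    raw = (f"HTTP/1.1 {resp['status']}\r\n" + "".join(f"{k}: {v}\r\n" for k, v in resp["headers"].items())
           + "\r\n" + resp["body"])   # flattened response so header-level rules can match
    for s in strategies:
        kind, value = s["strategy"], s["value"]
        if kind == "StatusCode":       # status code returned by the server
            ok = resp["status"] == value
        elif kind == "StrSearch":      # literal substring of the response body
            ok = value in resp["body"]
        elif kind == "RegexSearch":    # regular expression over the whole response
            ok = re.search(value, raw) is not None
        elif kind == "Response":       # literal substring anywhere in the response, headers included
            ok = value in raw
        else:
            raise ValueError(f"unknown detection strategy: {kind}")
        if not ok:
            return False
    return True


def simulated_app_server(req, trace_enabled, reflects_origin, escapes_output):
    """Constructed stand-in for the target, modelling the three weaknesses above."""
    if req["method"] == "TRACE":
        if not trace_enabled:
            return {"status": 405, "headers": {}, "body": "Method Not Allowed"}
        echo = f"TRACE {req['path']} HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in req["headers"].items())
        return {"status": 200, "headers": {"Content-Type": "message/http"}, "body": echo}
    headers = {"Content-Type": "text/html"}
    if reflects_origin and "Origin" in req["headers"]:
        headers["Access-Control-Allow-Origin"] = req["headers"]["Origin"]
        headers["Access-Control-Allow-Credentials"] = "true"
    user_id = req["query"].get("id", "")
    if escapes_output:
        user_id = html.escape(user_id, quote=True)
    return {"status": 200, "headers": headers, "body": f"<p>user {user_id}</p>"}


vulnerable_server = functools.partial(simulated_app_server, trace_enabled=True, reflects_origin=True, escapes_output=False)
hardened_server = functools.partial(simulated_app_server, trace_enabled=False, reflects_origin=False, escapes_output=True)


def run_single_request_check(poc, send):
    """Single request mode: rewrite the history request, send it once, judge the response."""
    probe = apply_request_policies(HISTORY_REQUEST, poc["request"])
    return evaluate_detection(send(probe), poc["detect"])
```

Running `run_single_request_check(POC_CORS, vulnerable_server)` reports a finding while the same rule against `hardened_server` does not; the `ReplaceValue` policy works on a copy, so the stored historical request can be reused by every POC in the rule base.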
The multi-request mode initiates several requests within one vulnerability detection and judges by the combined results of those requests. It is mainly used for remote-code-execution-class vulnerabilities and relies on the vulnerability display system for auxiliary verification.
In addition, different vulnerabilities have different detection scopes. Some, such as Swagger interface leakage and Spring Boot unauthorized access, are framework-level vulnerabilities: the detection result is the same for every interface under the same domain name, so there is no need to test each interface, and a request constructed directly from the domain name completes the detection. The detection can therefore be pre-processed: framework-level vulnerabilities are detected first, before vulnerability detection is run over all the request messages. Compared with a conventional scanner this greatly reduces the number of scan requests and noticeably improves performance, and repeated detection of framework-level vulnerabilities is avoided. With containerized deployment, capacity is expanded quickly by increasing the number of instances, which also simplifies operation and maintenance.
In this embodiment, the vulnerability detection request message is analyzed to obtain an analysis result. If the analysis result is the single request mode, the vulnerability detection request message is sent to the application server, the application server obtains a response result according to the message, and the response result is read from the application server and vulnerability detection is performed on it to obtain the vulnerability detection result. If the analysis result is the multi-request mode, the steps of sending the vulnerability detection request message to the application server, executing the executable code in the message by the application server, obtaining the response result and sending it to the vulnerability display system are performed. The request is thus analyzed before it is sent to the application server and the appropriate processing mode is selected for each case, which ensures the accuracy and comprehensiveness of the vulnerability detection.
Referring to fig. 6, fig. 6 is a flowchart of a third exemplary embodiment of the vulnerability detection method of the present invention.
Based on the first embodiment, a third embodiment of the present application is proposed, which differs from the first embodiment in that:
In this embodiment, the vulnerability detection method is applied to an application server, and includes the following steps:
step S40: receiving a vulnerability detection request message sent by a vulnerability scanner;
step S50: executing the executable code in the vulnerability detection request message, obtaining a response result, sending the response result to a vulnerability display system, reading the response result in the vulnerability display system by the vulnerability scanner, and carrying out vulnerability detection according to the response result to obtain a vulnerability detection result.
Specifically, the application server first receives the vulnerability detection request message sent by the vulnerability scanner; the request carries the vulnerability information to be detected and the related parameters.
Then the application server executes the executable code in the vulnerability detection request message and sends the resulting response result to the vulnerability display system, where the vulnerability scanner reads it and performs vulnerability detection on it to obtain the vulnerability detection result.
Further, as an implementation manner, when the vulnerability type corresponding to the vulnerability detection request message is an arbitrary code execution vulnerability, the step of executing the executable code in the vulnerability detection request message, obtaining a response result, sending the response result to a vulnerability display system, reading the response result in the vulnerability display system by the vulnerability scanner and performing vulnerability detection according to the response result to obtain the vulnerability detection result includes:
Step S501: acquiring a detection random value according to the vulnerability detection request message;
Step S502: if the application server has the arbitrary code execution vulnerability, executing the executable code through the arbitrary code execution vulnerability according to the detection random value, and acquiring a response result;
Step S503: sending the response result to the vulnerability display system through a payload, the vulnerability scanner reading the response result in the vulnerability display system and acquiring the vulnerability detection result according to the detection random value in the response result and the detection random value preset in the vulnerability display system.
Specifically, a detection random value is first obtained according to the vulnerability detection request message; it is used for verification and matching in the subsequent steps.
Then, if the application server has an arbitrary-code-execution-type vulnerability, the executable code in the vulnerability detection request message is executed through that vulnerability, carrying the detection random value, and the corresponding response result is acquired.
Next, the response result is sent to the vulnerability display system through the payload, the vulnerability scanner reads the response result in the vulnerability display system, and the vulnerability detection result is obtained by comparing the detection random value in the response result with the detection random value preset in the vulnerability display system: a match shows that the code was executed and the vulnerability exists.
More specifically, fig. 7 is a flow chart of testing arbitrary code execution vulnerabilities in the multi-request mode. Take detection of the Log4j2 arbitrary code execution vulnerability type as an example, which uses the multi-request mode. The vulnerability scanner first requests the vulnerability display system, checking network connectivity and at the same time passing a random value to it. On receiving the request, the vulnerability display system stores the random value and returns a response to the vulnerability scanner. After receiving the response, the vulnerability scanner modifies the historical request message according to the request policy, replacing the request parameter value with a piece of specific code which, when executed, makes a remote request that sends the random value generated in the first request back to the vulnerability display system. If the application server has the vulnerability the code is executed; otherwise it is not. The vulnerability display system maintains the state of the random value according to whether it receives the request from the application server. The vulnerability scanner then initiates a third request, queries the vulnerability display system for the state of the random value, and judges from that state whether the current application server has the vulnerability. The whole detection therefore takes three requests.
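The three-request flow described above, as an added illustration that is not code from the patent. The vulnerability display system is modelled in-process as a token registry, and the injected "specific code" is abstracted as a `CALLBACK(url)` marker that the vulnerable stand-in server evaluates; no real Log4j2 payload is shown. All class, function and host names are assumptions made for this example.

```python
import re
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed sample: one historical request of the business system.
HISTORY_REQUEST = {"method": "GET", "path": "/api/user", "query": {"id": "12345"}}
DISPLAY_BASE = "http://display.example.test"   # assumed address of the display system


class DisplaySystem:
    """Stand-in for the vulnerability display system: keeps each detection random
    value and records whether the application server called back with it."""

    def __init__(self):
        self._tokens = {}   # token -> "pending" | "hit"

    def register(self, token):
        """Request 1: connectivity check that also stores the scanner's random value."""
        self._tokens[token] = "pending"
        return {"status": 200, "body": "registered"}

    def callback(self, url):
        """Request made by the application server when the injected code actually runs."""
        token = parse_qs(urlparse(url).query).get("token", [""])[0]
        if token not in self._tokens:
            return 404      # unknown value: another scan's probe or noise, ignored
        self._tokens[token] = "hit"
        return 200

    def status(self, token):
        """Request 3: the scanner asks what happened to its random value."""
        return self._tokens.get(token, "unknown")


# Abstract marker standing in for the injected code; the real payload string for any
# given vulnerability class is deliberately not part of this illustration.
CALLBACK_MARKER = re.compile(r"CALLBACK\((https?://[^)\s]+)\)")


def vulnerable_app_server(request, display):
    """Evaluates the marker while handling the parameter, so the outbound request is made."""
    m = CALLBACK_MARKER.search(request["query"].get("id", ""))
    if m:
        display.callback(m.group(1))
    return {"status": 200, "body": "ok"}   # in-band response is identical either way


def patched_app_server(request, display):
    """Treats the parameter as inert data; nothing leaves the server."""
    return {"status": 200, "body": "ok"}


def detect_code_execution(history_request, app_server, display):
    """Run the three-request flow once; True only if the token came back to the display system."""
    token = secrets.token_hex(16)                               # fresh and unguessable per probe
    if display.register(token)["status"] != 200:                # request 1
        raise RuntimeError("display system unreachable; a lost callback would look like 'no vulnerability'")
    probe = dict(history_request, query=dict(history_request["query"]))
    probe["query"]["id"] = f"CALLBACK({DISPLAY_BASE}/hit?token={token})"
    app_server(probe, display)                                  # request 2: in-band reply is not used
    return display.status(token) == "hit"                       # request 3
```

Because the application server's in-band response is the same whether or not the code ran, only the display system's token state carries the verdict. In a real deployment the callback arrives asynchronously, so the third request should be delayed or polled before a negative result is recorded, and the display system should only mark tokens it registered itself, so that probes from different scans cannot be confused.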
According to this scheme, the application server receives the vulnerability detection request message sent by the vulnerability scanner, executes the executable code in the message, obtains a response result and sends it to the vulnerability display system; the vulnerability scanner reads the response result from the vulnerability display system and performs vulnerability detection on it to obtain the vulnerability detection result. This realizes detection of code-execution vulnerabilities, solves the problem that conventional vulnerability scanning cannot cover code-execution vulnerabilities and requires confirmation by manual penetration testing, and improves the efficiency of vulnerability detection.
In addition, an embodiment of the present application further provides a vulnerability detection apparatus, where the vulnerability detection apparatus includes:
the request acquisition module is used for acquiring a vulnerability detection request message;
The request execution module is used for sending the vulnerability detection request message to an application server, executing executable codes in the vulnerability detection request message by the application server, acquiring a response result and sending the response result to a vulnerability display system;
And the vulnerability detection module is used for reading the response result in the vulnerability display system, and carrying out vulnerability detection according to the response result to obtain a vulnerability detection result.
The principle and implementation process of the vulnerability detection in this embodiment are referred to the above embodiments, and are not described herein.
In addition, the embodiment of the application also provides a terminal device, which comprises a memory, a processor and a vulnerability detection program stored on the memory and capable of running on the processor, wherein the vulnerability detection program realizes the steps of the vulnerability detection method when being executed by the processor.
Because the vulnerability detection program is executed by the processor and adopts all the technical schemes of all the embodiments, the vulnerability detection program at least has all the beneficial effects brought by all the technical schemes of all the embodiments and is not described in detail herein.
In addition, the embodiment of the application also provides a computer readable storage medium, wherein the computer readable storage medium stores a vulnerability detection program, and the vulnerability detection program realizes the steps of the vulnerability detection method when being executed by a processor.
Because the vulnerability detection program is executed by the processor and adopts all the technical schemes of all the embodiments, the vulnerability detection program at least has all the beneficial effects brought by all the technical schemes of all the embodiments and is not described in detail herein.
Compared with the prior art, the vulnerability detection method, vulnerability detection device, terminal device and storage medium provided by the embodiments of the application obtain a vulnerability detection request message; send it to an application server, which executes the executable code in the message, obtains a response result and sends the response result to a vulnerability display system; and read the response result from the vulnerability display system and perform vulnerability detection on it to obtain a vulnerability detection result. Because the result of executing the code is delivered to the vulnerability display system and read from there, code-execution vulnerabilities can be detected, which solves the problem that conventional vulnerability scanning cannot cover code-execution vulnerabilities and requires confirmation by manual penetration testing, and improves the efficiency of vulnerability detection.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) as described above, comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (10)

1. The vulnerability detection method is characterized by being applied to a vulnerability scanner and comprising the following steps of:
obtaining a vulnerability detection request message;
The vulnerability detection request message is sent to an application server, executable codes in the vulnerability detection request message are executed by the application server, a response result is obtained, and the response result is sent to a vulnerability display system;
And reading a response result in the vulnerability display system, and performing vulnerability detection according to the response result to obtain a vulnerability detection result.
2. The method of vulnerability detection as set forth in claim 1, wherein the step of obtaining the vulnerability detection request message comprises:
acquiring a history request message of the application server;
acquiring a request message assembly rule corresponding to the history request message based on a pre-constructed vulnerability rule base;
and reassembling the history request message according to the request message assembling rule to obtain a vulnerability detection request message.
3. The method of detecting a vulnerability of claim 1, wherein the steps of sending the vulnerability detection request message to an application server, executing executable code in the vulnerability detection request message by the application server, obtaining a response result, and sending the response result to a vulnerability display system further comprise:
Detecting and analyzing the vulnerability detection request message to obtain an analysis result;
if the analysis result is in a single request mode, the vulnerability detection request message is sent to the application server, and the application server acquires a response result according to the vulnerability detection request message;
reading a response result in the application server, and performing vulnerability detection according to the response result to obtain a vulnerability detection result;
if the analysis result is a multi-request mode, executing the steps of: and sending the vulnerability detection request message to an application server, executing executable codes in the vulnerability detection request message by the application server, obtaining a response result, and sending the response result to a vulnerability display system.
4. The method of vulnerability detection as recited in claim 3, wherein the steps of reading the response result in the application server, performing vulnerability detection according to the response result, and obtaining the vulnerability detection result further comprise:
judging, according to the vulnerability detection result, whether the vulnerability type corresponding to the vulnerability detection request message exists in the application server;
and if the vulnerability type exists in the application server, recording the vulnerability together with the application server and the vulnerability type.
5. The method of vulnerability detection as set forth in claim 2, wherein the step of reading the response result in the vulnerability display system and performing vulnerability detection according to the response result, and obtaining the vulnerability detection result comprises:
reading a response result in the vulnerability display system;
Based on the vulnerability rule base, acquiring a response message detection rule corresponding to the vulnerability detection request message;
and performing vulnerability detection according to the response result based on the response message detection rule to obtain a vulnerability detection result.
6. The vulnerability detection method is characterized by being applied to an application server and comprising the following steps of:
Receiving a vulnerability detection request message sent by a vulnerability scanner;
Executing the executable code in the vulnerability detection request message, obtaining a response result, sending the response result to a vulnerability display system, reading the response result in the vulnerability display system by the vulnerability scanner, and carrying out vulnerability detection according to the response result to obtain a vulnerability detection result.
7. The vulnerability detection method according to claim 6, wherein the vulnerability type corresponding to the vulnerability detection request message is an arbitrary code execution vulnerability, and the step of executing the executable code in the vulnerability detection request message, obtaining a response result, sending the response result to a vulnerability display system, reading the response result in the vulnerability display system by the vulnerability scanner, and performing vulnerability detection according to the response result to obtain the vulnerability detection result comprises:
acquiring a detection random value according to the vulnerability detection request message;
if the application server has the arbitrary code execution vulnerability, executing the executable code through the arbitrary code execution vulnerability according to the detection random value, and acquiring a response result;
and sending the response result to the vulnerability display system through a payload, reading the response result in the vulnerability display system by the vulnerability scanner, and acquiring a vulnerability detection result according to the detection random value in the response result and the detection random value preset in the vulnerability display system.
8. A vulnerability detection apparatus, the apparatus comprising:
the request acquisition module is used for acquiring a vulnerability detection request message;
The request execution module is used for sending the vulnerability detection request message to an application server, executing executable codes in the vulnerability detection request message by the application server, acquiring a response result and sending the response result to a vulnerability display system;
And the vulnerability detection module is used for reading the response result in the vulnerability display system, and carrying out vulnerability detection according to the response result to obtain a vulnerability detection result.
9. A terminal device, characterized in that the terminal device comprises: a memory, a processor, and a vulnerability detection program stored on the memory and executable on the processor, the vulnerability detection program configured to implement the steps of the vulnerability detection method of any one of claims 1-7.
10. A storage medium having stored thereon a vulnerability detection program which when executed by a processor implements the steps of the vulnerability detection method of any one of claims 1 to 7.
CN202410344511.9A 2024-03-25 2024-03-25 Vulnerability detection method, vulnerability detection device, terminal equipment and storage medium Pending CN118041679A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410344511.9A CN118041679A (en) 2024-03-25 2024-03-25 Vulnerability detection method, vulnerability detection device, terminal equipment and storage medium

Publications (1)

Publication Number Publication Date
CN118041679A true CN118041679A (en) 2024-05-14

Family

ID=90999074

Country Status (1)

Country Link
CN (1) CN118041679A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination