
CN114168147A - WebShell killing-free method and device, storage medium and electronic equipment - Google Patents


Info

Publication number: CN114168147A
Authority: CN (China)
Prior art keywords: keyword, webshell, killing, sensitive, target
Legal status: Pending
Application number: CN202111492987.XA
Other languages: Chinese (zh)
Inventors: 许承祖, 王帅, 邓晓东, 余航
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202111492987.XA
Publication of CN114168147A

Classifications

    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F8/00 Arrangements for software engineering > G06F8/40 Transformation of program code > G06F8/41 Compilation > G06F8/44 Encoding
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements > G06F21/562 Static detection > G06F21/563 Static detection by source code analysis
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F8/00 Arrangements for software engineering > G06F8/40 Transformation of program code > G06F8/41 Compilation > G06F8/42 Syntactic analysis > G06F8/427 Parsing


Abstract

The disclosure belongs to the technical field of the internet and relates to a WebShell killing-free (detection-evasion) method and device, a storage medium and electronic equipment. The method comprises the following steps: acquiring a sensitive keyword and setting a variable name for the sensitive keyword to obtain a target keyword; encrypting the target keyword and the sensitive keyword to obtain an encrypted keyword, and splicing the encrypted keyword to obtain a WebShell file; and subjecting the WebShell file to searching and killing processing to determine that the WebShell file passes that processing. Setting the variable name realises dynamic setting and use of the sensitive keyword and helps the WebShell file bypass subsequent searching and killing processing along the dimension of the variable name; encrypting the target keyword and the sensitive keyword erases the characteristics of the keywords and hides the sensitive keywords on which a searching and killing system or tool mainly focuses, so that the system or tool cannot perform searching and killing processing according to keyword characteristics, the WebShell file is prevented from being searched and killed, and further deep penetration is realised.

Description

WebShell killing-free method and device, storage medium and electronic equipment
Technical Field
The disclosure relates to the technical field of internet, and in particular to a WebShell killing-free method, a WebShell killing-free device, a computer-readable storage medium and an electronic device.
Background
Hackers often leave backdoor files on a server after compromising a website and then access those files through a browser to control the server. Such backdoor files are usually called web backdoors (WebShells, also known as one-sentence Trojans). Traditional WebShells are closely watched by all the major antivirus products and by website application-level intrusion prevention systems (WAF, Web Application Firewall), which effectively reduces an attacker's efficiency.
Currently there are three main ways of making a WebShell evade killing. The first is to split the sensitive keywords and splice them back together; the second is to use comments for obfuscation; the third is to bypass detection through an encoding such as base64 (which represents binary data with 64 printable characters). These three methods reduce the risk of WebShell detection to some extent, but the WebShell may still be detected by a searching and killing tool, which hinders further deep penetration. For an attacker, a stable WebShell that stays alive plays a very important role.
In view of this, there is a need in the art to develop a new WebShell killing-free method and device.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The purpose of the disclosure is to provide a WebShell killing-free method, a WebShell killing-free device, a computer-readable storage medium and an electronic device, thereby overcoming, at least to some extent, the technical problems of being easily killed and being unable to penetrate deeply that arise from the limitations of the related art.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to a first aspect of embodiments of the present invention, there is provided a WebShell killing-free method, the method comprising:
acquiring a sensitive keyword, and setting a variable name for the sensitive keyword to obtain a target keyword;
encrypting the target keyword and the sensitive keyword to obtain an encrypted keyword, and splicing the encrypted keyword to obtain a WebShell file; and
performing killing processing on the WebShell file to determine that the WebShell file passes the killing processing.
In an exemplary embodiment of the present invention, the sensitive keyword includes: eval and assert.
In an exemplary embodiment of the present invention, setting a variable name for the sensitive keyword to obtain a target keyword includes:
in the target scripting language, setting a variable name for the sensitive keyword by using a variable delimiter to obtain the target keyword.
In an exemplary embodiment of the present invention, splicing the encrypted keyword to obtain a WebShell file includes:
splicing the encrypted keyword by using a grouping symbol of the target scripting language to obtain the WebShell file.
In an exemplary embodiment of the present invention, encrypting the target keyword and the sensitive keyword to obtain an encrypted keyword includes:
encrypting the target keyword and the sensitive keyword by using an encryption algorithm to obtain the encrypted keyword.
In an exemplary embodiment of the invention, the method further comprises:
executing a command corresponding to the WebShell file.
In an exemplary embodiment of the present invention, executing the command corresponding to the WebShell file includes:
determining a decryption algorithm corresponding to the encryption algorithm, and acquiring a key corresponding to the decryption algorithm and a command corresponding to the WebShell file; and
decrypting the encrypted keyword by using the decryption algorithm and the key to obtain the target keyword and the sensitive keyword, and executing the command according to the target keyword and the sensitive keyword.
According to a second aspect of the embodiments of the present invention, there is provided a WebShell killing-free device, including:
a variable setting module configured to acquire a sensitive keyword and set a variable name for the sensitive keyword to obtain a target keyword;
an encryption processing module configured to encrypt the target keyword and the sensitive keyword to obtain an encrypted keyword, and to splice the encrypted keyword to obtain a WebShell file; and
a killing-passing module configured to perform searching and killing processing on the WebShell file and determine that the WebShell file passes the searching and killing processing.
According to a third aspect of embodiments of the present invention, there is provided an electronic apparatus including a processor and a memory, wherein the memory stores computer-readable instructions that, when executed by the processor, implement the WebShell killing-free method of any of the above-described exemplary embodiments.
According to a fourth aspect of embodiments of the present invention, there is provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the WebShell killing-free method of any of the above-described exemplary embodiments.
As can be seen from the foregoing technical solutions, the WebShell killing-free method, the WebShell killing-free device, the computer storage medium and the electronic device in the exemplary embodiments of the present disclosure have at least the following advantages and positive effects:
in the method and device provided by the exemplary embodiments of the disclosure, the target keyword is obtained by setting a variable name for the sensitive keyword, so that the sensitive keyword is set and used dynamically, and the variable-name dimension helps the WebShell file bypass subsequent searching and killing processing. Furthermore, encrypting the target keyword and the sensitive keyword erases the characteristics of the keywords and hides the sensitive keywords on which a searching and killing system or tool focuses, so that the system or tool cannot perform searching and killing processing according to keyword characteristics; the WebShell file is thus prevented from being searched and killed, and further deep penetration is achieved. Compared with a common WebShell file, the use of suspicious functions such as encoding and decoding functions is greatly reduced, the file is closer to the writing habits of normal syntax, and the killing-free effect of the WebShell file is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
Fig. 1 schematically illustrates a flowchart of a WebShell killing-free method in an exemplary embodiment of the present disclosure;
fig. 2 schematically illustrates a flowchart of a method of executing a command corresponding to a WebShell file in an exemplary embodiment of the present disclosure;
fig. 3 schematically shows a flowchart of a method for searching and killing a WebShell file in the related art;
fig. 4 schematically illustrates a flowchart of a WebShell killing-free method in an application scenario in an exemplary embodiment of the present disclosure;
fig. 5 schematically illustrates a structural schematic diagram of a WebShell killing-free device in an exemplary embodiment of the present disclosure;
fig. 6 schematically illustrates an electronic device for implementing a WebShell killing-free method in an exemplary embodiment of the present disclosure;
fig. 7 schematically illustrates a computer-readable storage medium for implementing a WebShell killing-free method in an exemplary embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and the like. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
The terms "a," "an," "the," and "said" are used in this specification to denote the presence of one or more elements/components/parts/etc.; the terms "comprising" and "having" are intended to be inclusive and mean that there may be additional elements/components/etc. other than the listed elements/components/etc.; the terms "first" and "second", etc. are used merely as labels, and are not limiting on the number of their objects.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus their repetitive description will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities.
Aiming at the problems in the related art, the present disclosure provides a WebShell killing-free method. Fig. 1 shows a flowchart of the WebShell killing-free method; as shown in fig. 1, the method includes at least the following steps:
S110: acquiring a sensitive keyword, and setting a variable name for the sensitive keyword to obtain a target keyword.
S120: encrypting the target keyword and the sensitive keyword to obtain an encrypted keyword, and splicing the encrypted keyword to obtain a WebShell file.
S130: performing searching and killing processing on the WebShell file to determine that the WebShell file passes the searching and killing processing.
In the exemplary embodiment of the disclosure, the target keyword is obtained by setting a variable name for the sensitive keyword, so that the sensitive keyword is set and used dynamically, and the WebShell file is helped to bypass subsequent searching and killing processing along the dimension of the variable name. Furthermore, encrypting the target keyword and the sensitive keyword erases the characteristics of the keywords and hides the sensitive keywords on which a searching and killing system or tool focuses, so that the system or tool cannot perform searching and killing processing according to keyword characteristics; the WebShell file is thus prevented from being searched and killed, and further deep penetration is achieved. Compared with a common WebShell file, the use of suspicious functions such as encoding and decoding functions is greatly reduced, the file is closer to the writing habits of normal syntax, and the killing-free effect of the WebShell file is improved.
The individual steps of the WebShell killing-free method are described in detail below.
In step S110, a sensitive keyword is acquired, and a variable name is set for the sensitive keyword to obtain a target keyword.
In exemplary embodiments of the present disclosure, a WebShell file generally refers to a file that has been determined to contain a WebShell. A WebShell file is generally composed of a plurality of fields (also called field information), which may include, but are not limited to, any one or any combination of a file name, a file path, file contents and the like.
Sensitive keywords are also important components of a WebShell file; they are exactly the content that a killing system or killing tool focuses on.
In an alternative embodiment, the sensitive keywords include eval and assert.
eval is a language construct, not a function, and cannot be called as a variable function. eval parses a string as PHP (Hypertext Preprocessor) code and executes it.
PHP supports the concept of variable functions: if a variable name is followed by parentheses, PHP looks for a function whose name equals the value of the variable and tries to execute it. Variable functions can be used to implement callbacks, function tables and similar uses. They cannot be used for language constructs such as echo, print, unset(), isset(), empty(), include and require; a wrapper function of one's own must be used to call such constructs through a variable function.
Specifically, eval(): executes the string as a function (a complete statement must be passed in), outputting hello after execution.
assert(): checks whether its argument is a string; if it is, the string is executed as code. The PHP maintainers changed the assert function in PHP 7: versions from PHP 7.0.29 onward do not support calling it dynamically.
After the sensitive keywords are acquired, a variable name can be set for one or more of them.
In an optional embodiment, in the target scripting language, a variable name is set for the sensitive keyword by using a variable delimiter to obtain the target keyword.
The target scripting language may be PHP (Hypertext Preprocessor) or another scripting language; this exemplary embodiment is not particularly limited in this respect.
PHP is a scripting language executed on the server side; it is particularly suited to web development and can be embedded in HTML (Hyper Text Markup Language). PHP's syntax borrows from C and absorbs features of several languages, such as Java and Perl, to form its own syntax, which continues to be improved and promoted, for example with Java-style object-oriented programming. PHP supports both object-oriented and procedural development and is very flexible to use.
After more than twenty years of development, and with the rapid development and improvement of the related PHP-cli components, PHP can be applied to system research and development in non-web fields such as TCP/UDP (Transmission Control Protocol/User Datagram Protocol), high-performance Web (World Wide Web), WebSocket (a protocol for full-duplex communication over a single TCP connection), the internet of things, real-time communication, games, microservices and the like.
According to statistics published by W3Techs on 6 December 2019, PHP's share among programming languages used on the server side of websites is as high as 78.9%. Among websites using a content management system, 58.7% use WordPress (a CMS (Content Management System) developed in PHP), which accounts for 25.0% of all websites.
In the PHP language, the variable delimiter is "$".
PHP uses C-like syntax with some differences: a $ symbol followed by a string denotes a variable name or object name.
For example, in the PHP language, the variable name of a sensitive keyword may be $A. Setting the variable name for the sensitive keyword with the variable delimiter may then mean adding the variable delimiter once more to obtain $$A; the $$A obtained after adding the variable delimiter is the target keyword. Other methods of setting the variable name are also possible, and this exemplary embodiment is not particularly limited in this respect.
It is worth noting that when the sensitive keywords include eval and assert, the variable name can be set for assert to obtain the corresponding target keyword, without setting a variable name for eval.
In the exemplary embodiment, dynamically setting and using the variable name of the sensitive keyword in the target scripting language helps the WebShell file bypass the killing system subsequently, while the logical structure of the WebShell file's executing syntax and statements remains intact.
In step S120, the target keyword and the sensitive keyword are encrypted to obtain an encrypted keyword, and the encrypted keyword is spliced to obtain a WebShell file.
In an exemplary embodiment of the present disclosure, after the target keyword is obtained, the target keyword and the sensitive keyword may be further encrypted.
In an alternative embodiment, an encryption algorithm is used to encrypt the target keyword and the sensitive keyword to obtain the encrypted keyword.
When the sensitive keywords include eval and assert, a variable name can be set for assert to obtain the corresponding target keyword; therefore the target keyword corresponding to assert and the sensitive keyword eval can be encrypted with the encryption algorithm to obtain the encrypted keyword.
The encryption algorithm may be a symmetric encryption algorithm, an asymmetric encryption algorithm or a hash algorithm. Specifically, symmetric encryption algorithms may include, but are not limited to, DES, 3DES, TDEA, Blowfish, RC5 and IDEA; asymmetric encryption algorithms may include, but are not limited to, RSA, ElGamal, knapsack, Rabin, D-H and ECC; hash algorithms may include, but are not limited to, SHA512, SHA224 and SHA384.
In the exemplary embodiment, encrypting the target keyword and the sensitive keyword with the encryption algorithm erases the characteristics of the sensitive keywords, so that the searching and killing system or tool cannot recover the sensitive keywords from the character features of the WebShell file, which helps the file avoid being searched and killed by the searching and killing system or software.
After the encrypted keyword is obtained, it can be spliced to obtain the WebShell file.
In an optional embodiment, in the target scripting language, the encrypted keyword is spliced by using a grouping symbol to obtain the WebShell file.
The target scripting language may likewise be PHP or another scripting language; this exemplary embodiment is not particularly limited in this respect.
In the PHP language, the grouping symbol may be "()".
Since the encrypted keyword is obtained by encrypting the target keyword corresponding to assert and the sensitive keyword eval, the encrypted target keyword corresponding to assert and the encrypted sensitive keyword eval may be spliced together.
Specifically, the spliced form obtained with the grouping symbol may be $$A(eval), where $$A is the encrypted target keyword corresponding to assert, eval represents the encrypted sensitive keyword eval, and $$A(eval) as a whole is the WebShell file.
In step S130, the WebShell file is subjected to killing processing to determine that the WebShell file passes the killing processing.
In the exemplary embodiment of the present disclosure, after the WebShell file is obtained, it may be subjected to killing processing by a killing system or killing tool. Because the WebShell file has undergone variable-name setting and encryption processing, it cannot be killed by the killing system or killing tool; that is, the WebShell file passes the killing processing.
Furthermore, a command corresponding to the WebShell file may also be executed.
In an alternative embodiment, a command corresponding to the WebShell file is executed.
The command corresponding to the WebShell file may be a command that views the current web service directory and then escalates privileges to obtain system permissions. This holds regardless of whether the language is ASP (Active Server Pages), PHP, JSP (Java Server Pages) or ASPX (ASP.NET, a class library for developing web applications).
In an alternative embodiment, fig. 2 is a flowchart illustrating a method of executing a command corresponding to the WebShell file; as shown in fig. 2, the method includes at least the following steps. In step S210, a decryption algorithm corresponding to the encryption algorithm is determined, and a key corresponding to the decryption algorithm and a command corresponding to the WebShell file are acquired.
The decryption algorithm may be any algorithm capable of decrypting the encrypted keyword. For example, when the target keyword and the sensitive keyword were encrypted with a symmetric encryption algorithm, the decryption algorithm that decrypts the encrypted keyword may be the same algorithm as the encryption algorithm. The corresponding decryption algorithm may also be chosen according to the particular encryption algorithm used; this exemplary embodiment is not particularly limited in this respect.
The key is the parameter the decryption algorithm uses to decrypt the encrypted keyword, that is, the input parameter of the algorithm that converts ciphertext into plaintext. Keys may be divided into symmetric keys and asymmetric keys according to the encryption or decryption algorithm.
Symmetric-key encryption, also called private-key encryption or session-key encryption, means that the sender and receiver of the information use the same key to encrypt and decrypt data. Its most important advantage is fast encryption/decryption speed, which makes it suitable for encrypting large volumes of data, but key management is difficult.
Asymmetric-key encryption systems are also known as public-key encryption. They use different keys for the encryption and decryption operations: one is distributed publicly (the public key) and the other is kept secret by its owner (the private key). The sender of a message encrypts it with the public key and the recipient decrypts it with the private key. Public-key mechanisms are flexible, but encryption and decryption are much slower than with symmetric-key encryption.
In step S220, the encrypted keyword is decrypted by using the decryption algorithm and the key to obtain the target keyword and the sensitive keyword, and the command is executed according to the target keyword and the sensitive keyword.
After the decryption algorithm and the key are determined, the encrypted keyword may be decrypted with them and restored to the target keyword and the sensitive keyword; for example, after decryption, the assert with its variable name set and the eval are recovered.
Further, the command corresponding to the WebShell file may be executed using the target keyword and the sensitive keyword.
In the exemplary embodiment, the decryption algorithm and the key are used to decrypt the encrypted keyword, after which the command of the killing-free WebShell file can be executed; this helps the WebShell file bypass the killing process, further ensures that the WebShell file is executed, and achieves deep penetration.
The WebShell killing-free method of the embodiments of the present disclosure is described in detail below with reference to an application scenario.
Fig. 3 is a schematic flowchart of a method for searching and killing a WebShell file in the related art. As shown in fig. 3, step S310 covers the WebShell-related keywords and syntax structure.
The related keywords and syntax structure that make up the WebShell file are acquired.
Step S320 is the original version of the WebShell.
An original WebShell file is generated from the related keywords and syntax structure.
Step S330 is the killing tool.
The original WebShell file is checked and killed with the searching and killing tool.
Step S340 is automatic clearing.
The searching and killing tool focuses on the sensitive keywords of the original WebShell file, so the original WebShell file can be searched and killed by identifying those sensitive keywords and therefore cannot pass the searching and killing processing.
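The related-art scanner of steps S310 to S340 is described as matching the sensitive keywords themselves, which is exactly what the variable-name setting of step S110 ($A, $$A) and the grouping form of step S120 ($$A(eval)) are meant to defeat. The following Python script is an added example written for this page from the defender's side; it is not part of the patent and not code from the applicant. It runs a keyword-only check and a structural check side by side over a few constructed PHP fragments (made up for the example, not working backdoors) to show which constructions each check sees. The regular expressions and rule names are the example's own choices; the PHP function names used as decode indicators (base64_decode, openssl_decrypt, gzinflate, str_rot13, hex2bin) are real PHP functions chosen as illustrations.

```python
import re
from dataclasses import dataclass

# The two sensitive keywords the patent names in step S110.
SENSITIVE_KEYWORDS = ("eval", "assert")

# Related-art check (fig. 3): the keyword must be visible and called directly.
KEYWORD_CALL = re.compile(
    r"(?<!\$)\b(" + "|".join(SENSITIVE_KEYWORDS) + r")\s*\(", re.IGNORECASE)

# Structural checks that do not depend on the keyword text being visible.
VARIABLE_VARIABLE_CALL = re.compile(r"\$\$[A-Za-z_]\w*\s*\(")       # $$A(...)
VARIABLE_FUNCTION_CALL = re.compile(r"(?<!\$)\$[A-Za-z_]\w*\s*\(")  # $A(...)
# Real PHP functions that turn an opaque blob back into text at runtime (illustrative list).
DECODE_CALL = re.compile(
    r"\b(base64_decode|openssl_decrypt|gzinflate|str_rot13|hex2bin)\s*\(", re.IGNORECASE)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str


def normalise(php: str) -> str:
    """Drop /* */ comments (the 'comments for obfuscation' trick) but keep line numbering."""
    return BLOCK_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), php)


def scan_keywords(php: str) -> list[Finding]:
    """Related-art scanner: reports only eval/assert calls whose name is visible in the text."""
    findings = []
    for n, line in enumerate(normalise(php).splitlines(), 1):
        for m in KEYWORD_CALL.finditer(line):
            findings.append(Finding(n, f"keyword:{m.group(1).lower()}", line.strip()))
    return findings


def scan_structure(php: str) -> list[Finding]:
    """Structural scanner: reports dynamic-call shapes and decode-then-call sequences."""
    findings = []
    saw_decode = False
    for n, line in enumerate(normalise(php).splitlines(), 1):
        if DECODE_CALL.search(line):
            saw_decode = True
            findings.append(Finding(n, "decode-call", line.strip()))
        if VARIABLE_VARIABLE_CALL.search(line):
            findings.append(Finding(n, "variable-variable-call", line.strip()))
        elif VARIABLE_FUNCTION_CALL.search(line):
            rule = "decoded-then-dynamic-call" if saw_decode else "variable-function-call"
            findings.append(Finding(n, rule, line.strip()))
    return findings


def verdict(php: str) -> dict[str, list[str]]:
    """Rule names reported by each scanner, sorted and de-duplicated for comparison."""
    return {
        "keyword_scanner": sorted({f.rule for f in scan_keywords(php)}),
        "structural_scanner": sorted({f.rule for f in scan_structure(php)}),
    }


# Constructed PHP fragments for the example (not from the patent, not working backdoors).
SAMPLES = {
    "benign": "<?php\n$greeting = 'hello';\necho $greeting;\n",
    "plain_keyword": "<?php\neval($input);\n",
    "comment_padded": "<?php\neval/* padding */($input);\n",
    "variable_variable": "<?php\n$A = $name;\n$$A($input);\n",
    "decrypt_then_call": (
        "<?php\n"
        "$fn = openssl_decrypt($blob, 'aes-128-cbc', $key);\n"
        "$fn($input);\n"
    ),
}

if __name__ == "__main__":
    for name, source in SAMPLES.items():
        print(f"{name:18} {verdict(source)}")
```

Running the script prints the rule names each scanner reports per sample. The keyword scanner sees the plain and comment-padded calls but nothing in the variable-variable or decrypt-then-call samples, while the structural scanner reports the dynamic-call shape regardless of which name the variable eventually holds. In practice the two checks are run together, and the structural findings are a triage signal rather than a verdict, since legitimate PHP also uses variable functions.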
Fig. 4 is a schematic flowchart illustrating a WebShell killing-free method in an application scenario, where as shown in fig. 4, in step S410, the WebShell-related keywords, the syntax structure, and the decryption algorithm are used.
In general, a WebShell file refers to a file that has been determined to contain WebShell. Typically, a WebShell file is constructed to include a number of fields, which may include, but are not limited to: any one or any combination of file names, file paths, file contents, and the like.
And sensitive keywords are also important components of the WebShell file. The sensitive words are exactly the contents concerned by the killing system or the killing tool terminal.
In general, sensitive keywords may include: eval and assert.
eval is a language construct, not a function, so it cannot be called through a variable function. eval parses a string as PHP code and executes it.
PHP supports the concept of a variable function. This means that if a variable name is followed by parentheses, PHP looks for a function whose name equals the value of the variable and tries to execute it. Variable functions can be used to implement callback functions and function tables, among other things, but they cannot be used for language constructs such as echo, print, unset(), isset(), empty(), include, require, and the like; a wrapper function of one's own is needed to use these constructs as variable functions.
Specifically, eval(): executes the string as code (a complete statement must be passed in); in the example, hello is output after execution.
assert(): checks whether the argument is a string and, if so, executes it as code. The PHP maintainers modified the assert function in PHP 7; versions after PHP 7.0.29 do not support dynamic calls.
The grammar structure may be that of a target scripting language, such as the PHP language.
The decryption algorithm may be an algorithm capable of decrypting the encrypted keyword. For example, when the target keyword and the sensitive keyword are encrypted by using a symmetric encryption algorithm to obtain an encrypted keyword, the decryption algorithm is to decrypt the encrypted keyword, and thus may be the same algorithm as the encryption algorithm. In addition, the corresponding decryption algorithm may also be set according to different encryption algorithms, which is not particularly limited in this exemplary embodiment.
In step S420, the keyword is encrypted.
After the sensitive keywords are acquired and before the keywords are encrypted, variable name setting may be performed on one or more sensitive keywords.
In the target script language, variable name setting is carried out on the sensitive keywords by using variable delimiters to obtain target keywords.
The target scripting language may be a PHP language or other scripting languages, and this exemplary embodiment is not particularly limited thereto.
In the PHP language, the variable delimiter is "$".
PHP uses C-like syntax with some differences: a variable is written as the $ symbol followed by a string, which serves as the variable name or object name.
For example, in the PHP language, the variable name of a sensitive keyword may be $A. Variable name setting on the sensitive keyword by using the variable delimiter then means adding a variable delimiter once more to obtain $$A. The $$A obtained after adding the variable delimiter is the target keyword.
It is worth noting that when the sensitive keywords include eval and assert, variable name setting can be performed on assert to obtain the corresponding target keyword, without performing variable name setting on eval.
And encrypting the target keyword and the sensitive keyword by using an encryption algorithm to obtain an encrypted keyword.
When the sensitive keywords comprise eval and assert, variable name setting can be performed on assert to obtain the corresponding target keyword; therefore, the target keyword corresponding to assert and the sensitive keyword eval can be encrypted with an encryption algorithm to obtain the encrypted keywords.
The encryption algorithm comprises a symmetric encryption algorithm, an asymmetric encryption algorithm and a Hash algorithm. Specifically, the symmetric encryption algorithm may include, but is not limited to, DES algorithm, 3DES algorithm, TDEA algorithm, Blowfish algorithm, RC5 algorithm, IDEA algorithm, etc., the asymmetric encryption algorithm may include, but is not limited to, RSA algorithm, Elgamal algorithm, knapsack algorithm, Rabin algorithm, D-H algorithm, ECC algorithm, etc., and the hash algorithm may include, but is not limited to, SHA512 algorithm, SHA224 algorithm, SHA384 algorithm, etc.
In step S430, the variable variables are spliced.
In the target script language, the encrypted keywords are spliced by using the grouping symbol to obtain the WebShell file.
The target scripting language may also be a PHP language, or may also be another scripting language, and this exemplary embodiment is not particularly limited to this.
In the PHP language, the grouping symbol may be "()".
Since the encrypted keyword is obtained by encrypting the target keyword corresponding to assert and the sensitive keyword eval, the encrypted target keyword corresponding to assert and the encrypted sensitive keyword eval can be spliced.
Specifically, the splicing by using the grouping symbol may take the form $$A(eval). Here $$A is the encrypted target keyword corresponding to assert, eval represents the encrypted sensitive keyword eval, and the whole of $$A(eval) is the WebShell file.
In step S440, the original version of the WebShell file is obtained.
The original WebShell file is the whole of $$A(eval).
In step S450, the killing tool is applied.
After the WebShell file is obtained, it can be subjected to killing processing by a killing system or killing tool. Because the WebShell file has undergone variable name setting and encryption processing, it cannot be killed by the killing system or killing tool; that is, the WebShell file passes the killing process.
In step S460, the key is attached and the command is transmitted.
Furthermore, a command corresponding to the WebShell file may also be executed.
The command corresponding to the WebShell file may be a command for viewing the current Web service directory and then escalating rights to acquire system permissions. This holds regardless of whether the ASP, PHP, JSP, or ASPX language is used.
The key is the parameter used by the decryption algorithm to decrypt the encrypted keyword, that is, the parameter input to the algorithm that converts ciphertext into plaintext. Keys may be divided into symmetric keys and asymmetric keys according to the encryption or decryption algorithm used.
Symmetric key encryption, also called private key encryption or session key encryption, means that the sender and receiver of the information use the same key to encrypt and decrypt the data. Its most important advantage is its fast encryption and decryption speed, which suits large data volumes, but key management is difficult.
An asymmetric key encryption system, also known as public key encryption, uses different keys for the encryption and decryption operations: one is publicly distributed, the public key, and the other is kept secret by the user, the private key. The sender of the message encrypts with the public key and the recipient decrypts with the private key. Public key mechanisms are flexible, but encryption and decryption are much slower than with symmetric key encryption.
In step S470, decryption processing is performed.
After the decryption algorithm and the key are determined, the encrypted keyword can be decrypted with the key and the decryption algorithm and restored to the target keyword and the sensitive keyword; for example, decryption yields assert with its variable name setting and eval.
In step S480, the WebShell is killing-free.
Further, the command corresponding to the WebShell file can be executed by using the target keyword and the sensitive keyword.
In the WebShell killing-free method in this application scenario, the target keyword is obtained by setting a variable name for the sensitive keyword, which realizes dynamic setting and use of the sensitive keyword and, at the level of the variable name, helps the WebShell file bypass the subsequent killing tool's check of variable function grammar. Furthermore, encrypting the target keyword and the sensitive keyword erases the characteristics of the keywords and hides the sensitive keywords that the searching and killing system or tool mainly focuses on, so that the system or tool cannot perform searching and killing according to keyword characteristics, and deeper penetration is achieved. Moreover, a key is attached to the executed command to support decryption, which achieves the effect of preventing the WebShell file from being killed and addresses the risk that the WebShell file is killed during permission maintenance.
Common WebShell files often call encoding and decoding functions many times to avoid searching and killing; in this process the encoding and decoding functions are used less, which overcomes that defect of conventional killing-free means. In addition, the whole process is close to normal syntax habits, which further improves the concealment of the WebShell file.
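Seen from the defender's side, steps S410 to S480 defeat a scanner that matches only the literal keywords eval and assert. The following Python scanner is an added example (not code from the patent) that instead scores the structure this construction depends on: the variable-variable call syntax, decoder calls, high-entropy string literals and request-supplied parameters. The sample fragments, weights and entropy threshold are constructed assumptions.

```python
"""Indicator scanner for the keyword-hiding pattern of steps S410-S480.

Added example, not code from the patent.  A signature-only scanner is blind to
$$A(...) style calls whose callee name is decrypted at run time; this one scores
the surrounding structure.  Weights, thresholds and samples are assumptions.
"""
import math
import re
from dataclasses import dataclass, field

# Keywords a signature-only scanner matches; the page names eval and assert.
SENSITIVE = ("eval", "assert")
# Functions that turn an encoded or encrypted string back into a name or code.
DECODERS = ("base64_decode", "str_rot13", "gzinflate", "gzuncompress",
            "openssl_decrypt", "hex2bin", "strrev")

DIRECT_RE = re.compile(r"\b(" + "|".join(SENSITIVE) + r")\s*\(", re.I)
# $$A(  or  ${$A}(  : the callee name is read from the value of another variable.
VARVAR_RE = re.compile(r"\$\s*(?:\$|\{\s*\$)\s*[A-Za-z_]\w*\s*\}?\s*\(")
# $f(  : ordinary variable function (legitimate for callbacks, weak signal alone).
VARCALL_RE = re.compile(r"(?<![$\w])\$[A-Za-z_]\w*\s*\(")
DECODE_RE = re.compile(r"\b(" + "|".join(DECODERS) + r")\s*\(", re.I)
# Key or command arriving with the request, as in step S460.
REQUEST_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
STRING_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")
# Comment stripping is deliberately simple; it does not honour '#' inside strings.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

ENTROPY_MIN_LEN = 20      # shorter literals are ignored (assumption)
ENTROPY_THRESHOLD = 4.0   # bits per char; ciphertext/base64 score higher (assumption)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    indicators: list = field(default_factory=list)
    score: int = 0

    @property
    def verdict(self) -> str:
        return "high" if self.score >= 6 else "medium" if self.score >= 3 else "low"


def scan_php(source: str) -> Finding:
    """Score one PHP source text; indicators name what was seen, not a proof."""
    f = Finding()
    code = COMMENT_RE.sub(" ", source)
    literals = [a or b for a, b in STRING_RE.findall(code)]

    if DIRECT_RE.search(code):                 # what the related-art tool keys on
        f.indicators.append("direct_sensitive_call"); f.score += 3
    varvar = VARVAR_RE.search(code) is not None
    varcall = VARCALL_RE.search(code) is not None
    decode = DECODE_RE.search(code) is not None
    request = REQUEST_RE.search(code) is not None
    high_entropy = any(len(s) >= ENTROPY_MIN_LEN
                       and shannon_entropy(s) >= ENTROPY_THRESHOLD for s in literals)

    if varvar:
        f.indicators.append("variable_variable_call"); f.score += 3
    elif varcall:
        f.indicators.append("variable_function_call"); f.score += 1
    if decode:
        f.indicators.append("decoder_call"); f.score += 2
    if high_entropy:
        f.indicators.append("high_entropy_literal"); f.score += 1
    if request:
        f.indicators.append("request_supplied_input"); f.score += 1
    # The combination the page relies on: a dynamically named call fed by
    # decrypted or high-entropy material.  Scored on top of the parts.
    if (varvar or varcall) and (decode or high_entropy):
        f.indicators.append("dynamic_call_of_decoded_name"); f.score += 3
    return f


# Constructed, non-functional fragments used as test input (not real samples).
SAMPLE_DIRECT = "<?php eval('echo \"hello\";'); ?>"      # plain keyword, step S330 catches it
SAMPLE_VARVAR = (                                         # mirrors the $$A(...) splice
    "<?php\n"
    "$A = openssl_decrypt('0123456789abcdefghijklmnopqrstuv', 'aes-128-cbc', $_GET['key']);\n"
    "$$A('0123456789abcdefghijklmnopqrstuv');\n"
)
SAMPLE_BENIGN = "<?php\n$formatter = 'strtoupper';\necho $formatter('hello');\n"

if __name__ == "__main__":
    for name, src in (("direct", SAMPLE_DIRECT), ("varvar", SAMPLE_VARVAR),
                      ("benign", SAMPLE_BENIGN)):
        r = scan_php(src)
        print(f"{name:7s} {r.verdict:6s} score={r.score:2d} {r.indicators}")
```

The variable-variable sample carries no literal eval or assert, so the direct keyword rule never fires on it; only the structural indicators lift it to "high".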
In addition, in an exemplary embodiment of the present disclosure, a WebShell killing-free device is also provided. Fig. 5 shows a schematic structural diagram of a WebShell killing-free device, and as shown in fig. 5, the WebShell killing-free device 500 may include: a variable setting module 510, an encryption processing module 520, and a kill pass module 530. Wherein:
a variable setting module 510, configured to obtain a sensitive keyword, and perform variable name setting on the sensitive keyword to obtain a target keyword;
the encryption processing module 520 is configured to encrypt the target keyword and the sensitive keyword to obtain an encrypted keyword, and splice the encrypted keyword to obtain a WebShell file;
and the searching and killing passing module 530 is configured to perform searching and killing processing on the WebShell file and determine that the WebShell file passes the searching and killing processing.
In an exemplary embodiment of the present invention, the sensitive keyword includes: eval and assert.
In an exemplary embodiment of the present invention, the performing variable name setting on the sensitive keyword to obtain a target keyword includes:
and in the target script language, setting a variable name of the sensitive keyword by using a variable delimiter to obtain a target keyword.
In an exemplary embodiment of the present invention, the splicing the encrypted keywords to obtain a WebShell file includes:
and splicing the encrypted keywords by using a grouping symbol in the target script language to obtain a WebShell file.
In an exemplary embodiment of the present invention, the encrypting the target keyword and the sensitive keyword to obtain an encrypted keyword includes:
and encrypting the target keyword and the sensitive keyword by using an encryption algorithm to obtain an encrypted keyword.
In an exemplary embodiment of the invention, the method further comprises:
and executing a command corresponding to the WebShell file.
In an exemplary embodiment of the present invention, the executing the command corresponding to the WebShell file includes:
determining a decryption algorithm corresponding to the encryption algorithm, and acquiring a key corresponding to the decryption algorithm and a command corresponding to the WebShell file;
and decrypting the encrypted keyword by using the decryption algorithm and the key to obtain the target keyword and the sensitive keyword, and executing the command according to the target keyword and the sensitive keyword.
The details of the WebShell killing-exempting device 500 are described in detail in the corresponding WebShell killing-exempting method, and therefore are not described herein again.
It should be noted that although several modules or units of the WebShell kill-exempt device 500 are mentioned in the above detailed description, such partitioning is not mandatory. Indeed, according to embodiments of the present disclosure, the features and functions of two or more modules or units described above may be embodied in one module or unit. Conversely, the features and functions of one module or unit described above may be further divided and embodied by a plurality of modules or units.
In addition, in an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
An electronic device 600 according to such an embodiment of the invention is described below with reference to fig. 6. The electronic device 600 shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 6, the electronic device 600 is embodied in the form of a general purpose computing device. The components of the electronic device 600 may include, but are not limited to: the at least one processing unit 610, the at least one memory unit 620, a bus 630 connecting different system components (including the memory unit 620 and the processing unit 610), and a display unit 640.
Wherein the storage unit stores program code that is executable by the processing unit 610 such that the processing unit 610 performs the steps according to various exemplary embodiments of the present invention as described in the above section "exemplary method" of the present specification.
The storage unit 620 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM)621 and/or a cache memory unit 622, and may further include a read only memory unit (ROM) 623.
The storage unit 620 may also include a program/utility 624 having a set (at least one) of program modules 625, such program modules 625 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 630 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 600 may also communicate with one or more external devices 800 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 600, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 600 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 650. Also, the electronic device 600 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 660. As shown, the network adapter 660 communicates with the other modules of the electronic device 600 over the bus 630. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, there is also provided a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, aspects of the invention may also be implemented in the form of a program product comprising program code means for causing a terminal device to carry out the steps according to various exemplary embodiments of the invention described in the above-mentioned "exemplary methods" section of the present description, when said program product is run on the terminal device.
Referring to fig. 7, a program product 700 for implementing the above method according to an embodiment of the present invention is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited in this regard and, in the present document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. A WebShell killing-free method, which is characterized in that the method comprises the following steps:
acquiring a sensitive keyword, and setting a variable name of the sensitive keyword to obtain a target keyword;
encrypting the target keyword and the sensitive keyword to obtain an encrypted keyword, and splicing the encrypted keyword to obtain a WebShell file;
and carrying out killing processing on the WebShell file to determine that the WebShell file passes through the killing processing.
2. The WebShell killing-free method according to claim 1, wherein the sensitive keyword comprises: eval and assert.
3. The WebShell killing-free method according to claim 1, wherein the variable name setting of the sensitive keyword to obtain a target keyword comprises:
and in the target script language, setting a variable name of the sensitive keyword by using a variable delimiter to obtain a target keyword.
4. The WebShell killing-free method according to claim 3, wherein the splicing processing of the encrypted keywords to obtain the WebShell file comprises:
and splicing the encrypted keywords by using a grouping symbol in the target script language to obtain a WebShell file.
5. The WebShell killing-free method according to claim 1, wherein the encrypting the target keyword and the sensitive keyword to obtain an encrypted keyword comprises:
and encrypting the target keyword and the sensitive keyword by using an encryption algorithm to obtain an encrypted keyword.
6. The WebShell killing-free method according to claim 5, further comprising:
and executing a command corresponding to the WebShell file.
7. The WebShell killing-free method according to claim 6, wherein the executing the command corresponding to the WebShell file comprises:
determining a decryption algorithm corresponding to the encryption algorithm, and acquiring a key corresponding to the decryption algorithm and a command corresponding to the WebShell file;
and decrypting the encrypted keyword by using the decryption algorithm and the key to obtain the target keyword and the sensitive keyword, and executing the command according to the target keyword and the sensitive keyword.
8. A WebShell killing-free device is characterized by comprising:
the variable setting module is configured to acquire a sensitive keyword and perform variable name setting on the sensitive keyword to obtain a target keyword;
the encryption processing module is configured to encrypt the target keyword and the sensitive keyword to obtain an encrypted keyword, and splice the encrypted keyword to obtain a WebShell file;
and the searching and killing passing module is configured to perform searching and killing processing on the WebShell file and determine that the WebShell file passes the searching and killing processing.
9. A computer-readable storage medium, having stored thereon a computer program, characterized in that the computer program, when being executed by a processor, implements the WebShell killing-exempt method of any of claims 1-7.
10. An electronic device, comprising:
a processor;
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the WebShell kill-exempt method of any of claims 1-7 via execution of the executable instructions.
CN202111492987.XA 2021-12-08 2021-12-08 WebShell killing-free method and device, storage medium and electronic equipment Pending CN114168147A (en)

Publications (1)

Publication Number Publication Date
CN114168147A (en) 2022-03-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination