CN110879891B - Vulnerability detection method and device based on web fingerprint information - Google Patents

Abstract

The present invention provides a vulnerability detection method and device based on web fingerprint information, wherein the method comprises: determining a web site of a penetration target, wherein the penetration target is a network system connected through a network; collecting web fingerprint information of the web site; and using the web fingerprint information to detect external vulnerabilities of the penetration target. The present invention solves the technical problem that vulnerability detection cannot be performed through web fingerprint information in the related art.

Description

Vulnerability detection method and device based on web fingerprint information

Technical Field

The present invention relates to the field of network security, and in particular to a vulnerability detection method and device based on web fingerprint information.

Background Art

A cyber attack is an attack on electronic devices by hackers or viruses and Trojans, which causes huge losses to users by stealing files. Penetration testing is the process of simulating cyber attacks in order to discover problems in advance, remedy them in time, and be prepared for any eventuality.

In the related technology, generally only websites with known structure information can be attacked, and the structure information of the web site will not be collected. Currently, the fingerprint recognition methods on the market are relatively simple and cannot support the recognition of special fingerprints. There are a large number of false positives in the recognition rules.

With respect to the above-mentioned problems existing in the related technologies, no effective solutions have been found so far.

Summary of the invention

The embodiment of the present invention provides a vulnerability detection method and device based on web fingerprint information.

According to one embodiment of the present invention, a vulnerability detection method based on web fingerprint information is provided, comprising: determining a web site of a penetration target, wherein the penetration target is a network system connected via a network; collecting web fingerprint information of the web site; and using the web fingerprint information to detect external vulnerabilities of the penetration target.

Optionally, collecting web fingerprint information of the web site includes: collecting at least one of the following architecture information of the web site: development language, operating system of the deployment server, middleware, third-party code common framework used, content management system CMS, content distribution network CDN.

Optionally, collecting the web fingerprint information of the web site includes: sending a Hypertext Transfer Protocol (HTTP) request to a website server of the web site; receiving web page information fed back by the web site based on the HTTP request; and detecting the web fingerprint information according to the web page information.

Optionally, detecting the web fingerprint information according to the web page information includes: searching for a status code in the web page information; judging whether a designated page exists on the web site according to the status code; and determining the web fingerprint information according to the designated page.

Optionally, detecting the web fingerprint information according to the web page information includes: identifying a HASH value of a specified file in the web page information; and determining the web fingerprint information according to the HASH value.

Optionally, detecting the web fingerprint information according to the web page information includes: searching for a specified keyword in the data packet body of the web page source code, and/or searching for a specified string in the data packet header of the web page source code, and/or searching for a regular string in the data packet header of the web page source code, wherein the web page information includes the web page source code, and the regular string is a string combination set using a regular expression; determining the web fingerprint information according to at least one of the following: the specified keyword, the specified string, and the regular string.

Optionally, after using the web fingerprint information to detect the external vulnerability of the penetration target, the method further includes: using the external vulnerability to obtain the operation authority of the penetration target; and using the operation authority to perform a penetration operation on the network system.

Optionally, using the web fingerprint information to detect external vulnerabilities of the penetration target includes: selecting a detection plug-in that matches the web fingerprint information in a preset plug-in library; and calling the detection plug-in to identify an external service port provided by the penetration target.

According to another embodiment of the present invention, a vulnerability detection device based on web fingerprint information is provided, including: a determination module, used to determine a web website of a penetration target, wherein the penetration target is a network system connected through a network; a collection module, used to collect web fingerprint information of the web website; and a detection module, used to use the web fingerprint information to detect external vulnerabilities of the penetration target.

Optionally, the acquisition module includes: a collection unit, used to collect at least one of the following architecture information of the web site: development language, operating system of the deployment server, middleware, third-party code general framework used, content management system CMS, content distribution network CDN.

Optionally, the acquisition module includes: a sending unit, used to send a Hypertext Transfer Protocol HTTP request to the website server of the web website; a receiving unit, used to receive web page information fed back by the web website based on the HTTP request; and a detection unit, used to detect the web fingerprint information based on the web page information.

Optionally, the detection unit includes: a first search subunit, used to search for a status code in the web page information; a judgment subunit, used to judge whether a specified page exists on the web site based on the status code; and a first determination subunit, used to determine the web fingerprint information based on the specified page.

Optionally, the detection unit includes: an identification subunit, used to identify the HASH value of a specified file in the web page information; and a second determination subunit, used to determine the web fingerprint information according to the HASH value.

Optionally, the detection unit includes: a second search subunit, used to search for specified keywords in the data packet body of the web page source code, and/or, search for specified strings in the data packet header of the web page source code, and/or, search for regular strings in the data packet header of the web page source code, wherein the web page information includes the web page source code, and the regular string is a string combination set using a regular expression; a third determination subunit, used to determine the web fingerprint information based on at least one of the following: the specified keyword, the specified string, and the regular string.

Optionally, the device also includes: an acquisition module, which is used to obtain the operation authority of the penetration target by using the external vulnerability after the detection module uses the web fingerprint information to detect the external vulnerability of the penetration target; and a penetration module, which is used to use the operation authority to perform penetration operations on the network system.

Optionally, the detection module includes: a selection unit, used to select a detection plug-in matching the web fingerprint information in a preset plug-in library; and an identification unit, used to call the detection plug-in to identify the external service port provided by the penetration target.

According to yet another embodiment of the present invention, a storage medium is provided, in which a computer program is stored, wherein the computer program is configured to execute the steps of any one of the above method embodiments when running.

According to yet another embodiment of the present invention, there is provided an electronic device, including a memory and a processor, wherein the memory stores a computer program, and the processor is configured to run the computer program to execute the steps in any one of the above method embodiments.

Through the present invention, the web site of the penetration target is determined, and then the web fingerprint information of the web site is collected. Finally, the web fingerprint information is used in the external network of the local area network to detect the external vulnerabilities of the penetration target, which solves the technical problem that the vulnerability detection cannot be performed through the web fingerprint information in the related technology, and more network vulnerabilities can be discovered during the penetration test.

BRIEF DESCRIPTION OF THE DRAWINGS

The drawings described herein are used to provide a further understanding of the present invention and constitute a part of this application. The exemplary embodiments of the present invention and their descriptions are used to explain the present invention and do not constitute an improper limitation of the present invention. In the drawings:

FIG1 is a hardware structure block diagram of a computer device for detecting vulnerabilities based on web fingerprint information according to an embodiment of the present invention;

FIG2 is a flow chart of a vulnerability detection method based on web fingerprint information according to an embodiment of the present invention;

FIG3 is a logic flow chart of an embodiment of the present invention through identifying web fingerprint information;

FIG4 is an attack route diagram of a task node against a penetration target according to an embodiment of the present invention;

FIG. 5 is a structural block diagram of a vulnerability detection device based on web fingerprint information according to an embodiment of the present invention.

DETAILED DESCRIPTION

In order to enable those skilled in the art to better understand the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below in conjunction with the drawings in the embodiments of the present application. Obviously, the described embodiments are only embodiments of a part of the present application, not all embodiments. Based on the embodiments in the present application, all other embodiments obtained by ordinary technicians in the field without creative work should fall within the scope of protection of the present application. It should be noted that the embodiments in the present application and the features in the embodiments can be combined with each other without conflict.

It should be noted that the terms "first", "second", etc. in the specification and claims of the present application and the above-mentioned drawings are used to distinguish similar objects, and are not necessarily used to describe a specific order or sequence. It should be understood that the data used in this way can be interchangeable where appropriate, so that the embodiments of the present application described herein can be implemented in an order other than those illustrated or described herein. In addition, the terms "including" and "having" and any of their variations are intended to cover non-exclusive inclusions, for example, a process, method, system, product or device comprising a series of steps or units is not necessarily limited to those steps or units clearly listed, but may include other steps or units that are not clearly listed or inherent to these processes, methods, products or devices.

Example 1

The method embodiment provided in the first embodiment of the present application can be executed in a computer device or a similar computing device. Taking running on a computer device as an example, FIG1 is a hardware structure block diagram of a computer device for vulnerability detection based on web fingerprint information according to an embodiment of the present invention. As shown in FIG1 , a computer device 10 may include one or more (only one is shown in FIG1 ) processors 102 (the processor 102 may include but is not limited to a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data. Optionally, the computer device may also include a transmission device 106 and an input/output device 108 for communication functions. It can be understood by a person skilled in the art that the structure shown in FIG1 is only for illustration and does not limit the structure of the computer device. For example, the computer device 10 may also include more or fewer components than those shown in FIG1 , or have a configuration different from that shown in FIG1 .

The memory 104 can be used to store computer programs, for example, software programs and modules of application software, such as a computer program corresponding to a vulnerability detection method based on web fingerprint information in an embodiment of the present invention. The processor 102 executes various functional applications and data processing by running the computer program stored in the memory 104, that is, to implement the above method. The memory 104 may include a high-speed random access memory, and may also include a non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include a memory remotely arranged relative to the processor 102, and these remote memories may be connected to the computer device 10 via a network. Examples of the above network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.

The transmission device 106 is used to receive or send data via a network. The specific example of the above network may include a wireless network provided by a communication provider of the computer device 10. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, referred to as NIC), which can be connected to other network devices through a base station so as to communicate with the Internet. In one example, the transmission device 106 can be a radio frequency (RF) module, which is used to communicate with the Internet wirelessly.

In this embodiment, a vulnerability detection method based on web fingerprint information is provided. FIG. 2 is a flow chart of a vulnerability detection method based on web fingerprint information according to an embodiment of the present invention. As shown in FIG. 2 , the process includes the following steps:

Step S202, determining a website of a penetration target, wherein the penetration target is a network system connected through a network;

The penetration target of this embodiment is a network system composed of hardware, software and network, which runs in a local area network and is isolated from the wide area network by switches, firewalls, etc. The network system includes electronic equipment and data programs. The network system includes servers, databases, business systems, electronic equipment connected to the local area network, operating systems installed on electronic equipment, etc. It is used in various scenarios, such as units with strong confidentiality or security requirements, such as the intranet of government agencies, the local area network of financial structures, etc.

Step S204, collecting web fingerprint information of the web site;

Step S206: Use the web fingerprint information to detect external vulnerabilities of the penetration target.

The vulnerability of this embodiment is a defect in the specific implementation of the hardware, software, protocol or system security policy, which can enable an attacker to access or damage the system without authorization. The external vulnerability of this embodiment is a defect in the network system that can be exploited by third-party devices.

Through the above steps, the web site of the penetration target is determined, and then the web fingerprint information of the web site is collected. Finally, the web fingerprint information is used in the external network of the local area network to detect the external vulnerabilities of the penetration target. This solves the technical problem that the vulnerability detection technology cannot be performed through web fingerprint information in related technologies, and more network vulnerabilities can be discovered during penetration testing.

The execution subject of this embodiment can be a computer, tablet or other electronic device, which is connected to the local area network where the penetration target is located, or connected to the wide area network.

In this embodiment, collecting web fingerprint information of a website includes collecting at least one of the following architecture information of the website: development language, operating system of the deployment server, middleware, third-party code common framework used, content management system CMS, content distribution network CDN. The web fingerprint information of this embodiment is composed of various types of architecture information, and examples are given here: CMS information: such as Dahan CMS, Dreamweaver, Empire CMS, phpcms, ecshop, etc.; front-end technology: such as HTML5, jquery, bootstrap, pure, ace, etc.; web server: such as Apache, lighttpd, Nginx, IIS, etc.; application server: such as Tomcat, Jboss, weblogic, websphere, etc.; development language: such as PHP, Java, Ruby, Python, C#, etc.; operating system information: such as linux, win2k8, win7, kali, centos, etc.; CDN information: whether CDN is used, and which type of CDN is used, such as cloudflare, 360cdn, 365cyd, yunjiasu, etc.; WAF information: whether waf is used, and which type of waf is used, such as Topsec, Jiasule, Yundun, etc.; IP and domain name information: IP and domain name registration information, service provider information, etc.; port information: some software or platforms will also detect common ports opened by the server.

In one implementation of this embodiment, collecting web fingerprint information of a website includes:

S11, sending a Hypertext Transfer Protocol HTTP request to the website server of the web website;

The HTTP request of this embodiment can be, but is not limited to, GET, POST, HEAD, custom request headers, and other request methods;

S12, receiving web page information fed back by the web site based on the HTTP request;

S13, detecting web fingerprint information according to the web page information.

In an optional example, detecting web fingerprint information according to web page information includes: searching for a status code in the web page information; judging whether a designated page exists on the web site according to the status code; and determining web fingerprint information according to the designated page.

In an optional example, detecting web fingerprint information according to web page information includes: identifying a HASH value of a specified file in the web page information; and determining the web fingerprint information according to the HASH value.

In an optional example, detecting web fingerprint information based on web page information includes: searching for specified keywords in the body of a data packet of a web page source code, and/or searching for specified strings in a data packet header of a web page source code, and/or searching for regular strings in a data packet header of a web page source code, wherein the web page information includes the web page source code, and the regular string is a string combination set using a regular expression; determining the web fingerprint information based on at least one of the following: specified keywords, specified strings, and regular strings.

In one implementation of this embodiment, when identifying CMS, CMS can be identified by MD5 of specific files. Specific image files, js files, CSS and other static files of some websites, such as favicon.ico, css, logo.ico, js and other files are generally not modified. These files are captured by crawlers and compared with the md5 value. If it is consistent with the Md5 in the rule library, it means that it is the same CMS. Or it can be identified by keywords contained in normal pages or error pages. Keywords contained in normal pages or error pages, first visit the homepage or specific pages such as robots.txt, etc., and match certain keywords through regular methods, such as Powered by Discuz, dedecms, etc. Or an error page can be constructed to determine the CMS or middleware information used based on the error information, such as the more common error page of tomcat.

This embodiment can also match web fingerprint information through keywords in the request header information of the web page information fed back by the website server. Keyword matching is performed based on the response header information returned by the website. Whatweb and Wappalyzer quickly identify fingerprints through banner information. There are several identification methods based on the response header: check the X-Powered-By field of the http response header to identify; judge based on Cookies, for example, some waf will contain some information in the return header, such as 360wzws, Safedog, yunsuo, etc.; judge based on the Server information in the header, such as DVRDVS-webs, yunjiasu-nginx, Mod_Security, nginx-wallarm, etc.; judge based on WWW-Authenticate, some routing switching devices may have this field, such as NETCORE, Huawei, h3c and other devices.

This embodiment can also identify web fingerprint information by specifying keywords contained in the URL, such as wp-includes, dede and other URL key features. Use the rule base to detect whether there is a corresponding directory, or analyze the link URL according to the crawler results, or detect the directory in the robots.txt file, etc., to determine whether a certain CMS is used through the URL address. For example, wordpress has wp-includes and wp-admin directories by default, the default management backend of the dream weaving site is the dede directory, the solr platform may use the /solr directory, and weblogic can use the wls-wsat directory.

When identifying the development language, the common web development languages are PHP, jsp, aspx, asp, etc. The identification methods are as follows: directly judging by crawling to obtain dynamic links is a relatively simple method. The identification rules of Asp are as follows: <a[^>]*? href＝('|")[^http][^>]*?\.asp(\?|\#|\1), other languages can be replaced with the corresponding asp; locate and identify by using X-Powered-By in the http response header of the station as a keyword; identify by Set-Cookie, for example, if Set-Cookie contains PHPSSIONID, it means it is php, if it contains JSESSIONID, it means it is java, if it contains ASP.NET_SessionId, it means it is aspx, etc.

FIG3 is a logic flow chart of an embodiment of the present invention through identifying web fingerprint information, where each piece of information in the web fingerprint information (eg, webCMS, middleware, development language, etc.) corresponds to a set of fingerprint identification rules.

In this embodiment, web fingerprint recognition is mainly used to discover the architecture information of the web site, so as to more deeply explore the vulnerabilities existing in the website. For example, the development language, the operating system of the deployment server, the middleware, the third-party code common framework used, etc. The discovery means are as follows: by judging whether the specified page exists; by identifying the HASH value of a special file; by specifying keywords in the page content; and by unique marking strings or rules in the data response header information.

Optionally, after using web fingerprint information to detect external vulnerabilities of the penetration target in the external network of the local area network, it also includes: using the external vulnerabilities to obtain the operating authority of the penetration target; using the operating authority to perform penetration operations on the network system. Among them, the penetration operation includes at least one of the following: accessing the business system of the penetration target, accessing the local data of the penetration target, and performing lateral penetration in the intranet of the penetration target. The business system includes website servers, databases, etc., such as frequent access to website servers, frequent sending of the same instructions, etc., when the business system exceeds the processing limit, it may cause downtime or crash. The local data of this embodiment includes data that can be shared in the local area network, as well as data stored in various devices connected through the local area network, etc.

This embodiment encapsulates the exploitable vulnerabilities detected, and integrates the complex vulnerability exploitation process into the plug-in library. When it is necessary to exploit the vulnerability, the response input can be executed to obtain the echo result with one key, such as executing a system command. For the user, it is only necessary to enter the command to be executed and click the execute button (or the system automatically triggers) to obtain the command execution result, without having to care about the complex exploitation process of the vulnerability. For example, after discovering the weblogic deserialization vulnerability, it is possible to directly execute commands, upload files, rebound interactive shells and other operations through advanced exploitation functions. The penetration personnel only need to enter the target address to perform the discovery and exploitation process of the vulnerability with one key. For some vulnerabilities that cannot be fully automatically discovered, a separate vulnerability exploitation function is provided. The penetration personnel only need to enter the corresponding parameters to exploit the vulnerability with one key, such as the exploitation of the fastjson vulnerability. It can also be used for the exploitation of known vulnerabilities, such as entering an oracle account password, one-key privilege escalation, and executing system commands. This function greatly simplifies the vulnerability exploitation process.

This embodiment instructs the execution of the penetration operation by sending a penetration instruction to the penetration target. Before sending the penetration instruction to the target server of the penetration target, it needs to pass through the gateway and protection system of the penetration target, including WAF, IDS (Intrusion Detection System), IPS (Intrusion Prevention System), monitoring equipment, routers, and switches. Various means of bypassing WAF are added to the underlying packet sending program, and the method of automatically selecting the WAF according to the target situation includes: 1. Filling a large amount of useless data in the packet header to bypass the resource restriction detection type WAF; 2. Using encoding, deformation, same type function replacement, annotation symbol processing, word segmentation, database syntax characteristics to bypass the rule detection type WAF; 3. Using protocol conversion, protocol format change, and protocol replacement to bypass the protocol level detection type WAF; 4. Using the self-discovered data packet fragmentation transmission technology to bypass WAF. Fragmentation transmission is to divide the data to be sent into multiple data packets every three bytes, and send them separately to the target server, so as to avoid the detection means based on the matching of the data packet content, and embed the fragmentation technology of this embodiment in the underlying program for sending HTTP data packets.

In this embodiment, in an implementation of this embodiment, it also includes: determining the external vulnerability as a dangerous entrance to the local area network, determining the operation authority as an illegal authority of the network system, and generating a penetration test report of the penetration target.

This embodiment can customize the specified detection scheme according to the operating environment of the penetration target. For example, the scenario of detecting a newly-exploited vulnerability, the scenario of detecting weak email passwords, the scenario of detecting industrial control vulnerabilities, etc. Supporting scenario-based detection, it can quickly customize at least routine testing, attack and defense drills, range drills, security capability assessments and other scenarios according to needs, so as to meet the needs of customized scenario vulnerability discovery. A single penetration task does not limit the number of targets added, and the task can be executed concurrently in a distributed manner, thereby ensuring efficient vulnerability discovery.

Figure 4 is an attack route diagram of a task node against a penetration target in an embodiment of the present invention, illustrating the process from information collection to post-penetration attack, and each task node can perform a penetration test. In this embodiment, the implementation of each function can be achieved by a functional module set in the penetration device, including:

Information collection module: Before the penetration test, various online means are used to collect relevant information about the penetration target. The information collection module is mainly used to complete the information collection of the penetration target.

Vulnerability detection module: This module can automatically detect vulnerabilities in the penetration target. Vulnerability detection is divided into two methods, website URL detection method and IP address detection method. The website URL detection method is to fingerprint the target, collect fingerprint information such as middleware, general website framework, development language, operating system, etc., and find related vulnerability plug-ins from the plug-in library to find existing vulnerabilities. The IP address detection method is to perform port scanning on the target, find open services, identify the corresponding service type, and find related vulnerability plug-ins to determine whether a vulnerability exists.

Vulnerability plug-in library has multiple vulnerability plug-ins, and the scope of vulnerabilities covers web, middleware, database, network equipment, operating system, smart device, mobile terminal, industrial control equipment and other systems. It can find vulnerabilities of types such as but not limited to SQL (Structured Query Language) injection, XXE (Xml external entity injection), XSS (cross-site scripting attack), arbitrary file upload, arbitrary file download, arbitrary file operation, information leakage, weak password, local file inclusion, directory traversal, command execution, and misconfiguration. Some plug-ins also provide advanced functions for one-click vulnerability exploitation. Advanced functions include: executing commands, executing SQL, uploading files, rebounding Shell, uploading GTwebshell, downloading files, etc. The vulnerability plug-in library is maintained by 360 personnel with many years of penetration experience.

The web fingerprint library can identify a variety of CMS (content management systems), with a total number of rules reaching multiple. The system service fingerprint integrates the NMAP tool fingerprint library, which can meet the type and version identification of conventional system services. It supports scenario-based detection, and can quickly customize scenarios including at least conventional testing, attack and defense drills, range drills, security capability assessments, etc. according to needs, so as to meet the needs of customized scenario vulnerability discovery. There is no limit on the number of targets added in a single task, and tasks can be executed concurrently in a distributed manner, thereby ensuring efficient vulnerability discovery.

Vulnerability Exploitation Module: The vulnerability exploitation module is used to solve two problems: First, it provides a separate vulnerability exploitation function for some vulnerabilities that cannot be fully automatically discovered; for example, when the target address cannot be automatically obtained through crawlers or other means, the infiltration personnel only need to manually fill in the corresponding parameters to exploit the vulnerability with one click using this module. Second, it can directly detect whether the specified vulnerability exists and further exploit this vulnerability. This function can simplify the complex vulnerability exploitation process, such as entering the oracle account password, one-click privilege escalation, and executing system commands. In addition, this module also provides advanced vulnerability exploitation functions, including executing commands, executing SQL, uploading files, rebounding Shell, uploading GTwebshell, downloading files, etc., all of which can be used to exploit vulnerabilities.

Post-penetration module: Use the post-penetration module to penetrate the target horizontally. For example: discover the network topology of the intranet, discover the vulnerability of the intranet database, discover the location of the mail server, and even obtain the permissions of the office network segment, operation and maintenance host or domain controller. The post-penetration module includes a remote control system that can control 16 platforms such as windows, linux, unix, android, ios, aix, bsd, cisco, osx, etc., and supports more than 30 frameworks such as X86, X64, arm, sparc, ppc, etc. For the controlled end, it supports the generation of controlled ends in multiple formats, including executable file formats. For example, more than 20 formats such as exe, elf, powershell, vbs, dll, and the generation of original shellcode. Connect the post-penetration module through the external network vulnerability points opened by other vulnerabilities, and use the post-penetration plug-in to realize host information collection, host privilege escalation, intranet network topology discovery, host forensics, password acquisition, system screenshots, keyboard recording and other functions.

Plugin management module: quickly write plugins according to relevant documents. The tool also provides automatic code generation function to facilitate plugin writing. Plugin library management supports submitting and importing new plugins at any time, and uses dynamic import loading technology to load new plugins without delay. In order to ensure the effectiveness and accuracy of the plugin, the plugin enable and disable operation functions are provided to facilitate the configuration of plugin library rules at any time. In order to better maintain the plugin library, a plugin review mechanism is added to ensure that the plugins in the plugin library are high-quality plugins. It has a complete plugin library management function, which can submit plugins, view plugin lists, and review plugins.

Fingerprint management module: Fingerprint management is mainly designed for maintaining the fingerprint library. You can view all the rule information in the fingerprint library on this page. The fingerprint management module provides a fingerprint submission function, which is convenient for penetration personnel to add fingerprint information at any time. Using dynamic import technology, new fingerprints can be loaded into the fingerprint library without delay. Adding fingerprint rules supports common web frameworks, middleware, development languages, third-party frameworks, etc. Identification methods support strings, MD5, data packet headers, special page status codes, etc. In order to better maintain the fingerprint library, a fingerprint review mechanism has been added to ensure that the plug-ins in the fingerprint library are all high-quality fingerprint rules. Fingerprint management includes the functions of submitting fingerprints, fingerprint lists, and reviewing fingerprints.

WAF bypass technology module: Many WAF (web application-level intrusion prevention system, web Application Firewall) protection devices are deployed in network nodes. This module is used to bypass the protection devices.

Through the description of the above implementation methods, those skilled in the art can clearly understand that the method according to the above embodiment can be implemented by means of software plus a necessary general hardware platform, and of course can also be implemented by hardware, but in many cases the former is a better implementation method. Based on such an understanding, the technical solution of the present invention, or the part that contributes to the prior art, can be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk), and includes a number of instructions for a terminal device (which can be a mobile phone, computer, server, or network device, etc.) to execute the methods described in each embodiment of the present invention.

Example 2

In this embodiment, a vulnerability detection device based on web fingerprint information is also provided, which is used to implement the above embodiments and preferred implementation modes, and the descriptions that have been made will not be repeated. As used below, the term "module" can be a combination of software and/or hardware that implements a predetermined function. Although the device described in the following embodiments is preferably implemented in software, the implementation of hardware, or a combination of software and hardware, is also possible and conceivable.

FIG5 is a structural block diagram of a vulnerability detection device based on web fingerprint information according to an embodiment of the present invention, which can be applied in a server. As shown in FIG5 , the device includes: a determination module 50, a collection module 52, and a detection module 54, wherein:

A determination module 50, for determining a website of a penetration target, wherein the penetration target is a network system connected via a network;

A collection module 52, used to collect web fingerprint information of the web site;

The detection module 54 is used to detect external vulnerabilities of the penetration target using the web fingerprint information.

Optionally, the acquisition module includes: a collection unit, used to collect at least one of the following architecture information of the web site: development language, operating system of the deployment server, middleware, third-party code general framework used, content management system CMS, content distribution network CDN.

Optionally, the acquisition module includes: a sending unit, used to send a Hypertext Transfer Protocol HTTP request to the website server of the web website; a receiving unit, used to receive web page information fed back by the web website based on the HTTP request; and a detection unit, used to detect the web fingerprint information based on the web page information.

Optionally, the detection unit includes: a first search subunit, used to search for a status code in the web page information; a judgment subunit, used to judge whether a specified page exists on the web site based on the status code; and a first determination subunit, used to determine the web fingerprint information based on the specified page.

Optionally, the detection unit includes: an identification subunit, used to identify the HASH value of a specified file in the web page information; and a second determination subunit, used to determine the web fingerprint information according to the HASH value.

Optionally, the detection unit includes: a second search subunit, used to search for specified keywords in the data packet body of the web page source code, and/or, search for specified strings in the data packet header of the web page source code, and/or, search for regular strings in the data packet header of the web page source code, wherein the web page information includes the web page source code, and the regular string is a string combination set using a regular expression; a third determination subunit, used to determine the web fingerprint information based on at least one of the following: the specified keyword, the specified string, and the regular string.

Optionally, the device also includes: an acquisition module, which is used to obtain the operation authority of the penetration target by using the external vulnerability after the detection module uses the web fingerprint information to detect the external vulnerability of the penetration target; and a penetration module, which is used to use the operation authority to perform penetration operations on the network system.

It should be noted that the above modules can be implemented by software or hardware. For the latter, it can be implemented in the following ways, but not limited to: the above modules are all located in the same processor; or the above modules are located in different processors in any combination.

Example 3

An embodiment of the present invention further provides a storage medium, in which a computer program is stored, wherein the computer program is configured to execute the steps of any of the above method embodiments when running.

Optionally, in this embodiment, the storage medium may be configured to store a computer program for performing the following steps:

S1, determining a website of a penetration target, wherein the penetration target is a network system connected via a network;

S2, collecting web fingerprint information of the web site;

S3, using the web fingerprint information to detect external vulnerabilities of the penetration target.

Optionally, in this embodiment, the above-mentioned storage medium may include but is not limited to: a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a mobile hard disk, a magnetic disk or an optical disk, and other media that can store computer programs.

An embodiment of the present invention further provides an electronic device, including a memory and a processor, wherein a computer program is stored in the memory, and the processor is configured to run the computer program to execute the steps in any one of the above method embodiments.

Optionally, the electronic device may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.

Optionally, in this embodiment, the processor may be configured to perform the following steps through a computer program:

S1, determining a website of a penetration target, wherein the penetration target is a network system connected via a network;

S2, collecting web fingerprint information of the web site;

S3, using the web fingerprint information to detect external vulnerabilities of the penetration target.

Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation modes, and this embodiment will not be described in detail here.

The serial numbers of the above-mentioned embodiments of the present application are for description only and do not represent the advantages or disadvantages of the embodiments.

In the above embodiments of the present application, the description of each embodiment has its own emphasis. For parts that are not described in detail in a certain embodiment, please refer to the relevant descriptions of other embodiments.

In the several embodiments provided in this application, it should be understood that the disclosed technical content can be implemented in other ways. Among them, the device embodiments described above are only schematic. For example, the division of the units is only a logical function division. There may be other division methods in actual implementation. For example, multiple units or components can be combined or integrated into another system, or some features can be ignored or not executed. Another point is that the mutual coupling or direct coupling or communication connection shown or discussed can be through some interfaces, indirect coupling or communication connection of units or modules, which can be electrical or other forms.

The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The above-mentioned integrated unit may be implemented in the form of hardware or in the form of software functional units.

If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application is essentially or the part that contributes to the prior art or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including a number of instructions to enable a computer device (which can be a personal computer, server or network device, etc.) to perform all or part of the steps of the method described in each embodiment of the present application. The aforementioned storage medium includes: U disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), mobile hard disk, disk or optical disk and other media that can store program code.

The above is only a preferred implementation of the present application. It should be pointed out that for ordinary technicians in this technical field, several improvements and modifications can be made without departing from the principles of the present application. These improvements and modifications should also be regarded as the scope of protection of the present application.

Claims (10)

1. A vulnerability detection method based on web fingerprint information is characterized by comprising the following steps:

determining a web site of a penetration target, wherein the penetration target is a network system connected through a network;

Collecting web fingerprint information of the web site;

detecting an external vulnerability of the penetration target by using the web fingerprint information;

Acquiring the operation authority of the penetration target by using the external leak;

Performing a permeation operation on the network system using the operation authority, wherein the permeation operation comprises at least one of: and accessing the business system of the penetration target, accessing the local data of the penetration target, and performing transverse penetration on the intranet of the penetration target.

2. The method of claim 1, wherein gathering web fingerprint information for the web site comprises:

Gathering at least one of the following framework information of the web site: development language, operating system of deployment server, middleware, third party code general framework used, content management system CMS, content delivery network CDN.

3. The method of claim 1, wherein gathering web fingerprint information for the web site comprises:

sending a hypertext transfer protocol (HTTP) request to a website server of the web website;

receiving webpage information fed back by the web site based on the HTTP request;

And detecting the web fingerprint information according to the web page information.

4. The method of claim 3, wherein detecting the web fingerprint information from the web page information comprises:

searching a status code in the webpage information;

Judging whether a specified page exists in the web site according to the status code;

and determining the web fingerprint information according to the designated page.

5. The method of claim 3, wherein detecting the web fingerprint information from the web page information comprises:

Identifying a HASH value of the designated file in the web page information;

and determining the web fingerprint information according to the HASH value.

6. The method of claim 3, wherein detecting the web fingerprint information from the web page information comprises:

Searching a specified keyword in a data packet text of a webpage source code, and/or searching a specified character string in a data packet header of the webpage source code, and/or searching a regular character string in the data packet header of the webpage source code, wherein the webpage information comprises the webpage source code, and the regular character string is a character string combination set by adopting a regular expression;

Determining the web fingerprint information according to at least one of: the specified keywords, the specified character strings and the regular character strings.

7. The method of claim 1, wherein detecting an external vulnerability of the infiltrated target using the web fingerprint information comprises:

selecting a detection plugin matched with the web fingerprint information from a preset plugin library;

and calling the detection plug-in to identify an external service port provided by the penetration target.

8. A vulnerability detection device based on web fingerprint information, comprising:

The system comprises a determining module, a processing module and a processing module, wherein the determining module is used for determining a web site of a penetration target, and the penetration target is a network system connected through a network;

the acquisition module is used for acquiring web fingerprint information of the web website;

the detection module is used for detecting external loopholes of the penetration targets by using the web fingerprint information;

The acquisition module is used for acquiring the operation authority of the penetration target by utilizing the external vulnerability;

And a penetration module for performing a penetration operation on the network system using the operation authority, wherein the penetration operation comprises at least one of the following: and accessing the business system of the penetration target, accessing the local data of the penetration target, and performing transverse penetration on the intranet of the penetration target.

9. A storage medium having a computer program stored therein, wherein the computer program is arranged to perform the method of any of claims 1 to 7 when run.

10. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to run the computer program to perform the method of any of claims 1 to 7.